Edit tour

Windows Analysis Report
lUy4SKlE6A.exe

Overview

General Information

Sample name:	lUy4SKlE6A.exe renamed because original name is a hash value
Original sample name:	bbc2e44d3556706693ff54f32038e0113a4dcc31f6982c1f5e23fcbc612a4b1d.exe
Analysis ID:	1569260
MD5:	4bed8db5ac048ddafc6f1681cc79a454
SHA1:	cf9c9c996b95fc856423ec7a1e4099615b34ef0f
SHA256:	bbc2e44d3556706693ff54f32038e0113a4dcc31f6982c1f5e23fcbc612a4b1d
Tags:	exeuser-adrian__luca
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

AI detected suspicious sample

Contains functionality to log keystrokes (.Net Source)

Installs a global keyboard hook

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Outbound SMTP Connections

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

lUy4SKlE6A.exe (PID: 3548 cmdline: "C:\Users\user\Desktop\lUy4SKlE6A.exe" MD5: 4BED8DB5AC048DDAFC6F1681CC79A454)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.showpiece.trillennium.biz", "Username": "build@showpiece.trillennium.biz", "Password": "3KJ[T.3]fsSW"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
lUy4SKlE6A.exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
lUy4SKlE6A.exe	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
lUy4SKlE6A.exe	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334f1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33563:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335ed:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3367f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e9:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3375b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337f1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33881:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.4559214626.0000000002A74000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.4559214626.0000000002A6C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000000.2109413372.0000000000472000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000000.2109413372.0000000000472000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.4559214626.0000000002A41000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.4559214626.0000000002A41000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: lUy4SKlE6A.exe PID: 3548	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: lUy4SKlE6A.exe PID: 3548	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.lUy4SKlE6A.exe.470000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.0.lUy4SKlE6A.exe.470000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.0.lUy4SKlE6A.exe.470000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334f1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33563:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335ed:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3367f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e9:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3375b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337f1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33881:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548

Sigma Signatures

System Summary

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 67.23.226.139, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\lUy4SKlE6A.exe, Initiated: true, ProcessId: 3548, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49708

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: lUy4SKlE6A.exe

Avira: detected

Found malware configuration

Source: lUy4SKlE6A.exe

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.showpiece.trillennium.biz", "Username": "build@showpiece.trillennium.biz", "Password": "3KJ[T.3]fsSW"}

Multi AV Scanner detection for submitted file

Source: lUy4SKlE6A.exe

ReversingLabs: Detection: 73%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: lUy4SKlE6A.exe

Joe Sandbox ML: detected

Source: lUy4SKlE6A.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49707 version: TLS 1.2

Source: lUy4SKlE6A.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: global traffic

TCP traffic: 192.168.2.6:49708 -> 67.23.226.139:587

Source: Joe Sandbox View	IP Address: 67.23.226.139 67.23.226.139
Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205

Source: Joe Sandbox View

ASN Name: DIMENOCUS DIMENOCUS

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic

TCP traffic: 192.168.2.6:49708 -> 67.23.226.139:587

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: mail.showpiece.trillennium.biz

Source: lUy4SKlE6A.exe, 00000000.00000002.4559214626.0000000002A6C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.showpiece.trillennium.biz
Source: lUy4SKlE6A.exe, 00000000.00000002.4560857646.00000000060E8000.00000004.00000020.00020000.00000000.sdmp, lUy4SKlE6A.exe, 00000000.00000002.4558298006.0000000000B9C000.00000004.00000020.00020000.00000000.sdmp, lUy4SKlE6A.exe, 00000000.00000002.4558298006.0000000000B6C000.00000004.00000020.00020000.00000000.sdmp, lUy4SKlE6A.exe, 00000000.00000002.4559214626.0000000002A74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://r11.i.lencr.org/0
Source: lUy4SKlE6A.exe, 00000000.00000002.4560857646.00000000060E8000.00000004.00000020.00020000.00000000.sdmp, lUy4SKlE6A.exe, 00000000.00000002.4558298006.0000000000B9C000.00000004.00000020.00020000.00000000.sdmp, lUy4SKlE6A.exe, 00000000.00000002.4558298006.0000000000B6C000.00000004.00000020.00020000.00000000.sdmp, lUy4SKlE6A.exe, 00000000.00000002.4559214626.0000000002A74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://r11.o.lencr.org0#
Source: lUy4SKlE6A.exe, 00000000.00000002.4559214626.00000000029F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: lUy4SKlE6A.exe, 00000000.00000002.4559214626.0000000002A6C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://showpiece.trillennium.biz
Source: lUy4SKlE6A.exe, 00000000.00000002.4558298006.0000000000B9C000.00000004.00000020.00020000.00000000.sdmp, lUy4SKlE6A.exe, 00000000.00000002.4558298006.0000000000B6C000.00000004.00000020.00020000.00000000.sdmp, lUy4SKlE6A.exe, 00000000.00000002.4559214626.0000000002A74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: lUy4SKlE6A.exe, 00000000.00000002.4558298006.0000000000B9C000.00000004.00000020.00020000.00000000.sdmp, lUy4SKlE6A.exe, 00000000.00000002.4558298006.0000000000B6C000.00000004.00000020.00020000.00000000.sdmp, lUy4SKlE6A.exe, 00000000.00000002.4559214626.0000000002A74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: lUy4SKlE6A.exe	String found in binary or memory: https://account.dyn.com/
Source: lUy4SKlE6A.exe	String found in binary or memory: https://api.ipify.org
Source: lUy4SKlE6A.exe, 00000000.00000002.4559214626.00000000029F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: lUy4SKlE6A.exe, 00000000.00000002.4559214626.00000000029F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t

Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707

Source: unknown

HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49707 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: lUy4SKlE6A.exe, SKTzxzsJw.cs

.Net Code: pT1h

Installs a global keyboard hook

Source: C:\Users\user\Desktop\lUy4SKlE6A.exe

Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\lUy4SKlE6A.exe

Jump to behavior

Source: C:\Users\user\Desktop\lUy4SKlE6A.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: lUy4SKlE6A.exe, type: SAMPLE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.0.lUy4SKlE6A.exe.470000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Code function: 0_2_027C4A98	0_2_027C4A98
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Code function: 0_2_027CA960	0_2_027CA960
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Code function: 0_2_027C3E80	0_2_027C3E80
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Code function: 0_2_027C41C8	0_2_027C41C8
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Code function: 0_2_06495648	0_2_06495648
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Code function: 0_2_06497E20	0_2_06497E20
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Code function: 0_2_0649C220	0_2_0649C220
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Code function: 0_2_0649B2C8	0_2_0649B2C8
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Code function: 0_2_06492348	0_2_06492348
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Code function: 0_2_06497740	0_2_06497740
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Code function: 0_2_0649E440	0_2_0649E440
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Code function: 0_2_06495D98	0_2_06495D98
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Code function: 0_2_06490040	0_2_06490040
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Code function: 0_2_06581988	0_2_06581988
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Code function: 0_2_06581982	0_2_06581982
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Code function: 0_2_06490025	0_2_06490025

Source: lUy4SKlE6A.exe, 00000000.00000002.4558298006.0000000000ACE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs lUy4SKlE6A.exe
Source: lUy4SKlE6A.exe, 00000000.00000002.4557940198.00000000008F9000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs lUy4SKlE6A.exe
Source: lUy4SKlE6A.exe, 00000000.00000000.2109413372.0000000000472000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename00b93cc8-4625-4c9d-a44d-5996e806c5f9.exe4 vs lUy4SKlE6A.exe
Source: lUy4SKlE6A.exe	Binary or memory string: OriginalFilename00b93cc8-4625-4c9d-a44d-5996e806c5f9.exe4 vs lUy4SKlE6A.exe

Source: lUy4SKlE6A.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: lUy4SKlE6A.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.0.lUy4SKlE6A.exe.470000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: lUy4SKlE6A.exe, 4JJG6X.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: lUy4SKlE6A.exe, 4JJG6X.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: lUy4SKlE6A.exe, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: lUy4SKlE6A.exe, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: lUy4SKlE6A.exe, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: lUy4SKlE6A.exe, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: lUy4SKlE6A.exe, CqSP68Ir.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: lUy4SKlE6A.exe, CqSP68Ir.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: lUy4SKlE6A.exe

Binary string: ID: 0x{0:X}qSize of the SerializedPropertyStore is less than 8 ({0})/StoreSize: {0} (0x{0X})3\Device\LanmanRedirector\[Failed to retrieve system handle information.BK

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/0@3/2

Source: C:\Users\user\Desktop\lUy4SKlE6A.exe

Mutant created: NULL

Source: lUy4SKlE6A.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: lUy4SKlE6A.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\lUy4SKlE6A.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\lUy4SKlE6A.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: lUy4SKlE6A.exe

ReversingLabs: Detection: 73%

Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Section loaded: edputil.dll	Jump to behavior

Source: C:\Users\user\Desktop\lUy4SKlE6A.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\lUy4SKlE6A.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: lUy4SKlE6A.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: lUy4SKlE6A.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Code function: 0_2_027C0C6D push edi; retf	0_2_027C0C7A
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Code function: 0_2_027C0C45 push ebx; retf	0_2_027C0C52
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Code function: 0_2_065876E0 push esp; iretd	0_2_065876E9
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Code function: 0_2_06587CA4 push esp; iretd	0_2_06587CAD

Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior

Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\lUy4SKlE6A.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Memory allocated: E30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Memory allocated: 29F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Memory allocated: E30000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\lUy4SKlE6A.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Window / User API: threadDelayed 7539			Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Window / User API: threadDelayed 2318			Jump to behavior

Source: C:\Users\user\Desktop\lUy4SKlE6A.exe TID: 5580	Thread sleep time: -27670116110564310s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe TID: 5580	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe TID: 5580	Thread sleep time: -99890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe TID: 2748	Thread sleep count: 7539 > 30	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe TID: 2748	Thread sleep count: 2318 > 30	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe TID: 5580	Thread sleep time: -99781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe TID: 5580	Thread sleep time: -99672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe TID: 5580	Thread sleep time: -99562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe TID: 5580	Thread sleep time: -99453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe TID: 5580	Thread sleep time: -99328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe TID: 5580	Thread sleep time: -99210s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe TID: 5580	Thread sleep time: -98875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe TID: 5580	Thread sleep time: -98633s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe TID: 5580	Thread sleep time: -98531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe TID: 5580	Thread sleep time: -98421s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe TID: 5580	Thread sleep time: -98312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe TID: 5580	Thread sleep time: -98203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe TID: 5580	Thread sleep time: -98093s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe TID: 5580	Thread sleep time: -97984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe TID: 5580	Thread sleep time: -97875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe TID: 5580	Thread sleep time: -97766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe TID: 5580	Thread sleep time: -97641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe TID: 5580	Thread sleep time: -97531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe TID: 5580	Thread sleep time: -97422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe TID: 5580	Thread sleep time: -97312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe TID: 5580	Thread sleep time: -97203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe TID: 5580	Thread sleep time: -97094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe TID: 5580	Thread sleep time: -96983s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe TID: 5580	Thread sleep time: -96875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe TID: 5580	Thread sleep time: -96765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe TID: 5580	Thread sleep time: -96656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe TID: 5580	Thread sleep time: -96547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe TID: 5580	Thread sleep time: -96437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe TID: 5580	Thread sleep time: -96328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe TID: 5580	Thread sleep time: -96219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe TID: 5580	Thread sleep time: -96109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe TID: 5580	Thread sleep time: -96000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe TID: 5580	Thread sleep time: -95890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe TID: 5580	Thread sleep time: -95781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe TID: 5580	Thread sleep time: -95672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe TID: 5580	Thread sleep time: -95562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe TID: 5580	Thread sleep time: -95453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe TID: 5580	Thread sleep time: -95344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe TID: 5580	Thread sleep time: -95234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe TID: 5580	Thread sleep time: -95125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe TID: 5580	Thread sleep time: -95015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe TID: 5580	Thread sleep time: -94906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe TID: 5580	Thread sleep time: -94797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe TID: 5580	Thread sleep time: -94687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe TID: 5580	Thread sleep time: -94578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe TID: 5580	Thread sleep time: -94469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe TID: 5580	Thread sleep time: -94359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe TID: 5580	Thread sleep time: -94250s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\lUy4SKlE6A.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Thread delayed: delay time: 99890	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Thread delayed: delay time: 99781	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Thread delayed: delay time: 99672	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Thread delayed: delay time: 99562	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Thread delayed: delay time: 99453	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Thread delayed: delay time: 99328	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Thread delayed: delay time: 99210	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Thread delayed: delay time: 98875	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Thread delayed: delay time: 98633	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Thread delayed: delay time: 98531	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Thread delayed: delay time: 98421	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Thread delayed: delay time: 98312	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Thread delayed: delay time: 98203	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Thread delayed: delay time: 98093	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Thread delayed: delay time: 97984	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Thread delayed: delay time: 97875	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Thread delayed: delay time: 97766	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Thread delayed: delay time: 97641	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Thread delayed: delay time: 97531	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Thread delayed: delay time: 97422	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Thread delayed: delay time: 97312	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Thread delayed: delay time: 97203	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Thread delayed: delay time: 97094	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Thread delayed: delay time: 96983	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Thread delayed: delay time: 96875	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Thread delayed: delay time: 96765	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Thread delayed: delay time: 96656	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Thread delayed: delay time: 96547	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Thread delayed: delay time: 96437	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Thread delayed: delay time: 96328	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Thread delayed: delay time: 96219	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Thread delayed: delay time: 96109	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Thread delayed: delay time: 96000	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Thread delayed: delay time: 95890	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Thread delayed: delay time: 95781	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Thread delayed: delay time: 95672	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Thread delayed: delay time: 95562	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Thread delayed: delay time: 95453	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Thread delayed: delay time: 95344	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Thread delayed: delay time: 95234	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Thread delayed: delay time: 95125	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Thread delayed: delay time: 95015	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Thread delayed: delay time: 94906	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Thread delayed: delay time: 94797	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Thread delayed: delay time: 94687	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Thread delayed: delay time: 94578	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Thread delayed: delay time: 94469	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Thread delayed: delay time: 94359	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Thread delayed: delay time: 94250	Jump to behavior

Source: lUy4SKlE6A.exe, 00000000.00000002.4558298006.0000000000B9C000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\lUy4SKlE6A.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\lUy4SKlE6A.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\lUy4SKlE6A.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Queries volume information: C:\Users\user\Desktop\lUy4SKlE6A.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\lUy4SKlE6A.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: lUy4SKlE6A.exe, type: SAMPLE
Source: Yara match	File source: 0.0.lUy4SKlE6A.exe.470000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.4559214626.0000000002A74000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4559214626.0000000002A6C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2109413372.0000000000472000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4559214626.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: lUy4SKlE6A.exe PID: 3548, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\lUy4SKlE6A.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\lUy4SKlE6A.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\lUy4SKlE6A.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: lUy4SKlE6A.exe, type: SAMPLE
Source: Yara match	File source: 0.0.lUy4SKlE6A.exe.470000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2109413372.0000000000472000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4559214626.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: lUy4SKlE6A.exe PID: 3548, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: lUy4SKlE6A.exe, type: SAMPLE
Source: Yara match	File source: 0.0.lUy4SKlE6A.exe.470000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.4559214626.0000000002A74000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4559214626.0000000002A6C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2109413372.0000000000472000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4559214626.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: lUy4SKlE6A.exe PID: 3548, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	1 Query Registry	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	141 Virtualization/Sandbox Evasion	21 Input Capture	111 Security Software Discovery	Remote Desktop Protocol	21 Input Capture	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	1 Credentials in Registry	1 Process Discovery	SMB/Windows Admin Shares	11 Archive Collected Data	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	141 Virtualization/Sandbox Evasion	Distributed Component Object Model	2 Data from Local System	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Application Window Discovery	SSH	1 Clipboard Data	23 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	1 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	24 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
lUy4SKlE6A.exe	74%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
lUy4SKlE6A.exe	100%	Avira	TR/Spy.Gen8
lUy4SKlE6A.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Reputation
api.ipify.org	104.26.12.205	true	false	high
showpiece.trillennium.biz	67.23.226.139	true	true	unknown
mail.showpiece.trillennium.biz	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://showpiece.trillennium.biz	lUy4SKlE6A.exe, 00000000.00000002.4559214626.0000000002A6C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.ipify.org	lUy4SKlE6A.exe	false	high
https://account.dyn.com/	lUy4SKlE6A.exe	false	high
http://r11.o.lencr.org0#	lUy4SKlE6A.exe, 00000000.00000002.4560857646.00000000060E8000.00000004.00000020.00020000.00000000.sdmp, lUy4SKlE6A.exe, 00000000.00000002.4558298006.0000000000B9C000.00000004.00000020.00020000.00000000.sdmp, lUy4SKlE6A.exe, 00000000.00000002.4558298006.0000000000B6C000.00000004.00000020.00020000.00000000.sdmp, lUy4SKlE6A.exe, 00000000.00000002.4559214626.0000000002A74000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.ipify.org/t	lUy4SKlE6A.exe, 00000000.00000002.4559214626.00000000029F1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://mail.showpiece.trillennium.biz	lUy4SKlE6A.exe, 00000000.00000002.4559214626.0000000002A6C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	lUy4SKlE6A.exe, 00000000.00000002.4559214626.00000000029F1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://x1.c.lencr.org/0	lUy4SKlE6A.exe, 00000000.00000002.4558298006.0000000000B9C000.00000004.00000020.00020000.00000000.sdmp, lUy4SKlE6A.exe, 00000000.00000002.4558298006.0000000000B6C000.00000004.00000020.00020000.00000000.sdmp, lUy4SKlE6A.exe, 00000000.00000002.4559214626.0000000002A74000.00000004.00000800.00020000.00000000.sdmp	false	high
http://x1.i.lencr.org/0	lUy4SKlE6A.exe, 00000000.00000002.4558298006.0000000000B9C000.00000004.00000020.00020000.00000000.sdmp, lUy4SKlE6A.exe, 00000000.00000002.4558298006.0000000000B6C000.00000004.00000020.00020000.00000000.sdmp, lUy4SKlE6A.exe, 00000000.00000002.4559214626.0000000002A74000.00000004.00000800.00020000.00000000.sdmp	false	high
http://r11.i.lencr.org/0	lUy4SKlE6A.exe, 00000000.00000002.4560857646.00000000060E8000.00000004.00000020.00020000.00000000.sdmp, lUy4SKlE6A.exe, 00000000.00000002.4558298006.0000000000B9C000.00000004.00000020.00020000.00000000.sdmp, lUy4SKlE6A.exe, 00000000.00000002.4558298006.0000000000B6C000.00000004.00000020.00020000.00000000.sdmp, lUy4SKlE6A.exe, 00000000.00000002.4559214626.0000000002A74000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
67.23.226.139	showpiece.trillennium.biz	United States		33182	DIMENOCUS	true
104.26.12.205	api.ipify.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1569260
Start date and time:	2024-12-05 16:57:31 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	lUy4SKlE6A.exe renamed because original name is a hash value
Original Sample Name:	bbc2e44d3556706693ff54f32038e0113a4dcc31f6982c1f5e23fcbc612a4b1d.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@1/0@3/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 58 Number of non-executed functions: 7
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: lUy4SKlE6A.exe

Simulations

Behavior and APIs

Time	Type	Description
10:58:23	API Interceptor	10661474x Sleep call for process: lUy4SKlE6A.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
67.23.226.139	PO#86637.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse
	Quotation.exe	Get hash	malicious	AgentTesla	Browse
	Quotation.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	3Pd480eWHA.exe	Get hash	malicious	AgentTesla	Browse
	Quotation.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	COTIZACION.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	Quotation.exe	Get hash	malicious	AgentTesla	Browse
	Quotation.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	Quotation.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	Revised PI 28 08 2024.exe	Get hash	malicious	AgentTesla	Browse
104.26.12.205	Ransomware Mallox.exe	Get hash	malicious	Targeted Ransomware	Browse	api.ipify.org/
	Yc9hcFC1ux.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	6706e721f2c06.exe	Get hash	malicious	Remcos	Browse	api.ipify.org/
	perfcc.elf	Get hash	malicious	Xmrig	Browse	api.ipify.org/
	SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	hloRQZmlfg.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	file.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.ipify.org	xFHqehx1tb.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	104.26.12.205
	https://app.peony.ink/view/902b02a8-11f0-4e28-89b1-5318035c10eb	Get hash	malicious	EvilProxy, HTMLPhisher	Browse	104.26.12.205
	7Gt3icFvQW.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	1AxSwjpyGp.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	104.26.12.205
	FPBKcOFjEP.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	104.26.12.205
	MerchantDetailedStatement_37063_04122024.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	https://click.pstmrk.it/3s/bmxn8t84vg.gherapilta.shop%2F/ySDk/28y5AQ/AQ/e82f1f59-f734-42be-affb-895d81855fb4/1/pD2JDTOBnb	Get hash	malicious	EvilProxy, HTMLPhisher	Browse	104.26.12.205
	RFQ.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	venomderek.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.13.205
	Documenti di spedizione.bat.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.13.205

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	http://kitces.emlnk1.com	Get hash	malicious	Unknown	Browse	104.20.0.15
	https://vacilandoblog.wordpress.com/2015/04/22/a-tribute-to-my-mother-in-law-rest-in-peace-april-22-2015/	Get hash	malicious	Unknown	Browse	172.64.150.63
	DX7V71Ro7b.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	172.67.177.134
	xFHqehx1tb.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	104.26.12.205
	https://sendgb.com/Aw8gObHpGVR?utm_medium=dZJEAfc2MGnvjBD	Get hash	malicious	HTMLPhisher	Browse	104.21.80.92
	MOV-0903787857-(Jmulvey)MMS0%3A28.mp4.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://sendgb.com/dxukcl49bIj?utm_medium=mvC3BJ1YMhqe8zn	Get hash	malicious	HTMLPhisher	Browse	104.21.80.92
	9KpgpwwGDy.img	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	http://womenluxuryfashion.com	Get hash	malicious	TechSupportScam	Browse	104.21.18.31
	https://www.canva.com/design/DAGYb4KDTLU/01pg_uwrCOTruDt9hzwmow/edit	Get hash	malicious	Unknown	Browse	104.16.103.112
DIMENOCUS	ky.ps1	Get hash	malicious	Unknown	Browse	184.171.244.231
	script.vbs	Get hash	malicious	Unknown	Browse	184.171.244.231
	mg.vbs	Get hash	malicious	Unknown	Browse	184.171.244.231
	mj.ps1	Get hash	malicious	Unknown	Browse	184.171.244.231
	ap.ps1	Get hash	malicious	Unknown	Browse	184.171.244.231
	cu.ps1	Get hash	malicious	Unknown	Browse	184.171.244.231
	Scripts_Obfusque.vbs	Get hash	malicious	Unknown	Browse	184.171.244.231
	ni.ps1	Get hash	malicious	Unknown	Browse	184.171.244.231
	file.exe	Get hash	malicious	Amadey, LummaC Stealer, Nymaim, RHADAMANTHYS, Stealc, Vidar	Browse	67.23.237.28
	file.exe	Get hash	malicious	Amadey	Browse	67.23.237.28

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	DX7V71Ro7b.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.26.12.205
	xFHqehx1tb.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	104.26.12.205
	9KpgpwwGDy.img	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.26.12.205
	z43INF_20231205_A1B5C3.msi	Get hash	malicious	Unknown	Browse	104.26.12.205
	9V4TlKwcz3.exe	Get hash	malicious	ScreenConnect Tool	Browse	104.26.12.205
	uC70JKtV2B.exe	Get hash	malicious	ScreenConnect Tool	Browse	104.26.12.205
	cxYwMzCUCd.exe	Get hash	malicious	ScreenConnect Tool	Browse	104.26.12.205
	t4U6b6M0ZH.exe	Get hash	malicious	ScreenConnect Tool	Browse	104.26.12.205
	XXzrAuPle1.exe	Get hash	malicious	ScreenConnect Tool	Browse	104.26.12.205
	O7T6gwPvqA.exe	Get hash	malicious	ScreenConnect Tool	Browse	104.26.12.205

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.000012191217098
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	lUy4SKlE6A.exe
File size:	240'128 bytes
MD5:	4bed8db5ac048ddafc6f1681cc79a454
SHA1:	cf9c9c996b95fc856423ec7a1e4099615b34ef0f
SHA256:	bbc2e44d3556706693ff54f32038e0113a4dcc31f6982c1f5e23fcbc612a4b1d
SHA512:	e22c17dc09f162010288b18cc8a846689c356fa80de28274f07980860fb6595854a2dc0fae471cde88b31244ee2f1112f639cf667837a9c7c12fe9b9b090226d
SSDEEP:	3072:kruC+iGyQnOvA0CSjFbGwvXcMpVSn9XP5hstpWHbAc:kruC+iGyQnOvA7SJbGKLSnZEt3
TLSH:	70340E037E88EB15E1A83E3782EF6C2413B2B4C71633D60B6F49AF6518516426D7E72D
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....jf............................>.... ........@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x43bf3e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x666AC59C [Thu Jun 13 10:10:36 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3bee8	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3c000	0x546	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x3e000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x39f44	0x3a000	bbb03c6ad77f112452497e7f3ae29488	False	0.35730401400862066	data	5.011415609956667	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x3c000	0x546	0x600	3e38e7618a0fa418e1671bd27616f5bf	False	0.400390625	data	4.000760919578383	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x3e000	0xc	0x200	87c78cf5481d79b53b9e178ceff2e955	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x3c0a0	0x2bc	data			0.43857142857142856
RT_MANIFEST	0x3c35c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 5, 2024 16:58:22.012092113 CET	49707	443	192.168.2.6	104.26.12.205
Dec 5, 2024 16:58:22.012140989 CET	443	49707	104.26.12.205	192.168.2.6
Dec 5, 2024 16:58:22.012213945 CET	49707	443	192.168.2.6	104.26.12.205
Dec 5, 2024 16:58:22.021255016 CET	49707	443	192.168.2.6	104.26.12.205
Dec 5, 2024 16:58:22.021276951 CET	443	49707	104.26.12.205	192.168.2.6
Dec 5, 2024 16:58:23.237917900 CET	443	49707	104.26.12.205	192.168.2.6
Dec 5, 2024 16:58:23.238048077 CET	49707	443	192.168.2.6	104.26.12.205
Dec 5, 2024 16:58:23.242017031 CET	49707	443	192.168.2.6	104.26.12.205
Dec 5, 2024 16:58:23.242028952 CET	443	49707	104.26.12.205	192.168.2.6
Dec 5, 2024 16:58:23.242326021 CET	443	49707	104.26.12.205	192.168.2.6
Dec 5, 2024 16:58:23.286885977 CET	49707	443	192.168.2.6	104.26.12.205
Dec 5, 2024 16:58:23.293837070 CET	49707	443	192.168.2.6	104.26.12.205
Dec 5, 2024 16:58:23.335333109 CET	443	49707	104.26.12.205	192.168.2.6
Dec 5, 2024 16:58:23.684299946 CET	443	49707	104.26.12.205	192.168.2.6
Dec 5, 2024 16:58:23.684370995 CET	443	49707	104.26.12.205	192.168.2.6
Dec 5, 2024 16:58:23.684468031 CET	49707	443	192.168.2.6	104.26.12.205
Dec 5, 2024 16:58:23.689728975 CET	49707	443	192.168.2.6	104.26.12.205
Dec 5, 2024 16:58:25.560488939 CET	49708	587	192.168.2.6	67.23.226.139
Dec 5, 2024 16:58:25.680372000 CET	587	49708	67.23.226.139	192.168.2.6
Dec 5, 2024 16:58:25.680476904 CET	49708	587	192.168.2.6	67.23.226.139
Dec 5, 2024 16:58:26.833069086 CET	587	49708	67.23.226.139	192.168.2.6
Dec 5, 2024 16:58:26.833512068 CET	49708	587	192.168.2.6	67.23.226.139
Dec 5, 2024 16:58:26.953551054 CET	587	49708	67.23.226.139	192.168.2.6
Dec 5, 2024 16:58:27.178059101 CET	587	49708	67.23.226.139	192.168.2.6
Dec 5, 2024 16:58:27.178237915 CET	49708	587	192.168.2.6	67.23.226.139
Dec 5, 2024 16:58:27.298126936 CET	587	49708	67.23.226.139	192.168.2.6
Dec 5, 2024 16:58:27.522420883 CET	587	49708	67.23.226.139	192.168.2.6
Dec 5, 2024 16:58:27.523006916 CET	49708	587	192.168.2.6	67.23.226.139
Dec 5, 2024 16:58:27.642868042 CET	587	49708	67.23.226.139	192.168.2.6
Dec 5, 2024 16:58:27.886149883 CET	587	49708	67.23.226.139	192.168.2.6
Dec 5, 2024 16:58:27.886198997 CET	587	49708	67.23.226.139	192.168.2.6
Dec 5, 2024 16:58:27.886336088 CET	49708	587	192.168.2.6	67.23.226.139
Dec 5, 2024 16:58:27.887198925 CET	587	49708	67.23.226.139	192.168.2.6
Dec 5, 2024 16:58:27.887258053 CET	587	49708	67.23.226.139	192.168.2.6
Dec 5, 2024 16:58:27.887304068 CET	49708	587	192.168.2.6	67.23.226.139
Dec 5, 2024 16:58:28.078402042 CET	587	49708	67.23.226.139	192.168.2.6
Dec 5, 2024 16:58:28.105787039 CET	49708	587	192.168.2.6	67.23.226.139
Dec 5, 2024 16:58:28.225578070 CET	587	49708	67.23.226.139	192.168.2.6
Dec 5, 2024 16:58:28.486428022 CET	587	49708	67.23.226.139	192.168.2.6
Dec 5, 2024 16:58:28.489367008 CET	49708	587	192.168.2.6	67.23.226.139
Dec 5, 2024 16:58:28.609314919 CET	587	49708	67.23.226.139	192.168.2.6
Dec 5, 2024 16:58:28.846482038 CET	587	49708	67.23.226.139	192.168.2.6
Dec 5, 2024 16:58:28.847486019 CET	49708	587	192.168.2.6	67.23.226.139
Dec 5, 2024 16:58:28.967413902 CET	587	49708	67.23.226.139	192.168.2.6
Dec 5, 2024 16:58:29.207178116 CET	587	49708	67.23.226.139	192.168.2.6
Dec 5, 2024 16:58:29.208235979 CET	49708	587	192.168.2.6	67.23.226.139
Dec 5, 2024 16:58:29.328433990 CET	587	49708	67.23.226.139	192.168.2.6
Dec 5, 2024 16:58:29.567893028 CET	587	49708	67.23.226.139	192.168.2.6
Dec 5, 2024 16:58:29.568577051 CET	49708	587	192.168.2.6	67.23.226.139
Dec 5, 2024 16:58:29.688532114 CET	587	49708	67.23.226.139	192.168.2.6
Dec 5, 2024 16:58:29.909677982 CET	587	49708	67.23.226.139	192.168.2.6
Dec 5, 2024 16:58:29.910065889 CET	49708	587	192.168.2.6	67.23.226.139
Dec 5, 2024 16:58:30.030507088 CET	587	49708	67.23.226.139	192.168.2.6
Dec 5, 2024 16:58:30.275384903 CET	587	49708	67.23.226.139	192.168.2.6
Dec 5, 2024 16:58:30.275662899 CET	49708	587	192.168.2.6	67.23.226.139
Dec 5, 2024 16:58:30.395339012 CET	587	49708	67.23.226.139	192.168.2.6
Dec 5, 2024 16:58:30.624913931 CET	587	49708	67.23.226.139	192.168.2.6
Dec 5, 2024 16:58:30.625647068 CET	49708	587	192.168.2.6	67.23.226.139
Dec 5, 2024 16:58:30.625739098 CET	49708	587	192.168.2.6	67.23.226.139
Dec 5, 2024 16:58:30.625763893 CET	49708	587	192.168.2.6	67.23.226.139
Dec 5, 2024 16:58:30.625788927 CET	49708	587	192.168.2.6	67.23.226.139
Dec 5, 2024 16:58:30.745733023 CET	587	49708	67.23.226.139	192.168.2.6
Dec 5, 2024 16:58:30.745758057 CET	587	49708	67.23.226.139	192.168.2.6
Dec 5, 2024 16:58:30.745769024 CET	587	49708	67.23.226.139	192.168.2.6
Dec 5, 2024 16:58:30.745855093 CET	587	49708	67.23.226.139	192.168.2.6
Dec 5, 2024 16:58:31.010713100 CET	587	49708	67.23.226.139	192.168.2.6
Dec 5, 2024 16:58:31.052593946 CET	49708	587	192.168.2.6	67.23.226.139
Dec 5, 2024 17:00:04.234380007 CET	49708	587	192.168.2.6	67.23.226.139
Dec 5, 2024 17:00:04.354243994 CET	587	49708	67.23.226.139	192.168.2.6
Dec 5, 2024 17:00:04.574403048 CET	587	49708	67.23.226.139	192.168.2.6
Dec 5, 2024 17:00:04.575330973 CET	49708	587	192.168.2.6	67.23.226.139

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 5, 2024 16:58:21.864190102 CET	61185	53	192.168.2.6	1.1.1.1
Dec 5, 2024 16:58:22.003441095 CET	53	61185	1.1.1.1	192.168.2.6
Dec 5, 2024 16:58:24.203242064 CET	57394	53	192.168.2.6	1.1.1.1
Dec 5, 2024 16:58:25.205872059 CET	57394	53	192.168.2.6	1.1.1.1
Dec 5, 2024 16:58:25.508789062 CET	53	57394	1.1.1.1	192.168.2.6
Dec 5, 2024 16:58:25.508815050 CET	53	57394	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 5, 2024 16:58:21.864190102 CET	192.168.2.6	1.1.1.1	0xe011	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Dec 5, 2024 16:58:24.203242064 CET	192.168.2.6	1.1.1.1	0x7b97	Standard query (0)	mail.showpiece.trillennium.biz	A (IP address)	IN (0x0001)	false
Dec 5, 2024 16:58:25.205872059 CET	192.168.2.6	1.1.1.1	0x7b97	Standard query (0)	mail.showpiece.trillennium.biz	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 5, 2024 16:58:22.003441095 CET	1.1.1.1	192.168.2.6	0xe011	No error (0)	api.ipify.org		104.26.12.205	A (IP address)	IN (0x0001)	false
Dec 5, 2024 16:58:22.003441095 CET	1.1.1.1	192.168.2.6	0xe011	No error (0)	api.ipify.org		172.67.74.152	A (IP address)	IN (0x0001)	false
Dec 5, 2024 16:58:22.003441095 CET	1.1.1.1	192.168.2.6	0xe011	No error (0)	api.ipify.org		104.26.13.205	A (IP address)	IN (0x0001)	false
Dec 5, 2024 16:58:25.508789062 CET	1.1.1.1	192.168.2.6	0x7b97	No error (0)	mail.showpiece.trillennium.biz	showpiece.trillennium.biz		CNAME (Canonical name)	IN (0x0001)	false
Dec 5, 2024 16:58:25.508789062 CET	1.1.1.1	192.168.2.6	0x7b97	No error (0)	showpiece.trillennium.biz		67.23.226.139	A (IP address)	IN (0x0001)	false
Dec 5, 2024 16:58:25.508815050 CET	1.1.1.1	192.168.2.6	0x7b97	No error (0)	mail.showpiece.trillennium.biz	showpiece.trillennium.biz		CNAME (Canonical name)	IN (0x0001)	false
Dec 5, 2024 16:58:25.508815050 CET	1.1.1.1	192.168.2.6	0x7b97	No error (0)	showpiece.trillennium.biz		67.23.226.139	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49707	104.26.12.205	443	3548	C:\Users\user\Desktop\lUy4SKlE6A.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-05 15:58:23 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-12-05 15:58:23 UTC	424	IN	HTTP/1.1 200 OK Date: Thu, 05 Dec 2024 15:58:23 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8ed53cc4e9215e7c-EWR server-timing: cfL4;desc="?proto=TCP&rtt=2302&min_rtt=2216&rtt_var=893&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2819&recv_bytes=769&delivery_rate=1317689&cwnd=190&unsent_bytes=0&cid=8f6061f0f8213e72&ts=456&x=0"
2024-12-05 15:58:23 UTC	12	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 32 32 38 Data Ascii: 8.46.123.228

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Dec 5, 2024 16:58:26.833069086 CET	587	49708	67.23.226.139	192.168.2.6	220-super.nseasy.com ESMTP Exim 4.96.2 #2 Thu, 05 Dec 2024 10:58:26 -0500 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Dec 5, 2024 16:58:26.833512068 CET	49708	587	192.168.2.6	67.23.226.139	EHLO 724536
Dec 5, 2024 16:58:27.178059101 CET	587	49708	67.23.226.139	192.168.2.6	250-super.nseasy.com Hello 724536 [8.46.123.228] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Dec 5, 2024 16:58:27.178237915 CET	49708	587	192.168.2.6	67.23.226.139	STARTTLS
Dec 5, 2024 16:58:27.522420883 CET	587	49708	67.23.226.139	192.168.2.6	220 TLS go ahead

Target ID:	0
Start time:	10:58:20
Start date:	05/12/2024
Path:	C:\Users\user\Desktop\lUy4SKlE6A.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\lUy4SKlE6A.exe"
Imagebase:	0x470000
File size:	240'128 bytes
MD5 hash:	4BED8DB5AC048DDAFC6F1681CC79A454
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.4559214626.0000000002A74000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.4559214626.0000000002A6C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000000.2109413372.0000000000472000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000000.2109413372.0000000000472000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.4559214626.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.4559214626.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	8.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 027CA960 Relevance: 3.1, Instructions: 3102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4558842964.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_lUy4SKlE6A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1aedab46009981427fccb07ce25a9ca4c3fb13701644bc0b31fe3d9661ab88d
Instruction ID: 6ada561fd93db5344ea78a1670f66407d4e3a0c25496a09ec549bf66a52b2da8
Opcode Fuzzy Hash: e1aedab46009981427fccb07ce25a9ca4c3fb13701644bc0b31fe3d9661ab88d
Instruction Fuzzy Hash: 5463FB31D10B1A8ADB11EF68C8846A9F7B1FF99300F15D79AE45877121EB70AAC5CF81

Function 06495648 Relevance: 1.8, Strings: 1, Instructions: 594
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$, xrefs: 06495D54

Memory Dump Source

Source File: 00000000.00000002.4561213815.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6490000_lUy4SKlE6A.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: 5d9957594da3565fb30fee747771e0aefa78bddb65fbc160e929a80ddf58e566
Instruction ID: 6e799bc4cabb8b119888ce7c11b3ac690e934093536dfc47be9b7e46d0df7ceb
Opcode Fuzzy Hash: 5d9957594da3565fb30fee747771e0aefa78bddb65fbc160e929a80ddf58e566
Instruction Fuzzy Hash: 8F22D275F402548FDF6ADBA4C5806AFBBB2EF84320F24846AD445EB345DA31DD42CBA0

Function 06492348 Relevance: 1.5, Instructions: 1521COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4561213815.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6490000_lUy4SKlE6A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6057552b59058bcd8f4948a8328dae9ff1aef74b475079a57237185f0dda02d
Instruction ID: 93bacbadde431fc8b7fd0b64553d0ce7f2dd30ad4049d41382a28d36abf92a28
Opcode Fuzzy Hash: e6057552b59058bcd8f4948a8328dae9ff1aef74b475079a57237185f0dda02d
Instruction Fuzzy Hash: 2DE22834A10205CFDB65DF68C484A9EBBF2FF89314F5485AAD409AB365EB70ED81CB50

Function 027C3E80 Relevance: 1.5, Strings: 1, Instructions: 238
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\V[n, xrefs: 027C40CB

Memory Dump Source

Source File: 00000000.00000002.4558842964.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_lUy4SKlE6A.jbxd

Similarity

API ID:
String ID: \V[n
API String ID: 0-1005319620
Opcode ID: 96415f3da91a76ee393922c08f1d2eca1a88cca621ada247f0b93bb2fe9f090e
Instruction ID: 52421cb14d84ef8ccde20d949c6da9a891105cefcf02c1587f758a9b0791d4c7
Opcode Fuzzy Hash: 96415f3da91a76ee393922c08f1d2eca1a88cca621ada247f0b93bb2fe9f090e
Instruction Fuzzy Hash: 09913870E00209DFDF14CFA9C9A579EBBF2AF88714F24852DE415A7254EB749885CB81

Function 0649B2C8 Relevance: .8, Instructions: 766COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4561213815.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6490000_lUy4SKlE6A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34d2719b2fd14e31a0676d394e8cb28272c2f811fc341588771c9eb2ce4c7d6e
Instruction ID: fc9f5ce5c60ae40a27aecde4b040eab467d9c2074864ec5f33627fcd50494c0a
Opcode Fuzzy Hash: 34d2719b2fd14e31a0676d394e8cb28272c2f811fc341588771c9eb2ce4c7d6e
Instruction Fuzzy Hash: 1E526E30E502098FEF65DBA8E5947AFBBB2FB85310F20852AE405DB355DA74DC41CBA1

Function 0649C220 Relevance: .6, Instructions: 644
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.4561213815.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6490000_lUy4SKlE6A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 586564c35c457eafc56431d5d5fea001307763a835463160d0862a1aa4b48b74
Instruction ID: 61f3b6e21f7b9c88a94a111794e26737e0adaf124e93696d035f4e406c32668d
Opcode Fuzzy Hash: 586564c35c457eafc56431d5d5fea001307763a835463160d0862a1aa4b48b74
Instruction Fuzzy Hash: E7327134B412058FDF55DB68D890BAEBBB2FB89310F10952AE505EB355DB35EC42CBA0

Function 06497E20 Relevance: .5, Instructions: 473COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4561213815.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6490000_lUy4SKlE6A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 607849170b1b880c933ff83eee6a57929624d45ba7ad9348f397307e5ee1d881
Instruction ID: d587859b2b0a53622aa97ea1ddd653912847fc8395e8c51eca32ed1e698bf054
Opcode Fuzzy Hash: 607849170b1b880c933ff83eee6a57929624d45ba7ad9348f397307e5ee1d881
Instruction Fuzzy Hash: 35029030B412158FDF55DB68D984AAEBBF2FF85300F14892AD4159B395EB71EC42CBA0

Function 027C4A98 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4558842964.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_lUy4SKlE6A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4c267c159e4340f8eeae181cfad848717a85c0b797536ce52a43f4b4785cdf5
Instruction ID: 7d8df12f42e7565444b6d87b9867e0c6fd7a1b6cfa5e34d00ade65ca757452ce
Opcode Fuzzy Hash: d4c267c159e4340f8eeae181cfad848717a85c0b797536ce52a43f4b4785cdf5
Instruction Fuzzy Hash: 89B15B71E002098FDB14DFB9C8A57ADBBF2AF88314F24812DD815EB294EB749845CF91

Function 027CEC08 Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNEL32 ref: 027CEC77

Memory Dump Source

Source File: 00000000.00000002.4558842964.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_lUy4SKlE6A.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 87d8a5073fa91d37724d8b73e0081844727b0b0249e35b3394da10eaee79dcb8
Instruction ID: f0ce4726adfbe0b28e69924a7f0f3b243c06069c0fbdfbc9f763bcf0db18857a
Opcode Fuzzy Hash: 87d8a5073fa91d37724d8b73e0081844727b0b0249e35b3394da10eaee79dcb8
Instruction Fuzzy Hash: 5F1147B1C0025A9FCB10CFAAC544BDEFBF4BF48324F21812AD518A3240D378A941CFA1

Function 027CEC10 Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNEL32 ref: 027CEC77

Memory Dump Source

Source File: 00000000.00000002.4558842964.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_lUy4SKlE6A.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: b5e3a4d2c6f8cda812e0023e2f3a7002db8f9db40392d77955c24e3b2790475a
Instruction ID: 2a7b3f443b9e17863ef6ed808cd59146b267cf6396ad088b6262a10969265c2c
Opcode Fuzzy Hash: b5e3a4d2c6f8cda812e0023e2f3a7002db8f9db40392d77955c24e3b2790475a
Instruction Fuzzy Hash: EA1114B1C0065A9BCB10CFAAC544B9EFBF4AF48324F11816AD518A7240D378A954CFA1

Function 0649CFE0 Relevance: .8, Instructions: 800
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.4561213815.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6490000_lUy4SKlE6A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22e90068964bd29d472fc204499db13b6a031e84c5c510eca676715a21fc0589
Instruction ID: c74ba69c62e9da1749334a8044e822167c9a244c2f7b78e7cba2fe933b1b52d1
Opcode Fuzzy Hash: 22e90068964bd29d472fc204499db13b6a031e84c5c510eca676715a21fc0589
Instruction Fuzzy Hash: 8A624A30A0160ACFDF59EB68D590A5EBBB2FF84300F208A69D4059F359DB75ED46CB90

Function 0649AD60 Relevance: .4, Instructions: 397COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4561213815.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6490000_lUy4SKlE6A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 802716a68dd9650218e40f16b3525d9136e11d9215baf359bba251419c4ff2ae
Instruction ID: 61850a38c1d5942de26786b17f3f90c6a88abd5b7d6b4353349c09f0b9e3124f
Opcode Fuzzy Hash: 802716a68dd9650218e40f16b3525d9136e11d9215baf359bba251419c4ff2ae
Instruction Fuzzy Hash: 84E17F30F512098FDF59DB68D8946AEBBB2FF89304F20852AE405AB355DB749C42CB91

Function 0649B2BA Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4561213815.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6490000_lUy4SKlE6A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f660e408a33d99be558aa2625c44e0b575b8ccece1925daef5a2c8bd1c5830a
Instruction ID: 8eaf2f8eb7a912432e8645137d09297f9bea6fffe07dda16ef89ea25f5e70b96
Opcode Fuzzy Hash: 3f660e408a33d99be558aa2625c44e0b575b8ccece1925daef5a2c8bd1c5830a
Instruction Fuzzy Hash: 43A19530F401098FEF65DAA8E4947BFBBB2FB89310F60442AE405E7396DA35DC419B61

Function 06496DB8 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4561213815.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6490000_lUy4SKlE6A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3668a75f1e11503489c17382051661c37637d1ec1bc5054a59d53c1f8baefaf4
Instruction ID: 73df2ec1dc7b874f7fb06d2382bab0822fd22f4ac1a8b7a3a948ccc7c86c2d9a
Opcode Fuzzy Hash: 3668a75f1e11503489c17382051661c37637d1ec1bc5054a59d53c1f8baefaf4
Instruction Fuzzy Hash: E9A17930A50204CFDF54EB68D544AAEBBF2EF85314F54C46AE50AAB351DB76EC42CB90

Function 064991E8 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4561213815.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6490000_lUy4SKlE6A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a300daa5a79e32688d2890d52da24dddf29b18daa84720a2f2d9a9b2c56b5a54
Instruction ID: e5f931034c614cc969fd0f5adba7c24db8a543059ea29039753df5ec649f821d
Opcode Fuzzy Hash: a300daa5a79e32688d2890d52da24dddf29b18daa84720a2f2d9a9b2c56b5a54
Instruction Fuzzy Hash: B0914F30B4025A8FDF55DF69D890BAE77F6FF89200F54856AC409EB348EA709D42CB90

Function 06496298 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4561213815.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6490000_lUy4SKlE6A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5d7e951febd6b124aba027b5b0d69d87f2e2fe4145e97a852c94c603593f3e7
Instruction ID: 8ae5c329168e6d339ea177b8de4e5d371840ceb98cafb36070db19821a801a7b
Opcode Fuzzy Hash: b5d7e951febd6b124aba027b5b0d69d87f2e2fe4145e97a852c94c603593f3e7
Instruction Fuzzy Hash: 7261B072F001214BDF55AB7EC88465FBAD7AFC4220B25447AE90EDB364DEA5EC0287D1

Function 06494348 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4561213815.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6490000_lUy4SKlE6A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c751efd81da8284d157e116c5aae32651d61ca1dfb46a042f5a544d167fbe9
Instruction ID: d4d0bf72e773657a0ec1cdaa21b1e3e1c62d3fc962b3c42301f9f930529ffbb0
Opcode Fuzzy Hash: 14c751efd81da8284d157e116c5aae32651d61ca1dfb46a042f5a544d167fbe9
Instruction Fuzzy Hash: 47813B34B4124A8FDF55DBA9D5947AEBBF2AF89300F248529D40ADB354EB34DC438B90

Function 06494664 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4561213815.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6490000_lUy4SKlE6A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14eafa42ef6e7d98a79fdf746dcd365ad17971d21f9dab69f3bedaa1d4ac633e
Instruction ID: 519fc6701b0793ed8ab460fcf471341f41b342224786758ac1cff10ceef814bf
Opcode Fuzzy Hash: 14eafa42ef6e7d98a79fdf746dcd365ad17971d21f9dab69f3bedaa1d4ac633e
Instruction Fuzzy Hash: 46913E34E106198BDF51DF64C880B9DBBB1FF89310F20859AD549AB345DB70AE86CF90

Function 06494358 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4561213815.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6490000_lUy4SKlE6A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfdf8ce3f2e01cefb7f57a0497457abaa91675ad13327862027252dad2ab3697
Instruction ID: c5adbb735d3cbb1e9a8a0f51d0f24faaebac6de155434a55fb5747733ae5804c
Opcode Fuzzy Hash: cfdf8ce3f2e01cefb7f57a0497457abaa91675ad13327862027252dad2ab3697
Instruction Fuzzy Hash: 4F813B30B5124A8FDF55DBA9D5547AEBBF2AF89300F108529D40AEB354EB34DC428B91

Function 06494678 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4561213815.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6490000_lUy4SKlE6A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c29f64dd9c08ec2fe3faa7e8b1b1842e9dc9f9ff84120e43e4e6f0314d87d40
Instruction ID: f402bc9ab0b43418883badd7a85f494eb24dbf2c94b8641e7542c6c0e64748e9
Opcode Fuzzy Hash: 7c29f64dd9c08ec2fe3faa7e8b1b1842e9dc9f9ff84120e43e4e6f0314d87d40
Instruction Fuzzy Hash: FE911D34E106198BDF61DF68C880B9DB7B1FF89310F208599D549BB345EB71AA86CF90

Function 0649EBB2 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4561213815.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6490000_lUy4SKlE6A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29c56d275a51193dd883c32f9acdfe3f37d3baf893c95a215c6c98d61f5c711f
Instruction ID: 3a9daadf52cc5cb198569d6353800ee37d8da5b42c172adec87d1db02af64884
Opcode Fuzzy Hash: 29c56d275a51193dd883c32f9acdfe3f37d3baf893c95a215c6c98d61f5c711f
Instruction Fuzzy Hash: DB712931A402099FDF55DBA9D980AAEBBF6FF88300F24852AD405EB355DB30ED46CB50

Function 0649EBC0 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4561213815.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6490000_lUy4SKlE6A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdbd4eaad93a1d7e9d4cf1759129d5d3e6d8b57ddbed2e13451b5cd6fba97b13
Instruction ID: 222036327293ef6d8efcd950aa5819cd1265df7418fbd923846a79fdbeb27837
Opcode Fuzzy Hash: cdbd4eaad93a1d7e9d4cf1759129d5d3e6d8b57ddbed2e13451b5cd6fba97b13
Instruction Fuzzy Hash: D671FA31A402099FDF55EBA9D980A9EBBF6FF88300F24852AD405EB355DB70ED46CB50

Function 06494C10 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4561213815.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6490000_lUy4SKlE6A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7ca5bd23379663a1a13c56b9a88f568b85456d2e5598fb4fdea72ce8dd3bff0
Instruction ID: d2ce4747465c2231c10a54652c6e5a57b024a106486c5ea0a152fd42db1a8037
Opcode Fuzzy Hash: c7ca5bd23379663a1a13c56b9a88f568b85456d2e5598fb4fdea72ce8dd3bff0
Instruction Fuzzy Hash: 5B617F31F402199FEF559BA5C8557AEBBF6EF88300F20812AE105AB395DF754C468B90

Function 064991D8 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4561213815.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6490000_lUy4SKlE6A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 305710c081e6bd25b66f5f56fcf60243731381bdea7ddac4d2fdae4bedae8fa9
Instruction ID: 3efd7a01bb0b127f6128f2b3516ef57d29c13f95aa02c8da4226724298d34f7e
Opcode Fuzzy Hash: 305710c081e6bd25b66f5f56fcf60243731381bdea7ddac4d2fdae4bedae8fa9
Instruction Fuzzy Hash: F2514030B412568FEF55DB68D991BAE77F6FF89200F14896AD406DB348EA31DC02CB90

Function 0649FAD8 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4561213815.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6490000_lUy4SKlE6A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: deddc71c972e015bbc27f6604c4f2b54cd80fbe63fc70e66a68a86aa649db2ad
Instruction ID: 2e7e20843788807bfcd46c86479129a3b05af1df4461e31d8656a6bf00ba3525
Opcode Fuzzy Hash: deddc71c972e015bbc27f6604c4f2b54cd80fbe63fc70e66a68a86aa649db2ad
Instruction Fuzzy Hash: A4518434F501059BEFA666B8D854B6F3E6AE7C9310F20442BE50ACB396CE69CC4547A2

Function 0649FD38 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4561213815.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6490000_lUy4SKlE6A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7b81af5b93fda497ee509d9984ebe38cc955aac7b19216cf2f310f0f5e609e0
Instruction ID: 4898692eb1027ed98c89286e9d2ab05081602b3da7bd58346b4630e1b81d3821
Opcode Fuzzy Hash: f7b81af5b93fda497ee509d9984ebe38cc955aac7b19216cf2f310f0f5e609e0
Instruction Fuzzy Hash: 5151F331E40105CFDF94EBB8E8486AEBBB2EF85315F10896AE106D7355DB318859CB90

Function 0649FAE8 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4561213815.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6490000_lUy4SKlE6A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d93f3a98c5602676ea459ab8f6c115f823d0883b94da10fbec64a17593ae7af4
Instruction ID: 83ef2ac6e9904b787767130d4efac1f1fc838ba156d2668eae7fb324f8d887c5
Opcode Fuzzy Hash: d93f3a98c5602676ea459ab8f6c115f823d0883b94da10fbec64a17593ae7af4
Instruction Fuzzy Hash: C5519534F501059BFFA566BCD854B6F3E5AE7C9310F20442BE50ACB396CE69CC4547A2

Function 06495637 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4561213815.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6490000_lUy4SKlE6A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8243904d14917d6d4402a389622262399f5124627188c78b34acd1e2b911c6e0
Instruction ID: da390218356fd4c29d92de5f5fdcea26dad350e91195459404d0238b8c230b86
Opcode Fuzzy Hash: 8243904d14917d6d4402a389622262399f5124627188c78b34acd1e2b911c6e0
Instruction Fuzzy Hash: 82518134E502058FDF6B9A68C480B6FBFB2EB45310F34886BE159DB381C635D941CB61

Function 06494C01 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4561213815.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6490000_lUy4SKlE6A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8064dcfe4694323a509f049045c6a700b73c8af273209f83eafc8a88aea60b26
Instruction ID: 4a1ad5a3d274a88470028f6ed2137310a31a84b2beb1b0b3f94e9d0306f3745a
Opcode Fuzzy Hash: 8064dcfe4694323a509f049045c6a700b73c8af273209f83eafc8a88aea60b26
Instruction Fuzzy Hash: 2D415E75B102189FDF55DBA4C955BAEBBF6EF88300F20852AE105AB395DA718C068B90

Function 064954C8 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4561213815.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6490000_lUy4SKlE6A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27d14dc3d9482af14f1080b1fcff95ef161c16ee60465ca61c2e3a13d2d3e16b
Instruction ID: c2049b6e518f92738f34acd20cb862b20298103a09c72a1445232241cf248180
Opcode Fuzzy Hash: 27d14dc3d9482af14f1080b1fcff95ef161c16ee60465ca61c2e3a13d2d3e16b
Instruction Fuzzy Hash: 07414F31E406099FDF75CF99D880AAFFBB2EB84320F20492AD216D7655D630E9558BA0

Function 0649DB68 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4561213815.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6490000_lUy4SKlE6A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a6085b774cd0ef7958a69260f5dc83d7193b1f9f7fd4a8bae27e4909546337b
Instruction ID: eb8401dd4489385314d58159ccf08fe3c579f94a2149169dd23d002eda8b03cb
Opcode Fuzzy Hash: 7a6085b774cd0ef7958a69260f5dc83d7193b1f9f7fd4a8bae27e4909546337b
Instruction Fuzzy Hash: 5C416E30E4060ADFDF55EFA5C884AAEBFB2EF85340F20492AD405EB354DB719942CB90

Function 0649DB55 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4561213815.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6490000_lUy4SKlE6A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7509da6cc8fc697e65e12e2616ee551553b808e3dda3ac465523146ffa118e83
Instruction ID: 636475a2ee9b4f0f81492f14dafe2567dfc9d85187118286788c63842c71f4a1
Opcode Fuzzy Hash: 7509da6cc8fc697e65e12e2616ee551553b808e3dda3ac465523146ffa118e83
Instruction Fuzzy Hash: 5B418F30E106469FDF56DFB5C88469EBFB2EF85240F248A2AD405EB355EB70D842CB91

Function 064921AD Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4561213815.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6490000_lUy4SKlE6A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9169b00b98d0c9f342f4957868bdeb870654c4f87f0fa24d76cce3f42cd6c4f
Instruction ID: d826d5946ea68ba3432c28521dbf14e7607bc50934fe9ff455a44fb6b0a25711
Opcode Fuzzy Hash: a9169b00b98d0c9f342f4957868bdeb870654c4f87f0fa24d76cce3f42cd6c4f
Instruction Fuzzy Hash: E931F031B202059FDF5AAB74C9546AF7BB2AF89200B14456DC402DB396DE75CE06C7A0

Function 064921C0 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4561213815.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6490000_lUy4SKlE6A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6b2eec363562c78fe9e14c4d60b414767a1edc7dfcc5a9aa7853f5c0275ea4b
Instruction ID: 776825253677dcd0d270dc1025b6f8cb4b5722315050380bf8483396f025bad8
Opcode Fuzzy Hash: c6b2eec363562c78fe9e14c4d60b414767a1edc7dfcc5a9aa7853f5c0275ea4b
Instruction Fuzzy Hash: 1C31CD31B202059FDF59AB74C554AAF7BA2AF89640F24452DC402DB395EE75CE06C7E0

Function 0649DA08 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4561213815.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6490000_lUy4SKlE6A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d521e140d680e1231595bd9b71071e5b784f8f1dcfb05400a6cd365b254b9e89
Instruction ID: 4d1091acf9aa153b66990b7af62d38056c4e5e84908d62aebcc36d807942bf8f
Opcode Fuzzy Hash: d521e140d680e1231595bd9b71071e5b784f8f1dcfb05400a6cd365b254b9e89
Instruction Fuzzy Hash: 3C319631E5470A9FDF15DF64C98069EBFB6EF85300F14892AE905EB344DBB0A946CB90

Function 06492071 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4561213815.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6490000_lUy4SKlE6A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4737f07c32dccda6a3177e6681a1e4137cf991eb53c7d05cbae9669203a3b1d6
Instruction ID: 4cd477e8206a422d515460307b5e4f1bdee42e74daa3fe2ff8b61634099bb234
Opcode Fuzzy Hash: 4737f07c32dccda6a3177e6681a1e4137cf991eb53c7d05cbae9669203a3b1d6
Instruction Fuzzy Hash: 7F319334E60215AFDB15CF64C85569FBBB2FF89300F10841AE906EB351DBB1AD46CB50

Function 06492080 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4561213815.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6490000_lUy4SKlE6A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34cf1b09bdd32fe9614f76c10a109555f0d2444681349928cd51ec4e5eabc0c8
Instruction ID: 6a74e594ea2a5a32310110fc27e7d9783d5a9590d93c938d2fb52f960b0e0ab3
Opcode Fuzzy Hash: 34cf1b09bdd32fe9614f76c10a109555f0d2444681349928cd51ec4e5eabc0c8
Instruction Fuzzy Hash: ED317034E50205ABDF19CF64D89569FBBB2FF89700F10891AE906E7340DBB1AD82CB50

Function 06493B48 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4561213815.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6490000_lUy4SKlE6A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8284298c10eb41b2eab1e574bbbf21400ac10da202b9dcc1215bdcfbf5e82a0
Instruction ID: 82a820960894bad08d5d9bf6f21716003bbb3b6be8e38e552e11116ec02415a1
Opcode Fuzzy Hash: f8284298c10eb41b2eab1e574bbbf21400ac10da202b9dcc1215bdcfbf5e82a0
Instruction Fuzzy Hash: F7218E76F016159FDF41DFA8E881AEEBBF5EB48750F108126E906E7350E730D9418BA0

Function 06493B58 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4561213815.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6490000_lUy4SKlE6A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f33104e55b3048c33c06d9b5b0ebf75f6c71914d41cf4abb7970fb718860bde9
Instruction ID: 78ea2fa0ebfc317c4f748ff3d90ffaa1e01b6ab3e7959f25b91645c1efd7463b
Opcode Fuzzy Hash: f33104e55b3048c33c06d9b5b0ebf75f6c71914d41cf4abb7970fb718860bde9
Instruction Fuzzy Hash: 9A217875E016159FDF51DFA9D880AAEBBF1EB88720F14812AE905E7350E730DC418BA0

Function 06496DA9 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4561213815.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6490000_lUy4SKlE6A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3016f774b5f16d9de38794c4b31af487456ef852b66f1bce50fbfac1fa689585
Instruction ID: c56780d590030b43b4078d1bf08f6233a254f839f0590d8a23382598b9fac936
Opcode Fuzzy Hash: 3016f774b5f16d9de38794c4b31af487456ef852b66f1bce50fbfac1fa689585
Instruction Fuzzy Hash: 49212631B101199FEF48DB68E9516AEBBB6FF84310F24842AD505EB345EB31DC028BD0

Function 064954B8 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4561213815.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6490000_lUy4SKlE6A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c84dd2defc45fe00a01bea3c07e74651fa7313167a3a917cd14b94e690a5ee2c
Instruction ID: d72b186174848f33cd8d2616f2c7f0b6becb857587601a914b6379739c4fce8d
Opcode Fuzzy Hash: c84dd2defc45fe00a01bea3c07e74651fa7313167a3a917cd14b94e690a5ee2c
Instruction Fuzzy Hash: 3021A132A406059FCF66CFA9DC81BAFBBB2FB84310F24492AD115D7651D734A8468B90

Function 00AAD044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4558202799.0000000000AAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aad000_lUy4SKlE6A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cee3248302a3e4e9071e875b4540bd04d2b42cc11fbb62ee6363cd3e3319b46
Instruction ID: f7599d7bc2d8e379c2c352e1e69c58867e89f5cfa2a844423f611ef4a14cecc7
Opcode Fuzzy Hash: 7cee3248302a3e4e9071e875b4540bd04d2b42cc11fbb62ee6363cd3e3319b46
Instruction Fuzzy Hash: 78213475504304EFCB14CF20D9C0B26BB71FB89314F20CA6DE98B4B692C77AD846CA61

Function 064942AA Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4561213815.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6490000_lUy4SKlE6A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d5a27714598fdd0e0efdd85a6a3196a90e672ba0316f73d36644cace7831504
Instruction ID: 5bb3aaa5d061aacc59d6a35ae6efcde18be9e788e366f032d19f9cec582d70be
Opcode Fuzzy Hash: 2d5a27714598fdd0e0efdd85a6a3196a90e672ba0316f73d36644cace7831504
Instruction Fuzzy Hash: 2E01D234B441101FEF2A9279D85575B7BEAEBC5710F10882BE10AC7351E964DC0247A0

Function 06493C68 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4561213815.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6490000_lUy4SKlE6A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ae520fad34c744123838c216c7fbbf6023014662706912fc082190f10ec349b
Instruction ID: 8c48ab36fca26b42b975c701ea1a235c66d48c60445d83a74324960c68435f37
Opcode Fuzzy Hash: 9ae520fad34c744123838c216c7fbbf6023014662706912fc082190f10ec349b
Instruction Fuzzy Hash: 0011A536B105254BDF599A78D8146AFB7EAEBC9311F04453AD40AE7344DE34DC028BE0

Function 0649EE31 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4561213815.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6490000_lUy4SKlE6A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3eb5eb6b13fdeb54874b346defa926a6e994970e35e1df2e448b1a8919b7b0a
Instruction ID: afdc613a91d4531c24bd16f1e55d1b71a8b5b7a7ba1641c8f117f408e7e6f676
Opcode Fuzzy Hash: f3eb5eb6b13fdeb54874b346defa926a6e994970e35e1df2e448b1a8919b7b0a
Instruction Fuzzy Hash: 61019E357500114FDF26DA6DD891A6BBBE6EFC9710F18882AE60ACB382DA25DC024791

Function 06493921 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4561213815.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6490000_lUy4SKlE6A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79ddd31bf22805c9d0937ff231b26e2662c4420f55dba5fe5b7470b78f3e5fb1
Instruction ID: b4921c08251560f71525a97f10ca0bf0c4da6fb1d4eb644d892f0ec57954069f
Opcode Fuzzy Hash: 79ddd31bf22805c9d0937ff231b26e2662c4420f55dba5fe5b7470b78f3e5fb1
Instruction Fuzzy Hash: 0321EFB5C01219DFCB00CF9AD984B9EFBB4BF48324F10862AE518A7250D374A554CFA5

Function 0649A399 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4561213815.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6490000_lUy4SKlE6A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad5e09835fe038a6d29c02edb505716278ce893363861026475fc5d09ede6868
Instruction ID: 78befda8790b1564fdeb3584fcad836709849d56f4d0da45b89fde4c59094551
Opcode Fuzzy Hash: ad5e09835fe038a6d29c02edb505716278ce893363861026475fc5d09ede6868
Instruction Fuzzy Hash: E301B134B941504FDB66E638E86576B7BE2EB86310F10882AF20ACB351DE21DC424790

Function 06493C57 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4561213815.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6490000_lUy4SKlE6A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e62766c90cfbd57c7ba3e4c9ba04e963cf536b0a59e7026a65924216d952bcfe
Instruction ID: b72780b042b789746e648b5a65987434d57367d608f9196ae0ac5bfd240d617e
Opcode Fuzzy Hash: e62766c90cfbd57c7ba3e4c9ba04e963cf536b0a59e7026a65924216d952bcfe
Instruction Fuzzy Hash: B4012432B105654BEF9ADAB8DC156EF76AAEBC9610F14003AD40BE7344EA748C0287E0

Function 06493108 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4561213815.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6490000_lUy4SKlE6A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8a436f92571d08ce944eada0fba4f62070647e65291d7447ae671f0f543c84e
Instruction ID: 3de3e3c32de63ab4f407aa1ae643df0894b58e15edca87d7c1553e6043a136c9
Opcode Fuzzy Hash: e8a436f92571d08ce944eada0fba4f62070647e65291d7447ae671f0f543c84e
Instruction Fuzzy Hash: A401AD75E002188ADF69DFB9C8405DFFFB5EB8A310F10856AD50AE7300EA319A40CBE0

Function 00AAD03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4558202799.0000000000AAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aad000_lUy4SKlE6A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction ID: ef697e331bddd107c7b187f58005ad013ddf85c360092011ce8b57fe282e1ede
Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction Fuzzy Hash: 62119D75504284DFCB15CF10D9C4B15BBA2FB89314F24C6ADE88A4B696C33AD84ACF62

Function 06493928 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4561213815.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6490000_lUy4SKlE6A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a11ba78c37130d1d82497dc8277fe0c9aef2c904b8b44edd9ea9173d829541
Instruction ID: 4e34c9b5406a3b251ab49279f3c8d24d314e3222356837634122666e2abf1ce4
Opcode Fuzzy Hash: 52a11ba78c37130d1d82497dc8277fe0c9aef2c904b8b44edd9ea9173d829541
Instruction Fuzzy Hash: F511CFB1D01219EFCB00CF9AD884BDEFBB4FB48324F10812AE918A7300D374A954CBA5

Function 064942B8 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4561213815.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6490000_lUy4SKlE6A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18ba4da897ca2956b38b14060aab619b5ba27484863ac5a47f20df748ff1eca7
Instruction ID: a2808f19f4700a5126e63955857f4a9ba076dfa6051fb9f730d8ae52efa7cc3c
Opcode Fuzzy Hash: 18ba4da897ca2956b38b14060aab619b5ba27484863ac5a47f20df748ff1eca7
Instruction Fuzzy Hash: 9501D135B500100BEF69A6BED415B5FBBDAEBC9720F20883AE10AC7380DD61DC4347A0

Function 0649EE40 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4561213815.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6490000_lUy4SKlE6A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67c894a53c0edcffc6a38371286c878dab43f6d038057d21ead54522f3c3aab4
Instruction ID: 1e7432783df7d3458f5e3217d9589ab785a52407e30dca2797065159cd269546
Opcode Fuzzy Hash: 67c894a53c0edcffc6a38371286c878dab43f6d038057d21ead54522f3c3aab4
Instruction Fuzzy Hash: 51016939B500114BDF6AD66D9490B2B7AE6EBC9710F14883AF20ACB340EE65DC024791

Function 0649A3A8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4561213815.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6490000_lUy4SKlE6A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8739784d9768c7d7b3d2a9883b058787251af706c796cf78d8858477a2b752c3
Instruction ID: 9a80d721b85413ef50b55a6fcd35c018b634b32abd41dfb320b2b4b8fac7a991
Opcode Fuzzy Hash: 8739784d9768c7d7b3d2a9883b058787251af706c796cf78d8858477a2b752c3
Instruction Fuzzy Hash: 51018134B500144FDF66AA78D465B2F7BD6EB85710F10882AF20ACB354DE21DC424B90

Function 0649C878 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4561213815.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6490000_lUy4SKlE6A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e6a015c7fe1c3d170602edb646551dcf257a4db3268e965f241fce672f6434a
Instruction ID: 6bd0272f48058ef6ee98c8c1062486ae7a48f2e73a7e38ee5128bac1d93b1d29
Opcode Fuzzy Hash: 0e6a015c7fe1c3d170602edb646551dcf257a4db3268e965f241fce672f6434a
Instruction Fuzzy Hash: 1C01A431F50224DFDF59DA79E881A9EBB76F785350F10452EE905EB344DB32A8018BD4

Function 0649AFB0 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4561213815.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6490000_lUy4SKlE6A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf5304718d7affdcaec370d4e11eabeab10599cadb1f39d7611e37564ca8ae7a
Instruction ID: 9b8b0b0284e06b2b0ce8c60e9178c921299f0a7e8683bdb228aea76b7cfc5599
Opcode Fuzzy Hash: cf5304718d7affdcaec370d4e11eabeab10599cadb1f39d7611e37564ca8ae7a
Instruction Fuzzy Hash: B6F05576E502188BDF7086A9E80478FBFA9E741324F10443BE90AE3300D6319C80CBA1

Function 06496519 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4561213815.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6490000_lUy4SKlE6A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eabc8a87a56e74a0fc50a064bf496d2a5ae8423be9d944c49cf701d96c5b2436
Instruction ID: 24ec76a8a7eb506920b1b83127ce65c5ac774e0ecf9acd2d7c3a15e0b6411c20
Opcode Fuzzy Hash: eabc8a87a56e74a0fc50a064bf496d2a5ae8423be9d944c49cf701d96c5b2436
Instruction Fuzzy Hash: BEE02672E681489BFF91CEB0DA0539B3E64EB43214F6148F7C808CB202E176CD018350

Function 06496528 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4561213815.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6490000_lUy4SKlE6A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c2149c8404fdb3d378cb6846175523c8f02b307357daa6c7fb311a4fbcfcf5a
Instruction ID: 917bee8ae1e9df8c0cc693d8ce60f1c1b7989af64c7e7ad5fdad8795ec573ba4
Opcode Fuzzy Hash: 8c2149c8404fdb3d378cb6846175523c8f02b307357daa6c7fb311a4fbcfcf5a
Instruction Fuzzy Hash: AEE0C271E5010CABEF50CEB4D90575F7BACD702224FA184A6D808C7302E272CE0187A0

Non-executed Functions

Function 06490040 Relevance: 2.0, Instructions: 1968COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4561213815.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6490000_lUy4SKlE6A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c1d2c3b90fb7df4c449e92909aa4c217478d163169721c94398915a8528c89c
Instruction ID: 3c2ce93a2f3e788037b81754cba309cd3bca91888c429a1a1149b542adbe28f2
Opcode Fuzzy Hash: 9c1d2c3b90fb7df4c449e92909aa4c217478d163169721c94398915a8528c89c
Instruction Fuzzy Hash: 8C23EB31D10B198ACB11EF68C89459EF7B1FF99300F15D79AE458B7221EB70AAC5CB81

Function 027C41C8 Relevance: 1.5, Strings: 1, Instructions: 281COMMON

Download Yara Rule

Strings

\V[n, xrefs: 027C447F

Memory Dump Source

Source File: 00000000.00000002.4558842964.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_lUy4SKlE6A.jbxd

Similarity

API ID:
String ID: \V[n
API String ID: 0-1005319620
Opcode ID: c132e36189e8909377ea97faad2789f1591681e73bd7f0477199ea4a07930d57
Instruction ID: 359dee317d982527c9e5715bdf865ef435d68395a9ef2fae409f34f1665cf592
Opcode Fuzzy Hash: c132e36189e8909377ea97faad2789f1591681e73bd7f0477199ea4a07930d57
Instruction Fuzzy Hash: 0EB13970E002198FDB14CFB9D8A57AEBBF2BF88714F24812DD815A7294EB749945CF81

Function 0649E440 Relevance: .6, Instructions: 589COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4561213815.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6490000_lUy4SKlE6A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c987db754b4b16b9a32f1d10f01e3af6ce448f545d5547b1699488591a92e20
Instruction ID: 5b008c07df8e94026a8cf79fb0c76d7681a9692ec2e5246a192b2cba1c5529dd
Opcode Fuzzy Hash: 9c987db754b4b16b9a32f1d10f01e3af6ce448f545d5547b1699488591a92e20
Instruction Fuzzy Hash: 58228E30B101058FDF55DB68D484AAEBBF2EF89310F24856AD506DB3A2DB75DC42CBA1

Function 06497740 Relevance: .5, Instructions: 468COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4561213815.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6490000_lUy4SKlE6A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36936bb0fadc3d22bb848eaf036318698ff892c32bfabd32d4d956f43e81134e
Instruction ID: 8e376ca87e820da2da060cc8ed58113f8502af08fc8f30cb350fb88a53a6c9c1
Opcode Fuzzy Hash: 36936bb0fadc3d22bb848eaf036318698ff892c32bfabd32d4d956f43e81134e
Instruction Fuzzy Hash: 65122C30E51219CFDF69DB65C854AAEBBB2FF88304F20856AD50AAB355DB309D41CF90

Function 06495D98 Relevance: .4, Instructions: 417COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4561213815.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6490000_lUy4SKlE6A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f179b2e0ae7b288a3c30a3ed9aca504d5b17bbb4294ee1099f2fd56d5a7e0490
Instruction ID: 40648e8eda5913913b1cb4424e92fc3b8dde06b87ded31fda9885d097cfbfde3
Opcode Fuzzy Hash: f179b2e0ae7b288a3c30a3ed9aca504d5b17bbb4294ee1099f2fd56d5a7e0490
Instruction Fuzzy Hash: E0D1E531B101148FDF55DB68D584AAEBBF6FB89310F25846BE44ADB392CA31DC45C7A0

Function 06581988 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4561321487.0000000006580000.00000040.00000800.00020000.00000000.sdmp, Offset: 06580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6580000_lUy4SKlE6A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51cc76639083b34965fada6210c476d2746ba121bb45d1da93439ab46492d341
Instruction ID: 4d8a4bbe67bbc9bb4c086d4adb4dd6e07819450109b7dfceb72768a0ab15494d
Opcode Fuzzy Hash: 51cc76639083b34965fada6210c476d2746ba121bb45d1da93439ab46492d341
Instruction Fuzzy Hash: EE1298B2C8AB468BD790CF66E88C1893BB1B741318BD1CB09D3621F2E5D7B4116ACF44

Function 06581982 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4561321487.0000000006580000.00000040.00000800.00020000.00000000.sdmp, Offset: 06580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6580000_lUy4SKlE6A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4e9d7b612626771069654b20599d5c6142bfd779055b7c1aa3f174903c16fc7
Instruction ID: a9ab050e51e71311cfd24a618a3f43f1774aed4b8c02cb206d030d0757b25007
Opcode Fuzzy Hash: c4e9d7b612626771069654b20599d5c6142bfd779055b7c1aa3f174903c16fc7
Instruction Fuzzy Hash: 5AC10CB1C9AB468BD790CF66E88C1897BB1BB85314F91CB09D3622F2D0DBB41466CF44

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report lUy4SKlE6A.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Windows Analysis Report
lUy4SKlE6A.exe

Function 06495648 Relevance: 1.8, Strings: 1, Instructions: 594
COMMON

Function 027C3E80 Relevance: 1.5, Strings: 1, Instructions: 238
COMMON

Function 0649C220 Relevance: .6, Instructions: 644
COMMON

Function 027CEC08 Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Function 027CEC10 Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Function 0649CFE0 Relevance: .8, Instructions: 800
COMMON

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre