Edit tour

Windows Analysis Report
odo7jrvnU3.exe

Overview

General Information

Sample name:	odo7jrvnU3.exe renamed because original name is a hash value
Original sample name:	f16bef1f03fc8f4601297f15577a550d4de4ba4a47a943ac591585c6802fe340.exe
Analysis ID:	1571571
MD5:	b6c329165699196acb38053ae6308e61
SHA1:	8a082a54b892a9963382c3cb66d98def3cf1bfa0
SHA256:	f16bef1f03fc8f4601297f15577a550d4de4ba4a47a943ac591585c6802fe340
Tags:	213-21-220-222exeRedLineStealeruser-JAMESWT_MHT
Infos:

Detection

RedLine

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected RedLine Stealer

.NET source code contains very large array initializations

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Detected TCP or UDP traffic on non-standard ports

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

Program does not show much activity (idle)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Communication To Uncommon Destination Ports

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

odo7jrvnU3.exe (PID: 8012 cmdline: "C:\Users\user\Desktop\odo7jrvnU3.exe" MD5: B6C329165699196ACB38053AE6308E61)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration

Threatname: RedLine

{"C2 url": "213.21.220.222:8080"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
odo7jrvnU3.exe	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000000.1273548797.00000000000D2000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: odo7jrvnU3.exe PID: 8012	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
5.0.odo7jrvnU3.exe.d0000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Sigma Signatures

System Summary

Sigma detected: Communication To Uncommon Destination Ports

Source: Network Connection

Author: Florian Roth (Nextron Systems): Data: DestinationIp: 213.21.220.222, DestinationIsIpv6: false, DestinationPort: 8080, EventID: 3, Image: C:\Users\user\Desktop\odo7jrvnU3.exe, Initiated: true, ProcessId: 8012, Protocol: tcp, SourceIp: 192.168.2.10, SourceIsIpv6: false, SourcePort: 49702

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: odo7jrvnU3.exe.8012.5.memstrmin

Malware Configuration Extractor: RedLine {"C2 url": "213.21.220.222:8080"}

Multi AV Scanner detection for submitted file

Source: odo7jrvnU3.exe

ReversingLabs: Detection: 68%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Machine Learning detection for sample

Source: odo7jrvnU3.exe

Joe Sandbox ML: detected

Source: odo7jrvnU3.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: odo7jrvnU3.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdb source: odo7jrvnU3.exe, 00000005.00000002.2529785055.00000000008F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ServiceModel.pdb source: odo7jrvnU3.exe, 00000005.00000002.2529785055.000000000099F000.00000004.00000020.00020000.00000000.sdmp, odo7jrvnU3.exe, 00000005.00000002.2531268430.0000000004BE0000.00000004.00000020.00020000.00000000.sdmp, odo7jrvnU3.exe, 00000005.00000002.2529785055.000000000096B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: odo7jrvnU3.exe, 00000005.00000002.2529785055.000000000096B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdbC source: odo7jrvnU3.exe, 00000005.00000002.2531268430.0000000004BC0000.00000004.00000020.00020000.00000000.sdmp

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 213.21.220.222:8080

Source: global traffic

TCP traffic: 192.168.2.10:49702 -> 213.21.220.222:8080

Source: Joe Sandbox View

IP Address: 213.21.220.222 213.21.220.222

Source: Joe Sandbox View

ASN Name: VERSIALV VERSIALV

Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.21.220.222

Source: odo7jrvnU3.exe, 00000005.00000002.2530216022.0000000002537000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: odo7jrvnU3.exe, 00000005.00000002.2530216022.0000000002537000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\ equals www.youtube.com (Youtube)
Source: odo7jrvnU3.exe, 00000005.00000002.2530216022.0000000002537000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb`, equals www.youtube.com (Youtube)
Source: odo7jrvnU3.exe, 00000005.00000002.2530216022.0000000002537000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q#www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: odo7jrvnU3.exe, 00000005.00000002.2530216022.0000000002537000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q3IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\ equals www.youtube.com (Youtube)

Source: odo7jrvnU3.exe, 00000005.00000002.2530216022.000000000259F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: odo7jrvnU3.exe, 00000005.00000002.2530216022.000000000259F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: odo7jrvnU3.exe, 00000005.00000002.2530216022.000000000259F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: odo7jrvnU3.exe, 00000005.00000002.2530216022.000000000259F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: odo7jrvnU3.exe, 00000005.00000002.2530216022.000000000259F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: odo7jrvnU3.exe, 00000005.00000002.2530216022.000000000259F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
Source: odo7jrvnU3.exe, 00000005.00000002.2530216022.000000000259F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: odo7jrvnU3.exe, 00000005.00000002.2530216022.000000000259F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: odo7jrvnU3.exe, 00000005.00000002.2530216022.000000000259F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: odo7jrvnU3.exe, 00000005.00000002.2530216022.000000000259F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: odo7jrvnU3.exe, 00000005.00000002.2530216022.000000000259F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: odo7jrvnU3.exe, 00000005.00000002.2530216022.000000000259F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: odo7jrvnU3.exe, 00000005.00000002.2530216022.000000000259F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: odo7jrvnU3.exe, 00000005.00000002.2530216022.000000000259F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possesspropertyl
Source: odo7jrvnU3.exe, 00000005.00000002.2530216022.000000000259F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/8)
Source: odo7jrvnU3.exe, 00000005.00000002.2530216022.0000000002667000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/RestAPI/
Source: odo7jrvnU3.exe, 00000005.00000002.2530216022.00000000026AA000.00000004.00000800.00020000.00000000.sdmp, odo7jrvnU3.exe, 00000005.00000002.2530216022.000000000261B000.00000004.00000800.00020000.00000000.sdmp, odo7jrvnU3.exe, 00000005.00000002.2530216022.000000000272E000.00000004.00000800.00020000.00000000.sdmp, odo7jrvnU3.exe, 00000005.00000002.2530216022.000000000259F000.00000004.00000800.00020000.00000000.sdmp, odo7jrvnU3.exe, 00000005.00000002.2530216022.00000000026EC000.00000004.00000800.00020000.00000000.sdmp, odo7jrvnU3.exe, 00000005.00000002.2530216022.0000000002667000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/RestAPI/TreeObject1LR
Source: odo7jrvnU3.exe, 00000005.00000002.2530216022.00000000026AA000.00000004.00000800.00020000.00000000.sdmp, odo7jrvnU3.exe, 00000005.00000002.2530216022.000000000261B000.00000004.00000800.00020000.00000000.sdmp, odo7jrvnU3.exe, 00000005.00000002.2530216022.000000000272E000.00000004.00000800.00020000.00000000.sdmp, odo7jrvnU3.exe, 00000005.00000002.2530216022.000000000259F000.00000004.00000800.00020000.00000000.sdmp, odo7jrvnU3.exe, 00000005.00000002.2530216022.00000000026EC000.00000004.00000800.00020000.00000000.sdmp, odo7jrvnU3.exe, 00000005.00000002.2530216022.0000000002667000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/RestAPI/TreeObject1ResponseXx
Source: odo7jrvnU3.exe, 00000005.00000002.2530216022.00000000026AA000.00000004.00000800.00020000.00000000.sdmp, odo7jrvnU3.exe, 00000005.00000002.2530216022.000000000261B000.00000004.00000800.00020000.00000000.sdmp, odo7jrvnU3.exe, 00000005.00000002.2530216022.000000000272E000.00000004.00000800.00020000.00000000.sdmp, odo7jrvnU3.exe, 00000005.00000002.2530216022.000000000259F000.00000004.00000800.00020000.00000000.sdmp, odo7jrvnU3.exe, 00000005.00000002.2530216022.00000000026EC000.00000004.00000800.00020000.00000000.sdmp, odo7jrvnU3.exe, 00000005.00000002.2530216022.0000000002667000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/RestAPI/TreeObject2LR
Source: odo7jrvnU3.exe, 00000005.00000002.2530216022.00000000026AA000.00000004.00000800.00020000.00000000.sdmp, odo7jrvnU3.exe, 00000005.00000002.2530216022.000000000261B000.00000004.00000800.00020000.00000000.sdmp, odo7jrvnU3.exe, 00000005.00000002.2530216022.000000000272E000.00000004.00000800.00020000.00000000.sdmp, odo7jrvnU3.exe, 00000005.00000002.2530216022.000000000259F000.00000004.00000800.00020000.00000000.sdmp, odo7jrvnU3.exe, 00000005.00000002.2530216022.00000000026EC000.00000004.00000800.00020000.00000000.sdmp, odo7jrvnU3.exe, 00000005.00000002.2530216022.0000000002667000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/RestAPI/TreeObject2ResponseXx
Source: odo7jrvnU3.exe, 00000005.00000002.2530216022.00000000026AA000.00000004.00000800.00020000.00000000.sdmp, odo7jrvnU3.exe, 00000005.00000002.2530216022.000000000261B000.00000004.00000800.00020000.00000000.sdmp, odo7jrvnU3.exe, 00000005.00000002.2530216022.000000000272E000.00000004.00000800.00020000.00000000.sdmp, odo7jrvnU3.exe, 00000005.00000002.2530216022.000000000259F000.00000004.00000800.00020000.00000000.sdmp, odo7jrvnU3.exe, 00000005.00000002.2530216022.00000000026EC000.00000004.00000800.00020000.00000000.sdmp, odo7jrvnU3.exe, 00000005.00000002.2530216022.0000000002667000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/RestAPI/TreeObject3LR
Source: odo7jrvnU3.exe, 00000005.00000002.2530216022.00000000026AA000.00000004.00000800.00020000.00000000.sdmp, odo7jrvnU3.exe, 00000005.00000002.2530216022.000000000261B000.00000004.00000800.00020000.00000000.sdmp, odo7jrvnU3.exe, 00000005.00000002.2530216022.000000000272E000.00000004.00000800.00020000.00000000.sdmp, odo7jrvnU3.exe, 00000005.00000002.2530216022.000000000259F000.00000004.00000800.00020000.00000000.sdmp, odo7jrvnU3.exe, 00000005.00000002.2530216022.00000000026EC000.00000004.00000800.00020000.00000000.sdmp, odo7jrvnU3.exe, 00000005.00000002.2530216022.0000000002667000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/RestAPI/TreeObject3ResponseXx
Source: odo7jrvnU3.exe, 00000005.00000002.2530216022.00000000024E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.s
Source: odo7jrvnU3.exe, 00000005.00000002.2530216022.00000000024E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/ip

System Summary

.NET source code contains very large array initializations

Source: odo7jrvnU3.exe, Strings.cs

Large array initialization: Strings: array initializer size 6160

Source: odo7jrvnU3.exe, 00000005.00000000.1273548797.00000000000D2000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenamePutz.exe" vs odo7jrvnU3.exe
Source: odo7jrvnU3.exe, 00000005.00000002.2529785055.00000000008BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs odo7jrvnU3.exe
Source: odo7jrvnU3.exe	Binary or memory string: OriginalFilenamePutz.exe" vs odo7jrvnU3.exe

Source: odo7jrvnU3.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal80.troj.winEXE@1/0@0/1

Source: C:\Users\user\Desktop\odo7jrvnU3.exe

Mutant created: NULL

Source: odo7jrvnU3.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: odo7jrvnU3.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\odo7jrvnU3.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: odo7jrvnU3.exe

ReversingLabs: Detection: 68%

Source: C:\Users\user\Desktop\odo7jrvnU3.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\odo7jrvnU3.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\odo7jrvnU3.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\odo7jrvnU3.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\odo7jrvnU3.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\odo7jrvnU3.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\odo7jrvnU3.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\odo7jrvnU3.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\odo7jrvnU3.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\odo7jrvnU3.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\odo7jrvnU3.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\odo7jrvnU3.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\odo7jrvnU3.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\odo7jrvnU3.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\odo7jrvnU3.exe	Section loaded: mswsock.dll	Jump to behavior

Source: odo7jrvnU3.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: odo7jrvnU3.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdb source: odo7jrvnU3.exe, 00000005.00000002.2529785055.00000000008F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ServiceModel.pdb source: odo7jrvnU3.exe, 00000005.00000002.2529785055.000000000099F000.00000004.00000020.00020000.00000000.sdmp, odo7jrvnU3.exe, 00000005.00000002.2531268430.0000000004BE0000.00000004.00000020.00020000.00000000.sdmp, odo7jrvnU3.exe, 00000005.00000002.2529785055.000000000096B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: odo7jrvnU3.exe, 00000005.00000002.2529785055.000000000096B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdbC source: odo7jrvnU3.exe, 00000005.00000002.2531268430.0000000004BC0000.00000004.00000020.00020000.00000000.sdmp

Source: odo7jrvnU3.exe

Static PE information: 0xCD6FC304 [Tue Mar 21 19:48:20 2079 UTC]

Source: C:\Users\user\Desktop\odo7jrvnU3.exe

Code function: 5_2_0089B2E0 push eax; iretd

5_2_0089B2E1

Source: odo7jrvnU3.exe, TTmEWhqQy8Sta6FEMu.cs

High entropy of concatenated method names: 'acyXjuTJ5', 'E8sSpQDy9', 'fHBMYaca3', 'HIl3HqZ3u', 'ILpaFTW9N', 'KeekH7pVM', 'BXBTut9OB', 'TNBgMmXfx', 'FPx4aLUO9', 'moUzdrNxj'

Source: C:\Users\user\Desktop\odo7jrvnU3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\odo7jrvnU3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\odo7jrvnU3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\odo7jrvnU3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\odo7jrvnU3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\odo7jrvnU3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\odo7jrvnU3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\odo7jrvnU3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\odo7jrvnU3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\odo7jrvnU3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\odo7jrvnU3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\odo7jrvnU3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\odo7jrvnU3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\odo7jrvnU3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\odo7jrvnU3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\odo7jrvnU3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\odo7jrvnU3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\odo7jrvnU3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\odo7jrvnU3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\odo7jrvnU3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\odo7jrvnU3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\odo7jrvnU3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\odo7jrvnU3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\odo7jrvnU3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\odo7jrvnU3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\odo7jrvnU3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\odo7jrvnU3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\odo7jrvnU3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\odo7jrvnU3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\odo7jrvnU3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\odo7jrvnU3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\odo7jrvnU3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\odo7jrvnU3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\odo7jrvnU3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\odo7jrvnU3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\odo7jrvnU3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\odo7jrvnU3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\odo7jrvnU3.exe	Memory allocated: 890000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\odo7jrvnU3.exe	Memory allocated: 2490000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\odo7jrvnU3.exe	Memory allocated: 2250000 memory reserve \| memory write watch	Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: odo7jrvnU3.exe, 00000005.00000002.2531268430.0000000004BC0000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\odo7jrvnU3.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\odo7jrvnU3.exe	Queries volume information: C:\Users\user\Desktop\odo7jrvnU3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\odo7jrvnU3.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\odo7jrvnU3.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\odo7jrvnU3.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\odo7jrvnU3.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\odo7jrvnU3.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\odo7jrvnU3.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match	File source: odo7jrvnU3.exe, type: SAMPLE
Source: Yara match	File source: 5.0.odo7jrvnU3.exe.d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000000.1273548797.00000000000D2000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: odo7jrvnU3.exe PID: 8012, type: MEMORYSTR

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match	File source: odo7jrvnU3.exe, type: SAMPLE
Source: Yara match	File source: 5.0.odo7jrvnU3.exe.d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000000.1273548797.00000000000D2000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: odo7jrvnU3.exe PID: 8012, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Timestomp	Security Account Manager	12 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
odo7jrvnU3.exe	68%	ReversingLabs	ByteCode-MSIL.Trojan.RedLineStealer
odo7jrvnU3.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
https://api.ip.s	0%	Avira URL Cloud	safe
213.21.220.222:8080	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
213.21.220.222:8080	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.ip.sb/ip	odo7jrvnU3.exe, 00000005.00000002.2530216022.00000000024E4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement	odo7jrvnU3.exe, 00000005.00000002.2530216022.000000000259F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/RestAPI/TreeObject1LR	odo7jrvnU3.exe, 00000005.00000002.2530216022.00000000026AA000.00000004.00000800.00020000.00000000.sdmp, odo7jrvnU3.exe, 00000005.00000002.2530216022.000000000261B000.00000004.00000800.00020000.00000000.sdmp, odo7jrvnU3.exe, 00000005.00000002.2530216022.000000000272E000.00000004.00000800.00020000.00000000.sdmp, odo7jrvnU3.exe, 00000005.00000002.2530216022.000000000259F000.00000004.00000800.00020000.00000000.sdmp, odo7jrvnU3.exe, 00000005.00000002.2530216022.00000000026EC000.00000004.00000800.00020000.00000000.sdmp, odo7jrvnU3.exe, 00000005.00000002.2530216022.0000000002667000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/RestAPI/TreeObject2LR	odo7jrvnU3.exe, 00000005.00000002.2530216022.00000000026AA000.00000004.00000800.00020000.00000000.sdmp, odo7jrvnU3.exe, 00000005.00000002.2530216022.000000000261B000.00000004.00000800.00020000.00000000.sdmp, odo7jrvnU3.exe, 00000005.00000002.2530216022.000000000272E000.00000004.00000800.00020000.00000000.sdmp, odo7jrvnU3.exe, 00000005.00000002.2530216022.000000000259F000.00000004.00000800.00020000.00000000.sdmp, odo7jrvnU3.exe, 00000005.00000002.2530216022.00000000026EC000.00000004.00000800.00020000.00000000.sdmp, odo7jrvnU3.exe, 00000005.00000002.2530216022.0000000002667000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous	odo7jrvnU3.exe, 00000005.00000002.2530216022.000000000259F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/RestAPI/TreeObject2ResponseXx	odo7jrvnU3.exe, 00000005.00000002.2530216022.00000000026AA000.00000004.00000800.00020000.00000000.sdmp, odo7jrvnU3.exe, 00000005.00000002.2530216022.000000000261B000.00000004.00000800.00020000.00000000.sdmp, odo7jrvnU3.exe, 00000005.00000002.2530216022.000000000272E000.00000004.00000800.00020000.00000000.sdmp, odo7jrvnU3.exe, 00000005.00000002.2530216022.000000000259F000.00000004.00000800.00020000.00000000.sdmp, odo7jrvnU3.exe, 00000005.00000002.2530216022.00000000026EC000.00000004.00000800.00020000.00000000.sdmp, odo7jrvnU3.exe, 00000005.00000002.2530216022.0000000002667000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/envelope/	odo7jrvnU3.exe, 00000005.00000002.2530216022.000000000259F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ip.s	odo7jrvnU3.exe, 00000005.00000002.2530216022.00000000024E4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/right/possesspropertyl	odo7jrvnU3.exe, 00000005.00000002.2530216022.000000000259F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested	odo7jrvnU3.exe, 00000005.00000002.2530216022.000000000259F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/RestAPI/TreeObject3ResponseXx	odo7jrvnU3.exe, 00000005.00000002.2530216022.00000000026AA000.00000004.00000800.00020000.00000000.sdmp, odo7jrvnU3.exe, 00000005.00000002.2530216022.000000000261B000.00000004.00000800.00020000.00000000.sdmp, odo7jrvnU3.exe, 00000005.00000002.2530216022.000000000272E000.00000004.00000800.00020000.00000000.sdmp, odo7jrvnU3.exe, 00000005.00000002.2530216022.000000000259F000.00000004.00000800.00020000.00000000.sdmp, odo7jrvnU3.exe, 00000005.00000002.2530216022.00000000026EC000.00000004.00000800.00020000.00000000.sdmp, odo7jrvnU3.exe, 00000005.00000002.2530216022.0000000002667000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse	odo7jrvnU3.exe, 00000005.00000002.2530216022.000000000259F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing	odo7jrvnU3.exe, 00000005.00000002.2530216022.000000000259F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing/fault	odo7jrvnU3.exe, 00000005.00000002.2530216022.000000000259F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence	odo7jrvnU3.exe, 00000005.00000002.2530216022.000000000259F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/RestAPI/TreeObject1ResponseXx	odo7jrvnU3.exe, 00000005.00000002.2530216022.00000000026AA000.00000004.00000800.00020000.00000000.sdmp, odo7jrvnU3.exe, 00000005.00000002.2530216022.000000000261B000.00000004.00000800.00020000.00000000.sdmp, odo7jrvnU3.exe, 00000005.00000002.2530216022.000000000272E000.00000004.00000800.00020000.00000000.sdmp, odo7jrvnU3.exe, 00000005.00000002.2530216022.000000000259F000.00000004.00000800.00020000.00000000.sdmp, odo7jrvnU3.exe, 00000005.00000002.2530216022.00000000026EC000.00000004.00000800.00020000.00000000.sdmp, odo7jrvnU3.exe, 00000005.00000002.2530216022.0000000002667000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/rm	odo7jrvnU3.exe, 00000005.00000002.2530216022.000000000259F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage	odo7jrvnU3.exe, 00000005.00000002.2530216022.000000000259F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/8)	odo7jrvnU3.exe, 00000005.00000002.2530216022.000000000259F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/RestAPI/TreeObject3LR	odo7jrvnU3.exe, 00000005.00000002.2530216022.00000000026AA000.00000004.00000800.00020000.00000000.sdmp, odo7jrvnU3.exe, 00000005.00000002.2530216022.000000000261B000.00000004.00000800.00020000.00000000.sdmp, odo7jrvnU3.exe, 00000005.00000002.2530216022.000000000272E000.00000004.00000800.00020000.00000000.sdmp, odo7jrvnU3.exe, 00000005.00000002.2530216022.000000000259F000.00000004.00000800.00020000.00000000.sdmp, odo7jrvnU3.exe, 00000005.00000002.2530216022.00000000026EC000.00000004.00000800.00020000.00000000.sdmp, odo7jrvnU3.exe, 00000005.00000002.2530216022.0000000002667000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/RestAPI/	odo7jrvnU3.exe, 00000005.00000002.2530216022.0000000002667000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence	odo7jrvnU3.exe, 00000005.00000002.2530216022.000000000259F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/actor/next	odo7jrvnU3.exe, 00000005.00000002.2530216022.000000000259F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns	odo7jrvnU3.exe, 00000005.00000002.2530216022.000000000259F000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
213.21.220.222	unknown	Latvia		8285	VERSIALV	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1571571
Start date and time:	2024-12-09 15:08:53 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	odo7jrvnU3.exe renamed because original name is a hash value
Original Sample Name:	f16bef1f03fc8f4601297f15577a550d4de4ba4a47a943ac591585c6802fe340.exe
Detection:	MAL
Classification:	mal80.troj.winEXE@1/0@0/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 51 Number of non-executed functions: 10
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, WMIADAP.exe, SIHClient.exe, Sgrmuserer.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.63, 52.149.20.212
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target odo7jrvnU3.exe, PID 8012 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: odo7jrvnU3.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
213.21.220.222	5pjP6CEFUO.exe	Get hash	malicious	RedLine	Browse
	h2TTyq9R7h.exe	Get hash	malicious	RedLine	Browse
	1iYCBTo5tf.exe	Get hash	malicious	RedLine	Browse
	DTOmEgnQPL.exe	Get hash	malicious	RedLine	Browse
	O6QBxoK4Gf.exe	Get hash	malicious	RedLine	Browse
	SecuriteInfo.com.Win32.CrypterX-gen.8926.894.exe	Get hash	malicious	RedLine, zgRAT	Browse
	I2kX6f0yTr.exe	Get hash	malicious	RedLine	Browse
	SecuriteInfo.com.Win32.TrojanX-gen.19212.12665.exe	Get hash	malicious	RedLine, zgRAT	Browse
	3aH5fWewHY.exe	Get hash	malicious	RedLine, zgRAT	Browse
	file.exe	Get hash	malicious	RedLine	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
VERSIALV	5pjP6CEFUO.exe	Get hash	malicious	RedLine	Browse	213.21.220.222
	h2TTyq9R7h.exe	Get hash	malicious	RedLine	Browse	213.21.220.222
	1iYCBTo5tf.exe	Get hash	malicious	RedLine	Browse	213.21.220.222
	DTOmEgnQPL.exe	Get hash	malicious	RedLine	Browse	213.21.220.222
	O6QBxoK4Gf.exe	Get hash	malicious	RedLine	Browse	213.21.220.222
	SecuriteInfo.com.Win32.CrypterX-gen.8926.894.exe	Get hash	malicious	RedLine, zgRAT	Browse	213.21.220.222
	I2kX6f0yTr.exe	Get hash	malicious	RedLine	Browse	213.21.220.222
	SecuriteInfo.com.Win32.TrojanX-gen.19212.12665.exe	Get hash	malicious	RedLine, zgRAT	Browse	213.21.220.222
	3aH5fWewHY.exe	Get hash	malicious	RedLine, zgRAT	Browse	213.21.220.222
	file.exe	Get hash	malicious	RedLine	Browse	213.21.220.222

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.339922832732466
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	odo7jrvnU3.exe
File size:	228'688 bytes
MD5:	b6c329165699196acb38053ae6308e61
SHA1:	8a082a54b892a9963382c3cb66d98def3cf1bfa0
SHA256:	f16bef1f03fc8f4601297f15577a550d4de4ba4a47a943ac591585c6802fe340
SHA512:	8068deba37c340d37a9873a5a97e6d510b2a02bf90d72cbeefdd9f8f7de9d0a14594a016d7efe8a06989cdf343e5adfffa6f60e39058a5c773ff5ead39c4ef0a
SSDEEP:	6144:E+57amV8gvw9jbqViDlTi7EBc4tlkTGtkgh:h5umvvw5WEMxGKgh
TLSH:	4424AE6C6358EE76E2BF01B5D47240BC43B59A262122E79F5DC4BCE33F213D162611AB
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....o...............0..............8... ...@....@.. ....................................@................................

File Icon


Icon Hash:	1733390fccec7117

Static PE Info

General

Entrypoint:	0x4238be
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xCD6FC304 [Tue Mar 21 19:48:20 2079 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x23870	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x24000	0x9af8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2e000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x218c4	0x21a00	c7504c5d23ade79f97ad96e53ebcb470	False	0.5264869888475836	data	6.482553095482042	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x24000	0x9af8	0x9c00	51e5776c52d2b84e806afb3de56ee4e3	False	0.2604166666666667	data	3.328211259016847	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x2e000	0xc	0x200	1f3b1ae9aa8009a4a489ab54c1c6b796	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x24130	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 36864, resolution 2835 x 2835 px/m	0.2528379230607526
RT_GROUP_ICON	0x2d5d8	0x14	data	1.15
RT_VERSION	0x2d5ec	0x31e	data	0.449874686716792
RT_MANIFEST	0x2d90c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 9, 2024 15:09:45.806180000 CET	49702	8080	192.168.2.10	213.21.220.222
Dec 9, 2024 15:09:45.926474094 CET	8080	49702	213.21.220.222	192.168.2.10
Dec 9, 2024 15:09:45.926572084 CET	49702	8080	192.168.2.10	213.21.220.222
Dec 9, 2024 15:09:45.973400116 CET	49702	8080	192.168.2.10	213.21.220.222
Dec 9, 2024 15:09:46.094429970 CET	8080	49702	213.21.220.222	192.168.2.10
Dec 9, 2024 15:10:07.846189976 CET	8080	49702	213.21.220.222	192.168.2.10
Dec 9, 2024 15:10:07.846267939 CET	49702	8080	192.168.2.10	213.21.220.222
Dec 9, 2024 15:10:07.880656004 CET	49702	8080	192.168.2.10	213.21.220.222
Dec 9, 2024 15:10:07.907018900 CET	49746	8080	192.168.2.10	213.21.220.222
Dec 9, 2024 15:10:08.026736021 CET	8080	49746	213.21.220.222	192.168.2.10
Dec 9, 2024 15:10:08.026931047 CET	49746	8080	192.168.2.10	213.21.220.222
Dec 9, 2024 15:10:08.027302027 CET	49746	8080	192.168.2.10	213.21.220.222
Dec 9, 2024 15:10:08.146656990 CET	8080	49746	213.21.220.222	192.168.2.10
Dec 9, 2024 15:10:29.923749924 CET	8080	49746	213.21.220.222	192.168.2.10
Dec 9, 2024 15:10:29.923832893 CET	49746	8080	192.168.2.10	213.21.220.222
Dec 9, 2024 15:10:29.924226999 CET	49746	8080	192.168.2.10	213.21.220.222
Dec 9, 2024 15:10:29.926284075 CET	49796	8080	192.168.2.10	213.21.220.222
Dec 9, 2024 15:10:30.046061993 CET	8080	49796	213.21.220.222	192.168.2.10
Dec 9, 2024 15:10:30.046238899 CET	49796	8080	192.168.2.10	213.21.220.222
Dec 9, 2024 15:10:30.046602964 CET	49796	8080	192.168.2.10	213.21.220.222
Dec 9, 2024 15:10:30.166380882 CET	8080	49796	213.21.220.222	192.168.2.10
Dec 9, 2024 15:10:51.971072912 CET	8080	49796	213.21.220.222	192.168.2.10
Dec 9, 2024 15:10:51.971208096 CET	49796	8080	192.168.2.10	213.21.220.222
Dec 9, 2024 15:10:51.971560001 CET	49796	8080	192.168.2.10	213.21.220.222
Dec 9, 2024 15:10:51.973674059 CET	49848	8080	192.168.2.10	213.21.220.222
Dec 9, 2024 15:10:52.093014956 CET	8080	49848	213.21.220.222	192.168.2.10
Dec 9, 2024 15:10:52.093214035 CET	49848	8080	192.168.2.10	213.21.220.222
Dec 9, 2024 15:10:52.093575954 CET	49848	8080	192.168.2.10	213.21.220.222
Dec 9, 2024 15:10:52.212845087 CET	8080	49848	213.21.220.222	192.168.2.10
Dec 9, 2024 15:11:14.019879103 CET	8080	49848	213.21.220.222	192.168.2.10
Dec 9, 2024 15:11:14.019969940 CET	49848	8080	192.168.2.10	213.21.220.222
Dec 9, 2024 15:11:14.024704933 CET	49848	8080	192.168.2.10	213.21.220.222
Dec 9, 2024 15:11:14.026791096 CET	49899	8080	192.168.2.10	213.21.220.222
Dec 9, 2024 15:11:14.146440029 CET	8080	49899	213.21.220.222	192.168.2.10
Dec 9, 2024 15:11:14.146609068 CET	49899	8080	192.168.2.10	213.21.220.222
Dec 9, 2024 15:11:14.146992922 CET	49899	8080	192.168.2.10	213.21.220.222
Dec 9, 2024 15:11:14.270832062 CET	8080	49899	213.21.220.222	192.168.2.10
Dec 9, 2024 15:11:36.050697088 CET	8080	49899	213.21.220.222	192.168.2.10
Dec 9, 2024 15:11:36.051913023 CET	49899	8080	192.168.2.10	213.21.220.222
Dec 9, 2024 15:11:36.052186012 CET	49899	8080	192.168.2.10	213.21.220.222
Dec 9, 2024 15:11:36.054230928 CET	49949	8080	192.168.2.10	213.21.220.222
Dec 9, 2024 15:11:36.175272942 CET	8080	49949	213.21.220.222	192.168.2.10
Dec 9, 2024 15:11:36.175426960 CET	49949	8080	192.168.2.10	213.21.220.222
Dec 9, 2024 15:11:36.175769091 CET	49949	8080	192.168.2.10	213.21.220.222
Dec 9, 2024 15:11:36.295140982 CET	8080	49949	213.21.220.222	192.168.2.10

Target ID:	5
Start time:	09:09:44
Start date:	09/12/2024
Path:	C:\Users\user\Desktop\odo7jrvnU3.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\odo7jrvnU3.exe"
Imagebase:	0xd0000
File size:	228'688 bytes
MD5 hash:	B6C329165699196ACB38053AE6308E61
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000005.00000000.1273548797.00000000000D2000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Function 00890ED8 Relevance: 3.0, Instructions: 3035COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2529727002.0000000000890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_890000_odo7jrvnU3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90bdd93e51662bf8956cbbe01187161e8efdae9e0d495ec9836c603df2139843
Instruction ID: 460b286a9b968e3f52505fbb6702bf0b3e5bee12b698d119d832de506dae71cd
Opcode Fuzzy Hash: 90bdd93e51662bf8956cbbe01187161e8efdae9e0d495ec9836c603df2139843
Instruction Fuzzy Hash: 0E73B6749013588FDB65DF65C9547A9BBB2FF88301F1081E9D649AB360EB396E81CF80

Function 00890EC9 Relevance: 3.0, Instructions: 2979COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2529727002.0000000000890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_890000_odo7jrvnU3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 628c869e2bd2ae89976a889dbbc45bf53a1afa695aa1142c3ad270dfa5d58591
Instruction ID: fb7a73aefb311a1cd0c6c452f8660b1aae56790f060f1eb6fb8d8b2e1ce653e7
Opcode Fuzzy Hash: 628c869e2bd2ae89976a889dbbc45bf53a1afa695aa1142c3ad270dfa5d58591
Instruction Fuzzy Hash: 8373B6749013588FDB65DF65C9547A9BBB2FF88301F1081E9D649AB360EB396E81CF80

Function 0089CA90 Relevance: 2.0, Instructions: 2024COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2529727002.0000000000890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_890000_odo7jrvnU3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 296e8790c4972518a8be24084d6b066f9d5f388af5edb8dbf85b10d0fad25311
Instruction ID: e5489f2bc214ec1be334dfb2276b3ad130b4c8bf5738c1ea52e5dfa5c8d54af4
Opcode Fuzzy Hash: 296e8790c4972518a8be24084d6b066f9d5f388af5edb8dbf85b10d0fad25311
Instruction Fuzzy Hash: A1233F35D02204DFCF56AFA0C518659B7B7FB9A345B2094AFDD06267A4CB7A8C42DF08

Function 0089CAA0 Relevance: 2.0, Instructions: 1978COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2529727002.0000000000890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_890000_odo7jrvnU3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5690aae9131a35e3451938df22d3652ce64b5ca65ba0e05595da93eac9198a0d
Instruction ID: fe068bdadbba8604fea6a2ee2a0811763aab2e54411d70a8f71fa905548412b2
Opcode Fuzzy Hash: 5690aae9131a35e3451938df22d3652ce64b5ca65ba0e05595da93eac9198a0d
Instruction Fuzzy Hash: 52233F35D02204DFCB56AFA0C518659B7B7FB9A345B20A4AFDD06267A4CB7B8C41DF08

Function 00896ED1 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2529727002.0000000000890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_890000_odo7jrvnU3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae06c8f30eacc975e6f8c76f6e9202204df50c5cdc6280af56777e4bcc8d0984
Instruction ID: ad68470e1ff8c57cace4db33ade1d04a6adad3e727b078437ddabd6a8aae60a9
Opcode Fuzzy Hash: ae06c8f30eacc975e6f8c76f6e9202204df50c5cdc6280af56777e4bcc8d0984
Instruction Fuzzy Hash: 8591BD30B106048FDB14FBB8D55856DBBB2FF89310B158629E416A7394DF35AC46CB92

Function 00894B10 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2529727002.0000000000890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_890000_odo7jrvnU3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ede84620a1e3812e59270a1f5ab4b84d01009795b52a504e4e8007c998512fa
Instruction ID: 75e6c0795cd9bf925c4176cb3743d7236a3bc393ce1067d8fb67b7dc1427d42e
Opcode Fuzzy Hash: 6ede84620a1e3812e59270a1f5ab4b84d01009795b52a504e4e8007c998512fa
Instruction Fuzzy Hash: 1F715035A00209DFCB14EFA8D454AADBBF6FF89314F2581AAE405EB361DB759C41CB90

Function 008952A0 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2529727002.0000000000890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_890000_odo7jrvnU3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e61a111f4763039296882f339c200eb1542ef66e7826b542430c8dc96457b535
Instruction ID: 993420d59c92ab3ebc9ecf9fa0a5fd199d6fac473ef6e6d29bb3b24568f23fac
Opcode Fuzzy Hash: e61a111f4763039296882f339c200eb1542ef66e7826b542430c8dc96457b535
Instruction Fuzzy Hash: 83518970E046098FDF45EBA9D8547AEBBB2FF88301F24806AD405FB241DB309946CF90

Function 0089BCE7 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2529727002.0000000000890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_890000_odo7jrvnU3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 840db4dc80d03cc68e97daf1dd75cb79388ea926e8ec0c4ef210d400e9226787
Instruction ID: bf14419e32d7429f3bc1d75cd2538a0ea3681c39effa66f779e4e3143c3c9de8
Opcode Fuzzy Hash: 840db4dc80d03cc68e97daf1dd75cb79388ea926e8ec0c4ef210d400e9226787
Instruction Fuzzy Hash: 5F4125706047469FCB21EF24E58869E7BE2EF89300B18862DD446CB751DB78DD02CB91

Function 0089BBB0 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2529727002.0000000000890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_890000_odo7jrvnU3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eeceb2163bdd02292ce9dc7074f704ae63b4d9de8d5341beaf69724dbad31061
Instruction ID: af746a4f4334bd145124b24645307852a6beb522ddc2b4528aa991fcdfb4c57a
Opcode Fuzzy Hash: eeceb2163bdd02292ce9dc7074f704ae63b4d9de8d5341beaf69724dbad31061
Instruction Fuzzy Hash: 6C31D6357082586FDB249B79AD48A9E7F66EBC5330F24823AE515CB2D1DE398D02C790

Function 0089ECA8 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2529727002.0000000000890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_890000_odo7jrvnU3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec0197acd36067aac79d230eae3eb49b442916c094d672dce1b989a1c8f55bff
Instruction ID: 6fe50c8ee45793c7786764023a749dd7c67a40be348f57d5eb87d5f9cf551bce
Opcode Fuzzy Hash: ec0197acd36067aac79d230eae3eb49b442916c094d672dce1b989a1c8f55bff
Instruction Fuzzy Hash: 8641D130B042589FEB11EB79D8597AE7BB2EB86300F1040B9D505EB385DF789D06CB91

Function 0089C8FF Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2529727002.0000000000890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_890000_odo7jrvnU3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 170626d15de8b5576563b77a1bc697acc4da0b7864fa60da7d865bdab9228db3
Instruction ID: d40f7895742aea1fc3de353cb6f30926f5bd7c11cf1d3511655d29d18089d215
Opcode Fuzzy Hash: 170626d15de8b5576563b77a1bc697acc4da0b7864fa60da7d865bdab9228db3
Instruction Fuzzy Hash: 67414872A04246CFCF02EF78C8641A97B71FF99304719817AD489AB286EB35A947C791

Function 0089C2F0 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2529727002.0000000000890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_890000_odo7jrvnU3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac94941e4d5f6f450feff0b10d6bbbd8c99c45732a59c2a7636eb3b9e59a7653
Instruction ID: b850606eca6afb6a730804b5fb18bc7998a4be363c99d8fc70f19b4bf6d16246
Opcode Fuzzy Hash: ac94941e4d5f6f450feff0b10d6bbbd8c99c45732a59c2a7636eb3b9e59a7653
Instruction Fuzzy Hash: 4E31F8347042048FDB68EF65D568B6E7BF2FB8D311F144468E906EB3A4CA7A9C41DB50

Function 0089C439 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2529727002.0000000000890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_890000_odo7jrvnU3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a5004cbe177d7200dc7315cc14b26810ede15ec38bbecd39396c6682203e346
Instruction ID: c55a6a9574338b137a78b8db17826dfebb9913e0a2afcac9a954e1ba9845730a
Opcode Fuzzy Hash: 1a5004cbe177d7200dc7315cc14b26810ede15ec38bbecd39396c6682203e346
Instruction Fuzzy Hash: 2D31EA307093504FD725A735942856D3FA7EFCA21071585BED546C7782EE6D8C078792

Function 00899680 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2529727002.0000000000890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_890000_odo7jrvnU3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9de4f61576534984dc73e3dbef181597c6aa562440f21b23dd07171670223920
Instruction ID: e43afefc1f8027556a7e589f548eb2785dd41b564432e9650a0690f4efc2603f
Opcode Fuzzy Hash: 9de4f61576534984dc73e3dbef181597c6aa562440f21b23dd07171670223920
Instruction Fuzzy Hash: 8D41AD76905245DFDF42EFA0E94889D7FF2FB59310B04406AE101AB266D736AD02DF91

Function 008996BF Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2529727002.0000000000890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_890000_odo7jrvnU3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 110d6680818e52564d9924d98db5df6168f3e39209d2fca015ada21fcf1f82c1
Instruction ID: 799af8031df9d6694047e68d75da6d5248aa739fbbd33ef0b903e146b4f2085d
Opcode Fuzzy Hash: 110d6680818e52564d9924d98db5df6168f3e39209d2fca015ada21fcf1f82c1
Instruction Fuzzy Hash: CC410976900209DFDF41EFA0EA4899D7FF2FB58310B004429E601BB265DB36AD51DF51

Function 008908A8 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2529727002.0000000000890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_890000_odo7jrvnU3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd686704b7a2a66aba305c1f467efc5ff33415838c0071dc3d96d7277edb14c9
Instruction ID: 168f05b226eb82b3caa5019d5acb227dc9f433ac800204303d0f3ce68885a636
Opcode Fuzzy Hash: cd686704b7a2a66aba305c1f467efc5ff33415838c0071dc3d96d7277edb14c9
Instruction Fuzzy Hash: 16315E30B006058FEF15AB76981837EBAA6FF84351F188129D85ADB292DF34CD41CB95

Function 0089B8B0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2529727002.0000000000890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_890000_odo7jrvnU3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aee6ba9b89202d68287044502f219fbfafe00810b47a846f35fe580379a05d7d
Instruction ID: b42f7896e9d377d4ae43cb4a09492fa5b70eab75e5a5ecf3c2845ed015df73b5
Opcode Fuzzy Hash: aee6ba9b89202d68287044502f219fbfafe00810b47a846f35fe580379a05d7d
Instruction Fuzzy Hash: 672146307083545FDB246B34A81856E3FEAEBCA210715447BE506DB382DF3A8C06C791

Function 0089F817 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2529727002.0000000000890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_890000_odo7jrvnU3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6567a576244ab214319e83ce086df0ba9c160b28ae79ae8c703443ba265a62d
Instruction ID: f781c9e49b9d9f391b281e116bd43f71ac2dac62b8872b343a2ece67b0645fc0
Opcode Fuzzy Hash: a6567a576244ab214319e83ce086df0ba9c160b28ae79ae8c703443ba265a62d
Instruction Fuzzy Hash: C2319D31D107478ACB11EFB9D8502D9BB71FF99320F25872AE0597B241EB31B690CB80

Function 0089C2DF Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2529727002.0000000000890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_890000_odo7jrvnU3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73fcd11552fcb03393b18942cd824bef0e062ca43cb5ba0071f66fc09368de3a
Instruction ID: 968848a62bfc261c82485655573e03b368f0dbb895114f3705e89609626ec1d1
Opcode Fuzzy Hash: 73fcd11552fcb03393b18942cd824bef0e062ca43cb5ba0071f66fc09368de3a
Instruction Fuzzy Hash: AC31F8347042048FDB14EF64D5A8BAE7BF2FB89310F184468E506EB3A1CB769C41DB90

Function 0089F828 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2529727002.0000000000890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_890000_odo7jrvnU3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27d217cd7d3d91e1a1735d92985db9f5215d6df053a33c70f6469ddbabd55c9b
Instruction ID: 4dfd387f06b0794ea0a985a48285fcc02cb5db2f7e7b2ae29b63ba81c471029a
Opcode Fuzzy Hash: 27d217cd7d3d91e1a1735d92985db9f5215d6df053a33c70f6469ddbabd55c9b
Instruction Fuzzy Hash: 00318D31D107078ADB11EFB9D800299BBB1FF99320F25872AE5597B201EB71B6D0CB90

Function 008996D0 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2529727002.0000000000890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_890000_odo7jrvnU3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f837c1740c3a1be12a80ec470a522ffafa84bf8cde7143a8af2287a3532c52b
Instruction ID: cdae28295a2decd7c40927736be1665274c612b83d49695c07bf35c190535d91
Opcode Fuzzy Hash: 8f837c1740c3a1be12a80ec470a522ffafa84bf8cde7143a8af2287a3532c52b
Instruction Fuzzy Hash: 5031E776900209EFDF41EFA0E94899DBFF2FB4C310B008429E601BB225DB36A951DF51

Function 00890899 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2529727002.0000000000890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_890000_odo7jrvnU3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f359eeaca2911f49f411144e010616260c8d2fdfdec0987fd84b6ef814a5924
Instruction ID: 6903aec0e196652634d85abbb8a9fbfdfaa3ad562a311b835c2e57c578500781
Opcode Fuzzy Hash: 7f359eeaca2911f49f411144e010616260c8d2fdfdec0987fd84b6ef814a5924
Instruction Fuzzy Hash: F4218C31B006058FDF10EB65C8187BEBBA6FF84351F188129D85ADB292DB34C941CB95

Function 0089C960 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2529727002.0000000000890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_890000_odo7jrvnU3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6460698d936cafca9b57545e99c6e69a1a711d74746150319daee63ac8adfbb
Instruction ID: 25a14adbdca9ec62553ecfb524cd5d4e06190228f0a2611b721d3f92ec57df65
Opcode Fuzzy Hash: a6460698d936cafca9b57545e99c6e69a1a711d74746150319daee63ac8adfbb
Instruction Fuzzy Hash: 7E31B331E00646CBDB11EF75D4142AABBB1FF99304B10862AD459B7285EB35A941CB90

Function 0089C970 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2529727002.0000000000890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_890000_odo7jrvnU3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08c737dca12a39139c303d1cae2a97009b2cb22abde6ebff9bd4846adffc4727
Instruction ID: cd69109ea48c03f065c79382ab96bf362a341710df58d95913c015998c4d9cb5
Opcode Fuzzy Hash: 08c737dca12a39139c303d1cae2a97009b2cb22abde6ebff9bd4846adffc4727
Instruction Fuzzy Hash: 10318431E0075ACBDF11EF79C4142AAB7B1FF99304B10853AD45AB7385EB75A941CB90

Function 00890862 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2529727002.0000000000890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_890000_odo7jrvnU3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95eba6a2ee795b8b53a46b7dd982ffec54136b8621b7b6c52ee16d0673a02591
Instruction ID: aaa7ebabc864cd1260ff1fa6ccaf0b836da0f67033d74200ed274506ab686003
Opcode Fuzzy Hash: 95eba6a2ee795b8b53a46b7dd982ffec54136b8621b7b6c52ee16d0673a02591
Instruction Fuzzy Hash: A821AC317006458FEF11AB35881437ABBA2FF85301F2C81A9C89ADB292DF34CC42CB55

Function 00898C91 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2529727002.0000000000890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_890000_odo7jrvnU3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 983ca11a922555d9ef8fefd06c21deea4bdc404f938640881bb4ae045291b600
Instruction ID: 48312fd6beec58d9118561a86f21dc0f6dacec5963e8a16009c04a86b35d0bdd
Opcode Fuzzy Hash: 983ca11a922555d9ef8fefd06c21deea4bdc404f938640881bb4ae045291b600
Instruction Fuzzy Hash: 24315931900109FFDB12AF90EE48AAC7FF6FB58300F008966E6057B269D772A954DF51

Function 007ED4A0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2529354803.00000000007ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 007ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ed000_odo7jrvnU3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4b65e86347587b5554da42b35cc2c8c82a8703d12709ace818a092a8755aa0a
Instruction ID: 2520712a9b144f49133d7ca4b3cf65c9069f059c95c87e5ac432d43825de7496
Opcode Fuzzy Hash: b4b65e86347587b5554da42b35cc2c8c82a8703d12709ace818a092a8755aa0a
Instruction Fuzzy Hash: 2B2128B1504280DFDB25DF54D9C0B26BF65FB98314F34C569E90A0B256C33ADC66CBA2

Function 00898CA0 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2529727002.0000000000890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_890000_odo7jrvnU3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f64baada61618c095af2a1a56b85ac3a9840d68ea9de9ced3aa02abc018d513
Instruction ID: 0ac29f67ba81d7b2f764a19b8589964212f20df6bbe744d8cee5f6c88080f0a1
Opcode Fuzzy Hash: 9f64baada61618c095af2a1a56b85ac3a9840d68ea9de9ced3aa02abc018d513
Instruction Fuzzy Hash: C7313835500109FFDB11AF94EE48AAD7FF6FB58300F008866E6057B268CBB2A954DF51

Function 0089B5F0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2529727002.0000000000890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_890000_odo7jrvnU3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 850a6e9f4ab4d686884b4a59df78800f4a66d42c08d159dd49697f211a4b5885
Instruction ID: 1a8474943101312039a0dab9016044ca105c02ccb834eac9bbaa5bdc4204847c
Opcode Fuzzy Hash: 850a6e9f4ab4d686884b4a59df78800f4a66d42c08d159dd49697f211a4b5885
Instruction Fuzzy Hash: F2115930B083085FDF39ABB4A9186BD3FA9EF85300F0400BAE409D7282CB349D01CB81

Function 00890E39 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2529727002.0000000000890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_890000_odo7jrvnU3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 580e3aa2681ac37b92d9d0b1037a4203664108f060294ff876f0ad84b12eaddf
Instruction ID: 132dea0472581a9b1a5076f70c5b16be88511bce3e91fc8c41b6be95065c4da4
Opcode Fuzzy Hash: 580e3aa2681ac37b92d9d0b1037a4203664108f060294ff876f0ad84b12eaddf
Instruction Fuzzy Hash: EF016D37305610AFD7216A59E95036AF7A8F784725F444533E908CB582D735EC43CBD0

Function 0089810D Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2529727002.0000000000890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_890000_odo7jrvnU3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 603db6a2a57bf35e5d98bea20cc115b6e208e415a4d6a55eb1a96f7d60f39ddb
Instruction ID: 84dffb3a268ff90dde221c30adb5625f145c6c17f1647894fc414d2fb6840f46
Opcode Fuzzy Hash: 603db6a2a57bf35e5d98bea20cc115b6e208e415a4d6a55eb1a96f7d60f39ddb
Instruction Fuzzy Hash: 4F1122362012418FE758E734E6982AD77A3FFC96047888439D0878B605CEB5BD87CB91

Function 007ED49B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2529354803.00000000007ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 007ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ed000_odo7jrvnU3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2c4bb083ffa01750429338de36c7bd8c3c5b68e8b11f755f55576fea2132e6f
Instruction ID: d343150cec35f72b7fd983f6d0033f4684cc63eb0ae695f5f2fdae38aa956ad0
Opcode Fuzzy Hash: c2c4bb083ffa01750429338de36c7bd8c3c5b68e8b11f755f55576fea2132e6f
Instruction Fuzzy Hash: DC11D376504280CFDB16CF14D5C4B16BF71FB98324F34C5A9D9090B656C33AD966CBA2

Function 00897699 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2529727002.0000000000890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_890000_odo7jrvnU3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5812261c57c642c1466d7de5d2e369e988a8922063c156c302874c9356b31b3
Instruction ID: 13b7cfe2ee77f21515016628d79171b5be4613625284d09f0411b96b95b4d71a
Opcode Fuzzy Hash: e5812261c57c642c1466d7de5d2e369e988a8922063c156c302874c9356b31b3
Instruction Fuzzy Hash: F6F0E9313052515FD3259765AC8DADE7FA6EBCA310701003DE00DD7283DA5A5C0683A6

Function 00897630 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2529727002.0000000000890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_890000_odo7jrvnU3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bbd4d7fc2e4164b1eaf87ceee520452d6e73665e22a182fb369e250e8a3e0ff
Instruction ID: df790656afa0b665c030cc8351adcc425d32c039f39fb76d90f25a448a6defa3
Opcode Fuzzy Hash: 9bbd4d7fc2e4164b1eaf87ceee520452d6e73665e22a182fb369e250e8a3e0ff
Instruction Fuzzy Hash: 50F0246224D7A00FE3026B38A5692DE3FA1DEC312030900FBD0978B193EA58884783DA

Function 007ED6AB Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2529354803.00000000007ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 007ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ed000_odo7jrvnU3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e414d2b7e9d87279800688febe0d22be6a20fb89f49ecd2c8a84b1e88905f73
Instruction ID: d9044d14d18c760d77ca4c46c87992eb2ad8f311da3480d1c6580da1cc4abeec
Opcode Fuzzy Hash: 5e414d2b7e9d87279800688febe0d22be6a20fb89f49ecd2c8a84b1e88905f73
Instruction Fuzzy Hash: 8BF03776200610AF83208F0AD984C23FBA9EBC8770319C45AE84A4B612C671FC41CEA0

Function 007ED69C Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2529354803.00000000007ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 007ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ed000_odo7jrvnU3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de3680cf5d26d77e59fb202cebe3db31a3c6085a93bade3d050464e5def7507c
Instruction ID: d07ce67cd257d4fe936a6b923da08bb96583598d79daf4730c2918c2aa3f5bfd
Opcode Fuzzy Hash: de3680cf5d26d77e59fb202cebe3db31a3c6085a93bade3d050464e5def7507c
Instruction Fuzzy Hash: 08F03C75104680AFD325CF06C994C63BFB9EF8A7607198489E8994B352C675FC42CF70

Function 00895291 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2529727002.0000000000890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_890000_odo7jrvnU3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 883b8acf307738600d233a30f5d9382a95150c34abeffe35264233e29190419d
Instruction ID: 1505c78fc19e3407b466ac3d681d9553936d64793abe50583685518696ec3178
Opcode Fuzzy Hash: 883b8acf307738600d233a30f5d9382a95150c34abeffe35264233e29190419d
Instruction Fuzzy Hash: 04F03C71D0834B8ECF05DFA898051EEBFB1EE96300B1585AAD114E7051E774164ACBD1

Function 00898220 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2529727002.0000000000890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_890000_odo7jrvnU3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7003c8fc65ed467b5ca34736a16c1a2ff0a00bdfd4c1f4d405816a635c761561
Instruction ID: 12d86a72379912253375ca0c384e802964e09882f18ee2df7823f9547c5e6305
Opcode Fuzzy Hash: 7003c8fc65ed467b5ca34736a16c1a2ff0a00bdfd4c1f4d405816a635c761561
Instruction Fuzzy Hash: C901F470509B06CFD325DF21D548446BFF1FF98300300856AD44A87A52DB74A806CF80

Function 008981C0 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2529727002.0000000000890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_890000_odo7jrvnU3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0e0e545263efc1f059fe9ad9fef06ea4361edd810c0ee836e50a15e9250de42
Instruction ID: 426789f21000842dcf8569b721537610c0c398d95dbc29b13d6cbd4342d05982
Opcode Fuzzy Hash: e0e0e545263efc1f059fe9ad9fef06ea4361edd810c0ee836e50a15e9250de42
Instruction Fuzzy Hash: FAF096312097D14FD322AB35E54834A7FE5DBC6204F0844AED1868B542DAA9B846CB62

Function 0089EF3C Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2529727002.0000000000890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_890000_odo7jrvnU3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54f1f57afa4fb3e57349cd45201e42a4d71ca0a7a277ebea0332d5682ace6653
Instruction ID: 44b4edcdac94b40b033f4f3c7d941deb0acbbaab0bc9413ba216fff71f38ae67
Opcode Fuzzy Hash: 54f1f57afa4fb3e57349cd45201e42a4d71ca0a7a277ebea0332d5682ace6653
Instruction Fuzzy Hash: 2AE092A3749990969B01FBEC9C1626CAF42F9A037A34C039BD835D66D1CF170C32C159

Function 008981D0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2529727002.0000000000890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_890000_odo7jrvnU3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 485bff936606838ae717b2c00d75dce3b9cb4d7d8f7c90a96891cc73e3223d70
Instruction ID: 627ef8d420ba00a90f8f4a06033d36e5ef165238c25864ea84fd600287e5fc29
Opcode Fuzzy Hash: 485bff936606838ae717b2c00d75dce3b9cb4d7d8f7c90a96891cc73e3223d70
Instruction Fuzzy Hash: ECE065302047908FD321AB29E54875E7FEADB85614F48457DE1868B645CBAABC058BA2

Function 0089EC98 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2529727002.0000000000890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_890000_odo7jrvnU3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a919a379f1b62c3c3b33bb6c6207f7731602cb5559fe780a7ff590d36595d278
Instruction ID: 2199bfb20788e3e5f79e67bbdf0edb0a5e7a7f88a1bced6a205b857b1bc43f3d
Opcode Fuzzy Hash: a919a379f1b62c3c3b33bb6c6207f7731602cb5559fe780a7ff590d36595d278
Instruction Fuzzy Hash: 37E020347191518FE721E73598894CD3FA0DF0620430500E6D448CF152D660DC16C7D2

Function 0089C510 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2529727002.0000000000890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_890000_odo7jrvnU3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b411147243707e21a1cf8c73b1cb311f1c944b5be3d530489684c88a15bf67d
Instruction ID: 4dfdaecc68e60b8a75d8b4e6cb48bec0e202ace3d5bfcf1e2f43a0f7795dbea6
Opcode Fuzzy Hash: 8b411147243707e21a1cf8c73b1cb311f1c944b5be3d530489684c88a15bf67d
Instruction Fuzzy Hash: AEE0D8301067108FC728E736D54559EB7DBAF89600390C93DD08B83615DFF4AD0D4BA2

Function 0089B8A0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2529727002.0000000000890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_890000_odo7jrvnU3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18e66ec9c5b90f70452f3a4c4ce105904f183d6b223dc8145028a90b38e8434f
Instruction ID: d75c948253f0be472b86bdcae4c22c442d81bb172484a1c2761b76485e271b9d
Opcode Fuzzy Hash: 18e66ec9c5b90f70452f3a4c4ce105904f183d6b223dc8145028a90b38e8434f
Instruction Fuzzy Hash: 06E0C2787482221FCB261214A8A40DE3F6AEA8612431940B6E405CB7C3EB198C0783C2

Function 0089EE70 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2529727002.0000000000890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_890000_odo7jrvnU3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ffecc278f1a502a26fb71e3ce3d6ef50e23aadbf38660496ae8f7423b63aa20
Instruction ID: db089282d681a4cc38414f43e7b37c11c78aea1cea36fd62d7b904b0185c7725
Opcode Fuzzy Hash: 4ffecc278f1a502a26fb71e3ce3d6ef50e23aadbf38660496ae8f7423b63aa20
Instruction Fuzzy Hash: ADE02B73A5C7901FE746E6681C915DF3FA5894115030100B7C008CF2D3EB60590743DA

Function 00897660 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2529727002.0000000000890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_890000_odo7jrvnU3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83019618fb01b235019cac32d374afaac660a62e0454098c8bfb392977e118b3
Instruction ID: 1bbcf2ab3ceae838f624cd0a8b9d9bcb8396d287937b48b695c91b47537e36cf
Opcode Fuzzy Hash: 83019618fb01b235019cac32d374afaac660a62e0454098c8bfb392977e118b3
Instruction Fuzzy Hash: 4DD05B313042645786157765B61E5EE3BEAEAC9A513050039E10BC3240CF6A5D1187D5

Function 0089B5EA Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2529727002.0000000000890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_890000_odo7jrvnU3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4553ae07c6d1536ccd1c882a12ba165507a77046c44e591e5e27955f7a6fd5cb
Instruction ID: e187e8e163c8fddc26b48c991ecc2a44355484add3ae8850c4d21c71cffa4328
Opcode Fuzzy Hash: 4553ae07c6d1536ccd1c882a12ba165507a77046c44e591e5e27955f7a6fd5cb
Instruction Fuzzy Hash: F5D022307420215B8B2165513B0A0CC3B28C980920F080132D80CCB0C0EB04CE1382CA

Function 0089EE80 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2529727002.0000000000890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_890000_odo7jrvnU3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c260ea585acc4e0d28f87511f8f121e81643beea6d8db2fa8dcd50d1c9a1d3f5
Instruction ID: d6b04058b3cea780ab0af0444205f9a031fca4044dc5bbd3b58103c770a49f34
Opcode Fuzzy Hash: c260ea585acc4e0d28f87511f8f121e81643beea6d8db2fa8dcd50d1c9a1d3f5
Instruction Fuzzy Hash: CAD022336003182B5704EAAD54105CEBFEDCA80030B00007AC40DD7200EEB1694002D9

Function 0089A72E Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2529727002.0000000000890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_890000_odo7jrvnU3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12fd2bff1b9a5b69bb8cdcf424b3023807d540967212a9499418e731bcff8ede
Instruction ID: ef4c7542a3e773cafe1bfab734c24dbb31275210fd98d46e52141f049d67f347
Opcode Fuzzy Hash: 12fd2bff1b9a5b69bb8cdcf424b3023807d540967212a9499418e731bcff8ede
Instruction Fuzzy Hash: 9AD012702007118BEA16B725F44439C33A2E399210BA18296D01DAB259C7756D464B85

Function 0089EE50 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2529727002.0000000000890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_890000_odo7jrvnU3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0feb46f160bd56284b9090680be60e777ee63f94909b628c11086021add809d4
Instruction ID: 37b26a400d8e43756263559a22a7f641ec512fe70772871bc7d55da076a460ed
Opcode Fuzzy Hash: 0feb46f160bd56284b9090680be60e777ee63f94909b628c11086021add809d4
Instruction Fuzzy Hash: 76C09B649AD3534FFF53D5605CEA0C93F70A5512557110195C005CB083E509C407C5DB

Function 00890880 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2529727002.0000000000890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_890000_odo7jrvnU3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa736bd9a70a8e506b6b0a29b3725c331f6aaf6ff92a85b7f80e64a99eef06a9
Instruction ID: cb503a3e06772713e44b9e2c8aadd6acfb4af5bd703a33a987779096baf57e35
Opcode Fuzzy Hash: fa736bd9a70a8e506b6b0a29b3725c331f6aaf6ff92a85b7f80e64a99eef06a9
Instruction Fuzzy Hash: 60B092316485924FEEB9A7909D0A78D7B20FB41309F0C87BBC011CA863CB290886CEC6

Non-executed Functions

Function 0089A767 Relevance: 46.7, Strings: 37, Instructions: 424COMMON

Download Yara Rule

Strings

DUm, xrefs: 0089AC8E
DUm, xrefs: 0089A8D1
DUm, xrefs: 0089A8F6
DUm, xrefs: 0089A7CE
DUm, xrefs: 0089ACE4
DUm, xrefs: 0089AA33
DUm, xrefs: 0089A943
DUm, xrefs: 0089A9BB
DUm, xrefs: 0089AD0F
DUm, xrefs: 0089AC63
DUm, xrefs: 0089AAA8
DUm, xrefs: 0089A887
DUm, xrefs: 0089AAF8
DUm, xrefs: 0089A862
DUm, xrefs: 0089AA83
DUm, xrefs: 0089A993
DUm, xrefs: 0089AA0B
DUm, xrefs: 0089AB20
DUm, xrefs: 0089A9E3
DUm, xrefs: 0089AB48
DUm, xrefs: 0089A784
DUm, xrefs: 0089ABE8
DUm, xrefs: 0089A91B
DUm, xrefs: 0089A7F3
DUm, xrefs: 0089AC10
DUm, xrefs: 0089ACB9
DUm, xrefs: 0089AB98
DUm, xrefs: 0089A818
DUm, xrefs: 0089AC38
DUm, xrefs: 0089A83D
DUm, xrefs: 0089ABC0
DUm, xrefs: 0089AAD0
DUm, xrefs: 0089AA5B
DUm, xrefs: 0089A96B
DUm, xrefs: 0089A7A9
DUm, xrefs: 0089A8AC
DUm, xrefs: 0089AB70

Memory Dump Source

Source File: 00000005.00000002.2529727002.0000000000890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_890000_odo7jrvnU3.jbxd

Similarity

API ID:
String ID: DUm$DUm$DUm$DUm$DUm$DUm$DUm$DUm$DUm$DUm$DUm$DUm$DUm$DUm$DUm$DUm$DUm$DUm$DUm$DUm$DUm$DUm$DUm$DUm$DUm$DUm$DUm$DUm$DUm$DUm$DUm$DUm$DUm$DUm$DUm$DUm$DUm
API String ID: 0-2642909659
Opcode ID: 4cc79851690703bb88f1236772afaffcb3cfe03bdc7630ffe3e22818734a823b
Instruction ID: 0aa1a81ff1e1bf1792caab48db1537431646dd28350feeb8467cc5bfb2221f81
Opcode Fuzzy Hash: 4cc79851690703bb88f1236772afaffcb3cfe03bdc7630ffe3e22818734a823b
Instruction Fuzzy Hash: C8E1C170300611ABD70AABB1DC95A7D72D3BBCA700B84843DD2098FB99EFB26D154797

Function 0089A778 Relevance: 46.6, Strings: 37, Instructions: 383COMMON

Download Yara Rule

Strings

DUm, xrefs: 0089AC8E
DUm, xrefs: 0089A8D1
DUm, xrefs: 0089A8F6
DUm, xrefs: 0089A7CE
DUm, xrefs: 0089ACE4
DUm, xrefs: 0089AA33
DUm, xrefs: 0089A943
DUm, xrefs: 0089A9BB
DUm, xrefs: 0089AD0F
DUm, xrefs: 0089AC63
DUm, xrefs: 0089AAA8
DUm, xrefs: 0089A887
DUm, xrefs: 0089AAF8
DUm, xrefs: 0089A862
DUm, xrefs: 0089AA83
DUm, xrefs: 0089A993
DUm, xrefs: 0089AA0B
DUm, xrefs: 0089AB20
DUm, xrefs: 0089A9E3
DUm, xrefs: 0089AB48
DUm, xrefs: 0089A784
DUm, xrefs: 0089ABE8
DUm, xrefs: 0089A91B
DUm, xrefs: 0089A7F3
DUm, xrefs: 0089AC10
DUm, xrefs: 0089ACB9
DUm, xrefs: 0089AB98
DUm, xrefs: 0089A818
DUm, xrefs: 0089AC38
DUm, xrefs: 0089A83D
DUm, xrefs: 0089ABC0
DUm, xrefs: 0089AAD0
DUm, xrefs: 0089AA5B
DUm, xrefs: 0089A96B
DUm, xrefs: 0089A7A9
DUm, xrefs: 0089A8AC
DUm, xrefs: 0089AB70

Memory Dump Source

Source File: 00000005.00000002.2529727002.0000000000890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_890000_odo7jrvnU3.jbxd

Similarity

API ID:
String ID: DUm$DUm$DUm$DUm$DUm$DUm$DUm$DUm$DUm$DUm$DUm$DUm$DUm$DUm$DUm$DUm$DUm$DUm$DUm$DUm$DUm$DUm$DUm$DUm$DUm$DUm$DUm$DUm$DUm$DUm$DUm$DUm$DUm$DUm$DUm$DUm$DUm
API String ID: 0-2642909659
Opcode ID: de9a9fd486274273c40c6d0c4ff8aca643d54300726ce565c688e7f32fe8dcd7
Instruction ID: 91a1300442ba9df673b034c416e45353edca8e3eaf390e61ca8ececd7fe7d244
Opcode Fuzzy Hash: de9a9fd486274273c40c6d0c4ff8aca643d54300726ce565c688e7f32fe8dcd7
Instruction Fuzzy Hash: 7ED18070300711ABD60AABB1D895A7D71D3BBC9700B84843DD3099FB99EFB22D154797

Function 00899137 Relevance: 16.4, Strings: 13, Instructions: 148COMMON

Download Yara Rule

Strings

DUm, xrefs: 0089919E
DUm, xrefs: 00899310
DUm, xrefs: 008991C3
DUm, xrefs: 008992C6
DUm, xrefs: 008991E8
DUm, xrefs: 0089920D
DUm, xrefs: 00899179
DUm, xrefs: 008992EB
DUm, xrefs: 00899154
DUm, xrefs: 008992A1
DUm, xrefs: 00899232
DUm, xrefs: 00899257
DUm, xrefs: 0089927C

Memory Dump Source

Source File: 00000005.00000002.2529727002.0000000000890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_890000_odo7jrvnU3.jbxd

Similarity

API ID:
String ID: DUm$DUm$DUm$DUm$DUm$DUm$DUm$DUm$DUm$DUm$DUm$DUm$DUm
API String ID: 0-3777224257
Opcode ID: 4608699c0dfb97920d14fa3589ebf832be7ea7eb9473cff8193c8bf05aea4433
Instruction ID: 2e8c39a88d5e13a1562e1b79031e5add0ca463b69fcff6e63c21a3bfbfa9fa69
Opcode Fuzzy Hash: 4608699c0dfb97920d14fa3589ebf832be7ea7eb9473cff8193c8bf05aea4433
Instruction Fuzzy Hash: B64198703003107BD20AA7B1D865A3D72D3BBCA700B844839D3099FA99EFB66D554797

Function 00899148 Relevance: 16.4, Strings: 13, Instructions: 143COMMON

Download Yara Rule

Strings

DUm, xrefs: 0089919E
DUm, xrefs: 00899310
DUm, xrefs: 008991C3
DUm, xrefs: 008992C6
DUm, xrefs: 008991E8
DUm, xrefs: 0089920D
DUm, xrefs: 00899179
DUm, xrefs: 008992EB
DUm, xrefs: 00899154
DUm, xrefs: 008992A1
DUm, xrefs: 00899232
DUm, xrefs: 00899257
DUm, xrefs: 0089927C

Memory Dump Source

Source File: 00000005.00000002.2529727002.0000000000890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_890000_odo7jrvnU3.jbxd

Similarity

API ID:
String ID: DUm$DUm$DUm$DUm$DUm$DUm$DUm$DUm$DUm$DUm$DUm$DUm$DUm
API String ID: 0-3777224257
Opcode ID: 8d37be370c830edea061eb0055349a7b2dc098bf9d00d67cd08c88583538c975
Instruction ID: f69f97ce78d5102908b386db2f50d7bbb6c2091555804a010cab5199de2de996
Opcode Fuzzy Hash: 8d37be370c830edea061eb0055349a7b2dc098bf9d00d67cd08c88583538c975
Instruction Fuzzy Hash: 824183703006107BD20AABB1D865A3D71D3BBCA700B848839D3099FA89EFB67D5547A7

Function 00899387 Relevance: 10.1, Strings: 8, Instructions: 98COMMON

Download Yara Rule

Strings

DUm, xrefs: 008993A4
DUm, xrefs: 008994A7
DUm, xrefs: 00899482
DUm, xrefs: 00899413
DUm, xrefs: 008993C9
DUm, xrefs: 00899438
DUm, xrefs: 008993EE
DUm, xrefs: 0089945D

Memory Dump Source

Source File: 00000005.00000002.2529727002.0000000000890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_890000_odo7jrvnU3.jbxd

Similarity

API ID:
String ID: DUm$DUm$DUm$DUm$DUm$DUm$DUm$DUm
API String ID: 0-403174359
Opcode ID: c4b982a2fb7c73559579b148771043b4b576c836208eccb916e9c23ed37aea18
Instruction ID: d4cb8b05dffe55aab0d7f4cca82a17a32c599939b87b9dcab89984af4ff64f79
Opcode Fuzzy Hash: c4b982a2fb7c73559579b148771043b4b576c836208eccb916e9c23ed37aea18
Instruction Fuzzy Hash: 3431D771300311ABD30AB7B1D85577EB293BBC9700B848839D3099FA95EFB62D554397

Function 00899398 Relevance: 10.1, Strings: 8, Instructions: 93COMMON

Download Yara Rule

Strings

DUm, xrefs: 008993A4
DUm, xrefs: 008994A7
DUm, xrefs: 00899482
DUm, xrefs: 00899413
DUm, xrefs: 008993C9
DUm, xrefs: 00899438
DUm, xrefs: 008993EE
DUm, xrefs: 0089945D

Memory Dump Source

Source File: 00000005.00000002.2529727002.0000000000890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_890000_odo7jrvnU3.jbxd

Similarity

API ID:
String ID: DUm$DUm$DUm$DUm$DUm$DUm$DUm$DUm
API String ID: 0-403174359
Opcode ID: 35347f6b7f732c7203e845e24b02003761f149dd2880047e7dbdad1464daa6ee
Instruction ID: d1e3facd3a85f5fe73b118231aa4d55565aaf9b31e11419036ba976cfc5e816d
Opcode Fuzzy Hash: 35347f6b7f732c7203e845e24b02003761f149dd2880047e7dbdad1464daa6ee
Instruction Fuzzy Hash: B1218670300310ABD60AB7B1D85573DB293BBC9700B858939D3099FA89EFB67D554397

Function 00898E20 Relevance: 8.8, Strings: 7, Instructions: 87COMMON

Download Yara Rule

Strings

DUm, xrefs: 00898F09
DUm, xrefs: 00898E65
DUm, xrefs: 00898EE0
DUm, xrefs: 00898EB7
DUm, xrefs: 00898E8E
DUm, xrefs: 00898F32
DUm, xrefs: 00898E3C

Memory Dump Source

Source File: 00000005.00000002.2529727002.0000000000890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_890000_odo7jrvnU3.jbxd

Similarity

API ID:
String ID: DUm$DUm$DUm$DUm$DUm$DUm$DUm
API String ID: 0-694694695
Opcode ID: def4b22285a9cdeda277d9b4f88335e8178c652e46aaf626d17c5404082cedc2
Instruction ID: 38967fa5da37bfebdf52c4fc44f471c12db6e5b8afbc5ec6ecffc5d7cc8c57df
Opcode Fuzzy Hash: def4b22285a9cdeda277d9b4f88335e8178c652e46aaf626d17c5404082cedc2
Instruction Fuzzy Hash: AD31F730301242AFDB066BB1DC49A6D77A3BB8A700741842DE11A8FA95DFB11D9A8793

Function 00898E30 Relevance: 8.8, Strings: 7, Instructions: 83COMMON

Download Yara Rule

Strings

DUm, xrefs: 00898F09
DUm, xrefs: 00898E65
DUm, xrefs: 00898EE0
DUm, xrefs: 00898EB7
DUm, xrefs: 00898E8E
DUm, xrefs: 00898F32
DUm, xrefs: 00898E3C

Memory Dump Source

Source File: 00000005.00000002.2529727002.0000000000890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_890000_odo7jrvnU3.jbxd

Similarity

API ID:
String ID: DUm$DUm$DUm$DUm$DUm$DUm$DUm
API String ID: 0-694694695
Opcode ID: 3d4f85b6554cfcdbe12ae70041e4916fb3122c1fe2ff17925019304fc53a21d5
Instruction ID: ff67498bb0b10cd0f79c1d37125a5c138d01825b129ad2b755b2c0970ca14bda
Opcode Fuzzy Hash: 3d4f85b6554cfcdbe12ae70041e4916fb3122c1fe2ff17925019304fc53a21d5
Instruction Fuzzy Hash: 8821D830301246BFDB066BB1DC49A6D77A3FB8A700780443DE11A8F695DFB11D9A8793

Function 008999DA Relevance: 7.6, Strings: 6, Instructions: 78COMMON

Download Yara Rule

Strings

DUm, xrefs: 00899A63
DUm, xrefs: 00899A88
DUm, xrefs: 00899AAD
DUm, xrefs: 008999F4
DUm, xrefs: 00899A3E
DUm, xrefs: 00899A19

Memory Dump Source

Source File: 00000005.00000002.2529727002.0000000000890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_890000_odo7jrvnU3.jbxd

Similarity

API ID:
String ID: DUm$DUm$DUm$DUm$DUm$DUm
API String ID: 0-1110279135
Opcode ID: a36d6c7f565968dc0da394aafc408327112054b533ba487f6f2d4f84950c1611
Instruction ID: c4980a58fbb9be34a67fa5c221cfc127ef8c596eef6a137a257d94b25ccf9341
Opcode Fuzzy Hash: a36d6c7f565968dc0da394aafc408327112054b533ba487f6f2d4f84950c1611
Instruction Fuzzy Hash: DE210A313043106BD70AA7B1D85562D7693BBCA700B84843DD3098FA89EFB36D1643A3

Function 008999E8 Relevance: 7.6, Strings: 6, Instructions: 73COMMON

Download Yara Rule

Strings

DUm, xrefs: 00899A63
DUm, xrefs: 00899A88
DUm, xrefs: 00899AAD
DUm, xrefs: 008999F4
DUm, xrefs: 00899A3E
DUm, xrefs: 00899A19

Memory Dump Source

Source File: 00000005.00000002.2529727002.0000000000890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_890000_odo7jrvnU3.jbxd

Similarity

API ID:
String ID: DUm$DUm$DUm$DUm$DUm$DUm
API String ID: 0-1110279135
Opcode ID: 6e4b941f0ec53c3beb8d973203d349f1d1e542ba4166617eec384b898b245c25
Instruction ID: 93c4a4d8f9e7f8853dfa0044181bf08aca5a642f820fe29e1d92168e835ecd48
Opcode Fuzzy Hash: 6e4b941f0ec53c3beb8d973203d349f1d1e542ba4166617eec384b898b245c25
Instruction Fuzzy Hash: 0D1196713003106BD60AA7B1D855A2DB2D7BBC9710B84853DE3099FA89EFB32D5543A7

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report odo7jrvnU3.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: RedLine

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Windows Analysis Report
odo7jrvnU3.exe