Edit tour
Windows
Analysis Report
zq6a1iqg.exe
Overview
General Information
| Sample name: | zq6a1iqg.exe |
| Analysis ID: | 1577368 |
| MD5: | fd636191c054ea1e9f60d45bb50eaafc |
| SHA1: | 351cda4cd5f58d474126f5a60f92d4296f28121e |
| SHA256: | d8efa36e63e09c7999fa217695f94d05e6ba642588f5a9c8f5807c8c816b93c1 |
| Tags: | 18521511316185215113209bulletproofexeuser-abus3reports |
| Infos: |   |
 | |
Detection
LummaC Stealer
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected LummaC Stealer
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Sigma detected: Silenttrinity Stager Msbuild Activity
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the clipboard data
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
zq6a1iqg.exe (PID: 6844 cmdline: "C:\Users\ user\Deskt op\zq6a1iq g.exe" MD5: FD636191C054EA1E9F60D45BB50EAAFC) 
MSBuild.exe (PID: 1748 cmdline: "C:\Window s\Microsof t.NET\Fram ework\v4.0 .30319\MSB uild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
- cleanup
{"C2 url": ["leg-sate-boat.sbs", "occupy-blushi.sbs", "powerful-avoids.sbs", "disobey-curly.sbs", "frogs-severz.sbs", "story-tense-faz.sbs", "property-imper.sbs", "blade-govern.sbs", "motion-treesz.sbs"], "Build id": "rFk4jg--yout"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security | ||
| JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
System Summary |   |
|---|
| Source: | Author: Kiran kumar s, oscd.community: | ||
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-18T12:41:50.048256+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49706 | 23.55.153.106 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-18T12:41:46.608297+0100 | 2057812 | 1 | Domain Observed Used for C2 Detected | 192.168.2.8 | 52470 | 1.1.1.1 | 53 | UDP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-18T12:41:47.317603+0100 | 2057814 | 1 | Domain Observed Used for C2 Detected | 192.168.2.8 | 50618 | 1.1.1.1 | 53 | UDP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-18T12:41:45.953375+0100 | 2057818 | 1 | Domain Observed Used for C2 Detected | 192.168.2.8 | 63917 | 1.1.1.1 | 53 | UDP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-18T12:41:47.073586+0100 | 2057824 | 1 | Domain Observed Used for C2 Detected | 192.168.2.8 | 61625 | 1.1.1.1 | 53 | UDP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-18T12:41:47.544511+0100 | 2057826 | 1 | Domain Observed Used for C2 Detected | 192.168.2.8 | 50347 | 1.1.1.1 | 53 | UDP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-18T12:41:46.376546+0100 | 2057830 | 1 | Domain Observed Used for C2 Detected | 192.168.2.8 | 55571 | 1.1.1.1 | 53 | UDP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-18T12:41:47.774985+0100 | 2057834 | 1 | Domain Observed Used for C2 Detected | 192.168.2.8 | 63821 | 1.1.1.1 | 53 | UDP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-18T12:41:45.722572+0100 | 2057836 | 1 | Domain Observed Used for C2 Detected | 192.168.2.8 | 61750 | 1.1.1.1 | 53 | UDP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-18T12:41:46.844563+0100 | 2057842 | 1 | Domain Observed Used for C2 Detected | 192.168.2.8 | 59550 | 1.1.1.1 | 53 | UDP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-18T12:41:50.839388+0100 | 2858666 | 1 | Domain Observed Used for C2 Detected | 192.168.2.8 | 49706 | 23.55.153.106 | 443 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection | |
|---|
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Malware Configuration Extractor: | ||
| Source: | ReversingLabs: | ||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | Static PE information: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Code function: | 1_2_02D9E8A0 | |
| Source: | Code function: | 2_2_0043C040 | |
| Source: | Code function: | 2_2_0043C040 | |
| Source: | Code function: | 2_2_0043C040 | |
| Source: | Code function: | 2_2_0043C040 | |
| Source: | Code function: | 2_2_0043B860 | |
| Source: | Code function: | 2_2_00420870 | |
| Source: | Code function: | 2_2_0040C02B | |
| Source: | Code function: | 2_2_0043F8D0 | |
| Source: | Code function: | 2_2_0043F8D0 | |
| Source: | Code function: | 2_2_0040E0D8 | |
| Source: | Code function: | 2_2_0043B8E0 | |
| Source: | Code function: | 2_2_0043B8E0 | |
| Source: | Code function: | 2_2_0043BCE0 | |
| Source: | Code function: | 2_2_004098F0 | |
| Source: | Code function: | 2_2_00405C90 | |
| Source: | Code function: | 2_2_00405C90 | |
| Source: | Code function: | 2_2_0040BC9D | |
| Source: | Code function: | 2_2_00428CB0 | |
| Source: | Code function: | 2_2_0040E970 | |
| Source: | Code function: | 2_2_0040AD00 | |
| Source: | Code function: | 2_2_0040EA38 | |
| Source: | Code function: | 2_2_00425E90 | |
| Source: | Code function: | 2_2_0040E35B | |
| Source: | Code function: | 2_2_00440F60 | |
| Source: | Code function: | 2_2_0040CF05 | |
| Source: | Code function: | 2_2_004077D0 | |
| Source: | Code function: | 2_2_004077D0 | |
Networking | |
|---|
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | IP Address: | ||
| Source: | JA3 fingerprint: | ||
| Source: | Suricata IDS: | ||
| Source: | HTTP traffic detected: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | HTTP traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | DNS traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Code function: | 2_2_00434470 | |
| Source: | Code function: | 2_2_00434470 | |
| Source: | Code function: | 1_2_02D909F8 | |
| Source: | Code function: | 1_2_02D909E7 | |
| Source: | Code function: | 1_2_05E70040 | |
| Source: | Code function: | 1_2_05E785A0 | |
| Source: | Code function: | 1_2_05E78590 | |
| Source: | Code function: | 1_2_05E70006 | |
| Source: | Code function: | 1_2_05E7B7AC | |
| Source: | Code function: | 2_2_004089A0 | |
| Source: | Code function: | 2_2_0040B210 | |
| Source: | Code function: | 2_2_00404040 | |
| Source: | Code function: | 2_2_00406840 | |
| Source: | Code function: | 2_2_0043C040 | |
| Source: | Code function: | 2_2_00420870 | |
| Source: | Code function: | 2_2_00439030 | |
| Source: | Code function: | 2_2_00406CC0 | |
| Source: | Code function: | 2_2_004094D0 | |
| Source: | Code function: | 2_2_0043F8D0 | |
| Source: | Code function: | 2_2_0040E0D8 | |
| Source: | Code function: | 2_2_0043B8E0 | |
| Source: | Code function: | 2_2_004324E0 | |
| Source: | Code function: | 2_2_004098F0 | |
| Source: | Code function: | 2_2_00440C80 | |
| Source: | Code function: | 2_2_00405C90 | |
| Source: | Code function: | 2_2_00428CB0 | |
| Source: | Code function: | 2_2_0040E970 | |
| Source: | Code function: | 2_2_00423D70 | |
| Source: | Code function: | 2_2_0040AD00 | |
| Source: | Code function: | 2_2_00419530 | |
| Source: | Code function: | 2_2_004341D0 | |
| Source: | Code function: | 2_2_00403580 | |
| Source: | Code function: | 2_2_00441580 | |
| Source: | Code function: | 2_2_004061A0 | |
| Source: | Code function: | 2_2_00420650 | |
| Source: | Code function: | 2_2_00409210 | |
| Source: | Code function: | 2_2_00427E20 | |
| Source: | Code function: | 2_2_00404AC0 | |
| Source: | Code function: | 2_2_00425E90 | |
| Source: | Code function: | 2_2_0041FB60 | |
| Source: | Code function: | 2_2_00440F60 | |
| Source: | Code function: | 2_2_00428770 | |
| Source: | Code function: | 2_2_0040CF05 | |
| Source: | Code function: | 2_2_0041DB30 | |
| Source: | Code function: | 2_2_004027D0 | |
| Source: | Code function: | 2_2_004077D0 | |
| Source: | Code function: | 2_2_00402B80 | |
| Source: | Code function: | 2_2_0043C780 | |
| Source: | Code function: | 2_2_00421790 | |
| Source: | Code function: | 2_2_004387B0 | |
| Source: | Static PE information: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Static PE information: | ||
| Source: | Cryptographic APIs: | ||
| Source: | Cryptographic APIs: | ||
| Source: | Cryptographic APIs: | ||
| Source: | Cryptographic APIs: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 2_2_00439030 | |
| Source: | File created: | Jump to behavior | ||
| Source: | Mutant created: | ||
| Source: | Static PE information: | ||
| Source: | Static file information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | ReversingLabs: | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static file information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
Data Obfuscation | |
|---|
| Source: | .Net Code: | ||
| Source: | .Net Code: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 1_2_05E7E141 | |
| Source: | Code function: | 1_2_05E7E141 | |
| Source: | Code function: | 2_2_00415058 | |
| Source: | Code function: | 2_2_0041802B | |
| Source: | Code function: | 2_2_00416438 | |
| Source: | Code function: | 2_2_00418102 | |
| Source: | Code function: | 2_2_00418135 | |
| Source: | Code function: | 2_2_004181DB | |
| Source: | Code function: | 2_2_00414BD4 | |
| Source: | High entropy of concatenated method names: | ||
| Source: | High entropy of concatenated method names: | ||
| Source: | High entropy of concatenated method names: | ||
| Source: | High entropy of concatenated method names: | ||
| Source: | High entropy of concatenated method names: | ||
| Source: | High entropy of concatenated method names: | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | File source: | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Code function: | 2_2_0043DF70 | |
| Source: | Process token adjusted: | Jump to behavior | ||
| Source: | Memory allocated: | Jump to behavior | ||
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 311 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Security Software Discovery | Remote Services | 11 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Disable or Modify Tools | LSASS Memory | 31 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 2 Clipboard Data | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 31 Virtualization/Sandbox Evasion | Security Account Manager | 12 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 311 Process Injection | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | 113 Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 2 Obfuscated Files or Information | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 2 Software Packing | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Timestomp | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
| Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 DLL Side-Loading | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 76% | ReversingLabs | Win32.Trojan.Remcos | ||
| 100% | Joe Sandbox ML |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| steamcommunity.com | 23.55.153.106 | true | false | high | |
| occupy-blushi.sbs | unknown | unknown | false | high | |
| disobey-curly.sbs | unknown | unknown | false | high | |
| blade-govern.sbs | unknown | unknown | false | high | |
| story-tense-faz.sbs | unknown | unknown | false | high | |
| powerful-avoids.sbs | unknown | unknown | false | high | |
| motion-treesz.sbs | unknown | unknown | false | high | |
| property-imper.sbs | unknown | unknown | false | high | |
| frogs-severz.sbs | unknown | unknown | false | high | |
| leg-sate-boat.sbs | unknown | unknown | false | high |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| false | high | ||
| false | high | ||
| false | high | ||
| false | high | ||
| false | high | ||
| true |
| unknown | |
| false | high | ||
| false | high | ||
| false | high | ||
| false | high |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 23.55.153.106 | steamcommunity.com | United States | 20940 | AKAMAI-ASN1EU | false |
| Joe Sandbox version: | 41.0.0 Charoite |
| Analysis ID: | 1577368 |
| Start date and time: | 2024-12-18 12:40:38 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 4m 22s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 3 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | zq6a1iqg.exe |
| Detection: | MAL |
| Classification: | mal100.troj.evad.winEXE@3/1@10/1 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe
- Excluded domains from analysis (whitelisted): slscr.update.microsoft.com
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- VT rate limit hit for: zq6a1iqg.exe
| Time | Type | Description |
|---|---|---|
| 06:41:43 | API Interceptor | |
| 06:41:44 | API Interceptor |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 23.55.153.106 | Get hash | malicious | LummaC | Browse | ||
| Get hash | malicious | LummaC | Browse | |||
| Get hash | malicious | LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, Stealc, Vidar | Browse | |||
| Get hash | malicious | LummaC Stealer | Browse | |||
| Get hash | malicious | LummaC | Browse | |||
| Get hash | malicious | LummaC | Browse | |||
| Get hash | malicious | Stealc, Vidar | Browse | |||
| Get hash | malicious | LummaC | Browse | |||
| Get hash | malicious | LummaC | Browse | |||
| Get hash | malicious | LummaC | Browse |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| steamcommunity.com | Get hash | malicious | LummaC | Browse |
| |
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, Stealc, Vidar | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | Stealc, Vidar | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| AKAMAI-ASN1EU | Get hash | malicious | LummaC | Browse |
| |
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, Stealc, Vidar | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | Stealc, Vidar | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| a0e9f5d64349fb13191bc781f81f42e1 | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, Stealc, Vidar | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | Amadey, Cryptbot, LummaC Stealer, RHADAMANTHYS, Xmrig | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
|
⊘No context
| Process: | C:\Users\user\Desktop\zq6a1iqg.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 323 |
| Entropy (8bit): | 5.363435887027673 |
| Encrypted: | false |
| SSDEEP: | 6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTt92W+P12MUAvvrs:Q3La/KDLI4MWuPTAt92n4M6 |
| MD5: | 073F05396DE9273ED9563E2E299BB296 |
| SHA1: | 3EBA610FE88F782B4BCA99C3C39DC6AF65C574ED |
| SHA-256: | C180FCC444FA7EAAC96D0EBC011ADA54DCFF3022C06087CB2526A182BA05C30B |
| SHA-512: | 354432510FD8C60EAC239DC8E9BE7A8C92CACB0FC09F3908721D41B8BBD8F480E88D650BC6AB306CAFE3D189660356200BB2F5E11143776222A75B2F9C5748BE |
| Malicious: | true |
| Reputation: | low |
| Preview: |
| File type: | |
| Entropy (8bit): | 7.949608835675208 |
| TrID: |
|
| File name: | zq6a1iqg.exe |
| File size: | 2'394'760 bytes |
| MD5: | fd636191c054ea1e9f60d45bb50eaafc |
| SHA1: | 351cda4cd5f58d474126f5a60f92d4296f28121e |
| SHA256: | d8efa36e63e09c7999fa217695f94d05e6ba642588f5a9c8f5807c8c816b93c1 |
| SHA512: | 0e4c0f02081bc77115479f136aa2bbd5a8ec6f1d83119b74ceec3a3ee98116c1557623328095a32fd99d380b9f43b519933e307f333f5c6b927774587fb07436 |
| SSDEEP: | 49152:5X3GDR6HM+RNLVqzAJamOHZF+Pzgvk9afAPr1686itwodRTOayqf/L:5X3o6HMmVUAk4bgcAfAPJhztwouayqfz |
| TLSH: | 22B5231F72A9CF42D19014B2C1CFC8B427E26CA79A7AEB553B48321B1FF9267DD1111A |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........................F".. .......d".. ...."...@.. ........................$.....<.$...@................................ |
 | |
| Icon Hash: | c7637f7164645095 |
| Entrypoint: | 0x6264be |
| Entrypoint Section: | .text |
| Digitally signed: | true |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
| DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0xB79A8A14 [Fri Aug 12 07:07:00 2067 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 4 |
| OS Version Minor: | 0 |
| File Version Major: | 4 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 4 |
| Subsystem Version Minor: | 0 |
| Import Hash: | f34d5f2d4577ed6d9ceec516c1f5a744 |
| Signature Valid: | false |
| Signature Issuer: | CN=Oppo Electronic Korea |
| Signature Validation Error: | A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider |
| Error Number: | -2146762487 |
| Not Before, Not After |
|
| Subject Chain |
|
| Version: | 3 |
| Thumbprint MD5: | CBBCA22547E35857495BF30584BB10CF |
| Thumbprint SHA-1: | 8FA494CAB924441A9FEB3D7D9CE971AC5B1AEA9E |
| Thumbprint SHA-256: | 8537E18CB0EE231AF45FA04E3E11F513DE08EED65293126EA94454135952884F |
| Serial: | 54FECD73D26608B944146AFDD037D542 |
| Instruction |
|---|
| jmp dword ptr [00402000h] |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x226470 | 0x4b | .text |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x22a000 | 0x21b8c | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x246a00 | 0x2088 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x24c000 | 0xc | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x226423 | 0x1c | .text |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x2000 | 0x2244c4 | 0x224600 | 01d096a732019c0565e3d97baaf00c2d | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .sdata | 0x228000 | 0x1e8 | 0x200 | ba1a51c546597b8fdcb7d0154e4ab651 | False | 0.857421875 | data | 6.638446248926509 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x22a000 | 0x21b8c | 0x21c00 | c7d8b3432c4961cdef428290237c75ee | False | 0.5937861689814815 | DIY-Thermocam raw data (Lepton 2.x), scale -13875--13824, spot sensor temperature 0.000000, unit celsius, color scheme 0, calibration: offset 0.000000, slope 144115188075855872.000000 | 6.500294930322141 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x24c000 | 0xc | 0x200 | 8ea5d68875b502e916028994b7bba8eb | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0x22a1c0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | 0.676125703564728 | ||
| RT_ICON | 0x22b268 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384 | 0.48187293339631554 | ||
| RT_ICON | 0x22f490 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536 | 0.3423192949248787 | ||
| RT_ICON | 0x23fcb8 | 0xb63c | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | 0.9990997170539312 | ||
| RT_GROUP_ICON | 0x24b2f4 | 0x3e | data | 0.8225806451612904 | ||
| RT_VERSION | 0x24b334 | 0x66c | data | 0.2773722627737226 | ||
| RT_MANIFEST | 0x24b9a0 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | 0.5489795918367347 |
| DLL | Import |
|---|---|
| mscoree.dll | _CorExeMain |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-18T12:41:45.722572+0100 | 2057836 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (property-imper .sbs) | 1 | 192.168.2.8 | 61750 | 1.1.1.1 | 53 | UDP |
| 2024-12-18T12:41:45.953375+0100 | 2057818 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (frogs-severz .sbs) | 1 | 192.168.2.8 | 63917 | 1.1.1.1 | 53 | UDP |
| 2024-12-18T12:41:46.376546+0100 | 2057830 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (occupy-blushi .sbs) | 1 | 192.168.2.8 | 55571 | 1.1.1.1 | 53 | UDP |
| 2024-12-18T12:41:46.608297+0100 | 2057812 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (blade-govern .sbs) | 1 | 192.168.2.8 | 52470 | 1.1.1.1 | 53 | UDP |
| 2024-12-18T12:41:46.844563+0100 | 2057842 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (story-tense-faz .sbs) | 1 | 192.168.2.8 | 59550 | 1.1.1.1 | 53 | UDP |
| 2024-12-18T12:41:47.073586+0100 | 2057824 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (leg-sate-boat .sbs) | 1 | 192.168.2.8 | 61625 | 1.1.1.1 | 53 | UDP |
| 2024-12-18T12:41:47.317603+0100 | 2057814 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (disobey-curly .sbs) | 1 | 192.168.2.8 | 50618 | 1.1.1.1 | 53 | UDP |
| 2024-12-18T12:41:47.544511+0100 | 2057826 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (motion-treesz .sbs) | 1 | 192.168.2.8 | 50347 | 1.1.1.1 | 53 | UDP |
| 2024-12-18T12:41:47.774985+0100 | 2057834 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (powerful-avoids .sbs) | 1 | 192.168.2.8 | 63821 | 1.1.1.1 | 53 | UDP |
| 2024-12-18T12:41:50.048256+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49706 | 23.55.153.106 | 443 | TCP |
| 2024-12-18T12:41:50.839388+0100 | 2858666 | ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup | 1 | 192.168.2.8 | 49706 | 23.55.153.106 | 443 | TCP |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Dec 18, 2024 12:41:38.166093111 CET | 49676 | 443 | 192.168.2.8 | 52.182.143.211 |
| Dec 18, 2024 12:41:38.416099072 CET | 49673 | 443 | 192.168.2.8 | 23.206.229.226 |
| Dec 18, 2024 12:41:38.744254112 CET | 49672 | 443 | 192.168.2.8 | 23.206.229.226 |
| Dec 18, 2024 12:41:40.791332006 CET | 49677 | 80 | 192.168.2.8 | 192.229.211.108 |
| Dec 18, 2024 12:41:48.025486946 CET | 49673 | 443 | 192.168.2.8 | 23.206.229.226 |
| Dec 18, 2024 12:41:48.213893890 CET | 49706 | 443 | 192.168.2.8 | 23.55.153.106 |
| Dec 18, 2024 12:41:48.213954926 CET | 443 | 49706 | 23.55.153.106 | 192.168.2.8 |
| Dec 18, 2024 12:41:48.214035988 CET | 49706 | 443 | 192.168.2.8 | 23.55.153.106 |
| Dec 18, 2024 12:41:48.353559017 CET | 49672 | 443 | 192.168.2.8 | 23.206.229.226 |
| Dec 18, 2024 12:41:48.650160074 CET | 49706 | 443 | 192.168.2.8 | 23.55.153.106 |
| Dec 18, 2024 12:41:48.650185108 CET | 443 | 49706 | 23.55.153.106 | 192.168.2.8 |
| Dec 18, 2024 12:41:50.048105001 CET | 443 | 49706 | 23.55.153.106 | 192.168.2.8 |
| Dec 18, 2024 12:41:50.048255920 CET | 49706 | 443 | 192.168.2.8 | 23.55.153.106 |
| Dec 18, 2024 12:41:50.053869009 CET | 49706 | 443 | 192.168.2.8 | 23.55.153.106 |
| Dec 18, 2024 12:41:50.053874969 CET | 443 | 49706 | 23.55.153.106 | 192.168.2.8 |
| Dec 18, 2024 12:41:50.054341078 CET | 443 | 49706 | 23.55.153.106 | 192.168.2.8 |
| Dec 18, 2024 12:41:50.103564978 CET | 49706 | 443 | 192.168.2.8 | 23.55.153.106 |
| Dec 18, 2024 12:41:50.108486891 CET | 49706 | 443 | 192.168.2.8 | 23.55.153.106 |
| Dec 18, 2024 12:41:50.155337095 CET | 443 | 49706 | 23.55.153.106 | 192.168.2.8 |
| Dec 18, 2024 12:41:50.792819977 CET | 443 | 49705 | 23.206.229.226 | 192.168.2.8 |
| Dec 18, 2024 12:41:50.793000937 CET | 49705 | 443 | 192.168.2.8 | 23.206.229.226 |
| Dec 18, 2024 12:41:50.839449883 CET | 443 | 49706 | 23.55.153.106 | 192.168.2.8 |
| Dec 18, 2024 12:41:50.839489937 CET | 443 | 49706 | 23.55.153.106 | 192.168.2.8 |
| Dec 18, 2024 12:41:50.839646101 CET | 49706 | 443 | 192.168.2.8 | 23.55.153.106 |
| Dec 18, 2024 12:41:50.839646101 CET | 49706 | 443 | 192.168.2.8 | 23.55.153.106 |
| Dec 18, 2024 12:41:50.839663982 CET | 443 | 49706 | 23.55.153.106 | 192.168.2.8 |
| Dec 18, 2024 12:41:50.839677095 CET | 443 | 49706 | 23.55.153.106 | 192.168.2.8 |
| Dec 18, 2024 12:41:50.839683056 CET | 443 | 49706 | 23.55.153.106 | 192.168.2.8 |
| Dec 18, 2024 12:41:50.839695930 CET | 49706 | 443 | 192.168.2.8 | 23.55.153.106 |
| Dec 18, 2024 12:41:50.840147972 CET | 49706 | 443 | 192.168.2.8 | 23.55.153.106 |
| Dec 18, 2024 12:41:51.017584085 CET | 443 | 49706 | 23.55.153.106 | 192.168.2.8 |
| Dec 18, 2024 12:41:51.017687082 CET | 443 | 49706 | 23.55.153.106 | 192.168.2.8 |
| Dec 18, 2024 12:41:51.017699003 CET | 49706 | 443 | 192.168.2.8 | 23.55.153.106 |
| Dec 18, 2024 12:41:51.017723083 CET | 443 | 49706 | 23.55.153.106 | 192.168.2.8 |
| Dec 18, 2024 12:41:51.017785072 CET | 49706 | 443 | 192.168.2.8 | 23.55.153.106 |
| Dec 18, 2024 12:41:51.025141954 CET | 443 | 49706 | 23.55.153.106 | 192.168.2.8 |
| Dec 18, 2024 12:41:51.025249004 CET | 49706 | 443 | 192.168.2.8 | 23.55.153.106 |
| Dec 18, 2024 12:41:51.037306070 CET | 49706 | 443 | 192.168.2.8 | 23.55.153.106 |
| Dec 18, 2024 12:41:51.037306070 CET | 49706 | 443 | 192.168.2.8 | 23.55.153.106 |
| Dec 18, 2024 12:41:51.037332058 CET | 443 | 49706 | 23.55.153.106 | 192.168.2.8 |
| Dec 18, 2024 12:41:51.037343025 CET | 443 | 49706 | 23.55.153.106 | 192.168.2.8 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Dec 18, 2024 12:41:45.722572088 CET | 61750 | 53 | 192.168.2.8 | 1.1.1.1 |
| Dec 18, 2024 12:41:45.946563959 CET | 53 | 61750 | 1.1.1.1 | 192.168.2.8 |
| Dec 18, 2024 12:41:45.953375101 CET | 63917 | 53 | 192.168.2.8 | 1.1.1.1 |
| Dec 18, 2024 12:41:46.350291014 CET | 53 | 63917 | 1.1.1.1 | 192.168.2.8 |
| Dec 18, 2024 12:41:46.376545906 CET | 55571 | 53 | 192.168.2.8 | 1.1.1.1 |
| Dec 18, 2024 12:41:46.603393078 CET | 53 | 55571 | 1.1.1.1 | 192.168.2.8 |
| Dec 18, 2024 12:41:46.608297110 CET | 52470 | 53 | 192.168.2.8 | 1.1.1.1 |
| Dec 18, 2024 12:41:46.840184927 CET | 53 | 52470 | 1.1.1.1 | 192.168.2.8 |
| Dec 18, 2024 12:41:46.844563007 CET | 59550 | 53 | 192.168.2.8 | 1.1.1.1 |
| Dec 18, 2024 12:41:47.068253994 CET | 53 | 59550 | 1.1.1.1 | 192.168.2.8 |
| Dec 18, 2024 12:41:47.073585987 CET | 61625 | 53 | 192.168.2.8 | 1.1.1.1 |
| Dec 18, 2024 12:41:47.313752890 CET | 53 | 61625 | 1.1.1.1 | 192.168.2.8 |
| Dec 18, 2024 12:41:47.317603111 CET | 50618 | 53 | 192.168.2.8 | 1.1.1.1 |
| Dec 18, 2024 12:41:47.541815042 CET | 53 | 50618 | 1.1.1.1 | 192.168.2.8 |
| Dec 18, 2024 12:41:47.544511080 CET | 50347 | 53 | 192.168.2.8 | 1.1.1.1 |
| Dec 18, 2024 12:41:47.772561073 CET | 53 | 50347 | 1.1.1.1 | 192.168.2.8 |
| Dec 18, 2024 12:41:47.774985075 CET | 63821 | 53 | 192.168.2.8 | 1.1.1.1 |
| Dec 18, 2024 12:41:48.006917953 CET | 53 | 63821 | 1.1.1.1 | 192.168.2.8 |
| Dec 18, 2024 12:41:48.059348106 CET | 55848 | 53 | 192.168.2.8 | 1.1.1.1 |
| Dec 18, 2024 12:41:48.196715117 CET | 53 | 55848 | 1.1.1.1 | 192.168.2.8 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Dec 18, 2024 12:41:45.722572088 CET | 192.168.2.8 | 1.1.1.1 | 0xa9bb | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Dec 18, 2024 12:41:45.953375101 CET | 192.168.2.8 | 1.1.1.1 | 0xea78 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Dec 18, 2024 12:41:46.376545906 CET | 192.168.2.8 | 1.1.1.1 | 0x2e5d | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Dec 18, 2024 12:41:46.608297110 CET | 192.168.2.8 | 1.1.1.1 | 0xb938 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Dec 18, 2024 12:41:46.844563007 CET | 192.168.2.8 | 1.1.1.1 | 0xaeb1 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Dec 18, 2024 12:41:47.073585987 CET | 192.168.2.8 | 1.1.1.1 | 0x52c3 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Dec 18, 2024 12:41:47.317603111 CET | 192.168.2.8 | 1.1.1.1 | 0x8735 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Dec 18, 2024 12:41:47.544511080 CET | 192.168.2.8 | 1.1.1.1 | 0x43c8 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Dec 18, 2024 12:41:47.774985075 CET | 192.168.2.8 | 1.1.1.1 | 0x46df | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Dec 18, 2024 12:41:48.059348106 CET | 192.168.2.8 | 1.1.1.1 | 0x2e5e | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Dec 18, 2024 12:41:45.946563959 CET | 1.1.1.1 | 192.168.2.8 | 0xa9bb | Name error (3) | none | none | A (IP address) | IN (0x0001) | false | |
| Dec 18, 2024 12:41:46.350291014 CET | 1.1.1.1 | 192.168.2.8 | 0xea78 | Name error (3) | none | none | A (IP address) | IN (0x0001) | false | |
| Dec 18, 2024 12:41:46.603393078 CET | 1.1.1.1 | 192.168.2.8 | 0x2e5d | Name error (3) | none | none | A (IP address) | IN (0x0001) | false | |
| Dec 18, 2024 12:41:46.840184927 CET | 1.1.1.1 | 192.168.2.8 | 0xb938 | Name error (3) | none | none | A (IP address) | IN (0x0001) | false | |
| Dec 18, 2024 12:41:47.068253994 CET | 1.1.1.1 | 192.168.2.8 | 0xaeb1 | Name error (3) | none | none | A (IP address) | IN (0x0001) | false | |
| Dec 18, 2024 12:41:47.313752890 CET | 1.1.1.1 | 192.168.2.8 | 0x52c3 | Name error (3) | none | none | A (IP address) | IN (0x0001) | false | |
| Dec 18, 2024 12:41:47.541815042 CET | 1.1.1.1 | 192.168.2.8 | 0x8735 | Name error (3) | none | none | A (IP address) | IN (0x0001) | false | |
| Dec 18, 2024 12:41:47.772561073 CET | 1.1.1.1 | 192.168.2.8 | 0x43c8 | Name error (3) | none | none | A (IP address) | IN (0x0001) | false | |
| Dec 18, 2024 12:41:48.006917953 CET | 1.1.1.1 | 192.168.2.8 | 0x46df | Name error (3) | none | none | A (IP address) | IN (0x0001) | false | |
| Dec 18, 2024 12:41:48.196715117 CET | 1.1.1.1 | 192.168.2.8 | 0x2e5e | No error (0) | 23.55.153.106 | A (IP address) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.8 | 49706 | 23.55.153.106 | 443 | 1748 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-18 11:41:50 UTC | 219 | OUT | |
| 2024-12-18 11:41:50 UTC | 1905 | IN | |
| 2024-12-18 11:41:50 UTC | 14479 | IN | |
| 2024-12-18 11:41:51 UTC | 10097 | IN | |
| 2024-12-18 11:41:51 UTC | 1089 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 1 |
| Start time: | 06:41:42 |
| Start date: | 18/12/2024 |
| Path: | C:\Users\user\Desktop\zq6a1iqg.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x990000 |
| File size: | 2'394'760 bytes |
| MD5 hash: | FD636191C054EA1E9F60D45BB50EAAFC |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
| Target ID: | 2 |
| Start time: | 06:41:44 |
| Start date: | 18/12/2024 |
| Path: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xd40000 |
| File size: | 262'432 bytes |
| MD5 hash: | 8FDF47E0FF70C40ED3A17014AEEA4232 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
Execution Graph
| Execution Coverage: | 21.7% |
| Dynamic/Decrypted Code Coverage: | 100% |
| Signature Coverage: | 0% |
| Total number of Nodes: | 95 |
| Total number of Limit Nodes: | 2 |
Graph
Control-flow Graph
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 055E08CE Relevance: 6.3, Strings: 5, Instructions: 91COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 055E0719 Relevance: 5.1, Strings: 4, Instructions: 93COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 055E0C83 Relevance: 3.9, Strings: 3, Instructions: 112COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 055E092C Relevance: 3.8, Strings: 3, Instructions: 89COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 055E022E Relevance: 3.8, Strings: 3, Instructions: 77COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 055E0613 Relevance: 3.8, Strings: 3, Instructions: 67COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 055E0135 Relevance: 2.6, Strings: 2, Instructions: 95COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 055E0972 Relevance: 2.6, Strings: 2, Instructions: 67COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 055E088D Relevance: 2.6, Strings: 2, Instructions: 59COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 05E7F2A9 Relevance: 1.6, APIs: 1, Instructions: 103memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 05E7F2B0 Relevance: 1.6, APIs: 1, Instructions: 101memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 05E7F180 Relevance: 1.6, APIs: 1, Instructions: 97threadCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 05E7F188 Relevance: 1.6, APIs: 1, Instructions: 94threadCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 02D9E3C0 Relevance: 1.6, APIs: 1, Instructions: 92memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 05E7F090 Relevance: 1.6, APIs: 1, Instructions: 76threadCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 05E7F098 Relevance: 1.6, APIs: 1, Instructions: 73threadCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 055E0FC2 Relevance: 1.4, Strings: 1, Instructions: 107COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 02D9F7A8 Relevance: 1.3, APIs: 1, Instructions: 93memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 055E0D5D Relevance: 1.3, Strings: 1, Instructions: 20COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0136D01C Relevance: .1, Instructions: 74COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0136D017 Relevance: .1, Instructions: 55COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 055E1640 Relevance: .0, Instructions: 35COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 055E1630 Relevance: .0, Instructions: 35COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 055E15D0 Relevance: .0, Instructions: 32COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 055E1A40 Relevance: .0, Instructions: 32COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 055E15C1 Relevance: .0, Instructions: 31COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 055E1AB0 Relevance: .0, Instructions: 31COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 055E1AA1 Relevance: .0, Instructions: 30COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 055E1A30 Relevance: .0, Instructions: 29COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 055E0DF7 Relevance: .0, Instructions: 13COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 05E7B7AC Relevance: 3.9, Strings: 3, Instructions: 159COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 05E785A0 Relevance: .2, Instructions: 152COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 05E78590 Relevance: .2, Instructions: 152COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 02D909E7 Relevance: .1, Instructions: 148COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 02D909F8 Relevance: .1, Instructions: 145COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 02D9E8A0 Relevance: .1, Instructions: 114COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 055E06CF Relevance: 6.3, Strings: 5, Instructions: 96COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Execution Graph
| Execution Coverage: | 4.2% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 24% |
| Total number of Nodes: | 254 |
| Total number of Limit Nodes: | 18 |
Graph
Function 004089A0 Relevance: 7.7, APIs: 5, Instructions: 242threadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043DF70 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043DED0 Relevance: 1.6, APIs: 1, Instructions: 62memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043B7E0 Relevance: 1.5, APIs: 1, Instructions: 49memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00439030 Relevance: 30.4, APIs: 10, Strings: 7, Instructions: 621memorycomCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00434470 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 111clipboardCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|