Edit tour

Windows Analysis Report
cali.exe

Overview

General Information

Sample name:	cali.exe
Analysis ID:	1577452
MD5:	cae505e91242b082fefcf521b25d02f5
SHA1:	049fe643f4807770cee9d8163bd739763a693a8e
SHA256:	053eb54af528f36c930565abc0ae8888dc8ea7c8740dcb25e02cad88a26dfe34
Tags:	AgentTeslaexeuser-lowmal3
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

AI detected suspicious sample

Contains functionality to log keystrokes (.Net Source)

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Outbound SMTP Connections

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

cali.exe (PID: 7360 cmdline: "C:\Users\user\Desktop\cali.exe" MD5: CAE505E91242B082FEFCF521B25D02F5)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.privateemail.com", "Username": "pin@hm-heating-de.icu", "Password": "mGr{)g5TVG3j"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
cali.exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
cali.exe	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
cali.exe	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334e5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33557:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33673:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336dd:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3374f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337e5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33875:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.2623919463.000000000326B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000000.1377544914.0000000000F02000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000000.1377544914.0000000000F02000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.2623919463.0000000003241000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2623919463.0000000003241000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.2623919463.000000000327F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: cali.exe PID: 7360	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: cali.exe PID: 7360	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.cali.exe.f00000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.0.cali.exe.f00000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.0.cali.exe.f00000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334e5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33557:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33673:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336dd:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3374f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337e5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33875:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548

Sigma Signatures

System Summary

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DesusertionIp: 198.54.122.135, DesusertionIsIpv6: false, DesusertionPort: 587, EventID: 3, Image: C:\Users\user\Desktop\cali.exe, Initiated: true, ProcessId: 7360, Protocol: tcp, SourceIp: 192.168.2.9, SourceIsIpv6: false, SourcePort: 49708

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: cali.exe

Avira: detected

Found malware configuration

Source: cali.exe

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.privateemail.com", "Username": "pin@hm-heating-de.icu", "Password": "mGr{)g5TVG3j"}

Multi AV Scanner detection for submitted file

Source: cali.exe

ReversingLabs: Detection: 83%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: cali.exe

Joe Sandbox ML: detected

Source: cali.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.9:49707 version: TLS 1.2

Source: cali.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: global traffic

TCP traffic: 192.168.2.9:49708 -> 198.54.122.135:587

Source: Joe Sandbox View	IP Address: 198.54.122.135 198.54.122.135
Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205
Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic

TCP traffic: 192.168.2.9:49708 -> 198.54.122.135:587

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: mail.privateemail.com

Source: cali.exe, 00000000.00000002.2623919463.000000000326B000.00000004.00000800.00020000.00000000.sdmp, cali.exe, 00000000.00000002.2623175687.00000000016CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: cali.exe, 00000000.00000002.2623175687.00000000016CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: cali.exe, 00000000.00000002.2625643912.0000000006A11000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.m
Source: cali.exe, 00000000.00000002.2625643912.0000000006A11000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: cali.exe, 00000000.00000002.2623175687.00000000016CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainVaJ
Source: cali.exe, 00000000.00000002.2623919463.000000000326B000.00000004.00000800.00020000.00000000.sdmp, cali.exe, 00000000.00000002.2623175687.00000000016CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: cali.exe, 00000000.00000002.2623919463.000000000326B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.privateemail.com
Source: cali.exe, 00000000.00000002.2623919463.000000000326B000.00000004.00000800.00020000.00000000.sdmp, cali.exe, 00000000.00000002.2623175687.00000000016CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: cali.exe, 00000000.00000002.2623919463.000000000326B000.00000004.00000800.00020000.00000000.sdmp, cali.exe, 00000000.00000002.2623175687.00000000016CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: cali.exe, 00000000.00000002.2623919463.00000000031F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: cali.exe	String found in binary or memory: https://account.dyn.com/
Source: cali.exe	String found in binary or memory: https://api.ipify.org
Source: cali.exe, 00000000.00000002.2623919463.00000000031F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: cali.exe, 00000000.00000002.2623919463.00000000031F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t
Source: cali.exe, 00000000.00000002.2623919463.000000000326B000.00000004.00000800.00020000.00000000.sdmp, cali.exe, 00000000.00000002.2623175687.00000000016CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707

Source: unknown

HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.9:49707 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: cali.exe, SKTzxzsJw.cs

.Net Code: mWXy4

System Summary

Malicious sample detected (through community Yara rule)

Source: cali.exe, type: SAMPLE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.0.cali.exe.f00000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Source: C:\Users\user\Desktop\cali.exe	Code function: 0_2_0188B9EE	0_2_0188B9EE
Source: C:\Users\user\Desktop\cali.exe	Code function: 0_2_01884A98	0_2_01884A98
Source: C:\Users\user\Desktop\cali.exe	Code function: 0_2_0188DCC7	0_2_0188DCC7
Source: C:\Users\user\Desktop\cali.exe	Code function: 0_2_01883E80	0_2_01883E80
Source: C:\Users\user\Desktop\cali.exe	Code function: 0_2_018841C8	0_2_018841C8
Source: C:\Users\user\Desktop\cali.exe	Code function: 0_2_06D60FE0	0_2_06D60FE0
Source: C:\Users\user\Desktop\cali.exe	Code function: 0_2_06D63C6B	0_2_06D63C6B
Source: C:\Users\user\Desktop\cali.exe	Code function: 0_2_06D64570	0_2_06D64570
Source: C:\Users\user\Desktop\cali.exe	Code function: 0_2_06D63520	0_2_06D63520
Source: C:\Users\user\Desktop\cali.exe	Code function: 0_2_06D691B0	0_2_06D691B0
Source: C:\Users\user\Desktop\cali.exe	Code function: 0_2_06D6A108	0_2_06D6A108
Source: C:\Users\user\Desktop\cali.exe	Code function: 0_2_06D65628	0_2_06D65628
Source: C:\Users\user\Desktop\cali.exe	Code function: 0_2_06D602F8	0_2_06D602F8
Source: C:\Users\user\Desktop\cali.exe	Code function: 0_2_06D6C328	0_2_06D6C328

Source: cali.exe, 00000000.00000002.2623175687.000000000162E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs cali.exe
Source: cali.exe, 00000000.00000000.1377544914.0000000000F02000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamea405aee0-8989-4d2f-871d-52e1f783cbe2.exe4 vs cali.exe
Source: cali.exe, 00000000.00000002.2623021311.00000000012F8000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs cali.exe
Source: cali.exe	Binary or memory string: OriginalFilenamea405aee0-8989-4d2f-871d-52e1f783cbe2.exe4 vs cali.exe

Source: cali.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: cali.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.0.cali.exe.f00000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: cali.exe, 4JJG6X.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: cali.exe, 4JJG6X.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: cali.exe, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: cali.exe, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: cali.exe, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: cali.exe, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: cali.exe, CqSP68Ir.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: cali.exe, CqSP68Ir.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: cali.exe

Binary string: ID: 0x{0:X}qSize of the SerializedPropertyStore is less than 8 ({0})/StoreSize: {0} (0x{0X})3\Device\LanmanRedirector\[Failed to retrieve system handle information.

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/0@2/2

Source: C:\Users\user\Desktop\cali.exe

Mutant created: NULL

Source: cali.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: cali.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\cali.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\cali.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\cali.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\cali.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: cali.exe

ReversingLabs: Detection: 83%

Source: C:\Users\user\Desktop\cali.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\Desktop\cali.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\cali.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: cali.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: cali.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\cali.exe	Code function: 0_2_01880C55 push ebx; retf	0_2_01880C52
Source: C:\Users\user\Desktop\cali.exe	Code function: 0_2_01880C6D push edi; retf	0_2_01880C7A
Source: C:\Users\user\Desktop\cali.exe	Code function: 0_2_06D68DEC push 8B042594h; iretd	0_2_06D68DF1

Source: C:\Users\user\Desktop\cali.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Source: C:\Users\user\Desktop\cali.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\cali.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\cali.exe	Memory allocated: 1880000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Memory allocated: 31F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Memory allocated: 51F0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\cali.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\cali.exe	Window / User API: threadDelayed 1876			Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Window / User API: threadDelayed 7966			Jump to behavior

Source: C:\Users\user\Desktop\cali.exe TID: 7516	Thread sleep count: 33 > 30	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe TID: 7516	Thread sleep time: -30437127721620741s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe TID: 7516	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe TID: 7516	Thread sleep time: -99875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe TID: 7520	Thread sleep count: 1876 > 30	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe TID: 7520	Thread sleep count: 7966 > 30	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe TID: 7516	Thread sleep time: -99765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe TID: 7516	Thread sleep time: -99656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe TID: 7516	Thread sleep time: -99547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe TID: 7516	Thread sleep time: -99437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe TID: 7516	Thread sleep time: -99328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe TID: 7516	Thread sleep time: -99219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe TID: 7516	Thread sleep time: -99109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe TID: 7516	Thread sleep time: -99000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe TID: 7516	Thread sleep time: -98890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe TID: 7516	Thread sleep time: -98781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe TID: 7516	Thread sleep time: -98672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe TID: 7516	Thread sleep time: -98562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe TID: 7516	Thread sleep time: -98453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe TID: 7516	Thread sleep time: -98344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe TID: 7516	Thread sleep time: -98193s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe TID: 7516	Thread sleep time: -97947s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe TID: 7516	Thread sleep time: -97840s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe TID: 7516	Thread sleep time: -97719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe TID: 7516	Thread sleep time: -97594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe TID: 7516	Thread sleep time: -97484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe TID: 7516	Thread sleep time: -97375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe TID: 7516	Thread sleep time: -97265s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe TID: 7516	Thread sleep time: -97156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe TID: 7516	Thread sleep time: -97047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe TID: 7516	Thread sleep time: -96937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe TID: 7516	Thread sleep time: -96828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe TID: 7516	Thread sleep time: -96718s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe TID: 7516	Thread sleep time: -96609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe TID: 7516	Thread sleep time: -96500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe TID: 7516	Thread sleep time: -96390s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe TID: 7516	Thread sleep time: -96281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe TID: 7516	Thread sleep time: -96165s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe TID: 7516	Thread sleep time: -96047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe TID: 7516	Thread sleep time: -95937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe TID: 7516	Thread sleep time: -95828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe TID: 7516	Thread sleep time: -95719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe TID: 7516	Thread sleep time: -95595s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe TID: 7516	Thread sleep time: -95469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe TID: 7516	Thread sleep time: -95346s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe TID: 7516	Thread sleep time: -95201s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe TID: 7516	Thread sleep time: -95088s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe TID: 7516	Thread sleep time: -94969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe TID: 7516	Thread sleep time: -94853s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe TID: 7516	Thread sleep time: -94746s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe TID: 7516	Thread sleep time: -94625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe TID: 7516	Thread sleep time: -94515s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe TID: 7516	Thread sleep time: -94406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe TID: 7516	Thread sleep time: -94297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe TID: 7516	Thread sleep time: -94187s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe TID: 7516	Thread sleep time: -94078s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\cali.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\cali.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\cali.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\cali.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Thread delayed: delay time: 99875	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Thread delayed: delay time: 99765	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Thread delayed: delay time: 99656	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Thread delayed: delay time: 99547	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Thread delayed: delay time: 99437	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Thread delayed: delay time: 99328	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Thread delayed: delay time: 99219	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Thread delayed: delay time: 99109	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Thread delayed: delay time: 99000	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Thread delayed: delay time: 98890	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Thread delayed: delay time: 98781	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Thread delayed: delay time: 98672	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Thread delayed: delay time: 98562	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Thread delayed: delay time: 98453	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Thread delayed: delay time: 98344	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Thread delayed: delay time: 98193	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Thread delayed: delay time: 97947	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Thread delayed: delay time: 97840	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Thread delayed: delay time: 97719	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Thread delayed: delay time: 97594	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Thread delayed: delay time: 97484	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Thread delayed: delay time: 97375	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Thread delayed: delay time: 97265	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Thread delayed: delay time: 97156	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Thread delayed: delay time: 97047	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Thread delayed: delay time: 96937	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Thread delayed: delay time: 96828	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Thread delayed: delay time: 96718	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Thread delayed: delay time: 96609	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Thread delayed: delay time: 96500	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Thread delayed: delay time: 96390	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Thread delayed: delay time: 96281	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Thread delayed: delay time: 96165	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Thread delayed: delay time: 96047	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Thread delayed: delay time: 95937	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Thread delayed: delay time: 95828	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Thread delayed: delay time: 95719	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Thread delayed: delay time: 95595	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Thread delayed: delay time: 95469	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Thread delayed: delay time: 95346	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Thread delayed: delay time: 95201	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Thread delayed: delay time: 95088	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Thread delayed: delay time: 94969	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Thread delayed: delay time: 94853	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Thread delayed: delay time: 94746	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Thread delayed: delay time: 94625	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Thread delayed: delay time: 94515	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Thread delayed: delay time: 94406	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Thread delayed: delay time: 94297	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Thread delayed: delay time: 94187	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Thread delayed: delay time: 94078	Jump to behavior

Source: cali.exe, 00000000.00000002.2623175687.00000000016CD000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\cali.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\cali.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\cali.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\cali.exe	Queries volume information: C:\Users\user\Desktop\cali.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\cali.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: cali.exe, type: SAMPLE
Source: Yara match	File source: 0.0.cali.exe.f00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2623919463.000000000326B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1377544914.0000000000F02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2623919463.0000000003241000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2623919463.000000000327F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cali.exe PID: 7360, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\cali.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\cali.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\cali.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\cali.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\cali.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: cali.exe, type: SAMPLE
Source: Yara match	File source: 0.0.cali.exe.f00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1377544914.0000000000F02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2623919463.0000000003241000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cali.exe PID: 7360, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: cali.exe, type: SAMPLE
Source: Yara match	File source: 0.0.cali.exe.f00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2623919463.000000000326B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1377544914.0000000000F02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2623919463.0000000003241000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2623919463.000000000327F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cali.exe PID: 7360, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	1 Query Registry	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	141 Virtualization/Sandbox Evasion	1 Input Capture	111 Security Software Discovery	Remote Desktop Protocol	1 Input Capture	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	1 Credentials in Registry	1 Process Discovery	SMB/Windows Admin Shares	11 Archive Collected Data	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	141 Virtualization/Sandbox Evasion	Distributed Component Object Model	2 Data from Local System	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	23 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	1 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	24 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
cali.exe	83%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
cali.exe	100%	Avira	TR/Spy.Gen8
cali.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mail.privateemail.com	198.54.122.135	true	false		high
api.ipify.org	104.26.13.205	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	cali.exe, 00000000.00000002.2623919463.000000000326B000.00000004.00000800.00020000.00000000.sdmp, cali.exe, 00000000.00000002.2623175687.00000000016CD000.00000004.00000020.00020000.00000000.sdmp	false	high
https://api.ipify.org	cali.exe	false	high
http://crl.m	cali.exe, 00000000.00000002.2625643912.0000000006A11000.00000004.00000020.00020000.00000000.sdmp	false	high
https://sectigo.com/CPS0	cali.exe, 00000000.00000002.2623919463.000000000326B000.00000004.00000800.00020000.00000000.sdmp, cali.exe, 00000000.00000002.2623175687.00000000016CD000.00000004.00000020.00020000.00000000.sdmp	false	high
https://account.dyn.com/	cali.exe	false	high
http://crl.micro	cali.exe, 00000000.00000002.2625643912.0000000006A11000.00000004.00000020.00020000.00000000.sdmp	false	high
http://ocsp.sectigo.com0	cali.exe, 00000000.00000002.2623919463.000000000326B000.00000004.00000800.00020000.00000000.sdmp, cali.exe, 00000000.00000002.2623175687.00000000016CD000.00000004.00000020.00020000.00000000.sdmp	false	high
https://api.ipify.org/t	cali.exe, 00000000.00000002.2623919463.00000000031F1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://crt.sectigo.com/SectigoRSADomainVaJ	cali.exe, 00000000.00000002.2623175687.00000000016CD000.00000004.00000020.00020000.00000000.sdmp	false	high
http://mail.privateemail.com	cali.exe, 00000000.00000002.2623919463.000000000326B000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	cali.exe, 00000000.00000002.2623919463.00000000031F1000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
198.54.122.135	mail.privateemail.com	United States		22612	NAMECHEAP-NETUS	false
104.26.13.205	api.ipify.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1577452
Start date and time:	2024-12-18 13:37:58 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	cali.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@1/0@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 53 Number of non-executed functions: 3
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 20.12.23.50
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: cali.exe

Simulations

Behavior and APIs

Time	Type	Description
07:38:56	API Interceptor	55x Sleep call for process: cali.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
198.54.122.135	MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	b9Mm2hq1pU.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	kNyZqDECXJ.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	ItPTgiBC07.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	q6utlq83i0.exe	Get hash	malicious	Unknown	Browse
	PO-A1702108.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	PO-A1702108.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	PO-A1702108.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	DO9uvdGMde.exe	Get hash	malicious	AgentTesla	Browse
	4dALKsHYFM.exe	Get hash	malicious	AgentTesla, AsyncRAT, PureLog Stealer, zgRAT	Browse
104.26.13.205	BiXS3FRoLe.exe	Get hash	malicious	TrojanRansom	Browse	api.ipify.org/
	lEUy79aLAW.exe	Get hash	malicious	TrojanRansom	Browse	api.ipify.org/
	Simple1.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	2b7cu0KwZl.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	Prismifyr-Install.exe	Get hash	malicious	Node Stealer	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
mail.privateemail.com	MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	198.54.122.135
	b9Mm2hq1pU.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	198.54.122.135
	kNyZqDECXJ.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	198.54.122.135
	ItPTgiBC07.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	198.54.122.135
	q6utlq83i0.exe	Get hash	malicious	Unknown	Browse	198.54.122.135
	PO-A1702108.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	198.54.122.135
	PO-A1702108.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	198.54.122.135
	PO-A1702108.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	198.54.122.135
	DO9uvdGMde.exe	Get hash	malicious	AgentTesla	Browse	198.54.122.135
	4dALKsHYFM.exe	Get hash	malicious	AgentTesla, AsyncRAT, PureLog Stealer, zgRAT	Browse	198.54.122.135
api.ipify.org	Awb 4586109146.bat.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.13.205
	PO 0309494059506060609696007.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.12.205
	Harrisassoc_Updated_Workplace_Policies_and_Compliance_Guidelines.pdf.pdf	Get hash	malicious	HTMLPhisher	Browse	172.67.74.152
	winws1.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	KASHI SHIP PARTICULARS.pdf.scr.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	PO.bat.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.13.205
	rDOC24INV0616.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	https://cavotec-au.sharefile.com/public/share/web-1271a93971714a91	Get hash	malicious	HTMLPhisher	Browse	172.67.74.152
	PqCznDthHP.exe	Get hash	malicious	Edge Stealer	Browse	104.26.13.205
	https://www.canva.com/design/DAGZLdpMEGI/O58JBUDFuRvFcdZ0tgIwgA/edit?utm_content=DAGZLdpMEGI&utm_campaign=designshare&utm_medium=link2&utm_source=sharebutton	Get hash	malicious	HTMLPhisher	Browse	104.26.12.205

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	http://www.mynylgbs.com	Get hash	malicious	Unknown	Browse	1.1.1.1
	http://johnlewispartners.shop	Get hash	malicious	Unknown	Browse	104.19.163.95
	v_dolg.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.157.254
	winrar-x64-701.exe	Get hash	malicious	Unknown	Browse	104.21.80.99
	CompleteStudio.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	winrar-x64-701.exe	Get hash	malicious	Unknown	Browse	172.67.177.42
	random.exe.6.exe	Get hash	malicious	LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, Stealc, Vidar	Browse	104.21.23.76
	alexshlu.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.157.254
	random.exe_Y.exe	Get hash	malicious	Amadey, Cryptbot, LummaC Stealer, RHADAMANTHYS, Xmrig	Browse	104.21.64.80
	https://pluginvest.freshdesk.com/en/support/solutions/articles/157000010678-pluginvest-laadoplossing	Get hash	malicious	Unknown	Browse	172.66.0.145
NAMECHEAP-NETUS	https://towergroupofcompany.com/wp-includes/blobcit.html	Get hash	malicious	HTMLPhisher	Browse	63.250.38.156
	PO1341489LTB GROUP.vbs	Get hash	malicious	FormBook	Browse	199.193.6.134
	236236236.elf	Get hash	malicious	Unknown	Browse	104.219.248.76
	Herinnering.msg	Get hash	malicious	Unknown	Browse	162.0.235.101
	payload.vbs	Get hash	malicious	Unknown	Browse	198.54.117.242
	https://feji.us/m266he	Get hash	malicious	Unknown	Browse	162.0.239.49
	salaries.vbs	Get hash	malicious	Unknown	Browse	198.54.115.214
	https://kolobrownsalesye-fong.com/v/hum.ps1	Get hash	malicious	Unknown	Browse	198.54.115.214
	skibidi1.vbs.txt.vbs	Get hash	malicious	Unknown	Browse	198.54.115.214
	https://computeroids.com/hp-printer-driver?utm_source=Google&utm_medium=Click&utm_campaign=HP&utm_term=%7Bkeywords%7D&utm_content=%7Bmedium%7D&tm=tt&ap=gads&aaid=adaHxflMmgPq7&camp_id=12260099411&ad_g_id=118845692873&keyword=install%20hp%20printer%20to%20computer&device=c&network=searchAd&adposition=&gad_source=5&gclid=EAIaIQobChMI0JDUvuabigMV_Uf_AR2MuQCMEAAYASAAEgKQMPD_BwE	Get hash	malicious	PureLog Stealer	Browse	162.0.235.6

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	VJQyKuHEUe.exe	Get hash	malicious	Unknown	Browse	104.26.13.205
	sxVHUOSqVC.exe	Get hash	malicious	Unknown	Browse	104.26.13.205
	R0SkdJNujW.exe	Get hash	malicious	Unknown	Browse	104.26.13.205
	nrGkqbCyKP.exe	Get hash	malicious	Unknown	Browse	104.26.13.205
	sxVHUOSqVC.exe	Get hash	malicious	Unknown	Browse	104.26.13.205
	R0SkdJNujW.exe	Get hash	malicious	Unknown	Browse	104.26.13.205
	Hki0FN5Nqr.exe	Get hash	malicious	Unknown	Browse	104.26.13.205
	Hki0FN5Nqr.exe	Get hash	malicious	Unknown	Browse	104.26.13.205
	chrome11.exe	Get hash	malicious	Unknown	Browse	104.26.13.205
	chrome11.exe	Get hash	malicious	Unknown	Browse	104.26.13.205

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.000866871495782
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	cali.exe
File size:	240'128 bytes
MD5:	cae505e91242b082fefcf521b25d02f5
SHA1:	049fe643f4807770cee9d8163bd739763a693a8e
SHA256:	053eb54af528f36c930565abc0ae8888dc8ea7c8740dcb25e02cad88a26dfe34
SHA512:	af0ebee48424a0219a242fef737e9b842d345fbb94920284d8c83875e14319731c2bf1a2dba66bd45e57cb0e836ef2d5857832ec87f39768b2b19b1d1da8cd44
SSDEEP:	3072:BSy67Cmyuy/F168rR5bip59R/aAUaf8F5DGDdU1:BSykCmyuy/F168rLbipzv8yDW
TLSH:	0D340E037E48EB15E5A83E3782EF6C2413B2B0C71633C60B6F49AFA518516526D7E72D
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....if................................. ........@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x43bf2e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6669AC8A [Wed Jun 12 14:11:22 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3bedc	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3c000	0x546	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x3e000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x39f34	0x3a000	5120cf2c6e8964d0fe78f83b92d7a348	False	0.35754815463362066	data	5.012325679197569	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x3c000	0x546	0x600	1248a83c033da12ca6a90a06556a6298	False	0.400390625	data	3.9930850355477427	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x3e000	0xc	0x200	edfc139dfc1350a7bd4f23a3e58056c9	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x3c0a0	0x2bc	data			0.44
RT_MANIFEST	0x3c35c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 18, 2024 13:38:54.220684052 CET	49707	443	192.168.2.9	104.26.13.205
Dec 18, 2024 13:38:54.220736027 CET	443	49707	104.26.13.205	192.168.2.9
Dec 18, 2024 13:38:54.220884085 CET	49707	443	192.168.2.9	104.26.13.205
Dec 18, 2024 13:38:54.231741905 CET	49707	443	192.168.2.9	104.26.13.205
Dec 18, 2024 13:38:54.231776953 CET	443	49707	104.26.13.205	192.168.2.9
Dec 18, 2024 13:38:55.452380896 CET	443	49707	104.26.13.205	192.168.2.9
Dec 18, 2024 13:38:55.453306913 CET	49707	443	192.168.2.9	104.26.13.205
Dec 18, 2024 13:38:55.458537102 CET	49707	443	192.168.2.9	104.26.13.205
Dec 18, 2024 13:38:55.458548069 CET	443	49707	104.26.13.205	192.168.2.9
Dec 18, 2024 13:38:55.458811045 CET	443	49707	104.26.13.205	192.168.2.9
Dec 18, 2024 13:38:55.504012108 CET	49707	443	192.168.2.9	104.26.13.205
Dec 18, 2024 13:38:55.867192984 CET	49707	443	192.168.2.9	104.26.13.205
Dec 18, 2024 13:38:55.907341003 CET	443	49707	104.26.13.205	192.168.2.9
Dec 18, 2024 13:38:56.204154015 CET	443	49707	104.26.13.205	192.168.2.9
Dec 18, 2024 13:38:56.204216003 CET	443	49707	104.26.13.205	192.168.2.9
Dec 18, 2024 13:38:56.204349995 CET	49707	443	192.168.2.9	104.26.13.205
Dec 18, 2024 13:38:56.228799105 CET	49707	443	192.168.2.9	104.26.13.205
Dec 18, 2024 13:38:57.035383940 CET	49708	587	192.168.2.9	198.54.122.135
Dec 18, 2024 13:38:57.162003040 CET	587	49708	198.54.122.135	192.168.2.9
Dec 18, 2024 13:38:57.162137985 CET	49708	587	192.168.2.9	198.54.122.135
Dec 18, 2024 13:38:58.469022989 CET	587	49708	198.54.122.135	192.168.2.9
Dec 18, 2024 13:38:58.470038891 CET	49708	587	192.168.2.9	198.54.122.135
Dec 18, 2024 13:38:58.589535952 CET	587	49708	198.54.122.135	192.168.2.9
Dec 18, 2024 13:38:58.848973989 CET	587	49708	198.54.122.135	192.168.2.9
Dec 18, 2024 13:38:58.849143028 CET	49708	587	192.168.2.9	198.54.122.135
Dec 18, 2024 13:38:58.970227957 CET	587	49708	198.54.122.135	192.168.2.9
Dec 18, 2024 13:38:59.229315996 CET	587	49708	198.54.122.135	192.168.2.9
Dec 18, 2024 13:38:59.229723930 CET	49708	587	192.168.2.9	198.54.122.135
Dec 18, 2024 13:38:59.443020105 CET	587	49708	198.54.122.135	192.168.2.9
Dec 18, 2024 13:38:59.703983068 CET	587	49708	198.54.122.135	192.168.2.9
Dec 18, 2024 13:38:59.704242945 CET	587	49708	198.54.122.135	192.168.2.9
Dec 18, 2024 13:38:59.704257965 CET	587	49708	198.54.122.135	192.168.2.9
Dec 18, 2024 13:38:59.704467058 CET	49708	587	192.168.2.9	198.54.122.135
Dec 18, 2024 13:38:59.704751015 CET	587	49708	198.54.122.135	192.168.2.9
Dec 18, 2024 13:38:59.704766035 CET	587	49708	198.54.122.135	192.168.2.9
Dec 18, 2024 13:38:59.704933882 CET	49708	587	192.168.2.9	198.54.122.135
Dec 18, 2024 13:38:59.722970009 CET	49708	587	192.168.2.9	198.54.122.135
Dec 18, 2024 13:38:59.843266010 CET	587	49708	198.54.122.135	192.168.2.9
Dec 18, 2024 13:39:00.103774071 CET	587	49708	198.54.122.135	192.168.2.9
Dec 18, 2024 13:39:00.107526064 CET	49708	587	192.168.2.9	198.54.122.135
Dec 18, 2024 13:39:00.227587938 CET	587	49708	198.54.122.135	192.168.2.9
Dec 18, 2024 13:39:00.487482071 CET	587	49708	198.54.122.135	192.168.2.9
Dec 18, 2024 13:39:00.488790035 CET	49708	587	192.168.2.9	198.54.122.135
Dec 18, 2024 13:39:00.608670950 CET	587	49708	198.54.122.135	192.168.2.9
Dec 18, 2024 13:39:00.868658066 CET	587	49708	198.54.122.135	192.168.2.9
Dec 18, 2024 13:39:00.869891882 CET	49708	587	192.168.2.9	198.54.122.135
Dec 18, 2024 13:39:00.989428043 CET	587	49708	198.54.122.135	192.168.2.9
Dec 18, 2024 13:39:01.250551939 CET	587	49708	198.54.122.135	192.168.2.9
Dec 18, 2024 13:39:01.250967026 CET	49708	587	192.168.2.9	198.54.122.135
Dec 18, 2024 13:39:01.370728970 CET	587	49708	198.54.122.135	192.168.2.9
Dec 18, 2024 13:39:01.631772041 CET	587	49708	198.54.122.135	192.168.2.9
Dec 18, 2024 13:39:01.635786057 CET	49708	587	192.168.2.9	198.54.122.135
Dec 18, 2024 13:39:01.756144047 CET	587	49708	198.54.122.135	192.168.2.9
Dec 18, 2024 13:39:02.060877085 CET	587	49708	198.54.122.135	192.168.2.9
Dec 18, 2024 13:39:02.061125994 CET	49708	587	192.168.2.9	198.54.122.135
Dec 18, 2024 13:39:02.206659079 CET	587	49708	198.54.122.135	192.168.2.9
Dec 18, 2024 13:39:02.451711893 CET	587	49708	198.54.122.135	192.168.2.9
Dec 18, 2024 13:39:02.452461004 CET	49708	587	192.168.2.9	198.54.122.135
Dec 18, 2024 13:39:02.452543020 CET	49708	587	192.168.2.9	198.54.122.135
Dec 18, 2024 13:39:02.452569962 CET	49708	587	192.168.2.9	198.54.122.135
Dec 18, 2024 13:39:02.452673912 CET	49708	587	192.168.2.9	198.54.122.135
Dec 18, 2024 13:39:02.576920033 CET	587	49708	198.54.122.135	192.168.2.9
Dec 18, 2024 13:39:02.577656031 CET	587	49708	198.54.122.135	192.168.2.9
Dec 18, 2024 13:39:02.577667952 CET	587	49708	198.54.122.135	192.168.2.9
Dec 18, 2024 13:39:02.577703953 CET	587	49708	198.54.122.135	192.168.2.9
Dec 18, 2024 13:39:03.130832911 CET	587	49708	198.54.122.135	192.168.2.9
Dec 18, 2024 13:39:03.175883055 CET	49708	587	192.168.2.9	198.54.122.135
Dec 18, 2024 13:40:36.817322016 CET	49708	587	192.168.2.9	198.54.122.135
Dec 18, 2024 13:40:36.937047958 CET	587	49708	198.54.122.135	192.168.2.9
Dec 18, 2024 13:40:37.197120905 CET	587	49708	198.54.122.135	192.168.2.9
Dec 18, 2024 13:40:37.197140932 CET	587	49708	198.54.122.135	192.168.2.9
Dec 18, 2024 13:40:37.197364092 CET	49708	587	192.168.2.9	198.54.122.135
Dec 18, 2024 13:40:37.198554993 CET	49708	587	192.168.2.9	198.54.122.135
Dec 18, 2024 13:40:37.318604946 CET	587	49708	198.54.122.135	192.168.2.9

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 18, 2024 13:38:54.075824976 CET	63350	53	192.168.2.9	1.1.1.1
Dec 18, 2024 13:38:54.213200092 CET	53	63350	1.1.1.1	192.168.2.9
Dec 18, 2024 13:38:56.801377058 CET	58058	53	192.168.2.9	1.1.1.1
Dec 18, 2024 13:38:57.034441948 CET	53	58058	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 18, 2024 13:38:54.075824976 CET	192.168.2.9	1.1.1.1	0xae37	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Dec 18, 2024 13:38:56.801377058 CET	192.168.2.9	1.1.1.1	0xf527	Standard query (0)	mail.privateemail.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 18, 2024 13:38:54.213200092 CET	1.1.1.1	192.168.2.9	0xae37	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Dec 18, 2024 13:38:54.213200092 CET	1.1.1.1	192.168.2.9	0xae37	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Dec 18, 2024 13:38:54.213200092 CET	1.1.1.1	192.168.2.9	0xae37	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Dec 18, 2024 13:38:57.034441948 CET	1.1.1.1	192.168.2.9	0xf527	No error (0)	mail.privateemail.com	198.54.122.135	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49707	104.26.13.205	443	7360	C:\Users\user\Desktop\cali.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 12:38:55 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-12-18 12:38:56 UTC	425	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 12:38:56 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin cf-cache-status: DYNAMIC Server: cloudflare CF-RAY: 8f3f367828b14339-EWR server-timing: cfL4;desc="?proto=TCP&rtt=4763&min_rtt=1588&rtt_var=2640&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2820&recv_bytes=769&delivery_rate=1838790&cwnd=227&unsent_bytes=0&cid=04fe6c7181da226f&ts=762&x=0"
2024-12-18 12:38:56 UTC	12	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39 Data Ascii: 8.46.123.189

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Dec 18, 2024 13:38:58.469022989 CET	587	49708	198.54.122.135	192.168.2.9	220 PrivateEmail.com prod Mail Node
Dec 18, 2024 13:38:58.470038891 CET	49708	587	192.168.2.9	198.54.122.135	EHLO 632922
Dec 18, 2024 13:38:58.848973989 CET	587	49708	198.54.122.135	192.168.2.9	250-mta-06.privateemail.com 250-PIPELINING 250-SIZE 81788928 250-ETRN 250-AUTH PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-CHUNKING 250 STARTTLS
Dec 18, 2024 13:38:58.849143028 CET	49708	587	192.168.2.9	198.54.122.135	STARTTLS
Dec 18, 2024 13:38:59.229315996 CET	587	49708	198.54.122.135	192.168.2.9	220 Ready to start TLS

Target ID:	0
Start time:	07:38:52
Start date:	18/12/2024
Path:	C:\Users\user\Desktop\cali.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\cali.exe"
Imagebase:	0xf00000
File size:	240'128 bytes
MD5 hash:	CAE505E91242B082FEFCF521B25D02F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2623919463.000000000326B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000000.1377544914.0000000000F02000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000000.1377544914.0000000000F02000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2623919463.0000000003241000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2623919463.0000000003241000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2623919463.000000000327F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	11.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 0188DCC7 Relevance: 2.2, Instructions: 2218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2623719018.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1880000_cali.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14989cb9ff783d986105091fc9134bbf9ff976720af9304491e0f6db6727bc52
Instruction ID: 0edd880035698dfce1e8dcfd610f8e1e2a7fbc45ecad6875f0a8798826a7af06
Opcode Fuzzy Hash: 14989cb9ff783d986105091fc9134bbf9ff976720af9304491e0f6db6727bc52
Instruction Fuzzy Hash: 82232E31D10B198EDB11EF68C8946ADF7B1FF99300F14C79AE448A7251EB70AAC5CB81

Function 06D63520 Relevance: 1.8, Strings: 1, Instructions: 594
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$, xrefs: 06D63BA7

Memory Dump Source

Source File: 00000000.00000002.2625860472.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d60000_cali.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: c38f8e067108f51e553a4fead2acba917aa719258b5ec460e4f71c45d051091e
Instruction ID: 04d325cf95c0e91fb027827bcb2630315af3d7e87e0c7f3b36f4797d9164120b
Opcode Fuzzy Hash: c38f8e067108f51e553a4fead2acba917aa719258b5ec460e4f71c45d051091e
Instruction Fuzzy Hash: B122C171F002158FDF64DBAAD4906AEBBB2EF85310F258469E406EB390DB35DC45CB90

Function 0188B9EE Relevance: 1.8, Instructions: 1772
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2623719018.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1880000_cali.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8de1fe80626a5385789b5b89f28890abc927fa828eec20eacf3762349b1e86a5
Instruction ID: 57376bdebfa17607c68ca20d6d7670344722ee20016c95853b511d98899eabd7
Opcode Fuzzy Hash: 8de1fe80626a5385789b5b89f28890abc927fa828eec20eacf3762349b1e86a5
Instruction Fuzzy Hash: EF13E631C10B1A8ACB51EF68C9945A9F7B1FF99300F15C79AE458B7121FB70AAD4CB81

Function 06D602F8 Relevance: 1.0, Instructions: 1001COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2625860472.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d60000_cali.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2200f2ffd5a673577fec134858a9ae4f21868163fc578c62182368325675634
Instruction ID: 384475020abdf79db7e92fbc30ac26e3f9f8c9c9793ccf20afd347c4d28cb19f
Opcode Fuzzy Hash: d2200f2ffd5a673577fec134858a9ae4f21868163fc578c62182368325675634
Instruction Fuzzy Hash: FE925834E00204CFDB64DB69C688A9DBBF2EF49315F5584A9E4499B361DB35EC85CF80

Function 06D64570 Relevance: .8, Instructions: 838COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2625860472.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d60000_cali.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dfcd1d7f46d81250a4655e1cbbfe8349456bfd760f440fd46bd9946ee5d266c
Instruction ID: 5dd2178dd12d4d3e5c3adbf115fafc6254e2b7349e039745a1d73e13c7398b07
Opcode Fuzzy Hash: 6dfcd1d7f46d81250a4655e1cbbfe8349456bfd760f440fd46bd9946ee5d266c
Instruction Fuzzy Hash: C2629C34B002049FDB54DB69D594AAEB7F2EF88314F24C569E806DB390DB35ED86CB90

Function 06D6A108 Relevance: .6, Instructions: 638
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2625860472.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d60000_cali.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 781f2889e63b590fb9c50cf5187cc5e88672c3701d174ea4572fd961f80534db
Instruction ID: 744df86692295c3d9e351af831a228ff04e285945f78bcf98843fdf0451b31e3
Opcode Fuzzy Hash: 781f2889e63b590fb9c50cf5187cc5e88672c3701d174ea4572fd961f80534db
Instruction Fuzzy Hash: 9A329F74B00205CFDB54DB69E890BAEB7B6FB88310F148529E545EB350DB39EC82CB91

Function 06D691B0 Relevance: .6, Instructions: 574COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2625860472.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d60000_cali.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b289f113dce5fa6d177c2f79824adaa573cd300878fbb17793b3e4f5f6bb939d
Instruction ID: a8c947f421a2f994e61f4783c04383df89d5bfbea1a92d14397433b3cbcff88e
Opcode Fuzzy Hash: b289f113dce5fa6d177c2f79824adaa573cd300878fbb17793b3e4f5f6bb939d
Instruction Fuzzy Hash: A1225070E1020A8FEF64CB69D5A47ADB7B6EB49310F648426F415EF391CA39DC81CB91

Function 06D60FE0 Relevance: .5, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2625860472.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d60000_cali.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bea00873e775852a351b0ea6f4756bcff7d965990e06c1e0dfa9c4ba2757408a
Instruction ID: 601b43011f480ab7e971c6c9a86eb418a6cdae043269c34c32a0f6f40af347f8
Opcode Fuzzy Hash: bea00873e775852a351b0ea6f4756bcff7d965990e06c1e0dfa9c4ba2757408a
Instruction Fuzzy Hash: 36323134E10719CFDB14EBB9D89469DB7B6FF99300F50C65AE409AB250EB30AD85CB90

Function 06D63C6B Relevance: .4, Instructions: 426
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2625860472.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d60000_cali.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59035d9ce16355ab573e861d9e8052c7162536311ec2c59febea8ee1606aedd4
Instruction ID: 1f17e6d7099030ccda4a620f387aa3fc9d3460d963d07f975c8b8e7a0728b661
Opcode Fuzzy Hash: 59035d9ce16355ab573e861d9e8052c7162536311ec2c59febea8ee1606aedd4
Instruction Fuzzy Hash: 8EE1E231B101158FDB64DB6EC494AAEBBF2EF89310F26846AF406EB391CA35DC458791

Function 01884A98 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2623719018.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1880000_cali.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 500b1a7ee4aa888b0dffd27d06e194dafbef0dc710dee281e3955129377ca8dc
Instruction ID: e02addc1aed42d587b87cc452b6451956b175aa92bc79dcedaa4b77ca22060c7
Opcode Fuzzy Hash: 500b1a7ee4aa888b0dffd27d06e194dafbef0dc710dee281e3955129377ca8dc
Instruction Fuzzy Hash: C1B15D72E0030ACFDB10DFA9D8857AEBBF2AF88314F148529D815E7394EB759945CB81

Function 01883E80 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2623719018.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1880000_cali.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab617df08284482bbd877aca2dfa1c0e677c1a754858c59b8f3a0d0af70a2278
Instruction ID: 81c765f9ca0b8cd761c1db087c08ea01368ab7c49d651172c2752f9c34b8ee02
Opcode Fuzzy Hash: ab617df08284482bbd877aca2dfa1c0e677c1a754858c59b8f3a0d0af70a2278
Instruction Fuzzy Hash: 12915B71E0020ACFDF10DFA9D98579EBBF2BF98714F148129E805E7294EB749946CB81

Function 0188867F Relevance: 1.9, Strings: 1, Instructions: 607
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`, xrefs: 01888696

Memory Dump Source

Source File: 00000000.00000002.2623719018.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1880000_cali.jbxd

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 6fb79e7878a6d161e6bd8bdce235dc7ee6c2ec8b1af8d96c0e820fdb1266c1bd
Instruction ID: c7ca6074bd8f5982116d6e5831d5fd57da9a8ca832780bd8284a18da4d338729
Opcode Fuzzy Hash: 6fb79e7878a6d161e6bd8bdce235dc7ee6c2ec8b1af8d96c0e820fdb1266c1bd
Instruction Fuzzy Hash: 3A22B570B013029BDB26A73CE85462C33A2FBCA314F504969D906CB355DE79DE87DB92

Function 06D6EA18 Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNEL32 ref: 06D6EA87

Memory Dump Source

Source File: 00000000.00000002.2625860472.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d60000_cali.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 2417e9a6026f80f8b5c1973d0896b0e3c78f6688f083f6cb9c219e53d89bb412
Instruction ID: d82314a9eeb423f5c6ee968e4544d1e871b41c2bc67c03973a38a1592d4a5cb7
Opcode Fuzzy Hash: 2417e9a6026f80f8b5c1973d0896b0e3c78f6688f083f6cb9c219e53d89bb412
Instruction Fuzzy Hash: A31100B2C1065A9BDB10CF9AD544BDEFBF4AB48220F15816AE818B7640D378A944CFA1

Function 06D6EA20 Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNEL32 ref: 06D6EA87

Memory Dump Source

Source File: 00000000.00000002.2625860472.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d60000_cali.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 946ac726ce7837dcb1d1597177030986621f75bc68aed446574b453814375daf
Instruction ID: 3754af2eacf20ee7d70164864dcabdeedc6b4cfa7aa98c3a52f8d9c038297431
Opcode Fuzzy Hash: 946ac726ce7837dcb1d1597177030986621f75bc68aed446574b453814375daf
Instruction Fuzzy Hash: BF1112B1C1065A9BDB10CF9AD544BDEFBF4BF48320F14816AE818A7240D378A944CFA1

Function 01880838 Relevance: 1.3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Ko, xrefs: 01880894

Memory Dump Source

Source File: 00000000.00000002.2623719018.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1880000_cali.jbxd

Similarity

API ID:
String ID: Ko
API String ID: 0-716275355
Opcode ID: 08a0108734f1ca0756464a3dc31e19c59c61e48a67675e931879bdf151aba24b
Instruction ID: 61690fd89424d4fef8882d32137f4afbaec9bc353a061988e533cce2a82dbc46
Opcode Fuzzy Hash: 08a0108734f1ca0756464a3dc31e19c59c61e48a67675e931879bdf151aba24b
Instruction Fuzzy Hash: 9911A73061530C9BEF226779DC103693764EB86314F20496AE956DF242EA25CFCA8BC2

Function 01880848 Relevance: 1.3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Ko, xrefs: 01880894

Memory Dump Source

Source File: 00000000.00000002.2623719018.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1880000_cali.jbxd

Similarity

API ID:
String ID: Ko
API String ID: 0-716275355
Opcode ID: 0f5f9341a860f489f668021b39e7919d25bcb53b863084d7cb2f0e0614dee817
Instruction ID: 6b32d431b2b37d39020be2cf100a948543165ceb30932c6b30f4738830ce07c4
Opcode Fuzzy Hash: 0f5f9341a860f489f668021b39e7919d25bcb53b863084d7cb2f0e0614dee817
Instruction Fuzzy Hash: AC118230B1020C8BEB66A77DDC147293355EB85314F204969E546DF352DA25CEC98BC2

Function 01888728 Relevance: .6, Instructions: 559
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2623719018.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1880000_cali.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 903ae43a3c8dc94708e1b888cb2571c5597eaa529a908f09681f064ec614a308
Instruction ID: 9d93ec5614d308b3f3ee777e251fc85ce0c89c3432a3d7107121cccd569e8abc
Opcode Fuzzy Hash: 903ae43a3c8dc94708e1b888cb2571c5597eaa529a908f09681f064ec614a308
Instruction Fuzzy Hash: 7A1274707013029BDB26AB3CE45462C33A2FBCA354B604939D906CB355CF79DE879B92

Function 0188A22C Relevance: .4, Instructions: 391COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2623719018.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1880000_cali.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7240a648ec75ca35fe1d88970c458e8e1ca1e52f4998fecb4e9f66dce65e3217
Instruction ID: 2250f7f519ccb6f33448692d44041116f26b8928698e8e29121c81a0f620de63
Opcode Fuzzy Hash: 7240a648ec75ca35fe1d88970c458e8e1ca1e52f4998fecb4e9f66dce65e3217
Instruction Fuzzy Hash: 71E16134B00215CFDF19EBACD594AADB7B2EB88310F24842AE506D7391DB35DE86CB51

Function 01884A8E Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2623719018.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1880000_cali.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbb1afe14b39f668d689af7abb78a16e2fe89e6cf275562d0fc048d7733251be
Instruction ID: 910809010243ab11784a4cec53270857dc855bc1c7e0a23b04e7fb63731236d7
Opcode Fuzzy Hash: dbb1afe14b39f668d689af7abb78a16e2fe89e6cf275562d0fc048d7733251be
Instruction Fuzzy Hash: EBB15D72E0030ACFDB10DFA8D8857DEBBF2AF48314F248529D815E7254EB759945CB81

Function 01883E74 Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2623719018.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1880000_cali.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca5362d397bac6e9c2f61f86290472871766f6ea66b8c77ad357403a2012bbb1
Instruction ID: 7826e30f196ecac87adebaf3a9f587595be40c2fbf1345e01bc4549d880a3ce3
Opcode Fuzzy Hash: ca5362d397bac6e9c2f61f86290472871766f6ea66b8c77ad357403a2012bbb1
Instruction Fuzzy Hash: 5CA16A71E0060ACFDB10EFA9D8857DEBBF1BF58714F148129E805E7254EB749A46CB81

Function 01886F06 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2623719018.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1880000_cali.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88a0e07f5618cfaf6c79ddb5bd7ca6448da5d0093dfa65e511e2fae4cfb479d5
Instruction ID: 12a1ab36fba74d290ee16d46a5c630ac8536d26b6eccfe5b08935c58360a40a8
Opcode Fuzzy Hash: 88a0e07f5618cfaf6c79ddb5bd7ca6448da5d0093dfa65e511e2fae4cfb479d5
Instruction Fuzzy Hash: EF516934710219CFDB14EB68C858AAD7BF2BF89304F2040A9E406EB3A1DB75DD45CBA1

Function 01887D28 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2623719018.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1880000_cali.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69f79f483e88d3be0d76a8fb31481ca96e96650764e029d389e72a60fec13c45
Instruction ID: 710a2440f1fd4666889051fa31fa61f0579d4511db8965ee01fd14618ecb94a6
Opcode Fuzzy Hash: 69f79f483e88d3be0d76a8fb31481ca96e96650764e029d389e72a60fec13c45
Instruction Fuzzy Hash: 01315070E00249DFDB15DFA9C45079EB7B1FF46700F24496AE502EB291EB759E42CB50

Function 0188A6C0 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2623719018.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1880000_cali.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfa6369fcafb1333e309b97b40a0ee318f240614bf743d9365bf8c04b915630a
Instruction ID: 6f5ac9238445e5b64fe5126c30c417c7a463a1c6b9077ad2635a09d0de8d612e
Opcode Fuzzy Hash: bfa6369fcafb1333e309b97b40a0ee318f240614bf743d9365bf8c04b915630a
Instruction Fuzzy Hash: 65514C75A00205DFDB04DFA9E884799FBB2FF88310F14C1AAE9089B396E771D945CB90

Function 01886CDD Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2623719018.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1880000_cali.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 893e67e42e5417aa7a57081185936e187b21289b7ec9c33b8979b96020713013
Instruction ID: 07c7c3c6b10c80e0accc86538cec024b471ae768b113d7b2577d1b42e6a663f3
Opcode Fuzzy Hash: 893e67e42e5417aa7a57081185936e187b21289b7ec9c33b8979b96020713013
Instruction Fuzzy Hash: A851F570D102188FEB14DFA9C884B9DBBB1BF48710F64852AD815AB391D774A944CB95

Function 01886CE8 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2623719018.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1880000_cali.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e6c534493abf904adbead6cfc1ed65be16c78440f844dd18759f4cceb4981b0
Instruction ID: c1a8a55740f7ca684b2e9c3bcf63f43d3c997b013a7b8d03aa877035ef171055
Opcode Fuzzy Hash: 0e6c534493abf904adbead6cfc1ed65be16c78440f844dd18759f4cceb4981b0
Instruction Fuzzy Hash: A8511471D002188FEB28DFADC884B9DBBB1BF48710F248529E815BB391E774A944CF95

Function 01881112 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2623719018.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1880000_cali.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0943ecb9cd2493dca7adb7e426065eb14130c96eb4ed32a83bc0c92833e7909b
Instruction ID: 0b64f7f344de9293ce4c068afbdc5c4102a120d0bfcf2a19ef392c6f155aa012
Opcode Fuzzy Hash: 0943ecb9cd2493dca7adb7e426065eb14130c96eb4ed32a83bc0c92833e7909b
Instruction Fuzzy Hash: 06513FB0216346CFCB05DB3AF9819583B71FB9A3043088599D4054B276DA7A6E8BCF82

Function 01881138 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2623719018.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1880000_cali.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fe899524009c17821c1805f4d97b7a188969487cc65fd23fdbcabd836beee09
Instruction ID: 316c6ffadd2717b633362f69494eb4ca08792f9b186c7f07c4a1901433109c3e
Opcode Fuzzy Hash: 3fe899524009c17821c1805f4d97b7a188969487cc65fd23fdbcabd836beee09
Instruction Fuzzy Hash: A451DCF1212346CFCB15DB3AF9819583B71F7DA3043089699D4054B276DA7A6E87CF82

Function 01886F72 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2623719018.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1880000_cali.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0862b0dfefe5d178e7fa161444abb795d6b32e7bef798421bfdcec3bf5a5bef
Instruction ID: 95ec71357894797e367ede9ce01b00c22ce59670bb0248a98b71f89b7beb7e99
Opcode Fuzzy Hash: f0862b0dfefe5d178e7fa161444abb795d6b32e7bef798421bfdcec3bf5a5bef
Instruction Fuzzy Hash: 65414638710514CFDB14EB69C598AA97BF2EF4D704F2040A9E902EB3A1DB76ED41CB91

Function 01887D98 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2623719018.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1880000_cali.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3a0ec17ce0bf76fd8af9e3e6112791cd1c8c1a5e425d3d16b92aad09b4a8813
Instruction ID: 753f623bdd80745e7eaf69567dbdc55002c8b6bff0af634e8b52a6cba3584a8e
Opcode Fuzzy Hash: d3a0ec17ce0bf76fd8af9e3e6112791cd1c8c1a5e425d3d16b92aad09b4a8813
Instruction Fuzzy Hash: 68315031E00219DBDB15EFA9C4507AEB7B2FF85710F208526E906FB290EB719E42CB50

Function 018826DC Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2623719018.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1880000_cali.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19783d70f3dc09f20db2b31ac4a48633c8ecdf03b08b62a59388907db70ce3a3
Instruction ID: e9b5750e47a54c852ff09aa20835dec0870553335940308c4c9c80d0bec51406
Opcode Fuzzy Hash: 19783d70f3dc09f20db2b31ac4a48633c8ecdf03b08b62a59388907db70ce3a3
Instruction Fuzzy Hash: 8241F0B4D00349DFEB10DFA9C984ADEBBB5FF48310F24802AE409AB254DB759A45CB90

Function 018826E8 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2623719018.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1880000_cali.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afef16b24faefe40270e6c9a7c20f7d052cf1409fce250608fd670b469064cc7
Instruction ID: 8d7e911675a64c7ced5efa460815d848c653b924563d44441e476bcc5ff399ea
Opcode Fuzzy Hash: afef16b24faefe40270e6c9a7c20f7d052cf1409fce250608fd670b469064cc7
Instruction Fuzzy Hash: 2141E0B1D003499FDB10DF99C484ADEBBB5EF48310F148029E409AB254DB759945CB90

Function 018817C0 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2623719018.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1880000_cali.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a7bcb5e0273a0f3a0892b4d03a8f354143a4081e7ea06ddbc6fe25df2c2a28b
Instruction ID: 780a6111a867219c46670761a1d8c5e21cb67f6d763a3f866e127ee828eebfff
Opcode Fuzzy Hash: 6a7bcb5e0273a0f3a0892b4d03a8f354143a4081e7ea06ddbc6fe25df2c2a28b
Instruction Fuzzy Hash: B3310475B013008FCB20FBB9D848A5E3BA5EB49740F100569E80AC7355EF35DE428B91

Function 01881488 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2623719018.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1880000_cali.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1825af5f2374964bca1282620d27547645f4076b9d09558e93eef785629c317
Instruction ID: 45c6134b0478a8ee85a1cfc4992a2b098370e8166fd19875f7646652b861dc4e
Opcode Fuzzy Hash: f1825af5f2374964bca1282620d27547645f4076b9d09558e93eef785629c317
Instruction Fuzzy Hash: 8E21C471A012168FDF32FBBCD4983AD77E5EB45314F140479E806D7241EB35DA428B95

Function 0188A070 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2623719018.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1880000_cali.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0474cf88b48561c5d2bee2f65d980628ef730c35dc0c91961bb5e7ef9c35758d
Instruction ID: 8d6329f55be35a181e8bf4a9ea1ffc99a8a38854cc7ecd7fdca4719f640caec4
Opcode Fuzzy Hash: 0474cf88b48561c5d2bee2f65d980628ef730c35dc0c91961bb5e7ef9c35758d
Instruction Fuzzy Hash: 77318434E0060ADBDB1ADF68D45469EFBB6FF85300F10851AE906FB381D7719986C751

Function 0188169F Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2623719018.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1880000_cali.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38e89a27531fb74516448199453e46a5ff7012a24872067eb2cab51ee8f7a744
Instruction ID: be0f5f6d79563b50f0d91e416da62ca2f44b8a041f3ec2c227a90b646ef5af1f
Opcode Fuzzy Hash: 38e89a27531fb74516448199453e46a5ff7012a24872067eb2cab51ee8f7a744
Instruction Fuzzy Hash: 9321FB702012045FEF21FB79E88875D3755E786304F144A69D456CB266EF38EE878FA2

Function 0188A080 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2623719018.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1880000_cali.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 928cf516ac15dfd47b6497967c49572307daafddd38ce8d2bfbb26b46512fb8f
Instruction ID: 6cb8ec9a8fab95276c88b23f89f16f51c9997ae2208fd6b748f3d40f3ee617bc
Opcode Fuzzy Hash: 928cf516ac15dfd47b6497967c49572307daafddd38ce8d2bfbb26b46512fb8f
Instruction Fuzzy Hash: 36216234E0060A9BDB19DF69D85469EF7B6FF89300F10C61AE906FB381DB719986CB50

Function 01889F70 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2623719018.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1880000_cali.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2b768c4a1f02b1c8b209b3c26c1e230a484bdf84bf01d0116aeb5f8b6b6ce94
Instruction ID: 2f6a6d4206d4d0d2af82e7e6dc678b0b940bd429dc98de04d1a6bc3851a7220e
Opcode Fuzzy Hash: b2b768c4a1f02b1c8b209b3c26c1e230a484bdf84bf01d0116aeb5f8b6b6ce94
Instruction Fuzzy Hash: 7C216D30E00609DBCB19DFA9C4505DEB7B2FF89314F20852AE815FB391EB71A946CB50

Function 0188A84E Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2623719018.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1880000_cali.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da70c8422eea3470d68a6e54e59e780fd82177b8c71e238d09ce72671b33151c
Instruction ID: c9efdceee1a4c301dd9b28a48513c27f2de07977f650c74e3b13fc98ae5ce078
Opcode Fuzzy Hash: da70c8422eea3470d68a6e54e59e780fd82177b8c71e238d09ce72671b33151c
Instruction Fuzzy Hash: F821C475A141058FEB189B68C854BAD7BF6AF88710F11806AE501EB3E4DA75CE008B91

Function 01881382 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2623719018.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1880000_cali.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4eac0b64b6bc17d34a54938de6b5f2f0ac1fba3fe403c371bf3488a46f29341
Instruction ID: bbd61990f3f18e8e3a0bd8f8bbb6180ba8d3770c7c502ba33be1343705da91be
Opcode Fuzzy Hash: a4eac0b64b6bc17d34a54938de6b5f2f0ac1fba3fe403c371bf3488a46f29341
Instruction Fuzzy Hash: 2F2193306013458FEF72672CD49C76D3762EB87319F14086DE50ACB296DE299E86CB82

Function 01884F8A Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2623719018.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1880000_cali.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85c19bc38e90558e2e7e96fb1a605ded9bc8b001328093577c2b8b0420db4ffe
Instruction ID: 64cc3813e755056f74c20931e06037a744897c59ec565bdf0215c5cab9d6b1b1
Opcode Fuzzy Hash: 85c19bc38e90558e2e7e96fb1a605ded9bc8b001328093577c2b8b0420db4ffe
Instruction Fuzzy Hash: F0211734B00205CFDB54EB78D558AAE77F1EF89305B1044A9E506EB3A4DB369E02CB91

Function 0183D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2623552407.000000000183D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0183D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_183d000_cali.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f238ad5de893d5962c030729f0bb1d2af3ca5ad72abe51d859fb21229967640
Instruction ID: a18de095660e9434ca033b9d5e5979d5e123096d176ac44baa5aa9c2794eb2e9
Opcode Fuzzy Hash: 7f238ad5de893d5962c030729f0bb1d2af3ca5ad72abe51d859fb21229967640
Instruction Fuzzy Hash: C82125715043049FDB11DF64C9D0B26FB65FBC4718F68C66DE8098B282C736D546CAA2

Function 01881878 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2623719018.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1880000_cali.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bf1cb91e8cde2e4b891ffbb09716bdb7119c9db64897bbc6a8e22467283015c
Instruction ID: 2aa24c494577280168d4f8575e1520b5b54f4f91b1408e8d17daf764ae24a3a7
Opcode Fuzzy Hash: 1bf1cb91e8cde2e4b891ffbb09716bdb7119c9db64897bbc6a8e22467283015c
Instruction Fuzzy Hash: 35215A30A00255CFDB24EB68C9587AE77F1AB49304F5004A8C102EB254DF769E42CBA2

Function 01886BA1 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2623719018.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1880000_cali.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16ec178d31055ec116f01cb71146d6eaa68884b845721c2bc7512da685e1c2ba
Instruction ID: 3f8eb0e190e525d8eec6fae931061b768ebc6acfb750d1de08c48a24ca9c1199
Opcode Fuzzy Hash: 16ec178d31055ec116f01cb71146d6eaa68884b845721c2bc7512da685e1c2ba
Instruction Fuzzy Hash: 9C2126307042118FD716AB3CD4607AE7BB2FF8A300B1088AEC445DB396EB765D85C792

Function 01881888 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2623719018.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1880000_cali.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9549ef6d691dcb81dfa4a91c629029966214a33c4c3efbd80c75f77dec30e440
Instruction ID: 4ca94cbddbd85d3ca3727108a40e6241cb128ed8a5375a07ae6f3aa709ff73ee
Opcode Fuzzy Hash: 9549ef6d691dcb81dfa4a91c629029966214a33c4c3efbd80c75f77dec30e440
Instruction Fuzzy Hash: 67213C34B00215CFDB24EB68C9587AE77F6AB49345F500468D506EB354DF369E42CBA2

Function 01889F80 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2623719018.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1880000_cali.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a3ab9eaa2c7eb0e1fcbc7f9f4625cb4ddec7b6005feef6ca401991068975928
Instruction ID: e641df31ead622293efc5b4d1a9511e6281086e7baf681883c268791acb2ff1a
Opcode Fuzzy Hash: 2a3ab9eaa2c7eb0e1fcbc7f9f4625cb4ddec7b6005feef6ca401991068975928
Instruction Fuzzy Hash: 9D215330E00709DBCB19DFA9D45059EF7B2BF89304F10851AE815FB381EB70A946CB51

Function 018816B0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2623719018.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1880000_cali.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f4891bd0e05403053307181b005e83cd138dc189e4be44f8df433235a895688
Instruction ID: 6ae4d7e0b1c7e93b29838d64391acbb5da06437d72fd21d4a91322c4fbc1c922
Opcode Fuzzy Hash: 8f4891bd0e05403053307181b005e83cd138dc189e4be44f8df433235a895688
Instruction Fuzzy Hash: 5B2160702012045FEF21F739E888B593755EB89304F104A29D816CB26ADF38EE878F92

Function 01884F98 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2623719018.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1880000_cali.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44ea85b2cce42164c8d172be673f8d3cb24bd6e42c6af35a451776d396bb9d1a
Instruction ID: 2b65b2deecae870dcb3edb434368f0aa76473136404e9e54908374f4a488c039
Opcode Fuzzy Hash: 44ea85b2cce42164c8d172be673f8d3cb24bd6e42c6af35a451776d396bb9d1a
Instruction Fuzzy Hash: FC212834700205CFDB54EB79C558AAE77F1EB8D304B1000A8E506EB3A4DF369E02CB91

Function 01881498 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2623719018.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1880000_cali.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c894a5b4d08237086fc3c0081163facf2b823de0423f83d46a2bb99701f5e29c
Instruction ID: 87ea7ee496363174b1871c280d8774ef6bfcbacfa7fc62bfacc24c03371ec5b3
Opcode Fuzzy Hash: c894a5b4d08237086fc3c0081163facf2b823de0423f83d46a2bb99701f5e29c
Instruction Fuzzy Hash: 92014031A012169FCF21FFBC94941AEBBF5EF48364B144479E405E7341EB35DA428BA5

Function 0183D03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2623552407.000000000183D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0183D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_183d000_cali.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
Instruction ID: 6ebe0ae2a1afc135c8c7fe8c0136ccf17532d983d1b4af25a4bc2f7eb1ba7655
Opcode Fuzzy Hash: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
Instruction Fuzzy Hash: 4C11D075504644CFCB12CF54C5C4B15FF61FB84314F28C6A9D8498B692C33AD54ACF91

Function 0188A6B8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2623719018.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1880000_cali.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 882b5152bd828e5247028a5494692eae1256206ae7d89545efae5f5132f5a1ba
Instruction ID: 7d357db635adfa8d08792de459ec543b23807a365c7480ee0942abe4d04564cb
Opcode Fuzzy Hash: 882b5152bd828e5247028a5494692eae1256206ae7d89545efae5f5132f5a1ba
Instruction Fuzzy Hash: A601F970A002048BDB04EFA9DC4478ABBB6FF94311F54C164D9085B299DB71EE45C7A1

Function 01888F10 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2623719018.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1880000_cali.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c9b009f57b49b73a31edf0b08678e4f0e68436cd8becb2b83004a1b8ff41c28
Instruction ID: 1afedc2d2d28cd5502d4a9186a63bd4fefdc4ceaa8322be8dbf026afb62df7bc
Opcode Fuzzy Hash: 0c9b009f57b49b73a31edf0b08678e4f0e68436cd8becb2b83004a1b8ff41c28
Instruction Fuzzy Hash: 3A01447090020DEFCB41EBB8FC506DD7BB1EB85304F5045A9C8059B261EF756E969BA2

Function 01887EB0 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2623719018.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1880000_cali.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70234e123b091f99ff29d096d98048f423bc1dd4fd0cbe0e6df11e72f2a2c559
Instruction ID: 1aa67199c5379184d6b698c15fdc82e4a77a5b9ec4fd9d834cc02fa98d0691cf
Opcode Fuzzy Hash: 70234e123b091f99ff29d096d98048f423bc1dd4fd0cbe0e6df11e72f2a2c559
Instruction Fuzzy Hash: 10F0C435B41214CFD714EB68D5A8B6C77B2EF89715F6440A8E5069B3A4CB35AD42CF40

Function 01888F20 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2623719018.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1880000_cali.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 672cd427caf5fae50459bf922f11e3185c85c5c8da699294163234d325f5827b
Instruction ID: 21f1e9566e7b8c0b4b7682b3fd6ad92e42b74aad53c0d4f0b52066f71a4bbfb8
Opcode Fuzzy Hash: 672cd427caf5fae50459bf922f11e3185c85c5c8da699294163234d325f5827b
Instruction Fuzzy Hash: 23F01270A0020DEFDB41EBB9FD5069D7BB1FB84300F508668C8059B251EF756F969BA2

Non-executed Functions

Function 06D6C328 Relevance: 3.1, Strings: 2, Instructions: 576COMMON

Download Yara Rule

Strings

0o#p, xrefs: 06D6C3C0
Dq#p, xrefs: 06D6C3CC

Memory Dump Source

Source File: 00000000.00000002.2625860472.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d60000_cali.jbxd

Similarity

API ID:
String ID: 0o#p$Dq#p
API String ID: 0-2938899007
Opcode ID: 1174a476bbcae825e90db03d691ee35c75fbf047e11b8f6496989dc167c74ce9
Instruction ID: bd802d1b43310622e5b69b16296f909632176db8cee91fa56d27c931b823dc05
Opcode Fuzzy Hash: 1174a476bbcae825e90db03d691ee35c75fbf047e11b8f6496989dc167c74ce9
Instruction Fuzzy Hash: BF229F30B202058FDB64DB69D494AAEB7F2FF89310F24856AE446DB361DB35EC41CB91

Function 06D65628 Relevance: .5, Instructions: 468COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2625860472.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d60000_cali.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e65cea447009f0d222147d5eadd3154cdd0d1bb0b518b947dc6ac3af7468e1df
Instruction ID: 09e164f7b1b9121b1d064bee5fa69bff4018bf0f3a19dd8fa3b3f30b08b1ae14
Opcode Fuzzy Hash: e65cea447009f0d222147d5eadd3154cdd0d1bb0b518b947dc6ac3af7468e1df
Instruction Fuzzy Hash: 4E120C34E00219CFDB64DFA9D894A9EB7B2FF89300F218569E406AB254DB319D85CF91

Function 018841C8 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2623719018.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1880000_cali.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba190f133cf58f69b90bc5b92ed07476ed7bfb14d9e9e7e3c5384392afe7cfd4
Instruction ID: d95297085b57976537708653e83e4ceaf471192d78799889eb7c66dd847fdc8f
Opcode Fuzzy Hash: ba190f133cf58f69b90bc5b92ed07476ed7bfb14d9e9e7e3c5384392afe7cfd4
Instruction Fuzzy Hash: F9B14E71E0020ACFDF14DFA9C8857AEBBF2BF88314F148129E815E7294EB749945CB91

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report cali.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Windows Analysis Report
cali.exe

Function 06D63520 Relevance: 1.8, Strings: 1, Instructions: 594
COMMON

Function 0188B9EE Relevance: 1.8, Instructions: 1772
COMMON

Function 06D6A108 Relevance: .6, Instructions: 638
COMMON

Function 06D60FE0 Relevance: .5, Instructions: 545
COMMON

Function 06D63C6B Relevance: .4, Instructions: 426
COMMON

Function 0188867F Relevance: 1.9, Strings: 1, Instructions: 607
COMMON

Function 06D6EA18 Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Function 06D6EA20 Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Function 01880838 Relevance: 1.3, Strings: 1, Instructions: 62
COMMON

Function 01880848 Relevance: 1.3, Strings: 1, Instructions: 62
COMMON

Function 01888728 Relevance: .6, Instructions: 559
COMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre