Edit tour
Windows
Analysis Report
X7qGiXszrq.dll
Overview
General Information
| Sample name: | X7qGiXszrq.dllrenamed because original name is a hash value |
| Original sample name: | 8F60B2218139D38978B4263244BFA4C9.dll |
| Analysis ID: | 1581116 |
| MD5: | 8f60b2218139d38978b4263244bfa4c9 |
| SHA1: | 80324b76dc1f4688c775e47d8b9d1c313d212319 |
| SHA256: | 9e4eb613a93a8b79faca6ed56bd73f3f04ef6fcf52473cd0ffd6724a656cf46b |
| Tags: | dllGh0stRATuser-abuse_ch |
| Infos: |  |
 | |
Detection
GhostRat
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected GhostRat
AI detected suspicious sample
Checks if browser processes are running
Contains functionality to detect sleep reduction / modifications
Contains functionality to inject threads in other processes
Machine Learning detection for sample
Tries to delay execution (extensive OutputDebugStringW loop)
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to clear windows event logs (to hide its activities)
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
loaddll32.exe (PID: 6460 cmdline: loaddll32. exe "C:\Us ers\user\D esktop\X7q GiXszrq.dl l" MD5: 51E6071F9CBA48E79F10C84515AAE618) 
conhost.exe (PID: 6476 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 6596 cmdline:
cmd.exe /C rundll32. exe "C:\Us ers\user\D esktop\X7q GiXszrq.dl l",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) 
rundll32.exe (PID: 6700 cmdline: rundll32.e xe "C:\Use rs\user\De sktop\X7qG iXszrq.dll ",#1 MD5: 889B99C52A60DD49227C5E485A016679) - rundll32.exe (PID: 6788 cmdline:
rundll32.e xe C:\User s\user\Des ktop\X7qGi Xszrq.dll, MainRun MD5: 889B99C52A60DD49227C5E485A016679) - rundll32.exe (PID: 6652 cmdline:
rundll32.e xe C:\User s\user\Des ktop\X7qGi Xszrq.dll, FirstRun MD5: 889B99C52A60DD49227C5E485A016679) - rundll32.exe (PID: 6764 cmdline:
rundll32.e xe C:\User s\user\Des ktop\X7qGi Xszrq.dll, MainRun MD5: 889B99C52A60DD49227C5E485A016679) - rundll32.exe (PID: 7012 cmdline:
rundll32.e xe C:\User s\user\Des ktop\X7qGi Xszrq.dll, MainRun MD5: 889B99C52A60DD49227C5E485A016679) - rundll32.exe (PID: 732 cmdline:
rundll32.e xe C:\User s\user\Des ktop\X7qGi Xszrq.dll, ServiceMai n MD5: 889B99C52A60DD49227C5E485A016679) 
WerFault.exe (PID: 5016 cmdline: C:\Windows \SysWOW64\ WerFault.e xe -u -p 7 32 -s 656 MD5: C31336C1EFC2CCB44B4326EA793040F2) - rundll32.exe (PID: 1780 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\X7qG iXszrq.dll ",FirstRun MD5: 889B99C52A60DD49227C5E485A016679) - rundll32.exe (PID: 4444 cmdline:
rundll32.e xe C:\User s\user\Des ktop\X7qGi Xszrq.dll, MainRun MD5: 889B99C52A60DD49227C5E485A016679) - rundll32.exe (PID: 2032 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\X7qG iXszrq.dll ",MainRun MD5: 889B99C52A60DD49227C5E485A016679) - rundll32.exe (PID: 5316 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\X7qG iXszrq.dll ",ServiceM ain MD5: 889B99C52A60DD49227C5E485A016679) - WerFault.exe (PID: 7024 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -u -p 5 316 -s 660 MD5: C31336C1EFC2CCB44B4326EA793040F2) - rundll32.exe (PID: 1052 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\X7qG iXszrq.dll ",TestFun MD5: 889B99C52A60DD49227C5E485A016679) - WerFault.exe (PID: 7004 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -u -p 1 052 -s 656 MD5: C31336C1EFC2CCB44B4326EA793040F2)
- cleanup
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security | ||
| JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security | ||
| JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security | ||
| JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security | ||
| JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security | ||
| Click to see the 3 entries | ||||
⊘No Sigma rule has matched
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-27T01:26:55.011885+0100 | 2016922 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 82.157.76.20 | 9907 | TCP |
| 2024-12-27T01:26:55.013356+0100 | 2016922 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 82.157.76.20 | 9907 | TCP |
| 2024-12-27T01:26:57.854874+0100 | 2016922 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 82.157.76.20 | 9907 | TCP |
| 2024-12-27T01:27:04.312547+0100 | 2016922 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49736 | 82.157.76.20 | 9907 | TCP |
| 2024-12-27T01:27:04.325180+0100 | 2016922 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 82.157.76.20 | 9907 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-27T01:26:56.699773+0100 | 2048478 | 1 | A Network Trojan was detected | 82.157.76.20 | 9907 | 192.168.2.4 | 49731 | TCP |
| 2024-12-27T01:26:56.702900+0100 | 2048478 | 1 | A Network Trojan was detected | 82.157.76.20 | 9907 | 192.168.2.4 | 49730 | TCP |
| 2024-12-27T01:26:59.543244+0100 | 2048478 | 1 | A Network Trojan was detected | 82.157.76.20 | 9907 | 192.168.2.4 | 49732 | TCP |
| 2024-12-27T01:27:05.954186+0100 | 2048478 | 1 | A Network Trojan was detected | 82.157.76.20 | 9907 | 192.168.2.4 | 49736 | TCP |
| 2024-12-27T01:27:05.959491+0100 | 2048478 | 1 | A Network Trojan was detected | 82.157.76.20 | 9907 | 192.168.2.4 | 49735 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-27T01:26:56.699773+0100 | 2808814 | 1 | Malware Command and Control Activity Detected | 82.157.76.20 | 9907 | 192.168.2.4 | 49731 | TCP |
| 2024-12-27T01:26:56.702900+0100 | 2808814 | 1 | Malware Command and Control Activity Detected | 82.157.76.20 | 9907 | 192.168.2.4 | 49730 | TCP |
| 2024-12-27T01:26:59.543244+0100 | 2808814 | 1 | Malware Command and Control Activity Detected | 82.157.76.20 | 9907 | 192.168.2.4 | 49732 | TCP |
| 2024-12-27T01:27:05.954186+0100 | 2808814 | 1 | Malware Command and Control Activity Detected | 82.157.76.20 | 9907 | 192.168.2.4 | 49736 | TCP |
| 2024-12-27T01:27:05.959491+0100 | 2808814 | 1 | Malware Command and Control Activity Detected | 82.157.76.20 | 9907 | 192.168.2.4 | 49735 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Avira: | ||
| Source: | ReversingLabs: | |||
| Source: | Virustotal: | Perma Link | ||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Code function: | 5_2_6CC73640 | |
| Source: | Code function: | 5_2_6CC72E66 | |
| Source: | Code function: | 5_2_6CC738E0 | |
| Source: | Code function: | 5_2_6CC8C2C5 | |
| Source: | Code function: | 5_2_6CC73B10 | |
| Source: | Code function: | 5_2_6CC73460 | |
Networking | |
|---|
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Network Connect: | ||
| Source: | TCP traffic: | ||
| Source: | ASN Name: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | Code function: | 5_2_6CC71990 | |
| Source: | String found in binary or memory: | ||
| Source: | Code function: | 5_2_6CC77590 | |
| Source: | Code function: | 5_2_6CC77590 | |
| Source: | Code function: | 5_2_6CC77590 | |
E-Banking Fraud | |
|---|
| Source: | Code function: | 5_2_6CC74DA0 | |
| Source: | Code function: | 5_2_6CC73EF0 | |
| Source: | Code function: | 5_2_6CC75760 | |
| Source: | Code function: | 5_2_6CC80450 | |
| Source: | Code function: | 5_2_6CC7FD50 | |
| Source: | Code function: | 5_2_6CC81D10 | |
| Source: | Code function: | 5_2_6CC936E5 | |
| Source: | Code function: | 5_2_6CC8E6F0 | |
| Source: | Code function: | 5_2_6CC7BF50 | |
| Source: | Code function: | 5_2_6CC91F34 | |
| Source: | Code function: | 5_2_6CC92058 | |
| Source: | Code function: | 5_2_6CC879A4 | |
| Source: | Code function: | 5_2_6CC7C9B0 | |
| Source: | Code function: | 5_2_6CC8EB88 | |
| Source: | Code function: | 14_2_02D0B7C7 | |
| Source: | Code function: | ||
| Source: | Process created: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 5_2_6CC75450 | |
| Source: | Code function: | 5_2_6CC795D0 | |
| Source: | Code function: | 5_2_6CC75760 | |
| Source: | Code function: | 5_2_6CC79310 | |
| Source: | Code function: | 5_2_6CC73460 | |
| Source: | Code function: | 5_2_6CC79C70 | |
| Source: | Code function: | 5_2_6CC78B30 | |
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Process created: | ||
| Source: | ReversingLabs: | ||
| Source: | Virustotal: | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 5_2_6CC75450 | |
| Source: | Code function: | 5_2_6CC7D6DD | |
| Source: | Code function: | 5_2_6CC93E26 | |
| Source: | Code function: | 5_2_6CC83359 | |
| Source: | Code function: | 8_2_028ECB45 | |
| Source: | Code function: | 8_2_028F683A | |
| Source: | Code function: | 8_2_028F5472 | |
| Source: | Code function: | 14_2_02CFDB02 | |
| Source: | Code function: | 14_2_02CFDA92 | |
| Source: | Code function: | 14_2_02D079CA | |
| Source: | Code function: | 14_2_02CFDA5A | |
| Source: | Code function: | 14_2_02CFCB21 | |
| Source: | Code function: | 14_2_02D079CA | |
| Source: | Code function: | 5_2_6CC78B30 | |
| Source: | Code function: | 5_2_6CC74FF0 | |
| Source: | Code function: | 5_2_6CC75450 | |
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | |||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | Code function: | 5_2_6CC7A7A0 | |
| Source: | Code function: | 5_2_6CC78090 | |
| Source: | Section loaded: | ||
| Source: | Code function: | 5_2_6CC78680 | |
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Window / User API: | |||
| Source: | Window / User API: | |||
| Source: | Window / User API: | |||
| Source: | Window / User API: | |||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Window / User API: | |||
| Source: | Window / User API: | |||
| Source: | Decision node followed by non-executed suspicious API: | graph_5-15416 | ||
| Source: | Code function: | 5_2_6CC78090 | |
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep count: | |||
| Source: | Thread sleep time: | |||
| Source: | Thread sleep count: | |||
| Source: | Thread sleep time: | |||
| Source: | Thread sleep count: | |||
| Source: | Thread sleep time: | |||
| Source: | Thread sleep count: | |||
| Source: | Thread sleep time: | |||
| Source: | Thread sleep count: | |||
| Source: | Thread sleep time: | |||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep count: | |||
| Source: | Thread sleep time: | |||
| Source: | Thread sleep count: | |||
| Source: | Thread sleep time: | |||
| Source: | Last function: | ||
| Source: | Last function: | ||
| Source: | Last function: | ||
| Source: | Last function: | ||
| Source: | Last function: | ||
| Source: | Last function: | ||
| Source: | Last function: | ||
| Source: | Last function: | ||
| Source: | Code function: | 5_2_6CC73640 | |
| Source: | Code function: | 5_2_6CC72E66 | |
| Source: | Code function: | 5_2_6CC738E0 | |
| Source: | Code function: | 5_2_6CC8C2C5 | |
| Source: | Code function: | 5_2_6CC73B10 | |
| Source: | Code function: | 5_2_6CC73460 | |
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | |||
| Source: | Thread delayed: | |||
| Source: | Thread delayed: | |||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | |||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Code function: | 5_2_6CC77590 | |
| Source: | Code function: | 5_2_6CC86466 | |
| Source: | Code function: | 5_2_6CC75450 | |
| Source: | Code function: | 5_2_6CC8A4DE | |
| Source: | Code function: | 5_2_6CC8A524 | |
| Source: | Code function: | 5_2_6CC8894D | |
| Source: | Code function: | 5_2_6CC76510 | |
| Source: | Code function: | 5_2_6CC7B0C0 | |
| Source: | Code function: | 5_2_6CC824A5 | |
| Source: | Code function: | 5_2_6CC86466 | |
| Source: | Code function: | 5_2_6CC830AC | |
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | Network Connect: | ||
| Source: | Code function: | 5_2_6CC75450 | |
| Source: | Code function: | 5_2_6CC77B50 | |
| Source: | Code function: | 5_2_6CC77B50 | |
| Source: | Process created: | Jump to behavior | ||
| Source: | Code function: | 5_2_6CC75E60 | |
| Source: | Code function: | 5_2_6CC75E60 | |
| Source: | Code function: | 5_2_6CC8335B | |
| Source: | Code function: | 5_2_6CC76010 | |
| Source: | Code function: | 5_2_6CC7ACA0 | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Disable or Modify Tools | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
| Credentials | Domains | Default Accounts | 12 Service Execution | 11 Windows Service | 1 Access Token Manipulation | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 1 System Service Discovery | Remote Desktop Protocol | 3 Clipboard Data | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 11 Windows Service | 2 Obfuscated Files or Information | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 212 Process Injection | 1 DLL Side-Loading | NTDS | 14 System Information Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 121 Virtualization/Sandbox Evasion | LSA Secrets | 151 Security Software Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Access Token Manipulation | Cached Domain Credentials | 121 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 212 Process Injection | DCSync | 11 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Rundll32 | Proc Filesystem | 1 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
| Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Indicator Removal | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 79% | ReversingLabs | Win32.Backdoor.Farfli | ||
| 75% | Virustotal | Browse | ||
| 100% | Avira | BDS/Backdoor.Gen | ||
| 100% | Joe Sandbox ML |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No contacted domains info
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | high |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 82.157.76.20 | unknown | China | 12513 | ECLIPSEGB | true |
| Joe Sandbox version: | 41.0.0 Charoite |
| Analysis ID: | 1581116 |
| Start date and time: | 2024-12-27 01:26:04 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 4m 57s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 25 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | X7qGiXszrq.dllrenamed because original name is a hash value |
| Original Sample Name: | 8F60B2218139D38978B4263244BFA4C9.dll |
| Detection: | MAL |
| Classification: | mal100.bank.troj.evad.winDLL@29/13@0/1 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 13.89.179.12, 20.190.181.5, 20.109.210.53, 13.107.246.63
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target rundll32.exe, PID 5316 because there are no executed function
- Execution Graph export aborted for target rundll32.exe, PID 732 because there are no executed function
- Not all processes where analyzed, report is missing behavior information
- Report size exceeded maximum capacity and may have missing behavior information.
| Time | Type | Description |
|---|---|---|
| 19:26:53 | API Interceptor | |
| 19:27:02 | API Interceptor | |
| 19:27:32 | API Interceptor |
⊘No context
⊘No context
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| ECLIPSEGB | Get hash | malicious | Mirai | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Mirai | Browse |
| ||
| Get hash | malicious | Mirai | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Mirai | Browse |
|
⊘No context
⊘No context
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_26a67898946df8cd7879fcf65642466ed07e12_7522e4b5_70e4fd71-13fe-4d60-9d7f-63a045af65b8\Report.wer
Download File
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 0.8914991867990453 |
| Encrypted: | false |
| SSDEEP: | 192:NP8iROxH0BU/wjeTLLzuiFkZ24IO8dci:V8ioxUBU/wjeTzuiFkY4IO8dci |
| MD5: | 7621965E5E754FB499A14F3DE5A1A94D |
| SHA1: | E2F45FF1D8F2DD9D8542DA394A669E5F413FA76B |
| SHA-256: | 6EE001E113A619488A3C5142296ED29B3183484E2ACE22D2179DF5CD194FE7E8 |
| SHA-512: | 7790FE5AD0D9E84DB21EB89180468E7D529CE00C1FDD2EB430DEE4467AC31AF1F35E5930C0A8E512BE34A3BE6D7E53FB63B82C214488AD459534FE9AFB74A91E |
| Malicious: | false |
| Preview: |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_26a67898946df8cd7879fcf65642466ed07e12_7522e4b5_9202bffe-b83e-455e-a4a2-48e27a682c9d\Report.wer
Download File
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 0.8914520697323963 |
| Encrypted: | false |
| SSDEEP: | 96:WPFBZ6i9nhVynjsj94sR7ifmQXIDcQvc6QcEVcw3cE/O/a/z+HbHg/BQAS/YyNlG:EUiVOjH0BU/wjeTmezuiFkZ24IO8dci |
| MD5: | 99B6150118433636C42E6FB55D7B912A |
| SHA1: | 23761D2DD3AF056E40965A704489615F298790F2 |
| SHA-256: | F242147BE693F546A8D4080593D7796E0282A6E670DDA65B07EB318DFB538095 |
| SHA-512: | 25EEDD299196546B955D8ECDD9034F094631277BF614AC34A6D2072AD7E544F440E1F73BB304EC3D9116B6353291F0D9F17AC23B041C6A9D8825EE16C71A3613 |
| Malicious: | false |
| Preview: |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_6e27b41365c35c573789b1cc3865f957bf2a54_7522e4b5_3d1832b8-3231-4d87-a53d-dff582db6ccb\Report.wer
Download File
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 0.8914345474437483 |
| Encrypted: | false |
| SSDEEP: | 192:bejiDOGh0BU/wjeTLLzuiFkZ24IO8dcim:KjiKGiBU/wjeTzuiFkY4IO8dci |
| MD5: | 7D7774A58F32F85BDD09B078CC45AC20 |
| SHA1: | A48E5313D0F5ACFF9301F1E89B367AE68E9B7EB1 |
| SHA-256: | C9F6469BD9431F9A7C414F2B10C6DD1782231E588071A4CCAF2D27C1560649D3 |
| SHA-512: | DD30B886C58F3603B8281330BAB29942A827B95D517055A6ED5AC73B71F666FCA02B32C712D96EA7119825BD572A2B72BD79EB30A85D78E4101511F579B4F373 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 43338 |
| Entropy (8bit): | 2.006086483761336 |
| Encrypted: | false |
| SSDEEP: | 192:21cr21302vFd3rO5H4d3U6UyX86wFN96lugKu:Ku2JjvFdi5HjYM6wF8uBu |
| MD5: | F4704375A3685962BBDD7A41625DBBE7 |
| SHA1: | 34CA81EAFE71B91A0253128A55F2BFD0B795F297 |
| SHA-256: | 8DF1C72015B154B68B22A175D3E3924082F69EEE5FB1F36DA0477C61207C388C |
| SHA-512: | E16E243DA93D0EA4E0C200BE35C59501A291C822C4C97E172B63C86554445D301E0A57C4B09BEFE84E43D6A18681758E5105742142E9285C58230595B0F45452 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 8258 |
| Entropy (8bit): | 3.6938210104178593 |
| Encrypted: | false |
| SSDEEP: | 192:R6l7wVeJ7S6IWN6Y+f6EPgmfT5++prO89b5LEsfBTzm:R6lXJe6IWN6Y26EPgmfT5+M5L3fVq |
| MD5: | E948B1BF5BC2140D3E0C5BDE7DBE3C87 |
| SHA1: | 994E45F7F3A5F61BF65E216629746FD80439B5A8 |
| SHA-256: | BFFFCE5CB34AA31CC76E533FC65C7208BE3A99DC7E4EFA2165763DCA8CE66DCA |
| SHA-512: | CA5F95154DEF459DA42633A07C57FFF8297A1DF0390948F2026399723B9EFEF2C1A738E8176E8A27A79953614AC4717A2BCFD2DAD031C744DAF8A37DA42D7581 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4650 |
| Entropy (8bit): | 4.468401853708542 |
| Encrypted: | false |
| SSDEEP: | 48:cvIwWl8zsmJg77aI96lWpW8VYvcYm8M4JCdPmvFh+q8/8nDHGScSNd:uIjf8I7wU7Vm5Jb5J3Nd |
| MD5: | 779B84E31AABF26F06A4841FCEE40DEC |
| SHA1: | 5AA5E21A02764EECA8B7871381F307D77F3E7AC9 |
| SHA-256: | 0DEE8FEA12F18902D30EB9EBAD1A236627CA332637E70397A62FC2733F476A49 |
| SHA-512: | 99F0E008CD6A43FD6E361837B532E5B645AB8CCE55EE40CBD03D50418354643708B33D6563194E279115553F51AB019EF3F1199A3239FB8121AE3A2E0458031B |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 45694 |
| Entropy (8bit): | 1.9280257141294073 |
| Encrypted: | false |
| SSDEEP: | 96:5o8B+M6cUTUqwfw12P3Y32pSLg4BHu1LAoi75I4v44haL9nNV3R5B2IbezxNnWIf:x4cr213yug4dWO5H4RXrYVwBtMXf3 |
| MD5: | 647A16E7FD7D3935608F6CFA2A501A7F |
| SHA1: | 3E29974BF18DE3CEB6F36734BC1C262834DCBF7D |
| SHA-256: | 83CEBD0F57FD5DBD7F1783C796F00782C3E59FC326AABEC278AC179F768C1220 |
| SHA-512: | FD76677922A066AD2B2680D137F4062C576B38E9548FA8AEE26346F6EEB821C9F3E3C78F77E6C319B579BB56374ED4FFB0DC4F78BDCB0823092813F30383F994 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 43714 |
| Entropy (8bit): | 1.9876926717638022 |
| Encrypted: | false |
| SSDEEP: | 192:xccr213Lug4dDOO5H4ptMHUojLFcfrwMdHT6epNsLTdf:Su2JSg4dV5HZXyfrwMRWrTd |
| MD5: | FC0B73D88310D3077BB1F639FFEA77A6 |
| SHA1: | 7D41D2C96F8A419B5CA1F3B6035DCE00525A169B |
| SHA-256: | 132D622943524B32EDE94232BD873B0A0223CDACA9DD04FCC9A8EDBA52092696 |
| SHA-512: | 54640A11B02A41DE4688DA54961E0AEA0D8C50BD7D00F1FA37F2AD6A4C67D65814E8368F28B69FC08770949FDFD6E3B04E40E00E2B87F17CD1F49C78D3AF667E |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 8252 |
| Entropy (8bit): | 3.6962309848566153 |
| Encrypted: | false |
| SSDEEP: | 192:R6l7wVeJMKe6IWyh6Yux6KKgmfTP++prM89b5Qesf+TWm:R6lXJMb6IWc6YI6KKgmfTP+S5Qdf6f |
| MD5: | EE62CF80DE4E2749BB25B1F31B9C230F |
| SHA1: | 76C94F7497D17794C0928020A54DD028ED63EAFC |
| SHA-256: | 47551C5D76E0CFE7A0F482D1334FFDB5F4D82FD418FA94BEDAA04B02CCC10F93 |
| SHA-512: | 0F17CC2A306B6714F089FD7A6EE5A7A9C70F18FCEED989155BC0F430295DC8465B35FED69625892ABBCA77830B0B55464D5A1789F854B929034B5A6A8C79329F |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 8256 |
| Entropy (8bit): | 3.6946700262701664 |
| Encrypted: | false |
| SSDEEP: | 192:R6l7wVeJ0I6IWW6Yu76KKgmfT5++pry89b5QTsf82TWm:R6lXJD6IWW6YC6KKgmfT5+Q5Q4f8if |
| MD5: | C38EB8BCC671EFDCF9607FE4457AD28E |
| SHA1: | DE51B1FB25F2DE5111D4B12CB315C1CF4F4C23DF |
| SHA-256: | 0BF5DDFD1F0440D2773C08E683489D46E9F2BEEE24F8D680F2B90AB03289687B |
| SHA-512: | 7D31D593E55D1D300C0396B90C417F16F1F1D293175FCD7653C2586D17F02DD44FE08CEC06925E929D6DF1C01239EC8BF27EF5F8C309BEA8680CC2D608EB84EB |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4650 |
| Entropy (8bit): | 4.4647521548064955 |
| Encrypted: | false |
| SSDEEP: | 48:cvIwWl8zsmJg77aI96lWpW8VYCYm8M4JCdPmTFu+q8/8nHGScS1d:uIjf8I7wU7VKJ49J31d |
| MD5: | 8AA2D154EDB24CD174CF2DE880E9B825 |
| SHA1: | 37511B926E46B652FD756B7E5AAE9F0DAE2A52EE |
| SHA-256: | E6B998C788906DF8C44D234A8469B207714215E6ECF15F8F90238234237F7BE8 |
| SHA-512: | 3F14DDEBAA3D984CBC556813915A19B7C69C98BB399FB91CEEDAC254009D833E5EDB8FEE2CB53788414116356E05A2745457A8EFB98B4EEAD84C7743921F479D |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4650 |
| Entropy (8bit): | 4.467713778402247 |
| Encrypted: | false |
| SSDEEP: | 48:cvIwWl8zsmJg77aI96lWpW8VYKYm8M4JCdPmvFUU+q8/8nbGScSvd:uIjf8I7wU7VmJCURJ3vd |
| MD5: | B8105E225508F0C2ED8D0CE3CE2364F5 |
| SHA1: | 07DD8EAC24B2EFC4ED516F093715AD1E41128DFD |
| SHA-256: | F5E7760BAC3E321CC63884226AF8987CD2ED30E7715F1D355CB5E02A1F2A278B |
| SHA-512: | 411CEDDACFB4DCC3B0161B362199EEDDD042DC22A7E03387A734AF16BBB2A41CC13EA7423E467AA5EB65F4AD887F8572D8CC6495CA8B8D581EF91842186115A1 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1835008 |
| Entropy (8bit): | 4.4662349128717835 |
| Encrypted: | false |
| SSDEEP: | 6144:UIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNxdwBCswSbG:pXD94+WlLZMM6YFHT+G |
| MD5: | 3F25C7CFA959B1B02F73E10ADAE64C97 |
| SHA1: | E97889101D79B2970AEBAABDD8E0442780C13D7A |
| SHA-256: | 13F3B970C897F501C17F5CD36F9FC5CAA4EDCCD124970C141A391C910206595D |
| SHA-512: | 891813E6AD5161DEFE2761EC436EE73E29B5D3273A4DB37AF493B1B4582904DC3B3D2FCCE7EE462E2666E69FEB38D3C4295CCE9C990B5CC471ECBCF95530CE10 |
| Malicious: | false |
| Preview: |
| File type: | |
| Entropy (8bit): | 6.65982581309569 |
| TrID: |
|
| File name: | X7qGiXszrq.dll |
| File size: | 213'504 bytes |
| MD5: | 8f60b2218139d38978b4263244bfa4c9 |
| SHA1: | 80324b76dc1f4688c775e47d8b9d1c313d212319 |
| SHA256: | 9e4eb613a93a8b79faca6ed56bd73f3f04ef6fcf52473cd0ffd6724a656cf46b |
| SHA512: | 249baac74806f4a07e73cc11a9dfe6bbf73a8c50ba99aec1ed31625f5dfc76b366a50aaed4d1bd6bbbc7ed073031e861a049e72eff3ec773f5cbc7364bffff88 |
| SSDEEP: | 6144:b1TyRICfzZQVG5zLD45eEhIv5KTBIUXuTyEGVa:bQRvfzZQVCHD4kEW5KTC0u2E1 |
| TLSH: | BA249E117580D833D6FE013044E7DB6A663D79340BA8E8DBE3DCAF790D745C26A34A9A |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......w..b3..13..13..1V..0?..1V..0...1V..0!..1..611..1a..0...1a..0<..1a..0&..1V..0(..13..1p..1...09..1...02..1...0+..1...02..1...12.. |
 | |
| Icon Hash: | 7ae282899bbab082 |
| Entrypoint: | 0x10012b73 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x10000000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL |
| DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT |
| Time Stamp: | 0x5F2E4920 [Sat Aug 8 06:41:36 2020 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 6 |
| OS Version Minor: | 0 |
| File Version Major: | 6 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 6 |
| Subsystem Version Minor: | 0 |
| Import Hash: | ecea502ae8d6b6cf637b892f3a6b808d |
| Instruction |
|---|
| push ebp |
| mov ebp, esp |
| cmp dword ptr [ebp+0Ch], 01h |
| jne 00007FAC6081A387h |
| call 00007FAC6081AA20h |
| push dword ptr [ebp+10h] |
| push dword ptr [ebp+0Ch] |
| push dword ptr [ebp+08h] |
| call 00007FAC6081A238h |
| add esp, 0Ch |
| pop ebp |
| retn 000Ch |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| push edi |
| push esi |
| push ebx |
| xor edi, edi |
| mov eax, dword ptr [esp+14h] |
| or eax, eax |
| jnl 00007FAC6081A396h |
| inc edi |
| mov edx, dword ptr [esp+10h] |
| neg eax |
| neg edx |
| sbb eax, 00000000h |
| mov dword ptr [esp+14h], eax |
| mov dword ptr [esp+10h], edx |
| mov eax, dword ptr [esp+1Ch] |
| or eax, eax |
| jnl 00007FAC6081A396h |
| inc edi |
| mov edx, dword ptr [esp+18h] |
| neg eax |
| neg edx |
| sbb eax, 00000000h |
| mov dword ptr [esp+1Ch], eax |
| mov dword ptr [esp+18h], edx |
| or eax, eax |
| jne 00007FAC6081A39Ah |
| mov ecx, dword ptr [esp+18h] |
| mov eax, dword ptr [esp+14h] |
| xor edx, edx |
| div ecx |
| mov ebx, eax |
| mov eax, dword ptr [esp+10h] |
| div ecx |
| mov edx, ebx |
| jmp 00007FAC6081A3C3h |
| mov ebx, eax |
| mov ecx, dword ptr [esp+18h] |
| mov edx, dword ptr [esp+14h] |
| mov eax, dword ptr [esp+10h] |
| shr ebx, 1 |
| rcr ecx, 1 |
| shr edx, 1 |
| rcr eax, 1 |
| or ebx, ebx |
| jne 00007FAC6081A376h |
| div ecx |
| mov esi, eax |
| mul dword ptr [esp+1Ch] |
| mov ecx, eax |
| mov eax, dword ptr [esp+18h] |
| mul esi |
| add edx, ecx |
| jc 00007FAC6081A390h |
| cmp edx, dword ptr [esp+14h] |
| jnbe 00007FAC6081A38Ah |
| jc 00007FAC6081A389h |
| cmp eax, dword ptr [esp+10h] |
| jbe 00007FAC6081A383h |
| dec esi |
| xor edx, edx |
| mov eax, esi |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x302a0 | 0x84 | .rdata |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x30324 | 0x104 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x34000 | 0xf8 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x35000 | 0x2064 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x2e900 | 0x70 | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x2ea10 | 0x18 | .rdata |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2e970 | 0x40 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x25000 | 0x4ac | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x23c0b | 0x23e00 | 22f9d3ff98348b3c88a1f907c5e48343 | False | 0.5676856489547039 | data | 6.636804258074074 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x25000 | 0xccb8 | 0xce00 | 48e054a29558fa7b381b4f48b7450167 | False | 0.550439927184466 | data | 5.985634918572682 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x32000 | 0x1f88 | 0xe00 | cbb9f4531dbf7b8f2c84bd6fe5d023b0 | False | 0.19670758928571427 | data | 2.8965536616297585 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x34000 | 0xf8 | 0x200 | d6c64ce0f44f661d13f0af67e8b4d484 | False | 0.3359375 | data | 2.5312981004807127 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x35000 | 0x2064 | 0x2200 | 942a5ec83872d12e971eada6913059dd | False | 0.7635569852941176 | data | 6.546808814766869 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_MANIFEST | 0x34060 | 0x91 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.8689655172413793 |
| DLL | Import |
|---|---|
| WININET.dll | InternetCloseHandle, InternetOpenA, InternetReadFile, InternetOpenUrlA |
| SHLWAPI.dll | SHDeleteKeyA |
| KERNEL32.dll | HeapAlloc, GetLocalTime, CreateFileMappingA, GetProcessHeap, MapViewOfFile, LocalSize, GlobalAlloc, GlobalLock, GlobalUnlock, GlobalFree, GlobalSize, OutputDebugStringA, CreatePipe, GetStartupInfoA, TerminateProcess, DisconnectNamedPipe, PeekNamedPipe, WaitForMultipleObjects, lstrcmpiA, QueryDosDeviceA, K32GetProcessImageFileNameA, CreateToolhelp32Snapshot, Process32First, Process32Next, GetCurrentProcessId, GetCurrentThreadId, SetUnhandledExceptionFilter, CreateMutexA, SetErrorMode, OpenEventA, ReleaseMutex, FreeConsole, FlushFileBuffers, HeapSize, SetStdHandle, SetFilePointerEx, GetStringTypeW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, HeapFree, GetOEMCP, GetACP, IsValidCodePage, FindNextFileW, FindFirstFileExW, GetFileType, GetStdHandle, HeapReAlloc, LCMapStringW, GetModuleFileNameW, ExitProcess, GetModuleHandleExW, FreeLibraryAndExitThread, ExitThread, LoadLibraryExW, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, EncodePointer, InterlockedFlushSList, RaiseException, RtlUnwind, InitializeSListHead, GetSystemTimeAsFileTime, QueryPerformanceCounter, GetStartupInfoW, IsDebuggerPresent, GetModuleHandleW, CreateEventW, WaitForSingleObjectEx, InitializeCriticalSectionAndSpinCount, MoveFileExA, GetTickCount, GetSystemDirectoryA, CreateRemoteThread, WriteProcessMemory, VirtualAllocEx, OpenProcess, GetCurrentProcess, SetLastError, GetModuleFileNameA, CreateDirectoryA, GetDiskFreeSpaceExA, WriteConsoleW, CreateProcessA, LocalReAlloc, RemoveDirectoryA, GetFileSize, LocalFree, GetLogicalDriveStringsA, DeleteFileA, CreateFileA, GetFileAttributesA, GetLastError, LocalAlloc, GetVolumeInformationA, FindClose, SetFilePointer, FindNextFileA, GetDriveTypeA, WriteFile, FindFirstFileA, MoveFileA, ReadFile, GetVersionExA, WideCharToMultiByte, MultiByteToWideChar, FreeLibrary, GetProcAddress, LoadLibraryA, lstrlenA, lstrcatA, DeleteCriticalSection, InitializeCriticalSection, LeaveCriticalSection, VirtualAlloc, VirtualFree, EnterCriticalSection, ResetEvent, lstrcpyA, Sleep, CancelIo, ResumeThread, CreateThread, WaitForSingleObject, SetEvent, CloseHandle, TerminateThread, CreateEventA, GetConsoleCP, IsProcessorFeaturePresent, UnhandledExceptionFilter, GetConsoleMode, DecodePointer, UnmapViewOfFile, CreateFileW, GetCPInfo |
| USER32.dll | SetWindowsHookExA, GetKeyNameTextA, GetActiveWindow, CallNextHookEx, LoadCursorA, DestroyCursor, BlockInput, SystemParametersInfoA, SendMessageA, wsprintfA, SetCapture, WindowFromPoint, UnhookWindowsHookEx, keybd_event, MapVirtualKeyA, OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard, GetClipboardData, GetSystemMetrics, GetCursorInfo, DispatchMessageA, TranslateMessage, GetMessageA, GetWindowTextA, mouse_event, ReleaseDC, SetRect, CharNextA, GetDC, SetCursorPos, GetThreadDesktop, GetCursorPos, SetProcessWindowStation, OpenWindowStationA, GetProcessWindowStation, CreateWindowExA, GetUserObjectInformationA, SetThreadDesktop, ExitWindowsEx, CloseDesktop, OpenDesktopA, OpenInputDesktop, InternalGetWindowText, IsWindow, ShowWindow, PostMessageA, EnumWindows, GetWindowThreadProcessId, IsWindowVisible, GetDesktopWindow |
| GDI32.dll | CreateDIBSection, SelectObject, DeleteDC, GetDIBits, CreateCompatibleBitmap, BitBlt, DeleteObject, CreateCompatibleDC |
| ADVAPI32.dll | RegOpenKeyExA, RegisterServiceCtrlHandlerA, SetServiceStatus, UnlockServiceDatabase, ChangeServiceConfigA, LockServiceDatabase, StartServiceA, QueryServiceConfigA, EnumServicesStatusA, RegQueryInfoKeyA, RegDeleteKeyA, RegCreateKeyExA, RegEnumValueA, RegEnumKeyExA, SetSecurityDescriptorDacl, AllocateAndInitializeSid, FreeSid, InitializeSecurityDescriptor, InitializeAcl, GetLengthSid, AddAccessAllowedAce, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, CloseEventLog, ClearEventLogA, OpenEventLogA, RegQueryValueExA, RegOpenKeyA, RegSetValueExA, CloseServiceHandle, DeleteService, ControlService, QueryServiceStatus, OpenServiceA, OpenSCManagerA, RegCloseKey, RegQueryValueA |
| SHELL32.dll | SHGetFileInfoA |
| WINMM.dll | waveInReset, waveOutWrite, waveInGetNumDevs, waveInOpen, waveInUnprepareHeader, waveInClose, waveOutReset, waveOutUnprepareHeader, waveInStop, waveInPrepareHeader, waveInAddBuffer, waveInStart, waveOutGetNumDevs, waveOutOpen, waveOutPrepareHeader, waveOutClose |
| WS2_32.dll | select, socket, ntohs, connect, recv, htons, setsockopt, WSAStartup, gethostbyname, closesocket, WSAIoctl, WSACleanup, gethostname, getsockname, send |
| IMM32.dll | ImmGetContext, ImmReleaseContext, ImmGetCompositionStringA |
| AVICAP32.dll | capGetDriverDescriptionA, capCreateCaptureWindowA |
| MSVFW32.dll | ICClose, ICCompressorFree, ICSeqCompressFrameEnd, ICSendMessage, ICOpen, ICSeqCompressFrame, ICSeqCompressFrameStart |
| Name | Ordinal | Address |
|---|---|---|
| FirstRun | 1 | 0x1000bae0 |
| MainRun | 2 | 0x1000b9e0 |
| ServiceMain | 3 | 0x1000b7b0 |
| TestFun | 4 | 0x1000b950 |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-27T01:26:55.011885+0100 | 2016922 | ET MALWARE Backdoor family PCRat/Gh0st CnC traffic | 1 | 192.168.2.4 | 49730 | 82.157.76.20 | 9907 | TCP |
| 2024-12-27T01:26:55.013356+0100 | 2016922 | ET MALWARE Backdoor family PCRat/Gh0st CnC traffic | 1 | 192.168.2.4 | 49731 | 82.157.76.20 | 9907 | TCP |
| 2024-12-27T01:26:56.699773+0100 | 2048478 | ET MALWARE [ANY.RUN] Win32/Gh0stRat Keep-Alive | 1 | 82.157.76.20 | 9907 | 192.168.2.4 | 49731 | TCP |
| 2024-12-27T01:26:56.699773+0100 | 2808814 | ETPRO MALWARE Backdoor family PCRat/Gh0st CnC Response | 1 | 82.157.76.20 | 9907 | 192.168.2.4 | 49731 | TCP |
| 2024-12-27T01:26:56.702900+0100 | 2048478 | ET MALWARE [ANY.RUN] Win32/Gh0stRat Keep-Alive | 1 | 82.157.76.20 | 9907 | 192.168.2.4 | 49730 | TCP |
| 2024-12-27T01:26:56.702900+0100 | 2808814 | ETPRO MALWARE Backdoor family PCRat/Gh0st CnC Response | 1 | 82.157.76.20 | 9907 | 192.168.2.4 | 49730 | TCP |
| 2024-12-27T01:26:57.854874+0100 | 2016922 | ET MALWARE Backdoor family PCRat/Gh0st CnC traffic | 1 | 192.168.2.4 | 49732 | 82.157.76.20 | 9907 | TCP |
| 2024-12-27T01:26:59.543244+0100 | 2048478 | ET MALWARE [ANY.RUN] Win32/Gh0stRat Keep-Alive | 1 | 82.157.76.20 | 9907 | 192.168.2.4 | 49732 | TCP |
| 2024-12-27T01:26:59.543244+0100 | 2808814 | ETPRO MALWARE Backdoor family PCRat/Gh0st CnC Response | 1 | 82.157.76.20 | 9907 | 192.168.2.4 | 49732 | TCP |
| 2024-12-27T01:27:04.312547+0100 | 2016922 | ET MALWARE Backdoor family PCRat/Gh0st CnC traffic | 1 | 192.168.2.4 | 49736 | 82.157.76.20 | 9907 | TCP |
| 2024-12-27T01:27:04.325180+0100 | 2016922 | ET MALWARE Backdoor family PCRat/Gh0st CnC traffic | 1 | 192.168.2.4 | 49735 | 82.157.76.20 | 9907 | TCP |
| 2024-12-27T01:27:05.954186+0100 | 2048478 | ET MALWARE [ANY.RUN] Win32/Gh0stRat Keep-Alive | 1 | 82.157.76.20 | 9907 | 192.168.2.4 | 49736 | TCP |
| 2024-12-27T01:27:05.954186+0100 | 2808814 | ETPRO MALWARE Backdoor family PCRat/Gh0st CnC Response | 1 | 82.157.76.20 | 9907 | 192.168.2.4 | 49736 | TCP |
| 2024-12-27T01:27:05.959491+0100 | 2048478 | ET MALWARE [ANY.RUN] Win32/Gh0stRat Keep-Alive | 1 | 82.157.76.20 | 9907 | 192.168.2.4 | 49735 | TCP |
| 2024-12-27T01:27:05.959491+0100 | 2808814 | ETPRO MALWARE Backdoor family PCRat/Gh0st CnC Response | 1 | 82.157.76.20 | 9907 | 192.168.2.4 | 49735 | TCP |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Dec 27, 2024 01:26:54.852246046 CET | 49731 | 9907 | 192.168.2.4 | 82.157.76.20 |
| Dec 27, 2024 01:26:54.852261066 CET | 49730 | 9907 | 192.168.2.4 | 82.157.76.20 |
| Dec 27, 2024 01:26:54.972049952 CET | 9907 | 49731 | 82.157.76.20 | 192.168.2.4 |
| Dec 27, 2024 01:26:54.972069979 CET | 9907 | 49730 | 82.157.76.20 | 192.168.2.4 |
| Dec 27, 2024 01:26:54.972141027 CET | 49731 | 9907 | 192.168.2.4 | 82.157.76.20 |
| Dec 27, 2024 01:26:54.972179890 CET | 49730 | 9907 | 192.168.2.4 | 82.157.76.20 |
| Dec 27, 2024 01:26:55.011884928 CET | 49730 | 9907 | 192.168.2.4 | 82.157.76.20 |
| Dec 27, 2024 01:26:55.013355970 CET | 49731 | 9907 | 192.168.2.4 | 82.157.76.20 |
| Dec 27, 2024 01:26:55.131519079 CET | 9907 | 49730 | 82.157.76.20 | 192.168.2.4 |
| Dec 27, 2024 01:26:55.132904053 CET | 9907 | 49731 | 82.157.76.20 | 192.168.2.4 |
| Dec 27, 2024 01:26:56.699773073 CET | 9907 | 49731 | 82.157.76.20 | 192.168.2.4 |
| Dec 27, 2024 01:26:56.702899933 CET | 9907 | 49730 | 82.157.76.20 | 192.168.2.4 |
| Dec 27, 2024 01:26:56.743994951 CET | 49730 | 9907 | 192.168.2.4 | 82.157.76.20 |
| Dec 27, 2024 01:26:56.744153976 CET | 49731 | 9907 | 192.168.2.4 | 82.157.76.20 |
| Dec 27, 2024 01:26:57.721566916 CET | 49732 | 9907 | 192.168.2.4 | 82.157.76.20 |
| Dec 27, 2024 01:26:57.841660023 CET | 9907 | 49732 | 82.157.76.20 | 192.168.2.4 |
| Dec 27, 2024 01:26:57.841767073 CET | 49732 | 9907 | 192.168.2.4 | 82.157.76.20 |
| Dec 27, 2024 01:26:57.854873896 CET | 49732 | 9907 | 192.168.2.4 | 82.157.76.20 |
| Dec 27, 2024 01:26:57.974481106 CET | 9907 | 49732 | 82.157.76.20 | 192.168.2.4 |
| Dec 27, 2024 01:26:59.543243885 CET | 9907 | 49732 | 82.157.76.20 | 192.168.2.4 |
| Dec 27, 2024 01:26:59.587753057 CET | 49732 | 9907 | 192.168.2.4 | 82.157.76.20 |
| Dec 27, 2024 01:27:03.837132931 CET | 49735 | 9907 | 192.168.2.4 | 82.157.76.20 |
| Dec 27, 2024 01:27:03.861867905 CET | 49736 | 9907 | 192.168.2.4 | 82.157.76.20 |
| Dec 27, 2024 01:27:04.297383070 CET | 9907 | 49735 | 82.157.76.20 | 192.168.2.4 |
| Dec 27, 2024 01:27:04.297480106 CET | 49735 | 9907 | 192.168.2.4 | 82.157.76.20 |
| Dec 27, 2024 01:27:04.297485113 CET | 9907 | 49736 | 82.157.76.20 | 192.168.2.4 |
| Dec 27, 2024 01:27:04.297547102 CET | 49736 | 9907 | 192.168.2.4 | 82.157.76.20 |
| Dec 27, 2024 01:27:04.312546968 CET | 49736 | 9907 | 192.168.2.4 | 82.157.76.20 |
| Dec 27, 2024 01:27:04.325180054 CET | 49735 | 9907 | 192.168.2.4 | 82.157.76.20 |
| Dec 27, 2024 01:27:04.432106018 CET | 9907 | 49736 | 82.157.76.20 | 192.168.2.4 |
| Dec 27, 2024 01:27:04.444789886 CET | 9907 | 49735 | 82.157.76.20 | 192.168.2.4 |
| Dec 27, 2024 01:27:05.954185963 CET | 9907 | 49736 | 82.157.76.20 | 192.168.2.4 |
| Dec 27, 2024 01:27:05.959491014 CET | 9907 | 49735 | 82.157.76.20 | 192.168.2.4 |
| Dec 27, 2024 01:27:06.009648085 CET | 49736 | 9907 | 192.168.2.4 | 82.157.76.20 |
| Dec 27, 2024 01:27:06.009650946 CET | 49735 | 9907 | 192.168.2.4 | 82.157.76.20 |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 19:26:53 |
| Start date: | 26/12/2024 |
| Path: | C:\Windows\System32\loaddll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x290000 |
| File size: | 126'464 bytes |
| MD5 hash: | 51E6071F9CBA48E79F10C84515AAE618 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 1 |
| Start time: | 19:26:53 |
| Start date: | 26/12/2024 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7699e0000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 2 |
| Start time: | 19:26:53 |
| Start date: | 26/12/2024 |
| Path: | C:\Windows\SysWOW64\cmd.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x240000 |
| File size: | 236'544 bytes |
| MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 3 |
| Start time: | 19:26:53 |
| Start date: | 26/12/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x170000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 4 |
| Start time: | 19:26:53 |
| Start date: | 26/12/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x170000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 5 |
| Start time: | 19:26:53 |
| Start date: | 26/12/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x170000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | false |
| Target ID: | 6 |
| Start time: | 19:26:53 |
| Start date: | 26/12/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x170000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | false |
| Target ID: | 7 |
| Start time: | 19:26:56 |
| Start date: | 26/12/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x170000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | false |
| Target ID: | 8 |
| Start time: | 19:26:59 |
| Start date: | 26/12/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x170000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 11 |
| Start time: | 19:26:59 |
| Start date: | 26/12/2024 |
| Path: | C:\Windows\SysWOW64\WerFault.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x3f0000 |
| File size: | 483'680 bytes |
| MD5 hash: | C31336C1EFC2CCB44B4326EA793040F2 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 12 |
| Start time: | 19:27:02 |
| Start date: | 26/12/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x170000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 13 |
| Start time: | 19:27:02 |
| Start date: | 26/12/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x170000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | false |
| Target ID: | 14 |
| Start time: | 19:27:02 |
| Start date: | 26/12/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x170000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 15 |
| Start time: | 19:27:02 |
| Start date: | 26/12/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x170000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | false |
| Target ID: | 16 |
| Start time: | 19:27:02 |
| Start date: | 26/12/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x170000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 19 |
| Start time: | 19:27:03 |
| Start date: | 26/12/2024 |
| Path: | C:\Windows\SysWOW64\WerFault.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x3f0000 |
| File size: | 483'680 bytes |
| MD5 hash: | C31336C1EFC2CCB44B4326EA793040F2 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 20 |
| Start time: | 19:27:03 |
| Start date: | 26/12/2024 |
| Path: | C:\Windows\SysWOW64\WerFault.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x3f0000 |
| File size: | 483'680 bytes |
| MD5 hash: | C31336C1EFC2CCB44B4326EA793040F2 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
Execution Graph
| Execution Coverage: | 5% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 10.1% |
| Total number of Nodes: | 1245 |
| Total number of Limit Nodes: | 30 |
Graph
Function 6CC7B0C0 Relevance: 93.1, APIs: 49, Strings: 4, Instructions: 335sleepstringsynchronizationCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC7ACA0 Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 200registrystringnetworkCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC76510 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 54filememoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC8A4DE Relevance: .0, Instructions: 30COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC746F0 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 99sleepfilestringCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC767E0 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 187registryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC7B9E0 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 84synchronizationCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC7BBE0 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 53registrysleepCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC8A051 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 78COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC727B0 Relevance: 4.6, APIs: 3, Instructions: 79memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC72890 Relevance: 4.6, APIs: 3, Instructions: 76memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC86CBF Relevance: 4.6, APIs: 3, Instructions: 51threadCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC79BA0 Relevance: 4.5, APIs: 3, Instructions: 36COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC72710 Relevance: 3.8, APIs: 3, Instructions: 73COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC726A0 Relevance: 3.8, APIs: 3, Instructions: 48COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC8B8DD Relevance: 3.1, APIs: 2, Instructions: 66COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC86B61 Relevance: 3.0, APIs: 2, Instructions: 38threadCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC89FA6 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC89808 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC7B680 Relevance: 1.5, APIs: 1, Instructions: 14COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC75450 Relevance: 78.9, APIs: 30, Strings: 15, Instructions: 196libraryloaderstringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC795D0 Relevance: 73.8, APIs: 39, Strings: 3, Instructions: 296stringmemoryprocessCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC78680 Relevance: 63.3, APIs: 34, Strings: 2, Instructions: 320memorystringserviceCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC79310 Relevance: 45.7, APIs: 25, Strings: 1, Instructions: 190sleepwindowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC77590 Relevance: 33.2, APIs: 22, Instructions: 209clipboardkeyboardthreadCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC75760 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 189sleepshutdownCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC76010 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 199filestringtimeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC738E0 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 144filestringCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC73640 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 80fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC7A7A0 Relevance: 16.7, APIs: 11, Instructions: 210sleepsynchronizationwindowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC74DA0 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 158registrystringprocessCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC73460 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 136stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC73EF0 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 86servicesleepCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC79C70 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 50processstringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC8C2C5 Relevance: 9.2, APIs: 6, Instructions: 195fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC74FF0 Relevance: 4.6, APIs: 3, Instructions: 118COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC8E6F0 Relevance: 3.5, APIs: 2, Instructions: 452COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC7C9B0 Relevance: 2.2, Strings: 1, Instructions: 907COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC879A4 Relevance: 1.5, Strings: 1, Instructions: 217COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC7BF50 Relevance: .7, Instructions: 733COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC80450 Relevance: .4, Instructions: 402COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC81D10 Relevance: .4, Instructions: 368COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC7FD50 Relevance: .2, Instructions: 190COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC92058 Relevance: .1, Instructions: 105COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC91F34 Relevance: .1, Instructions: 82COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC8A524 Relevance: .0, Instructions: 23COMMONLIBRARYCODE
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC799E0 Relevance: 31.6, APIs: 17, Strings: 1, Instructions: 142stringthreadmemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC78D30 Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 207pipesleepprocessCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC73190 Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 193registrystringprocessCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC79030 Relevance: 27.1, APIs: 18, Instructions: 64pipethreadsynchronizationCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC7A1F0 Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 109windowlibraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC7B7B0 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 102sleepsynchronizationregistryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC74050 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 190registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC75C98 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 145stringfileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC75CE0 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 109stringfileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC71390 Relevance: 18.1, APIs: 12, Instructions: 69synchronizationnetworkCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC74890 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 125sleepsynchronizationmemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC765C0 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 119filememorystringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC77A20 Relevance: 16.6, APIs: 11, Instructions: 90keyboardwindowsleepCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC74490 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 96synchronizationCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC76E10 Relevance: 15.2, APIs: 10, Instructions: 200registrymemoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC89A90 Relevance: 15.1, APIs: 10, Instructions: 70COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC7AA20 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 176windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC762E0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 106stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC74BA0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 77synchronizationCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC72140 Relevance: 13.6, APIs: 9, Instructions: 149synchronizationsleepCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC724C0 Relevance: 13.6, APIs: 9, Instructions: 107threadsynchronizationCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC77FB7 Relevance: 13.6, APIs: 9, Instructions: 83COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC77FD0 Relevance: 13.6, APIs: 9, Instructions: 59COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC74A80 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 71synchronizationCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC771B0 Relevance: 12.1, APIs: 8, Instructions: 135synchronizationCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC73740 Relevance: 10.6, APIs: 7, Instructions: 90stringfilememoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC75160 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 70synchronizationCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC71110 Relevance: 10.6, APIs: 7, Instructions: 66windowsynchronizationCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC76460 Relevance: 10.6, APIs: 7, Instructions: 57fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC7B950 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 47synchronizationCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC7BAE0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 57processCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC889D2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 31libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC77880 Relevance: 7.6, APIs: 5, Instructions: 140sleepmemorysynchronizationCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC78560 Relevance: 7.6, APIs: 5, Instructions: 93windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC723B0 Relevance: 7.6, APIs: 5, Instructions: 91COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC79DF0 Relevance: 7.5, APIs: 5, Instructions: 47threadCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC71D90 Relevance: 7.5, APIs: 5, Instructions: 29sleepCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC76AF0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 79registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC75B38 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 78processCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC75280 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64synchronizationCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC74600 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60synchronizationCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC8AF24 Relevance: 6.3, APIs: 4, Instructions: 321COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC8BF33 Relevance: 6.1, APIs: 4, Instructions: 86COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC7A5F0 Relevance: 6.0, APIs: 4, Instructions: 32windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC89349 Relevance: 6.0, APIs: 4, Instructions: 19COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC74CE0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70processCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC72E1D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27filestringCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|