Windows
Analysis Report
3vLKNycnrz.exe
Overview
General Information
Sample name: | 3vLKNycnrz.exerenamed because original name is a hash value |
Original sample name: | 78b4d3e1df367155161b0ca24d08b157.exe |
Analysis ID: | 1581190 |
MD5: | 78b4d3e1df367155161b0ca24d08b157 |
SHA1: | e0b63eb3c6858c7cb8e3754b67264b8a861b1d86 |
SHA256: | 10c9f5d51b36a62a32560a1e9912a28c781f9723fa23c2f778a86e8e94aef2fb |
Tags: | exeLummaStealeruser-abuse_ch |
Infos: | |
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
3vLKNycnrz.exe (PID: 7360 cmdline:
"C:\Users\ user\Deskt op\3vLKNyc nrz.exe" MD5: 78B4D3E1DF367155161B0CA24D08B157) 3vLKNycnrz.exe (PID: 7452 cmdline:
"C:\Users\ user\Deskt op\3vLKNyc nrz.exe" MD5: 78B4D3E1DF367155161B0CA24D08B157)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. | No Attribution |
{
"C2 url": [
"sordid-snaked.cyou",
"effecterectz.xyz",
"awake-weaves.cyou",
"debonairnukk.xyz",
"peelyitemsn.click",
"immureprech.biz",
"deafeninggeh.biz",
"diffuculttan.xyz",
"wrathful-jammy.cyou"
],
"Build id": "Lb9dkQ--Jora"
}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security | ||
Click to see the 1 entries |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-27T08:13:07.399283+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49706 | 104.21.62.151 | 443 | TCP |
2024-12-27T08:13:09.017586+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49707 | 104.21.62.151 | 443 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-27T08:13:08.134997+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.8 | 49706 | 104.21.62.151 | 443 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-27T08:13:08.134997+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.8 | 49706 | 104.21.62.151 | 443 | TCP |
- • AV Detection
- • Compliance
- • Software Vulnerabilities
- • Networking
- • Key, Mouse, Clipboard, Microphone and Screen Capturing
- • System Summary
- • Data Obfuscation
- • Hooking and other Techniques for Hiding and Protection
- • Malware Analysis System Evasion
- • Anti Debugging
- • HIPS / PFW / Operating System Protection Evasion
- • Language, Device and Operating System Detection
- • Stealing of Sensitive Information
- • Remote Access Functionality
Click to jump to signature section
AV Detection |
---|
Source: | Malware Configuration Extractor: |
Source: | ReversingLabs: | |||
Source: | Virustotal: | Perma Link |
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: |
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: |
Source: | Static PE information: |
Source: | HTTPS traffic detected: |
Source: | Static PE information: |
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: |
Source: | Code function: | 2_2_0043A320 | |
Source: | Code function: | 2_2_0043CCE0 | |
Source: | Code function: | 2_2_0040BD61 | |
Source: | Code function: | 2_2_00427040 | |
Source: | Code function: | 2_2_0040D076 | |
Source: | Code function: | 2_2_00429820 | |
Source: | Code function: | 2_2_004230D0 | |
Source: | Code function: | 2_2_004230D0 | |
Source: | Code function: | 2_2_004230D0 | |
Source: | Code function: | 2_2_0043A8FB | |
Source: | Code function: | 2_2_0041709A | |
Source: | Code function: | 2_2_0043D8A0 | |
Source: | Code function: | 2_2_0041895F | |
Source: | Code function: | 2_2_0041895F | |
Source: | Code function: | 2_2_0041895F | |
Source: | Code function: | 2_2_00428160 | |
Source: | Code function: | 2_2_0042A96A | |
Source: | Code function: | 2_2_0042A972 | |
Source: | Code function: | 2_2_0042A972 | |
Source: | Code function: | 2_2_0040D1C7 | |
Source: | Code function: | 2_2_0040D1C7 | |
Source: | Code function: | 2_2_0041F990 | |
Source: | Code function: | 2_2_0041CA02 | |
Source: | Code function: | 2_2_0041CA19 | |
Source: | Code function: | 2_2_00408230 | |
Source: | Code function: | 2_2_004212C0 | |
Source: | Code function: | 2_2_0040E2CF | |
Source: | Code function: | 2_2_004162D6 | |
Source: | Code function: | 2_2_004142E0 | |
Source: | Code function: | 2_2_00432A90 | |
Source: | Code function: | 2_2_0043CA90 | |
Source: | Code function: | 2_2_00439340 | |
Source: | Code function: | 2_2_00439340 | |
Source: | Code function: | 2_2_00439340 | |
Source: | Code function: | 2_2_00429360 | |
Source: | Code function: | 2_2_00438B00 | |
Source: | Code function: | 2_2_004263C1 | |
Source: | Code function: | 2_2_0043B3E5 | |
Source: | Code function: | 2_2_004223EF | |
Source: | Code function: | 2_2_00423386 | |
Source: | Code function: | 2_2_00423386 | |
Source: | Code function: | 2_2_0040E39C | |
Source: | Code function: | 2_2_00427C3A | |
Source: | Code function: | 2_2_0042843A | |
Source: | Code function: | 2_2_0040E39C | |
Source: | Code function: | 2_2_00435CA0 | |
Source: | Code function: | 2_2_0040D555 | |
Source: | Code function: | 2_2_00422D70 | |
Source: | Code function: | 2_2_00422D70 | |
Source: | Code function: | 2_2_00422D70 | |
Source: | Code function: | 2_2_00428D00 | |
Source: | Code function: | 2_2_0043BD10 | |
Source: | Code function: | 2_2_0040A539 | |
Source: | Code function: | 2_2_00415538 | |
Source: | Code function: | 2_2_004365C0 | |
Source: | Code function: | 2_2_0041C5E0 | |
Source: | Code function: | 2_2_0041C5E0 | |
Source: | Code function: | 2_2_00414DB0 | |
Source: | Code function: | 2_2_00408E70 | |
Source: | Code function: | 2_2_00426608 | |
Source: | Code function: | 2_2_0043CE10 | |
Source: | Code function: | 2_2_00426E19 | |
Source: | Code function: | 2_2_00419620 | |
Source: | Code function: | 2_2_0040C6E5 | |
Source: | Code function: | 2_2_0040C6E5 | |
Source: | Code function: | 2_2_00429EF8 | |
Source: | Code function: | 2_2_0040DE8A | |
Source: | Code function: | 2_2_00438EB0 | |
Source: | Code function: | 2_2_0040CF45 | |
Source: | Code function: | 2_2_00438F60 | |
Source: | Code function: | 2_2_00414713 | |
Source: | Code function: | 2_2_00414713 | |
Source: | Code function: | 2_2_00414713 | |
Source: | Code function: | 2_2_0041B7C6 | |
Source: | Code function: | 2_2_0042B7AD | |
Source: | Code function: | 2_2_0042B7AD | |
Source: | Code function: | 2_2_0040D7B4 | |
Source: | Code function: | 2_2_0040D7B4 | |
Source: | Code function: | 2_2_0040D7B4 |
Networking |
---|
Source: | Suricata IDS: | ||
Source: | Suricata IDS: |
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: |
Source: | ASN Name: |
Source: | JA3 fingerprint: |
Source: | Suricata IDS: | ||
Source: | Suricata IDS: |
Source: | HTTP traffic detected: |
Source: | UDP traffic detected without corresponding DNS query: |
Source: | DNS traffic detected: |
Source: | HTTP traffic detected: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: |
Source: | HTTPS traffic detected: |
Source: | Code function: | 2_2_00430740 |
Source: | Code function: | 2_2_00430740 |
Source: | Code function: | 0_2_03292B30 | |
Source: | Code function: | 0_2_03292B29 |
Source: | Code function: | 0_2_032975F0 | |
Source: | Code function: | 0_2_03293A28 | |
Source: | Code function: | 0_2_0609A678 | |
Source: | Code function: | 0_2_06099430 | |
Source: | Code function: | 0_2_0609BFDB | |
Source: | Code function: | 0_2_06095659 | |
Source: | Code function: | 0_2_06095668 | |
Source: | Code function: | 0_2_0609A66A | |
Source: | Code function: | 0_2_06095667 | |
Source: | Code function: | 0_2_06095081 | |
Source: | Code function: | 0_2_060950AF | |
Source: | Code function: | 0_2_060950C0 | |
Source: | Code function: | 0_2_06095BEA | |
Source: | Code function: | 0_2_06095BF8 | |
Source: | Code function: | 0_2_06C8E758 | |
Source: | Code function: | 0_2_06C70040 | |
Source: | Code function: | 0_2_06C70007 | |
Source: | Code function: | 2_2_0040A970 | |
Source: | Code function: | 2_2_0040CAAA | |
Source: | Code function: | 2_2_00408620 | |
Source: | Code function: | 2_2_0040B63E | |
Source: | Code function: | 2_2_00422040 | |
Source: | Code function: | 2_2_00408850 | |
Source: | Code function: | 2_2_00436850 | |
Source: | Code function: | 2_2_00416856 | |
Source: | Code function: | 2_2_0043C060 | |
Source: | Code function: | 2_2_00425070 | |
Source: | Code function: | 2_2_00422022 | |
Source: | Code function: | 2_2_0043D030 | |
Source: | Code function: | 2_2_004370C2 | |
Source: | Code function: | 2_2_004350C0 | |
Source: | Code function: | 2_2_004230D0 | |
Source: | Code function: | 2_2_0041709A | |
Source: | Code function: | 2_2_0043D8A0 | |
Source: | Code function: | 2_2_00403940 | |
Source: | Code function: | 2_2_0041895F | |
Source: | Code function: | 2_2_0042A96A | |
Source: | Code function: | 2_2_00405970 | |
Source: | Code function: | 2_2_00417971 | |
Source: | Code function: | 2_2_0042A972 | |
Source: | Code function: | 2_2_0042717D | |
Source: | Code function: | 2_2_00409100 | |
Source: | Code function: | 2_2_00435930 | |
Source: | Code function: | 2_2_0043C130 | |
Source: | Code function: | 2_2_0040D1C7 | |
Source: | Code function: | 2_2_0042B9CD | |
Source: | Code function: | 2_2_004061D0 | |
Source: | Code function: | 2_2_0042698C | |
Source: | Code function: | 2_2_0041F990 | |
Source: | Code function: | 2_2_004219A3 | |
Source: | Code function: | 2_2_004249BC | |
Source: | Code function: | 2_2_0041BF2B | |
Source: | Code function: | 2_2_00422250 | |
Source: | Code function: | 2_2_004342C3 | |
Source: | Code function: | 2_2_004212C0 | |
Source: | Code function: | 2_2_004162D6 | |
Source: | Code function: | 2_2_004142E0 | |
Source: | Code function: | 2_2_004042F0 | |
Source: | Code function: | 2_2_00417AFA | |
Source: | Code function: | 2_2_00434A93 | |
Source: | Code function: | 2_2_0043D2B0 | |
Source: | Code function: | 2_2_0042BABA | |
Source: | Code function: | 2_2_00439340 | |
Source: | Code function: | 2_2_00411357 | |
Source: | Code function: | 2_2_0042335E | |
Source: | Code function: | 2_2_0041BB70 | |
Source: | Code function: | 2_2_0042BB03 | |
Source: | Code function: | 2_2_00438B00 | |
Source: | Code function: | 2_2_0042BB12 | |
Source: | Code function: | 2_2_00435320 | |
Source: | Code function: | 2_2_00423386 | |
Source: | Code function: | 2_2_00402BA0 | |
Source: | Code function: | 2_2_00407440 | |
Source: | Code function: | 2_2_00416C7C | |
Source: | Code function: | 2_2_00404C20 | |
Source: | Code function: | 2_2_00421CCF | |
Source: | Code function: | 2_2_00427CD4 | |
Source: | Code function: | 2_2_0043C490 | |
Source: | Code function: | 2_2_00435CA0 | |
Source: | Code function: | 2_2_00409560 | |
Source: | Code function: | 2_2_00422D70 | |
Source: | Code function: | 2_2_0043BD10 | |
Source: | Code function: | 2_2_0041E520 | |
Source: | Code function: | 2_2_00415538 | |
Source: | Code function: | 2_2_00425DC1 | |
Source: | Code function: | 2_2_0041CDF0 | |
Source: | Code function: | 2_2_00420590 | |
Source: | Code function: | 2_2_0043D590 | |
Source: | Code function: | 2_2_0041D5A0 | |
Source: | Code function: | 2_2_00417DA0 | |
Source: | Code function: | 2_2_00406660 | |
Source: | Code function: | 2_2_00408E70 | |
Source: | Code function: | 2_2_0043BE00 | |
Source: | Code function: | 2_2_00419620 | |
Source: | Code function: | 2_2_0042262A | |
Source: | Code function: | 2_2_00405E30 | |
Source: | Code function: | 2_2_0042A63F | |
Source: | Code function: | 2_2_0042CECB | |
Source: | Code function: | 2_2_00420EE0 | |
Source: | Code function: | 2_2_00411E90 | |
Source: | Code function: | 2_2_0042A69A | |
Source: | Code function: | 2_2_0040AEB0 | |
Source: | Code function: | 2_2_00402F40 | |
Source: | Code function: | 2_2_00438F60 | |
Source: | Code function: | 2_2_0041077E | |
Source: | Code function: | 2_2_00414713 | |
Source: | Code function: | 2_2_0041BF2B | |
Source: | Code function: | 2_2_0042673E | |
Source: | Code function: | 2_2_00408780 | |
Source: | Code function: | 2_2_0043B781 | |
Source: | Code function: | 2_2_00433798 | |
Source: | Code function: | 2_2_0043BFA0 |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Static PE information: |
Source: | Cryptographic APIs: | ||
Source: | Cryptographic APIs: |
Source: | Task registration methods: | ||
Source: | Task registration methods: | ||
Source: | Task registration methods: | ||
Source: | Task registration methods: |
Source: | Base64 encoded string: |
Source: | Security API names: | ||
Source: | Security API names: | ||
Source: | Security API names: | ||
Source: | Security API names: | ||
Source: | Security API names: | ||
Source: | Security API names: |
Source: | Classification label: |
Source: | Code function: | 2_2_0042CAFB |
Source: | Mutant created: | ||
Source: | Mutant created: |
Source: | Static PE information: |
Source: | Static file information: |
Source: | Key opened: | Jump to behavior |
Source: | ReversingLabs: | ||
Source: | Virustotal: |
Source: | File read: | Jump to behavior |
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | Jump to behavior |
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Source: | File opened: | Jump to behavior |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static file information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: |
Data Obfuscation |
---|
Source: | .Net Code: | ||
Source: | .Net Code: | ||
Source: | .Net Code: | ||
Source: | .Net Code: | ||
Source: | .Net Code: | ||
Source: | .Net Code: | ||
Source: | .Net Code: | ||
Source: | .Net Code: |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | Code function: | 0_2_0329C479 | |
Source: | Code function: | 0_2_06C76DAF | |
Source: | Code function: | 2_2_0044184D | |
Source: | Code function: | 2_2_00442A55 | |
Source: | Code function: | 2_2_0043BCA2 | |
Source: | Code function: | 2_2_00441E89 | |
Source: | Code function: | 2_2_00438EBF |
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior |
Malware Analysis System Evasion |
---|
Source: | File source: |
Source: | Binary or memory string: |
Source: | Memory allocated: | Jump to behavior | ||
Source: | Memory allocated: | Jump to behavior | ||
Source: | Memory allocated: | Jump to behavior |
Source: | Thread sleep time: | Jump to behavior |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Process information queried: | Jump to behavior |
Anti Debugging |
---|
Source: | Code function: | 0_2_03291320 |
Source: | Process queried: | Jump to behavior |
Source: | Code function: | 2_2_0043A5B0 |
Source: | Process token adjusted: | Jump to behavior | ||
Source: | Process token adjusted: | Jump to behavior |
Source: | Memory allocated: | Jump to behavior |
HIPS / PFW / Operating System Protection Evasion |
---|
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | Process created: | Jump to behavior |
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Stealing of Sensitive Information |
---|
Source: | File source: | ||
Source: | File source: |
Remote Access Functionality |
---|
Source: | File source: | ||
Source: | File source: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 11 Process Injection | 3 Virtualization/Sandbox Evasion | OS Credential Dumping | 211 Security Software Discovery | Remote Services | 11 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | 1 PowerShell | 1 DLL Side-Loading | 1 Scheduled Task/Job | 1 Disable or Modify Tools | LSASS Memory | 3 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 2 Clipboard Data | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 11 Process Injection | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 113 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 111 Deobfuscate/Decode Files or Information | NTDS | 12 System Information Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 31 Obfuscated Files or Information | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Software Packing | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
57% | Virustotal | Browse | ||
53% | ReversingLabs | Win32.Trojan.Lumma | ||
100% | Joe Sandbox ML |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
peelyitemsn.click | 104.21.62.151 | true | true | unknown |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
true |
| unknown | |
false | high | ||
false | high | ||
false | high | ||
true |
| unknown | |
false | high | ||
false | high | ||
false | high | ||
false | high | ||
false | high |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false |
| unknown | ||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false |
| unknown | ||
false | high | |||
false | high | |||
false |
| unknown | ||
false |
| unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
104.21.62.151 | peelyitemsn.click | United States | 13335 | CLOUDFLARENETUS | true |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1581190 |
Start date and time: | 2024-12-27 08:12:09 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 4m 6s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 3 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | 3vLKNycnrz.exerenamed because original name is a hash value |
Original Sample Name: | 78b4d3e1df367155161b0ca24d08b157.exe |
Detection: | MAL |
Classification: | mal100.troj.evad.winEXE@3/0@1/1 |
EGA Information: |
|
HCA Information: |
|
Cookbook Comments: |
|
- Exclude process from analysis
(whitelisted): dllhost.exe - Report size getting too big, t
oo many NtAllocateVirtualMemor y calls found. - Report size getting too big, t
oo many NtOpenKeyEx calls foun d. - Report size getting too big, t
oo many NtProtectVirtualMemory calls found. - Report size getting too big, t
oo many NtQueryValueKey calls found.
Time | Type | Description |
---|---|---|
02:13:07 | API Interceptor |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
104.21.62.151 | Get hash | malicious | Unknown | Browse | ||
Get hash | malicious | Unknown | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
CLOUDFLARENETUS | Get hash | malicious | Vidar | Browse |
| |
Get hash | malicious | Vidar | Browse |
| ||
Get hash | malicious | Vidar | Browse |
| ||
Get hash | malicious | Vidar | Browse |
| ||
Get hash | malicious | CredGrabber, Meduza Stealer | Browse |
| ||
Get hash | malicious | CredGrabber, Meduza Stealer | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | LummaC | Browse |
| ||
Get hash | malicious | LummaC | Browse |
| ||
Get hash | malicious | LummaC | Browse |
|
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
a0e9f5d64349fb13191bc781f81f42e1 | Get hash | malicious | LummaC | Browse |
| |
Get hash | malicious | LummaC | Browse |
| ||
Get hash | malicious | LummaC | Browse |
| ||
Get hash | malicious | LummaC | Browse |
| ||
Get hash | malicious | Gozi, Ursnif | Browse |
| ||
Get hash | malicious | NetSupport RAT, LummaC, LummaC Stealer | Browse |
| ||
Get hash | malicious | LummaC | Browse |
| ||
Get hash | malicious | LummaC | Browse |
| ||
Get hash | malicious | LummaC | Browse |
| ||
Get hash | malicious | LummaC | Browse |
|
File type: | |
Entropy (8bit): | 7.807765755196678 |
TrID: |
|
File name: | 3vLKNycnrz.exe |
File size: | 3'635'712 bytes |
MD5: | 78b4d3e1df367155161b0ca24d08b157 |
SHA1: | e0b63eb3c6858c7cb8e3754b67264b8a861b1d86 |
SHA256: | 10c9f5d51b36a62a32560a1e9912a28c781f9723fa23c2f778a86e8e94aef2fb |
SHA512: | d78bbd14cfd7b6af5f13e8d40072963d36a2d9059e586d3837e476f25d458056d44ff3a25713139f83d7f550861c213dc9ac7a1e18335069f10d656380ed4a06 |
SSDEEP: | 98304:E3CrFD9UPyyHBhwPFiVupq1ME+2KPv193iD:E38B948FB6M2KHji |
TLSH: | A2F5F1B4AFEC9FC4E77C667EC3E128355139905818B7E32729485ABC0549BB0E38D61E |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....2ag.................p7...........7.. ........@.. ........................7...........`................................ |
Icon Hash: | 00928e8e8686b000 |
Entrypoint: | 0x778dfe |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x6761321C [Tue Dec 17 08:11:08 2024 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | f34d5f2d4577ed6d9ceec516c1f5a744 |
Instruction |
---|
jmp dword ptr [00402000h] |
aaa |
test dword ptr [ecx], ebx |
rol byte ptr [eax], 1 |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x378dac | 0x4f | .text |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x37a000 | 0x600 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x37c000 | 0xc | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x2000 | 0x376e08 | 0x377000 | 2c7f957da1b8f2dbce38b2a8835b1272 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rsrc | 0x37a000 | 0x600 | 0x600 | 9edb7b38ba1086eb179db3a2760060de | False | 0.408203125 | data | 3.986737529851491 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x37c000 | 0xc | 0x200 | 4304d922d1d1d01b3bcd855cce4612af | False | 0.041015625 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_VERSION | 0x37a0a0 | 0x2ec | data | 0.4344919786096257 | ||
RT_MANIFEST | 0x37a38c | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | 0.5489795918367347 |
DLL | Import |
---|---|
mscoree.dll | _CorExeMain |
Download Network PCAP: filtered – full
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-27T08:13:07.399283+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49706 | 104.21.62.151 | 443 | TCP |
2024-12-27T08:13:08.134997+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.8 | 49706 | 104.21.62.151 | 443 | TCP |
2024-12-27T08:13:08.134997+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.8 | 49706 | 104.21.62.151 | 443 | TCP |
2024-12-27T08:13:09.017586+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49707 | 104.21.62.151 | 443 | TCP |
- Total Packets: 15
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Dec 27, 2024 08:13:05.765031099 CET | 49706 | 443 | 192.168.2.8 | 104.21.62.151 |
Dec 27, 2024 08:13:05.765065908 CET | 443 | 49706 | 104.21.62.151 | 192.168.2.8 |
Dec 27, 2024 08:13:05.765147924 CET | 49706 | 443 | 192.168.2.8 | 104.21.62.151 |
Dec 27, 2024 08:13:05.771680117 CET | 49706 | 443 | 192.168.2.8 | 104.21.62.151 |
Dec 27, 2024 08:13:05.771692038 CET | 443 | 49706 | 104.21.62.151 | 192.168.2.8 |
Dec 27, 2024 08:13:07.399205923 CET | 443 | 49706 | 104.21.62.151 | 192.168.2.8 |
Dec 27, 2024 08:13:07.399282932 CET | 49706 | 443 | 192.168.2.8 | 104.21.62.151 |
Dec 27, 2024 08:13:07.402235985 CET | 49706 | 443 | 192.168.2.8 | 104.21.62.151 |
Dec 27, 2024 08:13:07.402241945 CET | 443 | 49706 | 104.21.62.151 | 192.168.2.8 |
Dec 27, 2024 08:13:07.402578115 CET | 443 | 49706 | 104.21.62.151 | 192.168.2.8 |
Dec 27, 2024 08:13:07.446098089 CET | 49706 | 443 | 192.168.2.8 | 104.21.62.151 |
Dec 27, 2024 08:13:07.455682039 CET | 49706 | 443 | 192.168.2.8 | 104.21.62.151 |
Dec 27, 2024 08:13:07.455781937 CET | 49706 | 443 | 192.168.2.8 | 104.21.62.151 |
Dec 27, 2024 08:13:07.455791950 CET | 443 | 49706 | 104.21.62.151 | 192.168.2.8 |
Dec 27, 2024 08:13:08.134979010 CET | 443 | 49706 | 104.21.62.151 | 192.168.2.8 |
Dec 27, 2024 08:13:08.135082006 CET | 443 | 49706 | 104.21.62.151 | 192.168.2.8 |
Dec 27, 2024 08:13:08.135171890 CET | 49706 | 443 | 192.168.2.8 | 104.21.62.151 |
Dec 27, 2024 08:13:08.137268066 CET | 49706 | 443 | 192.168.2.8 | 104.21.62.151 |
Dec 27, 2024 08:13:08.137281895 CET | 443 | 49706 | 104.21.62.151 | 192.168.2.8 |
Dec 27, 2024 08:13:08.148371935 CET | 49707 | 443 | 192.168.2.8 | 104.21.62.151 |
Dec 27, 2024 08:13:08.148425102 CET | 443 | 49707 | 104.21.62.151 | 192.168.2.8 |
Dec 27, 2024 08:13:08.148494959 CET | 49707 | 443 | 192.168.2.8 | 104.21.62.151 |
Dec 27, 2024 08:13:08.148742914 CET | 49707 | 443 | 192.168.2.8 | 104.21.62.151 |
Dec 27, 2024 08:13:08.148761988 CET | 443 | 49707 | 104.21.62.151 | 192.168.2.8 |
Dec 27, 2024 08:13:09.017585993 CET | 49707 | 443 | 192.168.2.8 | 104.21.62.151 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Dec 27, 2024 08:13:05.187879086 CET | 51779 | 53 | 192.168.2.8 | 1.1.1.1 |
Dec 27, 2024 08:13:05.507018089 CET | 53 | 51779 | 1.1.1.1 | 192.168.2.8 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Dec 27, 2024 08:13:05.187879086 CET | 192.168.2.8 | 1.1.1.1 | 0xecf | Standard query (0) | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Dec 27, 2024 08:13:05.507018089 CET | 1.1.1.1 | 192.168.2.8 | 0xecf | No error (0) | 104.21.62.151 | A (IP address) | IN (0x0001) | false | ||
Dec 27, 2024 08:13:05.507018089 CET | 1.1.1.1 | 192.168.2.8 | 0xecf | No error (0) | 172.67.136.183 | A (IP address) | IN (0x0001) | false |
|
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.8 | 49706 | 104.21.62.151 | 443 | 7452 | C:\Users\user\Desktop\3vLKNycnrz.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-27 07:13:07 UTC | 264 | OUT | |
2024-12-27 07:13:07 UTC | 8 | OUT | |
2024-12-27 07:13:08 UTC | 1132 | IN | |
2024-12-27 07:13:08 UTC | 7 | IN | |
2024-12-27 07:13:08 UTC | 5 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
Target ID: | 0 |
Start time: | 02:13:02 |
Start date: | 27/12/2024 |
Path: | C:\Users\user\Desktop\3vLKNycnrz.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xd60000 |
File size: | 3'635'712 bytes |
MD5 hash: | 78B4D3E1DF367155161B0CA24D08B157 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | low |
Has exited: | true |
Target ID: | 2 |
Start time: | 02:13:03 |
Start date: | 27/12/2024 |
Path: | C:\Users\user\Desktop\3vLKNycnrz.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xb10000 |
File size: | 3'635'712 bytes |
MD5 hash: | 78B4D3E1DF367155161B0CA24D08B157 |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Execution Graph
Execution Coverage
Dynamic/Packed Code Coverage
Signature Coverage
Execution Coverage: | 8.7% |
Dynamic/Decrypted Code Coverage: | 100% |
Signature Coverage: | 22.9% |
Total number of Nodes: | 48 |
Total number of Limit Nodes: | 2 |
Graph
Control-flow Graph
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Execution Graph
Execution Coverage
Dynamic/Packed Code Coverage
Signature Coverage
Execution Coverage: | 3.1% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 27.1% |
Total number of Nodes: | 59 |
Total number of Limit Nodes: | 2 |
Graph
Control-flow Graph
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|