Edit tour

Windows Analysis Report
LZUCldA1ro.exe

Overview

General Information

Sample name:	LZUCldA1ro.exe
Analysis ID:	1584671
MD5:	801b1a0d107611d7467df2470f1cd20f
SHA1:	e2ea349f9ab2a9f0f492024266351350d3563e3c
SHA256:	58f0cc4abe20d42c84ea7bd1287e5fd4ce6f888a20f49073d80329d5b7804858
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains very large array initializations

Found many strings related to Crypto-Wallets (likely being stolen)

Found potential dummy code loops (likely to delay analysis)

Machine Learning detection for sample

Queries memory information (via WMI often done to detect virtual machines)

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Tries to harvest and steal Bitcoin Wallet information

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Potential time zone aware malware

Program does not show much activity (idle)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64native

LZUCldA1ro.exe (PID: 6696 cmdline: "C:\Users\user\Desktop\LZUCldA1ro.exe" MD5: 801B1A0D107611D7467DF2470F1CD20F)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.2319201596194.0000000002DBF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: LZUCldA1ro.exe PID: 6696	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-06T07:57:27.375858+0100	2028371	3	Unknown Traffic	192.168.11.30	50116	23.45.46.210	443	TCP
2025-01-06T07:58:30.893804+0100	2028371	3	Unknown Traffic	192.168.11.30	50120	23.45.46.210	443	TCP

ET MALWARE Generic AsyncRAT Style SSL Cert

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-06T07:57:29.587384+0100	2035595	1	Domain Observed Used for C2 Detected	207.231.107.137	56001	192.168.11.30	50117	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: LZUCldA1ro.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: LZUCldA1ro.exe	Virustotal: Detection: 70%			Perma Link
Source: LZUCldA1ro.exe	ReversingLabs: Detection: 63%

Machine Learning detection for sample

Source: LZUCldA1ro.exe

Joe Sandbox ML: detected

Source: LZUCldA1ro.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: LZUCldA1ro.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 207.231.107.137:56001 -> 192.168.11.30:50117

Source: global traffic

TCP traffic: 192.168.11.30:50117 -> 207.231.107.137:56001

Source: Joe Sandbox View

ASN Name: AS40676US AS40676US

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.30:50120 -> 23.45.46.210:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.30:50116 -> 23.45.46.210:443

Source: unknown	TCP traffic detected without corresponding DNS query: 207.231.107.137
Source: unknown	TCP traffic detected without corresponding DNS query: 207.231.107.137
Source: unknown	TCP traffic detected without corresponding DNS query: 207.231.107.137
Source: unknown	TCP traffic detected without corresponding DNS query: 207.231.107.137
Source: unknown	TCP traffic detected without corresponding DNS query: 207.231.107.137
Source: unknown	TCP traffic detected without corresponding DNS query: 207.231.107.137
Source: unknown	TCP traffic detected without corresponding DNS query: 207.231.107.137
Source: unknown	TCP traffic detected without corresponding DNS query: 207.231.107.137
Source: unknown	TCP traffic detected without corresponding DNS query: 207.231.107.137
Source: unknown	TCP traffic detected without corresponding DNS query: 207.231.107.137
Source: unknown	TCP traffic detected without corresponding DNS query: 207.231.107.137
Source: unknown	TCP traffic detected without corresponding DNS query: 207.231.107.137
Source: unknown	TCP traffic detected without corresponding DNS query: 207.231.107.137
Source: unknown	TCP traffic detected without corresponding DNS query: 207.231.107.137
Source: unknown	TCP traffic detected without corresponding DNS query: 207.231.107.137
Source: unknown	TCP traffic detected without corresponding DNS query: 207.231.107.137
Source: unknown	TCP traffic detected without corresponding DNS query: 207.231.107.137
Source: unknown	TCP traffic detected without corresponding DNS query: 207.231.107.137
Source: unknown	TCP traffic detected without corresponding DNS query: 207.231.107.137
Source: unknown	TCP traffic detected without corresponding DNS query: 207.231.107.137
Source: unknown	TCP traffic detected without corresponding DNS query: 207.231.107.137
Source: unknown	TCP traffic detected without corresponding DNS query: 207.231.107.137
Source: unknown	TCP traffic detected without corresponding DNS query: 207.231.107.137
Source: unknown	TCP traffic detected without corresponding DNS query: 207.231.107.137
Source: unknown	TCP traffic detected without corresponding DNS query: 207.231.107.137
Source: unknown	TCP traffic detected without corresponding DNS query: 207.231.107.137
Source: unknown	TCP traffic detected without corresponding DNS query: 207.231.107.137
Source: unknown	TCP traffic detected without corresponding DNS query: 207.231.107.137
Source: unknown	TCP traffic detected without corresponding DNS query: 207.231.107.137
Source: unknown	TCP traffic detected without corresponding DNS query: 207.231.107.137
Source: unknown	TCP traffic detected without corresponding DNS query: 207.231.107.137
Source: unknown	TCP traffic detected without corresponding DNS query: 207.231.107.137
Source: unknown	TCP traffic detected without corresponding DNS query: 207.231.107.137
Source: unknown	TCP traffic detected without corresponding DNS query: 207.231.107.137
Source: unknown	TCP traffic detected without corresponding DNS query: 207.231.107.137
Source: unknown	TCP traffic detected without corresponding DNS query: 207.231.107.137
Source: unknown	TCP traffic detected without corresponding DNS query: 207.231.107.137
Source: unknown	TCP traffic detected without corresponding DNS query: 207.231.107.137
Source: unknown	TCP traffic detected without corresponding DNS query: 207.231.107.137
Source: unknown	TCP traffic detected without corresponding DNS query: 207.231.107.137
Source: unknown	TCP traffic detected without corresponding DNS query: 207.231.107.137
Source: unknown	TCP traffic detected without corresponding DNS query: 207.231.107.137
Source: unknown	TCP traffic detected without corresponding DNS query: 207.231.107.137
Source: unknown	TCP traffic detected without corresponding DNS query: 207.231.107.137
Source: unknown	TCP traffic detected without corresponding DNS query: 207.231.107.137
Source: unknown	TCP traffic detected without corresponding DNS query: 207.231.107.137
Source: unknown	TCP traffic detected without corresponding DNS query: 207.231.107.137
Source: unknown	TCP traffic detected without corresponding DNS query: 207.231.107.137
Source: unknown	TCP traffic detected without corresponding DNS query: 207.231.107.137
Source: unknown	TCP traffic detected without corresponding DNS query: 207.231.107.137

Source: LZUCldA1ro.exe, 00000002.00000002.2319206395436.00000000055B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: LZUCldA1ro.exe, 00000002.00000002.2319206395436.00000000055B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: LZUCldA1ro.exe, 00000002.00000002.2319200252637.0000000000DE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: LZUCldA1ro.exe, 00000002.00000002.2319200252637.0000000000DE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: LZUCldA1ro.exe, 00000002.00000002.2319201596194.0000000002DBF000.00000004.00000800.00020000.00000000.sdmp, LZUCldA1ro.exe, 00000002.00000002.2319201596194.00000000032A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: LZUCldA1ro.exe, 00000002.00000002.2319201596194.0000000002DBF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/DFfe9ewf/test3/raw/refs/heads/main/WebDriver.dll
Source: LZUCldA1ro.exe, 00000002.00000002.2319201596194.0000000002DBF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/DFfe9ewf/test3/raw/refs/heads/main/chromedriver.exe
Source: LZUCldA1ro.exe, 00000002.00000002.2319201596194.0000000002DBF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/DFfe9ewf/test3/raw/refs/heads/main/msedgedriver.exe
Source: LZUCldA1ro.exe, 00000002.00000002.2319201596194.0000000002DBF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: LZUCldA1ro.exe, 00000002.00000002.2319201596194.0000000002DBF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: LZUCldA1ro.exe, 00000002.00000002.2319201596194.0000000002DBF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354rCannot

System Summary

.NET source code contains very large array initializations

Source: LZUCldA1ro.exe, FilteredPolicy.cs

Large array initialization: ImplementModularPolicy: array initializer size 306176

Source: C:\Users\user\Desktop\LZUCldA1ro.exe

Process Stats: CPU usage > 6%

Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Code function: 2_2_02CF47C0	2_2_02CF47C0
Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Code function: 2_2_02CF47A7	2_2_02CF47A7
Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Code function: 2_2_02CF1DC8	2_2_02CF1DC8
Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Code function: 2_2_02CF1DB8	2_2_02CF1DB8

Source: LZUCldA1ro.exe, 00000002.00000002.2319201596194.0000000002D91000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameZvnlwvfe.dll" vs LZUCldA1ro.exe
Source: LZUCldA1ro.exe, 00000002.00000002.2319204007387.0000000003E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameZvnlwvfe.dll" vs LZUCldA1ro.exe
Source: LZUCldA1ro.exe, 00000002.00000000.2316746868009.000000000080C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameAlrzys.exe" vs LZUCldA1ro.exe
Source: LZUCldA1ro.exe, 00000002.00000002.2319205149046.0000000005310000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameZvnlwvfe.dll" vs LZUCldA1ro.exe
Source: LZUCldA1ro.exe, 00000002.00000002.2319200252637.0000000000DAE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs LZUCldA1ro.exe
Source: LZUCldA1ro.exe	Binary or memory string: OriginalFilenameAlrzys.exe" vs LZUCldA1ro.exe

Source: LZUCldA1ro.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: LZUCldA1ro.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: LZUCldA1ro.exe, FilteredPolicy.cs	Cryptographic APIs: 'CreateDecryptor'
Source: LZUCldA1ro.exe, DefinitionRequest.cs	Cryptographic APIs: 'CreateDecryptor'
Source: LZUCldA1ro.exe, DefinitionRequest.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.spyw.evad.winEXE@1/0@0/1

Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Mutant created: \Sessions\1\BaseNamedObjects\b73b56eba7d5

Source: LZUCldA1ro.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: LZUCldA1ro.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\LZUCldA1ro.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\LZUCldA1ro.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: LZUCldA1ro.exe	Virustotal: Detection: 70%
Source: LZUCldA1ro.exe	ReversingLabs: Detection: 63%

Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Section loaded: wbemcomn.dll	Jump to behavior

Source: C:\Users\user\Desktop\LZUCldA1ro.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\LZUCldA1ro.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: LZUCldA1ro.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: LZUCldA1ro.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: LZUCldA1ro.exe, DefinitionRequest.cs

.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

Source: LZUCldA1ro.exe

Static PE information: 0xE222BDD2 [Thu Mar 23 04:47:14 2090 UTC]

Source: C:\Users\user\Desktop\LZUCldA1ro.exe

Code function: 2_2_02CF1907 push ss; iretd

2_2_02CF1912

Source: LZUCldA1ro.exe

Static PE information: section name: .text entropy: 7.874303869633843

Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries memory information (via WMI often done to detect virtual machines)

Source: C:\Users\user\Desktop\LZUCldA1ro.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_PhysicalMemory

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\Users\user\Desktop\LZUCldA1ro.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\Desktop\LZUCldA1ro.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Source: C:\Users\user\Desktop\LZUCldA1ro.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_PhysicalMemory

Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Memory allocated: 2B00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Memory allocated: 2D90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Memory allocated: 2B00000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\LZUCldA1ro.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\LZUCldA1ro.exe

Window / User API: threadDelayed 9939

Jump to behavior

Source: C:\Users\user\Desktop\LZUCldA1ro.exe TID: 7644	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\LZUCldA1ro.exe TID: 7060	Thread sleep count: 9939 > 30			Jump to behavior

Source: C:\Users\user\Desktop\LZUCldA1ro.exe

System information queried: CurrentTimeZoneInformation

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\LZUCldA1ro.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\LZUCldA1ro.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: LZUCldA1ro.exe, 00000002.00000002.2319200252637.0000000000E24000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging

Found potential dummy code loops (likely to delay analysis)

Source: C:\Users\user\Desktop\LZUCldA1ro.exe

Process Stats: CPU usage > 5% for more than 60s

Source: C:\Users\user\Desktop\LZUCldA1ro.exe

Process token adjusted: Debug

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\LZUCldA1ro.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: LZUCldA1ro.exe, 00000002.00000002.2319201596194.0000000003174000.00000004.00000800.00020000.00000000.sdmp, LZUCldA1ro.exe, 00000002.00000002.2319201596194.00000000031C4000.00000004.00000800.00020000.00000000.sdmp, LZUCldA1ro.exe, 00000002.00000002.2319201596194.0000000003124000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: LZUCldA1ro.exe, 00000002.00000002.2319201596194.0000000003174000.00000004.00000800.00020000.00000000.sdmp, LZUCldA1ro.exe, 00000002.00000002.2319201596194.00000000031C4000.00000004.00000800.00020000.00000000.sdmp, LZUCldA1ro.exe, 00000002.00000002.2319201596194.00000000030AC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager*
Source: LZUCldA1ro.exe, 00000002.00000002.2319201596194.00000000030F6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Managerh{
Source: LZUCldA1ro.exe, 00000002.00000002.2319201596194.0000000003174000.00000004.00000800.00020000.00000000.sdmp, LZUCldA1ro.exe, 00000002.00000002.2319201596194.00000000031C4000.00000004.00000800.00020000.00000000.sdmp, LZUCldA1ro.exe, 00000002.00000002.2319201596194.0000000003124000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerTe

Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Queries volume information: C:\Users\user\Desktop\LZUCldA1ro.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\LZUCldA1ro.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\LZUCldA1ro.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\LZUCldA1ro.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Found many strings related to Crypto-Wallets (likely being stolen)

Source: LZUCldA1ro.exe, 00000002.00000002.2319201596194.00000000030A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Electrum
Source: LZUCldA1ro.exe, 00000002.00000002.2319201596194.00000000030A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q com.liberty.jaxx
Source: LZUCldA1ro.exe, 00000002.00000002.2319201596194.00000000030A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q4C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: LZUCldA1ro.exe, 00000002.00000002.2319201596194.00000000030A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q1C:\Users\user\AppData\Roaming\Ethereum\keystore
Source: LZUCldA1ro.exe, 00000002.00000002.2319201596194.00000000030A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Exodus
Source: LZUCldA1ro.exe, 00000002.00000002.2319201596194.00000000030A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum
Source: LZUCldA1ro.exe, 00000002.00000002.2319201596194.00000000030A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\Desktop\LZUCldA1ro.exe

Key opened: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt

Jump to behavior

Source: Yara match	File source: 00000002.00000002.2319201596194.0000000002DBF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: LZUCldA1ro.exe PID: 6696, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	321 Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	442 Virtualization/Sandbox Evasion	LSASS Memory	521 Security Software Discovery	Remote Desktop Protocol	1 Data from Local System	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	442 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	12 Software Packing	Cached Domain Credentials	213 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
LZUCldA1ro.exe	100%	Avira	HEUR/AGEN.1323341
LZUCldA1ro.exe	70%	Virustotal		Browse
LZUCldA1ro.exe	63%	ReversingLabs	ByteCode-MSIL.Trojan.Jalapeno
LZUCldA1ro.exe	100%	Joe Sandbox ML

Name	Source	Malicious	Reputation
https://stackoverflow.com/q/14436606/23354	LZUCldA1ro.exe, 00000002.00000002.2319201596194.0000000002DBF000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/DFfe9ewf/test3/raw/refs/heads/main/WebDriver.dll	LZUCldA1ro.exe, 00000002.00000002.2319201596194.0000000002DBF000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	LZUCldA1ro.exe, 00000002.00000002.2319201596194.0000000002DBF000.00000004.00000800.00020000.00000000.sdmp, LZUCldA1ro.exe, 00000002.00000002.2319201596194.00000000032A0000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/2152978/23354rCannot	LZUCldA1ro.exe, 00000002.00000002.2319201596194.0000000002DBF000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/11564914/23354;	LZUCldA1ro.exe, 00000002.00000002.2319201596194.0000000002DBF000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/DFfe9ewf/test3/raw/refs/heads/main/chromedriver.exe	LZUCldA1ro.exe, 00000002.00000002.2319201596194.0000000002DBF000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/DFfe9ewf/test3/raw/refs/heads/main/msedgedriver.exe	LZUCldA1ro.exe, 00000002.00000002.2319201596194.0000000002DBF000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
207.231.107.137	unknown	United States		40676	AS40676US	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1584671
Start date and time:	2025-01-06 07:55:21 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 0s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2021, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Suspected VM Detection
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	LZUCldA1ro.exe
Detection:	MAL
Classification:	mal100.spyw.evad.winEXE@1/0@0/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 15 Number of non-executed functions: 4
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.190.157.12, 52.111.243.29, 204.79.197.237
Excluded domains from analysis (whitelisted): www.bing.com, assets.msn.com, login.live.com, ctldl.windowsupdate.com, nexusrules.officeapps.live.com, api.msn.com
Execution Graph export aborted for target LZUCldA1ro.exe, PID 6696 because it is empty
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
01:57:28	API Interceptor	12698272x Sleep call for process: LZUCldA1ro.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AS40676US	download.ps1	Get hash	malicious	Unknown	Browse	45.61.136.138
	download.ps1	Get hash	malicious	Unknown	Browse	45.61.136.138
	download.ps1	Get hash	malicious	Unknown	Browse	45.61.136.138
	download.ps1	Get hash	malicious	Unknown	Browse	45.61.136.138
	Fantazy.spc.elf	Get hash	malicious	Unknown	Browse	41.216.189.243
	armv6l.elf	Get hash	malicious	Mirai	Browse	23.179.122.63
	download.ps1	Get hash	malicious	Unknown	Browse	45.61.136.138
	download.ps1	Get hash	malicious	Unknown	Browse	45.61.136.138
	download.ps1	Get hash	malicious	Unknown	Browse	45.61.136.138

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.858889367025201
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	LZUCldA1ro.exe
File size:	367'104 bytes
MD5:	801b1a0d107611d7467df2470f1cd20f
SHA1:	e2ea349f9ab2a9f0f492024266351350d3563e3c
SHA256:	58f0cc4abe20d42c84ea7bd1287e5fd4ce6f888a20f49073d80329d5b7804858
SHA512:	7bd4abc2849dc9d97104e88858b15860263eec86da23b157e4a6f1978df9ea7c1ecef5c62c4187773278a73111b55b4813d6eae12c0c28bf0bdd00be967b59d3
SSDEEP:	6144:A2nXZ8Q9bZl3Y2Nzq6XGTazlqwv6gwDdxKxjFYAY2we2LR3l:A2J8Q9bZW2Nzq6qazl1ildQxjFYVeoR1
TLSH:	D674015036C99B61C00846B5CDE7D91502F2EB572A37CB2ABD8D46C00FA3792EE877C9
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....."...............0.................. ........@.. ....................................@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x45ae0e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xE222BDD2 [Thu Mar 23 04:47:14 2090 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5adc0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5c000	0x560	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5e000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x58e14	0x59000	bdef609fb0fb350f03e81cab37f1aeee	False	0.9208463175912921	data	7.874303869633843	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x5c000	0x560	0x600	ee5f09bcbbe001bb3a41934f1cd24d9f	False	0.4010416666666667	data	3.9235272008999935	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x5e000	0xc	0x200	39b3e6a587a021cee42a99289ab8dad4	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x5c0a0	0x2d4	data			0.43370165745856354
RT_MANIFEST	0x5c374	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-06T07:57:27.375858+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.11.30	50116	23.45.46.210	443	TCP
2025-01-06T07:57:29.587384+0100	2035595	ET MALWARE Generic AsyncRAT Style SSL Cert	1	207.231.107.137	56001	192.168.11.30	50117	TCP
2025-01-06T07:58:30.893804+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.11.30	50120	23.45.46.210	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 6, 2025 07:57:28.960395098 CET	50117	56001	192.168.11.30	207.231.107.137
Jan 6, 2025 07:57:29.099713087 CET	56001	50117	207.231.107.137	192.168.11.30
Jan 6, 2025 07:57:29.099956989 CET	50117	56001	192.168.11.30	207.231.107.137
Jan 6, 2025 07:57:29.100764990 CET	50117	56001	192.168.11.30	207.231.107.137
Jan 6, 2025 07:57:29.287616968 CET	56001	50117	207.231.107.137	192.168.11.30
Jan 6, 2025 07:57:29.287786007 CET	50117	56001	192.168.11.30	207.231.107.137
Jan 6, 2025 07:57:29.443008900 CET	56001	50117	207.231.107.137	192.168.11.30
Jan 6, 2025 07:57:29.443087101 CET	56001	50117	207.231.107.137	192.168.11.30
Jan 6, 2025 07:57:29.443301916 CET	50117	56001	192.168.11.30	207.231.107.137
Jan 6, 2025 07:57:29.445874929 CET	50117	56001	192.168.11.30	207.231.107.137
Jan 6, 2025 07:57:29.587383986 CET	56001	50117	207.231.107.137	192.168.11.30
Jan 6, 2025 07:57:29.634938002 CET	50117	56001	192.168.11.30	207.231.107.137
Jan 6, 2025 07:57:31.200109005 CET	50117	56001	192.168.11.30	207.231.107.137
Jan 6, 2025 07:57:31.381438017 CET	56001	50117	207.231.107.137	192.168.11.30
Jan 6, 2025 07:57:31.381692886 CET	50117	56001	192.168.11.30	207.231.107.137
Jan 6, 2025 07:57:31.569096088 CET	56001	50117	207.231.107.137	192.168.11.30
Jan 6, 2025 07:57:57.630374908 CET	50117	56001	192.168.11.30	207.231.107.137
Jan 6, 2025 07:57:57.819518089 CET	56001	50117	207.231.107.137	192.168.11.30
Jan 6, 2025 07:57:57.819856882 CET	50117	56001	192.168.11.30	207.231.107.137
Jan 6, 2025 07:57:57.960361958 CET	56001	50117	207.231.107.137	192.168.11.30
Jan 6, 2025 07:57:58.003602028 CET	50117	56001	192.168.11.30	207.231.107.137
Jan 6, 2025 07:57:58.142724991 CET	56001	50117	207.231.107.137	192.168.11.30
Jan 6, 2025 07:57:58.147351027 CET	50117	56001	192.168.11.30	207.231.107.137
Jan 6, 2025 07:57:58.335033894 CET	56001	50117	207.231.107.137	192.168.11.30
Jan 6, 2025 07:57:58.335248947 CET	50117	56001	192.168.11.30	207.231.107.137
Jan 6, 2025 07:57:58.522521019 CET	56001	50117	207.231.107.137	192.168.11.30
Jan 6, 2025 07:58:25.638427973 CET	50117	56001	192.168.11.30	207.231.107.137
Jan 6, 2025 07:58:25.820146084 CET	56001	50117	207.231.107.137	192.168.11.30
Jan 6, 2025 07:58:25.820503950 CET	50117	56001	192.168.11.30	207.231.107.137
Jan 6, 2025 07:58:25.960757971 CET	56001	50117	207.231.107.137	192.168.11.30
Jan 6, 2025 07:58:26.012813091 CET	50117	56001	192.168.11.30	207.231.107.137
Jan 6, 2025 07:58:26.151978016 CET	56001	50117	207.231.107.137	192.168.11.30
Jan 6, 2025 07:58:26.153706074 CET	50117	56001	192.168.11.30	207.231.107.137
Jan 6, 2025 07:58:26.335908890 CET	56001	50117	207.231.107.137	192.168.11.30
Jan 6, 2025 07:58:26.336062908 CET	50117	56001	192.168.11.30	207.231.107.137
Jan 6, 2025 07:58:26.523242950 CET	56001	50117	207.231.107.137	192.168.11.30
Jan 6, 2025 07:58:51.007437944 CET	50117	56001	192.168.11.30	207.231.107.137
Jan 6, 2025 07:58:51.195532084 CET	56001	50117	207.231.107.137	192.168.11.30
Jan 6, 2025 07:58:51.195704937 CET	50117	56001	192.168.11.30	207.231.107.137
Jan 6, 2025 07:58:51.336914062 CET	56001	50117	207.231.107.137	192.168.11.30
Jan 6, 2025 07:58:51.382087946 CET	50117	56001	192.168.11.30	207.231.107.137
Jan 6, 2025 07:58:51.521218061 CET	56001	50117	207.231.107.137	192.168.11.30
Jan 6, 2025 07:58:51.523102045 CET	50117	56001	192.168.11.30	207.231.107.137
Jan 6, 2025 07:58:51.711158991 CET	56001	50117	207.231.107.137	192.168.11.30
Jan 6, 2025 07:58:51.711442947 CET	50117	56001	192.168.11.30	207.231.107.137
Jan 6, 2025 07:58:51.898634911 CET	56001	50117	207.231.107.137	192.168.11.30
Jan 6, 2025 07:59:19.016940117 CET	50117	56001	192.168.11.30	207.231.107.137
Jan 6, 2025 07:59:19.211532116 CET	56001	50117	207.231.107.137	192.168.11.30
Jan 6, 2025 07:59:19.211709976 CET	50117	56001	192.168.11.30	207.231.107.137
Jan 6, 2025 07:59:19.356930971 CET	56001	50117	207.231.107.137	192.168.11.30
Jan 6, 2025 07:59:19.406879902 CET	50117	56001	192.168.11.30	207.231.107.137
Jan 6, 2025 07:59:19.546010017 CET	56001	50117	207.231.107.137	192.168.11.30
Jan 6, 2025 07:59:19.549884081 CET	50117	56001	192.168.11.30	207.231.107.137
Jan 6, 2025 07:59:19.742814064 CET	56001	50117	207.231.107.137	192.168.11.30
Jan 6, 2025 07:59:19.742961884 CET	50117	56001	192.168.11.30	207.231.107.137
Jan 6, 2025 07:59:19.930264950 CET	56001	50117	207.231.107.137	192.168.11.30
Jan 6, 2025 07:59:47.028412104 CET	50117	56001	192.168.11.30	207.231.107.137
Jan 6, 2025 07:59:47.212141037 CET	56001	50117	207.231.107.137	192.168.11.30
Jan 6, 2025 07:59:47.212382078 CET	50117	56001	192.168.11.30	207.231.107.137
Jan 6, 2025 07:59:47.352611065 CET	56001	50117	207.231.107.137	192.168.11.30
Jan 6, 2025 07:59:47.400496960 CET	50117	56001	192.168.11.30	207.231.107.137
Jan 6, 2025 07:59:47.539383888 CET	56001	50117	207.231.107.137	192.168.11.30
Jan 6, 2025 07:59:47.541158915 CET	50117	56001	192.168.11.30	207.231.107.137
Jan 6, 2025 07:59:47.727802038 CET	56001	50117	207.231.107.137	192.168.11.30
Jan 6, 2025 07:59:47.727960110 CET	50117	56001	192.168.11.30	207.231.107.137
Jan 6, 2025 07:59:47.915235043 CET	56001	50117	207.231.107.137	192.168.11.30
Jan 6, 2025 08:00:15.039370060 CET	50117	56001	192.168.11.30	207.231.107.137
Jan 6, 2025 08:00:15.228229046 CET	56001	50117	207.231.107.137	192.168.11.30
Jan 6, 2025 08:00:15.228432894 CET	50117	56001	192.168.11.30	207.231.107.137
Jan 6, 2025 08:00:15.368638992 CET	56001	50117	207.231.107.137	192.168.11.30
Jan 6, 2025 08:00:15.409809113 CET	50117	56001	192.168.11.30	207.231.107.137
Jan 6, 2025 08:00:15.548830986 CET	56001	50117	207.231.107.137	192.168.11.30
Jan 6, 2025 08:00:15.550815105 CET	50117	56001	192.168.11.30	207.231.107.137
Jan 6, 2025 08:00:15.743815899 CET	56001	50117	207.231.107.137	192.168.11.30
Jan 6, 2025 08:00:15.743983984 CET	50117	56001	192.168.11.30	207.231.107.137
Jan 6, 2025 08:00:15.931437969 CET	56001	50117	207.231.107.137	192.168.11.30
Jan 6, 2025 08:00:43.050803900 CET	50117	56001	192.168.11.30	207.231.107.137
Jan 6, 2025 08:00:43.244379997 CET	56001	50117	207.231.107.137	192.168.11.30
Jan 6, 2025 08:00:43.244518995 CET	50117	56001	192.168.11.30	207.231.107.137
Jan 6, 2025 08:00:43.384351969 CET	56001	50117	207.231.107.137	192.168.11.30
Jan 6, 2025 08:00:43.434624910 CET	50117	56001	192.168.11.30	207.231.107.137
Jan 6, 2025 08:00:43.573635101 CET	56001	50117	207.231.107.137	192.168.11.30
Jan 6, 2025 08:00:43.575836897 CET	50117	56001	192.168.11.30	207.231.107.137
Jan 6, 2025 08:00:43.760025978 CET	56001	50117	207.231.107.137	192.168.11.30
Jan 6, 2025 08:00:43.760226011 CET	50117	56001	192.168.11.30	207.231.107.137
Jan 6, 2025 08:00:43.947508097 CET	56001	50117	207.231.107.137	192.168.11.30
Jan 6, 2025 08:01:11.061805964 CET	50117	56001	192.168.11.30	207.231.107.137
Jan 6, 2025 08:01:11.244946957 CET	56001	50117	207.231.107.137	192.168.11.30
Jan 6, 2025 08:01:11.245102882 CET	50117	56001	192.168.11.30	207.231.107.137
Jan 6, 2025 08:01:11.385302067 CET	56001	50117	207.231.107.137	192.168.11.30
Jan 6, 2025 08:01:11.428212881 CET	50117	56001	192.168.11.30	207.231.107.137
Jan 6, 2025 08:01:11.567203999 CET	56001	50117	207.231.107.137	192.168.11.30
Jan 6, 2025 08:01:11.571182966 CET	50117	56001	192.168.11.30	207.231.107.137
Jan 6, 2025 08:01:11.760615110 CET	56001	50117	207.231.107.137	192.168.11.30
Jan 6, 2025 08:01:11.760941982 CET	50117	56001	192.168.11.30	207.231.107.137
Jan 6, 2025 08:01:11.948110104 CET	56001	50117	207.231.107.137	192.168.11.30
Jan 6, 2025 08:01:29.673247099 CET	50117	56001	192.168.11.30	207.231.107.137
Jan 6, 2025 08:01:29.854737997 CET	56001	50117	207.231.107.137	192.168.11.30
Jan 6, 2025 08:01:29.854954958 CET	50117	56001	192.168.11.30	207.231.107.137
Jan 6, 2025 08:01:29.995104074 CET	56001	50117	207.231.107.137	192.168.11.30
Jan 6, 2025 08:01:30.049063921 CET	50117	56001	192.168.11.30	207.231.107.137
Jan 6, 2025 08:01:30.188206911 CET	56001	50117	207.231.107.137	192.168.11.30
Jan 6, 2025 08:01:30.188817978 CET	50117	56001	192.168.11.30	207.231.107.137
Jan 6, 2025 08:01:30.370218039 CET	56001	50117	207.231.107.137	192.168.11.30
Jan 6, 2025 08:01:30.370424032 CET	50117	56001	192.168.11.30	207.231.107.137
Jan 6, 2025 08:01:30.557729959 CET	56001	50117	207.231.107.137	192.168.11.30

Target ID:	2
Start time:	01:57:22
Start date:	06/01/2025
Path:	C:\Users\user\Desktop\LZUCldA1ro.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\LZUCldA1ro.exe"
Imagebase:	0x7b0000
File size:	367'104 bytes
MD5 hash:	801B1A0D107611D7467DF2470F1CD20F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2319201596194.0000000002DBF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Function 02CF2041 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2319201343857.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2cf0000_LZUCldA1ro.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26091a65cc34dac77c4fec76a991fd950077de5af9ea83a50d580a7081b4f52c
Instruction ID: 1581298c4416258bc7d02e285e13cb3059bcfc18221308c8966f00ff860e0304
Opcode Fuzzy Hash: 26091a65cc34dac77c4fec76a991fd950077de5af9ea83a50d580a7081b4f52c
Instruction Fuzzy Hash: F4A1DD35A002009FD794EF69D494AAEBBF6FF88710F118169E905EB3A4DB30EC01CB91

Function 02CF1A8A Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2319201343857.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2cf0000_LZUCldA1ro.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a249b449b876a5166ed651cc8ca4b3a38665093bf18313650c70483b79ad626d
Instruction ID: 46552592299390269e225ca883d6608b4cf4ea71111f5e28075bb2c99c39a88d
Opcode Fuzzy Hash: a249b449b876a5166ed651cc8ca4b3a38665093bf18313650c70483b79ad626d
Instruction Fuzzy Hash: 41512A74B00104CFDB84DFA9C498AADBBF2BF89B10F658069E50AEB365CB719C01DB54

Function 02CF1A98 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2319201343857.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2cf0000_LZUCldA1ro.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7191939133e618f95709d65770291aec67e2cd8342f1ca33cf3fb58d92d9e03
Instruction ID: bc83a559e6bb46a45eaff0b27c5165f6cbf7151140fb115f43181c745c021a81
Opcode Fuzzy Hash: b7191939133e618f95709d65770291aec67e2cd8342f1ca33cf3fb58d92d9e03
Instruction Fuzzy Hash: 6C510974B00104CFDB84DFA9C598AADBBF2BF89B10F658069E50AEB365CE719C01DB54

Function 02CF198F Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2319201343857.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2cf0000_LZUCldA1ro.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a749eceeff758adde1dee9a4122b17bd77ad1af10ecbf8c459bc7173a0a19c4b
Instruction ID: 50951f53839943388eba63a5478a5abfd4628c8a60cf2dd493dd16dec9526cdd
Opcode Fuzzy Hash: a749eceeff758adde1dee9a4122b17bd77ad1af10ecbf8c459bc7173a0a19c4b
Instruction Fuzzy Hash: 9011E3317002419FC780EB79E8A9E6A7BE6EFC8A50705416AEA0ACB354DF74DC01CBD0

Function 02CF19A0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2319201343857.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2cf0000_LZUCldA1ro.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c618fa2225bf9d927fd1335393b7308b8bfee247501b925075233a723e4985f
Instruction ID: 9659773e00b616e4f2c4133a1142e51c01f50bc5b9665e3ec073606cfc147b1a
Opcode Fuzzy Hash: 4c618fa2225bf9d927fd1335393b7308b8bfee247501b925075233a723e4985f
Instruction Fuzzy Hash: FD11A5357001019FC384EB69E498E6B77D9EFC8A50755406AEA09CB354DF70DC01CBD0

Function 012BD7F1 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2319200866975.00000000012BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_12bd000_LZUCldA1ro.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa9f30160998acc3d95e57e547546d4919229381eb4dfe2debb3eefa545138f5
Instruction ID: 79a9599f170d25e96ba19f8a446a29a3885edca8683d818579d17c1357a82ff8
Opcode Fuzzy Hash: aa9f30160998acc3d95e57e547546d4919229381eb4dfe2debb3eefa545138f5
Instruction Fuzzy Hash: 2C01F7315143489BF7104A59CCC4BE7BF98EF407A9F088419FE8D4A183C3799842CBB1

Function 012BD7F0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2319200866975.00000000012BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_12bd000_LZUCldA1ro.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 527822af7df2213cfef428b8ff58d4aef5b4dd77afe54d4b04bbbbea29b9e90e
Instruction ID: 6110926e49368d7d1c3248364adff7e8ccbed195a94b71dda38750b91d7b57ea
Opcode Fuzzy Hash: 527822af7df2213cfef428b8ff58d4aef5b4dd77afe54d4b04bbbbea29b9e90e
Instruction Fuzzy Hash: 2DF0C271404344AEE7108A0ADCC4BA3FFA8EB40779F18C55AFE4C0F283C2799841CA71

Function 02CF0BC5 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2319201343857.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2cf0000_LZUCldA1ro.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cdd6a090089d07ff9e8f951df1b75f3d67cc5ee00f9a66102a615010bee71bf
Instruction ID: 4b36a15f093d7353f5bf6f1946648bd64db918e90c4fb474f6e4715487549e4c
Opcode Fuzzy Hash: 4cdd6a090089d07ff9e8f951df1b75f3d67cc5ee00f9a66102a615010bee71bf
Instruction Fuzzy Hash: 56F0F678A18142CFD385AF61E0483A637B1FB75B41F0A82FACE099B34AEB34C901C741

Function 02CF089A Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2319201343857.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2cf0000_LZUCldA1ro.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 495367d17bda0289b58da873e75413ad0988566ac43d3a6eeaf0130f13b18b4f
Instruction ID: 4f02062e2cf47f95d532daf02618454e17dbdbde22e0ee6132a07e5cc8b133d8
Opcode Fuzzy Hash: 495367d17bda0289b58da873e75413ad0988566ac43d3a6eeaf0130f13b18b4f
Instruction Fuzzy Hash: 4AF022B1A19348EFCF41DBB0E9188AC7F79FF06204B0109CAEA00DB242E6317E00C7A1

Function 02CF2B31 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2319201343857.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2cf0000_LZUCldA1ro.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd10c137b17f3f99fca7a0b1e0aeb040717d65007689c96e0d9a2921887a83c1
Instruction ID: 535f39bf93a028318204112f2eb262316d0c0f9f26761f2e79aa0cf50fdaa86f
Opcode Fuzzy Hash: fd10c137b17f3f99fca7a0b1e0aeb040717d65007689c96e0d9a2921887a83c1
Instruction Fuzzy Hash: 8AE04F79624105AFDB909BB5E9589BEBB73EF44310F108526FF06D7390CE32C84A9B01

Function 02CF08A8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2319201343857.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2cf0000_LZUCldA1ro.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ded87e8c0dbb7ef2f067e668350456ed0aeba022345d402f989f6b256bc9c99
Instruction ID: 18beeea4b0b1919013d194452ebaf0842e8c241c0cb09bf995155a17451fedb3
Opcode Fuzzy Hash: 4ded87e8c0dbb7ef2f067e668350456ed0aeba022345d402f989f6b256bc9c99
Instruction Fuzzy Hash: DFE08C70A0520DEFCB80EFA1EA098ACB7B5FF486047004999DA05DB205EA31BE00DBC1

Function 02CF1A60 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2319201343857.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2cf0000_LZUCldA1ro.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e01429406e359f050311c2f898c60b2af6e60b28ab433a1493ed80df39c0bac
Instruction ID: 4b2c4ddb21ac2c123ce43cd5b93fc1cb6318d4104fea55e17797cd8b2df415cd
Opcode Fuzzy Hash: 4e01429406e359f050311c2f898c60b2af6e60b28ab433a1493ed80df39c0bac
Instruction Fuzzy Hash: 38D012764483D94FCF031370186D1843F59DA6310478508CFD4848FA42E40535465711

Function 02CF0930 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2319201343857.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2cf0000_LZUCldA1ro.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2654f386ecec22319624541693b56cd4e7a7ff3827e13efdc575a46a0485992b
Instruction ID: 8d35c99b0587b089ab40fea2ea6fef81f62c836d3407732aa34c558c040f34fd
Opcode Fuzzy Hash: 2654f386ecec22319624541693b56cd4e7a7ff3827e13efdc575a46a0485992b
Instruction Fuzzy Hash: 1BD012328A4349AFD7520F6564094F53F70DB5325A71281EFD445C9953C27B08078B21

Function 02CF0880 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2319201343857.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2cf0000_LZUCldA1ro.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdf1c5d07b4f93abd890199e6e5c029d9f75b2367140aecb2c033d726be9de1a
Instruction ID: 28a51a77961b962ad3153acfb2b8a8c1914f37e1369d91e3fea4e385fc66a188
Opcode Fuzzy Hash: cdf1c5d07b4f93abd890199e6e5c029d9f75b2367140aecb2c033d726be9de1a
Instruction Fuzzy Hash: 00C048B64892C10ECF1392B0343C0C47F30AA33220B661C83C281CA45AA022264A8226

Function 02CF0940 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2319201343857.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2cf0000_LZUCldA1ro.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 324198211259a7d0140641df98efb70993b60f680a1a9e9b77a9575b4621cce0
Instruction ID: 0d7ce5ae0496ef811e2d5c6ab1fe20ba400b3cb78b6f144303c5994c105c50ac
Opcode Fuzzy Hash: 324198211259a7d0140641df98efb70993b60f680a1a9e9b77a9575b4621cce0
Instruction Fuzzy Hash: A690023344460D9F4550279B740D556B75C95445557818061A60E41A065AA764104697

Non-executed Functions

Function 02CF47C0 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2319201343857.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2cf0000_LZUCldA1ro.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08ae057655976a975a19feba3592640405fc17fe3749a4964aa858bfadad567e
Instruction ID: 48e97f24101a50c343054ddc33c08ec91be22feef2aec82b700a19deabdc1021
Opcode Fuzzy Hash: 08ae057655976a975a19feba3592640405fc17fe3749a4964aa858bfadad567e
Instruction Fuzzy Hash: 7BB18171E006698BDB98CBA8C8806AEF7F1FF88300F248669D565E7305D334ED52CB94

Function 02CF47A7 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2319201343857.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2cf0000_LZUCldA1ro.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba3c83b3aaeece3d1c8ce713e2ebd5047d1db670e642ed1c88d33713e5b465c3
Instruction ID: cefa437500ffccdf15be01cdc62e756adbbbdc0b8ad5d54e493b43c14748719b
Opcode Fuzzy Hash: ba3c83b3aaeece3d1c8ce713e2ebd5047d1db670e642ed1c88d33713e5b465c3
Instruction Fuzzy Hash: 10818271E046698FDB98CFA9C8806AEFBF1FF88310F148169D665E7205D334E956CB90

Function 02CF1DB8 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2319201343857.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2cf0000_LZUCldA1ro.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b834da88ccd1e6065799408946721adee5733e79980fa712787bd678b514b5d6
Instruction ID: 8c19aacb0ed091242d65d60c0d49a7caa797e5f8c565a766377540777bd34533
Opcode Fuzzy Hash: b834da88ccd1e6065799408946721adee5733e79980fa712787bd678b514b5d6
Instruction Fuzzy Hash: F8613C76A102448FE749EF7AF45569ABBF3BFE8340B14C52AD5049B368EB315806CB50

Function 02CF1DC8 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2319201343857.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2cf0000_LZUCldA1ro.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8fed102ae01b353bc8f7d6da1260d26a38b600f31222465a2924a10d363e81e
Instruction ID: c340a15679e84b530ff02c83d5460edb466df4a0945f55b36099c46568a822b2
Opcode Fuzzy Hash: d8fed102ae01b353bc8f7d6da1260d26a38b600f31222465a2924a10d363e81e
Instruction Fuzzy Hash: 2B512976A102448FE749EF6AF45569ABBF3BFE8340B14C52AD5089B368EF315806CB50

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report LZUCldA1ro.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: LZUCldA1ro.exePID: 6696, Parent PID: 1300

General

Windows Analysis Report
LZUCldA1ro.exe