Edit tour

Windows Analysis Report
NUGMrDcg4v.exe

Overview

General Information

Sample name:	NUGMrDcg4v.exe renamed because original name is a hash value
Original sample name:	7fdbb9aa555c42d32185cbdc7059b1523278212d0afb365c6d81abcbc545d047.exe
Analysis ID:	1588373
MD5:	a17417ef2831452553847ca8b9a934cb
SHA1:	09e726bb76d1932df35569d1d3e2c614b2ba7bfc
SHA256:	7fdbb9aa555c42d32185cbdc7059b1523278212d0afb365c6d81abcbc545d047
Tags:	AgentTeslaexeuser-adrian__luca
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected AntiVM3

AI detected suspicious sample

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Detected potential crypto function

Enables debug privileges

HTTP GET or POST without a user agent

IP address seen in connection with other malware

May check the online IP address of the machine

PE / OLE file has an invalid certificate

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

NUGMrDcg4v.exe (PID: 7816 cmdline: "C:\Users\user\Desktop\NUGMrDcg4v.exe" MD5: A17417EF2831452553847CA8B9A934CB)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "Host": "ftp://ftp.solucionesmexico.mx", "Username": "mynewfile@solucionesmexico.mx", "Password": "dGG^ZYIxX5!B"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2548008530.0000000007610000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2548008530.0000000007610000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000000.00000002.2548008530.0000000007610000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.2548008530.0000000007610000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3454f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x345c1:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3464b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x346dd:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x34747:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x347b9:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3484f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x348df:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000000.00000002.2548008530.0000000007610000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x31739:$s2: GetPrivateProfileString 0x30d82:$s3: get_OSFullName 0x32418:$s5: remove_Key 0x325f2:$s5: remove_Key 0x33564:$s6: FtpWebRequest 0x34531:$s7: logins 0x34aa3:$s7: logins 0x377b4:$s7: logins 0x37866:$s7: logins 0x391b9:$s7: logins 0x38400:$s9: 1.85 (Hash, version 2, native byte-order)
00000000.00000002.2544569965.00000000030C7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2545510674.0000000004081000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2545510674.0000000004081000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: NUGMrDcg4v.exe PID: 7816	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: NUGMrDcg4v.exe PID: 7816	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: NUGMrDcg4v.exe PID: 7816	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 6 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.NUGMrDcg4v.exe.40c5590.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.NUGMrDcg4v.exe.40c5590.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.NUGMrDcg4v.exe.40c5590.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.NUGMrDcg4v.exe.40c5590.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3454f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x345c1:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3464b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x346dd:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x34747:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x347b9:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3484f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x348df:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.NUGMrDcg4v.exe.40c5590.3.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x31739:$s2: GetPrivateProfileString 0x30d82:$s3: get_OSFullName 0x32418:$s5: remove_Key 0x325f2:$s5: remove_Key 0x33564:$s6: FtpWebRequest 0x34531:$s7: logins 0x34aa3:$s7: logins 0x377b4:$s7: logins 0x37866:$s7: logins 0x391b9:$s7: logins 0x38400:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.NUGMrDcg4v.exe.7610000.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.NUGMrDcg4v.exe.7610000.6.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.NUGMrDcg4v.exe.7610000.6.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.NUGMrDcg4v.exe.7610000.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3454f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x345c1:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3464b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x346dd:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x34747:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x347b9:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3484f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x348df:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.NUGMrDcg4v.exe.7610000.6.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x31739:$s2: GetPrivateProfileString 0x30d82:$s3: get_OSFullName 0x32418:$s5: remove_Key 0x325f2:$s5: remove_Key 0x33564:$s6: FtpWebRequest 0x34531:$s7: logins 0x34aa3:$s7: logins 0x377b4:$s7: logins 0x37866:$s7: logins 0x391b9:$s7: logins 0x38400:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.NUGMrDcg4v.exe.40c5590.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.NUGMrDcg4v.exe.40c5590.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.NUGMrDcg4v.exe.40c5590.3.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3274f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x327c1:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3284b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x328dd:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x32947:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x329b9:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x32a4f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x32adf:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.NUGMrDcg4v.exe.40c5590.3.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x2f939:$s2: GetPrivateProfileString 0x2ef82:$s3: get_OSFullName 0x30618:$s5: remove_Key 0x307f2:$s5: remove_Key 0x31764:$s6: FtpWebRequest 0x32731:$s7: logins 0x32ca3:$s7: logins 0x359b4:$s7: logins 0x35a66:$s7: logins 0x373b9:$s7: logins 0x36600:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.NUGMrDcg4v.exe.7610000.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.NUGMrDcg4v.exe.7610000.6.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.NUGMrDcg4v.exe.7610000.6.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3274f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x327c1:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3284b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x328dd:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x32947:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x329b9:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x32a4f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x32adf:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.NUGMrDcg4v.exe.7610000.6.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x2f939:$s2: GetPrivateProfileString 0x2ef82:$s3: get_OSFullName 0x30618:$s5: remove_Key 0x307f2:$s5: remove_Key 0x31764:$s6: FtpWebRequest 0x32731:$s7: logins 0x32ca3:$s7: logins 0x359b4:$s7: logins 0x35a66:$s7: logins 0x373b9:$s7: logins 0x36600:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.NUGMrDcg4v.exe.4089970.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.NUGMrDcg4v.exe.4089970.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.NUGMrDcg4v.exe.4089970.4.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3274f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x327c1:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3284b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x328dd:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x32947:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x329b9:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x32a4f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x32adf:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.NUGMrDcg4v.exe.4089970.4.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x2f939:$s2: GetPrivateProfileString 0x2ef82:$s3: get_OSFullName 0x30618:$s5: remove_Key 0x307f2:$s5: remove_Key 0x31764:$s6: FtpWebRequest 0x32731:$s7: logins 0x32ca3:$s7: logins 0x359b4:$s7: logins 0x35a66:$s7: logins 0x373b9:$s7: logins 0x36600:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.NUGMrDcg4v.exe.4089970.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.NUGMrDcg4v.exe.4089970.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.NUGMrDcg4v.exe.4089970.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.NUGMrDcg4v.exe.4089970.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3454f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x7016f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x345c1:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x701e1:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3464b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x7026b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x346dd:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x702fd:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x34747:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x70367:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x347b9:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x703d9:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3484f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x7046f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x348df:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x704ff:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.NUGMrDcg4v.exe.4089970.4.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x31739:$s2: GetPrivateProfileString 0x6d359:$s2: GetPrivateProfileString 0x30d82:$s3: get_OSFullName 0x6c9a2:$s3: get_OSFullName 0x32418:$s5: remove_Key 0x325f2:$s5: remove_Key 0x6e038:$s5: remove_Key 0x6e212:$s5: remove_Key 0x33564:$s6: FtpWebRequest 0x6f184:$s6: FtpWebRequest 0x34531:$s7: logins 0x34aa3:$s7: logins 0x377b4:$s7: logins 0x37866:$s7: logins 0x391b9:$s7: logins 0x70151:$s7: logins 0x706c3:$s7: logins 0x733d4:$s7: logins 0x73486:$s7: logins 0x74dd9:$s7: logins 0x38400:$s9: 1.85 (Hash, version 2, native byte-order)
Click to see the 22 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: NUGMrDcg4v.exe

Avira: detected

Found malware configuration

Source: 0.2.NUGMrDcg4v.exe.40c5590.3.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.solucionesmexico.mx", "Username": "mynewfile@solucionesmexico.mx", "Password": "dGG^ZYIxX5!B"}

Multi AV Scanner detection for submitted file

Source: NUGMrDcg4v.exe	ReversingLabs: Detection: 71%
Source: NUGMrDcg4v.exe	Virustotal: Detection: 75%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: NUGMrDcg4v.exe

Joe Sandbox ML: detected

Source: NUGMrDcg4v.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: NUGMrDcg4v.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.NUGMrDcg4v.exe.40c5590.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NUGMrDcg4v.exe.7610000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NUGMrDcg4v.exe.4089970.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2548008530.0000000007610000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 208.95.112.1 208.95.112.1

Source: unknown

DNS query: name: ip-api.com

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: ip-api.com

Source: NUGMrDcg4v.exe	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: NUGMrDcg4v.exe	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: NUGMrDcg4v.exe, 00000000.00000002.2544569965.0000000003081000.00000004.00000800.00020000.00000000.sdmp, NUGMrDcg4v.exe, 00000000.00000002.2544569965.000000000313C000.00000004.00000800.00020000.00000000.sdmp, NUGMrDcg4v.exe, 00000000.00000002.2544569965.0000000003158000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: NUGMrDcg4v.exe, 00000000.00000002.2544569965.0000000003081000.00000004.00000800.00020000.00000000.sdmp, NUGMrDcg4v.exe, 00000000.00000002.2548008530.0000000007610000.00000004.08000000.00040000.00000000.sdmp, NUGMrDcg4v.exe, 00000000.00000002.2544569965.000000000313C000.00000004.00000800.00020000.00000000.sdmp, NUGMrDcg4v.exe, 00000000.00000002.2545510674.0000000004081000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: NUGMrDcg4v.exe	String found in binary or memory: http://localhost/calculator_server/requests.php
Source: NUGMrDcg4v.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: NUGMrDcg4v.exe, 00000000.00000002.2544569965.0000000003081000.00000004.00000800.00020000.00000000.sdmp, NUGMrDcg4v.exe, 00000000.00000002.2544569965.000000000313C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: NUGMrDcg4v.exe, 00000000.00000002.2548008530.0000000007610000.00000004.08000000.00040000.00000000.sdmp, NUGMrDcg4v.exe, 00000000.00000002.2545510674.0000000004081000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: NUGMrDcg4v.exe	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.NUGMrDcg4v.exe.40c5590.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.NUGMrDcg4v.exe.40c5590.3.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.NUGMrDcg4v.exe.7610000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.NUGMrDcg4v.exe.7610000.6.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.NUGMrDcg4v.exe.40c5590.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.NUGMrDcg4v.exe.40c5590.3.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.NUGMrDcg4v.exe.7610000.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.NUGMrDcg4v.exe.7610000.6.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.NUGMrDcg4v.exe.4089970.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.NUGMrDcg4v.exe.4089970.4.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.NUGMrDcg4v.exe.4089970.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.NUGMrDcg4v.exe.4089970.4.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 00000000.00000002.2548008530.0000000007610000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000000.00000002.2548008530.0000000007610000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen

Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Code function: 0_2_01713E28	0_2_01713E28
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Code function: 0_2_01716F90	0_2_01716F90
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Code function: 0_2_0171DFB4	0_2_0171DFB4
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Code function: 0_2_05616CC8	0_2_05616CC8
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Code function: 0_2_05610040	0_2_05610040
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Code function: 0_2_05610006	0_2_05610006
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Code function: 0_2_05616C98	0_2_05616C98
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Code function: 0_2_07930E00	0_2_07930E00
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Code function: 0_2_0793AC88	0_2_0793AC88
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Code function: 0_2_0793B8A0	0_2_0793B8A0
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Code function: 0_2_0793AFD0	0_2_0793AFD0
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Code function: 0_2_07934708	0_2_07934708
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Code function: 0_2_07933E98	0_2_07933E98
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Code function: 0_2_07933E88	0_2_07933E88
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Code function: 0_2_07935E30	0_2_07935E30
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Code function: 0_2_07930DF0	0_2_07930DF0
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Code function: 0_2_079342D0	0_2_079342D0
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Code function: 0_2_079359F8	0_2_079359F8
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Code function: 0_2_0B10E300	0_2_0B10E300
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Code function: 0_2_0B106AC8	0_2_0B106AC8
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Code function: 0_2_0B109010	0_2_0B109010
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Code function: 0_2_0B100040	0_2_0B100040
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Code function: 0_2_0B108928	0_2_0B108928
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Code function: 0_2_0B1039B9	0_2_0B1039B9
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Code function: 0_2_0B100007	0_2_0B100007
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Code function: 0_2_0B105CC8	0_2_0B105CC8

Source: NUGMrDcg4v.exe

Static PE information: invalid certificate

Source: NUGMrDcg4v.exe, 00000000.00000002.2545510674.0000000004162000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs NUGMrDcg4v.exe
Source: NUGMrDcg4v.exe, 00000000.00000002.2548328749.00000000078A0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs NUGMrDcg4v.exe
Source: NUGMrDcg4v.exe, 00000000.00000002.2548008530.0000000007610000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilename1d2b2f51-e841-4af2-8893-cf0c11544dea.exe0 vs NUGMrDcg4v.exe
Source: NUGMrDcg4v.exe, 00000000.00000002.2547134145.0000000005B10000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs NUGMrDcg4v.exe
Source: NUGMrDcg4v.exe, 00000000.00000002.2544569965.000000000318C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs NUGMrDcg4v.exe
Source: NUGMrDcg4v.exe, 00000000.00000002.2543376911.000000000143E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs NUGMrDcg4v.exe
Source: NUGMrDcg4v.exe, 00000000.00000000.1287254905.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameehGbG.exe" vs NUGMrDcg4v.exe
Source: NUGMrDcg4v.exe, 00000000.00000002.2545510674.0000000004081000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename1d2b2f51-e841-4af2-8893-cf0c11544dea.exe0 vs NUGMrDcg4v.exe
Source: NUGMrDcg4v.exe	Binary or memory string: OriginalFilenameehGbG.exe" vs NUGMrDcg4v.exe

Source: NUGMrDcg4v.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.NUGMrDcg4v.exe.40c5590.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.NUGMrDcg4v.exe.40c5590.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.NUGMrDcg4v.exe.7610000.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.NUGMrDcg4v.exe.7610000.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.NUGMrDcg4v.exe.40c5590.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.NUGMrDcg4v.exe.40c5590.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.NUGMrDcg4v.exe.7610000.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.NUGMrDcg4v.exe.7610000.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.NUGMrDcg4v.exe.4089970.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.NUGMrDcg4v.exe.4089970.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.NUGMrDcg4v.exe.4089970.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.NUGMrDcg4v.exe.4089970.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 00000000.00000002.2548008530.0000000007610000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000000.00000002.2548008530.0000000007610000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload

Source: NUGMrDcg4v.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/0@1/1

Source: C:\Users\user\Desktop\NUGMrDcg4v.exe

Mutant created: NULL

Source: NUGMrDcg4v.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: NUGMrDcg4v.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%

Source: C:\Users\user\Desktop\NUGMrDcg4v.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\NUGMrDcg4v.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\NUGMrDcg4v.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: NUGMrDcg4v.exe, 00000000.00000002.2544569965.0000000003174000.00000004.00000800.00020000.00000000.sdmp, NUGMrDcg4v.exe, 00000000.00000002.2544569965.0000000003186000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: NUGMrDcg4v.exe	ReversingLabs: Detection: 71%
Source: NUGMrDcg4v.exe	Virustotal: Detection: 75%

Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\Desktop\NUGMrDcg4v.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\NUGMrDcg4v.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\NUGMrDcg4v.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: NUGMrDcg4v.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: NUGMrDcg4v.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\NUGMrDcg4v.exe

Code function: 0_2_01715E00 push eax; iretd

0_2_01715E09

Source: NUGMrDcg4v.exe

Static PE information: section name: .text entropy: 7.7884153381917445

Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: NUGMrDcg4v.exe PID: 7816, type: MEMORYSTR

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\NUGMrDcg4v.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\NUGMrDcg4v.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: NUGMrDcg4v.exe, 00000000.00000002.2548008530.0000000007610000.00000004.08000000.00040000.00000000.sdmp, NUGMrDcg4v.exe, 00000000.00000002.2544569965.0000000003158000.00000004.00000800.00020000.00000000.sdmp, NUGMrDcg4v.exe, 00000000.00000002.2544569965.00000000030C7000.00000004.00000800.00020000.00000000.sdmp, NUGMrDcg4v.exe, 00000000.00000002.2545510674.0000000004081000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Memory allocated: 16F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Memory allocated: 3080000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Memory allocated: 5080000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Memory allocated: 8060000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Memory allocated: 9060000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Memory allocated: 9210000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Memory allocated: A210000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\NUGMrDcg4v.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\NUGMrDcg4v.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Users\user\Desktop\NUGMrDcg4v.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: NUGMrDcg4v.exe, 00000000.00000002.2544569965.00000000030C7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: NUGMrDcg4v.exe, 00000000.00000002.2545510674.0000000004081000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: NUGMrDcg4v.exe, 00000000.00000002.2545510674.0000000004081000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMwareVBox
Source: NUGMrDcg4v.exe, 00000000.00000002.2547764879.00000000062F2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\NUGMrDcg4v.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\NUGMrDcg4v.exe

Code function: 0_2_07939380 CheckRemoteDebuggerPresent,

0_2_07939380

Source: C:\Users\user\Desktop\NUGMrDcg4v.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\NUGMrDcg4v.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\NUGMrDcg4v.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Queries volume information: C:\Users\user\Desktop\NUGMrDcg4v.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\NUGMrDcg4v.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.2.NUGMrDcg4v.exe.40c5590.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NUGMrDcg4v.exe.7610000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NUGMrDcg4v.exe.40c5590.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NUGMrDcg4v.exe.7610000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NUGMrDcg4v.exe.4089970.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NUGMrDcg4v.exe.4089970.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2548008530.0000000007610000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2545510674.0000000004081000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: NUGMrDcg4v.exe PID: 7816, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\NUGMrDcg4v.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 0.2.NUGMrDcg4v.exe.40c5590.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NUGMrDcg4v.exe.7610000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NUGMrDcg4v.exe.40c5590.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NUGMrDcg4v.exe.7610000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NUGMrDcg4v.exe.4089970.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NUGMrDcg4v.exe.4089970.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2548008530.0000000007610000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2544569965.00000000030C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2545510674.0000000004081000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: NUGMrDcg4v.exe PID: 7816, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.2.NUGMrDcg4v.exe.40c5590.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NUGMrDcg4v.exe.7610000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NUGMrDcg4v.exe.40c5590.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NUGMrDcg4v.exe.7610000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NUGMrDcg4v.exe.4089970.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NUGMrDcg4v.exe.4089970.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2548008530.0000000007610000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2545510674.0000000004081000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: NUGMrDcg4v.exe PID: 7816, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	231 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	24 Virtualization/Sandbox Evasion	1 OS Credential Dumping	531 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	24 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	2 Obfuscated Files or Information	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	1 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Software Packing	NTDS	1 System Network Configuration Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	34 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
NUGMrDcg4v.exe	71%	ReversingLabs	ByteCode-MSIL.Hacktool.Mimikatz
NUGMrDcg4v.exe	75%	Virustotal		Browse
NUGMrDcg4v.exe	100%	Avira	HEUR/AGEN.1357257
NUGMrDcg4v.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ip-api.com	208.95.112.1	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ip-api.com/line/?fields=hosting	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://account.dyn.com/	NUGMrDcg4v.exe, 00000000.00000002.2548008530.0000000007610000.00000004.08000000.00040000.00000000.sdmp, NUGMrDcg4v.exe, 00000000.00000002.2545510674.0000000004081000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	NUGMrDcg4v.exe, 00000000.00000002.2544569965.0000000003081000.00000004.00000800.00020000.00000000.sdmp, NUGMrDcg4v.exe, 00000000.00000002.2544569965.000000000313C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	NUGMrDcg4v.exe	false	high
http://localhost/calculator_server/requests.php	NUGMrDcg4v.exe	false	high
http://ip-api.com	NUGMrDcg4v.exe, 00000000.00000002.2544569965.0000000003081000.00000004.00000800.00020000.00000000.sdmp, NUGMrDcg4v.exe, 00000000.00000002.2544569965.000000000313C000.00000004.00000800.00020000.00000000.sdmp, NUGMrDcg4v.exe, 00000000.00000002.2544569965.0000000003158000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588373
Start date and time:	2025-01-11 01:30:15 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 44s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	NUGMrDcg4v.exe renamed because original name is a hash value
Original Sample Name:	7fdbb9aa555c42d32185cbdc7059b1523278212d0afb365c6d81abcbc545d047.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@1/0@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 34 Number of non-executed functions: 11
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 184.28.90.27, 4.175.87.197
Excluded domains from analysis (whitelisted): fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
19:31:07	API Interceptor	2x Sleep call for process: NUGMrDcg4v.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	LMxd0gpIxe.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	rComprobante_swift_8676534657698632.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	28uMwHvbTD.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	e4Iw3lwFJ5.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	uOCavrYu1y.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	XoRPyi5s1i.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	NX8j2O83Wu.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	7569qiv4L2.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	hCkkM0lH0P.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	sDflTDPSLw.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip-api.com	LMxd0gpIxe.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	rComprobante_swift_8676534657698632.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	28uMwHvbTD.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	e4Iw3lwFJ5.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	uOCavrYu1y.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	XoRPyi5s1i.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	NX8j2O83Wu.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	7569qiv4L2.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	hCkkM0lH0P.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	sDflTDPSLw.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TUT-ASUS	LMxd0gpIxe.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	rComprobante_swift_8676534657698632.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	28uMwHvbTD.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	e4Iw3lwFJ5.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	uOCavrYu1y.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	XoRPyi5s1i.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	NX8j2O83Wu.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	7569qiv4L2.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	hCkkM0lH0P.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	sDflTDPSLw.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.784566897204724
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.98% Win32 Executable (generic) a (10002005/4) 49.93% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	NUGMrDcg4v.exe
File size:	705'032 bytes
MD5:	a17417ef2831452553847ca8b9a934cb
SHA1:	09e726bb76d1932df35569d1d3e2c614b2ba7bfc
SHA256:	7fdbb9aa555c42d32185cbdc7059b1523278212d0afb365c6d81abcbc545d047
SHA512:	abadc517155bda890411574e089476363b9de4af819b8e7de2e80cad5385f599d581e396dd425276a3fed46fff5aa90887b806cec04aaac2971f2c0ce730c1f6
SSDEEP:	12288:8PG/Ggc0nFGnCBC2ooxzk23EH+rCWpsQJYg1xuIA87ikR:q50nYCBC2oqzT3EHPQJLOIX7R
TLSH:	E6E402A95A51DA03CA8157740BB1F2795BB82FDEB900D2279FEC7DEFB8A6F101C90141
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Rg..............0..t............... ........@.. ....................................@................................

File Icon


Icon Hash:	04852062591b5659

Static PE Info

General

Entrypoint:	0x4a932e
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6752AB8C [Fri Dec 6 07:45:16 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	13/11/2018 01:00:00 09/11/2021 00:59:59
Subject Chain	CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
Version:	3
Thumbprint MD5:	DABD77E44EF6B3BB91740FA46696B779
Thumbprint SHA-1:	5B9E273CF11941FD8C6BE3F038C4797BBE884268
Thumbprint SHA-256:	4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
Serial:	7C1118CBBADC95DA3752C46E47A27438

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
push ebx
add byte ptr [ecx+00h], bh
jnc 00007FE604CE4462h
je 00007FE604CE4462h
add byte ptr [ebp+00h], ch
add byte ptr [ecx+00h], al
arpl word ptr [eax], ax
je 00007FE604CE4462h
imul eax, dword ptr [eax], 00610076h
je 00007FE604CE4462h
outsd
add byte ptr [edx+00h], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa92dc	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xaa000	0x13bc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xa8c00	0x3608
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xac000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xa7354	0xa7400	abe31950983995a41a9c4217831f8fde	False	0.9319135953849028	data	7.7884153381917445	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xaa000	0x13bc	0x1400	0d8560284f742fbcb2f8906d5eb9fdf5	False	0.732421875	data	6.9438658117569405	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xac000	0xc	0x200	40017c928d7dfd5ce4871ed537cc6a11	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xaa100	0xd91	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.8692772818888569
RT_GROUP_ICON	0xaaea4	0x14	data	1.05
RT_VERSION	0xaaec8	0x2f4	data	0.4312169312169312
RT_MANIFEST	0xab1cc	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 01:31:09.418811083 CET	49716	80	192.168.2.10	208.95.112.1
Jan 11, 2025 01:31:09.423691034 CET	80	49716	208.95.112.1	192.168.2.10
Jan 11, 2025 01:31:09.423758984 CET	49716	80	192.168.2.10	208.95.112.1
Jan 11, 2025 01:31:09.424947023 CET	49716	80	192.168.2.10	208.95.112.1
Jan 11, 2025 01:31:09.429778099 CET	80	49716	208.95.112.1	192.168.2.10
Jan 11, 2025 01:31:09.882195950 CET	80	49716	208.95.112.1	192.168.2.10
Jan 11, 2025 01:31:09.930608988 CET	49716	80	192.168.2.10	208.95.112.1
Jan 11, 2025 01:32:01.615937948 CET	80	49716	208.95.112.1	192.168.2.10
Jan 11, 2025 01:32:01.615998983 CET	49716	80	192.168.2.10	208.95.112.1
Jan 11, 2025 01:32:49.901407957 CET	49716	80	192.168.2.10	208.95.112.1
Jan 11, 2025 01:32:49.906274080 CET	80	49716	208.95.112.1	192.168.2.10

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 01:31:09.402955055 CET	54278	53	192.168.2.10	1.1.1.1
Jan 11, 2025 01:31:09.410446882 CET	53	54278	1.1.1.1	192.168.2.10

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 11, 2025 01:31:09.402955055 CET	192.168.2.10	1.1.1.1	0xf58	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 11, 2025 01:31:09.410446882 CET	1.1.1.1	192.168.2.10	0xf58	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49716	208.95.112.1	80	7816	C:\Users\user\Desktop\NUGMrDcg4v.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:31:09.424947023 CET	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Jan 11, 2025 01:31:09.882195950 CET	175	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 00:31:09 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

Target ID:	0
Start time:	19:31:07
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\NUGMrDcg4v.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\NUGMrDcg4v.exe"
Imagebase:	0xce0000
File size:	705'032 bytes
MD5 hash:	A17417EF2831452553847CA8B9A934CB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2548008530.0000000007610000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000000.00000002.2548008530.0000000007610000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2548008530.0000000007610000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000000.00000002.2548008530.0000000007610000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_AgentTeslaV2, Description: AgenetTesla Type 2 Keylogger payload, Source: 00000000.00000002.2548008530.0000000007610000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2544569965.00000000030C7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2545510674.0000000004081000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2545510674.0000000004081000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	11.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	16.8%
Total number of Nodes:	250
Total number of Limit Nodes:	11

Executed Functions

Function 05616C98 Relevance: 3.7, Strings: 1, Instructions: 2427
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$2q, xrefs: 05616D15

Memory Dump Source

Source File: 00000000.00000002.2546797993.0000000005610000.00000040.00000800.00020000.00000000.sdmp, Offset: 05610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5610000_NUGMrDcg4v.jbxd

Similarity

API ID:
String ID: $2q
API String ID: 0-3731487377
Opcode ID: b3da8bc58be0ecb1a910419cf61462630011ef6033b5dd57f879b9b065d8fc4b
Instruction ID: 3babb730e97156e8deffd3ad2e65753feea39c7d270182e84e5dc6187a017377
Opcode Fuzzy Hash: b3da8bc58be0ecb1a910419cf61462630011ef6033b5dd57f879b9b065d8fc4b
Instruction Fuzzy Hash: D2430674A11219CFDB25DF24C894BA9B3B5FF89300F1186E9E6096B361DB70AE85CF44

Function 05616CC8 Relevance: 3.7, Strings: 1, Instructions: 2412
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$2q, xrefs: 05616D15

Memory Dump Source

Source File: 00000000.00000002.2546797993.0000000005610000.00000040.00000800.00020000.00000000.sdmp, Offset: 05610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5610000_NUGMrDcg4v.jbxd

Similarity

API ID:
String ID: $2q
API String ID: 0-3731487377
Opcode ID: 5c861af4a9e93fe53bbca9ad97c4ee625101a15dc4a68f321e1b678fda349829
Instruction ID: 6b7ae7bcf1ff5a5ff0f18b0ea3da653c83a4193eeeccc2c3e0ce9f380e324030
Opcode Fuzzy Hash: 5c861af4a9e93fe53bbca9ad97c4ee625101a15dc4a68f321e1b678fda349829
Instruction Fuzzy Hash: E643F674A11219CFDB25DF24C894AA9B3B5FF89300F1186E9E6097B361DB70AE85CF44

Function 0B100040 Relevance: 2.7, Instructions: 2725COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2549111742.000000000B100000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b100000_NUGMrDcg4v.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc8c4d2793257661ff292dbae1c7a10fcab4dc9ae8b13e2261f948028be76135
Instruction ID: 2785d1bb2d86b632123fe144a740779faaf624af2c21d6c0f9b8191a8580d7d1
Opcode Fuzzy Hash: dc8c4d2793257661ff292dbae1c7a10fcab4dc9ae8b13e2261f948028be76135
Instruction Fuzzy Hash: 5853D631D10B1A8ACB51EF68C8846A9F7B1FF99300F11D79AE45977121EF70AAD4CB81

Function 0B1039B9 Relevance: 2.1, Instructions: 2071COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2549111742.000000000B100000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b100000_NUGMrDcg4v.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fd5c764a4ba75eaa742feda06a73850798e27ed975fbb0d95ed7765ee960ac6
Instruction ID: 54b18b75f8e5f58bcd8272f84b271db4d86a47a9d21d82ad78dbb5582fe8c69b
Opcode Fuzzy Hash: 0fd5c764a4ba75eaa742feda06a73850798e27ed975fbb0d95ed7765ee960ac6
Instruction Fuzzy Hash: 6E231A31D10B198ADB11EF68C8946ADF7B1FF99300F50C79AE459B7261EB70AAC4CB41

Function 07939380 Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNEL32(00000000,?), ref: 0793C687

Memory Dump Source

Source File: 00000000.00000002.2548503996.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7930000_NUGMrDcg4v.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: c76e7913db98983b58ed3987c3c0dcaeaf5a287d877010749eafd9e3e4a56b66
Instruction ID: 37e5932f1c99a50762c3c2c9612f7c38bc6d760d0ccba520264843d025d49f82
Opcode Fuzzy Hash: c76e7913db98983b58ed3987c3c0dcaeaf5a287d877010749eafd9e3e4a56b66
Instruction Fuzzy Hash: 262178B180075A8FCB14CF9AD484BEEBBF4EF49214F14842AE859B7241D378A944CFA5

Function 0B100007 Relevance: 1.2, Instructions: 1230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2549111742.000000000B100000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b100000_NUGMrDcg4v.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da7166951ec853ad2dcfcaa9fb2b0e633302ff0997aaff7a64e0de9b866a77d0
Instruction ID: 42f8ce96f5572b1de373db4257a8b1eb1dda0c7a795d010fa3a4e63d73c42757
Opcode Fuzzy Hash: da7166951ec853ad2dcfcaa9fb2b0e633302ff0997aaff7a64e0de9b866a77d0
Instruction Fuzzy Hash: CDD2E731C10B5A8ACB51EB68C8845A9F7B1FF99300F15D79AE45877121EF70AAD4CF81

Function 0B105CC8 Relevance: 1.1, Instructions: 1059COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2549111742.000000000B100000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b100000_NUGMrDcg4v.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 252e43c90adf5bab4f7b387f88247cdd4adb8609ef466d7a12bce1bc6fc1f3fc
Instruction ID: 86cf79b4a05973ac1460df7ae0bb03a4db4a3c79e6ddf38f4f3236d6d41a712d
Opcode Fuzzy Hash: 252e43c90adf5bab4f7b387f88247cdd4adb8609ef466d7a12bce1bc6fc1f3fc
Instruction Fuzzy Hash: 90A20234A102048FDB24DB68C584B9DBBF2FB49315F5584A9E409EB3A5DBB5EC85CF80

Function 0B106AC8 Relevance: .5, Instructions: 545COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2549111742.000000000B100000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b100000_NUGMrDcg4v.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 041e9571a3e77a30fd38b45db0b22d6ff67be5355568edd1fc84f5c578e7b6f6
Instruction ID: 6b65c63db8948967e95a2afe1bcda191e4f1f0f01e49d02012d5c5e42cecd0ff
Opcode Fuzzy Hash: 041e9571a3e77a30fd38b45db0b22d6ff67be5355568edd1fc84f5c578e7b6f6
Instruction Fuzzy Hash: AA322F30E10619CFDB25EF69C89069DB7B2FF99300F51C6A9D409A7294EF70AD85CB90

Function 0B109010 Relevance: .5, Instructions: 477COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2549111742.000000000B100000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b100000_NUGMrDcg4v.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecd85e1d25f275be5ca8e1f0c6aaa0449ab62c54bb31c1c6ea0261b887e0895f
Instruction ID: dac883fa8c85f7f83d77b32d7789dbff1cfddca8f9a374260f257ba608287ada
Opcode Fuzzy Hash: ecd85e1d25f275be5ca8e1f0c6aaa0449ab62c54bb31c1c6ea0261b887e0895f
Instruction Fuzzy Hash: C4028E30B102158FDB14DB69D564AAEBBE2FF85350F148569D405DB382DFB5EC82CB90

Function 0B10E300 Relevance: .4, Instructions: 396COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2549111742.000000000B100000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b100000_NUGMrDcg4v.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3c29db35da2461974802e1fb1cc638bd7398aeb851381b7c2535e4a8d062605
Instruction ID: f36a459db26d36f429da5407c2cce7709dcef3f89c3cef9dd112a0f467fbc507
Opcode Fuzzy Hash: f3c29db35da2461974802e1fb1cc638bd7398aeb851381b7c2535e4a8d062605
Instruction Fuzzy Hash: A7F16E71E10209CFDB14DFA6C948B9DBBF1BF48304F258969E405AB2A5DBB4A945CF80

Function 0793B8A0 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2548503996.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7930000_NUGMrDcg4v.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b139425555faf958596be524b322f4edf5b6941a6670b9cbb6ac51f7dd53fe6
Instruction ID: d68701780eee09e84fffcc80d80efd6040f7c9846cf4982985d2a845fa050bf9
Opcode Fuzzy Hash: 9b139425555faf958596be524b322f4edf5b6941a6670b9cbb6ac51f7dd53fe6
Instruction Fuzzy Hash: 74B170F0E0020ACFDB10CFA9D8957ADBBF6BF48318F148529D415E7254EB749845CB81

Function 0793AC88 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2548503996.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7930000_NUGMrDcg4v.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6307cad36f38e81cdf63d730542d2c90dec2f6fe424aeeb233212eaa3f7cee0
Instruction ID: d0fd658dbe8f95ac1309daf47055d9a7a9a4a92ce0d91e8ed9c39d3fb20ed3d0
Opcode Fuzzy Hash: e6307cad36f38e81cdf63d730542d2c90dec2f6fe424aeeb233212eaa3f7cee0
Instruction Fuzzy Hash: 8B916EB0E0020A9FDB14CFA9C98579EBBF6FF88318F14C529E455A7294EB749845CB41

Function 01716F90 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2544201475.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1710000_NUGMrDcg4v.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19fa57f08c71568ae97b69ad706d61ad9b88b7b509b53c1451a37dcac15d18ad
Instruction ID: 875158c454fe3ff05944bd7912b678ee945636995c2b4d15cfe7ee463222c538
Opcode Fuzzy Hash: 19fa57f08c71568ae97b69ad706d61ad9b88b7b509b53c1451a37dcac15d18ad
Instruction Fuzzy Hash: 0D81C274E002189FDF08DFA9D994AEEBBB2FF88300F248129D415AB364DB755941CF90

Function 01713E28 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2544201475.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1710000_NUGMrDcg4v.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 761917c304869540b85fcc4b10ad59938934723a8d3cd338ad67f65e8d9cc1a0
Instruction ID: a546a92e202da649b7f733b3a2ec68a26258a454dcbfe519409e5ef3a84417e9
Opcode Fuzzy Hash: 761917c304869540b85fcc4b10ad59938934723a8d3cd338ad67f65e8d9cc1a0
Instruction Fuzzy Hash: 5781B174E012189FDF08DFA9D994AEEBBB2FF89300F248129D415AB364DA755941CF90

Function 07930DF0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2548503996.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7930000_NUGMrDcg4v.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3c0ce5b2af27e976477d0845a49dfc81c19a90da3731300847f74a54352c99e
Instruction ID: a008064621fa5868420455d71cf1b2a84c3cade2afcd99914c187b70520cd48d
Opcode Fuzzy Hash: b3c0ce5b2af27e976477d0845a49dfc81c19a90da3731300847f74a54352c99e
Instruction Fuzzy Hash: 052115B1E046088BEB18CF6BD9053DEBBF7AFC9310F04C46AD408B6264EB7409458F90

Function 07930E00 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2548503996.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7930000_NUGMrDcg4v.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a7b918c6423a26ae79c51d3372734aa87448fac54a635a47607c99d8a18d22f
Instruction ID: c6128ea284525b8af8b4f0a70bf9277a54a4738246cde148b25914a503ab9b3e
Opcode Fuzzy Hash: 0a7b918c6423a26ae79c51d3372734aa87448fac54a635a47607c99d8a18d22f
Instruction Fuzzy Hash: 3C11C6B1E046188BEB18CF6BD9453DEFAF7AFC9304F04C56AD40976264EB7409468F90

Function 0171B1C8 Relevance: 1.7, APIs: 1, Instructions: 196
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0171B41E

Memory Dump Source

Source File: 00000000.00000002.2544201475.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1710000_NUGMrDcg4v.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: a1cb82f90776a787306464d5e5974664b949f6f1702463d4331a7b8baeff7f9a
Instruction ID: ed21820512fc7662eef61b4b41157027a9c0f517dc7755ecd81a09d8e745c0db
Opcode Fuzzy Hash: a1cb82f90776a787306464d5e5974664b949f6f1702463d4331a7b8baeff7f9a
Instruction Fuzzy Hash: 6C714670A00B058FE724CF6ED44579ABBF1FF48214F008A2ED48AD7A54DB74E949CB91

Function 0171590C Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 017159C9

Memory Dump Source

Source File: 00000000.00000002.2544201475.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1710000_NUGMrDcg4v.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: e74ddcd81e2581c0ec07de08565a270a34bec664992a6899e1dee98ead304a10
Instruction ID: 5616c49abc3e8b9939314b24d94f0d23e40314389b48e589a2c9d339b77484bd
Opcode Fuzzy Hash: e74ddcd81e2581c0ec07de08565a270a34bec664992a6899e1dee98ead304a10
Instruction Fuzzy Hash: D541C171C00719CBEB28DFA9C884BDEFBB5BF49304F24815AD408AB255DBB56945CF50

Function 05611264 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 05614381

Memory Dump Source

Source File: 00000000.00000002.2546797993.0000000005610000.00000040.00000800.00020000.00000000.sdmp, Offset: 05610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5610000_NUGMrDcg4v.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: e4f37138e35995a6b61360300ea70185714f28c703082d9610e356a123e95abd
Instruction ID: ebbd87741d5af4d282d61b4b41e69a803a9d7caa6aa59f22182f39ff10a905f3
Opcode Fuzzy Hash: e4f37138e35995a6b61360300ea70185714f28c703082d9610e356a123e95abd
Instruction Fuzzy Hash: BE4149B59003098FCB14CF96C488BAEFBF5FF89311F288459E419AB321D734A841CBA4

Function 017144B0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 017159C9

Memory Dump Source

Source File: 00000000.00000002.2544201475.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1710000_NUGMrDcg4v.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 7b3acbc966430108a92c3a6144b9e127fc817344d5be15158cc73bb4cb728c61
Instruction ID: e20c43acb8b3baca162bc33e8d7d3fac2ce96c97d501c6e7053ab8176ad0ec7e
Opcode Fuzzy Hash: 7b3acbc966430108a92c3a6144b9e127fc817344d5be15158cc73bb4cb728c61
Instruction Fuzzy Hash: 1D41B271C00719CBEB28DFA9C884B9EFBB5FF49304F60816AD408AB255DBB56945CF90

Function 0793C608 Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNEL32(00000000,?), ref: 0793C687

Memory Dump Source

Source File: 00000000.00000002.2548503996.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7930000_NUGMrDcg4v.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: e49952d77688abd8940b892498b7180a9e8f9109952cb5c0ab1a78d1a769e83c
Instruction ID: b7bbef4bede6839e48fdfef0aeb49cb21f283a4d0d23d8928566fb509b7b7330
Opcode Fuzzy Hash: e49952d77688abd8940b892498b7180a9e8f9109952cb5c0ab1a78d1a769e83c
Instruction Fuzzy Hash: 682148B2C0075A8FCB14CF9AD5857EEBBF4AF49214F14842AE459B3241D378A944CF61

Function 0171B0B4 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0171D66E,?,?,?,?,?), ref: 0171D72F

Memory Dump Source

Source File: 00000000.00000002.2544201475.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1710000_NUGMrDcg4v.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c393ae0ccac495b4f65c474a5647ae4a22feafb6581d689e2ce464ec623211a4
Instruction ID: e9173927c71368ca560b91285f207e7bdb43d641301a54152ce29d01a3d0de28
Opcode Fuzzy Hash: c393ae0ccac495b4f65c474a5647ae4a22feafb6581d689e2ce464ec623211a4
Instruction Fuzzy Hash: A021E6B5900349AFDB10CF9AD484ADEFBF4FB48310F54841AE918A7310D378A944CFA5

Function 0171D6A1 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0171D66E,?,?,?,?,?), ref: 0171D72F

Memory Dump Source

Source File: 00000000.00000002.2544201475.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1710000_NUGMrDcg4v.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 2358e877e130b5909c5c5e769739d32c6640128b29ba88805749996085420bdf
Instruction ID: dd72c07226532e79f0515a2c0296791bf191836eb108c2245b4f8d5194682f19
Opcode Fuzzy Hash: 2358e877e130b5909c5c5e769739d32c6640128b29ba88805749996085420bdf
Instruction Fuzzy Hash: E821B3B59003499FDB10CF99D984AEEBBF5EB48320F54841AE918A7350D378A944CF65

Function 0171B3B8 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0171B41E

Memory Dump Source

Source File: 00000000.00000002.2544201475.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1710000_NUGMrDcg4v.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: d861e3290ffec636beeb49e594255bb3460cd2d90506d0f728cbd18c27a3bd6b
Instruction ID: cc7b364f3fced726ea368e83c26b701dac3761b1b4f9de4acced5f25df43a38a
Opcode Fuzzy Hash: d861e3290ffec636beeb49e594255bb3460cd2d90506d0f728cbd18c27a3bd6b
Instruction Fuzzy Hash: 141110B6C003498FDB24CF9AD444BDEFBF4EB88224F14842AD828A7214C379A545CFA1

Function 0B10C758 Relevance: 1.5, APIs: 1, Instructions: 46
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 0B10DD3D

Memory Dump Source

Source File: 00000000.00000002.2549111742.000000000B100000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b100000_NUGMrDcg4v.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 8023b1d30c93247fe29127a1d8d226eb7b94e74ba12b5177c5a8a2b58fae04c6
Instruction ID: 3fad9bc7bad13b5143ce3fdbc6e2223e92be46118d582604fa8969a13125845e
Opcode Fuzzy Hash: 8023b1d30c93247fe29127a1d8d226eb7b94e74ba12b5177c5a8a2b58fae04c6
Instruction Fuzzy Hash: A21118B59003498FCB20DF9AD544BDEFBF4EB48310F108459D918A7240C7B4A944CFA5

Function 0B10DCE1 Relevance: 1.5, APIs: 1, Instructions: 45
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 0B10DD3D

Memory Dump Source

Source File: 00000000.00000002.2549111742.000000000B100000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b100000_NUGMrDcg4v.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 1c5801f5ca05d3973dfd15e9101d4adf55aca6e5f816975c64301c53ed3daf12
Instruction ID: 98b541cca1a545b480d7c62472f8243b7c297ca04563e09ad64e1cdd67e625f4
Opcode Fuzzy Hash: 1c5801f5ca05d3973dfd15e9101d4adf55aca6e5f816975c64301c53ed3daf12
Instruction Fuzzy Hash: 411115B5D003498FCB20DF9AD845BDEFBF4EB48320F248569D518A7240D774A544CFA5

Function 0164D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2543814403.000000000164D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0164D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_164d000_NUGMrDcg4v.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6c1a7884c981bbc90e5a1e94542b55efab3ca201483e306431fd292b2408050
Instruction ID: fd08b69c108db129f12f6bc60bf1e03a059e54ca0457155c825f26d8319391a0
Opcode Fuzzy Hash: b6c1a7884c981bbc90e5a1e94542b55efab3ca201483e306431fd292b2408050
Instruction Fuzzy Hash: 7A2128B5904204DFDB05DF54DDC0B5ABB65FBA4324F24C16DE90A0B356C33AE456CAA2

Function 0165D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2543884964.000000000165D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0165D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_165d000_NUGMrDcg4v.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f459af5d0abdbadc7a9c6055d2dc58ae5778ccfbaab7b054f683858636aed40
Instruction ID: 28c901c816524091027660f338eb99896ec7c55d87aa54b32258e42e4175ecee
Opcode Fuzzy Hash: 6f459af5d0abdbadc7a9c6055d2dc58ae5778ccfbaab7b054f683858636aed40
Instruction Fuzzy Hash: 472122B1504300EFDB45DF94C9C0B26BBA1FB84324F24C56DEE0A4B386C376D846CA62

Function 0165D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2543884964.000000000165D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0165D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_165d000_NUGMrDcg4v.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e74d5582a8a050dd66be0300173edb181ec14271af4f47dc034e10a7a55183d
Instruction ID: dc0bc6d4d5cb1ca202546f05ebc158879642cffc51640fd64fad6b050d09df4a
Opcode Fuzzy Hash: 1e74d5582a8a050dd66be0300173edb181ec14271af4f47dc034e10a7a55183d
Instruction Fuzzy Hash: 32212FB1604300DFDB55DF64D8C0B26BBA1EB88324F24C56DEC0A4B386C33AD847CA62

Function 0165D005 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2543884964.000000000165D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0165D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_165d000_NUGMrDcg4v.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cada62b6f03a3efeb125db7ae30388dd2c983c7da5e9dccdce3e05e4bcfffefe
Instruction ID: 3d65b332e810719ce991894538d5c275b3582dee10c7ebea86f64deb7404a2b5
Opcode Fuzzy Hash: cada62b6f03a3efeb125db7ae30388dd2c983c7da5e9dccdce3e05e4bcfffefe
Instruction Fuzzy Hash: 03218E755083809FDB03CF64D994B15BF71EB46214F28C5EAD8498F2A7C33A980ACB62

Function 0164D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2543814403.000000000164D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0164D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_164d000_NUGMrDcg4v.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2c4bb083ffa01750429338de36c7bd8c3c5b68e8b11f755f55576fea2132e6f
Instruction ID: 8e9b1ecea3471da23c10af705a87d196ba5bbe059c7271b93c2648579c120dac
Opcode Fuzzy Hash: c2c4bb083ffa01750429338de36c7bd8c3c5b68e8b11f755f55576fea2132e6f
Instruction Fuzzy Hash: 2611CD76804240DFDB12CF54D9C0B56BF71FB94224F2482A9D8090A656C33AE456CBA1

Function 0165D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2543884964.000000000165D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0165D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_165d000_NUGMrDcg4v.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3f327db0e2ed1f5e683527615b2bec1ac9a86c970599db5efe8bf84bff6eed3
Instruction ID: c7d1e6f87410f8c08ee618150bb5557f1cd04a786b01224f7b26cb37abae6200
Opcode Fuzzy Hash: d3f327db0e2ed1f5e683527615b2bec1ac9a86c970599db5efe8bf84bff6eed3
Instruction Fuzzy Hash: 5E11BB75504280DFDB12CF54C9C0B15BBB1FB84224F28C6AEDD494B796C33AD44ACB61

Function 0164D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2543814403.000000000164D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0164D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_164d000_NUGMrDcg4v.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a4a0e7fcd4662799097a53034307e21e2540be23139626babac362f6cb3c771
Instruction ID: fb37874dbb76c241b8610a6fe526cf2ee9fcbaa2160b6acf57beeba78b8ef51e
Opcode Fuzzy Hash: 7a4a0e7fcd4662799097a53034307e21e2540be23139626babac362f6cb3c771
Instruction Fuzzy Hash: 5E01F7718043809BF720DE55CD84B76BF98EF52234F18C55AED090B382D3799441CA71

Function 0164D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2543814403.000000000164D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0164D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_164d000_NUGMrDcg4v.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1606adf366ba4aa4845ed9199de661eac821a51cdd67ab160e8efcda3c115333
Instruction ID: 9001969b511c4c96ef8b7e06906e869d964fb8cc91365a5f3ce242de2fb2052b
Opcode Fuzzy Hash: 1606adf366ba4aa4845ed9199de661eac821a51cdd67ab160e8efcda3c115333
Instruction Fuzzy Hash: A5F04F714053849FE7248E19CD88B72FF98EB51634F18C55AED484B386C3799844CAA1

Non-executed Functions

Function 0B108928 Relevance: .5, Instructions: 468COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2549111742.000000000B100000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b100000_NUGMrDcg4v.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4274bde7e2b3507ba55af66813eb6e268457b661f311012d375afe571f0d83ae
Instruction ID: 5e8bba2733f6c9848da841972111cbc4f078330ac08a7261f50120e7872fa3eb
Opcode Fuzzy Hash: 4274bde7e2b3507ba55af66813eb6e268457b661f311012d375afe571f0d83ae
Instruction Fuzzy Hash: 78124B30A14219CFDB28DF69C954B9EB7B2BF89301F2085A9D40AAB395DF709D81CF50

Function 05610040 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2546797993.0000000005610000.00000040.00000800.00020000.00000000.sdmp, Offset: 05610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5610000_NUGMrDcg4v.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be11e49c41c9ae8f3abecd4af153394ee3beccf6a421e50b2ee2faaafb6a2f4c
Instruction ID: adde28c892a42deed47522f65f7246fdeb5c4cbc55cdac30c66a257f77fc9b84
Opcode Fuzzy Hash: be11e49c41c9ae8f3abecd4af153394ee3beccf6a421e50b2ee2faaafb6a2f4c
Instruction Fuzzy Hash: 741277B04A27858AE710CF6DE95E1893F71BB45318FD0431AE2A15B2E1EFB4164EEF44

Function 07934708 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2548503996.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7930000_NUGMrDcg4v.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d8b8531664e35e20e90e69e8b2aa5ad76e09106badc926a25de538a59adb3e8
Instruction ID: 567f4c5f342111a15c43ed27550987eb99585dadac0a79409f934f3ed4796fb6
Opcode Fuzzy Hash: 2d8b8531664e35e20e90e69e8b2aa5ad76e09106badc926a25de538a59adb3e8
Instruction Fuzzy Hash: ABE119B4E002598FDB14CFA9C580AAEFBB6FF89304F2481A9D455AB359D734AD41CF60

Function 07933E98 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2548503996.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7930000_NUGMrDcg4v.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d3c1056564e2fbe34672ff5c3282ff76c470a0e127d2a89c524af755f61dcb0
Instruction ID: 3db1fe7073f14352ca54cd7f6c1a06dab28013681a922ad06ab126133016b307
Opcode Fuzzy Hash: 8d3c1056564e2fbe34672ff5c3282ff76c470a0e127d2a89c524af755f61dcb0
Instruction Fuzzy Hash: BFE108B4E002598FDB14CFA9C580AAEBBF6FF89304F248169D455AB359D734AD41CFA0

Function 07935E30 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2548503996.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7930000_NUGMrDcg4v.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f3a8ba6d62321538cb1c8022bdf4eb36f94cdb414712bc5024aaaa288a50c3
Instruction ID: beabd90516664d67e5a0ff4acee26a24764385980c2af1a7f96a96c8cecb7156
Opcode Fuzzy Hash: d8f3a8ba6d62321538cb1c8022bdf4eb36f94cdb414712bc5024aaaa288a50c3
Instruction Fuzzy Hash: 09E109B4E002198FDB14CFA9C580AAEFBB6FF89304F248169E455AB359D734AD41CF61

Function 079342D0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2548503996.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7930000_NUGMrDcg4v.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 603bede1edfafbeafd3d298624e6e4806845065c1de67d8ef092b9de9f0f1253
Instruction ID: 1f02f13e9741487605a1d85f8f95d26ff914fefc53222f728ef2a90942502019
Opcode Fuzzy Hash: 603bede1edfafbeafd3d298624e6e4806845065c1de67d8ef092b9de9f0f1253
Instruction Fuzzy Hash: 2DE108B4E002598FDB14CFA9C580AAEBBF6FF89304F24816AD455AB359D734AD41CF60

Function 079359F8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2548503996.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7930000_NUGMrDcg4v.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b0349390bea364ce72ef9566e4c285db7bc8440133d844e8590dd667d49718a
Instruction ID: 5e78553ccfd8e2d2f68221dc63a97fbeab573ce669a589a03b3b83bb219bce15
Opcode Fuzzy Hash: 4b0349390bea364ce72ef9566e4c285db7bc8440133d844e8590dd667d49718a
Instruction Fuzzy Hash: D6E1F9B4E002198FDB14CFA9C580AAEFBB6FF89304F248169D455AB359D735AD41CFA0

Function 0793AFD0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2548503996.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7930000_NUGMrDcg4v.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0494a18fb420283e3b556f1b0a6b49c76f6aa539b52f2cde23e0ceea5aeb031a
Instruction ID: 442bba55a0570a00d43247b8bcc853a7e510366d81e44831e2673ff41d88429e
Opcode Fuzzy Hash: 0494a18fb420283e3b556f1b0a6b49c76f6aa539b52f2cde23e0ceea5aeb031a
Instruction Fuzzy Hash: 93B151F0E0025ACFDB14CFA9D885BAEBBF6BF48318F148529D415AB254EB749841CB81

Function 0171DFB4 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2544201475.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1710000_NUGMrDcg4v.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf4bb8cf9bcee569f1ded6703481b633cdc023c1b89e4cceff3ac2fd9ff90bb1
Instruction ID: 1ab9e14d76b6db0eb662ed7d966ee86337e35304910ca0c71565da7c24d1a2be
Opcode Fuzzy Hash: bf4bb8cf9bcee569f1ded6703481b633cdc023c1b89e4cceff3ac2fd9ff90bb1
Instruction Fuzzy Hash: 49A14F32E002168FCF09DFB9C94459EFBB2FF85300B25456AE905AB269DF71D95ACB40

Function 05610006 Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2546797993.0000000005610000.00000040.00000800.00020000.00000000.sdmp, Offset: 05610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5610000_NUGMrDcg4v.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30486c0af850c573553422b4027315c46e347c9c34f462ea2dcc10fc3c4235eb
Instruction ID: 153cbc5c916c6e998d043cf4d414e231af406994a608bf9a8c549625079d1905
Opcode Fuzzy Hash: 30486c0af850c573553422b4027315c46e347c9c34f462ea2dcc10fc3c4235eb
Instruction Fuzzy Hash: 24D13CB04A27858FE710CF6CE85A1893FB1BB81324F95431AE1616B2D1EFB4158EEF44

Function 07933E88 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2548503996.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7930000_NUGMrDcg4v.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c15a72e5399b5ac619fc750a2978d8ab1f3e4257f3d500057094562465ffbbf
Instruction ID: 68df3ed0dcb7d1e654f59893e0400b5ad66b0012e909a30b62f0c1c6edbd2c93
Opcode Fuzzy Hash: 0c15a72e5399b5ac619fc750a2978d8ab1f3e4257f3d500057094562465ffbbf
Instruction Fuzzy Hash: 7D5129B5E002198FDB14CFA9C5809AEFBF6FF89304F2481AAD418AB255D7359941CFA0

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report NUGMrDcg4v.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Windows Analysis Report
NUGMrDcg4v.exe

Function 05616C98 Relevance: 3.7, Strings: 1, Instructions: 2427
COMMON

Function 05616CC8 Relevance: 3.7, Strings: 1, Instructions: 2412
COMMON

Function 07939380 Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Function 0171B1C8 Relevance: 1.7, APIs: 1, Instructions: 196
COMMON

Function 0171590C Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Function 05611264 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Function 017144B0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 0793C608 Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Function 0171B0B4 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 0171D6A1 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Function 0171B3B8 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Function 0B10C758 Relevance: 1.5, APIs: 1, Instructions: 46
comCOMMON

Function 0B10DCE1 Relevance: 1.5, APIs: 1, Instructions: 45
comCOMMON