Edit tour

Windows Analysis Report
1dVtYIvfHz.exe

Overview

General Information

Sample name:	1dVtYIvfHz.exe renamed because original name is a hash value
Original sample name:	d0508d226f04b0503cfdc31bf103ac1f3cab29dc82a491563c4f2445205f54b9.exe
Analysis ID:	1588686
MD5:	dd166953bab4ff2e913a184718bd62e9
SHA1:	000643ef1830df120c108554f96f0c0118686940
SHA256:	d0508d226f04b0503cfdc31bf103ac1f3cab29dc82a491563c4f2445205f54b9
Tags:	exeuser-adrian__luca
Infos:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Machine Learning detection for sample

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

1dVtYIvfHz.exe (PID: 7312 cmdline: "C:\Users\user\Desktop\1dVtYIvfHz.exe" MD5: DD166953BAB4FF2E913A184718BD62E9)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 1dVtYIvfHz.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: 1dVtYIvfHz.exe	ReversingLabs: Detection: 57%
Source: 1dVtYIvfHz.exe	Virustotal: Detection: 37%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.6% probability

Machine Learning detection for sample

Source: 1dVtYIvfHz.exe

Joe Sandbox ML: detected

Source: 1dVtYIvfHz.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 1dVtYIvfHz.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: global traffic	HTTP traffic detected: GET /salad/Cxjokei.dat HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /salad/Cxjokei.dat HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /salad/Cxjokei.dat HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /salad/Cxjokei.dat HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /salad/Cxjokei.dat HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /salad/Cxjokei.dat HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /salad/Cxjokei.dat HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /salad/Cxjokei.dat HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /salad/Cxjokei.dat HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 45.9.191.182 45.9.191.182

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /salad/Cxjokei.dat HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /salad/Cxjokei.dat HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /salad/Cxjokei.dat HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /salad/Cxjokei.dat HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /salad/Cxjokei.dat HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /salad/Cxjokei.dat HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /salad/Cxjokei.dat HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /salad/Cxjokei.dat HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /salad/Cxjokei.dat HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: xianggrhen.com

Source: 1dVtYIvfHz.exe	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: 1dVtYIvfHz.exe	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: 1dVtYIvfHz.exe	String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: 1dVtYIvfHz.exe	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: 1dVtYIvfHz.exe	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: 1dVtYIvfHz.exe	String found in binary or memory: http://crl.globalsign.com/root.crl0G
Source: 1dVtYIvfHz.exe	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: 1dVtYIvfHz.exe	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: 1dVtYIvfHz.exe	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: 1dVtYIvfHz.exe	String found in binary or memory: http://ocsp.globalsign.com/rootr103
Source: 1dVtYIvfHz.exe	String found in binary or memory: http://ocsp.globalsign.com/rootr30;
Source: 1dVtYIvfHz.exe	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: 1dVtYIvfHz.exe, 00000000.00000002.3216503548.0000000003136000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 1dVtYIvfHz.exe	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: 1dVtYIvfHz.exe	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: 1dVtYIvfHz.exe	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: 1dVtYIvfHz.exe	String found in binary or memory: http://secure.globalsign.com/cacert/root-r3.crt06
Source: 1dVtYIvfHz.exe, 00000000.00000002.3216503548.0000000003151000.00000004.00000800.00020000.00000000.sdmp, 1dVtYIvfHz.exe, 00000000.00000002.3216503548.000000000318C000.00000004.00000800.00020000.00000000.sdmp, 1dVtYIvfHz.exe, 00000000.00000002.3216503548.0000000003136000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://xianggrhen.com
Source: 1dVtYIvfHz.exe, 00000000.00000002.3216503548.00000000030E1000.00000004.00000800.00020000.00000000.sdmp, 1dVtYIvfHz.exe, 00000000.00000002.3216503548.00000000030D9000.00000004.00000800.00020000.00000000.sdmp, 1dVtYIvfHz.exe, 00000000.00000002.3216503548.00000000030C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://xianggrhen.com/salad/Cxjokei.dat
Source: 1dVtYIvfHz.exe, 00000000.00000002.3216503548.0000000003180000.00000004.00000800.00020000.00000000.sdmp, 1dVtYIvfHz.exe, 00000000.00000002.3216503548.0000000003136000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://xianggrhen.com/salad/Cxjokei.datl
Source: 1dVtYIvfHz.exe, 00000000.00000002.3216503548.0000000003186000.00000004.00000800.00020000.00000000.sdmp, 1dVtYIvfHz.exe, 00000000.00000002.3216503548.0000000003178000.00000004.00000800.00020000.00000000.sdmp, 1dVtYIvfHz.exe, 00000000.00000002.3216503548.0000000003196000.00000004.00000800.00020000.00000000.sdmp, 1dVtYIvfHz.exe, 00000000.00000002.3216503548.000000000315A000.00000004.00000800.00020000.00000000.sdmp, 1dVtYIvfHz.exe, 00000000.00000002.3216503548.0000000003180000.00000004.00000800.00020000.00000000.sdmp, 1dVtYIvfHz.exe, 00000000.00000002.3216503548.000000000318C000.00000004.00000800.00020000.00000000.sdmp, 1dVtYIvfHz.exe, 00000000.00000002.3216503548.000000000317A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://xianggrhen.comD
Source: 1dVtYIvfHz.exe, 00000000.00000002.3216503548.0000000003151000.00000004.00000800.00020000.00000000.sdmp, 1dVtYIvfHz.exe, 00000000.00000002.3216503548.000000000318C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://xianggrhen.comd
Source: 1dVtYIvfHz.exe	String found in binary or memory: https://www.globalsign.com/repository/0

Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Code function: 0_2_02F5E5F4	0_2_02F5E5F4
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Code function: 0_2_02F5F4F8	0_2_02F5F4F8
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Code function: 0_2_02F5F4E8	0_2_02F5F4E8

Source: 1dVtYIvfHz.exe

Static PE information: invalid certificate

Source: 1dVtYIvfHz.exe, 00000000.00000002.3216006053.000000000143E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 1dVtYIvfHz.exe
Source: 1dVtYIvfHz.exe, 00000000.00000000.1368042891.0000000000D3A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameYbkkuyi.exe vs 1dVtYIvfHz.exe
Source: 1dVtYIvfHz.exe	Binary or memory string: OriginalFilenameYbkkuyi.exe vs 1dVtYIvfHz.exe

Source: 1dVtYIvfHz.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal64.winEXE@1/0@1/1

Source: C:\Users\user\Desktop\1dVtYIvfHz.exe

Mutant created: NULL

Source: 1dVtYIvfHz.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 1dVtYIvfHz.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\1dVtYIvfHz.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 1dVtYIvfHz.exe	ReversingLabs: Detection: 57%
Source: 1dVtYIvfHz.exe	Virustotal: Detection: 37%

Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Users\user\Desktop\1dVtYIvfHz.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: 1dVtYIvfHz.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 1dVtYIvfHz.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\1dVtYIvfHz.exe

Code function: 0_2_02F5EFC0 pushfd ; retf

0_2_02F5EFC1

Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Memory allocated: 2E90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Memory allocated: 3070000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Memory allocated: 2E90000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\1dVtYIvfHz.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Window / User API: threadDelayed 886			Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Window / User API: threadDelayed 1019			Jump to behavior

Source: C:\Users\user\Desktop\1dVtYIvfHz.exe TID: 7384	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe TID: 7384	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe TID: 7412	Thread sleep count: 886 > 30	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe TID: 7836	Thread sleep count: 1019 > 30	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe TID: 7384	Thread sleep time: -85656s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Thread delayed: delay time: 85656	Jump to behavior

Source: 1dVtYIvfHz.exe, 00000000.00000002.3216006053.000000000148C000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\1dVtYIvfHz.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\1dVtYIvfHz.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Queries volume information: C:\Users\user\Desktop\1dVtYIvfHz.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1dVtYIvfHz.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\1dVtYIvfHz.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	31 Virtualization/Sandbox Evasion	LSASS Memory	31 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	12 System Information Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
1dVtYIvfHz.exe	58%	ReversingLabs	Win32.Trojan.Jalapeno
1dVtYIvfHz.exe	38%	Virustotal		Browse
1dVtYIvfHz.exe	100%	Avira	TR/Dropper.Gen7
1dVtYIvfHz.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://xianggrhen.com/salad/Cxjokei.datl	0%	Avira URL Cloud	safe
http://xianggrhen.com/salad/Cxjokei.dat	0%	Avira URL Cloud	safe
http://xianggrhen.comD	0%	Avira URL Cloud	safe
http://xianggrhen.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false		high
xianggrhen.com	45.9.191.182	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://xianggrhen.com/salad/Cxjokei.dat	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://xianggrhen.com/salad/Cxjokei.datl	1dVtYIvfHz.exe, 00000000.00000002.3216503548.0000000003180000.00000004.00000800.00020000.00000000.sdmp, 1dVtYIvfHz.exe, 00000000.00000002.3216503548.0000000003136000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://xianggrhen.com	1dVtYIvfHz.exe, 00000000.00000002.3216503548.0000000003151000.00000004.00000800.00020000.00000000.sdmp, 1dVtYIvfHz.exe, 00000000.00000002.3216503548.000000000318C000.00000004.00000800.00020000.00000000.sdmp, 1dVtYIvfHz.exe, 00000000.00000002.3216503548.0000000003136000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	1dVtYIvfHz.exe, 00000000.00000002.3216503548.0000000003136000.00000004.00000800.00020000.00000000.sdmp	false		high
http://xianggrhen.comD	1dVtYIvfHz.exe, 00000000.00000002.3216503548.0000000003186000.00000004.00000800.00020000.00000000.sdmp, 1dVtYIvfHz.exe, 00000000.00000002.3216503548.0000000003178000.00000004.00000800.00020000.00000000.sdmp, 1dVtYIvfHz.exe, 00000000.00000002.3216503548.0000000003196000.00000004.00000800.00020000.00000000.sdmp, 1dVtYIvfHz.exe, 00000000.00000002.3216503548.000000000315A000.00000004.00000800.00020000.00000000.sdmp, 1dVtYIvfHz.exe, 00000000.00000002.3216503548.0000000003180000.00000004.00000800.00020000.00000000.sdmp, 1dVtYIvfHz.exe, 00000000.00000002.3216503548.000000000318C000.00000004.00000800.00020000.00000000.sdmp, 1dVtYIvfHz.exe, 00000000.00000002.3216503548.000000000317A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://xianggrhen.comd	1dVtYIvfHz.exe, 00000000.00000002.3216503548.0000000003151000.00000004.00000800.00020000.00000000.sdmp, 1dVtYIvfHz.exe, 00000000.00000002.3216503548.000000000318C000.00000004.00000800.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
45.9.191.182	xianggrhen.com	Germany		47583	AS-HOSTINGERLT	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588686
Start date and time:	2025-01-11 04:17:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 37s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	1dVtYIvfHz.exe renamed because original name is a hash value
Original Sample Name:	d0508d226f04b0503cfdc31bf103ac1f3cab29dc82a491563c4f2445205f54b9.exe
Detection:	MAL
Classification:	mal64.winEXE@1/0@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 10 Number of non-executed functions: 3
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.175.87.197
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
45.9.191.182	oe8KMVNFEG.exe	Get hash	malicious	Unknown	Browse	xianggrhen.com/salad/Ekaopt.mp4
	oe8KMVNFEG.exe	Get hash	malicious	Unknown	Browse	xianggrhen.com/salad/Ekaopt.mp4
	PqJockhBoA.exe	Get hash	malicious	Unknown	Browse	xianggrhen.com/basket/Snobzw.vdf
	PqJockhBoA.exe	Get hash	malicious	Unknown	Browse	xianggrhen.com/basket/Snobzw.vdf
	EZ9o9I0iW9.exe	Get hash	malicious	Unknown	Browse	xianggrhen.com/book/Fvrbzpfzrm.vdf
	EZ9o9I0iW9.exe	Get hash	malicious	Unknown	Browse	xianggrhen.com/book/Fvrbzpfzrm.vdf
	rDecPayment_Swi.exe	Get hash	malicious	Unknown	Browse	xianggrhen.com/book/Netnoyfq.mp3
	10thDecember2024SWIFT-40111-34000-5410-24532-10477-65011-239605.exe	Get hash	malicious	Unknown	Browse	xianggrhen.com/composure/Emmaj.vdf
	LE-Y5029-D3948-W3029-K4302-Q20930-R4039-Y4938-E3028-LA3829-D300.exe	Get hash	malicious	Unknown	Browse	xianggrhen.com/composure/Vuglyxyuvio.pdf

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.t-msedge.net	FJRUb5lb9m.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	5hD3Yjf7xD.exe	Get hash	malicious	AgentTesla	Browse	13.107.246.45
	02Eh1ah35H.exe	Get hash	malicious	GuLoader	Browse	13.107.246.45
	AJ5zYYsisA.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	suBpo1g13Q.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	1297823757234143258.js	Get hash	malicious	Strela Downloader	Browse	13.107.246.45
	4N4nldx1wW.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	1487427797195518826.js	Get hash	malicious	Strela Downloader	Browse	13.107.246.45
	5by4QM3v89.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	uEuTtkxAqq.exe	Get hash	malicious	AgentTesla	Browse	13.107.246.45
xianggrhen.com	oe8KMVNFEG.exe	Get hash	malicious	Unknown	Browse	45.9.191.182
	oe8KMVNFEG.exe	Get hash	malicious	Unknown	Browse	45.9.191.182
	PqJockhBoA.exe	Get hash	malicious	Unknown	Browse	45.9.191.182
	PqJockhBoA.exe	Get hash	malicious	Unknown	Browse	45.9.191.182
	EZ9o9I0iW9.exe	Get hash	malicious	Unknown	Browse	45.9.191.182
	EZ9o9I0iW9.exe	Get hash	malicious	Unknown	Browse	45.9.191.182
	rDecPayment_Swi.exe	Get hash	malicious	Unknown	Browse	45.9.191.182
	10thDecember2024SWIFT-40111-34000-5410-24532-10477-65011-239605.exe	Get hash	malicious	Unknown	Browse	45.9.191.182
	LE-Y5029-D3948-W3029-K4302-Q20930-R4039-Y4938-E3028-LA3829-D300.exe	Get hash	malicious	Unknown	Browse	45.9.191.182

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AS-HOSTINGERLT	oe8KMVNFEG.exe	Get hash	malicious	Unknown	Browse	45.9.191.182
	oe8KMVNFEG.exe	Get hash	malicious	Unknown	Browse	45.9.191.182
	PqJockhBoA.exe	Get hash	malicious	Unknown	Browse	45.9.191.182
	PqJockhBoA.exe	Get hash	malicious	Unknown	Browse	45.9.191.182
	EZ9o9I0iW9.exe	Get hash	malicious	Unknown	Browse	45.9.191.182
	EZ9o9I0iW9.exe	Get hash	malicious	Unknown	Browse	45.9.191.182
	Employee_Letter.pdf	Get hash	malicious	HTMLPhisher	Browse	92.249.45.121
	rDecPayment_Swi.exe	Get hash	malicious	Unknown	Browse	45.9.191.182
	10thDecember2024SWIFT-40111-34000-5410-24532-10477-65011-239605.exe	Get hash	malicious	Unknown	Browse	45.9.191.182

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.671888719535908
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	1dVtYIvfHz.exe
File size:	351'976 bytes
MD5:	dd166953bab4ff2e913a184718bd62e9
SHA1:	000643ef1830df120c108554f96f0c0118686940
SHA256:	d0508d226f04b0503cfdc31bf103ac1f3cab29dc82a491563c4f2445205f54b9
SHA512:	3b50152dc512a3512e9ec4db1abeb3664cfe8157062d6ee31f79b4285b71e352e498e24871f97a3b08226874cc100b3b79537d6cb625cb8f59ef575da80bf933
SSDEEP:	6144:yPswcSsJbPusU/NRaHreSnX7beS/bCfgH4e5:yEJbbUnqtygYy
TLSH:	3E7408C4EFD5C46AC69801F4E05D1A05D2B0A0C963B38F462AAB97BC16E774DDCCE2E5
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...U.Og.................j............... ........@.. ....................................`................................

File Icon


Icon Hash:	3b5bdb2b1b0b0b0b

Static PE Info

General

Entrypoint:	0x42888e
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x674FDA55 [Wed Dec 4 04:28:05 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=GlobalSign GCC R45 EV CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	24/08/2022 15:29:13 06/11/2025 13:58:18
Subject Chain	E=info@globosoft.it, CN=Globosoft S.R.L., O=Globosoft S.R.L., STREET=VIA CARLO BERNARI 87, L=Roma, S=Roma, C=IT, OID.1.3.6.1.4.1.311.60.2.1.3=IT, SERIALNUMBER=12054021006, OID.2.5.4.15=Private Organization
Version:	3
Thumbprint MD5:	7CCFAD288E8558FC98E706899C386B07
Thumbprint SHA-1:	71613B85A7BED5AA589F5F6E24D5283BDAEA4766
Thumbprint SHA-256:	B70F6F6379A71B36BB4D65649E37F9B5D3C8208E54DCFDF4AB540983B6A42B76
Serial:	58342CE46C494F63BA76D6CA

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2883c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2a000	0x2be00	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x52c00	0x32e8
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x56000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x26894	0x26a00	fd7428a84afc2861092516c164797326	False	0.4367604672330097	data	6.04358717296077	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x2a000	0x2be00	0x2be00	607bbc1e956ba482122f1658cc6c19c0	False	0.20788817663817663	data	4.316122179837868	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x56000	0xc	0x200	9fe0d546fed06858ee5710f8c2133575	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x2a2b0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 11811 x 11811 px/m	0.4698581560283688
RT_ICON	0x2a718	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304, resolution 11811 x 11811 px/m	0.34098360655737703
RT_ICON	0x2b0a0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 11811 x 11811 px/m	0.2701688555347092
RT_ICON	0x2c148	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 11811 x 11811 px/m	0.199896265560166
RT_ICON	0x2e6f0	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 11811 x 11811 px/m	0.16219886632026453
RT_ICON	0x32918	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 20736, resolution 11811 x 11811 px/m	0.14852125693160814
RT_ICON	0x37da0	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 36864, resolution 11811 x 11811 px/m	0.11598696657557284
RT_ICON	0x41248	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 11811 x 11811 px/m	0.0959718443156276
RT_ICON	0x51a70	0x3abf	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9932841279340382
RT_GROUP_ICON	0x55530	0x84	data	0.7272727272727273
RT_VERSION	0x555b4	0x57c	data	0.27136752136752135
RT_MANIFEST	0x55b30	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 04:18:03.966133118 CET	49740	80	192.168.2.9	45.9.191.182
Jan 11, 2025 04:18:03.971066952 CET	80	49740	45.9.191.182	192.168.2.9
Jan 11, 2025 04:18:03.971143961 CET	49740	80	192.168.2.9	45.9.191.182
Jan 11, 2025 04:18:03.972212076 CET	49740	80	192.168.2.9	45.9.191.182
Jan 11, 2025 04:18:03.977015972 CET	80	49740	45.9.191.182	192.168.2.9
Jan 11, 2025 04:18:25.336638927 CET	80	49740	45.9.191.182	192.168.2.9
Jan 11, 2025 04:18:25.336757898 CET	49740	80	192.168.2.9	45.9.191.182
Jan 11, 2025 04:18:25.378597021 CET	49740	80	192.168.2.9	45.9.191.182
Jan 11, 2025 04:18:25.382755041 CET	49880	80	192.168.2.9	45.9.191.182
Jan 11, 2025 04:18:25.383548021 CET	80	49740	45.9.191.182	192.168.2.9
Jan 11, 2025 04:18:25.387703896 CET	80	49880	45.9.191.182	192.168.2.9
Jan 11, 2025 04:18:25.387957096 CET	49880	80	192.168.2.9	45.9.191.182
Jan 11, 2025 04:18:25.387957096 CET	49880	80	192.168.2.9	45.9.191.182
Jan 11, 2025 04:18:25.392811060 CET	80	49880	45.9.191.182	192.168.2.9
Jan 11, 2025 04:18:46.776443958 CET	80	49880	45.9.191.182	192.168.2.9
Jan 11, 2025 04:18:46.776546955 CET	49880	80	192.168.2.9	45.9.191.182
Jan 11, 2025 04:18:46.777363062 CET	49880	80	192.168.2.9	45.9.191.182
Jan 11, 2025 04:18:46.782262087 CET	80	49880	45.9.191.182	192.168.2.9
Jan 11, 2025 04:18:46.788254023 CET	49977	80	192.168.2.9	45.9.191.182
Jan 11, 2025 04:18:46.793387890 CET	80	49977	45.9.191.182	192.168.2.9
Jan 11, 2025 04:18:46.793483973 CET	49977	80	192.168.2.9	45.9.191.182
Jan 11, 2025 04:18:46.793664932 CET	49977	80	192.168.2.9	45.9.191.182
Jan 11, 2025 04:18:46.798552036 CET	80	49977	45.9.191.182	192.168.2.9
Jan 11, 2025 04:19:08.178216934 CET	80	49977	45.9.191.182	192.168.2.9
Jan 11, 2025 04:19:08.178334951 CET	49977	80	192.168.2.9	45.9.191.182
Jan 11, 2025 04:19:08.179230928 CET	49977	80	192.168.2.9	45.9.191.182
Jan 11, 2025 04:19:08.179898024 CET	49979	80	192.168.2.9	45.9.191.182
Jan 11, 2025 04:19:08.184047937 CET	80	49977	45.9.191.182	192.168.2.9
Jan 11, 2025 04:19:08.184802055 CET	80	49979	45.9.191.182	192.168.2.9
Jan 11, 2025 04:19:08.184901953 CET	49979	80	192.168.2.9	45.9.191.182
Jan 11, 2025 04:19:08.185122967 CET	49979	80	192.168.2.9	45.9.191.182
Jan 11, 2025 04:19:08.189902067 CET	80	49979	45.9.191.182	192.168.2.9
Jan 11, 2025 04:19:29.558516026 CET	80	49979	45.9.191.182	192.168.2.9
Jan 11, 2025 04:19:29.558598042 CET	49979	80	192.168.2.9	45.9.191.182
Jan 11, 2025 04:19:29.559590101 CET	49979	80	192.168.2.9	45.9.191.182
Jan 11, 2025 04:19:29.562326908 CET	49980	80	192.168.2.9	45.9.191.182
Jan 11, 2025 04:19:29.564378023 CET	80	49979	45.9.191.182	192.168.2.9
Jan 11, 2025 04:19:29.567212105 CET	80	49980	45.9.191.182	192.168.2.9
Jan 11, 2025 04:19:29.567295074 CET	49980	80	192.168.2.9	45.9.191.182
Jan 11, 2025 04:19:29.567584991 CET	49980	80	192.168.2.9	45.9.191.182
Jan 11, 2025 04:19:29.572384119 CET	80	49980	45.9.191.182	192.168.2.9
Jan 11, 2025 04:19:50.912497044 CET	80	49980	45.9.191.182	192.168.2.9
Jan 11, 2025 04:19:50.912576914 CET	49980	80	192.168.2.9	45.9.191.182
Jan 11, 2025 04:19:50.913225889 CET	49980	80	192.168.2.9	45.9.191.182
Jan 11, 2025 04:19:50.914338112 CET	49981	80	192.168.2.9	45.9.191.182
Jan 11, 2025 04:19:50.918097973 CET	80	49980	45.9.191.182	192.168.2.9
Jan 11, 2025 04:19:50.919255972 CET	80	49981	45.9.191.182	192.168.2.9
Jan 11, 2025 04:19:50.919460058 CET	49981	80	192.168.2.9	45.9.191.182
Jan 11, 2025 04:19:50.919572115 CET	49981	80	192.168.2.9	45.9.191.182
Jan 11, 2025 04:19:50.924366951 CET	80	49981	45.9.191.182	192.168.2.9
Jan 11, 2025 04:20:12.291785955 CET	80	49981	45.9.191.182	192.168.2.9
Jan 11, 2025 04:20:12.291852951 CET	49981	80	192.168.2.9	45.9.191.182
Jan 11, 2025 04:20:12.292489052 CET	49981	80	192.168.2.9	45.9.191.182
Jan 11, 2025 04:20:12.296214104 CET	49982	80	192.168.2.9	45.9.191.182
Jan 11, 2025 04:20:12.297276974 CET	80	49981	45.9.191.182	192.168.2.9
Jan 11, 2025 04:20:12.301098108 CET	80	49982	45.9.191.182	192.168.2.9
Jan 11, 2025 04:20:12.301199913 CET	49982	80	192.168.2.9	45.9.191.182
Jan 11, 2025 04:20:12.301425934 CET	49982	80	192.168.2.9	45.9.191.182
Jan 11, 2025 04:20:12.306246996 CET	80	49982	45.9.191.182	192.168.2.9
Jan 11, 2025 04:20:33.680649996 CET	80	49982	45.9.191.182	192.168.2.9
Jan 11, 2025 04:20:33.680747032 CET	49982	80	192.168.2.9	45.9.191.182
Jan 11, 2025 04:20:33.681672096 CET	49982	80	192.168.2.9	45.9.191.182
Jan 11, 2025 04:20:33.682825089 CET	49983	80	192.168.2.9	45.9.191.182
Jan 11, 2025 04:20:33.686552048 CET	80	49982	45.9.191.182	192.168.2.9
Jan 11, 2025 04:20:33.687849998 CET	80	49983	45.9.191.182	192.168.2.9
Jan 11, 2025 04:20:33.687951088 CET	49983	80	192.168.2.9	45.9.191.182
Jan 11, 2025 04:20:33.688123941 CET	49983	80	192.168.2.9	45.9.191.182
Jan 11, 2025 04:20:33.693042994 CET	80	49983	45.9.191.182	192.168.2.9
Jan 11, 2025 04:20:55.069922924 CET	80	49983	45.9.191.182	192.168.2.9
Jan 11, 2025 04:20:55.070218086 CET	49983	80	192.168.2.9	45.9.191.182
Jan 11, 2025 04:20:55.071000099 CET	49983	80	192.168.2.9	45.9.191.182
Jan 11, 2025 04:20:55.073896885 CET	49984	80	192.168.2.9	45.9.191.182
Jan 11, 2025 04:20:55.075881958 CET	80	49983	45.9.191.182	192.168.2.9
Jan 11, 2025 04:20:55.078820944 CET	80	49984	45.9.191.182	192.168.2.9
Jan 11, 2025 04:20:55.078910112 CET	49984	80	192.168.2.9	45.9.191.182
Jan 11, 2025 04:20:55.079094887 CET	49984	80	192.168.2.9	45.9.191.182
Jan 11, 2025 04:20:55.083940983 CET	80	49984	45.9.191.182	192.168.2.9

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 04:18:03.943640947 CET	62601	53	192.168.2.9	1.1.1.1
Jan 11, 2025 04:18:03.953931093 CET	53	62601	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 11, 2025 04:18:03.943640947 CET	192.168.2.9	1.1.1.1	0xa7fe	Standard query (0)	xianggrhen.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 11, 2025 04:17:57.522486925 CET	1.1.1.1	192.168.2.9	0x858c	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 04:17:57.522486925 CET	1.1.1.1	192.168.2.9	0x858c	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false
Jan 11, 2025 04:18:03.953931093 CET	1.1.1.1	192.168.2.9	0xa7fe	No error (0)	xianggrhen.com		45.9.191.182	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

xianggrhen.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49740	45.9.191.182	80	7312	C:\Users\user\Desktop\1dVtYIvfHz.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 04:18:03.972212076 CET	81	OUT	GET /salad/Cxjokei.dat HTTP/1.1 Host: xianggrhen.com Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49880	45.9.191.182	80	7312	C:\Users\user\Desktop\1dVtYIvfHz.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 04:18:25.387957096 CET	81	OUT	GET /salad/Cxjokei.dat HTTP/1.1 Host: xianggrhen.com Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.9	49977	45.9.191.182	80	7312	C:\Users\user\Desktop\1dVtYIvfHz.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 04:18:46.793664932 CET	81	OUT	GET /salad/Cxjokei.dat HTTP/1.1 Host: xianggrhen.com Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.9	49979	45.9.191.182	80	7312	C:\Users\user\Desktop\1dVtYIvfHz.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 04:19:08.185122967 CET	81	OUT	GET /salad/Cxjokei.dat HTTP/1.1 Host: xianggrhen.com Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.9	49980	45.9.191.182	80	7312	C:\Users\user\Desktop\1dVtYIvfHz.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 04:19:29.567584991 CET	81	OUT	GET /salad/Cxjokei.dat HTTP/1.1 Host: xianggrhen.com Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.9	49981	45.9.191.182	80	7312	C:\Users\user\Desktop\1dVtYIvfHz.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 04:19:50.919572115 CET	81	OUT	GET /salad/Cxjokei.dat HTTP/1.1 Host: xianggrhen.com Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.9	49982	45.9.191.182	80	7312	C:\Users\user\Desktop\1dVtYIvfHz.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 04:20:12.301425934 CET	81	OUT	GET /salad/Cxjokei.dat HTTP/1.1 Host: xianggrhen.com Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.9	49983	45.9.191.182	80	7312	C:\Users\user\Desktop\1dVtYIvfHz.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 04:20:33.688123941 CET	81	OUT	GET /salad/Cxjokei.dat HTTP/1.1 Host: xianggrhen.com Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.9	49984	45.9.191.182	80	7312	C:\Users\user\Desktop\1dVtYIvfHz.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 04:20:55.079094887 CET	81	OUT	GET /salad/Cxjokei.dat HTTP/1.1 Host: xianggrhen.com Connection: Keep-Alive

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: 1dVtYIvfHz.exePID: 7312, Parent PID: 3504

General

Target ID:	0
Start time:	22:18:02
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\1dVtYIvfHz.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\1dVtYIvfHz.exe"
Imagebase:	0xd10000
File size:	351'976 bytes
MD5 hash:	DD166953BAB4FF2E913A184718BD62E9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: 1dVtYIvfHz.exePID: 7312, Parent PID: 3504COMMON

Execution Graph

Execution Coverage:	7.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	70
Total number of Limit Nodes:	2

Executed Functions

Function 02F5A488 Relevance: 1.7, APIs: 1, Instructions: 200
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 02F5A6DE

Memory Dump Source

Source File: 00000000.00000002.3216458535.0000000002F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f50000_1dVtYIvfHz.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 3bbfbfb528fd638472507c205880fff87aaff163d8dd2ca26a81db58f6ae7f7e
Instruction ID: d449c5e8e9b33fecea04e35386c19e3993c63e663286d840c4fe911158e9ad14
Opcode Fuzzy Hash: 3bbfbfb528fd638472507c205880fff87aaff163d8dd2ca26a81db58f6ae7f7e
Instruction Fuzzy Hash: DB814470A00B158FD724CF69D454B5ABBF2BF88244F008A2EDA86DBB40DB74E855CF91

Function 02F5C710 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02F5CD26,?,?,?,?,?), ref: 02F5CDE7

Memory Dump Source

Source File: 00000000.00000002.3216458535.0000000002F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f50000_1dVtYIvfHz.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d90d5f6e3acac36621508a61ebedfd7849c598401dfb3aa474ecc16339055c69
Instruction ID: f3d14341d9d1b716d8ddd18329336d320ecb3dcbf83d91559182fe889c3e3fad
Opcode Fuzzy Hash: d90d5f6e3acac36621508a61ebedfd7849c598401dfb3aa474ecc16339055c69
Instruction Fuzzy Hash: 8921E3B5900358AFDB10CF9AD884AEEBFF4FB48310F14806AE955A7350D374A954CFA5

Function 02F5CD58 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02F5CD26,?,?,?,?,?), ref: 02F5CDE7

Memory Dump Source

Source File: 00000000.00000002.3216458535.0000000002F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f50000_1dVtYIvfHz.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 9103f5585cd3b92fe29a256ae48b1608842a190c9e9dfac1f6464c7e7ce43c90
Instruction ID: 8a218b3b3eb5bb8c11857a1f8bed410f8c01a7ef722f4b5c5a6a05ba864f64e4
Opcode Fuzzy Hash: 9103f5585cd3b92fe29a256ae48b1608842a190c9e9dfac1f6464c7e7ce43c90
Instruction Fuzzy Hash: DD2103B5D00208DFDB10CF99D984ADEBBF4EB08320F14802AE914A7210D378A944CFA0

Function 02F5A678 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 02F5A6DE

Memory Dump Source

Source File: 00000000.00000002.3216458535.0000000002F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f50000_1dVtYIvfHz.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 19902fa74f9ec2a1b29c74b4b0cae9efbb0a49a1657e4e33809bad01f19b592b
Instruction ID: ede46dfc73006f4ccb46fc1e56311be54487a79d9ba473f2ec3c9dbf99aad6c8
Opcode Fuzzy Hash: 19902fa74f9ec2a1b29c74b4b0cae9efbb0a49a1657e4e33809bad01f19b592b
Instruction Fuzzy Hash: A81110B5C006498FCB10CF9AC844BDEFBF4AB88314F10852AD968A7310C379A545CFA1

Function 0163D4A0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3216226456.000000000163D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0163D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_163d000_1dVtYIvfHz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaecba610117cd8af3141b151b7a7bf85d000a6d291bdfdae4d31e6f812d6a4b
Instruction ID: 64a1c590cda194db5c600062f7bd91d9a5cf459951465beff4eb0061e44cc4e0
Opcode Fuzzy Hash: eaecba610117cd8af3141b151b7a7bf85d000a6d291bdfdae4d31e6f812d6a4b
Instruction Fuzzy Hash: FE21F1B1544200EFDB05DF94D9C0B26BF65FBC8328F60C169E90A0A297C336D456CBA2

Function 0164D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3216257821.000000000164D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0164D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_164d000_1dVtYIvfHz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab2223449b67492b214b1992c830feda72ad5933201c36602d012273d08b1cfa
Instruction ID: d5ccd679f1f5b602aa14121f462a0526c88750532e7e7c3f3391cf4f1fc6650c
Opcode Fuzzy Hash: ab2223449b67492b214b1992c830feda72ad5933201c36602d012273d08b1cfa
Instruction Fuzzy Hash: 59213471A04300DFDB15DF94D8C4B26BB61FB98B14F20C56DD80A0B382C33AD447CA62

Function 0163D49B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3216226456.000000000163D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0163D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_163d000_1dVtYIvfHz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a9223d17f0c59b9928f2445ae754a3689dedab5288f4c6dbc5edc2f4224d076
Instruction ID: 685b7c187fc622ed98c73801cc018067d6f0f339accf4869bb8a3dddaa2684f3
Opcode Fuzzy Hash: 8a9223d17f0c59b9928f2445ae754a3689dedab5288f4c6dbc5edc2f4224d076
Instruction Fuzzy Hash: 6B11AF76904240DFDB16CF54D9C4B16BF72FB84324F24C5A9D9090B657C336D45ACBA2

Function 0164D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3216257821.000000000164D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0164D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_164d000_1dVtYIvfHz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04b342587f02f4df216fd9fa4589941a60fabf0b5787ec5e4e812599987ae7f8
Instruction ID: 8bbcdf8f0ff8f5ad5442e634d67f1b195862174169dad54986788a7c9fdd8102
Opcode Fuzzy Hash: 04b342587f02f4df216fd9fa4589941a60fabf0b5787ec5e4e812599987ae7f8
Instruction Fuzzy Hash: 9D11BB75904280CFCB16CF54D9C4B15BBA2FB84714F24C6AAD8494B796C33AD44ACBA2

Function 0163D76D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3216226456.000000000163D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0163D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_163d000_1dVtYIvfHz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c840b7f12a97d97013cc55913555576ef1a6456cd309180ae6b9eb3d4a79263
Instruction ID: d2781fb6afa46b477f20d011758b97b75c57e68d4723b878e1c9646bb19ad6e6
Opcode Fuzzy Hash: 1c840b7f12a97d97013cc55913555576ef1a6456cd309180ae6b9eb3d4a79263
Instruction Fuzzy Hash: 3501DB31508384DFE7164A95DC84B76FBE8DF81624F54C459ED490A282C7789941CA72

Function 0163D76C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3216226456.000000000163D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0163D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_163d000_1dVtYIvfHz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bb03a705281e9befa94e4f9eeee46a6230cc6c441071207613d02b70f0bd3c3
Instruction ID: 50e92a0f6d8bb5c8eac103f56763b9a005666dc52bb70223f1b2edb36035fe9a
Opcode Fuzzy Hash: 8bb03a705281e9befa94e4f9eeee46a6230cc6c441071207613d02b70f0bd3c3
Instruction Fuzzy Hash: E6F06D71408384AEE7128A1ADC84B62FFA8EF81624F18C45AED484B287C3799844CAB1

Non-executed Functions

Function 02F5F4F8 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3216458535.0000000002F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f50000_1dVtYIvfHz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 116fbc64e0ee1248f0426ad9cfc2769b386eb950fb78267afe3208ad92c9ad97
Instruction ID: 294c9c860250851ae365172aa92a2e7cb73138bab2155cfb2799370c74e856c0
Opcode Fuzzy Hash: 116fbc64e0ee1248f0426ad9cfc2769b386eb950fb78267afe3208ad92c9ad97
Instruction Fuzzy Hash: 241287B24227458BD710CF65E86E189BFB1BB45318F90421AE2612F2E1FFB4164EEF44

Function 02F5E5F4 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3216458535.0000000002F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f50000_1dVtYIvfHz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16549a418184939bb188139aa067e3fb051ed669e65e39fa1801fa17bc772223
Instruction ID: c47e5a97b0587f8f127368fb49327caa3e0b9b499807963e2d7d53196a559813
Opcode Fuzzy Hash: 16549a418184939bb188139aa067e3fb051ed669e65e39fa1801fa17bc772223
Instruction Fuzzy Hash: F0A16F32E10219CFCF05DFA4C85459EBBF2FF89340B15456AEA06AB261DB31EA56CF50

Function 02F5F4E8 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3216458535.0000000002F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f50000_1dVtYIvfHz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d861b32d435532935be2e4f76dea318eaa6d6b90a5bd425099046e20347180d
Instruction ID: 32c8440d9b6a07300a626513b5e24a63bf62924540c6c9a5641648d1eee24b79
Opcode Fuzzy Hash: 7d861b32d435532935be2e4f76dea318eaa6d6b90a5bd425099046e20347180d
Instruction Fuzzy Hash: B7C1EBB28217458BD710CF65E86A299BFB1BB85324F50421AF1612F2D0FFB4264EEF44

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 1dVtYIvfHz.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Windows Analysis Report
1dVtYIvfHz.exe

Function 02F5A488 Relevance: 1.7, APIs: 1, Instructions: 200
COMMON

Function 02F5C710 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 02F5CD58 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Function 02F5A678 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON