Edit tour

Windows Analysis Report
fpY3HP2cnH.exe

Overview

General Information

Sample name:	fpY3HP2cnH.exe renamed because original name is a hash value
Original sample name:	e75baeba1dbbfe5b5d9cb8b865aa504329ec50c4df9ba56fb0dcb03278f9a3b0.exe
Analysis ID:	1589014
MD5:	68676f1fc74ca8f74a4822c9c0042eaf
SHA1:	0d7aa8fbbcf7a7babf7bddf3d4bac19884a1370e
SHA256:	e75baeba1dbbfe5b5d9cb8b865aa504329ec50c4df9ba56fb0dcb03278f9a3b0
Tags:	exeFormbookuser-adrian__luca
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

AI detected suspicious sample

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Detected potential unwanted application

Maps a DLL or memory area into another process

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected Generic Downloader

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality to call native functions

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

fpY3HP2cnH.exe (PID: 4784 cmdline: "C:\Users\user\Desktop\fpY3HP2cnH.exe" MD5: 68676F1FC74CA8F74A4822C9C0042EAF)

RegAsm.exe (PID: 364 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "Host": "ftp://ftp.horeca-bucuresti.ro", "Username": "biggiemma@horeca-bucuresti.ro", "Password": "e)rWKbKP8~mO"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000003.2149863864.0000000000745000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.2149863864.0000000000745000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.4599419545.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.4599419545.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.2152942222.0000000002AD2000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2152942222.0000000002AD2000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000003.2149530518.0000000002B61000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.2149530518.0000000002B61000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.4600404823.0000000003255000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: fpY3HP2cnH.exe PID: 4784	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: fpY3HP2cnH.exe PID: 4784	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegAsm.exe PID: 364	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 364	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 8 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.fpY3HP2cnH.exe.2ad0000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.fpY3HP2cnH.exe.2ad0000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.fpY3HP2cnH.exe.2ad0000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.fpY3HP2cnH.exe.2ad0000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3441f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x34491:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3451b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x345ad:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x34617:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x34689:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3471f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x347af:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.fpY3HP2cnH.exe.2ad0000.0.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x31619:$s2: GetPrivateProfileString 0x30cdd:$s3: get_OSFullName 0x32362:$s5: remove_Key 0x32503:$s5: remove_Key 0x333f0:$s6: FtpWebRequest 0x34401:$s7: logins 0x34973:$s7: logins 0x37684:$s7: logins 0x37736:$s7: logins 0x39089:$s7: logins 0x382d0:$s9: 1.85 (Hash, version 2, native byte-order)
2.2.RegAsm.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegAsm.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.RegAsm.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RegAsm.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3441f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x34491:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3451b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x345ad:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x34617:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x34689:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3471f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x347af:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.RegAsm.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x31619:$s2: GetPrivateProfileString 0x30cdd:$s3: get_OSFullName 0x32362:$s5: remove_Key 0x32503:$s5: remove_Key 0x333f0:$s6: FtpWebRequest 0x34401:$s7: logins 0x34973:$s7: logins 0x37684:$s7: logins 0x37736:$s7: logins 0x39089:$s7: logins 0x382d0:$s9: 1.85 (Hash, version 2, native byte-order)
Click to see the 5 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 2.2.RegAsm.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.horeca-bucuresti.ro", "Username": "biggiemma@horeca-bucuresti.ro", "Password": "e)rWKbKP8~mO"}

Multi AV Scanner detection for submitted file

Source: fpY3HP2cnH.exe	Virustotal: Detection: 75%			Perma Link
Source: fpY3HP2cnH.exe	ReversingLabs: Detection: 78%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Source: fpY3HP2cnH.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.fpY3HP2cnH.exe.2ad0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 208.95.112.1 208.95.112.1

Source: unknown

DNS query: name: ip-api.com

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: ip-api.com

Source: fpY3HP2cnH.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: fpY3HP2cnH.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: fpY3HP2cnH.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: fpY3HP2cnH.exe	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: fpY3HP2cnH.exe	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: fpY3HP2cnH.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: fpY3HP2cnH.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: fpY3HP2cnH.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: fpY3HP2cnH.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: fpY3HP2cnH.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: fpY3HP2cnH.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: fpY3HP2cnH.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: RegAsm.exe, 00000002.00000002.4600404823.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4600404823.0000000003221000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4600404823.00000000032FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: fpY3HP2cnH.exe, 00000000.00000003.2149863864.0000000000745000.00000004.00000020.00020000.00000000.sdmp, fpY3HP2cnH.exe, 00000000.00000002.2152942222.0000000002AD2000.00000040.10000000.00040000.00000000.sdmp, fpY3HP2cnH.exe, 00000000.00000003.2149530518.0000000002B61000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4600404823.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4599419545.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4600404823.0000000003221000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4599576410.00000000011EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: RegAsm.exe, 00000002.00000002.4599749553.00000000012B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hostingl
Source: fpY3HP2cnH.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: fpY3HP2cnH.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: fpY3HP2cnH.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: fpY3HP2cnH.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: fpY3HP2cnH.exe	String found in binary or memory: http://ocsp.sectigo.com0
Source: RegAsm.exe, 00000002.00000002.4600404823.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4600404823.0000000003221000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: fpY3HP2cnH.exe, 00000000.00000003.2149863864.0000000000745000.00000004.00000020.00020000.00000000.sdmp, fpY3HP2cnH.exe, 00000000.00000002.2152942222.0000000002AD2000.00000040.10000000.00040000.00000000.sdmp, fpY3HP2cnH.exe, 00000000.00000003.2149530518.0000000002B61000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4599419545.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: fpY3HP2cnH.exe	String found in binary or memory: https://sectigo.com/CPS0

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.fpY3HP2cnH.exe.2ad0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.fpY3HP2cnH.exe.2ad0000.0.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen

Detected potential unwanted application

Source: fpY3HP2cnH.exe

PE Siganture Subject Chain: CN=Tim Kosse, O=Tim Kosse, S=Nordrhein-Westfalen, C=DE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\fpY3HP2cnH.exe	Code function: 0_2_7E84B490 __vbaFreeVar,NtSetInformationProcess,	0_2_7E84B490
Source: C:\Users\user\Desktop\fpY3HP2cnH.exe	Code function: 0_2_7E6529DB NtAllocateVirtualMemory,NtProtectVirtualMemory,NtProtectVirtualMemory,	0_2_7E6529DB
Source: C:\Users\user\Desktop\fpY3HP2cnH.exe	Code function: 0_2_7E652BA8 NtQueryInformationProcess,	0_2_7E652BA8
Source: C:\Users\user\Desktop\fpY3HP2cnH.exe	Code function: 0_2_02AC2D06 NtCreateSection,NtMapViewOfSection,CreateProcessW,NtGetContextThread,NtReadVirtualMemory,NtWriteVirtualMemory,NtUnmapViewOfSection,NtMapViewOfSection,NtSetContextThread,NtResumeThread,	0_2_02AC2D06
Source: C:\Users\user\Desktop\fpY3HP2cnH.exe	Code function: 0_2_02AC06BB NtCreateSection,NtMapViewOfSection,CreateProcessW,NtGetContextThread,NtReadVirtualMemory,NtWriteVirtualMemory,NtUnmapViewOfSection,NtMapViewOfSection,NtSetContextThread,NtResumeThread,	0_2_02AC06BB
Source: C:\Users\user\Desktop\fpY3HP2cnH.exe	Code function: 0_2_02AC069B NtCreateSection,NtMapViewOfSection,CreateProcessW,NtGetContextThread,NtReadVirtualMemory,NtWriteVirtualMemory,NtUnmapViewOfSection,NtMapViewOfSection,NtSetContextThread,NtResumeThread,	0_2_02AC069B
Source: C:\Users\user\Desktop\fpY3HP2cnH.exe	Code function: 0_2_02AC06FF NtCreateSection,NtMapViewOfSection,CreateProcessW,NtGetContextThread,NtReadVirtualMemory,NtWriteVirtualMemory,NtUnmapViewOfSection,NtMapViewOfSection,NtSetContextThread,NtResumeThread,	0_2_02AC06FF
Source: C:\Users\user\Desktop\fpY3HP2cnH.exe	Code function: 0_2_02AC02F0 NtCreateSection,NtMapViewOfSection,CreateProcessW,NtGetContextThread,NtReadVirtualMemory,NtWriteVirtualMemory,NtUnmapViewOfSection,NtMapViewOfSection,NtSetContextThread,NtResumeThread,	0_2_02AC02F0
Source: C:\Users\user\Desktop\fpY3HP2cnH.exe	Code function: 0_2_02AC06D9 NtCreateSection,NtMapViewOfSection,CreateProcessW,NtGetContextThread,NtReadVirtualMemory,NtWriteVirtualMemory,NtUnmapViewOfSection,NtMapViewOfSection,NtSetContextThread,NtResumeThread,	0_2_02AC06D9
Source: C:\Users\user\Desktop\fpY3HP2cnH.exe	Code function: 0_2_02AC024E NtCreateSection,NtMapViewOfSection,CreateProcessW,NtGetContextThread,NtReadVirtualMemory,NtWriteVirtualMemory,NtUnmapViewOfSection,NtMapViewOfSection,NtSetContextThread,NtResumeThread,	0_2_02AC024E
Source: C:\Users\user\Desktop\fpY3HP2cnH.exe	Code function: 0_2_02AC1FB3 NtCreateSection,NtMapViewOfSection,CreateProcessW,NtGetContextThread,NtReadVirtualMemory,NtWriteVirtualMemory,NtUnmapViewOfSection,NtMapViewOfSection,NtSetContextThread,NtResumeThread,	0_2_02AC1FB3
Source: C:\Users\user\Desktop\fpY3HP2cnH.exe	Code function: 0_2_02AC07EE NtCreateSection,NtMapViewOfSection,CreateProcessW,NtGetContextThread,NtReadVirtualMemory,NtWriteVirtualMemory,NtUnmapViewOfSection,NtMapViewOfSection,NtSetContextThread,NtResumeThread,	0_2_02AC07EE
Source: C:\Users\user\Desktop\fpY3HP2cnH.exe	Code function: 0_2_02AC17F7 NtCreateSection,NtMapViewOfSection,CreateProcessW,NtGetContextThread,NtReadVirtualMemory,NtWriteVirtualMemory,NtUnmapViewOfSection,NtMapViewOfSection,NtSetContextThread,NtResumeThread,	0_2_02AC17F7
Source: C:\Users\user\Desktop\fpY3HP2cnH.exe	Code function: 0_2_02AC0360 NtCreateSection,NtMapViewOfSection,CreateProcessW,NtGetContextThread,NtReadVirtualMemory,NtWriteVirtualMemory,NtUnmapViewOfSection,NtMapViewOfSection,NtSetContextThread,NtResumeThread,	0_2_02AC0360
Source: C:\Users\user\Desktop\fpY3HP2cnH.exe	Code function: 0_2_02AC075F NtCreateSection,NtMapViewOfSection,CreateProcessW,NtGetContextThread,NtReadVirtualMemory,NtWriteVirtualMemory,NtUnmapViewOfSection,NtMapViewOfSection,NtSetContextThread,NtResumeThread,	0_2_02AC075F
Source: C:\Users\user\Desktop\fpY3HP2cnH.exe	Code function: 0_2_02AC0C98 NtCreateSection,NtMapViewOfSection,CreateProcessW,NtGetContextThread,NtReadVirtualMemory,NtWriteVirtualMemory,NtUnmapViewOfSection,NtMapViewOfSection,NtSetContextThread,NtResumeThread,	0_2_02AC0C98
Source: C:\Users\user\Desktop\fpY3HP2cnH.exe	Code function: 0_2_02AC2C91 NtCreateSection,NtMapViewOfSection,CreateProcessW,NtGetContextThread,NtReadVirtualMemory,NtWriteVirtualMemory,NtUnmapViewOfSection,NtMapViewOfSection,NtSetContextThread,NtResumeThread,	0_2_02AC2C91
Source: C:\Users\user\Desktop\fpY3HP2cnH.exe	Code function: 0_2_02AC1CE8 NtCreateSection,NtMapViewOfSection,CreateProcessW,NtGetContextThread,NtReadVirtualMemory,NtWriteVirtualMemory,NtUnmapViewOfSection,NtMapViewOfSection,NtSetContextThread,NtResumeThread,	0_2_02AC1CE8
Source: C:\Users\user\Desktop\fpY3HP2cnH.exe	Code function: 0_2_02AC20C4 NtCreateSection,NtMapViewOfSection,CreateProcessW,NtGetContextThread,NtReadVirtualMemory,NtWriteVirtualMemory,NtUnmapViewOfSection,NtMapViewOfSection,NtSetContextThread,NtResumeThread,	0_2_02AC20C4
Source: C:\Users\user\Desktop\fpY3HP2cnH.exe	Code function: 0_2_02AC2CDF NtCreateSection,NtMapViewOfSection,CreateProcessW,NtGetContextThread,NtReadVirtualMemory,NtWriteVirtualMemory,NtUnmapViewOfSection,NtMapViewOfSection,NtSetContextThread,NtResumeThread,	0_2_02AC2CDF
Source: C:\Users\user\Desktop\fpY3HP2cnH.exe	Code function: 0_2_02AC01A0 NtCreateSection,NtMapViewOfSection,CreateProcessW,NtGetContextThread,NtReadVirtualMemory,NtWriteVirtualMemory,NtUnmapViewOfSection,NtMapViewOfSection,NtSetContextThread,NtResumeThread,	0_2_02AC01A0
Source: C:\Users\user\Desktop\fpY3HP2cnH.exe	Code function: 0_2_02AC012B NtCreateSection,NtMapViewOfSection,CreateProcessW,NtGetContextThread,NtReadVirtualMemory,NtWriteVirtualMemory,NtUnmapViewOfSection,NtMapViewOfSection,NtSetContextThread,NtResumeThread,	0_2_02AC012B
Source: C:\Users\user\Desktop\fpY3HP2cnH.exe	Code function: 0_2_02AC115C NtCreateSection,NtMapViewOfSection,CreateProcessW,NtGetContextThread,NtReadVirtualMemory,NtWriteVirtualMemory,NtUnmapViewOfSection,NtMapViewOfSection,NtSetContextThread,NtResumeThread,	0_2_02AC115C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00445C48 NtProtectVirtualMemory,	2_2_00445C48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00443065 NtClose,	2_2_00443065
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00445C68 NtProtectVirtualMemory,	2_2_00445C68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00444184 NtDelayExecution,	2_2_00444184
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00445373 NtAllocateVirtualMemory,	2_2_00445373
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00445B28 NtAllocateVirtualMemory,	2_2_00445B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00444154 NtDelayExecution,	2_2_00444154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00443D29 NtDelayExecution,	2_2_00443D29
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00443B0D NtClose,	2_2_00443B0D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00445B92 NtAllocateVirtualMemory,	2_2_00445B92

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0156A6BD	2_2_0156A6BD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0156D890	2_2_0156D890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_01564A88	2_2_01564A88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_01563E70	2_2_01563E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_015641B8	2_2_015641B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_069B1130	2_2_069B1130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_069B3A88	2_2_069B3A88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_069B33A0	2_2_069B33A0

Source: fpY3HP2cnH.exe

Static PE information: invalid certificate

Source: fpY3HP2cnH.exe, 00000000.00000000.2125006842.000000007E8B8000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameacvm7qw909e.exe vs fpY3HP2cnH.exe
Source: fpY3HP2cnH.exe, 00000000.00000003.2149863864.0000000000745000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamefc288b27-c6cf-4c74-9578-1c1adc1c204c.exe4 vs fpY3HP2cnH.exe
Source: fpY3HP2cnH.exe, 00000000.00000003.2149530518.0000000002B61000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamefc288b27-c6cf-4c74-9578-1c1adc1c204c.exe4 vs fpY3HP2cnH.exe
Source: fpY3HP2cnH.exe, 00000000.00000002.2152629505.0000000000780000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamefc288b27-c6cf-4c74-9578-1c1adc1c204c.exe4 vs fpY3HP2cnH.exe
Source: fpY3HP2cnH.exe, 00000000.00000002.2152942222.0000000002B0E000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenamefc288b27-c6cf-4c74-9578-1c1adc1c204c.exe4 vs fpY3HP2cnH.exe
Source: fpY3HP2cnH.exe	Binary or memory string: OriginalFilenameacvm7qw909e.exeH0 vs fpY3HP2cnH.exe

Source: fpY3HP2cnH.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 0.2.fpY3HP2cnH.exe.2ad0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.fpY3HP2cnH.exe.2ad0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@1/1

Source: C:\Users\user\Desktop\fpY3HP2cnH.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\21c8026919fd094ab07ec3c180a9f210_9e146be9-c76a-4720-bcdb-53011b87bd06

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Mutant created: NULL

Source: fpY3HP2cnH.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\fpY3HP2cnH.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegAsm.exe, 00000002.00000002.4600404823.000000000331A000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4600404823.000000000332C000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: fpY3HP2cnH.exe	Virustotal: Detection: 75%
Source: fpY3HP2cnH.exe	ReversingLabs: Detection: 78%

Source: unknown	Process created: C:\Users\user\Desktop\fpY3HP2cnH.exe "C:\Users\user\Desktop\fpY3HP2cnH.exe"
Source: C:\Users\user\Desktop\fpY3HP2cnH.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Source: C:\Users\user\Desktop\fpY3HP2cnH.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"	Jump to behavior

Source: C:\Users\user\Desktop\fpY3HP2cnH.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpY3HP2cnH.exe	Section loaded: msvbvm60.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpY3HP2cnH.exe	Section loaded: vb6zz.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpY3HP2cnH.exe	Section loaded: vb6de.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpY3HP2cnH.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpY3HP2cnH.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpY3HP2cnH.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpY3HP2cnH.exe	Section loaded: vb6de.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpY3HP2cnH.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpY3HP2cnH.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpY3HP2cnH.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpY3HP2cnH.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpY3HP2cnH.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpY3HP2cnH.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpY3HP2cnH.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpY3HP2cnH.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\Desktop\fpY3HP2cnH.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0BE35204-8F91-11CE-9DE3-00AA004BB851}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: fpY3HP2cnH.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: fpY3HP2cnH.exe

Static PE information: Image base 0x7e650000 > 0x60000000

Source: fpY3HP2cnH.exe

Static file information: File size 2531400 > 1048576

Source: fpY3HP2cnH.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x262000

Source: fpY3HP2cnH.exe

Static PE information: real checksum: 0x279265 should be: 0x26eac5

Source: C:\Users\user\Desktop\fpY3HP2cnH.exe	Code function: 0_2_7E660442 push cs; retf	0_2_7E66044C
Source: C:\Users\user\Desktop\fpY3HP2cnH.exe	Code function: 0_2_7E65D130 push esp; iretd	0_2_7E65D131
Source: C:\Users\user\Desktop\fpY3HP2cnH.exe	Code function: 0_2_7E65E330 push esp; iretd	0_2_7E65E331
Source: C:\Users\user\Desktop\fpY3HP2cnH.exe	Code function: 0_2_7E65CFC8 pushad ; ret	0_2_7E65CFC9
Source: C:\Users\user\Desktop\fpY3HP2cnH.exe	Code function: 0_2_7E65D190 push esp; iretd	0_2_7E65D191
Source: C:\Users\user\Desktop\fpY3HP2cnH.exe	Code function: 0_2_02AC57BA push esp; retf	0_2_02AC57BB
Source: C:\Users\user\Desktop\fpY3HP2cnH.exe	Code function: 0_2_02AC3FBB push eax; retf	0_2_02AC3FBC
Source: C:\Users\user\Desktop\fpY3HP2cnH.exe	Code function: 0_2_02AC3CE5 push ebx; iretd	0_2_02AC3CE6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00442C9C push eax; retf	2_2_00442C9D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00444C9E push edx; iretd	2_2_00444CC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0044449B push esp; retf	2_2_0044449C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0044512E push ebx; ret	2_2_00445149
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_004429C6 push ebx; iretd	2_2_004429C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_069BCA10 push es; ret	2_2_069BCA20

Source: C:\Users\user\Desktop\fpY3HP2cnH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpY3HP2cnH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpY3HP2cnH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpY3HP2cnH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpY3HP2cnH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpY3HP2cnH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpY3HP2cnH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpY3HP2cnH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpY3HP2cnH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpY3HP2cnH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpY3HP2cnH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: fpY3HP2cnH.exe, 00000000.00000003.2149863864.0000000000745000.00000004.00000020.00020000.00000000.sdmp, fpY3HP2cnH.exe, 00000000.00000002.2152942222.0000000002AD2000.00000040.10000000.00040000.00000000.sdmp, fpY3HP2cnH.exe, 00000000.00000003.2149530518.0000000002B61000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4600404823.0000000003255000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4599419545.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4600404823.00000000032FC000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 1540000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 3220000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 3170000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 1938			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 8055			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6736	Thread sleep count: 1938 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6736	Thread sleep time: -1938000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6736	Thread sleep count: 8055 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6736	Thread sleep time: -8055000s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Last function: Thread delayed

Source: RegAsm.exe, 00000002.00000002.4600404823.00000000032FC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: RegAsm.exe, 00000002.00000002.4600404823.00000000032FC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: RegAsm.exe, 00000002.00000002.4599419545.0000000000402000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: VMwareVBoxESelect * from Win32_ComputerSystem
Source: RegAsm.exe, 00000002.00000002.4601543206.0000000006500000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllb

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_01567070 CheckRemoteDebuggerPresent,

2_2_01567070

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\fpY3HP2cnH.exe	Code function: 0_2_7E652C36 mov eax, dword ptr fs:[00000030h]	0_2_7E652C36
Source: C:\Users\user\Desktop\fpY3HP2cnH.exe	Code function: 0_2_7E652CA8 mov eax, dword ptr fs:[00000030h]	0_2_7E652CA8
Source: C:\Users\user\Desktop\fpY3HP2cnH.exe	Code function: 0_2_7E652CBC mov eax, dword ptr fs:[00000030h]	0_2_7E652CBC
Source: C:\Users\user\Desktop\fpY3HP2cnH.exe	Code function: 0_2_7E652C93 mov eax, dword ptr fs:[00000030h]	0_2_7E652C93
Source: C:\Users\user\Desktop\fpY3HP2cnH.exe	Code function: 0_2_7E652F91 mov eax, dword ptr fs:[00000030h]	0_2_7E652F91
Source: C:\Users\user\Desktop\fpY3HP2cnH.exe	Code function: 0_2_02AC2D06 mov eax, dword ptr fs:[00000030h]	0_2_02AC2D06
Source: C:\Users\user\Desktop\fpY3HP2cnH.exe	Code function: 0_2_02AC32D7 mov eax, dword ptr fs:[00000030h]	0_2_02AC32D7
Source: C:\Users\user\Desktop\fpY3HP2cnH.exe	Code function: 0_2_02AC67A6 mov eax, dword ptr fs:[00000030h]	0_2_02AC67A6
Source: C:\Users\user\Desktop\fpY3HP2cnH.exe	Code function: 0_2_02AC4384 mov ecx, dword ptr fs:[00000030h]	0_2_02AC4384
Source: C:\Users\user\Desktop\fpY3HP2cnH.exe	Code function: 0_2_02AC671F mov eax, dword ptr fs:[00000030h]	0_2_02AC671F
Source: C:\Users\user\Desktop\fpY3HP2cnH.exe	Code function: 0_2_02AC65B4 mov eax, dword ptr fs:[00000030h]	0_2_02AC65B4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00443065 mov ecx, dword ptr fs:[00000030h]	2_2_00443065
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00445400 mov eax, dword ptr fs:[00000030h]	2_2_00445400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00445410 mov ecx, dword ptr fs:[00000030h]	2_2_00445410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00445487 mov eax, dword ptr fs:[00000030h]	2_2_00445487
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_004454B3 mov eax, dword ptr fs:[00000030h]	2_2_004454B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0044552B mov eax, dword ptr fs:[00000030h]	2_2_0044552B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00445E56 mov ecx, dword ptr fs:[00000030h]	2_2_00445E56
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00445639 mov eax, dword ptr fs:[00000030h]	2_2_00445639
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_004452CF mov ecx, dword ptr fs:[00000030h]	2_2_004452CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_004452FA mov ecx, dword ptr fs:[00000030h]	2_2_004452FA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00445295 mov eax, dword ptr fs:[00000030h]	2_2_00445295
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00445327 mov ecx, dword ptr fs:[00000030h]	2_2_00445327

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\fpY3HP2cnH.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\fpY3HP2cnH.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: F91008

Jump to behavior

Source: C:\Users\user\Desktop\fpY3HP2cnH.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\fpY3HP2cnH.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.2.fpY3HP2cnH.exe.2ad0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.2149863864.0000000000745000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4599419545.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2152942222.0000000002AD2000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2149530518.0000000002B61000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: fpY3HP2cnH.exe PID: 4784, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 364, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 0.2.fpY3HP2cnH.exe.2ad0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.2149863864.0000000000745000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4599419545.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2152942222.0000000002AD2000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2149530518.0000000002B61000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4600404823.0000000003255000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: fpY3HP2cnH.exe PID: 4784, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 364, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.2.fpY3HP2cnH.exe.2ad0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.2149863864.0000000000745000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4599419545.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2152942222.0000000002AD2000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2149530518.0000000002B61000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: fpY3HP2cnH.exe PID: 4784, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 364, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	231 Windows Management Instrumentation	1 DLL Side-Loading	211 Process Injection	1 Masquerading	1 OS Credential Dumping	531 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	25 Virtualization/Sandbox Evasion	LSASS Memory	25 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Disable or Modify Tools	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	1 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	211 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	34 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
fpY3HP2cnH.exe	75%	Virustotal		Browse
fpY3HP2cnH.exe	79%	ReversingLabs	Win32.Trojan.AgentTesla

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ip-api.com	208.95.112.1	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ip-api.com/line/?fields=hosting	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	fpY3HP2cnH.exe	false	high
https://sectigo.com/CPS0	fpY3HP2cnH.exe	false	high
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	fpY3HP2cnH.exe	false	high
https://account.dyn.com/	fpY3HP2cnH.exe, 00000000.00000003.2149863864.0000000000745000.00000004.00000020.00020000.00000000.sdmp, fpY3HP2cnH.exe, 00000000.00000002.2152942222.0000000002AD2000.00000040.10000000.00040000.00000000.sdmp, fpY3HP2cnH.exe, 00000000.00000003.2149530518.0000000002B61000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4599419545.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false	high
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y	fpY3HP2cnH.exe	false	high
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	fpY3HP2cnH.exe	false	high
http://ocsp.sectigo.com0	fpY3HP2cnH.exe	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegAsm.exe, 00000002.00000002.4600404823.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4600404823.0000000003221000.00000004.00000800.00020000.00000000.sdmp	false	high
http://ip-api.com/line/?fields=hostingl	RegAsm.exe, 00000002.00000002.4599749553.00000000012B7000.00000004.00000020.00020000.00000000.sdmp	false	high
http://ip-api.com	RegAsm.exe, 00000002.00000002.4600404823.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4600404823.0000000003221000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4600404823.00000000032FC000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1589014
Start date and time:	2025-01-11 08:25:29 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 53s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	fpY3HP2cnH.exe renamed because original name is a hash value
Original Sample Name:	e75baeba1dbbfe5b5d9cb8b865aa504329ec50c4df9ba56fb0dcb03278f9a3b0.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 82% Number of executed functions: 40 Number of non-executed functions: 23
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 20.12.23.50, 4.245.163.56
Excluded domains from analysis (whitelisted): client.wns.windows.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:26:55	API Interceptor	1267365x Sleep call for process: RegAsm.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	4287eV6mBc.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	aik1mr9TOq.exe	Get hash	malicious	Predator	Browse	ip-api.com/json/
	DUWPFaZd3a.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	ip-api.com/line/?fields=hosting
	tb4B9ni6vl.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	juE8dtqPkx.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	ip-api.com/line/?fields=hosting
	YY3k9rjxpY.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	4LbgdNQgna.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	toIuQILmr1.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	LfZAz7DQzo.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	Q5QrxfKnFA.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip-api.com	4287eV6mBc.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	aik1mr9TOq.exe	Get hash	malicious	Predator	Browse	208.95.112.1
	DUWPFaZd3a.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	208.95.112.1
	tb4B9ni6vl.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	juE8dtqPkx.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	YY3k9rjxpY.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	4LbgdNQgna.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	toIuQILmr1.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	LfZAz7DQzo.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Q5QrxfKnFA.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TUT-ASUS	4287eV6mBc.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	aik1mr9TOq.exe	Get hash	malicious	Predator	Browse	208.95.112.1
	DUWPFaZd3a.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	208.95.112.1
	tb4B9ni6vl.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	juE8dtqPkx.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	YY3k9rjxpY.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	4LbgdNQgna.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	toIuQILmr1.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	LfZAz7DQzo.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Q5QrxfKnFA.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\21c8026919fd094ab07ec3c180a9f210_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Users\user\Desktop\fpY3HP2cnH.exe
File Type:	data
Category:	dropped
Size (bytes):	49
Entropy (8bit):	1.2701062923235522
Encrypted:	false
SSDEEP:	3:/l1PL3n:fPL3
MD5:	CD8FA61AD2906643348EEF98A988B873
SHA1:	0B10E2F323B5C73F3A6EA348633B62AE522DDF39
SHA-256:	49A11A24821F2504B8C91BA9D8A6BD6F421ED2F0212C1C771BF1CAC9DE32AD75
SHA-512:	1E6F44AB3231232221CF0F4268E96A13C82E3F96249D7963B78805B693B52D3EBDABF873DB240813DF606D8C207BD2859338D67BA94F33ECBA43EA9A4FEFA086
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	........................................user.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.294386286837806
TrID:	Win32 Executable (generic) a (10002005/4) 99.94% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% VXD Driver (31/22) 0.00%
File name:	fpY3HP2cnH.exe
File size:	2'531'400 bytes
MD5:	68676f1fc74ca8f74a4822c9c0042eaf
SHA1:	0d7aa8fbbcf7a7babf7bddf3d4bac19884a1370e
SHA256:	e75baeba1dbbfe5b5d9cb8b865aa504329ec50c4df9ba56fb0dcb03278f9a3b0
SHA512:	cafa516c55d669e7bf37e52bd60fe53fe687defd5615a87480c7e2644569bce5039a20b41f2d1370ba2a02cfd95bf12dad6459209d0348049ed865b9c7a253d5
SSDEEP:	49152:l3AQbdYAm4zEbdYAm4zWbdYAm4z23Aw3AWbdYAm4zSbdYAm4zO3AWypvLe6mTPLc:hAadrWdr0drkAiA0dr4dr8AJTmbI
TLSH:	5CC5D003B2444FA8CB450730EDDF85F0B3125DDA6B169B9E738EB2025BFA186967E453
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....AOg................. &..@........%......0&...e~..........................&.....e.'....................................

File Icon


Icon Hash:	ab99b7abbbbfef6e

Static PE Info

General

Entrypoint:	0x7e8af4e0
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x7e650000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x674F41AC [Tue Dec 3 17:36:44 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	d9578469d410b115a40f3477df2f6843

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Sectigo Public Code Signing CA R36, O=Sectigo Limited, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	18/02/2022 01:00:00 18/02/2025 00:59:59
Subject Chain	CN=Tim Kosse, O=Tim Kosse, S=Nordrhein-Westfalen, C=DE
Version:	3
Thumbprint MD5:	D2F88AEA5C53DD7092E3CD7246907BE2
Thumbprint SHA-1:	E57CE01F6A5E1D4C522BC68488AF53D9BAD13AB7
Thumbprint SHA-256:	ED619A9A79713E12FFB757CF8A51BBA89FBB967EC6223C653F1F8932B0E2A25A
Serial:	31830C370AD7E497633B6EB3A02D69E6

Entrypoint Preview

Instruction
jmp 00007F461899E1BCh
add byte ptr [eax-4E1520D1h], ch
aad 34h
and ecx, dword ptr [edi]
mov ebp, 5562D7D3h
call 00007F45F1208A8Ch
out C5h, eax
aaa
xchg eax, ebx
ret
inc edx
push es
int 97h
or ecx, dword ptr [edx]
cmp dword ptr [ebx], esp
jc 00007F4618BFA2E8h
aam 9Eh
cmpsd
xchg eax, ebx
sbb ebp, esi
pop es
cmp eax, E04CF650h
mov edx, E5E2D6C2h
fucompp
cmp edx, ebx
jne 00007F4618BFA301h
mov cl, 72h
les esi, fword ptr [edx-5BDA81D8h]
rcr dword ptr [ecx], cl
insd
sbb dword ptr [edi-1Dh], esi
sub byte ptr [eax-312DC24Fh], cl
xor dword ptr [edi-7E0692E5h], ecx
sub esi, eax
lahf
inc ebx
aad 64h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2627c4	0x3c	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x268000	0x2898	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x267000	0x3048
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x1a4	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x261f10	0x262000	236cfe2c3f0e36e394ec783218e8ea7b	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x263000	0x4c14	0x1000	620f0b67a91f7f74151bc5be745b7110	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x268000	0x2898	0x3000	9f1cb4ba3ff059fba627e8dda20f75d1	False	0.16015625	data	4.31958223772891	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x2680e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600			0.16659751037344397
RT_GROUP_ICON	0x26a690	0x14	data			1.15
RT_VERSION	0x26a6a4	0x1f4	data	German	Germany	0.5

Imports

DLL

Import

KERNEL32.DLL

GetProcAddress, GetModuleHandleW

MSVBVM60.DLL

__vbaVarSub, __vbaVarTstGt, __vbaStrI2, _CIcos, _adj_fptan, __vbaVarMove, __vbaVarVargNofree, __vbaFreeVar, __vbaAryMove, __vbaLineInputStr, __vbaStrVarMove, __vbaLenBstr, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaStrCat, __vbaSetSystemError, __vbaHresultCheckObj, __vbaLenVar, _adj_fdiv_m32, __vbaAryDestruct, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaRefVarAry, __vbaBoolVarNull, _CIsin, __vbaVargVarMove, __vbaVarCmpGt, __vbaChkstk, __vbaFileClose, EVENT_SINK_AddRef, __vbaStrCmp, __vbaVarTstEq, DllFunctionCall, __vbaVarOr, __vbaRedimPreserve, _adj_fpatan, __vbaRedim, EVENT_SINK_Release, __vbaNew, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, __vbaStrToUnicode, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaStrVarVal, __vbaUbound, __vbaVarCat, _CIlog, __vbaFileOpen, __vbaVar2Vec, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaI4Var, __vbaAryLock, __vbaVarAdd, __vbaVarDup, __vbaStrToAnsi, __vbaVarCopy, _CIatan, __vbaStrMove, __vbaCastObj, __vbaR8IntI4, __vbaStrVarCopy, _allmul, _CItan, __vbaAryUnlock, _CIexp, __vbaFreeObj, __vbaFreeStr

Possible Origin

Language of compilation system	Country where language is spoken	Map
German	Germany

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 08:26:24.183528900 CET	49715	80	192.168.2.6	208.95.112.1
Jan 11, 2025 08:26:24.188410044 CET	80	49715	208.95.112.1	192.168.2.6
Jan 11, 2025 08:26:24.188551903 CET	49715	80	192.168.2.6	208.95.112.1
Jan 11, 2025 08:26:24.189555883 CET	49715	80	192.168.2.6	208.95.112.1
Jan 11, 2025 08:26:24.194314003 CET	80	49715	208.95.112.1	192.168.2.6
Jan 11, 2025 08:26:24.672301054 CET	80	49715	208.95.112.1	192.168.2.6
Jan 11, 2025 08:26:24.722290039 CET	49715	80	192.168.2.6	208.95.112.1
Jan 11, 2025 08:27:26.966502905 CET	80	49715	208.95.112.1	192.168.2.6
Jan 11, 2025 08:27:26.970578909 CET	49715	80	192.168.2.6	208.95.112.1
Jan 11, 2025 08:28:04.696120977 CET	49715	80	192.168.2.6	208.95.112.1
Jan 11, 2025 08:28:04.701244116 CET	80	49715	208.95.112.1	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 08:26:24.169389009 CET	59184	53	192.168.2.6	1.1.1.1
Jan 11, 2025 08:26:24.177768946 CET	53	59184	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 11, 2025 08:26:24.169389009 CET	192.168.2.6	1.1.1.1	0xdafa	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 11, 2025 08:26:24.177768946 CET	1.1.1.1	192.168.2.6	0xdafa	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49715	208.95.112.1	80	364	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:26:24.189555883 CET	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Jan 11, 2025 08:26:24.672301054 CET	175	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 07:26:23 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

Target ID:	0
Start time:	02:26:20
Start date:	11/01/2025
Path:	C:\Users\user\Desktop\fpY3HP2cnH.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\fpY3HP2cnH.exe"
Imagebase:	0x7e650000
File size:	2'531'400 bytes
MD5 hash:	68676F1FC74CA8F74A4822C9C0042EAF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2149863864.0000000000745000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000003.2149863864.0000000000745000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2152942222.0000000002AD2000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2152942222.0000000002AD2000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2149530518.0000000002B61000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000003.2149530518.0000000002B61000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:26:22
Start date:	11/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Imagebase:	0xd90000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.4599419545.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.4599419545.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.4600404823.0000000003255000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	9.1%
Dynamic/Decrypted Code Coverage:	30%
Signature Coverage:	21.5%
Total number of Nodes:	367
Total number of Limit Nodes:	14

Executed Functions

Function 02AC069B Relevance: 26.6, APIs: 10, Strings: 5, Instructions: 387
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

egas, xrefs: 02AC3026
e, xrefs: 02AC3034
m.ex, xrefs: 02AC302D
D, xrefs: 02AC30A5
\Microsoft.NET\Framework\, xrefs: 02AC303B

Memory Dump Source

Source File: 00000000.00000002.2152865518.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ac0000_fpY3HP2cnH.jbxd

Similarity

API ID:
String ID: D$\Microsoft.NET\Framework\$e$egas$m.ex
API String ID: 0-1087957892
Opcode ID: e52940c02b44e104ee3a3b25ea14b03d2f0e68b29b73a9f03bf7fd1b27a11845
Instruction ID: 15269b239c513ac5466fc419b204c132eb2b19b7ab3c4f9e9776f46b7798424c
Opcode Fuzzy Hash: e52940c02b44e104ee3a3b25ea14b03d2f0e68b29b73a9f03bf7fd1b27a11845
Instruction Fuzzy Hash: 02E147B2D00259AFDF11DFA4DD80AEDBBB9FF08314F2484AAE515A7201DB309A85CF50

Function 02AC02F0 Relevance: 26.6, APIs: 10, Strings: 5, Instructions: 386
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

egas, xrefs: 02AC3026
e, xrefs: 02AC3034
m.ex, xrefs: 02AC302D
D, xrefs: 02AC30A5
\Microsoft.NET\Framework\, xrefs: 02AC303B

Memory Dump Source

Source File: 00000000.00000002.2152865518.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ac0000_fpY3HP2cnH.jbxd

Similarity

API ID:
String ID: D$\Microsoft.NET\Framework\$e$egas$m.ex
API String ID: 0-1087957892
Opcode ID: a36373ad2e5310e18fc03da1c3e73d632cf9b5787d89b21943ab7ba24ecfd4be
Instruction ID: 6b986a50d9c8ebecb4e1940ed2ba234da231cd91ebcfba9475de42d098a17355
Opcode Fuzzy Hash: a36373ad2e5310e18fc03da1c3e73d632cf9b5787d89b21943ab7ba24ecfd4be
Instruction Fuzzy Hash: 83E137B2D00259AFDF11DFA4DD80AEDBBB9FF08314F2484AAE514A7201DB349A95CF54

Function 02AC2C91 Relevance: 26.6, APIs: 10, Strings: 5, Instructions: 380
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 02AC2EF2
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 02AC2F1F

Strings

egas, xrefs: 02AC3026
e, xrefs: 02AC3034
m.ex, xrefs: 02AC302D
D, xrefs: 02AC30A5
\Microsoft.NET\Framework\, xrefs: 02AC303B

Memory Dump Source

Source File: 00000000.00000002.2152865518.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ac0000_fpY3HP2cnH.jbxd

Similarity

API ID: Section$CreateView
String ID: D$\Microsoft.NET\Framework\$e$egas$m.ex
API String ID: 1585966358-1087957892
Opcode ID: 1fe3776fe771f3dfdabe874908b5a0c1143ef0ab3795bc9f32fb43960838373d
Instruction ID: 4d882d91e1576a3918df723c47313f41f309193b4863c385095a6f3f3bde143f
Opcode Fuzzy Hash: 1fe3776fe771f3dfdabe874908b5a0c1143ef0ab3795bc9f32fb43960838373d
Instruction Fuzzy Hash: 88E147B2D00259AFDF11DFA4DD80AEDBBB9FF08314F2484AAE514A7201DB349A95CF54

Function 02AC06FF Relevance: 26.6, APIs: 10, Strings: 5, Instructions: 379
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

egas, xrefs: 02AC3026
e, xrefs: 02AC3034
m.ex, xrefs: 02AC302D
D, xrefs: 02AC30A5
\Microsoft.NET\Framework\, xrefs: 02AC303B

Memory Dump Source

Source File: 00000000.00000002.2152865518.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ac0000_fpY3HP2cnH.jbxd

Similarity

API ID:
String ID: D$\Microsoft.NET\Framework\$e$egas$m.ex
API String ID: 0-1087957892
Opcode ID: 8228d97ba5e75433b2c31e1f0904fc7046173a7a3335c5e39ed262d6badd8588
Instruction ID: 7615abf332e94e90d81dea1ef41661e441cd84c3c0b0a1773ba0ee6f11ecb238
Opcode Fuzzy Hash: 8228d97ba5e75433b2c31e1f0904fc7046173a7a3335c5e39ed262d6badd8588
Instruction Fuzzy Hash: DCE148B2D00259AFDF11DFA4DD80AEDBBB9FF04314F2484AAE515AB201DB309A95CF54

Function 02AC01A0 Relevance: 26.6, APIs: 10, Strings: 5, Instructions: 379
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

egas, xrefs: 02AC3026
e, xrefs: 02AC3034
m.ex, xrefs: 02AC302D
D, xrefs: 02AC30A5
\Microsoft.NET\Framework\, xrefs: 02AC303B

Memory Dump Source

Source File: 00000000.00000002.2152865518.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ac0000_fpY3HP2cnH.jbxd

Similarity

API ID:
String ID: D$\Microsoft.NET\Framework\$e$egas$m.ex
API String ID: 0-1087957892
Opcode ID: c5a7bf3f7b015d140592472eafe8b17cbc776e3716947a90bcf411af2f49dca9
Instruction ID: 2a0c77f29144553a359d14e9d4252f87d7aee3725199f67856dfddaad18d9569
Opcode Fuzzy Hash: c5a7bf3f7b015d140592472eafe8b17cbc776e3716947a90bcf411af2f49dca9
Instruction Fuzzy Hash: DAE138B2D00259AFDF11DFA4DD80AEDBBB9FF08314F2484AAE515A7201DB349A95CF50

Function 02AC06BB Relevance: 26.6, APIs: 10, Strings: 5, Instructions: 378
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

egas, xrefs: 02AC3026
e, xrefs: 02AC3034
m.ex, xrefs: 02AC302D
D, xrefs: 02AC30A5
\Microsoft.NET\Framework\, xrefs: 02AC303B

Memory Dump Source

Source File: 00000000.00000002.2152865518.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ac0000_fpY3HP2cnH.jbxd

Similarity

API ID:
String ID: D$\Microsoft.NET\Framework\$e$egas$m.ex
API String ID: 0-1087957892
Opcode ID: 134c417e4282c6295a72bee0faa0a432af82352440953f3df23f277074e276eb
Instruction ID: 593aab1a3b8cd65571a60a26432a8c4f7516952c3355881bd3b7c75021f5cbb4
Opcode Fuzzy Hash: 134c417e4282c6295a72bee0faa0a432af82352440953f3df23f277074e276eb
Instruction Fuzzy Hash: E9E139B2D00259AFDF11DFA4DD80AEDBBB5FF08314F2484AAE515A7201DB309A95CF54

Function 02AC0360 Relevance: 26.6, APIs: 10, Strings: 5, Instructions: 377
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

egas, xrefs: 02AC3026
e, xrefs: 02AC3034
m.ex, xrefs: 02AC302D
D, xrefs: 02AC30A5
\Microsoft.NET\Framework\, xrefs: 02AC303B

Memory Dump Source

Source File: 00000000.00000002.2152865518.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ac0000_fpY3HP2cnH.jbxd

Similarity

API ID:
String ID: D$\Microsoft.NET\Framework\$e$egas$m.ex
API String ID: 0-1087957892
Opcode ID: bc4cce3e52d33c5d4b164733d193f2c752b3e2d45a9d1745f7fc2090e33f6bbf
Instruction ID: 96add9bd975cf97a801f522d42d327e4b3dcfdb8474c06c964b0c3405b81d83c
Opcode Fuzzy Hash: bc4cce3e52d33c5d4b164733d193f2c752b3e2d45a9d1745f7fc2090e33f6bbf
Instruction Fuzzy Hash: 07E137B2D00259AFDF11DFA4DD80AEDBBB9FF08314F2484AAE515A7201DB309A95CF54

Function 02AC1CE8 Relevance: 26.6, APIs: 10, Strings: 5, Instructions: 376
nativethreadprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 02AC2EF2
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 02AC2F1F
CreateProcessW.KERNELBASE(?,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 02AC30CA
NtGetContextThread.NTDLL(?,?), ref: 02AC30E9
NtReadVirtualMemory.NTDLL(?,?,?,000001D8,?), ref: 02AC310F
NtWriteVirtualMemory.NTDLL(?,?,?,00000004,?), ref: 02AC3139
NtUnmapViewOfSection.NTDLL(?,?), ref: 02AC3154
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 02AC316D
NtSetContextThread.NTDLL(?,00010003), ref: 02AC319E
NtResumeThread.NTDLL(?,00000000), ref: 02AC31AB

Strings

egas, xrefs: 02AC3026
e, xrefs: 02AC3034
m.ex, xrefs: 02AC302D
D, xrefs: 02AC30A5
\Microsoft.NET\Framework\, xrefs: 02AC303B

Memory Dump Source

Source File: 00000000.00000002.2152865518.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ac0000_fpY3HP2cnH.jbxd

Similarity

API ID: Section$ThreadView$ContextCreateMemoryVirtual$ProcessReadResumeUnmapWrite
String ID: D$\Microsoft.NET\Framework\$e$egas$m.ex
API String ID: 1951729442-1087957892
Opcode ID: a7876de07d5ad348493e458939affc936dcb46249d2fb4a7df1c66bba81792a9
Instruction ID: f3ada2b134616649dc47c7f069b6aab8d9a11682a7e9e128343817a2f488f2be
Opcode Fuzzy Hash: a7876de07d5ad348493e458939affc936dcb46249d2fb4a7df1c66bba81792a9
Instruction Fuzzy Hash: E1E148B2D00259AFDF11DFA4DD80AEDBBB9FF08314F2484AAE515A7201DB309A95CF54

Function 02AC024E Relevance: 26.6, APIs: 10, Strings: 5, Instructions: 376
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

egas, xrefs: 02AC3026
e, xrefs: 02AC3034
m.ex, xrefs: 02AC302D
D, xrefs: 02AC30A5
\Microsoft.NET\Framework\, xrefs: 02AC303B

Memory Dump Source

Source File: 00000000.00000002.2152865518.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ac0000_fpY3HP2cnH.jbxd

Similarity

API ID:
String ID: D$\Microsoft.NET\Framework\$e$egas$m.ex
API String ID: 0-1087957892
Opcode ID: 2fc2077c7ad7907092174ded618c216a14186769ef1c28b9f96eb7ef214daea0
Instruction ID: 3da1ec46b4435549cc88a0b2fcfdc31bb5bad417c8f16eb594e3a1aca396c11f
Opcode Fuzzy Hash: 2fc2077c7ad7907092174ded618c216a14186769ef1c28b9f96eb7ef214daea0
Instruction Fuzzy Hash: 45E138B2D00259AFDF11DFA4DD80AEDBBB9FF04314F2484AAE515A7201DB309A95CF50

Function 02AC06D9 Relevance: 26.6, APIs: 10, Strings: 5, Instructions: 375
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

egas, xrefs: 02AC3026
e, xrefs: 02AC3034
m.ex, xrefs: 02AC302D
D, xrefs: 02AC30A5
\Microsoft.NET\Framework\, xrefs: 02AC303B

Memory Dump Source

Source File: 00000000.00000002.2152865518.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ac0000_fpY3HP2cnH.jbxd

Similarity

API ID:
String ID: D$\Microsoft.NET\Framework\$e$egas$m.ex
API String ID: 0-1087957892
Opcode ID: 1dc2a362b87ad2d39c60852800c9d889547ed19660a126345e023749c8c5aea4
Instruction ID: ebe1b631431b78faec4d11cccff5ec8e4bde917b30d39e334cb0d2ed1c11a077
Opcode Fuzzy Hash: 1dc2a362b87ad2d39c60852800c9d889547ed19660a126345e023749c8c5aea4
Instruction Fuzzy Hash: D1E138B2D00259AFDF11DFA4DD80AEDBBB9FF04314F2484AAE515A7201DB309A95CF54

Function 02AC07EE Relevance: 26.6, APIs: 10, Strings: 5, Instructions: 375
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

egas, xrefs: 02AC3026
e, xrefs: 02AC3034
m.ex, xrefs: 02AC302D
D, xrefs: 02AC30A5
\Microsoft.NET\Framework\, xrefs: 02AC303B

Memory Dump Source

Source File: 00000000.00000002.2152865518.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ac0000_fpY3HP2cnH.jbxd

Similarity

API ID:
String ID: D$\Microsoft.NET\Framework\$e$egas$m.ex
API String ID: 0-1087957892
Opcode ID: 63054d0c8e892c1adb48c95d6363ace412f375d3d238f662ee97bf82abb7f58f
Instruction ID: 7409567e494edded71def02ec155d1146136425a365a5cc265b46d4dccfb5c4a
Opcode Fuzzy Hash: 63054d0c8e892c1adb48c95d6363ace412f375d3d238f662ee97bf82abb7f58f
Instruction Fuzzy Hash: 91E137B2D00259AFDF11DFA4DD80AEDBBB9FF08314F2484AAE515A7201DB309A95CF54

Function 02AC0C98 Relevance: 26.6, APIs: 10, Strings: 5, Instructions: 372
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

egas, xrefs: 02AC3026
e, xrefs: 02AC3034
m.ex, xrefs: 02AC302D
D, xrefs: 02AC30A5
\Microsoft.NET\Framework\, xrefs: 02AC303B

Memory Dump Source

Source File: 00000000.00000002.2152865518.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ac0000_fpY3HP2cnH.jbxd

Similarity

API ID:
String ID: D$\Microsoft.NET\Framework\$e$egas$m.ex
API String ID: 0-1087957892
Opcode ID: 8f7e58425d88959d612763d6fb43d0263cacee27f7726eade9dd205014e34f6d
Instruction ID: 02a7281730424e0d73ca83449c610f40a4ba87accc27e332db02839fb30c22fd
Opcode Fuzzy Hash: 8f7e58425d88959d612763d6fb43d0263cacee27f7726eade9dd205014e34f6d
Instruction Fuzzy Hash: FEE138B2D00259AFDF11DFA4DD80AEDBBB9FF08314F2484AAE514A7201DB349A95CF54

Function 02AC115C Relevance: 26.6, APIs: 10, Strings: 5, Instructions: 372
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

egas, xrefs: 02AC3026
e, xrefs: 02AC3034
m.ex, xrefs: 02AC302D
D, xrefs: 02AC30A5
\Microsoft.NET\Framework\, xrefs: 02AC303B

Memory Dump Source

Source File: 00000000.00000002.2152865518.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ac0000_fpY3HP2cnH.jbxd

Similarity

API ID:
String ID: D$\Microsoft.NET\Framework\$e$egas$m.ex
API String ID: 0-1087957892
Opcode ID: 72acc7db67e8a8a3f14a846a6f884e9cd4b50e9c66c3d713838c70737369f9a0
Instruction ID: a608f2d319585f35f695b7d9978167a6821df2c1fb10ca7c9eb6ff8f9a89b51b
Opcode Fuzzy Hash: 72acc7db67e8a8a3f14a846a6f884e9cd4b50e9c66c3d713838c70737369f9a0
Instruction Fuzzy Hash: E2E127B2D00259AFDF11DFA4DD80AEDBBB9FF08314F2484AAE515A7201DB309A95CF54

Function 02AC075F Relevance: 26.6, APIs: 10, Strings: 5, Instructions: 372
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

egas, xrefs: 02AC3026
e, xrefs: 02AC3034
m.ex, xrefs: 02AC302D
D, xrefs: 02AC30A5
\Microsoft.NET\Framework\, xrefs: 02AC303B

Memory Dump Source

Source File: 00000000.00000002.2152865518.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ac0000_fpY3HP2cnH.jbxd

Similarity

API ID:
String ID: D$\Microsoft.NET\Framework\$e$egas$m.ex
API String ID: 0-1087957892
Opcode ID: 399a782b03df6b69f1b3adb00e789070ed9034e4c1ef35daa5869330bbd6db94
Instruction ID: ccc0f55419e2d2732ada34aa16a0597e68f10fc1a2656214420dd8ea8fd625bf
Opcode Fuzzy Hash: 399a782b03df6b69f1b3adb00e789070ed9034e4c1ef35daa5869330bbd6db94
Instruction Fuzzy Hash: 1EE138B2D00259AFDF11DFA4DD80AEDBBB9FF08314F2484AAE515A7201DB309A95CF54

Function 02AC1FB3 Relevance: 26.6, APIs: 10, Strings: 5, Instructions: 371COMMON

Download Yara Rule

Strings

egas, xrefs: 02AC3026
e, xrefs: 02AC3034
m.ex, xrefs: 02AC302D
D, xrefs: 02AC30A5
\Microsoft.NET\Framework\, xrefs: 02AC303B

Memory Dump Source

Source File: 00000000.00000002.2152865518.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ac0000_fpY3HP2cnH.jbxd

Similarity

API ID:
String ID: D$\Microsoft.NET\Framework\$e$egas$m.ex
API String ID: 0-1087957892
Opcode ID: c11d16e35c8ddbe8aa9d564b90f02865ec1bd529ab3ace37a80ee9ac50e4c2bc
Instruction ID: 581a3b951eba01ad2aabba54f80218d6d173de9435508b8c4aa15c0ec60f9ea7
Opcode Fuzzy Hash: c11d16e35c8ddbe8aa9d564b90f02865ec1bd529ab3ace37a80ee9ac50e4c2bc
Instruction Fuzzy Hash: 2AE147B2D00259AFDF11DFA4DD80AEDBBB9FF08314F2484AAE514A7201DB309A95CF54

Function 02AC17F7 Relevance: 26.6, APIs: 10, Strings: 5, Instructions: 371COMMON

Download Yara Rule

Strings

egas, xrefs: 02AC3026
e, xrefs: 02AC3034
m.ex, xrefs: 02AC302D
D, xrefs: 02AC30A5
\Microsoft.NET\Framework\, xrefs: 02AC303B

Memory Dump Source

Source File: 00000000.00000002.2152865518.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ac0000_fpY3HP2cnH.jbxd

Similarity

API ID:
String ID: D$\Microsoft.NET\Framework\$e$egas$m.ex
API String ID: 0-1087957892
Opcode ID: e63d8900bee1e6888fd2d0b6fef9350bb3a698b6526d9974880eefaac9083743
Instruction ID: afe07c6b9f983da621dd049f289e67b8fdede8782ef45969ac9a98252a021236
Opcode Fuzzy Hash: e63d8900bee1e6888fd2d0b6fef9350bb3a698b6526d9974880eefaac9083743
Instruction Fuzzy Hash: 16E137B2D00259AFDF11DFA4DD80AEDBBB9FF08314F2484AAE514A7201DB349A95CF54

Function 02AC012B Relevance: 26.6, APIs: 10, Strings: 5, Instructions: 371COMMON

Download Yara Rule

Strings

egas, xrefs: 02AC3026
e, xrefs: 02AC3034
m.ex, xrefs: 02AC302D
D, xrefs: 02AC30A5
\Microsoft.NET\Framework\, xrefs: 02AC303B

Memory Dump Source

Source File: 00000000.00000002.2152865518.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ac0000_fpY3HP2cnH.jbxd

Similarity

API ID:
String ID: D$\Microsoft.NET\Framework\$e$egas$m.ex
API String ID: 0-1087957892
Opcode ID: 1726100f0a7944f9e071800c03af4a47d0c414425da52bf7404932ec35a1c1ee
Instruction ID: 5a265f776c394ca38e1676274d249c38f82c3b3ec896302ef703dd495edf4d2b
Opcode Fuzzy Hash: 1726100f0a7944f9e071800c03af4a47d0c414425da52bf7404932ec35a1c1ee
Instruction Fuzzy Hash: C4E127B2D00259AFDF11DFA4DD80AEDBBB9FF08314F2484AAE515A7201DB309A95CF54

Function 02AC20C4 Relevance: 26.6, APIs: 10, Strings: 5, Instructions: 370COMMON

Download Yara Rule

Strings

egas, xrefs: 02AC3026
e, xrefs: 02AC3034
m.ex, xrefs: 02AC302D
D, xrefs: 02AC30A5
\Microsoft.NET\Framework\, xrefs: 02AC303B

Memory Dump Source

Source File: 00000000.00000002.2152865518.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ac0000_fpY3HP2cnH.jbxd

Similarity

API ID:
String ID: D$\Microsoft.NET\Framework\$e$egas$m.ex
API String ID: 0-1087957892
Opcode ID: e6c0749d89e24c5319b546a662c51c185ff1c2a120229c4b4c71efa9ff22db79
Instruction ID: 8b98a150dc77f9f585e961e5c7cc9f31b34c9e2ad57364042ca69534456c7344
Opcode Fuzzy Hash: e6c0749d89e24c5319b546a662c51c185ff1c2a120229c4b4c71efa9ff22db79
Instruction Fuzzy Hash: 3DE137B2D00259AFDF11DFA4DD80AEDBBB9FF08314F2484AAE514A7201DB349A95CF54

Function 02AC2D06 Relevance: 26.6, APIs: 10, Strings: 5, Instructions: 369nativethreadprocessCOMMON

Download Yara Rule

APIs

NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 02AC2EF2
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 02AC2F1F
CreateProcessW.KERNELBASE(?,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 02AC30CA
NtGetContextThread.NTDLL(?,?), ref: 02AC30E9
NtReadVirtualMemory.NTDLL(?,?,?,000001D8,?), ref: 02AC310F
NtWriteVirtualMemory.NTDLL(?,?,?,00000004,?), ref: 02AC3139
NtUnmapViewOfSection.NTDLL(?,?), ref: 02AC3154
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 02AC316D
NtSetContextThread.NTDLL(?,00010003), ref: 02AC319E
NtResumeThread.NTDLL(?,00000000), ref: 02AC31AB

Strings

egas, xrefs: 02AC3026
e, xrefs: 02AC3034
m.ex, xrefs: 02AC302D
D, xrefs: 02AC30A5
\Microsoft.NET\Framework\, xrefs: 02AC303B

Memory Dump Source

Source File: 00000000.00000002.2152865518.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ac0000_fpY3HP2cnH.jbxd

Similarity

API ID: Section$ThreadView$ContextCreateMemoryVirtual$ProcessReadResumeUnmapWrite
String ID: D$\Microsoft.NET\Framework\$e$egas$m.ex
API String ID: 1951729442-1087957892
Opcode ID: bdfd8c2c08da80d8aef1ac999a3557cfaab083761e6134d184dbc6d082490619
Instruction ID: a5ff1e2909e89c768d973b527ef73046bbd64cdc96237a007ab99087f4c72e33
Opcode Fuzzy Hash: bdfd8c2c08da80d8aef1ac999a3557cfaab083761e6134d184dbc6d082490619
Instruction Fuzzy Hash: A4E116B2D00259AFDF11DFA4DD80AEDBBB9FF08314F2484AAE515A7200DB349A95CF54

Function 02AC2CDF Relevance: 26.6, APIs: 10, Strings: 5, Instructions: 365nativethreadprocessCOMMON

Download Yara Rule

APIs

NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 02AC2EF2
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 02AC2F1F
CreateProcessW.KERNELBASE(?,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 02AC30CA
NtGetContextThread.NTDLL(?,?), ref: 02AC30E9
NtReadVirtualMemory.NTDLL(?,?,?,000001D8,?), ref: 02AC310F
NtWriteVirtualMemory.NTDLL(?,?,?,00000004,?), ref: 02AC3139
NtUnmapViewOfSection.NTDLL(?,?), ref: 02AC3154
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 02AC316D
NtSetContextThread.NTDLL(?,00010003), ref: 02AC319E
NtResumeThread.NTDLL(?,00000000), ref: 02AC31AB

Strings

egas, xrefs: 02AC3026
e, xrefs: 02AC3034
m.ex, xrefs: 02AC302D
D, xrefs: 02AC30A5
\Microsoft.NET\Framework\, xrefs: 02AC303B

Memory Dump Source

Source File: 00000000.00000002.2152865518.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ac0000_fpY3HP2cnH.jbxd

Similarity

API ID: Section$ThreadView$ContextCreateMemoryVirtual$ProcessReadResumeUnmapWrite
String ID: D$\Microsoft.NET\Framework\$e$egas$m.ex
API String ID: 1951729442-1087957892
Opcode ID: fadb8ee45684e55940828a746d8dba969003a9b897a4444178c65d01c4fec658
Instruction ID: 7a17c06fb20b6c780ded4a63667ad79aa590e1518409a592e02b773ffdd5c574
Opcode Fuzzy Hash: fadb8ee45684e55940828a746d8dba969003a9b897a4444178c65d01c4fec658
Instruction Fuzzy Hash: CFE147B2D00259AFDF11DFA4DD80AEDBBB9FF08314F2484AAE514A7241DB309A95CF54

Function 7E6529DB Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 153nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000100,00000000,00000100,00003000,00000040,?,NtQueryInformationProcess,7E65173F,?,NtQueryInformationProcess,7E651759,?,NtQueryInformationProcess,7E651728,NtQueryInformationProcess), ref: 7E652A72
NtProtectVirtualMemory.NTDLL(000000FF,?,00000005,00000040,?,?,NtQueryInformationProcess,7E65173F,?,NtQueryInformationProcess,7E651759,?,NtQueryInformationProcess,7E651728,NtQueryInformationProcess,7E6517CA), ref: 7E652A9D
NtProtectVirtualMemory.NTDLL(000000FF,?,00000005,?,?,?,NtQueryInformationProcess,7E65173F,?,NtQueryInformationProcess,7E651759,?,NtQueryInformationProcess,7E651728,NtQueryInformationProcess,7E6517CA), ref: 7E652B99

Strings

NtQueryInformationProcess, xrefs: 7E6529FD, 7E652A12, 7E652A2A, 7E652A42

Memory Dump Source

Source File: 00000000.00000002.2153279656.000000007E651000.00000020.00000001.01000000.00000003.sdmp, Offset: 7E650000, based on PE: true

Associated: 00000000.00000002.2153199809.000000007E650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153313282.000000007E65E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153353406.000000007E65F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153788068.000000007E8B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153788068.000000007E8B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153860108.000000007E8B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e650000_fpY3HP2cnH.jbxd

Similarity

API ID: MemoryVirtual$Protect$Allocate
String ID: NtQueryInformationProcess
API String ID: 955180148-2781105232
Opcode ID: 37c4d548869026d4b1447d3183d347c17864294fe67c6895446152d6c5ccd549
Instruction ID: ad0dffdac434b37b9f037c47c14d09b0e67708faa9d930f09ab17e99cfd82f45
Opcode Fuzzy Hash: 37c4d548869026d4b1447d3183d347c17864294fe67c6895446152d6c5ccd549
Instruction Fuzzy Hash: 0851DE79A0450AAFDB01CFA9CC40B9EBBBBFF84314F10430AE510E63D4E3B496458B62

Function 7E652BA8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 26nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(?,00000022,?,?,?), ref: 7E652BED

Strings

", xrefs: 7E652BAB

Memory Dump Source

Source File: 00000000.00000002.2153279656.000000007E651000.00000020.00000001.01000000.00000003.sdmp, Offset: 7E650000, based on PE: true

Associated: 00000000.00000002.2153199809.000000007E650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153313282.000000007E65E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153353406.000000007E65F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153788068.000000007E8B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153788068.000000007E8B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153860108.000000007E8B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e650000_fpY3HP2cnH.jbxd

Similarity

API ID: InformationProcessQuery
String ID: "
API String ID: 1778838933-123907689
Opcode ID: f8a3bf583f533df3510b7bb5a4c0cb12b665dd011632cc013e315b81883adf6f
Instruction ID: dae836b30825074f43343f222d4766c7eb0be9f645514223a6dfe7d6762e4dae
Opcode Fuzzy Hash: f8a3bf583f533df3510b7bb5a4c0cb12b665dd011632cc013e315b81883adf6f
Instruction Fuzzy Hash: C9F01C7921120AEFDF028F51DD01B9A3B7BFF06358F008515FE169A6A0C776C5A1DB61

Function 7E84B490 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 25nativeCOMMON

Download Yara Rule

APIs

NtSetInformationProcess.NTDLL ref: 7E84B4D6

Strings

0, xrefs: 7E84B4CA

Memory Dump Source

Source File: 00000000.00000002.2153353406.000000007E65F000.00000020.00000001.01000000.00000003.sdmp, Offset: 7E650000, based on PE: true

Associated: 00000000.00000002.2153199809.000000007E650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153279656.000000007E651000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153313282.000000007E65E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153788068.000000007E8B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153788068.000000007E8B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153860108.000000007E8B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e650000_fpY3HP2cnH.jbxd

Similarity

API ID: InformationProcess
String ID: 0
API String ID: 1801817001-4108050209
Opcode ID: 813e5d162c089125476380ee3ff570c6249d4e6f857f074f341f52f951960ca6
Instruction ID: 225ea98cec08df4f42dd0e2104dee42eb3c37c335fb5f50d95eb5d21161ab906
Opcode Fuzzy Hash: 813e5d162c089125476380ee3ff570c6249d4e6f857f074f341f52f951960ca6
Instruction Fuzzy Hash: 56E065B958464CBBDB20DFD98E09B99BBBCE705B14F600245FA00667C0C378190486B5

Function 7E846120 Relevance: 193.2, APIs: 105, Strings: 5, Instructions: 685
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaStrCat.MSVBVM60(7E65E748,7E65E740,?,6D2E60EF), ref: 7E8461B5
__vbaStrMove.MSVBVM60(?,6D2E60EF), ref: 7E8461C2
__vbaStrCat.MSVBVM60(bvm,00000000,?,6D2E60EF), ref: 7E8461CA
__vbaStrMove.MSVBVM60(?,6D2E60EF), ref: 7E8461D1
__vbaStrCat.MSVBVM60(7E65E760,00000000,?,6D2E60EF), ref: 7E8461D9
__vbaStrMove.MSVBVM60(?,6D2E60EF), ref: 7E8461E0
#644.MSVBVM60(00000000,?,6D2E60EF), ref: 7E8461E3
GetModuleHandleW.KERNEL32(00000000,?,6D2E60EF), ref: 7E8461EA
__vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,6D2E60EF), ref: 7E846203
__vbaStrCat.MSVBVM60(lFunctionCal,7E65E76C), ref: 7E846216
__vbaStrMove.MSVBVM60 ref: 7E84621D
__vbaStrCat.MSVBVM60(7E65E798,00000000), ref: 7E846225
__vbaStrMove.MSVBVM60 ref: 7E84622C
__vbaStrToAnsi.MSVBVM60(?,00000000), ref: 7E846233
GetProcAddress.KERNEL32(00000000,00000000), ref: 7E846241
__vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 7E84625A
__vbaStrCat.MSVBVM60(eVrVnV,7E65E7A0), ref: 7E84626D
__vbaStrMove.MSVBVM60 ref: 7E846274
__vbaStrCat.MSVBVM60(eVlV3V2V,00000000), ref: 7E84627C

Part of subcall function 7E84A060: __vbaVarDup.MSVBVM60(6D1FD8B1,6D1EA323), ref: 7E84A0A0
Part of subcall function 7E84A060: #653.MSVBVM60(?,?), ref: 7E84A0AE
Part of subcall function 7E84A060: __vbaI4Var.MSVBVM60(?), ref: 7E84A0B8
Part of subcall function 7E84A060: __vbaFreeVar.MSVBVM60 ref: 7E84A0CE
Part of subcall function 7E84A060: #632.MSVBVM60(?,?,?,?), ref: 7E84A0FA
Part of subcall function 7E84A060: __vbaVarCat.MSVBVM60(?,?,?), ref: 7E84A10C
Part of subcall function 7E84A060: __vbaVarMove.MSVBVM60 ref: 7E84A117
Part of subcall function 7E84A060: __vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 7E84A123
Part of subcall function 7E84A060: __vbaFreeVar.MSVBVM60(7E84A168), ref: 7E84A161

__vbaStrVarVal.MSVBVM60(?,?,?), ref: 7E8462B6
#644.MSVBVM60(00000000), ref: 7E8462BD
GetModuleHandleW.KERNEL32(00000000), ref: 7E8462C4
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 7E8462D9
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 7E8462EC
__vbaStrCat.MSVBVM60(7E65E7E0,7E65E7D8), ref: 7E8462FF
__vbaStrMove.MSVBVM60 ref: 7E846306
__vbaStrCat.MSVBVM60(7E65E7E8,00000000), ref: 7E84630E
__vbaStrMove.MSVBVM60 ref: 7E846315
__vbaStrCat.MSVBVM60(7E65E7F0,00000000), ref: 7E84631D
__vbaStrMove.MSVBVM60 ref: 7E846324
__vbaStrCat.MSVBVM60(7E65E7F8,00000000), ref: 7E84632C
__vbaStrMove.MSVBVM60 ref: 7E846333
__vbaStrCat.MSVBVM60(7E65E800,00000000), ref: 7E84633B
__vbaStrMove.MSVBVM60 ref: 7E846342
__vbaStrCat.MSVBVM60(7E65E798,00000000), ref: 7E84634A
__vbaStrMove.MSVBVM60 ref: 7E846351
__vbaStrCat.MSVBVM60(7E65E808,00000000), ref: 7E846359
__vbaStrMove.MSVBVM60 ref: 7E846360
__vbaStrCat.MSVBVM60(7E65E7E8,00000000), ref: 7E846368
__vbaStrMove.MSVBVM60 ref: 7E84636F
__vbaStrCat.MSVBVM60(7E65E810,00000000), ref: 7E846377
__vbaStrMove.MSVBVM60 ref: 7E84637E
__vbaStrCat.MSVBVM60(7E65E7F0,00000000), ref: 7E846386
__vbaStrMove.MSVBVM60 ref: 7E84638D
__vbaStrCat.MSVBVM60(7E65E818,00000000), ref: 7E846395
__vbaStrMove.MSVBVM60 ref: 7E84639C
__vbaStrCat.MSVBVM60(7E65E820,00000000), ref: 7E8463A4
__vbaStrMove.MSVBVM60 ref: 7E8463AB
__vbaStrCat.MSVBVM60(7E65E7F0,00000000), ref: 7E8463B3
__vbaStrMove.MSVBVM60 ref: 7E8463BA
__vbaStrToAnsi.MSVBVM60(?,00000000), ref: 7E8463C1
GetProcAddress.KERNEL32(00000000,00000000), ref: 7E8463CE
__vbaFreeStrList.MSVBVM60(0000000E,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 7E846413
__vbaRedim.MSVBVM60(00000080,00000004,?,00000003,00000001,0000000F,00000000), ref: 7E84642B
__vbaNew.MSVBVM60(7E65E844,7E65E854), ref: 7E84643E
__vbaObjSet.MSVBVM60(?,00000000), ref: 7E846449
__vbaCastObj.MSVBVM60(00000000), ref: 7E846450
__vbaObjSet.MSVBVM60(?,00000000), ref: 7E84645B
__vbaObjSetAddref.MSVBVM60(7E8B32D0,00000000), ref: 7E846468
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 7E846478
__vbaObjSetAddref.MSVBVM60(?), ref: 7E84648D
#644.MSVBVM60(00000000), ref: 7E846494
__vbaFreeObj.MSVBVM60 ref: 7E8464A0
#644.MSVBVM60(?), ref: 7E8464AA
__vbaAryLock.MSVBVM60(?,?), ref: 7E8464DA
#644.MSVBVM60(?), ref: 7E8464F2
__vbaAryUnlock.MSVBVM60(?), ref: 7E846502
__vbaObjSetAddref.MSVBVM60(?), ref: 7E846540
#644.MSVBVM60(00000000), ref: 7E846547
__vbaFreeObj.MSVBVM60 ref: 7E846553
#644.MSVBVM60(7E8B32CC), ref: 7E846563
__vbaAryLock.MSVBVM60(?,?), ref: 7E846583
#644.MSVBVM60(?), ref: 7E846598
__vbaAryUnlock.MSVBVM60(?), ref: 7E8465A8
#644.MSVBVM60(?), ref: 7E8465C1
__vbaRedim.MSVBVM60(00000080,00000004,7E8B3214,00000003,00000001,00000010,00000000), ref: 7E8465FD
#644.MSVBVM60(?), ref: 7E84660A
#644.MSVBVM60(?), ref: 7E846630
__vbaAryLock.MSVBVM60(?,00000000), ref: 7E84665C
__vbaStrCat.MSVBVM60(7E65E87C,7E65E874,?,00000040), ref: 7E846692
__vbaStrMove.MSVBVM60 ref: 7E846699
__vbaI4Str.MSVBVM60(00000000), ref: 7E84669C
VirtualProtect.KERNELBASE(?,00000000), ref: 7E8466B2
__vbaHresultCheckObj.MSVBVM60(00000000,?,7E65E854,0000002C,?,00000000), ref: 7E8466CC
__vbaAryUnlock.MSVBVM60(?,?,00000000), ref: 7E8466D6
__vbaFreeStr.MSVBVM60(?,00000000), ref: 7E8466DF
#644.MSVBVM60(?,?,00000000), ref: 7E8466EF
__vbaAryLock.MSVBVM60(?,00000000,?,00000000), ref: 7E84672A
#644.MSVBVM60(?,?,00000000), ref: 7E846741
__vbaAryUnlock.MSVBVM60(?,?,00000000), ref: 7E84674D
#644.MSVBVM60(00000040,?,00000000), ref: 7E846787
#644.MSVBVM60(0424448B,?,00000000), ref: 7E8467AD
#644.MSVBVM60(408B008B,?,00000000), ref: 7E8467D3
#644.MSVBVM60(20C4832C,?,00000000), ref: 7E8467F9
#644.MSVBVM60(E02474FF,?,00000000), ref: 7E84681F
VirtualProtect.KERNELBASE(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000008,00000040,?,?,00000000), ref: 7E846876
__vbaHresultCheckObj.MSVBVM60(00000000,?,7E65E854,00000020,?,00000000), ref: 7E846890
__vbaAryLock.MSVBVM60(?,00000000,?,00000000), ref: 7E8468BC
#644.MSVBVM60(?,?,00000000), ref: 7E8468D3
__vbaAryUnlock.MSVBVM60(?,?,00000000), ref: 7E8468DF
#644.MSVBVM60(7E8B32CC,?,00000000), ref: 7E84690C
#644.MSVBVM60(00000000,?,00000000), ref: 7E846925
#644.MSVBVM60(-00000004,?,00000000), ref: 7E84693D
__vbaFreeVar.MSVBVM60(?,?,00000000), ref: 7E84695B
__vbaAryDestruct.MSVBVM60(00000000,?,7E8469E9,?,00000000), ref: 7E8469E2

Strings

eVlV3V2V, xrefs: 7E846277
@, xrefs: 7E846625
lFunctionCal, xrefs: 7E846211
eVrVnV, xrefs: 7E846268
bvm, xrefs: 7E8461C5

Memory Dump Source

Source File: 00000000.00000002.2153353406.000000007E65F000.00000020.00000001.01000000.00000003.sdmp, Offset: 7E650000, based on PE: true

Associated: 00000000.00000002.2153199809.000000007E650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153279656.000000007E651000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153313282.000000007E65E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153788068.000000007E8B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153788068.000000007E8B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153860108.000000007E8B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e650000_fpY3HP2cnH.jbxd

Similarity

API ID: __vba$#644$Move$Free$List$LockUnlock$Addref$AddressAnsiCheckHandleHresultModuleProcProtectRedimVirtual$#632#653CastDestruct
String ID: @$bvm$eVlV3V2V$eVrVnV$lFunctionCal
API String ID: 1415243137-1337920422
Opcode ID: a4c715c8e5b50ab387ae7f318a8e9db19b7e94f236d70215b0e1d9c99e0810c9
Instruction ID: 992e9bdbfe247293e43a5ecfb8f57e8dd7962804efd43e93ddc646fe7a8ae393
Opcode Fuzzy Hash: a4c715c8e5b50ab387ae7f318a8e9db19b7e94f236d70215b0e1d9c99e0810c9
Instruction Fuzzy Hash: 5A42B8B6A40219AFDB14DFA5CC88EEEBBB9FF48300F10855AE505E7344DA74A945CF60

Function 7E65BAF9 Relevance: 4.5, APIs: 3, Instructions: 39COMMON

Download Yara Rule

APIs

__vbaFreeVar.MSVBVM60 ref: 7E84B319
__vbaFreeVar.MSVBVM60(00000000), ref: 7E84B327

Part of subcall function 7E846120: __vbaStrCat.MSVBVM60(7E65E748,7E65E740,?,6D2E60EF), ref: 7E8461B5
Part of subcall function 7E846120: __vbaStrMove.MSVBVM60(?,6D2E60EF), ref: 7E8461C2
Part of subcall function 7E846120: __vbaStrCat.MSVBVM60(bvm,00000000,?,6D2E60EF), ref: 7E8461CA
Part of subcall function 7E846120: __vbaStrMove.MSVBVM60(?,6D2E60EF), ref: 7E8461D1
Part of subcall function 7E846120: __vbaStrCat.MSVBVM60(7E65E760,00000000,?,6D2E60EF), ref: 7E8461D9
Part of subcall function 7E846120: __vbaStrMove.MSVBVM60(?,6D2E60EF), ref: 7E8461E0
Part of subcall function 7E846120: #644.MSVBVM60(00000000,?,6D2E60EF), ref: 7E8461E3
Part of subcall function 7E846120: GetModuleHandleW.KERNEL32(00000000,?,6D2E60EF), ref: 7E8461EA
Part of subcall function 7E846120: __vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,6D2E60EF), ref: 7E846203
Part of subcall function 7E846120: __vbaStrCat.MSVBVM60(lFunctionCal,7E65E76C), ref: 7E846216
Part of subcall function 7E846120: __vbaStrMove.MSVBVM60 ref: 7E84621D
Part of subcall function 7E846120: __vbaStrCat.MSVBVM60(7E65E798,00000000), ref: 7E846225
Part of subcall function 7E846120: __vbaStrMove.MSVBVM60 ref: 7E84622C
Part of subcall function 7E846120: __vbaStrToAnsi.MSVBVM60(?,00000000), ref: 7E846233
Part of subcall function 7E846120: GetProcAddress.KERNEL32(00000000,00000000), ref: 7E846241

Part of subcall function 7E84B490: NtSetInformationProcess.NTDLL ref: 7E84B4D6

__vbaFreeVar.MSVBVM60(00000000), ref: 7E84B33A

Memory Dump Source

Source File: 00000000.00000002.2153279656.000000007E651000.00000020.00000001.01000000.00000003.sdmp, Offset: 7E650000, based on PE: true

Associated: 00000000.00000002.2153199809.000000007E650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153313282.000000007E65E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153353406.000000007E65F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153788068.000000007E8B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153788068.000000007E8B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153860108.000000007E8B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e650000_fpY3HP2cnH.jbxd

Similarity

API ID: __vba$Move$Free$#644AddressAnsiHandleInformationListModuleProcProcess
String ID:
API String ID: 115556252-0
Opcode ID: c627caf685b3f936fcd3761dc35067aa1d4c29c88f0e1378b341515b87ead3ce
Instruction ID: 61cf71c9cffd4c284e370245224c292c2245347dfeff7efd73bb6fda44aec335
Opcode Fuzzy Hash: c627caf685b3f936fcd3761dc35067aa1d4c29c88f0e1378b341515b87ead3ce
Instruction Fuzzy Hash: 2B0128B981462CEBCF10DFA5CD44EEEBB78FF09604F405529E50567354DB386A05CBA1

Non-executed Functions

Function 7E652C36 Relevance: 1.3, Strings: 1, Instructions: 32COMMON

Download Yara Rule

Strings

NtQueryInformationProcess, xrefs: 7E652C55, 7E652C76

Memory Dump Source

Source File: 00000000.00000002.2153279656.000000007E651000.00000020.00000001.01000000.00000003.sdmp, Offset: 7E650000, based on PE: true

Associated: 00000000.00000002.2153199809.000000007E650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153313282.000000007E65E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153353406.000000007E65F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153788068.000000007E8B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153788068.000000007E8B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153860108.000000007E8B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e650000_fpY3HP2cnH.jbxd

Similarity

API ID:
String ID: NtQueryInformationProcess
API String ID: 0-2781105232
Opcode ID: f88e251bd6240c739b11586f1affd826d0e22b120c2b2395e00a48deb75ff214
Instruction ID: 5f9e9f949a59730e3fb4e431708a1512881fcedcc9ae6c3436aa78fc6f2eeed8
Opcode Fuzzy Hash: f88e251bd6240c739b11586f1affd826d0e22b120c2b2395e00a48deb75ff214
Instruction Fuzzy Hash: 70F0303CB64605EED7A19624CA40F2527BBBB05B10F109890B886EA7EBEB14E8418E15

Function 7E652F91 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2153279656.000000007E651000.00000020.00000001.01000000.00000003.sdmp, Offset: 7E650000, based on PE: true

Associated: 00000000.00000002.2153199809.000000007E650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153313282.000000007E65E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153353406.000000007E65F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153788068.000000007E8B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153788068.000000007E8B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153860108.000000007E8B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e650000_fpY3HP2cnH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef41f23567e4e7422021a95af9bb6b13c8200b2295415d293bf1cf4d9d63b1a6
Instruction ID: 7f858a0d8d1d3b294386188b17463ae616b9b1ca142457894a5b8524f8a81929
Opcode Fuzzy Hash: ef41f23567e4e7422021a95af9bb6b13c8200b2295415d293bf1cf4d9d63b1a6
Instruction Fuzzy Hash: 69018C7A7941068BD721AB09E040996B3B7FB63760B852062E806DBFDCE325A8C0C711

Function 02AC32D7 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2152865518.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ac0000_fpY3HP2cnH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b399b04e11d1ff954b26d47aa0a54e719ae22316263aa56bc50ae1b8ddb9bc6
Instruction ID: 38acd6cdc99f8df1662cc8525de101ee6a3cd62b39974158c2241a3a351d82d5
Opcode Fuzzy Hash: 0b399b04e11d1ff954b26d47aa0a54e719ae22316263aa56bc50ae1b8ddb9bc6
Instruction Fuzzy Hash: 49F0C9322145249BCF21EB59D58096AF7F9EF84A7072588D9E5599BA00DB30FC408B90

Function 02AC4384 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2152865518.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ac0000_fpY3HP2cnH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5316810a94766b1ca050ebca0f5f5a24f2eea664af7019078f40900b5b38d693
Instruction ID: dc4fb84528e1b97e0c53be9808bb9982d85089d79ecbae11b63579dabae03a5c
Opcode Fuzzy Hash: 5316810a94766b1ca050ebca0f5f5a24f2eea664af7019078f40900b5b38d693
Instruction Fuzzy Hash: 6BD0A974119441DEC298BB2081B07B573B2AB4C758F71082C91038E180CF250882CF2D

Function 7E652CA8 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2153279656.000000007E651000.00000020.00000001.01000000.00000003.sdmp, Offset: 7E650000, based on PE: true

Associated: 00000000.00000002.2153199809.000000007E650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153313282.000000007E65E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153353406.000000007E65F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153788068.000000007E8B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153788068.000000007E8B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153860108.000000007E8B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e650000_fpY3HP2cnH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c43a5081fe5d2bb3cd1689569c8f68dab492a46559b42270ac0312c03ebc32d
Instruction ID: 95dff2fb833417202495218693bf5b1a421dd4471ca0001524ddc04ad995461f
Opcode Fuzzy Hash: 4c43a5081fe5d2bb3cd1689569c8f68dab492a46559b42270ac0312c03ebc32d
Instruction Fuzzy Hash: 46B0123F0716C44DDB13CF3442137E93B6593004C0F5404C1D0C04B66BC00C8687D556

Function 7E652C93 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2153279656.000000007E651000.00000020.00000001.01000000.00000003.sdmp, Offset: 7E650000, based on PE: true

Associated: 00000000.00000002.2153199809.000000007E650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153313282.000000007E65E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153353406.000000007E65F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153788068.000000007E8B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153788068.000000007E8B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153860108.000000007E8B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e650000_fpY3HP2cnH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 403b859c92bb87a22b3b23818d0f9761360f240456280570c354f149d4e95fe8
Instruction ID: 6d8b77ee072ee247f30958288c4a888cb08176c89a0772219baa462f0e89e92b
Opcode Fuzzy Hash: 403b859c92bb87a22b3b23818d0f9761360f240456280570c354f149d4e95fe8
Instruction Fuzzy Hash: 48B09234342640CFC205CE29C180F1473E8BB04A90F0244D0B800CB662C228ED80DA10

Function 7E652CBC Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2153279656.000000007E651000.00000020.00000001.01000000.00000003.sdmp, Offset: 7E650000, based on PE: true

Associated: 00000000.00000002.2153199809.000000007E650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153313282.000000007E65E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153353406.000000007E65F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153788068.000000007E8B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153788068.000000007E8B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153860108.000000007E8B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e650000_fpY3HP2cnH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09929421d99742cfa4a401d3ddfe35bd1712795acecd8ac35f43a2c4d427f48e
Instruction ID: 75d8ee55a9432d655d400c20f764b696a43bdfdc0ccd3be24d65f6ea96f8add4
Opcode Fuzzy Hash: 09929421d99742cfa4a401d3ddfe35bd1712795acecd8ac35f43a2c4d427f48e
Instruction Fuzzy Hash: 0CB012241015C18EC9024F1041127A877A0D7019C0F0A00C494C04B513C11C8645A610

Function 02AC67A6 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2152865518.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ac0000_fpY3HP2cnH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10f67725e43095be341acf3cb58f55b81ea81c3134907c094f93d55dab3cd169
Instruction ID: c5ce0236b484b230147c8b687852133820aa994a246abfa6e232dd60afbbf360
Opcode Fuzzy Hash: 10f67725e43095be341acf3cb58f55b81ea81c3134907c094f93d55dab3cd169
Instruction Fuzzy Hash: 35B00231199444CFC295DB06C150A2173BCB780B41F5114D5E5028F962CB289D40CA41

Function 02AC65B4 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2152865518.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ac0000_fpY3HP2cnH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 508d827342fb9c54924c299ec58ad6bb2905881a0450e60568b39fffeb4f8248
Instruction ID: 34334d61769847971a57047772451266c90fc2a63e4117caf10557b15150ae0a
Opcode Fuzzy Hash: 508d827342fb9c54924c299ec58ad6bb2905881a0450e60568b39fffeb4f8248
Instruction Fuzzy Hash: DBB0923015D580CFC241CB05C240A6033B8F780A00F6180E5E4064B9118A24D940CE01

Function 02AC671F Relevance: .0, Instructions: 3COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2152865518.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ac0000_fpY3HP2cnH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bc72c3cadc4bb10c2534361e1a3ea77e35603b1f5884f74d7b5d37b040a1314
Instruction ID: 5d8e2ea369b8e2fd4ca8c601911afbe0df74c31b485a5cbac114bed1351ab287
Opcode Fuzzy Hash: 5bc72c3cadc4bb10c2534361e1a3ea77e35603b1f5884f74d7b5d37b040a1314
Instruction Fuzzy Hash: 18B00135266980CFC296CB0AC294F5073F8FB08A45F4614F0E4058BE62C338A900CA00

Function 7E65DA39 Relevance: 96.6, APIs: 46, Strings: 9, Instructions: 332COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(7E65F658,7E8B3C50), ref: 7E84AD36
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,7E65F648,00000014), ref: 7E84AD5B
__vbaHresultCheckObj.MSVBVM60(00000000,?,7E65FF3C,00000058), ref: 7E84AD7F
#689.MSVBVM60(?,Options,Show Tips at Startup), ref: 7E84ADB3
__vbaStrMove.MSVBVM60 ref: 7E84ADC4
__vbaI4Str.MSVBVM60(00000000), ref: 7E84ADC7
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 7E84ADD9
__vbaFreeObj.MSVBVM60 ref: 7E84ADE5
__vbaNew2.MSVBVM60(7E65F658,7E8B3C50), ref: 7E84AE02
__vbaObjSetAddref.MSVBVM60(?,7E651408), ref: 7E84AE15
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,7E65F648,00000010), ref: 7E84AE33
__vbaObjSet.MSVBVM60(?,00000000), ref: 7E84AE4C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,7E65FF90,000000E4), ref: 7E84AE71
__vbaFreeObj.MSVBVM60 ref: 7E84AE7A
#594.MSVBVM60(?), ref: 7E84AE92
__vbaFreeVar.MSVBVM60 ref: 7E84AE9B
__vbaNew2.MSVBVM60(7E65F658,7E8B3C50), ref: 7E84AEB4
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,7E65F648,00000014), ref: 7E84AED9
__vbaHresultCheckObj.MSVBVM60(00000000,?,7E65FF3C,00000050), ref: 7E84AEFD
__vbaStrCat.MSVBVM60(7E65F66C,?), ref: 7E84AF12
__vbaStrMove.MSVBVM60 ref: 7E84AF19
__vbaStrCat.MSVBVM60(TIPOFDAY.TXT,00000000), ref: 7E84AF21
__vbaStrMove.MSVBVM60 ref: 7E84AF28
__vbaHresultCheckObj.MSVBVM60(00000000,7E651408,7E65FE6C,000006F8), ref: 7E84AF4B
__vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 7E84AF6D
__vbaFreeObj.MSVBVM60 ref: 7E84AF79
__vbaObjSet.MSVBVM60(?,00000000), ref: 7E84AF98
__vbaStrCat.MSVBVM60(TIPOFDAY.TXT,That the ), ref: 7E84AFAD
__vbaStrMove.MSVBVM60 ref: 7E84AFB4
__vbaStrCat.MSVBVM60( file was not found? ,00000000), ref: 7E84AFBC
__vbaStrMove.MSVBVM60 ref: 7E84AFC3
__vbaStrCat.MSVBVM60(7E65FFEC,00000000), ref: 7E84AFCB
__vbaStrMove.MSVBVM60 ref: 7E84AFD2
__vbaStrCat.MSVBVM60(7E65FFEC,00000000), ref: 7E84AFDA
__vbaStrMove.MSVBVM60 ref: 7E84AFE1
__vbaStrCat.MSVBVM60(Create a text file named ,00000000), ref: 7E84AFE9
__vbaStrMove.MSVBVM60 ref: 7E84AFF0
__vbaStrCat.MSVBVM60(TIPOFDAY.TXT,00000000), ref: 7E84AFF8
__vbaStrMove.MSVBVM60 ref: 7E84AFFF
__vbaStrCat.MSVBVM60( using NotePad with 1 tip per line. ,00000000), ref: 7E84B007
__vbaStrMove.MSVBVM60 ref: 7E84B00E
__vbaStrCat.MSVBVM60(Then place it in the same directory as the application. ,00000000), ref: 7E84B016
__vbaStrMove.MSVBVM60 ref: 7E84B01D
__vbaHresultCheckObj.MSVBVM60(00000000,?,7E6600F4,00000054), ref: 7E84B036
__vbaFreeStrList.MSVBVM60(00000008,?,?,?,?,?,?,?,?), ref: 7E84B05E
__vbaFreeObj.MSVBVM60 ref: 7E84B06A

Strings

Then place it in the same directory as the application. , xrefs: 7E84B011
file was not found? , xrefs: 7E84AFB7
Show Tips at Startup, xrefs: 7E84AD94
That the , xrefs: 7E84AFA0
Create a text file named , xrefs: 7E84AFE4
TIPOFDAY.TXT, xrefs: 7E84AF1C, 7E84AFA5, 7E84AFF3
;, xrefs: 7E65DA39
Options, xrefs: 7E84AD99
using NotePad with 1 tip per line. , xrefs: 7E84B002

Memory Dump Source

Source File: 00000000.00000002.2153279656.000000007E651000.00000020.00000001.01000000.00000003.sdmp, Offset: 7E650000, based on PE: true

Associated: 00000000.00000002.2153199809.000000007E650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153313282.000000007E65E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153353406.000000007E65F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153788068.000000007E8B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153788068.000000007E8B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153860108.000000007E8B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e650000_fpY3HP2cnH.jbxd

Similarity

API ID: __vba$Move$CheckFreeHresult$ListNew2$#594#689Addref
String ID: file was not found? $ using NotePad with 1 tip per line. $;$Create a text file named $Options$Show Tips at Startup$TIPOFDAY.TXT$That the $Then place it in the same directory as the application.
API String ID: 1089064309-813212176
Opcode ID: 29cdd0edc1f867a13a686bb22124873bf3900294c7fee59c648bed5df919c947
Instruction ID: 734ee41dbce21cd69458a8e5a7978560185a3ef271fd0f385d7cbe84fdcd4d00
Opcode Fuzzy Hash: 29cdd0edc1f867a13a686bb22124873bf3900294c7fee59c648bed5df919c947
Instruction Fuzzy Hash: 90C13EB5A00218ABDB15EFA5CC48EDEBBB9FF58201F10815AF555EB390DB705905CBA0

Function 7E65D48E Relevance: 82.6, APIs: 44, Strings: 3, Instructions: 385COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(7E65F658,7E8B3C50), ref: 7E843E02
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,7E65F648,00000014), ref: 7E843E27
__vbaHresultCheckObj.MSVBVM60(00000000,?,7E65FF3C,00000060), ref: 7E843E4B
__vbaStrCat.MSVBVM60(?,Info zu ), ref: 7E843E5C
__vbaStrMove.MSVBVM60 ref: 7E843E6D
__vbaHresultCheckObj.MSVBVM60(00000000,7E6511C0,7E6601EC,00000054), ref: 7E843E89
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 7E843E9D
__vbaFreeObj.MSVBVM60 ref: 7E843EA9
__vbaObjSet.MSVBVM60(?,00000000), ref: 7E843EBD
__vbaNew2.MSVBVM60(7E65F658,7E8B3C50), ref: 7E843EDC
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,7E65F648,00000014), ref: 7E843F01
__vbaHresultCheckObj.MSVBVM60(00000000,?,7E65FF3C,000000B8), ref: 7E843F27
__vbaNew2.MSVBVM60(7E65F658,7E8B3C50), ref: 7E843F3C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,7E65F648,00000014), ref: 7E843F61
__vbaHresultCheckObj.MSVBVM60(00000000,?,7E65FF3C,000000C0), ref: 7E843F87
__vbaNew2.MSVBVM60(7E65F658,7E8B3C50), ref: 7E843F9C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,7E65F648,00000014), ref: 7E843FC1
__vbaHresultCheckObj.MSVBVM60(00000000,?,7E65FF3C,000000C8), ref: 7E843FE7
__vbaStrI2.MSVBVM60(?,Version ), ref: 7E844000
__vbaStrMove.MSVBVM60 ref: 7E844007
__vbaStrCat.MSVBVM60(00000000), ref: 7E84400A
__vbaStrMove.MSVBVM60 ref: 7E844015
__vbaStrCat.MSVBVM60(7E6602D4,00000000), ref: 7E84401D
__vbaStrMove.MSVBVM60 ref: 7E844028
__vbaStrI2.MSVBVM60(?,00000000), ref: 7E84402F
__vbaStrMove.MSVBVM60 ref: 7E844036
__vbaStrCat.MSVBVM60(00000000), ref: 7E844039
__vbaStrMove.MSVBVM60 ref: 7E844044
__vbaStrCat.MSVBVM60(7E6602D4,00000000), ref: 7E84404C
__vbaStrMove.MSVBVM60 ref: 7E844057
__vbaStrI2.MSVBVM60(?,00000000), ref: 7E84405E
__vbaStrMove.MSVBVM60 ref: 7E844065
__vbaStrCat.MSVBVM60(00000000), ref: 7E844068
__vbaStrMove.MSVBVM60 ref: 7E844073
__vbaHresultCheckObj.MSVBVM60(00000000,?,7E6600F4,00000054), ref: 7E844095
__vbaFreeStrList.MSVBVM60(00000008,?,?,?,?,?,?,?,?), ref: 7E8440C1
__vbaFreeObjList.MSVBVM60(00000004,?,?,?,?), ref: 7E8440D9
__vbaObjSet.MSVBVM60(?,00000000), ref: 7E8440F3
__vbaNew2.MSVBVM60(7E65F658,7E8B3C50), ref: 7E84410E
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,7E65F648,00000014), ref: 7E844133
__vbaHresultCheckObj.MSVBVM60(00000000,?,7E65FF3C,00000060), ref: 7E844153
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,7E6600F4,00000054), ref: 7E84416E
__vbaFreeStr.MSVBVM60 ref: 7E844173
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 7E844183

Strings

Info zu , xrefs: 7E843E56
Version , xrefs: 7E843FF8
7, xrefs: 7E65D48E

Memory Dump Source

Source File: 00000000.00000002.2153279656.000000007E651000.00000020.00000001.01000000.00000003.sdmp, Offset: 7E650000, based on PE: true

Associated: 00000000.00000002.2153199809.000000007E650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153313282.000000007E65E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153353406.000000007E65F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153788068.000000007E8B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153788068.000000007E8B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153860108.000000007E8B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e650000_fpY3HP2cnH.jbxd

Similarity

API ID: __vba$CheckHresult$Move$Free$New2$List
String ID: 7$Info zu $Version
API String ID: 386842864-2038211018
Opcode ID: c229a4df403f702de2e2512c5d621157c007f22678581d4a3941eadb1a9b5415
Instruction ID: 3fc7bb042377dbf3f15869f9f48ddef8e1dc33ff390391f507ad0aae60d43cf0
Opcode Fuzzy Hash: c229a4df403f702de2e2512c5d621157c007f22678581d4a3941eadb1a9b5415
Instruction Fuzzy Hash: A5D13BB5A00219AFDB11EFA9CC88E9FBBBDFF59604F104119F505E7390DB70A9058BA0

Function 7E65B375 Relevance: 34.6, APIs: 23, Instructions: 144COMMON

Download Yara Rule

APIs

__vbaStrCat.MSVBVM60(7E65F83C,7E65F82C), ref: 7E844540
__vbaStrMove.MSVBVM60 ref: 7E84454D
__vbaStrCat.MSVBVM60(7E65F854,00000000), ref: 7E844555
__vbaStrMove.MSVBVM60 ref: 7E84455C
__vbaStrCat.MSVBVM60(7E65F878,00000000), ref: 7E844564
__vbaStrMove.MSVBVM60 ref: 7E84456B
__vbaStrCat.MSVBVM60(7E65F8AC,00000000), ref: 7E844573
__vbaStrMove.MSVBVM60 ref: 7E84457A
__vbaStrCat.MSVBVM60(7E65F8C8,00000000), ref: 7E844582
__vbaStrMove.MSVBVM60 ref: 7E844589
__vbaStrCat.MSVBVM60(7E65F8F4,00000000), ref: 7E844591
__vbaStrMove.MSVBVM60 ref: 7E844598
__vbaStrCat.MSVBVM60(7E65F910,00000000), ref: 7E8445A0
__vbaStrMove.MSVBVM60 ref: 7E8445A7
__vbaStrCat.MSVBVM60(7E65F93C,00000000), ref: 7E8445AF
__vbaStrMove.MSVBVM60 ref: 7E8445B6
__vbaStrCat.MSVBVM60(7E65F960,00000000), ref: 7E8445BE
__vbaStrMove.MSVBVM60 ref: 7E8445C5
__vbaStrCat.MSVBVM60(7E65F978,00000000), ref: 7E8445CD

Part of subcall function 7E84A060: __vbaVarDup.MSVBVM60(6D1FD8B1,6D1EA323), ref: 7E84A0A0
Part of subcall function 7E84A060: #653.MSVBVM60(?,?), ref: 7E84A0AE
Part of subcall function 7E84A060: __vbaI4Var.MSVBVM60(?), ref: 7E84A0B8
Part of subcall function 7E84A060: __vbaFreeVar.MSVBVM60 ref: 7E84A0CE
Part of subcall function 7E84A060: #632.MSVBVM60(?,?,?,?), ref: 7E84A0FA
Part of subcall function 7E84A060: __vbaVarCat.MSVBVM60(?,?,?), ref: 7E84A10C
Part of subcall function 7E84A060: __vbaVarMove.MSVBVM60 ref: 7E84A117
Part of subcall function 7E84A060: __vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 7E84A123
Part of subcall function 7E84A060: __vbaFreeVar.MSVBVM60(7E84A168), ref: 7E84A161

__vbaStrVarMove.MSVBVM60(?,?), ref: 7E8445FD
__vbaStrMove.MSVBVM60 ref: 7E844608
__vbaFreeStrList.MSVBVM60(00000009,?,?,?,?,?,?,?,?,?), ref: 7E844630
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 7E844640

Memory Dump Source

Source File: 00000000.00000002.2153279656.000000007E651000.00000020.00000001.01000000.00000003.sdmp, Offset: 7E650000, based on PE: true

Associated: 00000000.00000002.2153199809.000000007E650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153313282.000000007E65E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153353406.000000007E65F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153788068.000000007E8B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153788068.000000007E8B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153860108.000000007E8B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e650000_fpY3HP2cnH.jbxd

Similarity

API ID: __vba$Move$Free$List$#632#653
String ID:
API String ID: 193477259-0
Opcode ID: 820dfc5137f1e9296cc0431dce476f3af25695573472387359d007e1d845cad4
Instruction ID: 76dae97eb71ce4441784bb8ef33d6b7c5bc570b38e177c3afa877737f2e6588c
Opcode Fuzzy Hash: 820dfc5137f1e9296cc0431dce476f3af25695573472387359d007e1d845cad4
Instruction Fuzzy Hash: FE51B8B5E10118ABDB15EFA9D844DEEBBB9EF88600F10821AF551A7344DB705905CFA1

Function 7E65DA12 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 118COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(7E65F658,7E8B3C50), ref: 7E84AA54
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,7E65F648,00000014), ref: 7E84AA7F
__vbaHresultCheckObj.MSVBVM60(00000000,?,7E65FF3C,00000058), ref: 7E84AAA7
__vbaObjSet.MSVBVM60(?,00000000), ref: 7E84AAB7
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,7E65FF90,000000E0), ref: 7E84AADE
__vbaStrI2.MSVBVM60(?), ref: 7E84AAE4
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Function_00003126), ref: 7E84AAEF
#690.MSVBVM60(?,Options,Show Tips at Startup,00000000), ref: 7E84AB04
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 7E84AB14
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 7E84AB24

Strings

Show Tips at Startup, xrefs: 7E84AAF9
K, xrefs: 7E65DA12
Options, xrefs: 7E84AAFE

Memory Dump Source

Source File: 00000000.00000002.2153279656.000000007E651000.00000020.00000001.01000000.00000003.sdmp, Offset: 7E650000, based on PE: true

Associated: 00000000.00000002.2153199809.000000007E650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153313282.000000007E65E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153353406.000000007E65F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153788068.000000007E8B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153788068.000000007E8B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153860108.000000007E8B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e650000_fpY3HP2cnH.jbxd

Similarity

API ID: __vba$CheckHresult$FreeList$#690MoveNew2
String ID: K$Options$Show Tips at Startup
API String ID: 2513475975-3248163797
Opcode ID: 9d44576b3ba3a1a8b30d33fb297880a40c68b09e65cfab58c9bfd2657498824e
Instruction ID: 161ef9326419076ca719d282dad00d08d380b0a2def0f9d5fd3b1dfbf7d6a355
Opcode Fuzzy Hash: 9d44576b3ba3a1a8b30d33fb297880a40c68b09e65cfab58c9bfd2657498824e
Instruction Fuzzy Hash: 204171B5A40209AFDB00DFA5CD89EDEBBB9FF09604F104159F905EB380D774A905CBA0

Function 7E65DA05 Relevance: 22.6, APIs: 15, Instructions: 144COMMON

Download Yara Rule

APIs

#648.MSVBVM60(?), ref: 7E84A841
__vbaFreeVar.MSVBVM60 ref: 7E84A84D
__vbaStrCmp.MSVBVM60(7E65F084,00000000), ref: 7E84A864
#645.MSVBVM60(?,00000000), ref: 7E84A881
__vbaStrMove.MSVBVM60 ref: 7E84A88C
__vbaStrCmp.MSVBVM60(7E65F084,00000000), ref: 7E84A898
__vbaFreeStr.MSVBVM60 ref: 7E84A8A6
__vbaFreeStr.MSVBVM60(7E84A9BB), ref: 7E84A9B4

Memory Dump Source

Source File: 00000000.00000002.2153279656.000000007E651000.00000020.00000001.01000000.00000003.sdmp, Offset: 7E650000, based on PE: true

Associated: 00000000.00000002.2153199809.000000007E650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153313282.000000007E65E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153353406.000000007E65F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153788068.000000007E8B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153788068.000000007E8B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153860108.000000007E8B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e650000_fpY3HP2cnH.jbxd

Similarity

API ID: __vba$Free$#645#648Move
String ID:
API String ID: 2957232524-0
Opcode ID: 02da39ec9a1237963ad4f7c79d7160b3a1b126f21b15628f9b2158c2a9138730
Instruction ID: 1971b07c523111f16162194b1aa096e73cdaf45d01caaf06683c5c451842da4e
Opcode Fuzzy Hash: 02da39ec9a1237963ad4f7c79d7160b3a1b126f21b15628f9b2158c2a9138730
Instruction Fuzzy Hash: 7F510CB5E01209EFCB10DFA6C988ADDBBB5FF49304F208159E559AB384D7345A05CF91

Function 7E65DA46 Relevance: 15.1, APIs: 10, Instructions: 109COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(7E65FF2C,7E65144C), ref: 7E84B136
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,7E65FF1C,00000024), ref: 7E84B157
__vbaObjSet.MSVBVM60(?,00000000), ref: 7E84B176
__vbaNew2.MSVBVM60(7E65FF2C,7E65144C), ref: 7E84B18A
__vbaHresultCheckObj.MSVBVM60(00000000,7E84B3B3,7E65FF1C,0000001C), ref: 7E84B1BC
__vbaStrVarVal.MSVBVM60(?,?), ref: 7E84B1CC
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,7E6600F4,00000054), ref: 7E84B1E6
__vbaFreeStr.MSVBVM60 ref: 7E84B1EF
__vbaFreeObj.MSVBVM60 ref: 7E84B1F8
__vbaFreeVar.MSVBVM60 ref: 7E84B201

Memory Dump Source

Source File: 00000000.00000002.2153279656.000000007E651000.00000020.00000001.01000000.00000003.sdmp, Offset: 7E650000, based on PE: true

Associated: 00000000.00000002.2153199809.000000007E650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153313282.000000007E65E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153353406.000000007E65F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153788068.000000007E8B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153788068.000000007E8B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153860108.000000007E8B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e650000_fpY3HP2cnH.jbxd

Similarity

API ID: __vba$CheckFreeHresult$New2
String ID:
API String ID: 4034668929-0
Opcode ID: 010446097d0156823284373c29feab49c9aaa6bdaad734350ad24ccf88d9dc55
Instruction ID: 024b23dc7329bb299c78c34d1d6221c5b83c744039d18d91317cf336a4908f98
Opcode Fuzzy Hash: 010446097d0156823284373c29feab49c9aaa6bdaad734350ad24ccf88d9dc55
Instruction Fuzzy Hash: CF4138B5A00609ABDB10DFAACD8CE9EBBBDFF46604B108519F951A7390DB7099058B60

Function 7E84A060 Relevance: 13.6, APIs: 9, Instructions: 72COMMON

Download Yara Rule

APIs

__vbaVarDup.MSVBVM60(6D1FD8B1,6D1EA323), ref: 7E84A0A0
#653.MSVBVM60(?,?), ref: 7E84A0AE
__vbaI4Var.MSVBVM60(?), ref: 7E84A0B8
__vbaFreeVar.MSVBVM60 ref: 7E84A0CE
#632.MSVBVM60(?,?,?,?), ref: 7E84A0FA
__vbaVarCat.MSVBVM60(?,?,?), ref: 7E84A10C
__vbaVarMove.MSVBVM60 ref: 7E84A117
__vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 7E84A123
__vbaFreeVar.MSVBVM60(7E84A168), ref: 7E84A161

Memory Dump Source

Source File: 00000000.00000002.2153353406.000000007E65F000.00000020.00000001.01000000.00000003.sdmp, Offset: 7E650000, based on PE: true

Associated: 00000000.00000002.2153199809.000000007E650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153279656.000000007E651000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153313282.000000007E65E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153788068.000000007E8B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153788068.000000007E8B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153860108.000000007E8B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e650000_fpY3HP2cnH.jbxd

Similarity

API ID: __vba$Free$#632#653ListMove
String ID:
API String ID: 2983645214-0
Opcode ID: 09eff88537459b898eb99eb6f731124954ad3a62acc13ad384c343dd324a8e23
Instruction ID: bd9e17b5cfe671c93658994342950cfbc6a1f52e3d7c58f1e8c8cbac3cbb1680
Opcode Fuzzy Hash: 09eff88537459b898eb99eb6f731124954ad3a62acc13ad384c343dd324a8e23
Instruction Fuzzy Hash: C921F5B6D0064DEFDB00DFA5C888ADEBFB8FF08304F104559E406A7244EB706989CB60

Function 7E65D9B1 Relevance: 10.6, APIs: 7, Instructions: 108COMMON

Download Yara Rule

APIs

#593.MSVBVM60(?), ref: 7E84A712
__vbaNew2.MSVBVM60(7E65FF2C,00000000), ref: 7E84A72E
__vbaHresultCheckObj.MSVBVM60(00000000,?,7E65FF1C,00000024), ref: 7E84A74F
__vbaR8IntI4.MSVBVM60 ref: 7E84A761
__vbaFreeVar.MSVBVM60 ref: 7E84A76D
__vbaNew2.MSVBVM60(7E65D4B8,7E8B33AC), ref: 7E84A786
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,7E65FE6C,000006FC), ref: 7E84A7AD

Memory Dump Source

Source File: 00000000.00000002.2153279656.000000007E651000.00000020.00000001.01000000.00000003.sdmp, Offset: 7E650000, based on PE: true

Associated: 00000000.00000002.2153199809.000000007E650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153313282.000000007E65E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153353406.000000007E65F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153788068.000000007E8B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153788068.000000007E8B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153860108.000000007E8B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e650000_fpY3HP2cnH.jbxd

Similarity

API ID: __vba$CheckHresultNew2$#593Free
String ID:
API String ID: 2147906589-0
Opcode ID: 68377e583644f49ee31e30c1535bb5ec15b598e399ed4b15d51ba5d0575446f3
Instruction ID: cafd546c31017276d9df88aa666a95d1c24a68bc751085116766279a95d8c91c
Opcode Fuzzy Hash: 68377e583644f49ee31e30c1535bb5ec15b598e399ed4b15d51ba5d0575446f3
Instruction Fuzzy Hash: A721A0B9601609EFCB20DF66DD4CB8A7BB9FF09614F204154F885AB794E7349510CB61

Function 7E65DA2C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(7E65F658,7E8B3C50,?,?,?,?,?,?,?,?,Function_00003126), ref: 7E84AC48
__vbaObjSetAddref.MSVBVM60(?,7E6513F8,?,?,?,?,?,?,?,?,Function_00003126), ref: 7E84AC5E
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,7E65F648,00000010,?,?,?,?,?,?,?,?,Function_00003126), ref: 7E84AC7B
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,Function_00003126), ref: 7E84AC84

Strings

O, xrefs: 7E65DA2C

Memory Dump Source

Source File: 00000000.00000002.2153279656.000000007E651000.00000020.00000001.01000000.00000003.sdmp, Offset: 7E650000, based on PE: true

Associated: 00000000.00000002.2153199809.000000007E650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153313282.000000007E65E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153353406.000000007E65F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153788068.000000007E8B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153788068.000000007E8B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153860108.000000007E8B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e650000_fpY3HP2cnH.jbxd

Similarity

API ID: __vba$AddrefCheckFreeHresultNew2
String ID: O
API String ID: 1649212984-878818188
Opcode ID: fd2f88450dd29250d0926498eac3d77ce7d0967729cf99c62d182b1cb35996d4
Instruction ID: 82d12aa5dcb360df630111878e15d308a5fbdb6a45c5628324020ca4f647df63
Opcode Fuzzy Hash: fd2f88450dd29250d0926498eac3d77ce7d0967729cf99c62d182b1cb35996d4
Instruction Fuzzy Hash: CD11B679A40608FFC700DF5AC989E9EBBB9FF49614F208169F941EB380D7349841CB90

Function 7E65D481 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(7E65F658,7E8B3C50,?,?,?,?,?,?,?,?,Function_00003126), ref: 7E843D08
__vbaObjSetAddref.MSVBVM60(?,7E6511B0,?,?,?,?,?,?,?,?,Function_00003126), ref: 7E843D1E
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,7E65F648,00000010,?,?,?,?,?,?,?,?,Function_00003126), ref: 7E843D3B
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,Function_00003126), ref: 7E843D44

Strings

O, xrefs: 7E65D481

Memory Dump Source

Source File: 00000000.00000002.2153279656.000000007E651000.00000020.00000001.01000000.00000003.sdmp, Offset: 7E650000, based on PE: true

Associated: 00000000.00000002.2153199809.000000007E650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153313282.000000007E65E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153353406.000000007E65F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153788068.000000007E8B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153788068.000000007E8B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153860108.000000007E8B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e650000_fpY3HP2cnH.jbxd

Similarity

API ID: __vba$AddrefCheckFreeHresultNew2
String ID: O
API String ID: 1649212984-878818188
Opcode ID: c3249558844d2073b866abf27d91f81deecec255ea5cdd0ad24f83d0e3e3154c
Instruction ID: 89c6bea59b826347d8364eb803ce2347ad48e611fc78c35965e5cc0ca65afd1f
Opcode Fuzzy Hash: c3249558844d2073b866abf27d91f81deecec255ea5cdd0ad24f83d0e3e3154c
Instruction Fuzzy Hash: 7911B679A00608FFC701DFA6CD89B9EBBB9FF49614F208129F941A7380C7345905CB90

Function 7E846C10 Relevance: 6.1, APIs: 4, Instructions: 58COMMON

Download Yara Rule

APIs

#644.MSVBVM60(?,7E846A00,00000001,6D2CEC2C,00000000,?,?,?,?,?,?,Function_00003126), ref: 7E846C67
#644.MSVBVM60(00000001,?,?,?,?,?,?,Function_00003126), ref: 7E846C72
#644.MSVBVM60(00000000,?,?,?,?,?,?,Function_00003126), ref: 7E846C84
#644.MSVBVM60(-00000004,?,?,?,?,?,?,Function_00003126), ref: 7E846CA2

Memory Dump Source

Source File: 00000000.00000002.2153353406.000000007E65F000.00000020.00000001.01000000.00000003.sdmp, Offset: 7E650000, based on PE: true

Associated: 00000000.00000002.2153199809.000000007E650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153279656.000000007E651000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153313282.000000007E65E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153788068.000000007E8B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153788068.000000007E8B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153860108.000000007E8B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e650000_fpY3HP2cnH.jbxd

Similarity

API ID: #644
String ID:
API String ID: 700137900-0
Opcode ID: ad3fc80313e700f92bb431c9623582f748ce9d7868cfd3bb5a0d6e80f3edeb8b
Instruction ID: 0bc919f711aea086d710ac8a4fef2c717335c92ee6146f792f6a7031d6b979e5
Opcode Fuzzy Hash: ad3fc80313e700f92bb431c9623582f748ce9d7868cfd3bb5a0d6e80f3edeb8b
Instruction Fuzzy Hash: E111C1B5A40208AFCB00DFB9CD44E6ABBFDEB49700B20461AF805E3784D7B59D008B64

Analysis Process: RegAsm.exePID: 364, Parent PID: 4784COMMON

Execution Graph

Execution Coverage:	8.9%
Dynamic/Decrypted Code Coverage:	38.9%
Signature Coverage:	8.3%
Total number of Nodes:	36
Total number of Limit Nodes:	5

Executed Functions

Function 01567070 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 015670E7

Strings

[;ME, xrefs: 0156708A

Memory Dump Source

Source File: 00000002.00000002.4600226433.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1560000_RegAsm.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID: [;ME
API String ID: 3662101638-1444403609
Opcode ID: 05de628abad3d9e3aa67c3a398b256fa2fe80858c7254b37bc08579f9b774930
Instruction ID: b5cfbc0a5a9c51ed16f511b2590940417fbc0d52569978390b2681ed9ae86845
Opcode Fuzzy Hash: 05de628abad3d9e3aa67c3a398b256fa2fe80858c7254b37bc08579f9b774930
Instruction Fuzzy Hash: BB2145B2800259CFDB10CF9AD884BEEFBF4AF49320F14841AE459A7340C778A944CFA1

Function 01564A88 Relevance: 2.8, Strings: 2, Instructions: 266
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

[;ME, xrefs: 01564AC7
[;ME, xrefs: 01564AA7

Memory Dump Source

Source File: 00000002.00000002.4600226433.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1560000_RegAsm.jbxd

Similarity

API ID:
String ID: [;ME$[;ME
API String ID: 0-4159865865
Opcode ID: 3776ef2a646bc0c2e2cc8e337ff708ab8f22bf8194b19225817dc505bf634a74
Instruction ID: 8103af776822e898d2fe77559cfe90c78320e43d7ccfb587d69fcca179806da6
Opcode Fuzzy Hash: 3776ef2a646bc0c2e2cc8e337ff708ab8f22bf8194b19225817dc505bf634a74
Instruction Fuzzy Hash: AFB12A70E00209CFEF14CFA9C8957ADBBF6BF88714F148529D815AB394EB749885CB81

Function 0156A6BD Relevance: 2.7, Instructions: 2747COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4600226433.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1560000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc80e6c1ca36d77ef5b909a8321ecd01f340643e99d1bc767c5ba22a556bf598
Instruction ID: 3ae83307d85330ca4c1b204bdceafd1002fbb88c8d6a60f0c249121ddbfbada3
Opcode Fuzzy Hash: dc80e6c1ca36d77ef5b909a8321ecd01f340643e99d1bc767c5ba22a556bf598
Instruction Fuzzy Hash: 7C53E631D10B5A8ADB51EF68C880599F7B1FF99300F11D79AE4587B221FB70AAD4CB81

Function 01563E70 Relevance: 2.7, Strings: 2, Instructions: 238
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

[;ME, xrefs: 01563EAF
[;ME, xrefs: 01563E8F

Memory Dump Source

Source File: 00000002.00000002.4600226433.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1560000_RegAsm.jbxd

Similarity

API ID:
String ID: [;ME$[;ME
API String ID: 0-4159865865
Opcode ID: 8645c978617ae96586980cd0894bd3cdad6108d444aaf200db578ecf64fb0bb6
Instruction ID: c6e9b5c0aea554d3de2bd880ed60a4814c8cfc8979e1774e1971fe3ebe019bac
Opcode Fuzzy Hash: 8645c978617ae96586980cd0894bd3cdad6108d444aaf200db578ecf64fb0bb6
Instruction Fuzzy Hash: 41917B70E00309DFDF14CFA9C8857AEBBF6BF88714F148129E419AB294EB749845CB91

Function 0156D890 Relevance: 2.3, Instructions: 2316COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4600226433.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1560000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9c01bf777a8a860cb278d9efefad1dbb77f601688a868ec9617d1b5eda693b9
Instruction ID: 07eb37d43cb55387d1a46fcb4354c96b6e4e2044f819076f057933f77dfcb238
Opcode Fuzzy Hash: e9c01bf777a8a860cb278d9efefad1dbb77f601688a868ec9617d1b5eda693b9
Instruction Fuzzy Hash: 3E332E31D1071A8EDB11EF68C8905ADF7B5FF99300F15C79AD458AB221EB70AAC5CB81

Function 00445373 Relevance: 1.5, APIs: 1, Instructions: 14
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000004), ref: 00445895

Memory Dump Source

Source File: 00000002.00000002.4599419545.0000000000442000.00000040.80000000.00040000.00000000.sdmp, Offset: 00442000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_442000_RegAsm.jbxd

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 461f2017c842cedaf0df22ee892202376c2aa431922ed03f5d6da0b6b6b90dc6
Instruction ID: 4402dccb5b4fc3af3cc79e13926bd180780f8553674bae104511bcc9d3ed03d2
Opcode Fuzzy Hash: 461f2017c842cedaf0df22ee892202376c2aa431922ed03f5d6da0b6b6b90dc6
Instruction Fuzzy Hash: B3D01265658E05BFFE0DCA848C12FB9222897047A0F3003063723940C1EAE49741A26B

Function 069B1130 Relevance: .5, Instructions: 545COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4601797472.00000000069B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_69b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b6dbdb073e41040e2193d9be5768bb20351cdf4b472d578f8155db3771609b3
Instruction ID: cbeb6f24ce1aab78b6c1b7faee9fb1c10d87b70b8374b96663117a86c113014e
Opcode Fuzzy Hash: 3b6dbdb073e41040e2193d9be5768bb20351cdf4b472d578f8155db3771609b3
Instruction Fuzzy Hash: 8B323B30E1075ACBDB14DF65D89459DB7B6FFD9300F20D6AAD40AAB214EB30AD85CB90

Function 069B3A88 Relevance: .5, Instructions: 474COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4601797472.00000000069B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_69b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1958e8a00a897e774b156248b7e0bd4941cdff382d757d604d9613dc37d293ed
Instruction ID: 666e7a8bdf9dcba2ea09be8ba0478479bd771dae99c15412c844d0554b2ea735
Opcode Fuzzy Hash: 1958e8a00a897e774b156248b7e0bd4941cdff382d757d604d9613dc37d293ed
Instruction Fuzzy Hash: A602AC30B012069FDB14DB68E5946AEBBF6FF88300F24856AD406DB795DB35EC42CB80

Function 069BA6BA Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 134
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 069BA73E
GetCurrentThread.KERNEL32 ref: 069BA77B
GetCurrentProcess.KERNEL32 ref: 069BA7B8
GetCurrentThreadId.KERNEL32 ref: 069BA811

Strings

[;ME, xrefs: 069BA6DC

Memory Dump Source

Source File: 00000002.00000002.4601797472.00000000069B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_69b0000_RegAsm.jbxd

Similarity

API ID: Current$ProcessThread
String ID: [;ME
API String ID: 2063062207-1444403609
Opcode ID: 17c9aed468566469bdb51d14b0151964c38b7ed63534e21252f059f943c89b4b
Instruction ID: 96cf5b6a1c2f278ace734737ba696f8b0eec2f66fab0116d914d887a65c70aac
Opcode Fuzzy Hash: 17c9aed468566469bdb51d14b0151964c38b7ed63534e21252f059f943c89b4b
Instruction Fuzzy Hash: 105177B0D00749DFDB54CFAAD988BEEBBF1EB48310F208059E009A7760D7749944CB65

Function 069BA6C0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 069BA73E
GetCurrentThread.KERNEL32 ref: 069BA77B
GetCurrentProcess.KERNEL32 ref: 069BA7B8
GetCurrentThreadId.KERNEL32 ref: 069BA811

Strings

[;ME, xrefs: 069BA6DC

Memory Dump Source

Source File: 00000002.00000002.4601797472.00000000069B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_69b0000_RegAsm.jbxd

Similarity

API ID: Current$ProcessThread
String ID: [;ME
API String ID: 2063062207-1444403609
Opcode ID: 677d3a72d848162cff87bf279072ded9dc8b60224c7afdb970fc1ef212df32e4
Instruction ID: f9daee9d465e23f0f9099b97f627158e6a53e93fa077490763f20cec58d1b062
Opcode Fuzzy Hash: 677d3a72d848162cff87bf279072ded9dc8b60224c7afdb970fc1ef212df32e4
Instruction Fuzzy Hash: 005174B0D00749DFDB54CFAAD988BEEBBF1EB88300F208059E009A7760D774A944CB65

Function 0156706B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 015670E7

Strings

[;ME, xrefs: 0156708A

Memory Dump Source

Source File: 00000002.00000002.4600226433.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1560000_RegAsm.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID: [;ME
API String ID: 3662101638-1444403609
Opcode ID: e5162e1e7448e8a2ebc81d5c72517c1bf92d95d9453b9fb8e458608866a5a92d
Instruction ID: 94a7baa84da0ea3271bd66e95da13a0bfe9f25522131cafde294aa356c14c35e
Opcode Fuzzy Hash: e5162e1e7448e8a2ebc81d5c72517c1bf92d95d9453b9fb8e458608866a5a92d
Instruction Fuzzy Hash: D8213672800259CFDB10CF9AD884BEEBBF4AF49220F14841AE459A7340C778A944CF61

Function 069BA900 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 069BA98F

Strings

[;ME, xrefs: 069BA927

Memory Dump Source

Source File: 00000002.00000002.4601797472.00000000069B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_69b0000_RegAsm.jbxd

Similarity

API ID: DuplicateHandle
String ID: [;ME
API String ID: 3793708945-1444403609
Opcode ID: 7138145d6298ca745f1be1433ba3573e2b12df071e773b2c51010ee198feb991
Instruction ID: 3c31dc8e57023c3ec82c73caceb97eec2939ba96a1ae566140c021ff51782527
Opcode Fuzzy Hash: 7138145d6298ca745f1be1433ba3573e2b12df071e773b2c51010ee198feb991
Instruction Fuzzy Hash: A721E4B5D00248DFDB10CFAAD984ADEBBF4EB48310F24841AE958A7750D378A954CF65

Function 069BA908 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 069BA98F

Strings

[;ME, xrefs: 069BA927

Memory Dump Source

Source File: 00000002.00000002.4601797472.00000000069B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_69b0000_RegAsm.jbxd

Similarity

API ID: DuplicateHandle
String ID: [;ME
API String ID: 3793708945-1444403609
Opcode ID: 092d2ebc82227bd4d30995d209f8517486378def4ff4996a6abc13e39952d8ae
Instruction ID: 7a594dc81eac6552d63c1e650780ecaba61b1bef4a31bebbc2793393033399b1
Opcode Fuzzy Hash: 092d2ebc82227bd4d30995d209f8517486378def4ff4996a6abc13e39952d8ae
Instruction Fuzzy Hash: FB21E4B5900248EFDB10CFAAD984ADEFBF8EB48310F14841AE918A7310D378A944CF65

Function 014FD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4600022983.00000000014FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14fd000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5f152305f05de05de488fcc6b6f79358d09759e33b1adeb0b533f301c6f7a58
Instruction ID: e37aaa45850a58a0ddc44c4539e208576696bdcadcc4d10708c949f044f80cf2
Opcode Fuzzy Hash: f5f152305f05de05de488fcc6b6f79358d09759e33b1adeb0b533f301c6f7a58
Instruction Fuzzy Hash: F62107B1A04344EFDB15DF64D9C0B16BB61FB84318F24C56EDA094B366C336D447CA62

Function 014FD006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4600022983.00000000014FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14fd000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53030be91fdec0b49904d580d07fbc410dde8b45ce54dd121bfe46866b4a1b1d
Instruction ID: bf69cc2f30d0a2eada1449383e1ebffd8375f8832ddcec70ac2b8d47c0c23635
Opcode Fuzzy Hash: 53030be91fdec0b49904d580d07fbc410dde8b45ce54dd121bfe46866b4a1b1d
Instruction Fuzzy Hash: 89217C755093809FCB06CF24D990716BF71EB46218F28C5EAD9498F767C33A984ACB62

Non-executed Functions

Function 015641B8 Relevance: 2.8, Strings: 2, Instructions: 281COMMON

Download Yara Rule

Strings

[;ME, xrefs: 015641F7
[;ME, xrefs: 015641D7

Memory Dump Source

Source File: 00000002.00000002.4600226433.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1560000_RegAsm.jbxd

Similarity

API ID:
String ID: [;ME$[;ME
API String ID: 0-4159865865
Opcode ID: 69d50b97ff125d79a962fbd8e5b405b80bbddff86b61517073d20c34668f68fc
Instruction ID: 31f9e12b691efd339a80411dcecae31ac19bcbb49d79cca3ff32d2d6438b464a
Opcode Fuzzy Hash: 69d50b97ff125d79a962fbd8e5b405b80bbddff86b61517073d20c34668f68fc
Instruction Fuzzy Hash: D7B13E70E00249CFDF14CFA9C8857EEBBF6BF88714F148529D815AB294EB749885CB91

Function 069B33A0 Relevance: .5, Instructions: 468COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4601797472.00000000069B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_69b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6678f91cca97334598c1bb75aac790383c7b9b93a5791ac281a4bf3ec062326
Instruction ID: 36248adaba88f4e3215e0889564785e12a2783ea173cf5ddf50263e5fe917d64
Opcode Fuzzy Hash: b6678f91cca97334598c1bb75aac790383c7b9b93a5791ac281a4bf3ec062326
Instruction Fuzzy Hash: E3124A30F01219CFDB64DF69D994A9EB7B6BF89300F20956AD40AAB754DB319D81CF80

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report fpY3HP2cnH.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\21c8026919fd094ab07ec3c180a9f210_9e146be9-c76a-4720-bcdb-53011b87bd06

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Windows Analysis Report
fpY3HP2cnH.exe

Function 02AC069B Relevance: 26.6, APIs: 10, Strings: 5, Instructions: 387
COMMON

Function 02AC02F0 Relevance: 26.6, APIs: 10, Strings: 5, Instructions: 386
COMMON

Function 02AC2C91 Relevance: 26.6, APIs: 10, Strings: 5, Instructions: 380
nativeCOMMON

Function 02AC06FF Relevance: 26.6, APIs: 10, Strings: 5, Instructions: 379
COMMON

Function 02AC01A0 Relevance: 26.6, APIs: 10, Strings: 5, Instructions: 379
COMMON

Function 02AC06BB Relevance: 26.6, APIs: 10, Strings: 5, Instructions: 378
COMMON

Function 02AC0360 Relevance: 26.6, APIs: 10, Strings: 5, Instructions: 377
COMMON

Function 02AC1CE8 Relevance: 26.6, APIs: 10, Strings: 5, Instructions: 376
nativethreadprocessCOMMON

Function 02AC024E Relevance: 26.6, APIs: 10, Strings: 5, Instructions: 376
COMMON

Function 02AC06D9 Relevance: 26.6, APIs: 10, Strings: 5, Instructions: 375
COMMON

Function 02AC07EE Relevance: 26.6, APIs: 10, Strings: 5, Instructions: 375
COMMON

Function 02AC0C98 Relevance: 26.6, APIs: 10, Strings: 5, Instructions: 372
COMMON

Function 02AC115C Relevance: 26.6, APIs: 10, Strings: 5, Instructions: 372
COMMON

Function 02AC075F Relevance: 26.6, APIs: 10, Strings: 5, Instructions: 372
COMMON

Function 7E846120 Relevance: 193.2, APIs: 105, Strings: 5, Instructions: 685
librarymemoryloaderCOMMON