Edit tour

Windows Analysis Report
17367113452957edfc9b8ae3ec34b8a6a9089df6f896f271bbf1399203c8025fd6cb0731fa872.dat-decoded.exe

Overview

General Information

Sample name:	17367113452957edfc9b8ae3ec34b8a6a9089df6f896f271bbf1399203c8025fd6cb0731fa872.dat-decoded.exe
Analysis ID:	1589559
MD5:	3fed3a6ff0a80d3751531bdebaa9b2b4
SHA1:	e8a237f849876e8c393cb95bac7f624d79b36f7f
SHA256:	7d629e56510be6655db82910df89e19820e9095d947d6dd4ced7c6656cdf8a02
Tags:	base64-decodedexeuser-abuse_ch

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Machine Learning detection for sample

Program does not show much activity (idle)

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

17367113452957edfc9b8ae3ec34b8a6a9089df6f896f271bbf1399203c8025fd6cb0731fa872.dat-decoded.exe (PID: 7396 cmdline: "C:\Users\user\Desktop\17367113452957edfc9b8ae3ec34b8a6a9089df6f896f271bbf1399203c8025fd6cb0731fa872.dat-decoded.exe" MD5: 3FED3A6FF0A80D3751531BDEBAA9B2B4)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: 17367113452957edfc9b8ae3ec34b8a6a9089df6f896f271bbf1399203c8025fd6cb0731fa872.dat-decoded.exe

ReversingLabs: Detection: 18%

Machine Learning detection for sample

Source: 17367113452957edfc9b8ae3ec34b8a6a9089df6f896f271bbf1399203c8025fd6cb0731fa872.dat-decoded.exe

Joe Sandbox ML: detected

Source: classification engine

Classification label: mal52.winEXE@1/0@0/0

Source: 17367113452957edfc9b8ae3ec34b8a6a9089df6f896f271bbf1399203c8025fd6cb0731fa872.dat-decoded.exe

ReversingLabs: Detection: 18%

Source: C:\Users\user\Desktop\17367113452957edfc9b8ae3ec34b8a6a9089df6f896f271bbf1399203c8025fd6cb0731fa872.dat-decoded.exe

Code function: 0_2_00408C83 push 41080E0Ah; ret

0_2_00408CAA

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	1 Obfuscated Files or Information	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
17367113452957edfc9b8ae3ec34b8a6a9089df6f896f271bbf1399203c8025fd6cb0731fa872.dat-decoded.exe	18%	ReversingLabs	Win32.Trojan.GenCBL
17367113452957edfc9b8ae3ec34b8a6a9089df6f896f271bbf1399203c8025fd6cb0731fa872.dat-decoded.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s-part-0017.t-0009.fb-t-msedge.net	13.107.253.45	true	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1589559
Start date and time:	2025-01-12 20:50:13 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	17367113452957edfc9b8ae3ec34b8a6a9089df6f896f271bbf1399203c8025fd6cb0731fa872.dat-decoded.exe
Detection:	MAL
Classification:	mal52.winEXE@1/0@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 15
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 13.107.253.45, 20.109.210.53
Excluded domains from analysis (whitelisted): azurefd-t-fb-prod.trafficmanager.net, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target 17367113452957edfc9b8ae3ec34b8a6a9089df6f896f271bbf1399203c8025fd6cb0731fa872.dat-decoded.exe, PID 7396 because there are no executed function
Not all processes where analyzed, report is missing behavior information

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.fb-t-msedge.net	VlY57c5AF4.exe	Get hash	malicious	Unknown	Browse	13.107.253.45
	wN7EPNiHSM.exe	Get hash	malicious	FormBook	Browse	13.107.253.45
	http://infarmbureau.com	Get hash	malicious	Unknown	Browse	13.107.253.45
	32474162872806629906.js	Get hash	malicious	Strela Downloader	Browse	13.107.253.45
	0Ie2kYdPTW.exe	Get hash	malicious	FormBook	Browse	13.107.253.45
	97q26I8OtN.exe	Get hash	malicious	FormBook	Browse	13.107.253.45
	nkCBRtd25H.exe	Get hash	malicious	Unknown	Browse	13.107.253.45
	https://www.filemail.com/d/rxythqchkhluipl?skipreg=true	Get hash	malicious	Unknown	Browse	13.107.253.45
	https://eu.jotform.com/app/250092704521347	Get hash	malicious	Unknown	Browse	13.107.253.45
	http://loginmicrosoftonline.Bdo.scoremasters.gr/cache/cdn?email=christian.wernli@bdo.ch	Get hash	malicious	Unknown	Browse	13.107.253.45

File type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	6.034782551060832
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% VXD Driver (31/22) 0.00% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	17367113452957edfc9b8ae3ec34b8a6a9089df6f896f271bbf1399203c8025fd6cb0731fa872.dat-decoded.exe
File size:	31'025 bytes
MD5:	3fed3a6ff0a80d3751531bdebaa9b2b4
SHA1:	e8a237f849876e8c393cb95bac7f624d79b36f7f
SHA256:	7d629e56510be6655db82910df89e19820e9095d947d6dd4ced7c6656cdf8a02
SHA512:	b8c7c90dd9a6d4cd9f307ac2f676f6286d7313f6b859fca35fdd28be97633374155d9a59b41657efc9a04271774ffd322d07bd4ea3f7b1c287dec1623dd9ab7a
SSDEEP:	384:8vrMINhaGwl7lRo64XP5doXErJUB/hbFdGBWJQKYVzhbSB5ATy/o0el7xI:8jMINhjwl7lRo3/vEErmWjdy/o17
TLSH:	60D24C4AF203D8F0EA5A82F69EFD873E5AF7651899216D36EF1DF6BCA8334407524140
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g.................J...p...............`....@........................................... ............................

File Icon


Icon Hash:	00928e8e8686b000

Network Behavior

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 12, 2025 20:51:21.596693993 CET	1.1.1.1	192.168.2.7	0x864c	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	azurefd-t-fb-prod.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 12, 2025 20:51:21.596693993 CET	1.1.1.1	192.168.2.7	0x864c	No error (0)	dual.s-part-0017.t-0009.fb-t-msedge.net	s-part-0017.t-0009.fb-t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 12, 2025 20:51:21.596693993 CET	1.1.1.1	192.168.2.7	0x864c	No error (0)	s-part-0017.t-0009.fb-t-msedge.net		13.107.253.45	A (IP address)	IN (0x0001)	false

Analysis Process: 17367113452957edfc9b8ae3ec34b8a6a9089df6f896f271bbf1399203c8025fd6cb0731fa872.dat-decoded.exePID: 7396, Parent PID: 4056

General

Target ID:	0
Start time:	14:51:23
Start date:	12/01/2025
Path:	C:\Users\user\Desktop\17367113452957edfc9b8ae3ec34b8a6a9089df6f896f271bbf1399203c8025fd6cb0731fa872.dat-decoded.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\17367113452957edfc9b8ae3ec34b8a6a9089df6f896f271bbf1399203c8025fd6cb0731fa872.dat-decoded.exe"
Imagebase:	0x400000
File size:	31'025 bytes
MD5 hash:	3FED3A6FF0A80D3751531BDEBAA9B2B4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: 17367113452957edfc9b8ae3ec34b8a6a9089df6f896f271bbf1399203c8025fd6cb0731fa872.dat-decoded.exePID: 7396, Parent PID: 4056COMMON

Non-executed Functions

Function 0040136D Relevance: 18.9, Strings: 15, Instructions: 171COMMON

Download Yara Rule

Strings

N3GZ, xrefs: 004014F6
9, xrefs: 00401497
V6RC, xrefs: 004014AE
XSP2, xrefs: 004014DE
RDE5, xrefs: 004014D6
H2KO, xrefs: 004014FE
INUW, xrefs: 00401506
RNS6, xrefs: 004014E6
VDMJ, xrefs: 004014EE
2EBL, xrefs: 004014C6
WGYZ, xrefs: 004014BE
PUP2, xrefs: 0040150E
QJ4U, xrefs: 004014B6
O6UW, xrefs: 004014CE
GCF5, xrefs: 004014A6

Memory Dump Source

Source File: 00000000.00000002.2624341597.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2624319027.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2624361796.0000000000406000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2624379581.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2624398725.000000000040B000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_17367113452957edfc9b8ae3ec34b8a6a9089df6f896f271bbf1399203c8025fd6cb07.jbxd

Similarity

API ID:
String ID: 2EBL$9$GCF5$H2KO$INUW$N3GZ$O6UW$PUP2$QJ4U$RDE5$RNS6$V6RC$VDMJ$WGYZ$XSP2
API String ID: 0-3611973022
Opcode ID: 531b8c8a3eb4b3221872e507e8f6b8c36c661db0118d954696ab65a9f2da7739
Instruction ID: 72be665efa1e9de365ca40be08b7b3400e061fbf781dd5862eae946ef745aaad
Opcode Fuzzy Hash: 531b8c8a3eb4b3221872e507e8f6b8c36c661db0118d954696ab65a9f2da7739
Instruction Fuzzy Hash: CC618DB09097409FC300EF69958568ABFF0EF86304F058A7ED4986B2A2D338D546CB97

Function 004018AA Relevance: 16.4, Strings: 13, Instructions: 169COMMON

Download Yara Rule

Strings

77ow, xrefs: 004018D0
SrjD, xrefs: 004018F8
HZFy, xrefs: 004018F0
e1AN, xrefs: 004018D8
eu4u, xrefs: 00401910
&, xrefs: 00401B1F
yAxt, xrefs: 004018E8
2fEh, xrefs: 00401900
SmTb, xrefs: 00401908
KF5x, xrefs: 004018C8
zDa6, xrefs: 004018E0
-, xrefs: 004018B1
4pBU, xrefs: 004018C0

Memory Dump Source

Source File: 00000000.00000002.2624341597.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2624319027.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2624361796.0000000000406000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2624379581.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2624398725.000000000040B000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_17367113452957edfc9b8ae3ec34b8a6a9089df6f896f271bbf1399203c8025fd6cb07.jbxd

Similarity

API ID:
String ID: &$-$2fEh$4pBU$77ow$HZFy$KF5x$SmTb$SrjD$e1AN$eu4u$yAxt$zDa6
API String ID: 0-1423849705
Opcode ID: e784d339b102494f2d0274b8473576c8e1f2c7d8093020a8e4f767ba6701d87a
Instruction ID: 7d0111eb0074cd424df840d4f0b9aac11ea99db73d9ef7f84f1514d15deeefcc
Opcode Fuzzy Hash: e784d339b102494f2d0274b8473576c8e1f2c7d8093020a8e4f767ba6701d87a
Instruction Fuzzy Hash: 60715EB45097809FC315DF25C48168ABFE0EF89304F558AAEE4885B366D378C986CF97

Function 0040268D Relevance: 16.3, Strings: 13, Instructions: 72COMMON

Download Yara Rule

Strings

_fMd, xrefs: 004026ED
rW6b, xrefs: 004026FD
fKtg, xrefs: 004026D5
kCTX, xrefs: 004026BD
Ag0N, xrefs: 004026DD
MJ3y, xrefs: 004026E5
HPjv, xrefs: 004026CD
Zw1l, xrefs: 004026AD
JExd, xrefs: 004026F5
2XWA, xrefs: 004026B5
egWI, xrefs: 004026C5
2, xrefs: 00402696
UQDU, xrefs: 004026A5

Memory Dump Source

Source File: 00000000.00000002.2624341597.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2624319027.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2624361796.0000000000406000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2624379581.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2624398725.000000000040B000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_17367113452957edfc9b8ae3ec34b8a6a9089df6f896f271bbf1399203c8025fd6cb07.jbxd

Similarity

API ID:
String ID: 2$2XWA$Ag0N$HPjv$JExd$MJ3y$UQDU$Zw1l$_fMd$egWI$fKtg$kCTX$rW6b
API String ID: 0-2346713966
Opcode ID: e53f08a1341546357df5cce1958fc74e65bb5ad013de3c08b91d834acea12b87
Instruction ID: 9592670fe84819f028b2b0761fecf336c5812e6c6a2df081fd6ca900139d6054
Opcode Fuzzy Hash: e53f08a1341546357df5cce1958fc74e65bb5ad013de3c08b91d834acea12b87
Instruction Fuzzy Hash: E031D0B44087009FD315EF26C585A0BBBF1EF89304F518A6EE4889B36AD379C545CF8A

Function 00401B45 Relevance: 13.9, Strings: 11, Instructions: 141COMMON

Download Yara Rule

Strings

B36c, xrefs: 00401CE9
5B6B, xrefs: 00401CD9
CcCb, xrefs: 00401CE1
FAe5, xrefs: 00401D01
7613, xrefs: 00401D09
e34d, xrefs: 00401D11
0C71, xrefs: 00401CF1
90C6, xrefs: 00401CF9
0xa8, xrefs: 00401CC9
DCB3, xrefs: 00401CD1
+, xrefs: 00401CBA

Memory Dump Source

Source File: 00000000.00000002.2624341597.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2624319027.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2624361796.0000000000406000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2624379581.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2624398725.000000000040B000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_17367113452957edfc9b8ae3ec34b8a6a9089df6f896f271bbf1399203c8025fd6cb07.jbxd

Similarity

API ID:
String ID: +$0C71$0xa8$5B6B$7613$90C6$B36c$CcCb$DCB3$FAe5$e34d
API String ID: 0-1843802130
Opcode ID: 5861881d43a6b7686a9996cec2a9e58d92eff9907685b811be04e98acc2bb27e
Instruction ID: 6626d54bb3a18e137c534c150fe7c317d5762ac79732285a8e4b0fb067234925
Opcode Fuzzy Hash: 5861881d43a6b7686a9996cec2a9e58d92eff9907685b811be04e98acc2bb27e
Instruction Fuzzy Hash: BC5143B45093409FD310EF25C481A8BBBE1EF99304F558AAEE4C85B366E278C542CF97

Function 00402455 Relevance: 13.8, Strings: 11, Instructions: 78COMMON

Download Yara Rule

Strings

mf7a, xrefs: 004024A5
htz8, xrefs: 004024B5
bnb1, xrefs: 0040246D
qhdd, xrefs: 00402495
eswl, xrefs: 004024AD
9pg6, xrefs: 0040249D
tjvx, xrefs: 00402475
+, xrefs: 0040245E
8rad, xrefs: 0040247D
fhv9, xrefs: 00402485
gl3k, xrefs: 0040248D

Memory Dump Source

Source File: 00000000.00000002.2624341597.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2624319027.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2624361796.0000000000406000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2624379581.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2624398725.000000000040B000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_17367113452957edfc9b8ae3ec34b8a6a9089df6f896f271bbf1399203c8025fd6cb07.jbxd

Similarity

API ID:
String ID: +$8rad$9pg6$bnb1$eswl$fhv9$gl3k$htz8$mf7a$qhdd$tjvx
API String ID: 0-1700376526
Opcode ID: d14cbbcb452c24c4bfb3fea7745c1925a42053610f93ec82b329d8e2ccdd4c95
Instruction ID: 0c76cefdde8871d846e89d6e9548bcfa17861b41e1fb5615ede721949ef58bc3
Opcode Fuzzy Hash: d14cbbcb452c24c4bfb3fea7745c1925a42053610f93ec82b329d8e2ccdd4c95
Instruction Fuzzy Hash: A83124F45097409FD310EF25C585A4BBBE1EF89304F458AAEE4885B362D378C546CB9B

Function 00401CB1 Relevance: 13.8, Strings: 11, Instructions: 77COMMON

Download Yara Rule

Strings

B36c, xrefs: 00401CE9
5B6B, xrefs: 00401CD9
CcCb, xrefs: 00401CE1
FAe5, xrefs: 00401D01
7613, xrefs: 00401D09
e34d, xrefs: 00401D11
0C71, xrefs: 00401CF1
90C6, xrefs: 00401CF9
0xa8, xrefs: 00401CC9
DCB3, xrefs: 00401CD1
+, xrefs: 00401CBA

Memory Dump Source

Source File: 00000000.00000002.2624341597.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2624319027.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2624361796.0000000000406000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2624379581.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2624398725.000000000040B000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_17367113452957edfc9b8ae3ec34b8a6a9089df6f896f271bbf1399203c8025fd6cb07.jbxd

Similarity

API ID:
String ID: +$0C71$0xa8$5B6B$7613$90C6$B36c$CcCb$DCB3$FAe5$e34d
API String ID: 0-1843802130
Opcode ID: 2ed0ec93befc6a54d0a63acb68e90919fb3d5a22d7e70886c067341b2ce8a42e
Instruction ID: 2769cc0278bc692575d38802f776b0d2d2200b29b60f087bf03db473d67daae8
Opcode Fuzzy Hash: 2ed0ec93befc6a54d0a63acb68e90919fb3d5a22d7e70886c067341b2ce8a42e
Instruction Fuzzy Hash: E83144B45097409FD310EF19C581A8BBBE1AF89304F458AAEE4885B362D7B8C546CB97

Function 00401657 Relevance: 13.8, Strings: 11, Instructions: 74COMMON

Download Yara Rule

Strings

p2q5, xrefs: 0040169E
933q, xrefs: 0040167E
wnqz, xrefs: 00401686
ld94, xrefs: 00401696
+, xrefs: 00401667
mw3c, xrefs: 004016A6
ppyp, xrefs: 004016B6
nndw, xrefs: 004016AE
lh5l, xrefs: 0040168E
wdqv, xrefs: 004016BE
bc1q, xrefs: 00401676

Memory Dump Source

Source File: 00000000.00000002.2624341597.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2624319027.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2624361796.0000000000406000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2624379581.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2624398725.000000000040B000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_17367113452957edfc9b8ae3ec34b8a6a9089df6f896f271bbf1399203c8025fd6cb07.jbxd

Similarity

API ID:
String ID: +$933q$bc1q$ld94$lh5l$mw3c$nndw$p2q5$ppyp$wdqv$wnqz
API String ID: 0-443998844
Opcode ID: b2de2caf00c8f0441bc1cfcff7b843001bff4a19e725bfae4fdc0c580cfab147
Instruction ID: 9d047fd9ef854e0a97a8e8c98361abb32a29202f6f200d741151f4e5a61092c6
Opcode Fuzzy Hash: b2de2caf00c8f0441bc1cfcff7b843001bff4a19e725bfae4fdc0c580cfab147
Instruction Fuzzy Hash: E03137B450D7409FC305EF26C080A4ABFF1AF99304F559AAEE4885B366D278C645CB9B

Function 00401784 Relevance: 13.8, Strings: 11, Instructions: 73COMMON

Download Yara Rule

Strings

+, xrefs: 0040178D
hgsz, xrefs: 004017BC
9kmu, xrefs: 004017CC
qzan, xrefs: 0040179C
yhwx, xrefs: 004017C4
hu4r, xrefs: 004017B4
x3ec, xrefs: 004017E4
9tw3, xrefs: 004017AC
2gna, xrefs: 004017D4
dypa, xrefs: 004017DC
5p8x, xrefs: 004017A4

Memory Dump Source

Source File: 00000000.00000002.2624341597.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2624319027.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2624361796.0000000000406000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2624379581.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2624398725.000000000040B000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_17367113452957edfc9b8ae3ec34b8a6a9089df6f896f271bbf1399203c8025fd6cb07.jbxd

Similarity

API ID:
String ID: +$2gna$5p8x$9kmu$9tw3$dypa$hgsz$hu4r$qzan$x3ec$yhwx
API String ID: 0-791623046
Opcode ID: aa9b35d1b75b50c1b58f85a749248a552775dcfd7e0d1c2744b6f94fa701b9b5
Instruction ID: 9787564b28c5d83be64a41797dc0b1a7628983580777b69c4e1fb7daaa58be6f
Opcode Fuzzy Hash: aa9b35d1b75b50c1b58f85a749248a552775dcfd7e0d1c2744b6f94fa701b9b5
Instruction Fuzzy Hash: 113117B450D7809FC301EF66C48064EBFF1AF99304F558AAEE4885B366D278C945CB57

Function 00401F98 Relevance: 12.7, Strings: 10, Instructions: 199COMMON

Download Yara Rule

Strings

aNu5, xrefs: 004021D8
KMmV, xrefs: 004021E8
2U95, xrefs: 004021E0
t1Q3, xrefs: 004021C0
$, xrefs: 004021B1
AmjS, xrefs: 004021F8
gK8j, xrefs: 004021C8
gyx, xrefs: 00402200
rFry, xrefs: 004021D0
6eD9, xrefs: 004021F0

Memory Dump Source

Source File: 00000000.00000002.2624341597.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2624319027.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2624361796.0000000000406000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2624379581.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2624398725.000000000040B000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_17367113452957edfc9b8ae3ec34b8a6a9089df6f896f271bbf1399203c8025fd6cb07.jbxd

Similarity

API ID:
String ID: $$2U95$6eD9$AmjS$KMmV$aNu5$gK8j$gyx$rFry$t1Q3
API String ID: 0-3422511559
Opcode ID: 76e2dc3e6455dd06556cc4f30715b561805729319add866438fbe9bef88eed2d
Instruction ID: e12243c3d836fe70e22efbbfb3b661b869fa85b00570039a0e2febb2aa8c19f8
Opcode Fuzzy Hash: 76e2dc3e6455dd06556cc4f30715b561805729319add866438fbe9bef88eed2d
Instruction Fuzzy Hash: B49114B45097409FC350EF2AC185A8ABBF1EF99304F458AAEE4885B366D378C541CF97

Function 00401A17 Relevance: 12.6, Strings: 10, Instructions: 105COMMON

Download Yara Rule

Strings

#, xrefs: 00401A45
MscY, xrefs: 00401A84
159N, xrefs: 00401A54
Gx9B, xrefs: 00401A5C
&, xrefs: 00401B1F
6rUo, xrefs: 00401A64
3jXX, xrefs: 00401A6C
WvDY, xrefs: 00401A7C
1pQx, xrefs: 00401A8C
4GGg, xrefs: 00401A74

Memory Dump Source

Source File: 00000000.00000002.2624341597.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2624319027.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2624361796.0000000000406000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2624379581.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2624398725.000000000040B000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_17367113452957edfc9b8ae3ec34b8a6a9089df6f896f271bbf1399203c8025fd6cb07.jbxd

Similarity

API ID:
String ID: #$&$159N$1pQx$3jXX$4GGg$6rUo$Gx9B$MscY$WvDY
API String ID: 0-3791356947
Opcode ID: 1990a2224489b371ada9333c9694b85bfaba8c30ad8e0a3ebbbc0287102f3aba
Instruction ID: 13aff369a796da89cbae5c36a60894b07206ad9bdacae673a2bf02b543ac33ff
Opcode Fuzzy Hash: 1990a2224489b371ada9333c9694b85bfaba8c30ad8e0a3ebbbc0287102f3aba
Instruction Fuzzy Hash: 1B4160B490D7809FD311DF64C08068EBFE1EF96304F598AAEE4845B366D2788986CF56

Function 00401A3C Relevance: 12.6, Strings: 10, Instructions: 68COMMON

Download Yara Rule

Strings

#, xrefs: 00401A45
MscY, xrefs: 00401A84
159N, xrefs: 00401A54
Gx9B, xrefs: 00401A5C
&, xrefs: 00401B1F
6rUo, xrefs: 00401A64
3jXX, xrefs: 00401A6C
WvDY, xrefs: 00401A7C
1pQx, xrefs: 00401A8C
4GGg, xrefs: 00401A74

Memory Dump Source

Source File: 00000000.00000002.2624341597.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2624319027.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2624361796.0000000000406000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2624379581.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2624398725.000000000040B000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_17367113452957edfc9b8ae3ec34b8a6a9089df6f896f271bbf1399203c8025fd6cb07.jbxd

Similarity

API ID:
String ID: #$&$159N$1pQx$3jXX$4GGg$6rUo$Gx9B$MscY$WvDY
API String ID: 0-3791356947
Opcode ID: fe42437445bbac51b2bdf5aae76d656f568078d6d5641f4c3693ced4d05e5321
Instruction ID: 604256f1160542816560c2513f6d752a4afb1a23faa054a4b49c06bf42ee08bb
Opcode Fuzzy Hash: fe42437445bbac51b2bdf5aae76d656f568078d6d5641f4c3693ced4d05e5321
Instruction Fuzzy Hash: 743136B440D7809FD315DF258081A4ABFF1AF9A304F459AAEE4885B362D378C586CF57

Function 0040209E Relevance: 11.3, Strings: 9, Instructions: 74COMMON

Download Yara Rule

Strings

j73s, xrefs: 004020C6
YPv1, xrefs: 004020DE
kWhF, xrefs: 004020D6
#, xrefs: 004020A7
DTWu, xrefs: 004020B6
B5q5, xrefs: 004020EE
tdaG, xrefs: 004020CE
SLFG, xrefs: 004020BE
5Tpe, xrefs: 004020E6

Memory Dump Source

Source File: 00000000.00000002.2624341597.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2624319027.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2624361796.0000000000406000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2624379581.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2624398725.000000000040B000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_17367113452957edfc9b8ae3ec34b8a6a9089df6f896f271bbf1399203c8025fd6cb07.jbxd

Similarity

API ID:
String ID: #$5Tpe$B5q5$DTWu$SLFG$YPv1$j73s$kWhF$tdaG
API String ID: 0-2542516191
Opcode ID: 9e04fbcb1f6bfb3ab6acb7154911c2426a4c0d314fb3185112ff4fbf65f002b9
Instruction ID: 43e2d8bb4e87c6a6007a37dde88a50eeee4659cb5a8a5f345bda43839e414197
Opcode Fuzzy Hash: 9e04fbcb1f6bfb3ab6acb7154911c2426a4c0d314fb3185112ff4fbf65f002b9
Instruction Fuzzy Hash: 48312AB4509700AFD310EF25C58568ABBE1EF99304F458A6DE4885B362D378C541CF97

Function 00402581 Relevance: 11.3, Strings: 9, Instructions: 74COMMON

Download Yara Rule

Strings

auvp, xrefs: 004025A1
juzW, xrefs: 004025A9
#, xrefs: 0040258A
5btj, xrefs: 004025C1
Q83Q, xrefs: 004025D1
55ax, xrefs: 004025B1
qC5m, xrefs: 004025C9
TUaj, xrefs: 00402599
hos6, xrefs: 004025B9

Memory Dump Source

Source File: 00000000.00000002.2624341597.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2624319027.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2624361796.0000000000406000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2624379581.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2624398725.000000000040B000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_17367113452957edfc9b8ae3ec34b8a6a9089df6f896f271bbf1399203c8025fd6cb07.jbxd

Similarity

API ID:
String ID: #$55ax$5btj$Q83Q$TUaj$auvp$hos6$juzW$qC5m
API String ID: 0-2214622807
Opcode ID: 7fc41ed3baeeb8278fbf3976de94bb276a600013be0679bb8779226f4c39bdd2
Instruction ID: 2250873882d05d55c524eb286f5da0266c5e01cef18a0ccfee1af0b874e86d87
Opcode Fuzzy Hash: 7fc41ed3baeeb8278fbf3976de94bb276a600013be0679bb8779226f4c39bdd2
Instruction Fuzzy Hash: 7A3126B45197009FD300EF29C58568ABFE1EF89304F418AADE4885B366D7B8C5428B9B

Function 00401DDD Relevance: 11.3, Strings: 9, Instructions: 73COMMON

Download Yara Rule

Strings

vVk9, xrefs: 00401E0D
iUaU, xrefs: 00401DFD
jbrV, xrefs: 00401E1D
LWGd, xrefs: 00401DF5
#, xrefs: 00401DE6
AXw3, xrefs: 00401E15
KnnB, xrefs: 00401E25
QFL5, xrefs: 00401E05
HqxE, xrefs: 00401E2D

Memory Dump Source

Source File: 00000000.00000002.2624341597.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2624319027.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2624361796.0000000000406000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2624379581.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2624398725.000000000040B000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_17367113452957edfc9b8ae3ec34b8a6a9089df6f896f271bbf1399203c8025fd6cb07.jbxd

Similarity

API ID:
String ID: #$AXw3$HqxE$KnnB$LWGd$QFL5$iUaU$jbrV$vVk9
API String ID: 0-995546221
Opcode ID: 98c710c72189a744ff8cdd91eda24bac1b26c866eb2de665e7976fd6c847888c
Instruction ID: 2241d20c756fd53f3e03a0cd37dee07b923047e9ddac2473d74902a10ea1cdd0
Opcode Fuzzy Hash: 98c710c72189a744ff8cdd91eda24bac1b26c866eb2de665e7976fd6c847888c
Instruction Fuzzy Hash: 663125B05097009FD300EF29C585A8EBBF1EF99304F418A6DE4889B362E378C5428F87

Function 004022A0 Relevance: 11.3, Strings: 9, Instructions: 68COMMON

Download Yara Rule

Strings

CD2k, xrefs: 004022D0
LdSo, xrefs: 004022C8
Wjct, xrefs: 004022E8
Va9d, xrefs: 004022F0
#, xrefs: 004022A9
ENWp, xrefs: 004022C0
bavq, xrefs: 004022E0
SNzB, xrefs: 004022D8
rHUQ, xrefs: 004022B8

Memory Dump Source

Source File: 00000000.00000002.2624341597.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2624319027.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2624361796.0000000000406000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2624379581.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2624398725.000000000040B000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_17367113452957edfc9b8ae3ec34b8a6a9089df6f896f271bbf1399203c8025fd6cb07.jbxd

Similarity

API ID:
String ID: #$CD2k$ENWp$LdSo$SNzB$Va9d$Wjct$bavq$rHUQ
API String ID: 0-2449800134
Opcode ID: 044b2245cd6735dce099764175fb06d1e65b4140b0000a54e7d42b0d491fc042
Instruction ID: 783df6cadfdc9959c44120f0faae25060cdea660e3f4788734335dc8a15dfa43
Opcode Fuzzy Hash: 044b2245cd6735dce099764175fb06d1e65b4140b0000a54e7d42b0d491fc042
Instruction Fuzzy Hash: 533158B440D7809FD316DF25C08064ABFF1AF9A304F059AAEE4885B362D378C685CB97

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 17367113452957edfc9b8ae3ec34b8a6a9089df6f896f271bbf1399203c8025fd6cb0731fa872.dat-decoded.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Network Behavior

DNS Answers

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: 17367113452957edfc9b8ae3ec34b8a6a9089df6f896f271bbf1399203c8025fd6cb0731fa872.dat-decoded.exePID: 7396, Parent PID: 4056

General

Chronological Activities

Disassembly

Analysis Process: 17367113452957edfc9b8ae3ec34b8a6a9089df6f896f271bbf1399203c8025fd6cb0731fa872.dat-decoded.exePID: 7396, Parent PID: 4056COMMON

Non-executed Functions

Function 0040136D Relevance: 18.9, Strings: 15, Instructions: 171COMMON

Function 004018AA Relevance: 16.4, Strings: 13, Instructions: 169COMMON

Function 0040268D Relevance: 16.3, Strings: 13, Instructions: 72COMMON

Function 00401B45 Relevance: 13.9, Strings: 11, Instructions: 141COMMON

Function 00402455 Relevance: 13.8, Strings: 11, Instructions: 78COMMON

Function 00401CB1 Relevance: 13.8, Strings: 11, Instructions: 77COMMON

Function 00401657 Relevance: 13.8, Strings: 11, Instructions: 74COMMON

Function 00401784 Relevance: 13.8, Strings: 11, Instructions: 73COMMON

Function 00401F98 Relevance: 12.7, Strings: 10, Instructions: 199COMMON

Function 00401A17 Relevance: 12.6, Strings: 10, Instructions: 105COMMON

Function 00401A3C Relevance: 12.6, Strings: 10, Instructions: 68COMMON

Function 0040209E Relevance: 11.3, Strings: 9, Instructions: 74COMMON

Function 00402581 Relevance: 11.3, Strings: 9, Instructions: 74COMMON

Function 00401DDD Relevance: 11.3, Strings: 9, Instructions: 73COMMON

Function 004022A0 Relevance: 11.3, Strings: 9, Instructions: 68COMMON

Windows Analysis Report
17367113452957edfc9b8ae3ec34b8a6a9089df6f896f271bbf1399203c8025fd6cb0731fa872.dat-decoded.exe