Edit tour

Windows Analysis Report
book_lumm2.dat.exe

Overview

General Information

Sample name:	book_lumm2.dat.exe
Analysis ID:	1590142
MD5:	3aa6c0c3e8a405028606f3bc293f0b74
SHA1:	e8a6db0181e3c6839a306a4d7e01b69f98931061
SHA256:	4674e4792d2b85b545d1f94442f8465e08412e220cd3eff119458f609c030a96
Tags:	ClickFixexeFakeCaptchauser-abuse_ch
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected XWorm

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found potential dummy code loops (likely to delay analysis)

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Program does not show much activity (idle)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Yara signature match

Classification

Process Tree

System is w10x64

book_lumm2.dat.exe (PID: 4816 cmdline: "C:\Users\user\Desktop\book_lumm2.dat.exe" MD5: 3AA6C0C3E8A405028606F3BC293F0B74)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["92.255.57.112"], "Port": 4418, "Aes key": "P0WER", "SPL": "<Xwormmm>", "Install file": "USB.exe"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
book_lumm2.dat.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
book_lumm2.dat.exe	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x9d2f:$str01: $VB$Local_Port 0x9d53:$str02: $VB$Local_Host 0x8515:$str03: get_Jpeg 0x8b3b:$str04: get_ServicePack 0xae6c:$str05: Select * from AntivirusProduct 0xbe0d:$str06: PCRestart 0xbe21:$str07: shutdown.exe /f /r /t 0 0xbed3:$str08: StopReport 0xbea9:$str09: StopDDos 0xbf9f:$str10: sendPlugin 0xc01f:$str11: OfflineKeylogger Not Enabled 0xc177:$str12: -ExecutionPolicy Bypass -File " 0xcc81:$str13: Content-length: 5235
book_lumm2.dat.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xcf41:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xcfde:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xd0f3:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xcb9c:$cnc4: POST / HTTP/1.1

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.1261619962.0000000000012000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000000.1261619962.0000000000012000.00000002.00000001.01000000.00000003.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xcd41:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xcdde:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xcef3:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xc99c:$cnc4: POST / HTTP/1.1
00000000.00000002.3730762071.00000000022D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: book_lumm2.dat.exe PID: 4816	JoeSecurity_XWorm	Yara detected XWorm	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.book_lumm2.dat.exe.10000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.0.book_lumm2.dat.exe.10000.0.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x9d2f:$str01: $VB$Local_Port 0x9d53:$str02: $VB$Local_Host 0x8515:$str03: get_Jpeg 0x8b3b:$str04: get_ServicePack 0xae6c:$str05: Select * from AntivirusProduct 0xbe0d:$str06: PCRestart 0xbe21:$str07: shutdown.exe /f /r /t 0 0xbed3:$str08: StopReport 0xbea9:$str09: StopDDos 0xbf9f:$str10: sendPlugin 0xc01f:$str11: OfflineKeylogger Not Enabled 0xc177:$str12: -ExecutionPolicy Bypass -File " 0xcc81:$str13: Content-length: 5235
0.0.book_lumm2.dat.exe.10000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xcf41:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xcfde:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xd0f3:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xcb9c:$cnc4: POST / HTTP/1.1

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-13T16:30:22.100906+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:30:33.191053+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:30:34.132867+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:30:46.427607+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:30:58.736159+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:31:03.185722+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:31:11.023477+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:31:23.319475+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:31:33.194864+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:31:34.744711+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:31:34.960456+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:31:44.019864+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:31:44.143601+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:31:51.917834+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:32:00.800940+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:32:00.928798+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:32:01.398005+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:32:03.194575+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:32:13.980526+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:32:15.820631+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:32:16.289090+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:32:22.882966+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:32:23.023687+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:32:33.197198+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:32:35.319544+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:32:36.289863+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:32:44.351061+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:32:49.995461+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:33:02.495496+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:33:03.245012+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:33:05.353210+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:33:16.495624+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:33:19.166089+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:33:27.665975+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:33:30.742201+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:33:33.249637+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:33:34.429766+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:33:45.569695+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:33:47.368149+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:33:50.211452+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:33:57.949632+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:34:01.268868+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:34:02.298495+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:34:02.431491+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:34:02.554490+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:34:03.312643+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:34:05.992537+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:34:12.913953+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:34:25.235168+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:34:33.283870+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:34:37.507734+0100	2852870	1	Malware Command and Control Activity Detected	92.255.57.112	4418	192.168.2.7	49699	TCP

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-13T16:30:22.198327+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49699	92.255.57.112	4418	TCP
2025-01-13T16:30:34.211561+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49699	92.255.57.112	4418	TCP
2025-01-13T16:30:34.508789+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49699	92.255.57.112	4418	TCP
2025-01-13T16:30:46.432225+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49699	92.255.57.112	4418	TCP
2025-01-13T16:30:58.737492+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49699	92.255.57.112	4418	TCP
2025-01-13T16:31:11.026244+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49699	92.255.57.112	4418	TCP
2025-01-13T16:31:23.323410+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49699	92.255.57.112	4418	TCP
2025-01-13T16:31:34.749922+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49699	92.255.57.112	4418	TCP
2025-01-13T16:31:34.963327+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49699	92.255.57.112	4418	TCP
2025-01-13T16:31:44.021595+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49699	92.255.57.112	4418	TCP
2025-01-13T16:31:44.145286+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49699	92.255.57.112	4418	TCP
2025-01-13T16:31:51.919695+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49699	92.255.57.112	4418	TCP
2025-01-13T16:32:00.803308+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49699	92.255.57.112	4418	TCP
2025-01-13T16:32:00.930546+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49699	92.255.57.112	4418	TCP
2025-01-13T16:32:01.399703+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49699	92.255.57.112	4418	TCP
2025-01-13T16:32:13.987756+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49699	92.255.57.112	4418	TCP
2025-01-13T16:32:15.827423+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49699	92.255.57.112	4418	TCP
2025-01-13T16:32:16.294393+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49699	92.255.57.112	4418	TCP
2025-01-13T16:32:22.884773+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49699	92.255.57.112	4418	TCP
2025-01-13T16:32:23.025555+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49699	92.255.57.112	4418	TCP
2025-01-13T16:32:35.321093+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49699	92.255.57.112	4418	TCP
2025-01-13T16:32:36.292861+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49699	92.255.57.112	4418	TCP
2025-01-13T16:32:44.352392+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49699	92.255.57.112	4418	TCP
2025-01-13T16:32:49.997232+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49699	92.255.57.112	4418	TCP
2025-01-13T16:33:02.499343+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49699	92.255.57.112	4418	TCP
2025-01-13T16:33:05.360824+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49699	92.255.57.112	4418	TCP
2025-01-13T16:33:16.496924+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49699	92.255.57.112	4418	TCP
2025-01-13T16:33:19.171222+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49699	92.255.57.112	4418	TCP
2025-01-13T16:33:27.667925+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49699	92.255.57.112	4418	TCP
2025-01-13T16:33:30.743483+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49699	92.255.57.112	4418	TCP
2025-01-13T16:33:34.431253+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49699	92.255.57.112	4418	TCP
2025-01-13T16:33:45.578586+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49699	92.255.57.112	4418	TCP
2025-01-13T16:33:47.371961+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49699	92.255.57.112	4418	TCP
2025-01-13T16:33:50.212952+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49699	92.255.57.112	4418	TCP
2025-01-13T16:33:57.950991+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49699	92.255.57.112	4418	TCP
2025-01-13T16:34:01.270814+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49699	92.255.57.112	4418	TCP
2025-01-13T16:34:02.300406+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49699	92.255.57.112	4418	TCP
2025-01-13T16:34:02.435338+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49699	92.255.57.112	4418	TCP
2025-01-13T16:34:02.555605+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49699	92.255.57.112	4418	TCP
2025-01-13T16:34:05.994018+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49699	92.255.57.112	4418	TCP
2025-01-13T16:34:12.914628+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49699	92.255.57.112	4418	TCP
2025-01-13T16:34:25.240261+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49699	92.255.57.112	4418	TCP
2025-01-13T16:34:37.508452+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49699	92.255.57.112	4418	TCP

ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-13T16:30:33.191053+0100	2858801	1	Malware Command and Control Activity Detected	92.255.57.112	4418	192.168.2.7	49699	TCP

ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-13T16:32:13.259483+0100	2858799	1	Malware Command and Control Activity Detected	192.168.2.7	49699	92.255.57.112	4418	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: book_lumm2.dat.exe

Avira: detected

Found malware configuration

Source: book_lumm2.dat.exe

Malware Configuration Extractor: Xworm {"C2 url": ["92.255.57.112"], "Port": 4418, "Aes key": "P0WER", "SPL": "<Xwormmm>", "Install file": "USB.exe"}

Multi AV Scanner detection for submitted file

Source: book_lumm2.dat.exe	Virustotal: Detection: 61%			Perma Link
Source: book_lumm2.dat.exe	ReversingLabs: Detection: 73%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: book_lumm2.dat.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: book_lumm2.dat.exe	String decryptor: 92.255.57.112
Source: book_lumm2.dat.exe	String decryptor: 4418
Source: book_lumm2.dat.exe	String decryptor: P0WER
Source: book_lumm2.dat.exe	String decryptor: <Xwormmm>
Source: book_lumm2.dat.exe	String decryptor: XWorm
Source: book_lumm2.dat.exe	String decryptor: USB.exe

Source: book_lumm2.dat.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: book_lumm2.dat.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2858800 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.7:49699 -> 92.255.57.112:4418
Source: Network traffic	Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 92.255.57.112:4418 -> 192.168.2.7:49699
Source: Network traffic	Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.7:49699 -> 92.255.57.112:4418
Source: Network traffic	Suricata IDS: 2858801 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound : 92.255.57.112:4418 -> 192.168.2.7:49699
Source: Network traffic	Suricata IDS: 2858799 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.7:49699 -> 92.255.57.112:4418

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 92.255.57.112

Source: global traffic

TCP traffic: 192.168.2.7:49699 -> 92.255.57.112:4418

Source: Joe Sandbox View

ASN Name: TELSPRU TELSPRU

Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112

Source: book_lumm2.dat.exe, 00000000.00000002.3730762071.00000000022D1000.00000004.00000800.00020000.00000000.sdmp

String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

System Summary

Malicious sample detected (through community Yara rule)

Source: book_lumm2.dat.exe, type: SAMPLE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: book_lumm2.dat.exe, type: SAMPLE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.book_lumm2.dat.exe.10000.0.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 0.0.book_lumm2.dat.exe.10000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.1261619962.0000000000012000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: C:\Users\user\Desktop\book_lumm2.dat.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\book_lumm2.dat.exe	Code function: 0_2_00007FFAAC506306	0_2_00007FFAAC506306
Source: C:\Users\user\Desktop\book_lumm2.dat.exe	Code function: 0_2_00007FFAAC501215	0_2_00007FFAAC501215
Source: C:\Users\user\Desktop\book_lumm2.dat.exe	Code function: 0_2_00007FFAAC50A219	0_2_00007FFAAC50A219
Source: C:\Users\user\Desktop\book_lumm2.dat.exe	Code function: 0_2_00007FFAAC5070B2	0_2_00007FFAAC5070B2
Source: C:\Users\user\Desktop\book_lumm2.dat.exe	Code function: 0_2_00007FFAAC50A219	0_2_00007FFAAC50A219

Source: book_lumm2.dat.exe, 00000000.00000000.1261619962.0000000000012000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameXClient.exe4 vs book_lumm2.dat.exe
Source: book_lumm2.dat.exe	Binary or memory string: OriginalFilenameXClient.exe4 vs book_lumm2.dat.exe

Source: book_lumm2.dat.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: book_lumm2.dat.exe, type: SAMPLE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: book_lumm2.dat.exe, type: SAMPLE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.book_lumm2.dat.exe.10000.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.0.book_lumm2.dat.exe.10000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.1261619962.0000000000012000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@0/1

Source: C:\Users\user\Desktop\book_lumm2.dat.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\book_lumm2.dat.exe	Mutant created: \Sessions\1\BaseNamedObjects\eBzUWjdTcEaHqPrC

Source: book_lumm2.dat.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: book_lumm2.dat.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\book_lumm2.dat.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: book_lumm2.dat.exe	Virustotal: Detection: 61%
Source: book_lumm2.dat.exe	ReversingLabs: Detection: 73%

Source: C:\Users\user\Desktop\book_lumm2.dat.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\book_lumm2.dat.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\book_lumm2.dat.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\book_lumm2.dat.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\book_lumm2.dat.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\book_lumm2.dat.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\book_lumm2.dat.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\book_lumm2.dat.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\book_lumm2.dat.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\book_lumm2.dat.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\book_lumm2.dat.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\book_lumm2.dat.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\book_lumm2.dat.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\book_lumm2.dat.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\book_lumm2.dat.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\book_lumm2.dat.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\book_lumm2.dat.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\book_lumm2.dat.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\book_lumm2.dat.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\book_lumm2.dat.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\book_lumm2.dat.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\book_lumm2.dat.exe	Section loaded: winmm.dll	Jump to behavior

Source: C:\Users\user\Desktop\book_lumm2.dat.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: book_lumm2.dat.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: book_lumm2.dat.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\book_lumm2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\book_lumm2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\book_lumm2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\book_lumm2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\book_lumm2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\book_lumm2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\book_lumm2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\book_lumm2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\book_lumm2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\book_lumm2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\book_lumm2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\book_lumm2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\book_lumm2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\book_lumm2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\book_lumm2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\book_lumm2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\book_lumm2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\book_lumm2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\book_lumm2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\book_lumm2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\book_lumm2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\book_lumm2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\book_lumm2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\book_lumm2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\book_lumm2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\book_lumm2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\book_lumm2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\book_lumm2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\book_lumm2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\book_lumm2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\book_lumm2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\book_lumm2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\book_lumm2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\book_lumm2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\book_lumm2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\book_lumm2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\book_lumm2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\book_lumm2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\book_lumm2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\book_lumm2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\book_lumm2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\book_lumm2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\book_lumm2.dat.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\book_lumm2.dat.exe	Memory allocated: 2110000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\book_lumm2.dat.exe	Memory allocated: 1A2D0000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\book_lumm2.dat.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\book_lumm2.dat.exe	Window / User API: threadDelayed 9419			Jump to behavior
Source: C:\Users\user\Desktop\book_lumm2.dat.exe	Window / User API: threadDelayed 445			Jump to behavior

Source: C:\Users\user\Desktop\book_lumm2.dat.exe TID: 7372	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\book_lumm2.dat.exe TID: 7380	Thread sleep count: 9419 > 30	Jump to behavior
Source: C:\Users\user\Desktop\book_lumm2.dat.exe TID: 7380	Thread sleep count: 445 > 30	Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\book_lumm2.dat.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\Desktop\book_lumm2.dat.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: C:\Users\user\Desktop\book_lumm2.dat.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: book_lumm2.dat.exe, 00000000.00000002.3729587620.00000000006AD000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllrkflI

Anti Debugging

Found potential dummy code loops (likely to delay analysis)

Source: C:\Users\user\Desktop\book_lumm2.dat.exe

Process Stats: CPU usage > 42% for more than 60s

Source: C:\Users\user\Desktop\book_lumm2.dat.exe

Process token adjusted: Debug

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\book_lumm2.dat.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\book_lumm2.dat.exe

Queries volume information: C:\Users\user\Desktop\book_lumm2.dat.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\book_lumm2.dat.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\book_lumm2.dat.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: book_lumm2.dat.exe, type: SAMPLE
Source: Yara match	File source: 0.0.book_lumm2.dat.exe.10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1261619962.0000000000012000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3730762071.00000000022D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: book_lumm2.dat.exe PID: 4816, type: MEMORYSTR

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: book_lumm2.dat.exe, type: SAMPLE
Source: Yara match	File source: 0.0.book_lumm2.dat.exe.10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1261619962.0000000000012000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3730762071.00000000022D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: book_lumm2.dat.exe PID: 4816, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	OS Credential Dumping	211 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	232 Virtualization/Sandbox Evasion	LSASS Memory	232 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	13 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
book_lumm2.dat.exe	61%	Virustotal		Browse
book_lumm2.dat.exe	74%	ReversingLabs	ByteCode-MSIL.Spyware.AsyncRAT
book_lumm2.dat.exe	100%	Avira	HEUR/AGEN.1305769
book_lumm2.dat.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
92.255.57.112	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
92.255.57.112	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	book_lumm2.dat.exe, 00000000.00000002.3730762071.00000000022D1000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
92.255.57.112	unknown	Russian Federation		42253	TELSPRU	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1590142
Start date and time:	2025-01-13 16:29:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 43s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	book_lumm2.dat.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/0@0/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 86% Number of executed functions: 49 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 20.109.210.53
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target book_lumm2.dat.exe, PID 4816 because it is empty
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
10:30:08	API Interceptor	14160278x Sleep call for process: book_lumm2.dat.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELSPRU	http://92.255.57.155/1/1.png	Get hash	malicious	Unknown	Browse	92.255.57.155
	92.255.57.155.ps1	Get hash	malicious	XWorm	Browse	92.255.57.155
	png2obj1_XClient.exe	Get hash	malicious	XWorm	Browse	92.255.57.155
	Dm35sdidf3.exe	Get hash	malicious	XWorm	Browse	92.255.57.155
	QP2uO3eN2p.ps1	Get hash	malicious	XWorm	Browse	92.255.57.155
	WErY5oc4hl.ps1	Get hash	malicious	XWorm	Browse	92.255.57.155
	NLXwvLjXPh.ps1	Get hash	malicious	XWorm	Browse	92.255.57.155
	mhqxUdpe7V.ps1	Get hash	malicious	XWorm	Browse	92.255.57.155
	MiGFg375KJ.exe	Get hash	malicious	XWorm	Browse	92.255.57.155

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.923417039945195
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	book_lumm2.dat.exe
File size:	59'904 bytes
MD5:	3aa6c0c3e8a405028606f3bc293f0b74
SHA1:	e8a6db0181e3c6839a306a4d7e01b69f98931061
SHA256:	4674e4792d2b85b545d1f94442f8465e08412e220cd3eff119458f609c030a96
SHA512:	5aae425e56814a35ae55dd9bb35c2e2950aabb8abc42ceb330571deb01c5467c207f5ff2a4c2f10178e20acc61f4f11c415ae122cf999967bc840bc9a50ce048
SSDEEP:	1536:9y6f9D8gRkXeqSpMikbetK3Cfub+4KxOas5jX:9yeKJ+MikbEwDlKxOaQz
TLSH:	51436B183BF64126F1FF5FB509F13156D67AF2276412D6AF24C4029B0723A89CE816FA
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....x.g................................. ........@.. .......................@............@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x40ff2e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x678278FB [Sat Jan 11 13:58:19 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xfed4	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x10000	0x4ce	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x12000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xdf34	0xe000	250de06110f577b575d19b6dacddc8ae	False	0.6152866908482143	data	6.0147607868244055	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x10000	0x4ce	0x600	b6854ead75e0aea5a0ec3175723e462f	False	0.3736979166666667	data	3.7184457289766475	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x12000	0xc	0x200	4d3b23f5a21ea76fe7492fc0df5cac5f	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x100a0	0x244	data			0.4724137931034483
RT_MANIFEST	0x102e4	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-13T16:30:21.624712+0100	2858800	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	192.168.2.7	49699	92.255.57.112	4418	TCP
2025-01-13T16:30:22.100906+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:30:22.198327+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49699	92.255.57.112	4418	TCP
2025-01-13T16:30:33.191053+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:30:33.191053+0100	2858801	ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound	1	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:30:34.132867+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:30:34.211561+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49699	92.255.57.112	4418	TCP
2025-01-13T16:30:34.508789+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49699	92.255.57.112	4418	TCP
2025-01-13T16:30:46.427607+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:30:46.432225+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49699	92.255.57.112	4418	TCP
2025-01-13T16:30:58.736159+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:30:58.737492+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49699	92.255.57.112	4418	TCP
2025-01-13T16:31:03.185722+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:31:11.023477+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:31:11.026244+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49699	92.255.57.112	4418	TCP
2025-01-13T16:31:23.319475+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:31:23.323410+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49699	92.255.57.112	4418	TCP
2025-01-13T16:31:33.194864+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:31:34.744711+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:31:34.749922+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49699	92.255.57.112	4418	TCP
2025-01-13T16:31:34.960456+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:31:34.963327+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49699	92.255.57.112	4418	TCP
2025-01-13T16:31:44.019864+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:31:44.021595+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49699	92.255.57.112	4418	TCP
2025-01-13T16:31:44.143601+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:31:44.145286+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49699	92.255.57.112	4418	TCP
2025-01-13T16:31:51.917834+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:31:51.919695+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49699	92.255.57.112	4418	TCP
2025-01-13T16:32:00.800940+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:32:00.803308+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49699	92.255.57.112	4418	TCP
2025-01-13T16:32:00.928798+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:32:00.930546+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49699	92.255.57.112	4418	TCP
2025-01-13T16:32:01.398005+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:32:01.399703+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49699	92.255.57.112	4418	TCP
2025-01-13T16:32:03.194575+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:32:13.259483+0100	2858799	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	192.168.2.7	49699	92.255.57.112	4418	TCP
2025-01-13T16:32:13.980526+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:32:13.987756+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49699	92.255.57.112	4418	TCP
2025-01-13T16:32:15.820631+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:32:15.827423+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49699	92.255.57.112	4418	TCP
2025-01-13T16:32:16.289090+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:32:16.294393+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49699	92.255.57.112	4418	TCP
2025-01-13T16:32:22.882966+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:32:22.884773+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49699	92.255.57.112	4418	TCP
2025-01-13T16:32:23.023687+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:32:23.025555+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49699	92.255.57.112	4418	TCP
2025-01-13T16:32:33.197198+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:32:35.319544+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:32:35.321093+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49699	92.255.57.112	4418	TCP
2025-01-13T16:32:36.289863+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:32:36.292861+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49699	92.255.57.112	4418	TCP
2025-01-13T16:32:44.351061+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:32:44.352392+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49699	92.255.57.112	4418	TCP
2025-01-13T16:32:49.995461+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:32:49.997232+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49699	92.255.57.112	4418	TCP
2025-01-13T16:33:02.495496+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:33:02.499343+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49699	92.255.57.112	4418	TCP
2025-01-13T16:33:03.245012+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:33:05.353210+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:33:05.360824+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49699	92.255.57.112	4418	TCP
2025-01-13T16:33:16.495624+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:33:16.496924+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49699	92.255.57.112	4418	TCP
2025-01-13T16:33:19.166089+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:33:19.171222+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49699	92.255.57.112	4418	TCP
2025-01-13T16:33:27.665975+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:33:27.667925+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49699	92.255.57.112	4418	TCP
2025-01-13T16:33:30.742201+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:33:30.743483+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49699	92.255.57.112	4418	TCP
2025-01-13T16:33:33.249637+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:33:34.429766+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:33:34.431253+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49699	92.255.57.112	4418	TCP
2025-01-13T16:33:45.569695+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:33:45.578586+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49699	92.255.57.112	4418	TCP
2025-01-13T16:33:47.368149+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:33:47.371961+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49699	92.255.57.112	4418	TCP
2025-01-13T16:33:50.211452+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:33:50.212952+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49699	92.255.57.112	4418	TCP
2025-01-13T16:33:57.949632+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:33:57.950991+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49699	92.255.57.112	4418	TCP
2025-01-13T16:34:01.268868+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:34:01.270814+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49699	92.255.57.112	4418	TCP
2025-01-13T16:34:02.298495+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:34:02.300406+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49699	92.255.57.112	4418	TCP
2025-01-13T16:34:02.431491+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:34:02.435338+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49699	92.255.57.112	4418	TCP
2025-01-13T16:34:02.554490+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:34:02.555605+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49699	92.255.57.112	4418	TCP
2025-01-13T16:34:03.312643+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:34:05.992537+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:34:05.994018+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49699	92.255.57.112	4418	TCP
2025-01-13T16:34:12.913953+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:34:12.914628+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49699	92.255.57.112	4418	TCP
2025-01-13T16:34:25.235168+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:34:25.240261+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49699	92.255.57.112	4418	TCP
2025-01-13T16:34:33.283870+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:34:37.507734+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	92.255.57.112	4418	192.168.2.7	49699	TCP
2025-01-13T16:34:37.508452+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49699	92.255.57.112	4418	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2025 16:30:09.108458996 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:30:09.113389969 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:30:09.113651037 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:30:09.326963902 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:30:09.331809998 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:30:21.624711990 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:30:21.629532099 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:30:22.100905895 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:30:22.149328947 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:30:22.198327065 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:30:22.203202009 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:30:33.191052914 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:30:33.243158102 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:30:33.916732073 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:30:33.921762943 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:30:34.132867098 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:30:34.180658102 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:30:34.211560965 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:30:34.508789062 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:30:34.569317102 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:30:34.569376945 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:30:46.212265968 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:30:46.217099905 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:30:46.427607059 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:30:46.432224989 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:30:46.437041044 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:30:58.509300947 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:30:58.514435053 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:30:58.736159086 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:30:58.737492085 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:30:58.742317915 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:31:03.185722113 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:31:03.228075027 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:31:10.806171894 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:31:10.811631918 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:31:11.023477077 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:31:11.026243925 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:31:11.031227112 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:31:23.103240013 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:31:23.108192921 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:31:23.319474936 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:31:23.323410034 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:31:23.328284025 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:31:33.194864035 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:31:33.243446112 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:31:34.524993896 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:31:34.530035973 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:31:34.744710922 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:31:34.744790077 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:31:34.749675989 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:31:34.749922037 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:31:34.754812956 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:31:34.960455894 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:31:34.963326931 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:31:34.968236923 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:31:43.775300026 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:31:43.780364990 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:31:43.822339058 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:31:43.827841997 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:31:44.019864082 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:31:44.021595001 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:31:44.026439905 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:31:44.143600941 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:31:44.145286083 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:31:44.150660992 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:31:51.699395895 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:31:51.704510927 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:31:51.917834044 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:31:51.919694901 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:31:51.924855947 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:32:00.571949959 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:32:00.577790022 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:32:00.618951082 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:32:00.624917030 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:32:00.800940037 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:32:00.803308010 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:32:00.808212042 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:32:00.928797960 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:32:00.930546045 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:32:00.935439110 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:32:00.962511063 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:32:00.967333078 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:32:01.398005009 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:32:01.399703026 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:32:01.404660940 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:32:03.194575071 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:32:03.244921923 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:32:13.259483099 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:32:13.264342070 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:32:13.980525970 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:32:13.987756014 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:32:13.992527008 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:32:15.572484016 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:32:15.577265978 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:32:15.820631027 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:32:15.827423096 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:32:15.832190037 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:32:16.073189974 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:32:16.078351021 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:32:16.289089918 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:32:16.294393063 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:32:16.299808025 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:32:22.666029930 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:32:22.672108889 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:32:22.806500912 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:32:22.813148975 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:32:22.882966042 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:32:22.884773016 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:32:22.889631033 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:32:23.023686886 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:32:23.025554895 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:32:23.030358076 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:32:33.197197914 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:32:33.353166103 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:32:35.103519917 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:32:35.108453989 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:32:35.319544077 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:32:35.321093082 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:32:35.326531887 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:32:36.073967934 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:32:36.079154968 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:32:36.289863110 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:32:36.292860985 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:32:36.298021078 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:32:43.634598017 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:32:43.639830112 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:32:44.351061106 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:32:44.352391958 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:32:44.357213020 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:32:49.762116909 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:32:49.767267942 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:32:49.995460987 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:32:49.997231960 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:32:50.002635002 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:33:02.060264111 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:33:02.065665007 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:33:02.495496035 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:33:02.499342918 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:33:02.504146099 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:33:03.245012045 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:33:03.290764093 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:33:05.072303057 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:33:05.077343941 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:33:05.353209972 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:33:05.360824108 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:33:05.365600109 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:33:16.259787083 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:33:16.267483950 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:33:16.495624065 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:33:16.496923923 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:33:16.502114058 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:33:18.947438002 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:33:18.952806950 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:33:19.166089058 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:33:19.171221972 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:33:19.176517963 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:33:27.431761980 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:33:27.437047958 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:33:27.665975094 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:33:27.667924881 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:33:27.672821045 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:33:30.525541067 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:33:30.531533003 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:33:30.742201090 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:33:30.743483067 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:33:30.749588966 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:33:33.249636889 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:33:33.291239023 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:33:34.213047981 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:33:34.218137026 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:33:34.429765940 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:33:34.431252956 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:33:34.436292887 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:33:45.353904009 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:33:45.358805895 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:33:45.569694996 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:33:45.578586102 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:33:45.583962917 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:33:47.152214050 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:33:47.157150984 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:33:47.368149042 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:33:47.371961117 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:33:47.376863956 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:33:49.994437933 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:33:49.999634981 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:33:50.211452007 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:33:50.212951899 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:33:50.219480991 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:33:57.729474068 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:33:57.735603094 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:33:57.949631929 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:33:57.950990915 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:33:57.955935001 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:34:01.041250944 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:34:01.046314955 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:34:01.268867970 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:34:01.270813942 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:34:01.278603077 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:34:02.072649956 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:34:02.077930927 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:34:02.088217020 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:34:02.093055964 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:34:02.135010958 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:34:02.139892101 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:34:02.298495054 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:34:02.300405979 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:34:02.305495977 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:34:02.431490898 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:34:02.435338020 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:34:02.440265894 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:34:02.554490089 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:34:02.555604935 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:34:02.560702085 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:34:03.312643051 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:34:03.353569984 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:34:05.775680065 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:34:05.780587912 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:34:05.992537022 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:34:05.994018078 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:34:05.998887062 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:34:12.697635889 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:34:12.702955961 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:34:12.913953066 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:34:12.914628029 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:34:12.919552088 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:34:25.001843929 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:34:25.007008076 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:34:25.235167980 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:34:25.240261078 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:34:25.245276928 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:34:33.283869982 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:34:33.339348078 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:34:37.291460037 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:34:37.296787977 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:34:37.507734060 CET	4418	49699	92.255.57.112	192.168.2.7
Jan 13, 2025 16:34:37.508451939 CET	49699	4418	192.168.2.7	92.255.57.112
Jan 13, 2025 16:34:37.513360977 CET	4418	49699	92.255.57.112	192.168.2.7

Target ID:	0
Start time:	10:30:04
Start date:	13/01/2025
Path:	C:\Users\user\Desktop\book_lumm2.dat.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\book_lumm2.dat.exe"
Imagebase:	0x10000
File size:	59'904 bytes
MD5 hash:	3AA6C0C3E8A405028606F3BC293F0B74
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.1261619962.0000000000012000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.1261619962.0000000000012000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.3730762071.00000000022D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Function 00007FFAAC501215 Relevance: 2.9, Strings: 2, Instructions: 357COMMON

Download Yara Rule

Strings

`+, xrefs: 00007FFAAC5013D1
8e, xrefs: 00007FFAAC50150D

Memory Dump Source

Source File: 00000000.00000002.3733092430.00007FFAAC500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac500000_book_lumm2.jbxd

Similarity

API ID:
String ID: 8e$`+
API String ID: 0-2433936501
Opcode ID: 526b264e4f952e9314e957e147e7afc148790cb5abd31837e42f876eec4e836e
Instruction ID: e8536fff112a4b74a69e566bb062931d51d498057294e76b2cc4d99b7ddcddea
Opcode Fuzzy Hash: 526b264e4f952e9314e957e147e7afc148790cb5abd31837e42f876eec4e836e
Instruction Fuzzy Hash: FCA15F53E4E7939FF35167BCA8161FA6F94DF42324708817BE18ECA593D804A84983D2

Function 00007FFAAC50A219 Relevance: 2.4, Strings: 1, Instructions: 1180COMMON

Download Yara Rule

Strings

, xrefs: 00007FFAAC50AD0F

Memory Dump Source

Source File: 00000000.00000002.3733092430.00007FFAAC500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac500000_book_lumm2.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 4d8f27cbc4b216dbc27deec721952ece81f48f95f88a8e649df6f606e055c919
Instruction ID: 6ece120b9d6a0b85a51ca01fa5fb70f30f30841c45ed49ad40a18dceea31a177
Opcode Fuzzy Hash: 4d8f27cbc4b216dbc27deec721952ece81f48f95f88a8e649df6f606e055c919
Instruction Fuzzy Hash: D5828170E5D90A9FFB94EB78C455A7D72D6EF99300F548578E40ED32C2DE28E8068781

Function 00007FFAAC506306 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3733092430.00007FFAAC500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac500000_book_lumm2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 501ba11e9893baddc9b9f3f59065b292464a3b95e40dec92880ac1bb080e990a
Instruction ID: bf397798b8b07e89a702816c3e5a2ea0dc5c5cf1bcbb2d8a593bc3357b475b7d
Opcode Fuzzy Hash: 501ba11e9893baddc9b9f3f59065b292464a3b95e40dec92880ac1bb080e990a
Instruction Fuzzy Hash: A9F19270909A4E8FEBA8DF28C8557E937D1FF55310F04827AE84EC7295CE34E9458B81

Function 00007FFAAC5070B2 Relevance: .5, Instructions: 461COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3733092430.00007FFAAC500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac500000_book_lumm2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a91898b7fa02d2cdf7c51206ee6176fe4bc06d2e833ce4a935f66f342fa7969f
Instruction ID: cfa5f739baa71ab2f02a4385590c09bf40e0888aac7ade40cf95ffe733ad322f
Opcode Fuzzy Hash: a91898b7fa02d2cdf7c51206ee6176fe4bc06d2e833ce4a935f66f342fa7969f
Instruction Fuzzy Hash: F1E1C070908A4E8FEBA8DF28C8557E977D1FB55351F14826EE84EC3291CF34A8848BC1

Function 00007FFAAC5011B0 Relevance: 5.4, Strings: 4, Instructions: 405COMMON

Download Yara Rule

Strings

r6, xrefs: 00007FFAAC50A0E3
r6, xrefs: 00007FFAAC509E7B
6, xrefs: 00007FFAAC509FC5
r6, xrefs: 00007FFAAC50A06B

Memory Dump Source

Source File: 00000000.00000002.3733092430.00007FFAAC500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac500000_book_lumm2.jbxd

Similarity

API ID:
String ID: 6$r6$r6$r6
API String ID: 0-3926755054
Opcode ID: b44d222cd4685c74b897344802932106a3863b530223616c3f651ecfcc1e96fd
Instruction ID: 866bb6e7b70b14120c086d7b5b7c44816861af84b8e4f09e01b5f9ee69587311
Opcode Fuzzy Hash: b44d222cd4685c74b897344802932106a3863b530223616c3f651ecfcc1e96fd
Instruction Fuzzy Hash: DBD11971A5CA1ECFE799EF28C4986A877D1FF59304B5485B9E44EC729ACE24EC0187C0

Function 00007FFAAC502165 Relevance: 4.2, Strings: 3, Instructions: 422COMMON

Download Yara Rule

Strings

r6, xrefs: 00007FFAAC502281
HB, xrefs: 00007FFAAC502451
0", xrefs: 00007FFAAC50223D

Memory Dump Source

Source File: 00000000.00000002.3733092430.00007FFAAC500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac500000_book_lumm2.jbxd

Similarity

API ID:
String ID: 0"$HB$r6
API String ID: 0-2729165795
Opcode ID: 0ef1b3301f567ced60a322d5aafeb0183a6d7791284c7ecc86a7118ad5b7de55
Instruction ID: d323ba5a49117c3fa1df30700b83745236b9657f74c5b1e62855b9e017243611
Opcode Fuzzy Hash: 0ef1b3301f567ced60a322d5aafeb0183a6d7791284c7ecc86a7118ad5b7de55
Instruction Fuzzy Hash: C0D16DA2E1DA4A8FF799973888252B97BD1FF96300F4441B9E04EC72D7DD289C0683C1

Function 00007FFAAC501B48 Relevance: 4.0, Strings: 3, Instructions: 205COMMON

Download Yara Rule

Strings

/, xrefs: 00007FFAAC501C59
HB, xrefs: 00007FFAAC501C19
/, xrefs: 00007FFAAC501BFA

Memory Dump Source

Source File: 00000000.00000002.3733092430.00007FFAAC500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac500000_book_lumm2.jbxd

Similarity

API ID:
String ID: HB$/$/
API String ID: 0-2471025714
Opcode ID: 1d68acb56959517530c9df7e5998852d071e3f2eaccd29f49c100918e80b2399
Instruction ID: 6b014d9843067e986a0725226d7776e45cf338343858f901b03250fc381fd04b
Opcode Fuzzy Hash: 1d68acb56959517530c9df7e5998852d071e3f2eaccd29f49c100918e80b2399
Instruction Fuzzy Hash: 95614A30D4D6869FEB46D73484126AA7BA1EF57310F1842F9D05DC71E3DE68A806C792

Function 00007FFAAC5012E3 Relevance: 2.8, Strings: 2, Instructions: 269COMMON

Download Yara Rule

Strings

`+, xrefs: 00007FFAAC5013D1
8e, xrefs: 00007FFAAC50150D

Memory Dump Source

Source File: 00000000.00000002.3733092430.00007FFAAC500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac500000_book_lumm2.jbxd

Similarity

API ID:
String ID: 8e$`+
API String ID: 0-2433936501
Opcode ID: 5218b770ecd092f7f96ee14ce11d7f6bb2f1a189e2c47b5766a3856d9a5232ab
Instruction ID: 5e26f579eb510288679fe6b8fc3038796c79b134758880fb2b7c5c40ca43a768
Opcode Fuzzy Hash: 5218b770ecd092f7f96ee14ce11d7f6bb2f1a189e2c47b5766a3856d9a5232ab
Instruction Fuzzy Hash: 2F813093D4E7C29FF3555778A8560FA6F98EF52364B08817FE18ECA593DC04A80983D2

Function 00007FFAAC5012D3 Relevance: 2.8, Strings: 2, Instructions: 256COMMON

Download Yara Rule

Strings

`+, xrefs: 00007FFAAC5013D1
8e, xrefs: 00007FFAAC50150D

Memory Dump Source

Source File: 00000000.00000002.3733092430.00007FFAAC500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac500000_book_lumm2.jbxd

Similarity

API ID:
String ID: 8e$`+
API String ID: 0-2433936501
Opcode ID: 0d9a7f268dd4f953b1fc36a44f491036d2dc6bbf7255e359bc1eb6ba98ffcab9
Instruction ID: 34629487cfb6dab66f87d4fe3666c225d336849f32f1d92a1928ff486243d7d2
Opcode Fuzzy Hash: 0d9a7f268dd4f953b1fc36a44f491036d2dc6bbf7255e359bc1eb6ba98ffcab9
Instruction Fuzzy Hash: BC713E93D4E7839FF34557B898560FA6F88EF52354B0881BAE08ECA593DC04E80983D2

Function 00007FFAAC500925 Relevance: 2.7, Strings: 2, Instructions: 211COMMON

Download Yara Rule

Strings

0D, xrefs: 00007FFAAC500AA1
0D, xrefs: 00007FFAAC500A50

Memory Dump Source

Source File: 00000000.00000002.3733092430.00007FFAAC500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac500000_book_lumm2.jbxd

Similarity

API ID:
String ID: 0D$0D
API String ID: 0-2892953775
Opcode ID: 7658e47b6029ca9b5001f7b048bcc8d081f1f1149e50b953a5b125195416aa8b
Instruction ID: 77812139c6fd02ce60e1d5230d37008ed901f676585a66cc875acc34da475bff
Opcode Fuzzy Hash: 7658e47b6029ca9b5001f7b048bcc8d081f1f1149e50b953a5b125195416aa8b
Instruction Fuzzy Hash: CC5115A1E59A4E5FEB84EB78C4695BD7FD6FF8A210B4084B9E00FC31D7DD2898058380

Function 00007FFAAC5086FA Relevance: 1.5, Strings: 1, Instructions: 289COMMON

Download Yara Rule

Strings

M_^, xrefs: 00007FFAAC5086FA

Memory Dump Source

Source File: 00000000.00000002.3733092430.00007FFAAC500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac500000_book_lumm2.jbxd

Similarity

API ID:
String ID: M_^
API String ID: 0-921959145
Opcode ID: 48f734b8e97daa03836d5b5e5bb1f73722897c112ff896a40ebe5005bf458b35
Instruction ID: ade2e49dbee04791432fadfbbe7d6e615c48ddf0b6ac941e86587d8f64cb0ee7
Opcode Fuzzy Hash: 48f734b8e97daa03836d5b5e5bb1f73722897c112ff896a40ebe5005bf458b35
Instruction Fuzzy Hash: BA3121A294EB8E9FE38A9728D8651F87FF1FF42210F0446B6E04AC71D7DD18580A8780

Function 00007FFAAC500B5E Relevance: 1.4, Strings: 1, Instructions: 160COMMON

Download Yara Rule

Strings

r6, xrefs: 00007FFAAC500BD2

Memory Dump Source

Source File: 00000000.00000002.3733092430.00007FFAAC500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac500000_book_lumm2.jbxd

Similarity

API ID:
String ID: r6
API String ID: 0-2984296541
Opcode ID: d982a5535b4eef71b6944d6fe1fa511bf8809a8db34025f4f65add9f58d6c050
Instruction ID: 88b92d3f87c6137eda8093bbbb6cdc8d905e4a1b9ae41a4df02f9d3f5ebbb742
Opcode Fuzzy Hash: d982a5535b4eef71b6944d6fe1fa511bf8809a8db34025f4f65add9f58d6c050
Instruction Fuzzy Hash: 82411661B1DA890FE789AB7CD85A6797BD5DF8A214F0941FAE04EC7293CD189C068341

Function 00007FFAAC500528 Relevance: 1.4, Strings: 1, Instructions: 138COMMON

Download Yara Rule

Strings

r6, xrefs: 00007FFAAC500BD2

Memory Dump Source

Source File: 00000000.00000002.3733092430.00007FFAAC500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac500000_book_lumm2.jbxd

Similarity

API ID:
String ID: r6
API String ID: 0-2984296541
Opcode ID: ec696cfe185d9c8314fcca27cad78d4982279e584916f137705a96d2933a6e55
Instruction ID: 7446efc86970d70655a2948c3b5fec50750a621f766f7c61f9a65c4800aa8f20
Opcode Fuzzy Hash: ec696cfe185d9c8314fcca27cad78d4982279e584916f137705a96d2933a6e55
Instruction Fuzzy Hash: 7231D362B189490FE798EB7CD85AB79A6C6EB99315F0445BEE00EC3293DD689C018380

Function 00007FFAAC500E11 Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

6, xrefs: 00007FFAAC500E42

Memory Dump Source

Source File: 00000000.00000002.3733092430.00007FFAAC500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac500000_book_lumm2.jbxd

Similarity

API ID:
String ID: 6
API String ID: 0-1452363761
Opcode ID: 6afc7bdde811e6ceb608248271a3a53b7ff81903da93449a594eea696d76f738
Instruction ID: 70f1dff65bfcd83f26c156054bfa7ff272420959affd9746db81cc3a827c2783
Opcode Fuzzy Hash: 6afc7bdde811e6ceb608248271a3a53b7ff81903da93449a594eea696d76f738
Instruction Fuzzy Hash: 7031D452B58A4A5FF784B7BCD81A7BC67D6EB99751F0442BAE00EC3293DD18AC058381

Function 00007FFAAC500CC1 Relevance: 1.4, Strings: 1, Instructions: 122COMMON

Download Yara Rule

Strings

HB, xrefs: 00007FFAAC500D00

Memory Dump Source

Source File: 00000000.00000002.3733092430.00007FFAAC500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac500000_book_lumm2.jbxd

Similarity

API ID:
String ID: HB
API String ID: 0-408134297
Opcode ID: 22a78bd65b91637ffc30353e592ba286daf5aecdf859f61470698f915fbc0210
Instruction ID: c5cd10f834c97a1b08f6e185b715f41d0fa19a98a9b9829bd5de2dfa64d01586
Opcode Fuzzy Hash: 22a78bd65b91637ffc30353e592ba286daf5aecdf859f61470698f915fbc0210
Instruction Fuzzy Hash: E041E375E48A4E9FEB85EB78C4556AD7BF1FF99300F5444B5E04EC3286CD28A801CB80

Function 00007FFAAC500E30 Relevance: 1.4, Strings: 1, Instructions: 116COMMON

Download Yara Rule

Strings

6, xrefs: 00007FFAAC500E42

Memory Dump Source

Source File: 00000000.00000002.3733092430.00007FFAAC500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac500000_book_lumm2.jbxd

Similarity

API ID:
String ID: 6
API String ID: 0-1452363761
Opcode ID: 2edd11673aa86566cd015f510926f6599db361788319824f41c1ddc012fb35dc
Instruction ID: e58307e52c55bd8961484d760e2ee8dfa5fc0d2171652d23d430c9a51a44af18
Opcode Fuzzy Hash: 2edd11673aa86566cd015f510926f6599db361788319824f41c1ddc012fb35dc
Instruction Fuzzy Hash: 3F318252B58D0A5FFB84B7BCD81A7BD66D6EBD9752F00417AE40EC3292DD28AC4183C1

Function 00007FFAAC5017E5 Relevance: 1.3, Strings: 1, Instructions: 91COMMON

Download Yara Rule

Strings

HB, xrefs: 00007FFAAC501786

Memory Dump Source

Source File: 00000000.00000002.3733092430.00007FFAAC500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac500000_book_lumm2.jbxd

Similarity

API ID:
String ID: HB
API String ID: 0-408134297
Opcode ID: 1bc7cc90524423938692b3fa6018856663cfb91b1c422798a9456687937c8db9
Instruction ID: bf7412455c5eb730a79f331846d361482da099cf43e9c9aad2d125852cf75a9b
Opcode Fuzzy Hash: 1bc7cc90524423938692b3fa6018856663cfb91b1c422798a9456687937c8db9
Instruction Fuzzy Hash: 44310861E4E507AFF7D4A734C0122BA268ABF96350F148479F00EC61C3DE2CE84583D2

Function 00007FFAAC507E61 Relevance: 1.3, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFAAC507ED3

Memory Dump Source

Source File: 00000000.00000002.3733092430.00007FFAAC500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac500000_book_lumm2.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: edb4c2ff45f5b20792301c23234956bb40863b8ce824e2bd9b6239587fa26413
Instruction ID: 114f779c6a2501ac2063001f9808b254e11ae4ef0269a254a6920b40bde2fbbd
Opcode Fuzzy Hash: edb4c2ff45f5b20792301c23234956bb40863b8ce824e2bd9b6239587fa26413
Instruction Fuzzy Hash: B521C531C4D296CFEB419BA4C8056F9BFE4EF46311F0541BAE44DD7292DA2CA84487D1

Function 00007FFAAC50A15D Relevance: 1.3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

Strings

FO_H, xrefs: 00007FFAAC50A1A2

Memory Dump Source

Source File: 00000000.00000002.3733092430.00007FFAAC500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac500000_book_lumm2.jbxd

Similarity

API ID:
String ID: FO_H
API String ID: 0-2715392569
Opcode ID: ab2e93310c0efe59e3f2c0c6e2e7efed03c140b4e18f1a969f3f6ab002797cbe
Instruction ID: 4e77e9a95cd1bc6eca20e5a7f0a35a9589aa7d96fe8fdd8dd9030d1da8af3186
Opcode Fuzzy Hash: ab2e93310c0efe59e3f2c0c6e2e7efed03c140b4e18f1a969f3f6ab002797cbe
Instruction Fuzzy Hash: BE018B5588F6C6AEEB83577408200A67FA8AF43214B4884FBE08DCB193DA0C851AC382

Function 00007FFAAC5014D3 Relevance: 1.3, Strings: 1, Instructions: 54COMMON

Download Yara Rule

Strings

8e, xrefs: 00007FFAAC50150D

Memory Dump Source

Source File: 00000000.00000002.3733092430.00007FFAAC500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac500000_book_lumm2.jbxd

Similarity

API ID:
String ID: 8e
API String ID: 0-1620073548
Opcode ID: ac93a5f2816180ce60b7409d563adc35d926bd684151aa90f8c7bebc1700a887
Instruction ID: ad0c6e7139ffd7b831bf52c491baf4f5c4fa44d995558ad0f07c6ee6fa4ca060
Opcode Fuzzy Hash: ac93a5f2816180ce60b7409d563adc35d926bd684151aa90f8c7bebc1700a887
Instruction Fuzzy Hash: D601DD52D0EB954FF382A37858664793FE0DF8211170849A7E48ECA2E3DC08994943D3

Function 00007FFAAC50176D Relevance: 1.3, Strings: 1, Instructions: 36COMMON

Download Yara Rule

Strings

HB, xrefs: 00007FFAAC501786

Memory Dump Source

Source File: 00000000.00000002.3733092430.00007FFAAC500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac500000_book_lumm2.jbxd

Similarity

API ID:
String ID: HB
API String ID: 0-408134297
Opcode ID: 27fcf7c42e34dbd361b7abba27b00e2e0184b5d15c338ec8bad5e0f791928589
Instruction ID: 3e61bdfdede60e61c37a20f681c2603b91039993c3ef472118b02efdc5424d92
Opcode Fuzzy Hash: 27fcf7c42e34dbd361b7abba27b00e2e0184b5d15c338ec8bad5e0f791928589
Instruction Fuzzy Hash: 77F0F491E4E6879FF794637884662792A86AF66301F0484F9F04EC61C3DD5CF8458383

Function 00007FFAAC506CC6 Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3733092430.00007FFAAC500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac500000_book_lumm2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c32e3089b242a2392e5c2a80c4d2e1118e18f0d4fe727f45c2a4165f535f5e2e
Instruction ID: f325ae9e68d4d2029eba49413dc3ba73263cf52d027374231a1a1a73f8994581
Opcode Fuzzy Hash: c32e3089b242a2392e5c2a80c4d2e1118e18f0d4fe727f45c2a4165f535f5e2e
Instruction Fuzzy Hash: 20B1A270508A4E8FEBA8DF28D8557E93BD1FF55310F14827AE84EC7292CE3499458B82

Function 00007FFAAC5086E8 Relevance: .3, Instructions: 304COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3733092430.00007FFAAC500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac500000_book_lumm2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc01e94d848db3d99b75252db369af1516b2b02a767a2400dd6a36c8bbbb8d07
Instruction ID: 998597c0b9b71c3925859bd8382e2ce68ce99e194c148b351dd9ea9275751232
Opcode Fuzzy Hash: fc01e94d848db3d99b75252db369af1516b2b02a767a2400dd6a36c8bbbb8d07
Instruction Fuzzy Hash: 453103A294EB8B9EF78A9768D8510F97FA0FF42210F0446B6E04AC7193DD19980A83C0

Function 00007FFAAC5086F8 Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3733092430.00007FFAAC500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac500000_book_lumm2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9ba25500de471741f23d68575eb7b5901c5a63490e23a60ee30452dd3cea479
Instruction ID: 03a2d90cc19f373abcd081ef849a7f612160c73a8c555634bd204e73795d9d30
Opcode Fuzzy Hash: b9ba25500de471741f23d68575eb7b5901c5a63490e23a60ee30452dd3cea479
Instruction Fuzzy Hash: F93101A294EB8B9EF78A9768D8611FD7FB1FF42210F0446B6E04AC71D7CD18580987C0

Function 00007FFAAC508708 Relevance: .3, Instructions: 283COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3733092430.00007FFAAC500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac500000_book_lumm2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ff4d3bf44a1aa0023d81c2f1e77746224d42f2e88e3394ae404e15fb5c496a2
Instruction ID: eba047df1187bd3ed256c6c4e1857cb146fd2076aa5abe2bbac86ef5c5dc9d3d
Opcode Fuzzy Hash: 4ff4d3bf44a1aa0023d81c2f1e77746224d42f2e88e3394ae404e15fb5c496a2
Instruction Fuzzy Hash: F621F1A294EB8A9EF78A9768D8611F97FB1FF42210F0446B6E04AC71D7CD2858098780

Function 00007FFAAC508718 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3733092430.00007FFAAC500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac500000_book_lumm2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a454d8c8d7f10f06b9ff70f991fc8d555beeb8b9d7df5c592cd51acd19b10b41
Instruction ID: 5cbd413cd1af59753d24e96d1c1fe01f46329ca19f41b35353cf6b812689863e
Opcode Fuzzy Hash: a454d8c8d7f10f06b9ff70f991fc8d555beeb8b9d7df5c592cd51acd19b10b41
Instruction Fuzzy Hash: 312123A290EB8E9FF785A768C8611FD7FB1FF42200F0446B6E00AC71D3CD1858098780

Function 00007FFAAC5089C9 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3733092430.00007FFAAC500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac500000_book_lumm2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 072883d9f517e7cef5cc40ad034419cb8aeedbf54ca7b174a0538af2554a2c14
Instruction ID: 2e371f4b78fcbac2eb7f7d43b33cc617a7e6a4c8a46040f9b9d73a592ac1db34
Opcode Fuzzy Hash: 072883d9f517e7cef5cc40ad034419cb8aeedbf54ca7b174a0538af2554a2c14
Instruction Fuzzy Hash: 1E9116B1D4EA4B9FF798E738C446AA47BD4EF56310F0485B5E00DC7592DE28E84A83C1

Function 00007FFAAC508F0D Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3733092430.00007FFAAC500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac500000_book_lumm2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11e73049009d57ac41fab06b57aa7af64368a7f59ccbda33116a2d21c8f402f9
Instruction ID: 36037dd8ca45f99e3df051a38bfcd123dd879a79841db2ede8183aef40c0805a
Opcode Fuzzy Hash: 11e73049009d57ac41fab06b57aa7af64368a7f59ccbda33116a2d21c8f402f9
Instruction Fuzzy Hash: 87710871E5D9499FEB98EB38D859AF977E5EF46310F0441BAE00ED3192CD289C45C780

Function 00007FFAAC507F4D Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3733092430.00007FFAAC500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac500000_book_lumm2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b5b00035b57f5e4619fcb8419ef9ed8ead62d8e6e973240dd0da7a24d72bb69
Instruction ID: 1e846ec7d067b6c5f3acd456ddde58e0e49c07375682dbb5d52713d92a8ca1a0
Opcode Fuzzy Hash: 9b5b00035b57f5e4619fcb8419ef9ed8ead62d8e6e973240dd0da7a24d72bb69
Instruction Fuzzy Hash: 6C61967090860D8FEB98DF68D845BEDBBF5FF59311F1082AAD04DD7252CA34A946CB81

Function 00007FFAAC508C81 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3733092430.00007FFAAC500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac500000_book_lumm2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da998a00762762fefeca557004fcb3bc510564d5c7a3ea1d839ec18439bc9fc4
Instruction ID: 82bb1225accae1d21c2447e3900d2f7d3daabf50587a430504136b4db9e55913
Opcode Fuzzy Hash: da998a00762762fefeca557004fcb3bc510564d5c7a3ea1d839ec18439bc9fc4
Instruction Fuzzy Hash: 6051E771E5991E9FEB98EB28D855ABC77F5FF96300F0041B9E00DD7292CE28A845C780

Function 00007FFAAC508F60 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3733092430.00007FFAAC500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac500000_book_lumm2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e93f2f349d3454f8c600a361aa555d818e279448c05340af99b6d5f8bf949516
Instruction ID: 7ab8c392d1cbd19ce57d332ccaf7c3e9b14419cde7835591a71ac3bc091ffcd5
Opcode Fuzzy Hash: e93f2f349d3454f8c600a361aa555d818e279448c05340af99b6d5f8bf949516
Instruction Fuzzy Hash: 5951A371E1890D8FEB98EB68C459ABDB7E5EF99310F1445B9E00ED3296CE24EC458780

Function 00007FFAAC503BFC Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3733092430.00007FFAAC500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac500000_book_lumm2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e51a22826ec49dad821aef10fa327b23289c28e14399f4c2e3df0bb6d293b577
Instruction ID: 59b43f90a3d0ad79018f125d2f5a62c23b1d65d724410c17e8f50727a0765c37
Opcode Fuzzy Hash: e51a22826ec49dad821aef10fa327b23289c28e14399f4c2e3df0bb6d293b577
Instruction Fuzzy Hash: E4517171908A1C8FDB58DB68D845BE9BBF1FF59310F1082AAD04DD3252DE34A9858B81

Function 00007FFAAC5094FA Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3733092430.00007FFAAC500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac500000_book_lumm2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 809eb1bbd225f7217624becd00035254e1649f64c1f1044593a70910c6a563c4
Instruction ID: f6d2cccad5020790d4eda3e05d51b8a9d17ede290879c83ad8a24a6e593d20c2
Opcode Fuzzy Hash: 809eb1bbd225f7217624becd00035254e1649f64c1f1044593a70910c6a563c4
Instruction Fuzzy Hash: 8651057090D64D9FE758DF68D855AB87BE0EF56311F04817EE04EC72A3DB28A8068B91

Function 00007FFAAC50189D Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3733092430.00007FFAAC500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac500000_book_lumm2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a6ad6f8145e4de5e36edefd3126196e007a53fced2ea961e62b2006c7ef1416
Instruction ID: 59ccadd4620896c56a5063bbdce4d2ea7a8717aa3dd2b6c98d7d45aee21f466e
Opcode Fuzzy Hash: 3a6ad6f8145e4de5e36edefd3126196e007a53fced2ea961e62b2006c7ef1416
Instruction Fuzzy Hash: 54519E74949A5D8FEB98DF28C459BA97BE0FF55301F00416EE04EC3692CB75D8458B81

Function 00007FFAAC5082B1 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3733092430.00007FFAAC500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac500000_book_lumm2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f15662d4e8b890feda2381c69147db15568aa429bae11eaffed2204642c4137
Instruction ID: e1d8ef3e26901305ce530a56d1086d48accea6ef7878315d90c7e1b52bb42a83
Opcode Fuzzy Hash: 7f15662d4e8b890feda2381c69147db15568aa429bae11eaffed2204642c4137
Instruction Fuzzy Hash: 73410771D4990E9FEBC4EB68C859AFD7BF1FF89300B044079E40DD3692DE2898468790

Function 00007FFAAC508179 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3733092430.00007FFAAC500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac500000_book_lumm2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46ff652aa9f1858bdb5fcc4cdbdc3be2cf4dc2c6659b2c7d28387450b57066ec
Instruction ID: 702a9ab821f69490ed3278e14218ca2aac8835dbdba305f32cc421c525b62b69
Opcode Fuzzy Hash: 46ff652aa9f1858bdb5fcc4cdbdc3be2cf4dc2c6659b2c7d28387450b57066ec
Instruction Fuzzy Hash: 2631FB71A4DA8A9FEB86EB3CC4959A97BE0FF5631170405F6D448C7292CE34E845CB81

Function 00007FFAAC5098C5 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3733092430.00007FFAAC500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac500000_book_lumm2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f0e771d7dd24c15b3fe1525237b53d83f209461cdfec4e0cc6bb183c4ef15e0
Instruction ID: c31aadbbe03b2b2a6311f9440303101bb76980fd432f0f792e5c0f1aa4e89d30
Opcode Fuzzy Hash: 7f0e771d7dd24c15b3fe1525237b53d83f209461cdfec4e0cc6bb183c4ef15e0
Instruction Fuzzy Hash: A231A17040D7889FDB15DBA8D845AEABBF0FF56320F0482AFD08AC7562D764A806CB51

Function 00007FFAAC507810 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3733092430.00007FFAAC500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac500000_book_lumm2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e23a9594f926b4c48b270a0375c050f06764e289b2b527f8643b809ed3c26d4
Instruction ID: 7f8efa018608980f6050f3f3562db3d0d8e365481b663842bb814160402ff436
Opcode Fuzzy Hash: 0e23a9594f926b4c48b270a0375c050f06764e289b2b527f8643b809ed3c26d4
Instruction Fuzzy Hash: 61212336E4CD4E8FEB90EB6898561ED7BE4FF89321F0402B2E40DC3192DE24985987C1

Function 00007FFAAC5096D1 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3733092430.00007FFAAC500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac500000_book_lumm2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8c7895c7611bb68370449659ae899df6e428515e8fc841aa9001ed40e9e5631
Instruction ID: 13dca1e3a67ce4c866ea9e2fa21638214b5927c7fd795ec2b70804a4103ec960
Opcode Fuzzy Hash: b8c7895c7611bb68370449659ae899df6e428515e8fc841aa9001ed40e9e5631
Instruction Fuzzy Hash: 9D21F360A5C95A9FF784A7BCD426BAD77D6EB96300F5441B5F01EC32D3CC58A9048382

Function 00007FFAAC5097E9 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3733092430.00007FFAAC500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac500000_book_lumm2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a00ec4935bdb3b3226360072af73dcd4903fa427a91266c13f6e2b0e317e9f0
Instruction ID: e142077f2a6a177f3fef39b3fda1a8868ed9de8dd4f92f264c0b8ff13248af35
Opcode Fuzzy Hash: 9a00ec4935bdb3b3226360072af73dcd4903fa427a91266c13f6e2b0e317e9f0
Instruction Fuzzy Hash: 5B113B21A8E58B5FF7869B6448116FA7BE5EFD7200F0480F6F08DC2583CD1C9C0A8391

Function 00007FFAAC5016D1 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3733092430.00007FFAAC500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac500000_book_lumm2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2353dc0f3aa43ca409e5f093209dab67ca0cf40f1eb1450b06ef1e0e801eafd9
Instruction ID: b1d6a0ff7f60b5b0d6b6e44c1b83ab4b8e11e19e22758e3a14297c489e14d69e
Opcode Fuzzy Hash: 2353dc0f3aa43ca409e5f093209dab67ca0cf40f1eb1450b06ef1e0e801eafd9
Instruction Fuzzy Hash: 9B0122B1C4878D8FE79DDF2884AA1B93FE0EB6A201F4440AFD48ED76A2DEB004108741

Function 00007FFAAC500600 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3733092430.00007FFAAC500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac500000_book_lumm2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57de9ae89a6bb8ee980091910129618f0f65718e7bd1cef53020529f930bee34
Instruction ID: 851ffb2f7d14e61e9bc25d848bad33157d13b81939d8e7f3816f7bcd26a3e8a2
Opcode Fuzzy Hash: 57de9ae89a6bb8ee980091910129618f0f65718e7bd1cef53020529f930bee34
Instruction Fuzzy Hash: 3F016170E5D90B9EFB98AB2884026FA73D9FF99301F508479E44EC2686DD24EC5547C1

Function 00007FFAAC507DA1 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3733092430.00007FFAAC500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac500000_book_lumm2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6310a1a1f54fa033734d786136904f72c2600057455d7080906acdce774e403d
Instruction ID: 223f56a09f8a83c79923ff1f8e8aa63d99b6aff4140cd4d3ee1cd4a0a7e4a158
Opcode Fuzzy Hash: 6310a1a1f54fa033734d786136904f72c2600057455d7080906acdce774e403d
Instruction Fuzzy Hash: 7F0100B2D0AA8D8FDB91ABA8D85A1FD7BF1EF19211F4002E7D048C7192DE2898048781

Function 00007FFAAC508A5D Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3733092430.00007FFAAC500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac500000_book_lumm2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1694335edd7af6854de99b87c86f5c03bf0309be81ea4a426f501f34b8328066
Instruction ID: 272185c2cfd2b8b898a14e8af4b398f80ee5c00e5f314e24e538c23c9a0bf97a
Opcode Fuzzy Hash: 1694335edd7af6854de99b87c86f5c03bf0309be81ea4a426f501f34b8328066
Instruction Fuzzy Hash: 5501A2B1E19A075AF78CAB7888879B47280FF15311F404AB9E00FC24E3DE19F84A86C0

Function 00007FFAAC501848 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3733092430.00007FFAAC500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac500000_book_lumm2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e4e92399404da7a88b4294a35977642ffaafc53c62d76078c2efb33386f017c
Instruction ID: c530f2f17d69c88b4dff0b2625961d49fa188b052fb43bd6d85add13d2c30410
Opcode Fuzzy Hash: 4e4e92399404da7a88b4294a35977642ffaafc53c62d76078c2efb33386f017c
Instruction Fuzzy Hash: EAF0D131C4D4079FF395DB28C0406B933A6BF92320F108635E00EC21C2DF28E84586C1

Function 00007FFAAC501551 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3733092430.00007FFAAC500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac500000_book_lumm2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4edf241b00b71f55a9fdb6f14c9026d52e880b9ad66b4bae7f9e3735e762a3a4
Instruction ID: 96095e9c5fd3d727eb662c046f7cc15fe4d692ae495ec57fdd12609e43201414
Opcode Fuzzy Hash: 4edf241b00b71f55a9fdb6f14c9026d52e880b9ad66b4bae7f9e3735e762a3a4
Instruction Fuzzy Hash: 2BE02632C4D3CA8FEB529B5458220D67F60EF16200F4501CBF40CC6143D610951843C3

Function 00007FFAAC50A1B5 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3733092430.00007FFAAC500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac500000_book_lumm2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd5d5816998c9f71cafebff230d7c82d6a6d04b40a78aa4d9cb1b96f0d3f3eba
Instruction ID: 7602e98d4c0f578fdf86151d00ae24fd50251e5e42e37fa7ecbd12fbe2872df1
Opcode Fuzzy Hash: bd5d5816998c9f71cafebff230d7c82d6a6d04b40a78aa4d9cb1b96f0d3f3eba
Instruction Fuzzy Hash: 7CE0867188F7CE9FEB5297245C210D97F60EF12200F4805DBE49CC6053D959822D83C2

Function 00007FFAAC5011D8 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3733092430.00007FFAAC500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac500000_book_lumm2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4543ba48cad8328d3a84b1ebaeedb1f465cbd9892f5d05173ac5f92f47281ff
Instruction ID: c9d8abad62f8a7e977cc00929a38aad80a2047926e8c0b4d46bb7ad156a1db9a
Opcode Fuzzy Hash: c4543ba48cad8328d3a84b1ebaeedb1f465cbd9892f5d05173ac5f92f47281ff
Instruction Fuzzy Hash: 64C01235895D4EAEAB906B5058011EAB328FB05304F404556F81DD2041DB24E22856C2

Function 00007FFAAC5096AE Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3733092430.00007FFAAC500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac500000_book_lumm2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0e2db2d7f4c4cf275796c3299af9ca9f12d8a0b7dc45977b3d1cab754005dde
Instruction ID: cea00d0c0333adc224de1f4548c2c2b1dfae2e3dd1924f78e1aa250fb9b52dd3
Opcode Fuzzy Hash: e0e2db2d7f4c4cf275796c3299af9ca9f12d8a0b7dc45977b3d1cab754005dde
Instruction Fuzzy Hash: C1D0C91088F7C24FE707637508554507EB09A43290B8F82DBE888CA493D68D498D8392

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report book_lumm2.dat.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Windows Analysis Report
book_lumm2.dat.exe