Edit tour

Windows Analysis Report
SPOOOFER776.exe

Overview

General Information

Sample name:	SPOOOFER776.exe
Analysis ID:	1590903
MD5:	66a9fe0ffb298b4c4c390dee3bc534e9
SHA1:	5dc498039926c0c342c536d3cccf1e5c1dd752d8
SHA256:	0fc0de254bc80e54c708fbd0eb0460c730283508b94108e4b2d1d70525ef3fce
Tags:	exemalwaretrojanuser-Joker
Infos:

Detection

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Machine Learning detection for sample

Yara detected Costura Assembly Loader

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Detected potential crypto function

Enables debug privileges

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

SPOOOFER776.exe (PID: 1200 cmdline: "C:\Users\user\Desktop\SPOOOFER776.exe" MD5: 66A9FE0FFB298B4C4C390DEE3BC534E9)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
SPOOOFER776.exe	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
SPOOOFER776.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
SPOOOFER776.exe	INDICATOR_SUSPICIOUS_DisableWinDefender	Detects executables containing artifcats associated with disabling Widnows Defender	ditekSHen	0x551718:$reg1: SOFTWARE\Microsoft\Windows Defender\Features 0x551798:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x55181d:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x551c82:$s1: Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true 0x551d3a:$s2: Set-MpPreference -DisableArchiveScanning $true 0x551dda:$s3: Set-MpPreference -DisableIntrusionPreventionSystem $true 0x551e78:$s4: Set-MpPreference -DisableScriptScanning $true 0x551f02:$s5: Set-MpPreference -SubmitSamplesConsent 2 0x551f70:$s6: Set-MpPreference -MAPSReporting 0 0x551fe8:$s7: Set-MpPreference -HighThreatDefaultAction 6 0x552086:$s8: Set-MpPreference -ModerateThreatDefaultAction 6 0x552114:$s9: Set-MpPreference -LowThreatDefaultAction 6 0x55219e:$s10: Set-MpPreference -SevereThreatDefaultAction 6

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.1612074302.0000000007840000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000000.00000000.1513698661.0000000000AAD000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.1588524507.0000000003141000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.1603366980.0000000006430000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
Process Memory Space: SPOOOFER776.exe PID: 1200	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.SPOOOFER776.exe.7840000.10.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.SPOOOFER776.exe.46215f0.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.SPOOOFER776.exe.6430000.9.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.SPOOOFER776.exe.4b21610.8.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.0.SPOOOFER776.exe.8b0000.0.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.0.SPOOOFER776.exe.8b0000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.0.SPOOOFER776.exe.8b0000.0.unpack	INDICATOR_SUSPICIOUS_DisableWinDefender	Detects executables containing artifcats associated with disabling Widnows Defender	ditekSHen	0x551718:$reg1: SOFTWARE\Microsoft\Windows Defender\Features 0x551798:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x55181d:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x551c82:$s1: Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true 0x551d3a:$s2: Set-MpPreference -DisableArchiveScanning $true 0x551dda:$s3: Set-MpPreference -DisableIntrusionPreventionSystem $true 0x551e78:$s4: Set-MpPreference -DisableScriptScanning $true 0x551f02:$s5: Set-MpPreference -SubmitSamplesConsent 2 0x551f70:$s6: Set-MpPreference -MAPSReporting 0 0x551fe8:$s7: Set-MpPreference -HighThreatDefaultAction 6 0x552086:$s8: Set-MpPreference -ModerateThreatDefaultAction 6 0x552114:$s9: Set-MpPreference -LowThreatDefaultAction 6 0x55219e:$s10: Set-MpPreference -SevereThreatDefaultAction 6
Click to see the 2 entries

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SPOOOFER776.exe	Virustotal: Detection: 73%			Perma Link
Source: SPOOOFER776.exe	ReversingLabs: Detection: 63%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.7% probability

Machine Learning detection for sample

Source: SPOOOFER776.exe

Joe Sandbox ML: detected

Source: SPOOOFER776.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.26.1.5:443 -> 192.168.2.7:49701 version: TLS 1.2

Source: SPOOOFER776.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\Spoofer Valorant C#\Spoofer Valorant Atual\SpooferAtualizado\obj\Release\SPOOOFER.pdb source: SPOOOFER776.exe
Source:	Binary string: q.costura.icsharpcode.sharpziplib.pdb.compressed source: SPOOOFER776.exe, 00000000.00000002.1588524507.0000000003141000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: costura=costura.costura.dll.compressed=costura.costura.pdb.compressed source: SPOOOFER776.exe
Source:	Binary string: costura.costura.pdb.compressed source: SPOOOFER776.exe
Source:	Binary string: Siticone.Desktop.UI.pdb source: SPOOOFER776.exe, 00000000.00000002.1594018347.0000000004B21000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1594018347.0000000004322000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1588524507.0000000003141000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1603366980.0000000006430000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: D:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\Spoofer Valorant C#\Spoofer Valorant Atual\SpooferAtualizado\obj\Release\SPOOOFER.pdbBdU^dU PdU_CorExeMainmscoree.dll source: SPOOOFER776.exe
Source:	Binary string: guna.ui2?costura.guna.ui2.dll.compressed/icsharpcode.sharpziplib]costura.icsharpcode.sharpziplib.dll.compressed]costura.icsharpcode.sharpziplib.pdb.compressed source: SPOOOFER776.exe
Source:	Binary string: Siticone.Desktop.UI.pdb8@N@ @@_CorDllMainmscoree.dll source: SPOOOFER776.exe, 00000000.00000002.1594018347.0000000004B21000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1594018347.0000000004322000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1588524507.0000000003141000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1603366980.0000000006430000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: costura.icsharpcode.sharpziplib.pdb.compressed source: SPOOOFER776.exe
Source:	Binary string: costura.costura.pdb.compressed\|\|\|Costura.pdb\|6C6000A5EAF8579850AB82A89BD6268776EB51AD\|2608 source: SPOOOFER776.exe
Source:	Binary string: costura.icsharpcode.sharpziplib.pdb.compressed\|\|\|ICSharpCode.SharpZipLib.pdb\|E1FCA83029D1440F54FB3747B240365A6DF0A598\|121652 source: SPOOOFER776.exe

Networking

Yara detected Generic Downloader

Source: Yara match	File source: SPOOOFER776.exe, type: SAMPLE
Source: Yara match	File source: 0.2.SPOOOFER776.exe.7840000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SPOOOFER776.exe.46215f0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SPOOOFER776.exe.6430000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SPOOOFER776.exe.4b21610.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.SPOOOFER776.exe.8b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1612074302.0000000007840000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1603366980.0000000006430000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Source: global traffic

HTTP traffic detected: POST /api/1.0/ HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: keyauth.winContent-Length: 396Expect: 100-continueConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 104.26.1.5 104.26.1.5

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: keyauth.win

Source: unknown

HTTP traffic detected: POST /api/1.0/ HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: keyauth.winContent-Length: 396Expect: 100-continueConnection: Keep-Alive

Source: SPOOOFER776.exe	String found in binary or memory: http://167.114.85.75/logo.zip
Source: SPOOOFER776.exe	String found in binary or memory: http://167.114.85.75/mac.bat
Source: SPOOOFER776.exe	String found in binary or memory: http://167.114.85.75/tpmbypassspoofer.exe
Source: SPOOOFER776.exe, 00000000.00000002.1594018347.0000000004B21000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1594018347.0000000004322000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1588524507.0000000003141000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1612074302.0000000007840000.00000004.08000000.00040000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1607154311.0000000006841000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1603366980.0000000006430000.00000004.08000000.00040000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1607154311.0000000006AC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: SPOOOFER776.exe, 00000000.00000002.1594018347.0000000004B21000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1594018347.0000000004322000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1588524507.0000000003141000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1612074302.0000000007840000.00000004.08000000.00040000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1607154311.0000000006841000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1603366980.0000000006430000.00000004.08000000.00040000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1607154311.0000000006AC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: SPOOOFER776.exe, 00000000.00000002.1594018347.0000000004B21000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1594018347.0000000004322000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1588524507.0000000003141000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1612074302.0000000007840000.00000004.08000000.00040000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1607154311.0000000006841000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1603366980.0000000006430000.00000004.08000000.00040000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1607154311.0000000006AC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: SPOOOFER776.exe, 00000000.00000002.1602421792.0000000005C62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: SPOOOFER776.exe, 00000000.00000002.1594018347.0000000004B21000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1594018347.0000000004322000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1588524507.0000000003141000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1612074302.0000000007840000.00000004.08000000.00040000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1607154311.0000000006841000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1603366980.0000000006430000.00000004.08000000.00040000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1607154311.0000000006AC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: SPOOOFER776.exe, 00000000.00000002.1594018347.0000000004B21000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1594018347.0000000004322000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1588524507.0000000003141000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1612074302.0000000007840000.00000004.08000000.00040000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1607154311.0000000006841000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1603366980.0000000006430000.00000004.08000000.00040000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1607154311.0000000006AC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: SPOOOFER776.exe, 00000000.00000002.1594018347.0000000004B21000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1594018347.0000000004322000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1588524507.0000000003141000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1612074302.0000000007840000.00000004.08000000.00040000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1607154311.0000000006841000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1603366980.0000000006430000.00000004.08000000.00040000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1607154311.0000000006AC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: SPOOOFER776.exe, 00000000.00000002.1594018347.0000000004B21000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1594018347.0000000004322000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1603366980.0000000006430000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://gdata.youtube.com/feeds/api/videos/
Source: SPOOOFER776.exe, 00000000.00000002.1588524507.000000000327F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://keyauth.win
Source: SPOOOFER776.exe, 00000000.00000002.1588524507.000000000327F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://keyauth.wind
Source: SPOOOFER776.exe, 00000000.00000002.1594018347.0000000004B21000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1594018347.0000000004322000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1588524507.0000000003141000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1612074302.0000000007840000.00000004.08000000.00040000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1607154311.0000000006841000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1603366980.0000000006430000.00000004.08000000.00040000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1607154311.0000000006AC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: SPOOOFER776.exe, 00000000.00000002.1594018347.0000000004B21000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1594018347.0000000004322000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1588524507.0000000003141000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1612074302.0000000007840000.00000004.08000000.00040000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1607154311.0000000006841000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1603366980.0000000006430000.00000004.08000000.00040000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1607154311.0000000006AC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: SPOOOFER776.exe, 00000000.00000002.1594018347.0000000004B21000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1594018347.0000000004322000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1588524507.0000000003141000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1612074302.0000000007840000.00000004.08000000.00040000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1607154311.0000000006841000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1603366980.0000000006430000.00000004.08000000.00040000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1607154311.0000000006AC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: SPOOOFER776.exe, 00000000.00000002.1588524507.00000000032A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org
Source: SPOOOFER776.exe, 00000000.00000002.1588524507.00000000032A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: SPOOOFER776.exe, 00000000.00000002.1588524507.00000000032A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/KeyAuth
Source: SPOOOFER776.exe, 00000000.00000002.1588524507.00000000032A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/KeyAuthd
Source: SPOOOFER776.exe, 00000000.00000002.1588524507.000000000326E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SPOOOFER776.exe, 00000000.00000002.1594018347.0000000004B21000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1594018347.0000000004322000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1603366980.0000000006430000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://vimeo.com/api/v2/video/
Source: SPOOOFER776.exe	String found in binary or memory: https://api.ipify.org)Nome
Source: SPOOOFER776.exe	String found in binary or memory: https://discord.com/api/webhooks/1222693252319416370/7HHFXJ3XDvpPWnJrESXq2ra2rQYgEisxjWubp5mRiRjzLmM
Source: SPOOOFER776.exe	String found in binary or memory: https://github.com/Bronkzware/dsfgsgfgfgs/raw/refs/heads/main/AFUWINx64.EXE
Source: SPOOOFER776.exe	String found in binary or memory: https://github.com/Bronkzware/dsfgsgfgfgs/raw/refs/heads/main/AMIDEWINx64.exe
Source: SPOOOFER776.exe	String found in binary or memory: https://github.com/Bronkzware/dsfgsgfgfgs/raw/refs/heads/main/AMIFLDRV64.sys
Source: SPOOOFER776.exe	String found in binary or memory: https://github.com/Bronkzware/dsfgsgfgfgs/raw/refs/heads/main/Volumeid64.exe
Source: SPOOOFER776.exe	String found in binary or memory: https://github.com/Bronkzware/dsfgsgfgfgs/raw/refs/heads/main/amifldrv64_1.sys
Source: SPOOOFER776.exe, 00000000.00000002.1588524507.0000000003141000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gunaui.com/
Source: SPOOOFER776.exe, 00000000.00000002.1588524507.0000000003141000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gunaui.com/LR
Source: SPOOOFER776.exe, 00000000.00000002.1588524507.0000000003141000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gunaui.com/api/licensing.php
Source: SPOOOFER776.exe, 00000000.00000002.1588524507.0000000003141000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gunaui.com/api/licensing.phpLR
Source: SPOOOFER776.exe, 00000000.00000002.1588524507.0000000003141000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gunaui.com/pricing
Source: SPOOOFER776.exe, 00000000.00000002.1588524507.0000000003141000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gunaui.com/pricingLR
Source: SPOOOFER776.exe, 00000000.00000002.1588524507.000000000326E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://keyauth.win
Source: SPOOOFER776.exe, 00000000.00000002.1588524507.0000000003242000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://keyauth.win/api/1.0/
Source: SPOOOFER776.exe	String found in binary or memory: https://keyauth.win/api/1.0/aYou
Source: SPOOOFER776.exe	String found in binary or memory: https://keyauth.win/api/1.1/
Source: SPOOOFER776.exe, 00000000.00000002.1588524507.0000000003141000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://payments.siticoneframework.com/api/licensing.php
Source: SPOOOFER776.exe, 00000000.00000002.1594018347.0000000004B21000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1594018347.0000000004322000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1603366980.0000000006430000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://payments.siticoneframework.com/api/licensing.php%Siticone
Source: SPOOOFER776.exe, 00000000.00000002.1594018347.0000000004B21000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1594018347.0000000004322000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1603366980.0000000006430000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://www.siticoneframework.com/Mhttps://siticoneframework.com/pricing/Mhttps://siticoneframework.

Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Source: unknown

HTTPS traffic detected: 104.26.1.5:443 -> 192.168.2.7:49701 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: SPOOOFER776.exe, type: SAMPLE	Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 0.0.SPOOOFER776.exe.8b0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen

Source: C:\Users\user\Desktop\SPOOOFER776.exe	Code function: 0_2_0180E40C	0_2_0180E40C
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Code function: 0_2_0589E798	0_2_0589E798
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Code function: 0_2_0589A248	0_2_0589A248
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Code function: 0_2_0589CDE0	0_2_0589CDE0
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Code function: 0_2_05897DD8	0_2_05897DD8
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Code function: 0_2_05899918	0_2_05899918
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Code function: 0_2_0589E788	0_2_0589E788
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Code function: 0_2_0589A239	0_2_0589A239
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Code function: 0_2_0589CDD0	0_2_0589CDD0
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Code function: 0_2_0589AF52	0_2_0589AF52
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Code function: 0_2_0589A8E8	0_2_0589A8E8
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Code function: 0_2_0589A8F8	0_2_0589A8F8
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Code function: 0_2_05890A80	0_2_05890A80
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Code function: 0_2_05890A90	0_2_05890A90
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Code function: 0_2_05890A37	0_2_05890A37
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Code function: 0_2_05899570	0_2_05899570
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Code function: 0_2_0589BD89	0_2_0589BD89
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Code function: 0_2_0589DD93	0_2_0589DD93
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Code function: 0_2_0589DDA8	0_2_0589DDA8
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Code function: 0_2_0589DDB8	0_2_0589DDB8
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Code function: 0_2_05897DC8	0_2_05897DC8
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Code function: 0_2_0589BD00	0_2_0589BD00
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Code function: 0_2_0589BD5F	0_2_0589BD5F
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Code function: 0_2_0589BCF2	0_2_0589BCF2
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Code function: 0_2_0589BE72	0_2_0589BE72
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Code function: 0_2_05899908	0_2_05899908
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Code function: 0_2_07B6CE94	0_2_07B6CE94
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Code function: 0_2_07B62AA8	0_2_07B62AA8
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Code function: 0_2_07B620F0	0_2_07B620F0
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Code function: 0_2_07B620E0	0_2_07B620E0
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Code function: 0_2_07B69FD0	0_2_07B69FD0
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Code function: 0_2_07B62A98	0_2_07B62A98
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Code function: 0_2_07B6D978	0_2_07B6D978
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Code function: 0_2_0945F938	0_2_0945F938
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Code function: 0_2_0945E9E4	0_2_0945E9E4
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Code function: 0_2_0945E9B4	0_2_0945E9B4
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Code function: 0_2_09454B3C	0_2_09454B3C
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Code function: 0_2_09458A64	0_2_09458A64
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Code function: 0_2_0945EA64	0_2_0945EA64
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Code function: 0_2_0945FAF1	0_2_0945FAF1
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Code function: 0_2_094560F8	0_2_094560F8
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Code function: 0_2_0945F2D0	0_2_0945F2D0
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Code function: 0_2_0945F492	0_2_0945F492
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Code function: 0_2_09453641	0_2_09453641
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Code function: 0_2_09453650	0_2_09453650
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Code function: 0_2_09459679	0_2_09459679
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Code function: 0_2_09453619	0_2_09453619
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Code function: 0_2_0AD879A0	0_2_0AD879A0
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Code function: 0_2_0AD87990	0_2_0AD87990
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Code function: 0_2_0AD89408	0_2_0AD89408

Source: SPOOOFER776.exe, 00000000.00000002.1594018347.0000000004B21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSiticone.Desktop.UI.dllH vs SPOOOFER776.exe
Source: SPOOOFER776.exe, 00000000.00000002.1594018347.0000000004322000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSiticone.Desktop.UI.dllH vs SPOOOFER776.exe
Source: SPOOOFER776.exe, 00000000.00000002.1588524507.0000000003141000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSiticone.Desktop.UI.dllH vs SPOOOFER776.exe
Source: SPOOOFER776.exe, 00000000.00000002.1588524507.0000000003141000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameGuna.UI2.dllD vs SPOOOFER776.exe
Source: SPOOOFER776.exe, 00000000.00000002.1612074302.0000000007840000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameGuna.UI2.dllD vs SPOOOFER776.exe
Source: SPOOOFER776.exe, 00000000.00000002.1588524507.0000000003242000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSPOOOFER.exeD vs SPOOOFER776.exe
Source: SPOOOFER776.exe, 00000000.00000000.1514580935.0000000000E47000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSPOOOFER.exeD vs SPOOOFER776.exe
Source: SPOOOFER776.exe, 00000000.00000002.1584805452.00000000014FE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs SPOOOFER776.exe
Source: SPOOOFER776.exe, 00000000.00000002.1607154311.0000000006841000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameGuna.UI2.dllD vs SPOOOFER776.exe
Source: SPOOOFER776.exe, 00000000.00000002.1603366980.0000000006430000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSiticone.Desktop.UI.dllH vs SPOOOFER776.exe
Source: SPOOOFER776.exe, 00000000.00000002.1607154311.0000000006AC1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameGuna.UI2.dllD vs SPOOOFER776.exe
Source: SPOOOFER776.exe	Binary or memory string: OriginalFilenameSPOOOFER.exeD vs SPOOOFER776.exe

Source: SPOOOFER776.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: SPOOOFER776.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 0.0.SPOOOFER776.exe.8b0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender

Source: classification engine

Classification label: mal72.troj.evad.winEXE@1/1@1/1

Source: C:\Users\user\Desktop\SPOOOFER776.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SPOOOFER776.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\SPOOOFER776.exe

Mutant created: NULL

Source: SPOOOFER776.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: SPOOOFER776.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\SPOOOFER776.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SPOOOFER776.exe	Virustotal: Detection: 73%
Source: SPOOOFER776.exe	ReversingLabs: Detection: 63%

Source: C:\Users\user\Desktop\SPOOOFER776.exe

File read: C:\Users\user\Desktop\SPOOOFER776.exe

Jump to behavior

Source: C:\Users\user\Desktop\SPOOOFER776.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\Desktop\SPOOOFER776.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\SPOOOFER776.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: SPOOOFER776.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SPOOOFER776.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: SPOOOFER776.exe

Static file information: File size 5856768 > 1048576

Source: SPOOOFER776.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x554600

Source: SPOOOFER776.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: SPOOOFER776.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\Spoofer Valorant C#\Spoofer Valorant Atual\SpooferAtualizado\obj\Release\SPOOOFER.pdb source: SPOOOFER776.exe
Source:	Binary string: q.costura.icsharpcode.sharpziplib.pdb.compressed source: SPOOOFER776.exe, 00000000.00000002.1588524507.0000000003141000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: costura=costura.costura.dll.compressed=costura.costura.pdb.compressed source: SPOOOFER776.exe
Source:	Binary string: costura.costura.pdb.compressed source: SPOOOFER776.exe
Source:	Binary string: Siticone.Desktop.UI.pdb source: SPOOOFER776.exe, 00000000.00000002.1594018347.0000000004B21000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1594018347.0000000004322000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1588524507.0000000003141000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1603366980.0000000006430000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: D:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\Spoofer Valorant C#\Spoofer Valorant Atual\SpooferAtualizado\obj\Release\SPOOOFER.pdbBdU^dU PdU_CorExeMainmscoree.dll source: SPOOOFER776.exe
Source:	Binary string: guna.ui2?costura.guna.ui2.dll.compressed/icsharpcode.sharpziplib]costura.icsharpcode.sharpziplib.dll.compressed]costura.icsharpcode.sharpziplib.pdb.compressed source: SPOOOFER776.exe
Source:	Binary string: Siticone.Desktop.UI.pdb8@N@ @@_CorDllMainmscoree.dll source: SPOOOFER776.exe, 00000000.00000002.1594018347.0000000004B21000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1594018347.0000000004322000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1588524507.0000000003141000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1603366980.0000000006430000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: costura.icsharpcode.sharpziplib.pdb.compressed source: SPOOOFER776.exe
Source:	Binary string: costura.costura.pdb.compressed\|\|\|Costura.pdb\|6C6000A5EAF8579850AB82A89BD6268776EB51AD\|2608 source: SPOOOFER776.exe
Source:	Binary string: costura.icsharpcode.sharpziplib.pdb.compressed\|\|\|ICSharpCode.SharpZipLib.pdb\|E1FCA83029D1440F54FB3747B240365A6DF0A598\|121652 source: SPOOOFER776.exe

Data Obfuscation

Yara detected Costura Assembly Loader

Source: Yara match	File source: SPOOOFER776.exe, type: SAMPLE
Source: Yara match	File source: 0.0.SPOOOFER776.exe.8b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1513698661.0000000000AAD000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1588524507.0000000003141000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SPOOOFER776.exe PID: 1200, type: MEMORYSTR

Source: SPOOOFER776.exe

Static PE information: 0xF237E430 [Fri Oct 10 03:12:48 2098 UTC]

Source: C:\Users\user\Desktop\SPOOOFER776.exe	Code function: 0_2_0589C3DF push ebx; ret	0_2_0589C3E5
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Code function: 0_2_0589C247 push ecx; iretd	0_2_0589C248
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Code function: 0_2_0AD84340 push E806BD5Eh; retf	0_2_0AD84361
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Code function: 0_2_0AD84363 push E805C65Eh; ret	0_2_0AD84369

Source: C:\Users\user\Desktop\SPOOOFER776.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\SPOOOFER776.exe	Memory allocated: 17C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Memory allocated: 3140000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Memory allocated: 5140000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Memory allocated: 6840000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Memory allocated: 5CF0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\SPOOOFER776.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\SPOOOFER776.exe TID: 3872	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe TID: 1228	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe TID: 3088	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\SPOOOFER776.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: SPOOOFER776.exe, 00000000.00000002.1602421792.0000000005C62000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllF&`

Source: C:\Users\user\Desktop\SPOOOFER776.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\SPOOOFER776.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\SPOOOFER776.exe	Queries volume information: C:\Users\user\Desktop\SPOOOFER776.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SPOOOFER776.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\SPOOOFER776.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	31 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	12 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Timestomp	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SPOOOFER776.exe	74%	Virustotal		Browse
SPOOOFER776.exe	63%	ReversingLabs	ByteCode-MSIL.Trojan.Zilla
SPOOOFER776.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://167.114.85.75/mac.bat	0%	Avira URL Cloud	safe
https://gunaui.com/api/licensing.phpLR	0%	Avira URL Cloud	safe
http://schemas.datacontract.org/2004/07/KeyAuthd	0%	Avira URL Cloud	safe
https://payments.siticoneframework.com/api/licensing.php%Siticone	0%	Avira URL Cloud	safe
http://167.114.85.75/tpmbypassspoofer.exe	0%	Avira URL Cloud	safe
http://167.114.85.75/logo.zip	0%	Avira URL Cloud	safe
http://keyauth.wind	0%	Avira URL Cloud	safe
https://gunaui.com/LR	0%	Avira URL Cloud	safe
https://gunaui.com/pricingLR	0%	Avira URL Cloud	safe
https://payments.siticoneframework.com/api/licensing.php	0%	Avira URL Cloud	safe
https://api.ipify.org)Nome	0%	Avira URL Cloud	safe
https://www.siticoneframework.com/Mhttps://siticoneframework.com/pricing/Mhttps://siticoneframework.	0%	Avira URL Cloud	safe
https://gunaui.com/pricing	0%	Avira URL Cloud	safe
https://gunaui.com/	0%	Avira URL Cloud	safe
http://schemas.datacontract.org/2004/07/KeyAuth	0%	Avira URL Cloud	safe
https://gunaui.com/api/licensing.php	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
keyauth.win	104.26.1.5	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://keyauth.win/api/1.0/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.datacontract.org/2004/07/KeyAuthd	SPOOOFER776.exe, 00000000.00000002.1588524507.00000000032A0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://vimeo.com/api/v2/video/	SPOOOFER776.exe, 00000000.00000002.1594018347.0000000004B21000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1594018347.0000000004322000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1603366980.0000000006430000.00000004.08000000.00040000.00000000.sdmp	false		high
http://schemas.datacontract.org	SPOOOFER776.exe, 00000000.00000002.1588524507.00000000032A0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://keyauth.win	SPOOOFER776.exe, 00000000.00000002.1588524507.000000000326E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.datacontract.org/2004/07/	SPOOOFER776.exe, 00000000.00000002.1588524507.00000000032A0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://keyauth.wind	SPOOOFER776.exe, 00000000.00000002.1588524507.000000000327F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/Bronkzware/dsfgsgfgfgs/raw/refs/heads/main/amifldrv64_1.sys	SPOOOFER776.exe	false		high
http://gdata.youtube.com/feeds/api/videos/	SPOOOFER776.exe, 00000000.00000002.1594018347.0000000004B21000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1594018347.0000000004322000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1603366980.0000000006430000.00000004.08000000.00040000.00000000.sdmp	false		high
https://gunaui.com/api/licensing.phpLR	SPOOOFER776.exe, 00000000.00000002.1588524507.0000000003141000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://keyauth.win	SPOOOFER776.exe, 00000000.00000002.1588524507.000000000327F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://payments.siticoneframework.com/api/licensing.php%Siticone	SPOOOFER776.exe, 00000000.00000002.1594018347.0000000004B21000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1594018347.0000000004322000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1603366980.0000000006430000.00000004.08000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://keyauth.win/api/1.0/aYou	SPOOOFER776.exe	false		high
https://github.com/Bronkzware/dsfgsgfgfgs/raw/refs/heads/main/AFUWINx64.EXE	SPOOOFER776.exe	false		high
https://keyauth.win/api/1.1/	SPOOOFER776.exe	false		high
https://discord.com/api/webhooks/1222693252319416370/7HHFXJ3XDvpPWnJrESXq2ra2rQYgEisxjWubp5mRiRjzLmM	SPOOOFER776.exe	false		high
http://167.114.85.75/tpmbypassspoofer.exe	SPOOOFER776.exe	false	Avira URL Cloud: safe	unknown
https://github.com/Bronkzware/dsfgsgfgfgs/raw/refs/heads/main/AMIDEWINx64.exe	SPOOOFER776.exe	false		high
https://gunaui.com/LR	SPOOOFER776.exe, 00000000.00000002.1588524507.0000000003141000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.micro	SPOOOFER776.exe, 00000000.00000002.1602421792.0000000005C62000.00000004.00000020.00020000.00000000.sdmp	false		high
http://167.114.85.75/logo.zip	SPOOOFER776.exe	false	Avira URL Cloud: safe	unknown
https://gunaui.com/pricingLR	SPOOOFER776.exe, 00000000.00000002.1588524507.0000000003141000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://payments.siticoneframework.com/api/licensing.php	SPOOOFER776.exe, 00000000.00000002.1588524507.0000000003141000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://167.114.85.75/mac.bat	SPOOOFER776.exe	false	Avira URL Cloud: safe	unknown
https://www.siticoneframework.com/Mhttps://siticoneframework.com/pricing/Mhttps://siticoneframework.	SPOOOFER776.exe, 00000000.00000002.1594018347.0000000004B21000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1594018347.0000000004322000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1603366980.0000000006430000.00000004.08000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/Bronkzware/dsfgsgfgfgs/raw/refs/heads/main/AMIFLDRV64.sys	SPOOOFER776.exe	false		high
https://github.com/Bronkzware/dsfgsgfgfgs/raw/refs/heads/main/Volumeid64.exe	SPOOOFER776.exe	false		high
https://gunaui.com/api/licensing.php	SPOOOFER776.exe, 00000000.00000002.1588524507.0000000003141000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.datacontract.org/2004/07/KeyAuth	SPOOOFER776.exe, 00000000.00000002.1588524507.00000000032A0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.ipify.org)Nome	SPOOOFER776.exe	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	SPOOOFER776.exe, 00000000.00000002.1588524507.000000000326E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://gunaui.com/	SPOOOFER776.exe, 00000000.00000002.1588524507.0000000003141000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://gunaui.com/pricing	SPOOOFER776.exe, 00000000.00000002.1588524507.0000000003141000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.26.1.5	keyauth.win	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1590903
Start date and time:	2025-01-14 16:48:44 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 40s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SPOOOFER776.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@1/1@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 58 Number of non-executed functions: 31
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 2.23.242.162, 4.175.87.197, 20.109.210.53, 13.107.246.45
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:50:10	API Interceptor	1x Sleep call for process: SPOOOFER776.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
104.26.1.5	PlusPrivStoreAtt116.exe	Get hash	malicious	Unknown	Browse
	CCuITQzvd4.exe	Get hash	malicious	Unknown	Browse
	dMFmJxq6oK.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.MalwareX-gen.31244.2279.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Get hash	malicious	Unknown	Browse
	Fa1QSXjTZD.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.Evo-gen.6030.29502.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Trojan.Generic.36879400.484.7364.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.MalwareX-gen.6639.30242.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.Evo-gen.24402.15705.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
keyauth.win	PlusPrivStoreAtt116.exe	Get hash	malicious	Unknown	Browse	104.26.1.5
	AimPrivStoreAtt117.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	B06 Chair + Blocker.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	B06 Chair + Blocker.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	ak3o7AZ3mH.exe	Get hash	malicious	Babadeda, Conti, Mimikatz	Browse	104.26.0.5
	Aclatis tool.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	Aclatis tool.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	IJGLxMMTaK.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	IJGLxMMTaK.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	dMFmJxq6oK.exe	Get hash	malicious	Unknown	Browse	104.26.0.5

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	email.eml	Get hash	malicious	unknown	Browse	172.64.41.3
	http://www.brillflooring.com	Get hash	malicious	Unknown	Browse	188.114.96.3
	PlusPrivStoreAtt116.exe	Get hash	malicious	Unknown	Browse	104.26.1.5
	AimPrivStoreAtt117.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	http://brillflooring.com	Get hash	malicious	Unknown	Browse	188.114.96.3
	Confirm Bank Statement.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.64.1
	0dsIoO7xjt.docx	Get hash	malicious	Unknown	Browse	172.65.251.78
	http://wagestream.acemlnb.com	Get hash	malicious	Unknown	Browse	104.20.0.15
	Subscription_Renewal_Receipt_2025.htm	Get hash	malicious	HTMLPhisher	Browse	104.18.95.41
	Payment_243.js	Get hash	malicious	NetSupport RAT	Browse	172.67.68.212

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	http://www.brillflooring.com	Get hash	malicious	Unknown	Browse	104.26.1.5
	PlusPrivStoreAtt116.exe	Get hash	malicious	Unknown	Browse	104.26.1.5
	AimPrivStoreAtt117.exe	Get hash	malicious	Unknown	Browse	104.26.1.5
	Confirm Bank Statement.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.26.1.5
	Subscription_Renewal_Receipt_2025.htm	Get hash	malicious	HTMLPhisher	Browse	104.26.1.5
	http://vionicstore.shop	Get hash	malicious	Unknown	Browse	104.26.1.5
	https://www.xrmtoolbox.com/	Get hash	malicious	Unknown	Browse	104.26.1.5
	q9JZUaS1Gy.doc	Get hash	malicious	Unknown	Browse	104.26.1.5
	TiOWA908TP.exe	Get hash	malicious	Unknown	Browse	104.26.1.5
	https://www.tiktok.com/link/v2?aid=1988&lang=en&scene=bio_url&target=https%3A%2F%2Fgoogle.com%2Furl%3Fq%3Dhttps%3A%2F%2Fwww.google.com%2Furl%3Fq%3Dhttps%3A%2F%2Fwww.google.com%2Furl%3Fq%253Dhttps%3A%2F%2Fwww.google.com%2Furl%3Fq%3D.%2F%2F%2F%2Famp%2Fs%2Fmessagupdates.courtfilepro.com%2FVTtMa	Get hash	malicious	HTMLPhisher	Browse	104.26.1.5

Process:	C:\Users\user\Desktop\SPOOOFER776.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1553
Entropy (8bit):	5.349053066873526
Encrypted:	false
SSDEEP:	48:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HmHKJHKmTH3:Pq5qHwCYqh3oPtI6eqzxGqJqqX
MD5:	E7486FB6F704DFF43F9913929E0B6E90
SHA1:	8213ECDCA2A2902EA04CC46AD25B7BE8B009B66F
SHA-256:	4D21973286C22A3C68CC366BB1B73F2040212B6F4EDCC23D725EF141224DBE98
SHA-512:	345B6E69130DB544888D8E8F15BE7CB7604DE1F9EBAE9010CB62B9AA94EC1B74FBDE493D50DD0EE53C6DC2EE65961DC0887D7B860BF4525F50F54F907548E565
Malicious:	true
Reputation:	low
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.681946284740579
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	SPOOOFER776.exe
File size:	5'856'768 bytes
MD5:	66a9fe0ffb298b4c4c390dee3bc534e9
SHA1:	5dc498039926c0c342c536d3cccf1e5c1dd752d8
SHA256:	0fc0de254bc80e54c708fbd0eb0460c730283508b94108e4b2d1d70525ef3fce
SHA512:	a8a8c2674744069531908b69384a1a03b38991ddbabd2a0d5908add292796e0ca4ed6c16a0867d1af0e200e4b203d6d1e41b6639ba6e6df276e43bbfc262ee36
SSDEEP:	98304:WDEBe6aA0c5ZUYKjYXC3UdKep9y1X+bEszBfhBVnTknrqkqXf0F9+KH4kpc+DX/P:W490cbzyEdKepwIb5zBXVnT02kSIEKYK
TLSH:	BF46F0422186D59CF037D9BC46D6E9ADF996AC615ED2C92A2DC3B5F880F32027B50F03
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...0.7..........."...0..FU.........ndU.. ........@.. ........................Y...........`................................

File Icon


Icon Hash:	4427131757593716

Static PE Info

General

Entrypoint:	0x95646e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xF237E430 [Fri Oct 10 03:12:48 2098 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x55641a	0x51	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x558000	0x4130c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x59a000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x556338	0x38	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x554474	0x554600	5541e199cb4d52f020bf34a5a192525c	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x558000	0x4130c	0x41400	d891dc917d538be924cb523af7b0577b	False	0.1685674090038314	data	3.375765933642511	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x59a000	0xc	0x200	dabe037bf1c4ab067372e4781f14db8e	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x558100	0x40c28	Device independent bitmap graphic, 251 x 512 x 32, image size 257024	0.16656362155804205
RT_GROUP_ICON	0x598d38	0x14	data	1.2
RT_VERSION	0x598d5c	0x3b0	data	0.4343220338983051
RT_MANIFEST	0x59911c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 16:50:07.475513935 CET	49701	443	192.168.2.7	104.26.1.5
Jan 14, 2025 16:50:07.475536108 CET	443	49701	104.26.1.5	192.168.2.7
Jan 14, 2025 16:50:07.475600958 CET	49701	443	192.168.2.7	104.26.1.5
Jan 14, 2025 16:50:07.493783951 CET	49701	443	192.168.2.7	104.26.1.5
Jan 14, 2025 16:50:07.493796110 CET	443	49701	104.26.1.5	192.168.2.7
Jan 14, 2025 16:50:07.975893974 CET	443	49701	104.26.1.5	192.168.2.7
Jan 14, 2025 16:50:07.975982904 CET	49701	443	192.168.2.7	104.26.1.5
Jan 14, 2025 16:50:07.980335951 CET	49701	443	192.168.2.7	104.26.1.5
Jan 14, 2025 16:50:07.980344057 CET	443	49701	104.26.1.5	192.168.2.7
Jan 14, 2025 16:50:07.980664015 CET	443	49701	104.26.1.5	192.168.2.7
Jan 14, 2025 16:50:08.024307966 CET	49701	443	192.168.2.7	104.26.1.5
Jan 14, 2025 16:50:08.041878939 CET	49701	443	192.168.2.7	104.26.1.5
Jan 14, 2025 16:50:08.087321997 CET	443	49701	104.26.1.5	192.168.2.7
Jan 14, 2025 16:50:08.143662930 CET	443	49701	104.26.1.5	192.168.2.7
Jan 14, 2025 16:50:08.144129038 CET	49701	443	192.168.2.7	104.26.1.5
Jan 14, 2025 16:50:08.144141912 CET	443	49701	104.26.1.5	192.168.2.7
Jan 14, 2025 16:50:08.319844961 CET	443	49701	104.26.1.5	192.168.2.7
Jan 14, 2025 16:50:08.319952965 CET	443	49701	104.26.1.5	192.168.2.7
Jan 14, 2025 16:50:08.319999933 CET	49701	443	192.168.2.7	104.26.1.5
Jan 14, 2025 16:50:08.322191954 CET	49701	443	192.168.2.7	104.26.1.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 16:50:07.459449053 CET	62576	53	192.168.2.7	1.1.1.1
Jan 14, 2025 16:50:07.466665030 CET	53	62576	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 14, 2025 16:50:07.459449053 CET	192.168.2.7	1.1.1.1	0xb554	Standard query (0)	keyauth.win	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 14, 2025 16:50:07.466665030 CET	1.1.1.1	192.168.2.7	0xb554	No error (0)	keyauth.win	104.26.1.5	A (IP address)	IN (0x0001)	false
Jan 14, 2025 16:50:07.466665030 CET	1.1.1.1	192.168.2.7	0xb554	No error (0)	keyauth.win	104.26.0.5	A (IP address)	IN (0x0001)	false
Jan 14, 2025 16:50:07.466665030 CET	1.1.1.1	192.168.2.7	0xb554	No error (0)	keyauth.win	172.67.72.57	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

keyauth.win

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49701	104.26.1.5	443	1200	C:\Users\user\Desktop\SPOOOFER776.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-14 15:50:08 UTC	162	OUT	POST /api/1.0/ HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: keyauth.win Content-Length: 396 Expect: 100-continue Connection: Keep-Alive
2025-01-14 15:50:08 UTC	25	IN	HTTP/1.1 100 Continue
2025-01-14 15:50:08 UTC	396	OUT	Data Raw: 74 79 70 65 3d 36 39 36 65 36 39 37 34 26 76 65 72 3d 61 30 30 35 30 33 64 64 64 64 62 65 35 36 37 33 30 34 62 61 63 66 37 34 63 65 66 36 66 36 35 63 26 68 61 73 68 3d 36 36 61 39 66 65 30 66 66 62 32 39 38 62 34 63 34 63 33 39 30 64 65 65 33 62 63 35 33 34 65 39 26 65 6e 63 6b 65 79 3d 66 30 61 65 34 33 63 34 32 63 39 39 61 62 66 39 32 63 38 33 63 34 66 31 34 65 63 62 39 61 64 64 30 31 33 63 37 31 33 35 35 65 34 63 30 32 66 36 37 61 39 61 35 31 38 32 35 33 39 30 62 36 62 33 39 65 30 63 64 39 64 33 63 38 38 66 63 38 66 37 39 62 64 61 31 66 37 38 66 66 65 65 35 34 34 33 31 35 31 39 37 34 35 38 61 36 61 30 61 33 30 37 63 66 30 63 38 38 30 61 30 35 65 34 38 36 62 34 37 39 63 38 64 34 39 38 32 37 30 37 39 39 34 35 31 36 30 62 32 63 61 34 36 35 66 37 30 66 61 Data Ascii: type=696e6974&ver=a00503ddddbe567304bacf74cef6f65c&hash=66a9fe0ffb298b4c4c390dee3bc534e9&enckey=f0ae43c42c99abf92c83c4f14ecb9add013c71355e4c02f67a9a51825390b6b39e0cd9d3c88fc8f79bda1f78ffee544315197458a6a0a307cf0c880a05e486b479c8d49827079945160b2ca465f70fa
2025-01-14 15:50:08 UTC	1369	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 15:50:08 GMT Content-Type: text/plain; charset=UTF-8 Content-Length: 192 Connection: close Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4pe1exlR3DRrlysurqZmMgsFAMmE3LgJ9uoOVUxFylcmPudLUi%2Fs2uIGpLP%2B%2B%2BPzi4NDhzgkRAu1ObqzXfjQQd0OF%2FwWVn1zIKEw37y8L7dM9%2FxDMiPiwZAUL%2B6S"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Acknowledge: Credit to VaultCord.com X-Powered-By: VaultCord.com content-security-policy: upgrade-insecure-requests permissions-policy: accelerometer=(), camera=(), fullscreen=, geolocation=(self), gyroscope=(), microphone=(), payment= referrer-policy: strict-origin-when-cross-origin strict-transport-security: max-age=31536000; includeSubDomains x-content-security-policy: img-src ; media-src data:; x-content-type-options: nosniff x-frame-options: DENY x-xss-protection: 1; mode=block Access-Control-Allow-Headers: * Access-Control-Allow-Methods: * Access-Control-Allow-Origin: * Server: cloudflare CF-RAY: 901ec7ac9b3bc327-EWR server-timing: cfL4;desc="?proto=TCP&rtt=3635&min_rtt=1524&rtt_var=4647&sent=7&recv=9&lost=0&retrans=0&sent_bytes=2842&recv_bytes=1194&delivery_rate=1815920&cwnd=190&unsent_bytes=0&cid=dbb06189af54eee5&ts=358&x=0" dd2868bd9672431cb575cab44c92e9f7fb8548e6957
2025-01-14 15:50:08 UTC	149	IN	Data Raw: 32 38 62 33 62 38 32 35 34 30 62 32 34 34 62 66 34 38 36 62 33 34 32 35 30 35 38 31 61 33 35 64 31 61 36 63 66 33 66 37 39 63 63 38 66 39 39 34 36 32 37 66 61 64 37 36 30 65 33 30 37 66 39 39 33 39 35 61 65 62 30 32 35 66 33 36 30 31 64 31 38 61 32 64 37 61 30 64 63 38 64 62 36 31 38 30 66 63 31 38 37 61 33 63 33 30 31 31 64 34 63 33 39 39 31 64 63 32 34 65 34 65 39 39 30 64 62 30 38 64 61 37 64 61 30 33 66 61 32 32 61 32 32 32 35 35 65 39 32 Data Ascii: 28b3b82540b244bf486b34250581a35d1a6cf3f79cc8f994627fad760e307f99395aeb025f3601d18a2d7a0dc8db6180fc187a3c3011d4c3991dc24e4e990db08da7da03fa22a22255e92

Target ID:	0
Start time:	10:50:05
Start date:	14/01/2025
Path:	C:\Users\user\Desktop\SPOOOFER776.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SPOOOFER776.exe"
Imagebase:	0x8b0000
File size:	5'856'768 bytes
MD5 hash:	66A9FE0FFB298B4C4C390DEE3BC534E9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000000.00000002.1612074302.0000000007840000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000000.1513698661.0000000000AAD000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1588524507.0000000003141000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000000.00000002.1603366980.0000000006430000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	12.4%
Dynamic/Decrypted Code Coverage:	99.6%
Signature Coverage:	0.8%
Total number of Nodes:	752
Total number of Limit Nodes:	47

Executed Functions

Function 05897DC8 Relevance: 13.2, Strings: 10, Instructions: 716
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

-, xrefs: 05898586
), xrefs: 058981F5
W, xrefs: 058981EB
", xrefs: 058986B4
,, xrefs: 05898641
\, xrefs: 05898533
&, xrefs: 058982B0
., xrefs: 0589864B
'<t, xrefs: 05897DF9
$<t, xrefs: 05897E17

Memory Dump Source

Source File: 00000000.00000002.1601619572.0000000005890000.00000040.00000800.00020000.00000000.sdmp, Offset: 05890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5890000_SPOOOFER776.jbxd

Similarity

API ID:
String ID: '<t$"$&$)$,$-$.$W$\$$<t
API String ID: 0-3366147974
Opcode ID: c8712d602d14109bb4916c511feef7a18f61d727e06237488399c63e37939f55
Instruction ID: 215e14668e1b1459de6221f61924ed758028843a45dee52608b8cb31fa3e356f
Opcode Fuzzy Hash: c8712d602d14109bb4916c511feef7a18f61d727e06237488399c63e37939f55
Instruction Fuzzy Hash: 56722538610605CFDB25DF64C848EA9BBB2FF89305F1584A9E50A9B3B1DB31AD85CF41

Function 05897DD8 Relevance: 13.2, Strings: 10, Instructions: 713
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

-, xrefs: 05898586
), xrefs: 058981F5
W, xrefs: 058981EB
", xrefs: 058986B4
,, xrefs: 05898641
\, xrefs: 05898533
&, xrefs: 058982B0
., xrefs: 0589864B
'<t, xrefs: 05897DF9
$<t, xrefs: 05897E17

Memory Dump Source

Source File: 00000000.00000002.1601619572.0000000005890000.00000040.00000800.00020000.00000000.sdmp, Offset: 05890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5890000_SPOOOFER776.jbxd

Similarity

API ID:
String ID: '<t$"$&$)$,$-$.$W$\$$<t
API String ID: 0-3366147974
Opcode ID: b3c7435fc24c42898e1ba3e0cf9ff4e22c490f43a7b9deacf3e15f2e51d2a330
Instruction ID: 8ade2ebbd279e85335f3652828ffd7969354b430c9fbd23bf106fb8546507bfd
Opcode Fuzzy Hash: b3c7435fc24c42898e1ba3e0cf9ff4e22c490f43a7b9deacf3e15f2e51d2a330
Instruction Fuzzy Hash: 8D622538610605CFDB25DF64C848EA9BBB2FF89305F1584A9E50A9B3B1DB31AD85CF41

Function 07B62A98 Relevance: 2.8, Strings: 2, Instructions: 322
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

#, xrefs: 07B62B04
#, xrefs: 07B62B9E

Memory Dump Source

Source File: 00000000.00000002.1614819916.0000000007B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b60000_SPOOOFER776.jbxd

Similarity

API ID:
String ID: #$#
API String ID: 0-2529538431
Opcode ID: dec4b68846256a051ade08a2a2e1d363d38a662f6c417bd15a57ad11365ac04a
Instruction ID: eb7a9e6c4918662de60f9f40cc1ee32789ae39dd14cc6ccb8ab305f57ab0b0ce
Opcode Fuzzy Hash: dec4b68846256a051ade08a2a2e1d363d38a662f6c417bd15a57ad11365ac04a
Instruction Fuzzy Hash: B5D1D631A10215CFEB04CF68C884B99F7B2FF85304F1584BADD09AF2A5DB76A946CB51

Function 07B62AA8 Relevance: 2.8, Strings: 2, Instructions: 317
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

#, xrefs: 07B62B04
#, xrefs: 07B62B9E

Memory Dump Source

Source File: 00000000.00000002.1614819916.0000000007B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b60000_SPOOOFER776.jbxd

Similarity

API ID:
String ID: #$#
API String ID: 0-2529538431
Opcode ID: 5a3c1622ca36e0531daa027a483db88cc83d650397a59e5810d3d12088ca784a
Instruction ID: f518f67e20cf61cb89842e46f01a4409287adbdd300ba8d78ffce81c7d3369d2
Opcode Fuzzy Hash: 5a3c1622ca36e0531daa027a483db88cc83d650397a59e5810d3d12088ca784a
Instruction Fuzzy Hash: 36D1D431A10214CFEB04CF68C884B99F7B6FF85304F1584B9D909AF2A5DBB6E906CB51

Function 0589CDE0 Relevance: 1.4, Strings: 1, Instructions: 121COMMON

Download Yara Rule

Strings

#, xrefs: 0589CE54

Memory Dump Source

Source File: 00000000.00000002.1601619572.0000000005890000.00000040.00000800.00020000.00000000.sdmp, Offset: 05890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5890000_SPOOOFER776.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: e874d057e44506c75970e9016032087f7e75729f82cf3799cfc229b7d194cd98
Instruction ID: 0d4227d0d8f969cf3a62cf7009a5c9829ded3d012a1eba87c75f6ab0750f0fa6
Opcode Fuzzy Hash: e874d057e44506c75970e9016032087f7e75729f82cf3799cfc229b7d194cd98
Instruction Fuzzy Hash: 2B51E570A11609DFDB44CF68D88479EFBB2FF88308F188569D805AB281D7B79D56CB50

Function 0589CDD0 Relevance: 1.4, Strings: 1, Instructions: 118COMMON

Download Yara Rule

Strings

#, xrefs: 0589CE54

Memory Dump Source

Source File: 00000000.00000002.1601619572.0000000005890000.00000040.00000800.00020000.00000000.sdmp, Offset: 05890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5890000_SPOOOFER776.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 0ab48a79cf891e1ff139af0bbdad93cf3909658d2f615edcb470bc2de5bc1d29
Instruction ID: 6d5ed40060247b9cc63e1546af76d79a5c71d632d65d529ce263358370df8238
Opcode Fuzzy Hash: 0ab48a79cf891e1ff139af0bbdad93cf3909658d2f615edcb470bc2de5bc1d29
Instruction Fuzzy Hash: 5851D070A10608DBDB44CF68D88479EFBB2FF88308F188569D805AB281D7B79D55CB50

Function 0945F938 Relevance: .3, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1615652114.0000000009450000.00000040.00000800.00020000.00000000.sdmp, Offset: 09450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9450000_SPOOOFER776.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7649fc1dc2717bc786d25224c2f7b6687624f401798605b0dd31e7afd0957636
Instruction ID: 37d53bbb66e3cafd7bd59d7fc6d4df00fd1ec54c1c1a989e1336263e2c7b4295
Opcode Fuzzy Hash: 7649fc1dc2717bc786d25224c2f7b6687624f401798605b0dd31e7afd0957636
Instruction Fuzzy Hash: A0C1B231B00205ABC754EAB9C491369B7A5FF86310B14C5BAD80BDF35ADB35DE06CB92

Function 0589E788 Relevance: .3, Instructions: 283COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1601619572.0000000005890000.00000040.00000800.00020000.00000000.sdmp, Offset: 05890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5890000_SPOOOFER776.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d33707b87d0f9d6720968925c4e9b0448a436c24b25db795b453acf0bedbad5
Instruction ID: ce50f0277412ae39ce26e30a8c32f14f2800893cdf59cbc07a4359e054aaaaa6
Opcode Fuzzy Hash: 7d33707b87d0f9d6720968925c4e9b0448a436c24b25db795b453acf0bedbad5
Instruction Fuzzy Hash: FCB1D739B102049FDB18DB78C945A6ABBA6FF84300F098476EA06DB7A1DB75DC41CB42

Function 0589E798 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1601619572.0000000005890000.00000040.00000800.00020000.00000000.sdmp, Offset: 05890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5890000_SPOOOFER776.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88412a7c2aedb2974012d3cc6de724369dd342dd8d63b021492c5a48d75700db
Instruction ID: 2ea0b494116611ad1bd652f25610a065b6b2129213d6dfd9a4f1a4542f9e5884
Opcode Fuzzy Hash: 88412a7c2aedb2974012d3cc6de724369dd342dd8d63b021492c5a48d75700db
Instruction Fuzzy Hash: 9CB1C739B102049FDB18DB78C945A6ABBA6FFC4300F098476EA06DB7A1DB75DD41CB42

Function 0180E40C Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1587753228.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1800000_SPOOOFER776.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b96fbab247c057107d6f616d3f2740328cf1d56d93b2f87bec330921a0cd2f33
Instruction ID: e82a00eb0284473b721940ebabd1276cb94e7ad19e1c16af2c8f54382ccb90ba
Opcode Fuzzy Hash: b96fbab247c057107d6f616d3f2740328cf1d56d93b2f87bec330921a0cd2f33
Instruction Fuzzy Hash: 12A17332E00619CFCF16DFB8C88459EBBB2FF85301B158569E915EB2A5DB31EA45CB40

Function 0589AF52 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1601619572.0000000005890000.00000040.00000800.00020000.00000000.sdmp, Offset: 05890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5890000_SPOOOFER776.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2db181cf83ff5b4818edab64a962f89ac707f2a92d11ddc1d3da8f922f09bc37
Instruction ID: 140a8c54c67d7622419755afb4f4f2612871ab7ad764a226ffb495b0b29fe727
Opcode Fuzzy Hash: 2db181cf83ff5b4818edab64a962f89ac707f2a92d11ddc1d3da8f922f09bc37
Instruction Fuzzy Hash: CE81A275F142048FCF48DB79E88466FBBA7EBC4314B18812AD81AD7394EA39DD41CB51

Function 05899908 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1601619572.0000000005890000.00000040.00000800.00020000.00000000.sdmp, Offset: 05890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5890000_SPOOOFER776.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a130089a17d9ab8838fda573e051c2974afa72ec03b12d89f0fee17d567bd22
Instruction ID: 0307c37f99c536222e6cda60aac5a5fb7676e9b3ced289176bfee780c7aba09c
Opcode Fuzzy Hash: 3a130089a17d9ab8838fda573e051c2974afa72ec03b12d89f0fee17d567bd22
Instruction Fuzzy Hash: 4B912D74E50209EFDB08CFA5E58598EBBF2FB88354F24C42AD506EB264D734A946CF40

Function 05899918 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1601619572.0000000005890000.00000040.00000800.00020000.00000000.sdmp, Offset: 05890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5890000_SPOOOFER776.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1edf95c506172ead43833f12931385803cb87fb99364aa2132479fbc6d56979
Instruction ID: d56d944ec9189a46bb622f1098cf00e21ec24240b0ba980e4fc79ded6e8c94e8
Opcode Fuzzy Hash: c1edf95c506172ead43833f12931385803cb87fb99364aa2132479fbc6d56979
Instruction Fuzzy Hash: C8912E74E50209EFDB08CFA5E58598EBBF6FB88354F24C42AD506EB264D734A946CF40

Function 07B6CE94 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1614819916.0000000007B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b60000_SPOOOFER776.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 942e522944a6a81b547be5a43703a43b0f03473876fb61e266317ed5dfa9701d
Instruction ID: 79d422c5db03f277c25f47559f97e3b713537f310c3419fbf7f89c394e721db0
Opcode Fuzzy Hash: 942e522944a6a81b547be5a43703a43b0f03473876fb61e266317ed5dfa9701d
Instruction Fuzzy Hash: 1E51E7B1718212DBEB189F38C458725BB62FB81314F1499BAE749CF2C4EB39E941C791

Function 07B6D978 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1614819916.0000000007B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b60000_SPOOOFER776.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cac9a3ee7b2dfd29c12be6ae8fb64eb03f82026730ac2e8a2fd98aea059fefde
Instruction ID: dab7126f017cf88ab6c188f0d909d433685dd0c4565ad30cd4fc0b1f20801bbb
Opcode Fuzzy Hash: cac9a3ee7b2dfd29c12be6ae8fb64eb03f82026730ac2e8a2fd98aea059fefde
Instruction Fuzzy Hash: 5B51E9B1718202DFEB089F38C454725BB66FB81214F1499FAE7498F2D0EB39EA45C791

Function 0589A239 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1601619572.0000000005890000.00000040.00000800.00020000.00000000.sdmp, Offset: 05890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5890000_SPOOOFER776.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fb320234cc28d8dc78ea60ad287e4e16e92b646edfaea59daefdd2a40cb2da7
Instruction ID: b2cd9e23d985fd1050e0aeef4848bcec0cabd9f1ed322bf04b36bd60f29013ed
Opcode Fuzzy Hash: 4fb320234cc28d8dc78ea60ad287e4e16e92b646edfaea59daefdd2a40cb2da7
Instruction Fuzzy Hash: CC51A774A1020F8BDB09CFB4C68299FBBB1FB88344F1486359904DB295E634ED86CBD1

Function 0589A248 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1601619572.0000000005890000.00000040.00000800.00020000.00000000.sdmp, Offset: 05890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5890000_SPOOOFER776.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e5fffe13e9e3975a64e206be1f3501d724f7a22cf9e7858d8b8e744bc172ab8
Instruction ID: 25719ebbfecf4c72e54e5a738688de32ba26c60df544b8bfb4f3269c53207c8d
Opcode Fuzzy Hash: 2e5fffe13e9e3975a64e206be1f3501d724f7a22cf9e7858d8b8e744bc172ab8
Instruction Fuzzy Hash: 14519974A1020F8BDB08CFA4C68299FBBB1FBC8344F1486359904DB255E635ED86CBD1

Function 0AD87990 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1616578775.000000000AD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AD80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad80000_SPOOOFER776.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d444ea761dd96b97fbd28e93760dcc1234327178c14d8d6801137007ee7078a
Instruction ID: b052a4acae757f0f2c7072fd5a196737de7e15cc4fd51c5bcfb2c83e5ef45a17
Opcode Fuzzy Hash: 3d444ea761dd96b97fbd28e93760dcc1234327178c14d8d6801137007ee7078a
Instruction Fuzzy Hash: 7341C0B5B002059FD758EF74D849BADB7AAFB88300F21497AD50AD7281DB35E911CB90

Function 0AD879A0 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1616578775.000000000AD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AD80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad80000_SPOOOFER776.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f80bed2098c8b4457bf6a3db53b5ae2437726aeac7a96afa8cc67c39a3bd149
Instruction ID: cc60dae63f1a3e80602cbfb0acfc9e2dc3d90f927244e7b14072ff61b0f81d3b
Opcode Fuzzy Hash: 0f80bed2098c8b4457bf6a3db53b5ae2437726aeac7a96afa8cc67c39a3bd149
Instruction Fuzzy Hash: 8E419FB1B002059FDB58EF74D849BADB7AAFB88310F21457AE50A97281DB35ED11CA90

Function 058921D0 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 274
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05892442

Strings

g, xrefs: 058922D9

Memory Dump Source

Source File: 00000000.00000002.1601619572.0000000005890000.00000040.00000800.00020000.00000000.sdmp, Offset: 05890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5890000_SPOOOFER776.jbxd

Similarity

API ID: CreateWindow
String ID: g
API String ID: 716092398-30677878
Opcode ID: 328458b02c470a4f1bdc5161be527a3ec133ac5933a6c987d6195eeaf4147eb9
Instruction ID: 26204c2c62a266158da1db0e79660f8353c2334a8fac3875a8575c72b1ac508b
Opcode Fuzzy Hash: 328458b02c470a4f1bdc5161be527a3ec133ac5933a6c987d6195eeaf4147eb9
Instruction Fuzzy Hash: 44A191B5C09388AFDF06CFA5D844ADCBFB1BF06304F19819AE845EB2A2C3759845DB51

Function 0180B770 Relevance: 1.7, APIs: 1, Instructions: 210COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0180B9D6

Memory Dump Source

Source File: 00000000.00000002.1587753228.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1800000_SPOOOFER776.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: b8e4dfde449963f917f6683da50c78e10b3394172069e3ce80b57447e0fb6fde
Instruction ID: 2ac730345a546d211171591dd2cb689be4e341237decba7e54bb56208c05bf7c
Opcode Fuzzy Hash: b8e4dfde449963f917f6683da50c78e10b3394172069e3ce80b57447e0fb6fde
Instruction Fuzzy Hash: 21817974A00B098FEB65CF29D84475ABBF1FF88350F04892DD486D7A91E734EA45CB91

Function 05890310 Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05892442

Memory Dump Source

Source File: 00000000.00000002.1601619572.0000000005890000.00000040.00000800.00020000.00000000.sdmp, Offset: 05890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5890000_SPOOOFER776.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 76843b0288a613c50810dd28f326a5d6565324decc6f779336035f7713e4acf3
Instruction ID: 3f3344f17e2060740dd5bf6e1c1b8992522eafc5556eb387599ce9b65056a117
Opcode Fuzzy Hash: 76843b0288a613c50810dd28f326a5d6565324decc6f779336035f7713e4acf3
Instruction Fuzzy Hash: 7B51C0B5D10349AFDF14CF99C884ADEBBB5FF48310F24822AE819AB210D7759845CF94

Function 05890464 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 058949B1

Memory Dump Source

Source File: 00000000.00000002.1601619572.0000000005890000.00000040.00000800.00020000.00000000.sdmp, Offset: 05890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5890000_SPOOOFER776.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 65da6678bc1f2a0f1a3c06232af6860c2e6fd23beb178386dc7c9352acd47206
Instruction ID: 6b14c5105adcd74e482d3217d0e21bffa56ad5ba3aebe26193237c8ab66339bd
Opcode Fuzzy Hash: 65da6678bc1f2a0f1a3c06232af6860c2e6fd23beb178386dc7c9352acd47206
Instruction Fuzzy Hash: 6D412975900309DFDB14CF99C448AAABBF5FF88314F248559E919AB321D734A845CBA0

Function 01804800 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 01806049

Memory Dump Source

Source File: 00000000.00000002.1587753228.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1800000_SPOOOFER776.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: eab541d4d42ecd20f816e77d65f7f5e1ff7cb6d033860c2b19832f5a89963080
Instruction ID: 720899a88be730601c9b6d364e6baddfd8842f8b47f7f8263b98f68403b4c2d9
Opcode Fuzzy Hash: eab541d4d42ecd20f816e77d65f7f5e1ff7cb6d033860c2b19832f5a89963080
Instruction Fuzzy Hash: 0141E470C0071DCFEB25CFA9C84478EBBB5BF49304F20816AD408AB295D7755949CF50

Function 01805F8D Relevance: 1.6, APIs: 1, Instructions: 94COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 01806049

Memory Dump Source

Source File: 00000000.00000002.1587753228.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1800000_SPOOOFER776.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: eb4a5de94f1ac7a66ccaedde41e28950a7256f4cd1b0111bcfbf0be34044c284
Instruction ID: fd9a20868f8bb9e331d4416d29b0b45f8011ad0e11cca25884807cda74108c01
Opcode Fuzzy Hash: eb4a5de94f1ac7a66ccaedde41e28950a7256f4cd1b0111bcfbf0be34044c284
Instruction Fuzzy Hash: F541C0B1C0071DCFEB25CFA9C98478DBBB5BF49304F20816AD408AB255EB75694ACF50

Function 07B6AF90 Relevance: 1.6, APIs: 1, Instructions: 92COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(00000000,?,?), ref: 07B6B030

Memory Dump Source

Source File: 00000000.00000002.1614819916.0000000007B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b60000_SPOOOFER776.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 7e0b0fba6a183a3327d2e818b5e619398a5d6ab1a03ed118eeb7e2567dfc8db4
Instruction ID: a34b99366c18f320cee5cc01e7e318496e66ab641bcfd7ca39da5528e01dae9d
Opcode Fuzzy Hash: 7e0b0fba6a183a3327d2e818b5e619398a5d6ab1a03ed118eeb7e2567dfc8db4
Instruction Fuzzy Hash: 1431F3F1D012499FEB14DFA9D884A9EBFF4EF48320F24806AE519E7350D735A945CB90

Function 07B6AF84 Relevance: 1.6, APIs: 1, Instructions: 81COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(00000000,?,?), ref: 07B6B030

Memory Dump Source

Source File: 00000000.00000002.1614819916.0000000007B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b60000_SPOOOFER776.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 59e6d1a2aede86b57c4d07facbac4111a04a8886fb61c2687e6ae57874e81623
Instruction ID: 90b9e5e2a62ea7aff3d359dc45c8741a5ff35556a4d8940ecc338d430f379afd
Opcode Fuzzy Hash: 59e6d1a2aede86b57c4d07facbac4111a04a8886fb61c2687e6ae57874e81623
Instruction Fuzzy Hash: 2831F2F1D00249AFEB14DFA9C898ADEBFF4AF48310F24406AE519EB251D7359985CB90

Function 07B68A92 Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(?,00000000), ref: 07B68B2A

Memory Dump Source

Source File: 00000000.00000002.1614819916.0000000007B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b60000_SPOOOFER776.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: 793b87d079c72e19811c423cc3e7a33ec57d98a7c9847e904c351461a9949e78
Instruction ID: 9cc2e9975c4e7cdb7d147d2e94fb4bf5f5f607598333c51abccae36ca72defa7
Opcode Fuzzy Hash: 793b87d079c72e19811c423cc3e7a33ec57d98a7c9847e904c351461a9949e78
Instruction Fuzzy Hash: 60216AB29053898FEB11CFAAC444BDEFFF4EF49210F14805AD458A7252C339A549CF65

Function 0180BDD0 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0180DD26,?,?,?,?,?), ref: 0180DDE7

Memory Dump Source

Source File: 00000000.00000002.1587753228.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1800000_SPOOOFER776.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 3f915e29c4c8433b67ba671906057ebf8fefd65fcdc0e2c7b8d903526b560a48
Instruction ID: dc592c0cc9b4b4ec3c4771888f354d23ca7e923ae62f4d7f5511484f94cd36ab
Opcode Fuzzy Hash: 3f915e29c4c8433b67ba671906057ebf8fefd65fcdc0e2c7b8d903526b560a48
Instruction Fuzzy Hash: 5921E5B590024CDFDB10CF9AD984ADEBBF4EB48310F14851AE914A7350D374A944CFA5

Function 0180DD58 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0180DD26,?,?,?,?,?), ref: 0180DDE7

Memory Dump Source

Source File: 00000000.00000002.1587753228.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1800000_SPOOOFER776.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 92ac5fc3221208067f13bd34d65ac69221a7910b1424bbbeed4b29dd878302c5
Instruction ID: b7e77cedef3c7604365af21fb19876790c557864f997b53f453da4861d43765a
Opcode Fuzzy Hash: 92ac5fc3221208067f13bd34d65ac69221a7910b1424bbbeed4b29dd878302c5
Instruction Fuzzy Hash: 2A21F4B5800348AFDB10CF9AD884ADEBFF4EB48310F14851AE914A7250C379A944CF65

Function 0AD85D58 Relevance: 1.6, APIs: 1, Instructions: 62threadCOMMON

Download Yara Rule

APIs

EnumThreadWindows.USER32(?,00000000,?), ref: 0AD85DD1

Memory Dump Source

Source File: 00000000.00000002.1616578775.000000000AD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AD80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad80000_SPOOOFER776.jbxd

Similarity

API ID: EnumThreadWindows
String ID:
API String ID: 2941952884-0
Opcode ID: a0113e3ded0af8f23921d2852bbc682a11a4a00129e9e4ea8669f5b0b05c9851
Instruction ID: d4bed95e750ea3960075b97e3796d1b0bcc1b6a6354f62cfb4c3b6c0bb5e0758
Opcode Fuzzy Hash: a0113e3ded0af8f23921d2852bbc682a11a4a00129e9e4ea8669f5b0b05c9851
Instruction Fuzzy Hash: 332135B1D102498FDB14CFAAC844BEEFBF4EF88310F14842AD854A7250C778A945CF64

Function 0AD861A0 Relevance: 1.6, APIs: 1, Instructions: 60windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(?,00000000,00000000,?), ref: 0AD86225

Memory Dump Source

Source File: 00000000.00000002.1616578775.000000000AD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AD80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad80000_SPOOOFER776.jbxd

Similarity

API ID: Message
String ID:
API String ID: 2030045667-0
Opcode ID: e241305acfb893f47ded06b1d911fe57caefc28b46af21c2869d9193b32e9b07
Instruction ID: cd76346b76acb12b185a81a0dc5c11f468309e185fddef09becbf3446f681e35
Opcode Fuzzy Hash: e241305acfb893f47ded06b1d911fe57caefc28b46af21c2869d9193b32e9b07
Instruction Fuzzy Hash: B32125B69003499FDB14CF9AD884BDEFBB5FB48310F15852DE858A7241C375A544CFA4

Function 0AD85D60 Relevance: 1.6, APIs: 1, Instructions: 59threadCOMMON

Download Yara Rule

APIs

EnumThreadWindows.USER32(?,00000000,?), ref: 0AD85DD1

Memory Dump Source

Source File: 00000000.00000002.1616578775.000000000AD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AD80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad80000_SPOOOFER776.jbxd

Similarity

API ID: EnumThreadWindows
String ID:
API String ID: 2941952884-0
Opcode ID: e71abf097fb371f98381a15b30d5eab4e6899c119546d9e13b0d5936c8a0ac10
Instruction ID: ac783b305f460f3a6d8cb988546acab92b21c9aa4922dd3491425c83e86f8400
Opcode Fuzzy Hash: e71abf097fb371f98381a15b30d5eab4e6899c119546d9e13b0d5936c8a0ac10
Instruction Fuzzy Hash: 0F21F4B1D102498FEB14DF9AC844BEEFBF5EB88320F14842AD854A7250D778A944CFA5

Function 07B6F8B2 Relevance: 1.6, APIs: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?,?,?,?,?,00000000,?,?,?,?,000000FF), ref: 07B6F92F

Memory Dump Source

Source File: 00000000.00000002.1614819916.0000000007B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b60000_SPOOOFER776.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: a696102f8db04b416f6e62eb7eb59ec5bce012343222904e3d0a1f2a51435298
Instruction ID: f424227dc99cfb192312d6235673973ef46ed5bf4907c54e2e39e2f77d6c8c6c
Opcode Fuzzy Hash: a696102f8db04b416f6e62eb7eb59ec5bce012343222904e3d0a1f2a51435298
Instruction Fuzzy Hash: C72113B2D00349EFDB10CF9AD884AEEFBF4FB48310F10842AE558A7250D375A544CBA5

Function 07B6D214 Relevance: 1.6, APIs: 1, Instructions: 57windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?,?,?,?,?,00000000,?,?,?,?,000000FF), ref: 07B6F92F

Memory Dump Source

Source File: 00000000.00000002.1614819916.0000000007B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b60000_SPOOOFER776.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 0a15fde855769b3f6e3bda66f40ab61e0652f3d80f92ecfa36a75bc53e503c15
Instruction ID: 297eae758605b712f3161b13fdcc1c9518aeba5cc898d0bdc0a4e15b3bdeb023
Opcode Fuzzy Hash: 0a15fde855769b3f6e3bda66f40ab61e0652f3d80f92ecfa36a75bc53e503c15
Instruction Fuzzy Hash: 5F21E4B5C00359DFDB10CF9AD888ADEFBF4FB48310F10856AE954A7250D374A544CBA5

Function 0AD861A8 Relevance: 1.6, APIs: 1, Instructions: 57windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(?,00000000,00000000,?), ref: 0AD86225

Memory Dump Source

Source File: 00000000.00000002.1616578775.000000000AD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AD80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad80000_SPOOOFER776.jbxd

Similarity

API ID: Message
String ID:
API String ID: 2030045667-0
Opcode ID: 8417253b98d03984bb917fb54d0e1270ca43207cc40228b39d9429303e8ec978
Instruction ID: bb11f5d728d6b802ea01a4a4bfd584a9d28fed409942b6e5744ffb439af0ebcc
Opcode Fuzzy Hash: 8417253b98d03984bb917fb54d0e1270ca43207cc40228b39d9429303e8ec978
Instruction Fuzzy Hash: 9521EFB69103499FDB14DF9AD884ADEFBB5FB48320F11852EE818AB201C375A544CFA5

Function 07B68AC0 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(?,00000000), ref: 07B68B2A

Memory Dump Source

Source File: 00000000.00000002.1614819916.0000000007B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b60000_SPOOOFER776.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: cb51658c4d63ab9d9a0c8550782a2fd314667efa9bcddd8e6401a5e4f9dab790
Instruction ID: cc181b50eb5b30626e7757a88ea8cb9efafb9c943fc96f96419743228513c84a
Opcode Fuzzy Hash: cb51658c4d63ab9d9a0c8550782a2fd314667efa9bcddd8e6401a5e4f9dab790
Instruction Fuzzy Hash: 581137B6C006498FEB14CF9AC444BDEFBF4EF48320F14842AE858A7240D339A545CFA5

Function 09450740 Relevance: 1.6, APIs: 1, Instructions: 51windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 094507A5

Memory Dump Source

Source File: 00000000.00000002.1615652114.0000000009450000.00000040.00000800.00020000.00000000.sdmp, Offset: 09450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9450000_SPOOOFER776.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 378b30d011800176b3587cb6193290a5f38015f6c8777a2bf916fa7417067bfb
Instruction ID: fab109b0d459f4fbd413b5e64dd287b0628479a5e1dad2ea81947b09b9710a8a
Opcode Fuzzy Hash: 378b30d011800176b3587cb6193290a5f38015f6c8777a2bf916fa7417067bfb
Instruction Fuzzy Hash: 191146B5800349DFDB20CF9AC885BEEBFF8EB48310F10841AE859A3251C378A544CFA5

Function 09450748 Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 094507A5

Memory Dump Source

Source File: 00000000.00000002.1615652114.0000000009450000.00000040.00000800.00020000.00000000.sdmp, Offset: 09450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9450000_SPOOOFER776.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 5455a4087353080deb30a8a6c0901259f5c2b65315cf1ca4a8d10123f39610e8
Instruction ID: e4886bd1d6f34fce70e7491dd7053a9d67e152a2df987e7dc5b8735461a04fbe
Opcode Fuzzy Hash: 5455a4087353080deb30a8a6c0901259f5c2b65315cf1ca4a8d10123f39610e8
Instruction Fuzzy Hash: 1D1136B5800349DFDB10CF9AC945BDEFBF8EB48320F10841AE958A7251D378A544CFA5

Function 0180B970 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0180B9D6

Memory Dump Source

Source File: 00000000.00000002.1587753228.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1800000_SPOOOFER776.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 83102394da586ccdd38fcea6c926df8b2afa2bd2d0ec6d5ba68705c8d93d6924
Instruction ID: bfc259298c30ad33b4f62ba23f643c70345979e459cbb8f794eb12c98ed1d115
Opcode Fuzzy Hash: 83102394da586ccdd38fcea6c926df8b2afa2bd2d0ec6d5ba68705c8d93d6924
Instruction Fuzzy Hash: BA1102B6C006498FDB10CF9AC844BDEFBF4EB48310F10841AD558A7350D375A545CFA5

Function 09455A19 Relevance: 1.5, APIs: 1, Instructions: 47timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,05626428,?,?), ref: 09455A7D

Memory Dump Source

Source File: 00000000.00000002.1615652114.0000000009450000.00000040.00000800.00020000.00000000.sdmp, Offset: 09450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9450000_SPOOOFER776.jbxd

Similarity

API ID: Timer
String ID:
API String ID: 2870079774-0
Opcode ID: 161b0e2e298254a779df667856e31086ea25cb5c4258383c3067e324e72cb853
Instruction ID: 6963a38343d56a1374144f5783fa70c83eb080941f1d8b27bdcdb4237afeb12e
Opcode Fuzzy Hash: 161b0e2e298254a779df667856e31086ea25cb5c4258383c3067e324e72cb853
Instruction Fuzzy Hash: CB11E3B58003499FDB10DF9AC485BEEBFF8EB48320F10855AE959A7211C375A944CFA5

Function 09454AE0 Relevance: 1.5, APIs: 1, Instructions: 47timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,05626428,?,?), ref: 09455A7D

Memory Dump Source

Source File: 00000000.00000002.1615652114.0000000009450000.00000040.00000800.00020000.00000000.sdmp, Offset: 09450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9450000_SPOOOFER776.jbxd

Similarity

API ID: Timer
String ID:
API String ID: 2870079774-0
Opcode ID: 96cf4b4db08e18d893b33d05a8b74d6e6382e4114e4a6d3692c014bfba1eef11
Instruction ID: 665b9b79f05b58d03dac8963c2d886f6ee7715431aa6c6413f0fb484b2fca5be
Opcode Fuzzy Hash: 96cf4b4db08e18d893b33d05a8b74d6e6382e4114e4a6d3692c014bfba1eef11
Instruction Fuzzy Hash: F111F5B5800349DFDB10DF9AD485BEEBBF8EB48320F10851AE919A7611C375A944CFA5

Function 07B6D178 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?,?,?,?,?,07B6F2E1,?,?,00000000), ref: 07B6F355

Memory Dump Source

Source File: 00000000.00000002.1614819916.0000000007B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b60000_SPOOOFER776.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 6ad8996f1bd7b795d054db366fdf5ae8555168b4d5a8534d9ab3abfed64b6096
Instruction ID: 2f64f2ee67d2a8bd2383389f3dda58aa938f0e14fb61dabf879c8249bf157aea
Opcode Fuzzy Hash: 6ad8996f1bd7b795d054db366fdf5ae8555168b4d5a8534d9ab3abfed64b6096
Instruction Fuzzy Hash: 341106B5804749DFDB10CF9AD449BEEFBF8EB48320F108459E558A7600D379A944CFA5

Function 07B6708C Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?,?,?,?,?,07B69049,?,?,00000000), ref: 07B690BD

Memory Dump Source

Source File: 00000000.00000002.1614819916.0000000007B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b60000_SPOOOFER776.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: e68b27ceb7af65e790176c6e51e3ab34dd08b33e9e4aafe35e76c982cb9a8f24
Instruction ID: 57da2b74d9704a6eb7f73ab717dcdc90f942ec0a1e1b90437fc8b740bdd705aa
Opcode Fuzzy Hash: e68b27ceb7af65e790176c6e51e3ab34dd08b33e9e4aafe35e76c982cb9a8f24
Instruction Fuzzy Hash: EE1106B5800349DFDB20DF9AC449BDEBBF8EB48320F108459E514A7310C379A944CFA5

Function 07B6905A Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?,?,?,?,?,07B69049,?,?,00000000), ref: 07B690BD

Memory Dump Source

Source File: 00000000.00000002.1614819916.0000000007B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b60000_SPOOOFER776.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 4253a4c8fa8f7bcfb15d6dad853093f6316e04064e6507dcc8c51a5ab2085a31
Instruction ID: f7314a0582053edf727faebb9c5247cb4980246f8840d5f3c70060305abdfb57
Opcode Fuzzy Hash: 4253a4c8fa8f7bcfb15d6dad853093f6316e04064e6507dcc8c51a5ab2085a31
Instruction Fuzzy Hash: 4511F5B5800349DFDB20DF99D445BDEBFF4EB48324F20845AD554A7210C3796584CFA5

Function 07B65AF0 Relevance: 1.5, APIs: 1, Instructions: 47comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 07B65B4D

Memory Dump Source

Source File: 00000000.00000002.1614819916.0000000007B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b60000_SPOOOFER776.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: bdcbfbfedc38f72312eb046ee73796ca800b86c8f3505023dd67f51e4b280c54
Instruction ID: 51889a2b533bab4e597fb58e923cd66b268e0c725fd4f492e2c7e4cd579ba76a
Opcode Fuzzy Hash: bdcbfbfedc38f72312eb046ee73796ca800b86c8f3505023dd67f51e4b280c54
Instruction Fuzzy Hash: 8D1133B1C00349CFDB20DF9AC448BCEBBF4EB48224F248419E518A7300D339A544CFA5

Function 07B65664 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 07B65B4D

Memory Dump Source

Source File: 00000000.00000002.1614819916.0000000007B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b60000_SPOOOFER776.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 876d61a40e0252e72560ae27b905943c3cae90c94cd5b1d101a38d32c365cd1f
Instruction ID: d15065b1d47cc6680b0735e5ef8a925f94aaf2d8440517f8ecd3c64463299299
Opcode Fuzzy Hash: 876d61a40e0252e72560ae27b905943c3cae90c94cd5b1d101a38d32c365cd1f
Instruction Fuzzy Hash: 7B1130B1C00349CFEB20DF9AC488B9EBBF4EB48220F248459E518A7300D378A944CFA5

Function 07B6F2F0 Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?,?,?,?,?,07B6F2E1,?,?,00000000), ref: 07B6F355

Memory Dump Source

Source File: 00000000.00000002.1614819916.0000000007B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b60000_SPOOOFER776.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: f2e614ed2db0e87bb9ec37c556d58e1925f6b0ec5a527ead04212d9472e2416a
Instruction ID: 8c0d8a65b75668f6c3fb2b165bf81c3330a6d9edd847f712e7b9a48c9824bcee
Opcode Fuzzy Hash: f2e614ed2db0e87bb9ec37c556d58e1925f6b0ec5a527ead04212d9472e2416a
Instruction Fuzzy Hash: 3111F2B5800649DFEB20CF9AD489BEEFBF4FB48314F20845AE558A7610C379A544CFA5

Function 09450669 Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?), ref: 09450683

Memory Dump Source

Source File: 00000000.00000002.1615652114.0000000009450000.00000040.00000800.00020000.00000000.sdmp, Offset: 09450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9450000_SPOOOFER776.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: a0fdfd906fd173b1b1e0928478a8d436267243dd5e5f5cda00a59f0fe61d5491
Instruction ID: c8a73296313e05bf5a6021c2fbebff22cce8895d32682dd52fd66f253172f3fc
Opcode Fuzzy Hash: a0fdfd906fd173b1b1e0928478a8d436267243dd5e5f5cda00a59f0fe61d5491
Instruction Fuzzy Hash: 5ED01236049244AFC7139754A814CE93F715B1630070981D3F5448E072C516C669D715

Function 09450678 Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?), ref: 09450683

Memory Dump Source

Source File: 00000000.00000002.1615652114.0000000009450000.00000040.00000800.00020000.00000000.sdmp, Offset: 09450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9450000_SPOOOFER776.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: b4df7e53359c6db820aee5b73abd908902e637acb7f4f2d13f5b8ec43699045b
Instruction ID: 5d9831ab15e8bc9936e2172a3e3eaaf302ad0793588beeda03706d51ae3f102b
Opcode Fuzzy Hash: b4df7e53359c6db820aee5b73abd908902e637acb7f4f2d13f5b8ec43699045b
Instruction Fuzzy Hash: 03B09B3700010C9E4B01BB84E804C55BBADAB543007008051E6084A031D521D564D751

Function 0172D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1587160974.000000000172D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0172D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_172d000_SPOOOFER776.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 666d0151028dc844ad3a629d969ae38d7b78c382effad377ec44e9699b88f781
Instruction ID: 30afcd00826073992180f1711489a6c412778a25a20bf45d54965429c501248f
Opcode Fuzzy Hash: 666d0151028dc844ad3a629d969ae38d7b78c382effad377ec44e9699b88f781
Instruction Fuzzy Hash: B821F571908200EFDB25DF94D5C0B25FBA5FB85324F20C5ADE9094B292C336D447CA61

Function 0172D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1587160974.000000000172D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0172D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_172d000_SPOOOFER776.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dee5ccd9d8bff5731e3d62b6931b2e79ae2138ecb14db5ffa8a8906d720cbc0
Instruction ID: 187825ae9cc85e068d1d8d6f6075c9fd8d6b0190ce1175bf81167ab82755347a
Opcode Fuzzy Hash: 4dee5ccd9d8bff5731e3d62b6931b2e79ae2138ecb14db5ffa8a8906d720cbc0
Instruction Fuzzy Hash: BB210371604240DFDB35DF64D5C4B16FB61EB84314F20C5ADE90A0B2A2C33AD407CA62

Function 0172D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1587160974.000000000172D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0172D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_172d000_SPOOOFER776.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
Instruction ID: fb8ba2defe92606a139ce90f313b4cb46fe2267abfd72222730b75d04e4fd1f9
Opcode Fuzzy Hash: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
Instruction Fuzzy Hash: 8611BB75504280DFDB26CF54D5C4B15FFA2FB88314F24C6AAD8494B6A6C33AD40BCBA2

Function 0172D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1587160974.000000000172D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0172D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_172d000_SPOOOFER776.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
Instruction ID: a6ed3c89072e8277618cf1ada38ce97915de3b6891c171782d043313eb6632bf
Opcode Fuzzy Hash: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
Instruction Fuzzy Hash: 1D11BB75908280DFDB26CF54D5C0B15FFA1FB85324F24C6A9D8498B696C33AD40ACB62

Function 0171D759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1586923468.000000000171D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0171D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_171d000_SPOOOFER776.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20a5ba686585726221f9d3a07302bbe4bc48dc260c7c876d1df11fce07aacaa
Instruction ID: 5c090f340e0da8122ea8d7d4857d90d58c1b31e40be3c22ea307459a2ed30102
Opcode Fuzzy Hash: b20a5ba686585726221f9d3a07302bbe4bc48dc260c7c876d1df11fce07aacaa
Instruction Fuzzy Hash: F701A7314043809EE7304B6DDC88B66FFD8EF41724F18855AED094E28AC2799444CEB2

Function 0171D6CF Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1586923468.000000000171D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0171D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_171d000_SPOOOFER776.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cc321d281cb05444524e65aed7f646ef6772ae0a98ca73b032d373730b3beca
Instruction ID: a872d1439e4431544d3935980fb91efbbd99cfe4ff0c06f88f3ba46f943afb22
Opcode Fuzzy Hash: 7cc321d281cb05444524e65aed7f646ef6772ae0a98ca73b032d373730b3beca
Instruction Fuzzy Hash: C3F0F976600654AF97208F0AD985C27FBADEBC4770715C59AE84A4B712C672EC41CEA0

Function 0171D758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1586923468.000000000171D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0171D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_171d000_SPOOOFER776.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 231defebaf73e5e7995d8f0c7aa6df9dd37f3cf75c4f82a00d9c80241ee64964
Instruction ID: ff79f94a97879ee62f0f7080331a32217d2be56bb77dbee0deb11242856faacc
Opcode Fuzzy Hash: 231defebaf73e5e7995d8f0c7aa6df9dd37f3cf75c4f82a00d9c80241ee64964
Instruction Fuzzy Hash: 03F06271404384AEEB208A1ADD88B66FFE8EF51734F18C55AED084F297C2799844CAB1

Function 0171D6C0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1586923468.000000000171D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0171D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_171d000_SPOOOFER776.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 940ea452d1fadd48ecfbe1673f9dd3d89fdbb442e7db8d06ccd6b4e804e02ff7
Instruction ID: 375d2e21d7138444040a265acc96c755613c389d7528ef17c99bfd689a3c3a65
Opcode Fuzzy Hash: 940ea452d1fadd48ecfbe1673f9dd3d89fdbb442e7db8d06ccd6b4e804e02ff7
Instruction Fuzzy Hash: B9F04975104A80AFD325CF06C984C63BFB9EB857607198589F85A4B363C631FC42CF60

Non-executed Functions

Function 09454B3C Relevance: 6.9, Strings: 5, Instructions: 621COMMON

Download Yara Rule

Strings

Hq, xrefs: 094566C9
Hq, xrefs: 0945686D
Hq, xrefs: 0945675C
Hq, xrefs: 094567E3
Hq, xrefs: 0945692B

Memory Dump Source

Source File: 00000000.00000002.1615652114.0000000009450000.00000040.00000800.00020000.00000000.sdmp, Offset: 09450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9450000_SPOOOFER776.jbxd

Similarity

API ID:
String ID: Hq$Hq$Hq$Hq$Hq
API String ID: 0-3799487529
Opcode ID: 00c40ffd63b584003644d68edc8264a5e0215cffa9080d875bf074398cebe82d
Instruction ID: 7411fcfe83a3fa8b001bb9268051b09915c1935502e9c690b9b1a129b49c3c41
Opcode Fuzzy Hash: 00c40ffd63b584003644d68edc8264a5e0215cffa9080d875bf074398cebe82d
Instruction Fuzzy Hash: 82328230E002188FDB64DFA9C4547AEBBF2AFC5300F55816AD40AAB399DB349D85CF95

Function 07B69FD0 Relevance: 2.8, Strings: 2, Instructions: 343COMMON

Download Yara Rule

Strings

Hq, xrefs: 07B6A16D
Hq, xrefs: 07B6A1CD

Memory Dump Source

Source File: 00000000.00000002.1614819916.0000000007B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b60000_SPOOOFER776.jbxd

Similarity

API ID:
String ID: Hq$Hq
API String ID: 0-925789375
Opcode ID: f9e38aca6315d3d05c749e873774f89e89713275d2e42dfcec51baa619cf4544
Instruction ID: a4e542151e6281255b88339bcbc480f6296257e0e34ca11c1df3f16235eddf07
Opcode Fuzzy Hash: f9e38aca6315d3d05c749e873774f89e89713275d2e42dfcec51baa619cf4544
Instruction Fuzzy Hash: 0BD151B0A002199FDB14DFA9D458BAEBBF2FF89310F148069E509EB355DB349D42CB91

Function 0945EA64 Relevance: 1.5, Strings: 1, Instructions: 261COMMON

Download Yara Rule

Strings

,T:, xrefs: 0945EA64

Memory Dump Source

Source File: 00000000.00000002.1615652114.0000000009450000.00000040.00000800.00020000.00000000.sdmp, Offset: 09450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9450000_SPOOOFER776.jbxd

Similarity

API ID:
String ID: ,T:
API String ID: 0-4234161963
Opcode ID: 8406ac038d12bde1c65e63d5235b0be69f381e8020edd559b56bfdef3f93a77d
Instruction ID: 7e26d3a23783b7f052fea68920cc84076ba7a6a4fd16cc3e9375676c717a58bd
Opcode Fuzzy Hash: 8406ac038d12bde1c65e63d5235b0be69f381e8020edd559b56bfdef3f93a77d
Instruction Fuzzy Hash: 48A16035A04109CFDB14CBD8C994B9EBBB6FB89300F1584A6E906EB366C735DD46CB42

Function 05899570 Relevance: 1.5, Strings: 1, Instructions: 222COMMON

Download Yara Rule

Strings

LRq, xrefs: 05899593

Memory Dump Source

Source File: 00000000.00000002.1601619572.0000000005890000.00000040.00000800.00020000.00000000.sdmp, Offset: 05890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5890000_SPOOOFER776.jbxd

Similarity

API ID:
String ID: LRq
API String ID: 0-3187445251
Opcode ID: b56e238af3d63a0c1f5e90881aa3e488f2e7d8170cd114ed53d11461db0d3fad
Instruction ID: 3b68ef15bb655174844dadceb5b05c8dea3d87331a49fb55358ff809c5869cd1
Opcode Fuzzy Hash: b56e238af3d63a0c1f5e90881aa3e488f2e7d8170cd114ed53d11461db0d3fad
Instruction Fuzzy Hash: E2818631F1411DCBDF18CF69C942BAEBBB6EB84304F59853AD806EB290D674DD418B91

Function 0589BD00 Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

=, xrefs: 0589BD28

Memory Dump Source

Source File: 00000000.00000002.1601619572.0000000005890000.00000040.00000800.00020000.00000000.sdmp, Offset: 05890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5890000_SPOOOFER776.jbxd

Similarity

API ID:
String ID: =
API String ID: 0-2322244508
Opcode ID: 7f9aaa690099553782a3eb2ca423983c9baece2fe0a993894291ce9f85fd0b7e
Instruction ID: 5d955f7feb057ef79946d0d7ea692ea7efc18182f1748a6b42e21f1803c0eb31
Opcode Fuzzy Hash: 7f9aaa690099553782a3eb2ca423983c9baece2fe0a993894291ce9f85fd0b7e
Instruction Fuzzy Hash: 60518470B45348ABFB08DBA9DC55B7DB6A2EBC4308F18846AC616FB6C4D67C9E41C701

Function 0589BCF2 Relevance: 1.4, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

=, xrefs: 0589BD28

Memory Dump Source

Source File: 00000000.00000002.1601619572.0000000005890000.00000040.00000800.00020000.00000000.sdmp, Offset: 05890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5890000_SPOOOFER776.jbxd

Similarity

API ID:
String ID: =
API String ID: 0-2322244508
Opcode ID: f694d993b9b1d8008589d3718c5a33dccab7d6f3563563becd846ca54e94ba8d
Instruction ID: c4c7a788e44f6c06d70cb31cd6f8a561d49a9cc4e9d7a9881faa734569c03634
Opcode Fuzzy Hash: f694d993b9b1d8008589d3718c5a33dccab7d6f3563563becd846ca54e94ba8d
Instruction Fuzzy Hash: 9F51A570B45349ABFB08CBA9CC55B7D76A2EBC4308F18846AC616FB2D5D67C9E41CB01

Function 0589BD89 Relevance: 1.4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

Strings

=, xrefs: 0589BD28

Memory Dump Source

Source File: 00000000.00000002.1601619572.0000000005890000.00000040.00000800.00020000.00000000.sdmp, Offset: 05890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5890000_SPOOOFER776.jbxd

Similarity

API ID:
String ID: =
API String ID: 0-2322244508
Opcode ID: b1fb9f1b8fe43fc142b3522161c6519799d07e39e8abef7b3b35ae890ecd308c
Instruction ID: be9f72d671ec3418051460131e6eedc4e66975c5afa1157b2dbfcbd0690914ca
Opcode Fuzzy Hash: b1fb9f1b8fe43fc142b3522161c6519799d07e39e8abef7b3b35ae890ecd308c
Instruction Fuzzy Hash: EC418470745349ABFB08CAA9CC55B7DB6A2EBC4308F18C46AC616FB6D4D67C9E40C701

Function 0589BD5F Relevance: 1.4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

Strings

=, xrefs: 0589BD28

Memory Dump Source

Source File: 00000000.00000002.1601619572.0000000005890000.00000040.00000800.00020000.00000000.sdmp, Offset: 05890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5890000_SPOOOFER776.jbxd

Similarity

API ID:
String ID: =
API String ID: 0-2322244508
Opcode ID: 690aad23a18442314c5daa92f97764336cea50ad62bede6715f38979241b5777
Instruction ID: fd9e6ebd7ea3774707e0741444b183d3a77b9c620f740372fb718a95593e7210
Opcode Fuzzy Hash: 690aad23a18442314c5daa92f97764336cea50ad62bede6715f38979241b5777
Instruction Fuzzy Hash: 01418370705349ABFB08CAA9CC55B7DB6A2EBC4308F28C46AC616FB2D4D67C9E40C705

Function 0589BE72 Relevance: 1.4, Strings: 1, Instructions: 116COMMON

Download Yara Rule

Strings

=, xrefs: 0589BD28

Memory Dump Source

Source File: 00000000.00000002.1601619572.0000000005890000.00000040.00000800.00020000.00000000.sdmp, Offset: 05890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5890000_SPOOOFER776.jbxd

Similarity

API ID:
String ID: =
API String ID: 0-2322244508
Opcode ID: 125b13ceb4b814d5478c86ca23d37679adb1fc0138872b8e595a10401cb16487
Instruction ID: b17ea151040d3c80266d63af96f8d023620a9ff4c912d6989cbe1e7548667cfb
Opcode Fuzzy Hash: 125b13ceb4b814d5478c86ca23d37679adb1fc0138872b8e595a10401cb16487
Instruction Fuzzy Hash: 66418470705349ABFB08CBA9C855B7D76A2EBC4308F18846AC616FB2D5D67C9E41C711

Function 0AD89408 Relevance: .4, Instructions: 358COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1616578775.000000000AD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AD80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad80000_SPOOOFER776.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecf889eb44a9f02bc4e57ba1c3300cf4278bb45dc102df53f0b44499aa9d819d
Instruction ID: 3102440342de365bf67567d225a3d1dbce8e29eeb24a97a3e78d0338ac3522af
Opcode Fuzzy Hash: ecf889eb44a9f02bc4e57ba1c3300cf4278bb45dc102df53f0b44499aa9d819d
Instruction Fuzzy Hash: 72D1EDB1B017098FDB6AEB79C860BAE77F6AF88700F11446DD196CB290CB34D901CB91

Function 05890A90 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1601619572.0000000005890000.00000040.00000800.00020000.00000000.sdmp, Offset: 05890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5890000_SPOOOFER776.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cea014de417b76e1c83821f896ce228de9cba278aed1856d8fc2a0b9336b6d6
Instruction ID: 34fc7dbc9fc1dd961f6e1b70901c109b764acc84203dca29354921630279bc03
Opcode Fuzzy Hash: 4cea014de417b76e1c83821f896ce228de9cba278aed1856d8fc2a0b9336b6d6
Instruction Fuzzy Hash: F512BAB0522F498BD330CF25E84E1993F71B765328F906A09E1665F2E1EFB4114ACF49

Function 094560F8 Relevance: .3, Instructions: 279COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1615652114.0000000009450000.00000040.00000800.00020000.00000000.sdmp, Offset: 09450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9450000_SPOOOFER776.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e2b45c3d50d4bde5d8686145c67a4363e11a2f09b37f6401e3626a7bf311945
Instruction ID: ad0eab5bd919d610c9ca6d32077142be2b6f3c9c5b762cc42fed6051f111c185
Opcode Fuzzy Hash: 2e2b45c3d50d4bde5d8686145c67a4363e11a2f09b37f6401e3626a7bf311945
Instruction Fuzzy Hash: 69C14D70E002189FDF15CFA5C88079EBBB2BF88310F15C16AE84AAB256DB31D985CF50

Function 0945E9E4 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1615652114.0000000009450000.00000040.00000800.00020000.00000000.sdmp, Offset: 09450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9450000_SPOOOFER776.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbf68eb88d79773293304ad3c60d3e98ada1bf3c4f2eaece748458cd4b3c9cd6
Instruction ID: 82fb78e1c2d96cd21e852ec937313aafce27615da26a95e6efc19e00327bfec0
Opcode Fuzzy Hash: bbf68eb88d79773293304ad3c60d3e98ada1bf3c4f2eaece748458cd4b3c9cd6
Instruction Fuzzy Hash: 5AB1B330B00205ABC754EB79C491369B6A6FF96310B14C4BAD80EDF35ADB35DE06CB92

Function 0945F492 Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1615652114.0000000009450000.00000040.00000800.00020000.00000000.sdmp, Offset: 09450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9450000_SPOOOFER776.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c147ebd0cd2afe5ee525cb283b963330dbd22c2f4c3162799f81c919603db79b
Instruction ID: e6a3c6cf762732a8d7c27f8a0f36d8344e5d31a12784c485cbad1f78c157b335
Opcode Fuzzy Hash: c147ebd0cd2afe5ee525cb283b963330dbd22c2f4c3162799f81c919603db79b
Instruction Fuzzy Hash: CDB1A230B00205ABC754EB79C491369B6A6FF96310B14C5BAD80EDF35ADB35DE06CB92

Function 09453641 Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1615652114.0000000009450000.00000040.00000800.00020000.00000000.sdmp, Offset: 09450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9450000_SPOOOFER776.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 612559bc10e9cc5305af568e139337333b52ed4fafe5aa7d39e829e5f8d384a4
Instruction ID: 742ac45fdd9f97a0da809b3a805c7021e3ecf6b0f8d5badf1d12a1b39578e4aa
Opcode Fuzzy Hash: 612559bc10e9cc5305af568e139337333b52ed4fafe5aa7d39e829e5f8d384a4
Instruction Fuzzy Hash: C3D1E635C2075A8ACB11EB68D990699F7B1FFDA310F20879AD1093B254FB746AC5CF81

Function 09453650 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1615652114.0000000009450000.00000040.00000800.00020000.00000000.sdmp, Offset: 09450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9450000_SPOOOFER776.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d2265b1cf854712ea9b1c4d291f7c84c2a2663b2e48e8f87a5bafced383a1cc
Instruction ID: 1c0b01717e7f3823180ffc8014fe151e5c2a9219ab3ddf7189061d0a07670b3b
Opcode Fuzzy Hash: 4d2265b1cf854712ea9b1c4d291f7c84c2a2663b2e48e8f87a5bafced383a1cc
Instruction Fuzzy Hash: 14D1D635C2075A8ACB10EB68D990699F7B1FFD9310F20879AE1093B214FB746AD5CF81

Function 09453619 Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1615652114.0000000009450000.00000040.00000800.00020000.00000000.sdmp, Offset: 09450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9450000_SPOOOFER776.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e5123f22c25cbca97c150949b66ff88f8074571933684f7fd4fa405812d4f8d
Instruction ID: 5c64f3118346b5189bb169f3965e0258be9c259f3addda08d54829d6488603a5
Opcode Fuzzy Hash: 7e5123f22c25cbca97c150949b66ff88f8074571933684f7fd4fa405812d4f8d
Instruction Fuzzy Hash: BCD1D635C2075A8ACB11EB68D994699F7B1FFDA310F10879AD1093B214FB746AC5CF81

Function 07B620E0 Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1614819916.0000000007B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b60000_SPOOOFER776.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f48a49cdd60174d39bebb1d1efc89e31cb05cbe95517b007c7f00e0e343ae22
Instruction ID: 70bfa1ca57403b35672ab976e8274b02a226acecef134dccfe1874506849cc09
Opcode Fuzzy Hash: 7f48a49cdd60174d39bebb1d1efc89e31cb05cbe95517b007c7f00e0e343ae22
Instruction Fuzzy Hash: A2A1F7B1B0420ADBE7459F3CC58429DB792FF86110B40D8BAD70EEF259DA39EA41CB51

Function 0945FAF1 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1615652114.0000000009450000.00000040.00000800.00020000.00000000.sdmp, Offset: 09450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9450000_SPOOOFER776.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76831d8ed33014b5e8601e77317aeb473c1eabb1f0ccde9dc4f102cae842de7f
Instruction ID: fbaaa514e93dd495eca5fa0f5ee098b50c8f042d4321defbb374367a60c67d74
Opcode Fuzzy Hash: 76831d8ed33014b5e8601e77317aeb473c1eabb1f0ccde9dc4f102cae842de7f
Instruction Fuzzy Hash: 2BA15035A04109DFDB14CF94C954B9EBBB2FB89300F1584A6E906EB366C735DD46CB42

Function 09459679 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1615652114.0000000009450000.00000040.00000800.00020000.00000000.sdmp, Offset: 09450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9450000_SPOOOFER776.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14b4165c5c04c81edcd7bf25b1f84e9f64c2761e9bec5955fba21d6197c034df
Instruction ID: 72dba9af3bca6d6c8b7d22bc31f09ce1ccfc2b0abf5209687088737829f17b68
Opcode Fuzzy Hash: 14b4165c5c04c81edcd7bf25b1f84e9f64c2761e9bec5955fba21d6197c034df
Instruction Fuzzy Hash: 5FA15C70700305CFC755EFB9C49125ABBA2FF86214B54C8AEA90A9F31ADF31D906CB91

Function 07B620F0 Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1614819916.0000000007B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b60000_SPOOOFER776.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a4a018ba98d39e621beb79d879d9a0d38599eb16db290e3901832c23eae2f42
Instruction ID: 48bfea53898a1553775485e2ac12838707eef597a84a2648925ae5ca8ee2b838
Opcode Fuzzy Hash: 6a4a018ba98d39e621beb79d879d9a0d38599eb16db290e3901832c23eae2f42
Instruction Fuzzy Hash: EDA1F8B1B0020ADBE7449F3CC58469DB692FF86110B40D8B9D70EAF359DA39EA41CB51

Function 09458A64 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1615652114.0000000009450000.00000040.00000800.00020000.00000000.sdmp, Offset: 09450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9450000_SPOOOFER776.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c653df02533baaa8b05b09db23549295606174f0f946bd7d9d86f0440bc24f30
Instruction ID: 07c3b806fce2ba66acd7656b1c20d05b359d873bc5448929d7a79ec61e2913ab
Opcode Fuzzy Hash: c653df02533baaa8b05b09db23549295606174f0f946bd7d9d86f0440bc24f30
Instruction Fuzzy Hash: B2A17D70700305CFC754EFB9C49125AB7A2FF86214B54C8AEA90A9F35ADF31D906CB91

Function 05890A37 Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1601619572.0000000005890000.00000040.00000800.00020000.00000000.sdmp, Offset: 05890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5890000_SPOOOFER776.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c38a4b93e7e3c808b240e7cc47b7ecf1c016b05e5f4db46bd457288fc4411ba9
Instruction ID: 324a2d4bd2029a26058be2ce982328a7b2e71c2fc9ef30cd1d82bf8a153fed3f
Opcode Fuzzy Hash: c38a4b93e7e3c808b240e7cc47b7ecf1c016b05e5f4db46bd457288fc4411ba9
Instruction Fuzzy Hash: C9C12CB0922B498BD730CF64E84E1997FB1FBA5324F546A09E1666F2D0EF74144ACF48

Function 05890A80 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1601619572.0000000005890000.00000040.00000800.00020000.00000000.sdmp, Offset: 05890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5890000_SPOOOFER776.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcd91e5307650d0a13617adc21075ce6f4b92c58c2f5166b2724ef9a57ff86c2
Instruction ID: d769c5722ca8f86dcb3cf44d52063e7fb8d72a18b8c56a466953b4ef9b69a2b6
Opcode Fuzzy Hash: bcd91e5307650d0a13617adc21075ce6f4b92c58c2f5166b2724ef9a57ff86c2
Instruction Fuzzy Hash: BEC12DB0921B498BD730CF64E84E1997FB1BBA5324F546A09F1666F2D0EFB4144ACF48

Function 0589DD93 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1601619572.0000000005890000.00000040.00000800.00020000.00000000.sdmp, Offset: 05890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5890000_SPOOOFER776.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07ab8b76a949ea3bd99d54dc7305f0660b351d46fd1252d59e287cb6545e6a2e
Instruction ID: 022fa609aa2765d5e07a652f0eb1ec36c0562ce726d9ceb9c5e82d79a1a85c72
Opcode Fuzzy Hash: 07ab8b76a949ea3bd99d54dc7305f0660b351d46fd1252d59e287cb6545e6a2e
Instruction Fuzzy Hash: 1051B971B216428BD70CDB3CC88123ABFA6FBC5200B05497AD84ADF698DE34EC168795

Function 0589DDA8 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1601619572.0000000005890000.00000040.00000800.00020000.00000000.sdmp, Offset: 05890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5890000_SPOOOFER776.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d4ab8ac782b2417ca84b3434c3dc69f085cf1aa4f1f7f26440cbb1a75674e05
Instruction ID: 5138196f02c3680911a2b86ce8ab96288dc4a5b7f8a0d6004834e517c0b8ed3c
Opcode Fuzzy Hash: 1d4ab8ac782b2417ca84b3434c3dc69f085cf1aa4f1f7f26440cbb1a75674e05
Instruction Fuzzy Hash: 53518871B219468BD70CDB3CC88123ABFA6FBC5200F05497AD84ADFA94DE34EC168785

Function 0589DDB8 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1601619572.0000000005890000.00000040.00000800.00020000.00000000.sdmp, Offset: 05890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5890000_SPOOOFER776.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35ef19ab4f6179e86a72e385045b237154a912d1b4e9798da425f3c944531560
Instruction ID: 75beef9708f18596643890540877439d1cf13dba9a44b0d0cdf0c9c2da8e8493
Opcode Fuzzy Hash: 35ef19ab4f6179e86a72e385045b237154a912d1b4e9798da425f3c944531560
Instruction Fuzzy Hash: F0519731B21A568BD70CDB3CD88123ABEA7FBC5200B45497AD84ACF694CF34EC168795

Function 0589A8E8 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1601619572.0000000005890000.00000040.00000800.00020000.00000000.sdmp, Offset: 05890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5890000_SPOOOFER776.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ca9a7d6c314f0e8c5dd3317ff3de29b30a0647e6f2ed81930cff7f545371e6f
Instruction ID: 74dfbddf0274c59b06c6312471f5482d59bd547fc27a2fc1a6cc4d4f950b880f
Opcode Fuzzy Hash: 3ca9a7d6c314f0e8c5dd3317ff3de29b30a0647e6f2ed81930cff7f545371e6f
Instruction Fuzzy Hash: 75412D78E1020ADFDB48DF79D58169EBBF2EBC8304F24C5AA8416D7294E7789E458F40

Function 0589A8F8 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1601619572.0000000005890000.00000040.00000800.00020000.00000000.sdmp, Offset: 05890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5890000_SPOOOFER776.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67200830a0d7e9a5dd5ac1a660c0b5879d6e25e6193a19d305a6a4d2df09a11d
Instruction ID: 37c3c27211c008e6af2289e3f0431a134ffd518a79fc12eb968aec008f2a5af4
Opcode Fuzzy Hash: 67200830a0d7e9a5dd5ac1a660c0b5879d6e25e6193a19d305a6a4d2df09a11d
Instruction Fuzzy Hash: 45412B74E1020ADFDB48DF79D58169EBBF2FBC8204F24C9A98416D7294E7389E458F40

Function 0945F2D0 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1615652114.0000000009450000.00000040.00000800.00020000.00000000.sdmp, Offset: 09450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9450000_SPOOOFER776.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69059a21740481aa606279a208ec680c2e366ea85ef8d60cdfcb10d96e2f0cdf
Instruction ID: d9819d6f4518cf40d7645fcba941588037accc16af5f3a6b1f600d6214cc1d1b
Opcode Fuzzy Hash: 69059a21740481aa606279a208ec680c2e366ea85ef8d60cdfcb10d96e2f0cdf
Instruction Fuzzy Hash: CD01B925B186424EE74895BE9945327265767C5310B1DC4BBDD0BCB2A6CD35CD0B8742

Function 0945E9B4 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1615652114.0000000009450000.00000040.00000800.00020000.00000000.sdmp, Offset: 09450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9450000_SPOOOFER776.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c89d4ad6cf66d762520c5ca65e8222bc008939b7d9ecd8d97f964321ff6e34cf
Instruction ID: 6ea8a9c37f5f8bbbf1c98b86936b9bdd2d767fb72de7339ad21de81b961a41fe
Opcode Fuzzy Hash: c89d4ad6cf66d762520c5ca65e8222bc008939b7d9ecd8d97f964321ff6e34cf
Instruction Fuzzy Hash: 3B01F729B245014BE348A5BFD94532B2147A7C5350F09C4BBAD0BCB392CC36CD0B8783

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to lowest risk score due to lack of data" ] }
Date: unknown

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SPOOOFER776.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SPOOOFER776.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Windows Analysis Report
SPOOOFER776.exe

Function 05897DC8 Relevance: 13.2, Strings: 10, Instructions: 716
COMMON

Function 05897DD8 Relevance: 13.2, Strings: 10, Instructions: 713
COMMON

Function 07B62A98 Relevance: 2.8, Strings: 2, Instructions: 322
COMMON

Function 07B62AA8 Relevance: 2.8, Strings: 2, Instructions: 317
COMMON

Function 058921D0 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 274
COMMON