Edit tour

Windows Analysis Report
WZ6RvDzQeq.exe

Overview

General Information

Sample name:	WZ6RvDzQeq.exe
Analysis ID:	1591112
MD5:	d63f0d4ccf6dceeb0db924ce75a83251
SHA1:	3f0c5c70dd0d4e1a9052a2c6ce00da187b403566
SHA256:	25e947b199af51b580a7bc98e1ecea3dfdb1bac24403757a8e832adfb52f6738
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

AI detected suspicious sample

Found many strings related to Crypto-Wallets (likely being stolen)

Found potential dummy code loops (likely to delay analysis)

Machine Learning detection for sample

Queries memory information (via WMI often done to detect virtual machines)

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Tries to harvest and steal Bitcoin Wallet information

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for execution timing, often used to detect debuggers

Contains long sleeps (>= 3 min)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Potential time zone aware malware

Program does not show much activity (idle)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64native

WZ6RvDzQeq.exe (PID: 2084 cmdline: "C:\Users\user\Desktop\WZ6RvDzQeq.exe" MD5: D63F0D4CCF6DCEEB0DB924CE75A83251)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.18000596484.0000000002D7F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: WZ6RvDzQeq.exe PID: 2084	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

ET MALWARE Generic AsyncRAT Style SSL Cert

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T17:56:52.804853+0100	2035595	1	Domain Observed Used for C2 Detected	92.255.57.155	56001	192.168.11.20	49758	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: WZ6RvDzQeq.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: WZ6RvDzQeq.exe	Virustotal: Detection: 55%			Perma Link
Source: WZ6RvDzQeq.exe	ReversingLabs: Detection: 52%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: WZ6RvDzQeq.exe

Joe Sandbox ML: detected

Source: WZ6RvDzQeq.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: WZ6RvDzQeq.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 92.255.57.155:56001 -> 192.168.11.20:49758

Source: global traffic

TCP traffic: 192.168.11.20:49758 -> 92.255.57.155:56001

Source: Joe Sandbox View	IP Address: 92.255.57.155 92.255.57.155
Source: Joe Sandbox View	IP Address: 92.255.57.155 92.255.57.155

Source: Joe Sandbox View

ASN Name: TELSPRU TELSPRU

Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155

Source: WZ6RvDzQeq.exe, 00000000.00000002.18005688059.0000000005560000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: WZ6RvDzQeq.exe, 00000000.00000002.18005688059.0000000005560000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: WZ6RvDzQeq.exe, 00000000.00000002.17998975929.0000000000D4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: WZ6RvDzQeq.exe, 00000000.00000002.17998975929.0000000000D9D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: WZ6RvDzQeq.exe, 00000000.00000002.18000596484.0000000002D7F000.00000004.00000800.00020000.00000000.sdmp, WZ6RvDzQeq.exe, 00000000.00000002.18000596484.000000000323E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: WZ6RvDzQeq.exe, 00000000.00000002.18005688059.0000000005560000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm0
Source: WZ6RvDzQeq.exe, 00000000.00000002.18000596484.0000000002D7F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/DFfe9ewf/test3/raw/refs/heads/main/WebDriver.dll
Source: WZ6RvDzQeq.exe, 00000000.00000002.18000596484.0000000002D7F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/DFfe9ewf/test3/raw/refs/heads/main/chromedriver.exe
Source: WZ6RvDzQeq.exe, 00000000.00000002.18000596484.0000000002D7F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/DFfe9ewf/test3/raw/refs/heads/main/msedgedriver.exe
Source: WZ6RvDzQeq.exe, 00000000.00000002.18005688059.0000000005560000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: WZ6RvDzQeq.exe, 00000000.00000002.18000596484.0000000002D7F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: WZ6RvDzQeq.exe, 00000000.00000002.18000596484.0000000002D7F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: WZ6RvDzQeq.exe, 00000000.00000002.18000596484.0000000002D7F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354rCannot

Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Code function: 0_2_02D3469D	0_2_02D3469D
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Code function: 0_2_02D347E5	0_2_02D347E5
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Code function: 0_2_02D348A0	0_2_02D348A0
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Code function: 0_2_02D31C1F	0_2_02D31C1F
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Code function: 0_2_02D31C30	0_2_02D31C30

Source: WZ6RvDzQeq.exe, 00000000.00000002.18000596484.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePutsblg.dll" vs WZ6RvDzQeq.exe
Source: WZ6RvDzQeq.exe, 00000000.00000002.17998975929.0000000000CDE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs WZ6RvDzQeq.exe
Source: WZ6RvDzQeq.exe, 00000000.00000002.18003238917.0000000003E17000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePutsblg.dll" vs WZ6RvDzQeq.exe
Source: WZ6RvDzQeq.exe, 00000000.00000002.18004515214.00000000052C0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenamePutsblg.dll" vs WZ6RvDzQeq.exe
Source: WZ6RvDzQeq.exe, 00000000.00000000.15539935795.00000000007BC000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameFzewje.exe" vs WZ6RvDzQeq.exe
Source: WZ6RvDzQeq.exe	Binary or memory string: OriginalFilenameFzewje.exe" vs WZ6RvDzQeq.exe

Source: WZ6RvDzQeq.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: WZ6RvDzQeq.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.spyw.evad.winEXE@1/0@0/1

Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Mutant created: \Sessions\1\BaseNamedObjects\ba5217eadeaf

Source: WZ6RvDzQeq.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: WZ6RvDzQeq.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: WZ6RvDzQeq.exe	Virustotal: Detection: 55%
Source: WZ6RvDzQeq.exe	ReversingLabs: Detection: 52%

Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Section loaded: wbemcomn.dll	Jump to behavior

Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: WZ6RvDzQeq.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: WZ6RvDzQeq.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: WZ6RvDzQeq.exe

Static PE information: 0xCAFB9F6F [Tue Nov 30 08:53:03 2077 UTC]

Source: WZ6RvDzQeq.exe

Static PE information: section name: .text entropy: 7.872285671131451

Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries memory information (via WMI often done to detect virtual machines)

Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_PhysicalMemory

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_PhysicalMemory

Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Memory allocated: 2B50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Memory allocated: 2D50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Memory allocated: 2B50000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe

Code function: 0_2_02D34589 rdtsc

0_2_02D34589

Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe

Window / User API: threadDelayed 9945

Jump to behavior

Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe TID: 3704	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe TID: 3704	Thread sleep time: -33000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe TID: 4276	Thread sleep count: 9945 > 30	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe TID: 3704	Thread sleep time: -32875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe TID: 3704	Thread sleep time: -32766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe TID: 3704	Thread sleep time: -32656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe TID: 3704	Thread sleep time: -32547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe TID: 3704	Thread sleep time: -32438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe TID: 3704	Thread sleep time: -32313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe TID: 3704	Thread sleep time: -32203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe TID: 3704	Thread sleep time: -32094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe TID: 3704	Thread sleep time: -31969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe TID: 3704	Thread sleep time: -31860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe TID: 3704	Thread sleep time: -31735s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe

System information queried: CurrentTimeZoneInformation

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Thread delayed: delay time: 33000	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Thread delayed: delay time: 32875	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Thread delayed: delay time: 32766	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Thread delayed: delay time: 32656	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Thread delayed: delay time: 32547	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Thread delayed: delay time: 32438	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Thread delayed: delay time: 32313	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Thread delayed: delay time: 32203	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Thread delayed: delay time: 32094	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Thread delayed: delay time: 31969	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Thread delayed: delay time: 31860	Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Thread delayed: delay time: 31735	Jump to behavior

Source: WZ6RvDzQeq.exe, 00000000.00000002.17998975929.0000000000D9D000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlliig

Anti Debugging

Found potential dummy code loops (likely to delay analysis)

Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe

Process Stats: CPU usage > 5% for more than 60s

Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe

Code function: 0_2_02D34589 rdtsc

0_2_02D34589

Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe

Process token adjusted: Debug

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: WZ6RvDzQeq.exe, 00000000.00000002.18000596484.000000000320A000.00000004.00000800.00020000.00000000.sdmp, WZ6RvDzQeq.exe, 00000000.00000002.18000596484.00000000031B8000.00000004.00000800.00020000.00000000.sdmp, WZ6RvDzQeq.exe, 00000000.00000002.18000596484.00000000030FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: WZ6RvDzQeq.exe, 00000000.00000002.18000596484.000000000320A000.00000004.00000800.00020000.00000000.sdmp, WZ6RvDzQeq.exe, 00000000.00000002.18000596484.000000000307F000.00000004.00000800.00020000.00000000.sdmp, WZ6RvDzQeq.exe, 00000000.00000002.18007085145.00000000072FD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager*
Source: WZ6RvDzQeq.exe, 00000000.00000002.18000596484.00000000030FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Managerh{
Source: WZ6RvDzQeq.exe, 00000000.00000002.18000596484.000000000320A000.00000004.00000800.00020000.00000000.sdmp, WZ6RvDzQeq.exe, 00000000.00000002.18000596484.00000000031B8000.00000004.00000800.00020000.00000000.sdmp, WZ6RvDzQeq.exe, 00000000.00000002.18000596484.0000000003146000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerTe

Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Queries volume information: C:\Users\user\Desktop\WZ6RvDzQeq.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Found many strings related to Crypto-Wallets (likely being stolen)

Source: WZ6RvDzQeq.exe, 00000000.00000002.18005688059.000000000557F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Electrum\wallets
Source: WZ6RvDzQeq.exe, 00000000.00000002.18000596484.000000000307F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q com.liberty.jaxx
Source: WZ6RvDzQeq.exe, 00000000.00000002.17998975929.0000000000D4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet*
Source: WZ6RvDzQeq.exe, 00000000.00000002.18005688059.000000000557F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ethereum\keystore
Source: WZ6RvDzQeq.exe, 00000000.00000002.17998975929.0000000000D4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet*
Source: WZ6RvDzQeq.exe, 00000000.00000002.18005688059.000000000557F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ethereum\keystore
Source: WZ6RvDzQeq.exe, 00000000.00000002.18005688059.000000000557F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ethereum\keystore

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\Desktop\WZ6RvDzQeq.exe

Key opened: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt

Jump to behavior

Source: Yara match	File source: 00000000.00000002.18000596484.0000000002D7F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: WZ6RvDzQeq.exe PID: 2084, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	321 Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	442 Virtualization/Sandbox Evasion	LSASS Memory	531 Security Software Discovery	Remote Desktop Protocol	1 Data from Local System	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	442 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Software Packing	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Timestomp	Cached Domain Credentials	213 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
WZ6RvDzQeq.exe	56%	Virustotal		Browse
WZ6RvDzQeq.exe	53%	ReversingLabs	ByteCode-MSIL.Trojan.Jalapeno
WZ6RvDzQeq.exe	100%	Avira	HEUR/AGEN.1323341
WZ6RvDzQeq.exe	100%	Joe Sandbox ML

Name	Source	Malicious	Reputation
http://www.quovadis.bm0	WZ6RvDzQeq.exe, 00000000.00000002.18005688059.0000000005560000.00000004.00000020.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/14436606/23354	WZ6RvDzQeq.exe, 00000000.00000002.18000596484.0000000002D7F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://ocsp.quovadisoffshore.com0	WZ6RvDzQeq.exe, 00000000.00000002.18005688059.0000000005560000.00000004.00000020.00020000.00000000.sdmp	false	high
https://github.com/DFfe9ewf/test3/raw/refs/heads/main/WebDriver.dll	WZ6RvDzQeq.exe, 00000000.00000002.18000596484.0000000002D7F000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	WZ6RvDzQeq.exe, 00000000.00000002.18000596484.0000000002D7F000.00000004.00000800.00020000.00000000.sdmp, WZ6RvDzQeq.exe, 00000000.00000002.18000596484.000000000323E000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/2152978/23354rCannot	WZ6RvDzQeq.exe, 00000000.00000002.18000596484.0000000002D7F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/11564914/23354;	WZ6RvDzQeq.exe, 00000000.00000002.18000596484.0000000002D7F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/DFfe9ewf/test3/raw/refs/heads/main/chromedriver.exe	WZ6RvDzQeq.exe, 00000000.00000002.18000596484.0000000002D7F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/DFfe9ewf/test3/raw/refs/heads/main/msedgedriver.exe	WZ6RvDzQeq.exe, 00000000.00000002.18000596484.0000000002D7F000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
92.255.57.155	unknown	Russian Federation		42253	TELSPRU	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1591112
Start date and time:	2025-01-14 17:54:40 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 15s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Suspected VM Detection
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	WZ6RvDzQeq.exe
Detection:	MAL
Classification:	mal100.spyw.evad.winEXE@1/0@0/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 16 Number of non-executed functions: 6
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Execution Graph export aborted for target WZ6RvDzQeq.exe, PID 2084 because it is empty
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:56:51	API Interceptor	13282212x Sleep call for process: WZ6RvDzQeq.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
92.255.57.155	http://92.255.57.155/1/1.png	Get hash	malicious	Unknown	Browse	92.255.57.155/1/1.png
	anyrunsample.ps1	Get hash	malicious	Unknown	Browse	92.255.57.155/1/1.png
	https://reviewgustereports.com/	Get hash	malicious	CAPTCHA Scam ClickFix, XWorm	Browse	92.255.57.155/1/1.png

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELSPRU	2.ps1	Get hash	malicious	Unknown	Browse	92.255.57.155
	2.ps1	Get hash	malicious	Unknown	Browse	92.255.57.155
	92.255.57_1.112.ps1	Get hash	malicious	XWorm	Browse	92.255.57.112
	book_lumm2.dat.exe	Get hash	malicious	XWorm	Browse	92.255.57.112
	http://92.255.57.155/1/1.png	Get hash	malicious	Unknown	Browse	92.255.57.155
	92.255.57.155.ps1	Get hash	malicious	XWorm	Browse	92.255.57.155
	png2obj1_XClient.exe	Get hash	malicious	XWorm	Browse	92.255.57.155
	Dm35sdidf3.exe	Get hash	malicious	XWorm	Browse	92.255.57.155

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.856791476993461
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	WZ6RvDzQeq.exe
File size:	365'568 bytes
MD5:	d63f0d4ccf6dceeb0db924ce75a83251
SHA1:	3f0c5c70dd0d4e1a9052a2c6ce00da187b403566
SHA256:	25e947b199af51b580a7bc98e1ecea3dfdb1bac24403757a8e832adfb52f6738
SHA512:	a9846ee5541e2a140a541b5d78af9476c2d9606a581d2eb0109b1ceb75abcb244e8b4c0f32facfff5f5e568e7b27b4cad9bccf26f3ba8720ebb58cb4cc0ef064
SSDEEP:	6144:rygIsrPEg1pEZS8pV07t854csHTE1WJvYSM3D5To6wUXZRC2L/mdsIsfyEaJaa:W21uZS8pq71cCJvCm6nXLFLO2qaa
TLSH:	9C74021077CF8321E1284AB688E7686613F5D3072E73C7577A4692C11EE33C69B96B8D
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...o.................0.............~.... ........@.. ....................................@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x45a97e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xCAFB9F6F [Tue Nov 30 08:53:03 2077 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5a930	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5c000	0x560	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5e000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x58984	0x58a00	d2ca19ae7178665eadbda2dac9b663f4	False	0.9205196579689704	data	7.872285671131451	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x5c000	0x560	0x600	d73e5769a0afb2d9a9a3c1152abe6084	False	0.4016927083333333	data	3.9326269831708895	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x5e000	0xc	0x200	93e2d3f363bbc8046e2c6cbf9530b91e	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x5c0a0	0x2d4	data			0.43370165745856354
RT_MANIFEST	0x5c374	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-14T17:56:52.804853+0100	2035595	ET MALWARE Generic AsyncRAT Style SSL Cert	1	92.255.57.155	56001	192.168.11.20	49758	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 17:56:51.849020958 CET	49758	56001	192.168.11.20	92.255.57.155
Jan 14, 2025 17:56:52.082362890 CET	56001	49758	92.255.57.155	192.168.11.20
Jan 14, 2025 17:56:52.082539082 CET	49758	56001	192.168.11.20	92.255.57.155
Jan 14, 2025 17:56:52.083579063 CET	49758	56001	192.168.11.20	92.255.57.155
Jan 14, 2025 17:56:52.316586971 CET	56001	49758	92.255.57.155	192.168.11.20
Jan 14, 2025 17:56:52.316714048 CET	49758	56001	192.168.11.20	92.255.57.155
Jan 14, 2025 17:56:52.556423903 CET	56001	49758	92.255.57.155	192.168.11.20
Jan 14, 2025 17:56:52.556557894 CET	56001	49758	92.255.57.155	192.168.11.20
Jan 14, 2025 17:56:52.556761026 CET	49758	56001	192.168.11.20	92.255.57.155
Jan 14, 2025 17:56:52.570533037 CET	49758	56001	192.168.11.20	92.255.57.155
Jan 14, 2025 17:56:52.804852962 CET	56001	49758	92.255.57.155	192.168.11.20
Jan 14, 2025 17:56:52.854824066 CET	49758	56001	192.168.11.20	92.255.57.155
Jan 14, 2025 17:56:54.283312082 CET	49758	56001	192.168.11.20	92.255.57.155
Jan 14, 2025 17:56:54.568799019 CET	56001	49758	92.255.57.155	192.168.11.20
Jan 14, 2025 17:56:54.568991899 CET	49758	56001	192.168.11.20	92.255.57.155
Jan 14, 2025 17:56:54.848220110 CET	56001	49758	92.255.57.155	192.168.11.20
Jan 14, 2025 17:57:15.309118986 CET	56001	49758	92.255.57.155	192.168.11.20
Jan 14, 2025 17:57:15.350003958 CET	49758	56001	192.168.11.20	92.255.57.155
Jan 14, 2025 17:57:15.583373070 CET	56001	49758	92.255.57.155	192.168.11.20
Jan 14, 2025 17:57:15.631120920 CET	49758	56001	192.168.11.20	92.255.57.155
Jan 14, 2025 17:57:25.833779097 CET	49758	56001	192.168.11.20	92.255.57.155
Jan 14, 2025 17:57:26.113456964 CET	56001	49758	92.255.57.155	192.168.11.20
Jan 14, 2025 17:57:26.113668919 CET	49758	56001	192.168.11.20	92.255.57.155
Jan 14, 2025 17:57:26.347662926 CET	56001	49758	92.255.57.155	192.168.11.20
Jan 14, 2025 17:57:26.394449949 CET	49758	56001	192.168.11.20	92.255.57.155
Jan 14, 2025 17:57:26.627814054 CET	56001	49758	92.255.57.155	192.168.11.20
Jan 14, 2025 17:57:26.633359909 CET	49758	56001	192.168.11.20	92.255.57.155
Jan 14, 2025 17:57:26.920375109 CET	56001	49758	92.255.57.155	192.168.11.20
Jan 14, 2025 17:57:26.920576096 CET	49758	56001	192.168.11.20	92.255.57.155
Jan 14, 2025 17:57:27.201646090 CET	56001	49758	92.255.57.155	192.168.11.20
Jan 14, 2025 17:57:38.320220947 CET	56001	49758	92.255.57.155	192.168.11.20
Jan 14, 2025 17:57:38.376188993 CET	49758	56001	192.168.11.20	92.255.57.155
Jan 14, 2025 17:57:38.610364914 CET	56001	49758	92.255.57.155	192.168.11.20
Jan 14, 2025 17:57:38.657295942 CET	49758	56001	192.168.11.20	92.255.57.155
Jan 14, 2025 17:57:58.840792894 CET	49758	56001	192.168.11.20	92.255.57.155
Jan 14, 2025 17:57:59.116759062 CET	56001	49758	92.255.57.155	192.168.11.20
Jan 14, 2025 17:57:59.116971970 CET	49758	56001	192.168.11.20	92.255.57.155
Jan 14, 2025 17:57:59.350339890 CET	56001	49758	92.255.57.155	192.168.11.20
Jan 14, 2025 17:57:59.402750015 CET	49758	56001	192.168.11.20	92.255.57.155
Jan 14, 2025 17:57:59.635885000 CET	56001	49758	92.255.57.155	192.168.11.20
Jan 14, 2025 17:57:59.637610912 CET	49758	56001	192.168.11.20	92.255.57.155
Jan 14, 2025 17:57:59.923686981 CET	56001	49758	92.255.57.155	192.168.11.20
Jan 14, 2025 17:57:59.923912048 CET	49758	56001	192.168.11.20	92.255.57.155
Jan 14, 2025 17:58:00.200330973 CET	56001	49758	92.255.57.155	192.168.11.20
Jan 14, 2025 17:58:01.331717014 CET	56001	49758	92.255.57.155	192.168.11.20
Jan 14, 2025 17:58:01.386909008 CET	49758	56001	192.168.11.20	92.255.57.155
Jan 14, 2025 17:58:01.620390892 CET	56001	49758	92.255.57.155	192.168.11.20
Jan 14, 2025 17:58:01.667932034 CET	49758	56001	192.168.11.20	92.255.57.155
Jan 14, 2025 17:58:31.843808889 CET	49758	56001	192.168.11.20	92.255.57.155
Jan 14, 2025 17:58:32.120848894 CET	56001	49758	92.255.57.155	192.168.11.20
Jan 14, 2025 17:58:32.121047974 CET	49758	56001	192.168.11.20	92.255.57.155
Jan 14, 2025 17:58:32.354345083 CET	56001	49758	92.255.57.155	192.168.11.20
Jan 14, 2025 17:58:32.395538092 CET	49758	56001	192.168.11.20	92.255.57.155
Jan 14, 2025 17:58:32.635607004 CET	56001	49758	92.255.57.155	192.168.11.20
Jan 14, 2025 17:58:32.637285948 CET	49758	56001	192.168.11.20	92.255.57.155
Jan 14, 2025 17:58:32.913991928 CET	56001	49758	92.255.57.155	192.168.11.20
Jan 14, 2025 17:58:32.914128065 CET	49758	56001	192.168.11.20	92.255.57.155
Jan 14, 2025 17:58:33.189059019 CET	56001	49758	92.255.57.155	192.168.11.20
Jan 14, 2025 17:59:04.854506969 CET	49758	56001	192.168.11.20	92.255.57.155
Jan 14, 2025 17:59:05.138462067 CET	56001	49758	92.255.57.155	192.168.11.20
Jan 14, 2025 17:59:05.138596058 CET	49758	56001	192.168.11.20	92.255.57.155
Jan 14, 2025 17:59:05.372198105 CET	56001	49758	92.255.57.155	192.168.11.20
Jan 14, 2025 17:59:05.419562101 CET	49758	56001	192.168.11.20	92.255.57.155
Jan 14, 2025 17:59:05.652785063 CET	56001	49758	92.255.57.155	192.168.11.20
Jan 14, 2025 17:59:05.654802084 CET	49758	56001	192.168.11.20	92.255.57.155
Jan 14, 2025 17:59:05.929833889 CET	56001	49758	92.255.57.155	192.168.11.20
Jan 14, 2025 17:59:05.929979086 CET	49758	56001	192.168.11.20	92.255.57.155
Jan 14, 2025 17:59:06.211208105 CET	56001	49758	92.255.57.155	192.168.11.20
Jan 14, 2025 17:59:37.865052938 CET	49758	56001	192.168.11.20	92.255.57.155
Jan 14, 2025 17:59:38.142647982 CET	56001	49758	92.255.57.155	192.168.11.20
Jan 14, 2025 17:59:38.142802954 CET	49758	56001	192.168.11.20	92.255.57.155
Jan 14, 2025 17:59:38.376672029 CET	56001	49758	92.255.57.155	192.168.11.20
Jan 14, 2025 17:59:38.428006887 CET	49758	56001	192.168.11.20	92.255.57.155
Jan 14, 2025 17:59:38.661217928 CET	56001	49758	92.255.57.155	192.168.11.20
Jan 14, 2025 17:59:38.665175915 CET	49758	56001	192.168.11.20	92.255.57.155
Jan 14, 2025 17:59:38.951673031 CET	56001	49758	92.255.57.155	192.168.11.20
Jan 14, 2025 17:59:38.951843023 CET	49758	56001	192.168.11.20	92.255.57.155
Jan 14, 2025 17:59:39.226263046 CET	56001	49758	92.255.57.155	192.168.11.20
Jan 14, 2025 18:00:03.064182043 CET	49758	56001	192.168.11.20	92.255.57.155
Jan 14, 2025 18:00:03.341628075 CET	56001	49758	92.255.57.155	192.168.11.20
Jan 14, 2025 18:00:03.341856003 CET	49758	56001	192.168.11.20	92.255.57.155
Jan 14, 2025 18:00:03.575596094 CET	56001	49758	92.255.57.155	192.168.11.20
Jan 14, 2025 18:00:03.625632048 CET	49758	56001	192.168.11.20	92.255.57.155
Jan 14, 2025 18:00:03.858916044 CET	56001	49758	92.255.57.155	192.168.11.20
Jan 14, 2025 18:00:03.860342979 CET	49758	56001	192.168.11.20	92.255.57.155
Jan 14, 2025 18:00:04.143266916 CET	56001	49758	92.255.57.155	192.168.11.20
Jan 14, 2025 18:00:04.143431902 CET	49758	56001	192.168.11.20	92.255.57.155
Jan 14, 2025 18:00:04.425740004 CET	56001	49758	92.255.57.155	192.168.11.20
Jan 14, 2025 18:00:36.071046114 CET	49758	56001	192.168.11.20	92.255.57.155
Jan 14, 2025 18:00:36.346498013 CET	56001	49758	92.255.57.155	192.168.11.20
Jan 14, 2025 18:00:36.346649885 CET	49758	56001	192.168.11.20	92.255.57.155
Jan 14, 2025 18:00:36.579754114 CET	56001	49758	92.255.57.155	192.168.11.20
Jan 14, 2025 18:00:36.633989096 CET	49758	56001	192.168.11.20	92.255.57.155
Jan 14, 2025 18:00:36.867266893 CET	56001	49758	92.255.57.155	192.168.11.20
Jan 14, 2025 18:00:36.870126009 CET	49758	56001	192.168.11.20	92.255.57.155
Jan 14, 2025 18:00:37.154436111 CET	56001	49758	92.255.57.155	192.168.11.20
Jan 14, 2025 18:00:37.154649019 CET	49758	56001	192.168.11.20	92.255.57.155
Jan 14, 2025 18:00:37.435682058 CET	56001	49758	92.255.57.155	192.168.11.20
Jan 14, 2025 18:00:53.174429893 CET	49758	56001	192.168.11.20	92.255.57.155
Jan 14, 2025 18:00:53.457833052 CET	56001	49758	92.255.57.155	192.168.11.20
Jan 14, 2025 18:00:53.457981110 CET	49758	56001	192.168.11.20	92.255.57.155
Jan 14, 2025 18:00:53.691591978 CET	56001	49758	92.255.57.155	192.168.11.20
Jan 14, 2025 18:00:53.739648104 CET	49758	56001	192.168.11.20	92.255.57.155
Jan 14, 2025 18:00:53.972924948 CET	56001	49758	92.255.57.155	192.168.11.20
Jan 14, 2025 18:00:53.973535061 CET	49758	56001	192.168.11.20	92.255.57.155
Jan 14, 2025 18:00:54.249327898 CET	56001	49758	92.255.57.155	192.168.11.20
Jan 14, 2025 18:00:54.249500036 CET	49758	56001	192.168.11.20	92.255.57.155
Jan 14, 2025 18:00:54.525280952 CET	56001	49758	92.255.57.155	192.168.11.20
Jan 14, 2025 18:01:26.170380116 CET	49758	56001	192.168.11.20	92.255.57.155
Jan 14, 2025 18:01:26.446623087 CET	56001	49758	92.255.57.155	192.168.11.20
Jan 14, 2025 18:01:26.446796894 CET	49758	56001	192.168.11.20	92.255.57.155
Jan 14, 2025 18:01:26.680833101 CET	56001	49758	92.255.57.155	192.168.11.20
Jan 14, 2025 18:01:26.732472897 CET	49758	56001	192.168.11.20	92.255.57.155
Jan 14, 2025 18:01:26.966114044 CET	56001	49758	92.255.57.155	192.168.11.20
Jan 14, 2025 18:01:26.966819048 CET	49758	56001	192.168.11.20	92.255.57.155
Jan 14, 2025 18:01:27.254079103 CET	56001	49758	92.255.57.155	192.168.11.20
Jan 14, 2025 18:01:27.254268885 CET	49758	56001	192.168.11.20	92.255.57.155
Jan 14, 2025 18:01:27.535067081 CET	56001	49758	92.255.57.155	192.168.11.20

Target ID:	0
Start time:	11:56:45
Start date:	14/01/2025
Path:	C:\Users\user\Desktop\WZ6RvDzQeq.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\WZ6RvDzQeq.exe"
Imagebase:	0x760000
File size:	365'568 bytes
MD5 hash:	D63F0D4CCF6DCEEB0DB924CE75A83251
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.18000596484.0000000002D7F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Function 02D318F1 Relevance: 5.2, Strings: 4, Instructions: 163COMMON

Download Yara Rule

Strings

Teq, xrefs: 02D31A55
Teq, xrefs: 02D3196A
Teq, xrefs: 02D31A3F
Teq, xrefs: 02D31A00

Memory Dump Source

Source File: 00000000.00000002.18000541539.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d30000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID: Teq$Teq$Teq$Teq
API String ID: 0-3690903476
Opcode ID: ae3c302c08020bb951a9896fec4296938750e114f8533192950e6be7dc763883
Instruction ID: 00a7eb448c9f98adb542cdc18b2693b4ace3da699a33d16ae620312161037295
Opcode Fuzzy Hash: ae3c302c08020bb951a9896fec4296938750e114f8533192950e6be7dc763883
Instruction Fuzzy Hash: 50515A74B042158FCB05DF78D498A6DBBF2BF89300F2544A9E44ADB3A5CA70DC02CB61

Function 02D31900 Relevance: 5.2, Strings: 4, Instructions: 155COMMON

Download Yara Rule

Strings

Teq, xrefs: 02D31A55
Teq, xrefs: 02D3196A
Teq, xrefs: 02D31A3F
Teq, xrefs: 02D31A00

Memory Dump Source

Source File: 00000000.00000002.18000541539.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d30000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID: Teq$Teq$Teq$Teq
API String ID: 0-3690903476
Opcode ID: 29385d7e1b178a2ea188cdd2126e6f3d3bba39123b3589f92bf04a7d0e9f4fc6
Instruction ID: f207555c89877c76d6c9e5f9347429fbf567d8e275ff35057deb2b3fbb10f9c3
Opcode Fuzzy Hash: 29385d7e1b178a2ea188cdd2126e6f3d3bba39123b3589f92bf04a7d0e9f4fc6
Instruction Fuzzy Hash: 43513874B001158FDB45DF69D498AADB7F2BF8C300F254469E54ADB3A4CA70DC02CB61

Function 02D31EA8 Relevance: .3, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.18000541539.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d30000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b52b5a4b073ae075cbd090e3beac4a4b1b271b08cab047cbc41026cba247cc9
Instruction ID: 9a8e35350e14b78d6069c6bf221a6008210982c5c557d28d673a682b8aa5e5b8
Opcode Fuzzy Hash: 6b52b5a4b073ae075cbd090e3beac4a4b1b271b08cab047cbc41026cba247cc9
Instruction Fuzzy Hash: FEC1CD75A003009FD716DF29D498B9ABBF2FF89310F1585A9D802AB365DB31EC46CB90

Function 02D317F8 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.18000541539.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d30000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e42a040746c925c65f71550c2669d486db59a780c2286cc6c196ca1b6504f430
Instruction ID: 1a3c1431cedfaa00546d843cc20100a026a59d56146bdf1896510fc26ebdcad0
Opcode Fuzzy Hash: e42a040746c925c65f71550c2669d486db59a780c2286cc6c196ca1b6504f430
Instruction Fuzzy Hash: C511E335700241AFC307EB39E858B2B7BE5EFC9650B1541A9E905CF39AEB60DC00CB90

Function 02D31808 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.18000541539.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d30000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66cc5b3a3a3f968cb185fa1658c5cf1bca43033a6bc3799e1cbf120a2065031e
Instruction ID: 31a73cb446144d181b3f8fbbd2974b95edc4de7580d1343456d78adb45902edb
Opcode Fuzzy Hash: 66cc5b3a3a3f968cb185fa1658c5cf1bca43033a6bc3799e1cbf120a2065031e
Instruction Fuzzy Hash: E611A135700201AFD356EB29E998F2B77E6EFC8690B558169E909CB355EF70EC01CB90

Function 011FD7F1 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.17999977357.00000000011FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11fd000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 229a5a69cae6dd09e7475501ab47eca9d4c235d1e028e715cdcf10eb60582556
Instruction ID: 2fec44ae34047893a04a2fa9a2a08a5630922b08ce09065d7ad8e02697abd391
Opcode Fuzzy Hash: 229a5a69cae6dd09e7475501ab47eca9d4c235d1e028e715cdcf10eb60582556
Instruction Fuzzy Hash: 3001F7724043409BFB244A99DCC0776BF98EF81270F14801EEE4C0E283C3389840CAB2

Function 011FD7F0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.17999977357.00000000011FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11fd000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 578094ba9f1fe2a71eb27412f3d63a659f72f2810b680dd82bf974e5ca70d09b
Instruction ID: da9d83cd86745314f7fdfc2fe1aabf7f49a7faf130626d72bf1bf7ba0b9526aa
Opcode Fuzzy Hash: 578094ba9f1fe2a71eb27412f3d63a659f72f2810b680dd82bf974e5ca70d09b
Instruction Fuzzy Hash: 65F0CD72405344AEEB218A0ADCC4B62FF98EB81734F18C05EEE0C0F283C3789844CAB1

Function 02D30981 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.18000541539.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d30000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37b3be34b508519e93f9f601104b881a2a9a231065476944461f8b97a8cb4a8d
Instruction ID: 4d819719b6cbb1908f6a200516ebe57a6f606be688ad8b8ef45a4888efe15107
Opcode Fuzzy Hash: 37b3be34b508519e93f9f601104b881a2a9a231065476944461f8b97a8cb4a8d
Instruction Fuzzy Hash: 9AF08160908643CBD30BAB35D014296BBE1BF92315F19C66AC59E5B646DA35DC02C702

Function 02D308A4 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.18000541539.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d30000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25498eb8b0082e76255930790d2fb5853cd3f1bd3a20e0ce8ba9b057e77ee91f
Instruction ID: 6d43babb1c8ba0c5b772fbe94b2b2e9d63052941186ba47479c45f53712feeec
Opcode Fuzzy Hash: 25498eb8b0082e76255930790d2fb5853cd3f1bd3a20e0ce8ba9b057e77ee91f
Instruction Fuzzy Hash: BAE0DF70905309EFCB02EFB0E90486DBBBAEB05209B100199D905CB341EA305E00DBC1

Function 02D308A8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.18000541539.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d30000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b854b8f488438b11237c86eadd6562553d79b9ef56d44493062733c4f354523
Instruction ID: f50414d141243b862dc202b94b8f98720b79197a6e96310f1138414d2bd61234
Opcode Fuzzy Hash: 4b854b8f488438b11237c86eadd6562553d79b9ef56d44493062733c4f354523
Instruction Fuzzy Hash: 7BE08C30900309EFCB06EFB0EA0896CB7B6FB08205B100199D909DB340EB305E00DBC1

Function 02D3152A Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.18000541539.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d30000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 619a9ae16db2f11ea9dbd6909f79d20d59fd42b57bbbc064188daf9090bfea38
Instruction ID: 5f73a22230edadfe4998f95736baebaffa5ef4892059e066c8c502da90743459
Opcode Fuzzy Hash: 619a9ae16db2f11ea9dbd6909f79d20d59fd42b57bbbc064188daf9090bfea38
Instruction Fuzzy Hash: C1D0A774A04A06C6D7067F26D504359F7D9BFA1312F49C63AC98EA2344EB30DC41C701

Function 02D30930 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.18000541539.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d30000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c51cb15eaadb523707788a9a259f329027ea053e781eced5aff9cda1b01cbda
Instruction ID: 09e88bc8b8bf07c82d01e6b7e1addf54a1c73cb85466404a5c2569feea06a871
Opcode Fuzzy Hash: 7c51cb15eaadb523707788a9a259f329027ea053e781eced5aff9cda1b01cbda
Instruction Fuzzy Hash: D0D0127109E7D45FC34307B064154913FB89D0321934A00C6D048CE063D65D081AC767

Function 02D318C9 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.18000541539.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d30000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 343b20dc68d5a56c9c5ff8d5a56851a5dedbd5b981eea8419af6d3d94556f015
Instruction ID: 1e829709ae7d4bc46546f36775e17be8a52d7548f0e5839a3d80c8bd3a5e0236
Opcode Fuzzy Hash: 343b20dc68d5a56c9c5ff8d5a56851a5dedbd5b981eea8419af6d3d94556f015
Instruction Fuzzy Hash: 47C01239980302AFDB1646B470890943B72A9652243420696E0048515AD73508A68B00

Function 02D32EB7 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.18000541539.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d30000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad4e43d3cddb9bbb5065666386fc6f0411a45c66a897e7c629d73bddf7d9d4a2
Instruction ID: 871752682e0d23106224a6d7c983b4f6e95895f21b0b408e180085cf1e85a61e
Opcode Fuzzy Hash: ad4e43d3cddb9bbb5065666386fc6f0411a45c66a897e7c629d73bddf7d9d4a2
Instruction Fuzzy Hash: 82C08C38A00104ABCF076BD0E8188ECBAF3FF88340F00011AFA0272390CA22AD50CB11

Function 02D30880 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.18000541539.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d30000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dd9913665a73b169165466d4c1cb88ec9571760d774390fadb80624900df7a0
Instruction ID: 921a8490fc37d79205d48b8af33907f12b2aa6034f8a7e44238b082e4f36fb8a
Opcode Fuzzy Hash: 6dd9913665a73b169165466d4c1cb88ec9571760d774390fadb80624900df7a0
Instruction Fuzzy Hash: 07C04CA195F3D45FCB435730142D4443F701D6320431941CFC2818D0ABC445815AD356

Function 02D30940 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.18000541539.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d30000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04588a8996ba5413dd6b0f4267be440c6694246e7a136c0135a6da670ddc7d75
Instruction ID: 822a61add2c3866e9c877a6244f8ad6e657845bf14b921ac51cfaa6686030e0e
Opcode Fuzzy Hash: 04588a8996ba5413dd6b0f4267be440c6694246e7a136c0135a6da670ddc7d75
Instruction Fuzzy Hash: 34900271144A0C9B85512795750D955779C95447157C00151A50D555066A55642046A6

Non-executed Functions

Function 02D31C1F Relevance: 2.7, Strings: 2, Instructions: 154COMMON

Download Yara Rule

Strings

4'q, xrefs: 02D31CF9
4'q, xrefs: 02D31CCE

Memory Dump Source

Source File: 00000000.00000002.18000541539.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d30000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID: 4'q$4'q
API String ID: 0-1467158625
Opcode ID: 5fff1b89fd1bba14e6f90c36a886dad7a4198bc1b1ca0ca274fc718d3e3255e1
Instruction ID: df0d0aca37b72f2ed3b30b78df4fe86405f6c8c5e53f3ea203e05b094b1afa47
Opcode Fuzzy Hash: 5fff1b89fd1bba14e6f90c36a886dad7a4198bc1b1ca0ca274fc718d3e3255e1
Instruction Fuzzy Hash: FE515A76E107448FE71AEF7AF85578ABBE3BBD8244F04C129C1089B369EB355806CB50

Function 02D31C30 Relevance: 2.6, Strings: 2, Instructions: 149COMMON

Download Yara Rule

Strings

4'q, xrefs: 02D31CF9
4'q, xrefs: 02D31CCE

Memory Dump Source

Source File: 00000000.00000002.18000541539.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d30000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID: 4'q$4'q
API String ID: 0-1467158625
Opcode ID: 4486534fce11c1137a1e83db74c36ae4ea4991ec6e1c08e7e1c4c22c7f7c2ad2
Instruction ID: 31f0342654b947a643f2291376f649ee980f20d00b28c4dbfd916b38cfee7f4a
Opcode Fuzzy Hash: 4486534fce11c1137a1e83db74c36ae4ea4991ec6e1c08e7e1c4c22c7f7c2ad2
Instruction Fuzzy Hash: 1E514775E107448FE71AEF7AF85578ABBE3BBD8244F04C12AC1089B369EB355806CB51

Function 02D347E5 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.18000541539.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d30000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b28471773b61233ae6623bc08d12df8a61b4294afe3cdf8dfe5cad11f34f78d9
Instruction ID: b10f03b37aeaf513df4cb9086c272c7e675fdfe0c8954962fb8e9a6ab24bef8f
Opcode Fuzzy Hash: b28471773b61233ae6623bc08d12df8a61b4294afe3cdf8dfe5cad11f34f78d9
Instruction Fuzzy Hash: B0B15C71A0165ACFDB02CF68C8952EEFBB1FF49314F5885A9C455EB201D738994ACF90

Function 02D348A0 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.18000541539.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d30000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4117ecf7fad0ca740a44d80a9e91c8f8805257696728a988486114572aaff54
Instruction ID: db891673bffb771ff3d1895ded4e57b8132d652ad871e8ffcface647c8ac411a
Opcode Fuzzy Hash: a4117ecf7fad0ca740a44d80a9e91c8f8805257696728a988486114572aaff54
Instruction Fuzzy Hash: 5FB15A71E045298FDB15CBA8C8806AEFBF1FB48304F588669D465E7306D778ED42CB94

Function 02D3469D Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.18000541539.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d30000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a140730c20bf7c744d50e0aa40e1076998d203ddad92a5c3dc50f55bdc2d532e
Instruction ID: d0c544c1a1aac00312d735db0d31e2eb76243b00e35d0cdb0c47e5f2418d24dc
Opcode Fuzzy Hash: a140730c20bf7c744d50e0aa40e1076998d203ddad92a5c3dc50f55bdc2d532e
Instruction Fuzzy Hash: C4515E71546682DFE7134F34C1AA1D6FFB1EE87224B9958D9C8828F502C72A489FDF90

Function 02D34589 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.18000541539.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d30000_WZ6RvDzQeq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e04c0976d52b73d41607b7e50cafc2b2f8a7a613054039bfa351c14f251e8c3
Instruction ID: a8d93e5097032d78cac569784210c71bbea2e81e3c3fbd27242e3ab027e01b33
Opcode Fuzzy Hash: 5e04c0976d52b73d41607b7e50cafc2b2f8a7a613054039bfa351c14f251e8c3
Instruction Fuzzy Hash: 2D41E332916782DBE7034F20C5AA192FFB0FF53260B5459EAC8829F141C729598EDF85

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report WZ6RvDzQeq.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: WZ6RvDzQeq.exePID: 2084, Parent PID: 2124

Windows Analysis Report
WZ6RvDzQeq.exe