Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe

Overview

General Information

Sample name:WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe
Analysis ID:1592387
MD5:cd3907a311e1b27e1ca9c5c2fe79b586
SHA1:117f92784c165cf878794a4879355697b175d35b
SHA256:8c98088aa44045c4b7a4a7bebe5d98480fe5cad627b772554ebd0a324cafa37c
Tags:exeMassLoggeruser-threatcat_ch
Infos:

Detection

MassLogger RAT
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected MassLogger RAT
Yara detected Telegram RAT
AI detected suspicious sample
Injects a PE file into a foreign processes
Machine Learning detection for sample
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64
  • cleanup

Malware Configuration

Threatname: MassLogger

{"EXfil Mode": "SMTP", "From": "hubservices@navecepa.com", "Password": "yiwLgN*rC4", "Server": "smtp.navecepa.com", "Port": 587}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000001.00000002.2919733627.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_MassLoggerYara detected MassLogger RATJoe Security
    00000001.00000002.2919733627.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
      00000001.00000002.2919733627.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_TelegramRATYara detected Telegram RATJoe Security
        00000001.00000002.2919733627.0000000000402000.00000040.00000400.00020000.00000000.sdmpWindows_Trojan_SnakeKeylogger_af3faa65unknownunknown
        • 0xf061:$a1: get_encryptedPassword
        • 0xf389:$a2: get_encryptedUsername
        • 0xedea:$a3: get_timePasswordChanged
        • 0xef0b:$a4: get_passwordField
        • 0xf077:$a5: set_encryptedPassword
        • 0x109dc:$a7: get_logins
        • 0x1068d:$a8: GetOutlookPasswords
        • 0x1047f:$a9: StartKeylogger
        • 0x1092c:$a10: KeyLoggerEventArgs
        • 0x104dc:$a11: KeyLoggerEventArgsEventHandler
        00000000.00000002.1679997247.0000000003C74000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_MassLoggerYara detected MassLogger RATJoe Security
          Click to see the 12 entries

          Unpacked PEs

          SourceRuleDescriptionAuthorStrings
          0.2.WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe.3c8b460.4.unpackJoeSecurity_MassLoggerYara detected MassLogger RATJoe Security
            0.2.WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe.3c8b460.4.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
              0.2.WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe.3c8b460.4.unpackJoeSecurity_TelegramRATYara detected Telegram RATJoe Security
                0.2.WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe.3c8b460.4.unpackWindows_Trojan_SnakeKeylogger_af3faa65unknownunknown
                • 0xd461:$a1: get_encryptedPassword
                • 0xd789:$a2: get_encryptedUsername
                • 0xd1ea:$a3: get_timePasswordChanged
                • 0xd30b:$a4: get_passwordField
                • 0xd477:$a5: set_encryptedPassword
                • 0xeddc:$a7: get_logins
                • 0xea8d:$a8: GetOutlookPasswords
                • 0xe87f:$a9: StartKeylogger
                • 0xed2c:$a10: KeyLoggerEventArgs
                • 0xe8dc:$a11: KeyLoggerEventArgsEventHandler
                0.2.WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe.3c8b460.4.unpackMAL_Envrial_Jan18_1Detects Encrial credential stealer malwareFlorian Roth
                • 0x124b3:$a2: \Comodo\Dragon\User Data\Default\Login Data
                • 0x119b1:$a3: \Google\Chrome\User Data\Default\Login Data
                • 0x11cbf:$a4: \Orbitum\User Data\Default\Login Data
                • 0x12ab7:$a5: \Kometa\User Data\Default\Login Data
                Click to see the 20 entries

                Sigma Signatures

                No Sigma rule has matched

                Suricata Signatures

                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2025-01-16T03:42:58.733990+010028032742Potentially Bad Traffic192.168.2.449730132.226.8.16980TCP

                Joe Sandbox Signatures

                Click to jump to signature section

                Show All Signature Results

                AV Detection

                barindex
                Antivirus / Scanner detection for submitted sample
                Source: WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeAvira: detected
                Found malware configuration
                Source: 1.2.WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe.400000.0.unpackMalware Configuration Extractor: MassLogger {"EXfil Mode": "SMTP", "From": "hubservices@navecepa.com", "Password": "yiwLgN*rC4", "Server": "smtp.navecepa.com", "Port": 587}
                Multi AV Scanner detection for submitted file
                Source: WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeReversingLabs: Detection: 34%
                AI detected suspicious sample
                Source: Submited SampleIntegrated Neural Analysis Model: Matched 99.8% probability
                Machine Learning detection for sample
                Source: WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeJoe Sandbox ML: detected

                Location Tracking

                barindex
                Tries to detect the country of the analysis system (by using the IP)
                Source: unknownDNS query: name: reallyfreegeoip.org
                Source: WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: unknownHTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49731 version: TLS 1.0
                Source: WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: G:\IMPORTANT SRC\GOOD Nova\Crypter\Stubs Fully\Public\Public Runpe\PR\PR\obj\Debug\Poses.pdb source: WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe, 00000000.00000002.1679922624.0000000002B81000.00000004.00000800.00020000.00000000.sdmp, WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe, 00000000.00000002.1679479570.0000000001070000.00000004.08000000.00040000.00000000.sdmp
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeCode function: 4x nop then jmp 02FC8922h1_2_02FC8508
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeCode function: 4x nop then jmp 02FC81F9h1_2_02FC7F48
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeCode function: 4x nop then jmp 02FC8922h1_2_02FC84F8
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeCode function: 4x nop then jmp 02FC8922h1_2_02FC884F
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeCode function: 4x nop then jmp 02FCFAF8h1_2_02FCF7F8
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: Joe Sandbox ViewIP Address: 132.226.8.169 132.226.8.169
                Source: Joe Sandbox ViewIP Address: 104.21.64.1 104.21.64.1
                Source: Joe Sandbox ViewIP Address: 104.21.64.1 104.21.64.1
                Source: Joe Sandbox ViewJA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
                Source: unknownDNS query: name: checkip.dyndns.org
                Source: unknownDNS query: name: reallyfreegeoip.org
                Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49730 -> 132.226.8.169:80
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: unknownHTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49731 version: TLS 1.0
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficDNS traffic detected: DNS query: checkip.dyndns.org
                Source: global trafficDNS traffic detected: DNS query: reallyfreegeoip.org
                Source: WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe, 00000001.00000002.2920998353.000000000325F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.com
                Source: WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe, 00000001.00000002.2920998353.000000000325F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.comd
                Source: WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe, 00000001.00000002.2920998353.000000000325F000.00000004.00000800.00020000.00000000.sdmp, WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe, 00000001.00000002.2920998353.00000000031E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org
                Source: WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe, 00000001.00000002.2920998353.00000000031E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/
                Source: WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe, 00000001.00000002.2920998353.000000000325F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/d
                Source: WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe, 00000000.00000002.1679997247.0000000003C74000.00000004.00000800.00020000.00000000.sdmp, WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe, 00000001.00000002.2919733627.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/q
                Source: WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe, 00000001.00000002.2920998353.000000000325F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.orgd
                Source: WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe, 00000001.00000002.2920998353.000000000327B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://reallyfreegeoip.org
                Source: WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe, 00000001.00000002.2920998353.000000000327B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://reallyfreegeoip.orgd
                Source: WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe, 00000001.00000002.2920998353.00000000031E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe, 00000000.00000002.1679997247.0000000003C74000.00000004.00000800.00020000.00000000.sdmp, WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe, 00000001.00000002.2919733627.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
                Source: WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe, 00000001.00000002.2920998353.000000000325F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org
                Source: WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe, 00000000.00000002.1679997247.0000000003C74000.00000004.00000800.00020000.00000000.sdmp, WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe, 00000001.00000002.2920998353.000000000325F000.00000004.00000800.00020000.00000000.sdmp, WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe, 00000001.00000002.2919733627.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/
                Source: WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe, 00000001.00000002.2920998353.000000000325F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189d
                Source: WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe, 00000001.00000002.2920998353.000000000325F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49731
                Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 443

                System Summary

                barindex
                Malicious sample detected (through community Yara rule)
                Source: 0.2.WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe.3c8b460.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 0.2.WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe.3c8b460.4.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 1.2.WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 1.2.WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 0.2.WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe.3ca2290.7.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 0.2.WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe.3ca2290.7.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 0.2.WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe.3ca2290.7.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 0.2.WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe.3ca2290.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 0.2.WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe.3c8b460.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 0.2.WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe.3c8b460.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 00000001.00000002.2919733627.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 00000000.00000002.1679997247.0000000003C74000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: Process Memory Space: WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe PID: 6960, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: Process Memory Space: WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe PID: 7064, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeCode function: 0_2_00D97AE80_2_00D97AE8
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeCode function: 0_2_00D97AD80_2_00D97AD8
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeCode function: 1_2_02FCAC081_2_02FCAC08
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeCode function: 1_2_02FC2DD11_2_02FC2DD1
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeCode function: 1_2_02FCF1281_2_02FCF128
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeCode function: 1_2_02FC7F481_2_02FC7F48
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeCode function: 1_2_02FCE7701_2_02FCE770
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeCode function: 1_2_02FCABF81_2_02FCABF8
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeCode function: 1_2_02FCEF081_2_02FCEF08
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeCode function: 1_2_02FCF7F81_2_02FCF7F8
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeCode function: 1_2_02FC7F371_2_02FC7F37
                Source: WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe, 00000000.00000002.1679922624.0000000002BB1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamePoses.dll, vs WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe
                Source: WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe, 00000000.00000002.1679922624.0000000002BB1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCloudServices.exe< vs WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe
                Source: WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe, 00000000.00000002.1678875020.0000000000C0E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe
                Source: WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe, 00000000.00000002.1679851066.0000000002B40000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameAntiBossing.dll8 vs WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe
                Source: WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe, 00000000.00000002.1679922624.0000000002B81000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamePoses.dll, vs WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe
                Source: WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe, 00000000.00000000.1675254953.00000000005FA000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenametenEleven.exe4 vs WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe
                Source: WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe, 00000000.00000002.1679479570.000000000107C000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenamePoses.dll, vs WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe
                Source: WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe, 00000000.00000002.1679997247.0000000003C74000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCloudServices.exe< vs WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe
                Source: WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe, 00000001.00000002.2920003143.00000000011B7000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe
                Source: WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe, 00000001.00000002.2919733627.000000000041A000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCloudServices.exe< vs WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe
                Source: WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeBinary or memory string: OriginalFilenametenEleven.exe4 vs WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe
                Source: WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: 0.2.WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe.3c8b460.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 0.2.WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe.3c8b460.4.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 1.2.WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 1.2.WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 0.2.WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe.3ca2290.7.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 0.2.WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe.3ca2290.7.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 0.2.WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe.3ca2290.7.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 0.2.WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe.3ca2290.7.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 0.2.WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe.3c8b460.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 0.2.WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe.3c8b460.4.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 00000001.00000002.2919733627.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 00000000.00000002.1679997247.0000000003C74000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: Process Memory Space: WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe PID: 6960, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: Process Memory Space: WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe PID: 7064, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@3/1@2/2
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe.logJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeMutant created: NULL
                Source: WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe, 00000001.00000002.2920998353.00000000032CF000.00000004.00000800.00020000.00000000.sdmp, WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe, 00000001.00000002.2920998353.00000000032DD000.00000004.00000800.00020000.00000000.sdmp, WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe, 00000001.00000002.2920998353.00000000032BF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeReversingLabs: Detection: 34%
                Source: unknownProcess created: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe "C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe"
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeProcess created: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe "C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe"
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeProcess created: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe "C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe"Jump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeSection loaded: rasapi32.dllJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeSection loaded: rasman.dllJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeSection loaded: rtutils.dllJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeSection loaded: dhcpcsvc6.dllJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeSection loaded: dhcpcsvc.dllJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeSection loaded: schannel.dllJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeSection loaded: mskeyprotect.dllJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeSection loaded: ntasn1.dllJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeSection loaded: ncrypt.dllJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeSection loaded: ncryptsslp.dllJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                Source: WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: G:\IMPORTANT SRC\GOOD Nova\Crypter\Stubs Fully\Public\Public Runpe\PR\PR\obj\Debug\Poses.pdb source: WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe, 00000000.00000002.1679922624.0000000002B81000.00000004.00000800.00020000.00000000.sdmp, WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe, 00000000.00000002.1679479570.0000000001070000.00000004.08000000.00040000.00000000.sdmp
                Source: WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeStatic PE information: 0x95727CE5 [Mon Jun 14 18:31:01 2049 UTC]
                Source: WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeStatic PE information: section name: .text entropy: 7.779566822353382

                Hooking and other Techniques for Hiding and Protection

                barindex
                Uses an obfuscated file name to hide its real file extension (double extension)
                Source: Possible double extension: doc.scrStatic PE information: WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdateJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRootJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeMemory allocated: D50000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeMemory allocated: 2B80000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeMemory allocated: FD0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeMemory allocated: 2FC0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeMemory allocated: 31E0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeMemory allocated: 3030000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe TID: 7028Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe, 00000001.00000002.2920078707.00000000014A6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllS
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeProcess information queried: ProcessInformationJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeCode function: 1_2_02FCF128 LdrInitializeThunk,LdrInitializeThunk,1_2_02FCF128
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeMemory allocated: page read and write | page guardJump to behavior

                HIPS / PFW / Operating System Protection Evasion

                barindex
                Injects a PE file into a foreign processes
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeMemory written: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe base: 400000 value starts with: 4D5AJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeProcess created: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe "C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe"Jump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeQueries volume information: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeQueries volume information: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                Stealing of Sensitive Information

                barindex
                Yara detected MassLogger RAT
                Source: Yara matchFile source: 0.2.WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe.3c8b460.4.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe.3ca2290.7.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe.3ca2290.7.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe.3c8b460.4.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000001.00000002.2919733627.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1679997247.0000000003C74000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe PID: 6960, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe PID: 7064, type: MEMORYSTR
                Yara detected Telegram RAT
                Source: Yara matchFile source: 0.2.WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe.3c8b460.4.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe.3ca2290.7.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe.3ca2290.7.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe.3c8b460.4.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000001.00000002.2919733627.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1679997247.0000000003C74000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe PID: 6960, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe PID: 7064, type: MEMORYSTR
                Tries to harvest and steal browser information (history, passwords, etc)
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                Tries to steal Mail credentials (via file / registry access)
                Source: C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                Source: Yara matchFile source: 0.2.WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe.3c8b460.4.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe.3ca2290.7.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe.3ca2290.7.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe.3c8b460.4.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000001.00000002.2919733627.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1679997247.0000000003C74000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.2920998353.0000000003304000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe PID: 6960, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe PID: 7064, type: MEMORYSTR

                Remote Access Functionality

                barindex
                Yara detected MassLogger RAT
                Source: Yara matchFile source: 0.2.WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe.3c8b460.4.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe.3ca2290.7.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe.3ca2290.7.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe.3c8b460.4.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000001.00000002.2919733627.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1679997247.0000000003C74000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe PID: 6960, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe PID: 7064, type: MEMORYSTR
                Yara detected Telegram RAT
                Source: Yara matchFile source: 0.2.WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe.3c8b460.4.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe.3ca2290.7.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe.3ca2290.7.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe.3c8b460.4.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000001.00000002.2919733627.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1679997247.0000000003C74000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe PID: 6960, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe PID: 7064, type: MEMORYSTR

                Mitre Att&ck Matrix

                ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation1
                DLL Side-Loading                		111
                Process Injection                		11
                Masquerading                		1
                OS Credential Dumping                		1
                Query Registry                		Remote Services1
                Email Collection                		11
                Encrypted Channel                		Exfiltration Over Other Network MediumAbuse Accessibility Features
                CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
                DLL Side-Loading                		1
                Disable or Modify Tools                		LSASS Memory1
                Security Software Discovery                		Remote Desktop Protocol1
                Archive Collected Data                		1
                Ingress Tool Transfer                		Exfiltration Over BluetoothNetwork Denial of Service
                Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)31
                Virtualization/Sandbox Evasion                		Security Account Manager1
                Process Discovery                		SMB/Windows Admin Shares1
                Data from Local System                		2
                Non-Application Layer Protocol                		Automated ExfiltrationData Encrypted for Impact
                Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook111
                Process Injection                		NTDS31
                Virtualization/Sandbox Evasion                		Distributed Component Object ModelInput Capture13
                Application Layer Protocol                		Traffic DuplicationData Destruction
                Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script12
                Obfuscated Files or Information                		LSA Secrets1
                System Network Configuration Discovery                		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts2
                Software Packing                		Cached Domain Credentials13
                System Information Discovery                		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                Timestomp                		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                DLL Side-Loading                		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

                Behavior Graph

                Hide Legend

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet

                Screenshots

                Thumbnails

                This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                windows-stand

                Antivirus, Machine Learning and Genetic Malware Detection

                Initial Sample

                SourceDetectionScannerLabelLink
                WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe34%ReversingLabsByteCode-MSIL.Infostealer.Tinba
                WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe100%AviraHEUR/AGEN.1308776
                WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe100%Joe Sandbox ML

                Dropped Files

                No Antivirus matches

                Unpacked PE Files

                No Antivirus matches

                Domains

                No Antivirus matches

                URLs

                SourceDetectionScannerLabelLink
                http://checkip.dyndns.orgd0%Avira URL Cloudsafe
                http://checkip.dyndns.comd0%Avira URL Cloudsafe
                http://reallyfreegeoip.orgd0%Avira URL Cloudsafe

                Domains and IPs

                Contacted Domains

                NameIPActiveMaliciousAntivirus DetectionReputation
                reallyfreegeoip.org
                		104.21.64.1
                		truefalse
                  		high
                  checkip.dyndns.com
                  		132.226.8.169
                  		truefalse
                    		high
                    checkip.dyndns.org
                    		unknown
                    		unknownfalse
                      		high

                      Contacted URLs

                      NameMaliciousAntivirus DetectionReputation
                      http://checkip.dyndns.org/false
                        		high
                        https://reallyfreegeoip.org/xml/8.46.123.189false
                          		high

                          URLs from Memory and Binaries

                          NameSourceMaliciousAntivirus DetectionReputation
                          https://reallyfreegeoip.org/xml/8.46.123.189lWOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe, 00000001.00000002.2920998353.000000000325F000.00000004.00000800.00020000.00000000.sdmpfalse
                            		high
                            http://checkip.dyndns.comdWOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe, 00000001.00000002.2920998353.000000000325F000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://checkip.dyndns.org/qWOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe, 00000000.00000002.1679997247.0000000003C74000.00000004.00000800.00020000.00000000.sdmp, WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe, 00000001.00000002.2919733627.0000000000402000.00000040.00000400.00020000.00000000.sdmpfalse
                              		high
                              http://reallyfreegeoip.orgdWOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe, 00000001.00000002.2920998353.000000000327B000.00000004.00000800.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              https://reallyfreegeoip.org/xml/8.46.123.189dWOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe, 00000001.00000002.2920998353.000000000325F000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                http://reallyfreegeoip.orgWOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe, 00000001.00000002.2920998353.000000000327B000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  http://checkip.dyndns.orgdWOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe, 00000001.00000002.2920998353.000000000325F000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  https://reallyfreegeoip.orgWOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe, 00000001.00000002.2920998353.000000000325F000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    http://checkip.dyndns.orgWOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe, 00000001.00000002.2920998353.000000000325F000.00000004.00000800.00020000.00000000.sdmp, WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe, 00000001.00000002.2920998353.00000000031E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      http://checkip.dyndns.comWOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe, 00000001.00000002.2920998353.000000000325F000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        http://checkip.dyndns.org/dWOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe, 00000001.00000002.2920998353.000000000325F000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameWOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe, 00000001.00000002.2920998353.00000000031E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		high
                                            https://api.telegram.org/bot-/sendDocument?chat_id=WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe, 00000000.00000002.1679997247.0000000003C74000.00000004.00000800.00020000.00000000.sdmp, WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe, 00000001.00000002.2919733627.0000000000402000.00000040.00000400.00020000.00000000.sdmpfalse
                                              		high
                                              https://reallyfreegeoip.org/xml/WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe, 00000000.00000002.1679997247.0000000003C74000.00000004.00000800.00020000.00000000.sdmp, WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe, 00000001.00000002.2920998353.000000000325F000.00000004.00000800.00020000.00000000.sdmp, WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe, 00000001.00000002.2919733627.0000000000402000.00000040.00000400.00020000.00000000.sdmpfalse
                                                		high

                                                World Map of Contacted IPs

                                                • No. of IPs < 25%
                                                • 25% < No. of IPs < 50%
                                                • 50% < No. of IPs < 75%
                                                • 75% < No. of IPs

                                                Public IPs

                                                IPDomainCountryFlagASNASN NameMalicious
                                                132.226.8.169
                                                		checkip.dyndns.comUnited States
                                                		16989UTMEMUSfalse
                                                104.21.64.1
                                                		reallyfreegeoip.orgUnited States
                                                		13335CLOUDFLARENETUSfalse

                                                General Information

                                                Joe Sandbox version:42.0.0 Malachite
                                                Analysis ID:1592387
                                                Start date and time:2025-01-16 03:42:04 +01:00
                                                Joe Sandbox product:CloudBasic
                                                Overall analysis duration:0h 5m 2s
                                                Hypervisor based Inspection enabled:false
                                                Report type:full
                                                Cookbook file name:default.jbs
                                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                Number of analysed new started processes analysed:6
                                                Number of new started drivers analysed:0
                                                Number of existing processes analysed:0
                                                Number of existing drivers analysed:0
                                                Number of injected processes analysed:0
                                                Technologies:
                                                • HCA enabled
                                                • EGA enabled
                                                • AMSI enabled
                                                Analysis Mode:default
                                                Analysis stop reason:Timeout
                                                Sample name:WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe
                                                Detection:MAL
                                                Classification:mal100.troj.spyw.evad.winEXE@3/1@2/2
                                                EGA Information:
                                                • Successful, ratio: 100%
                                                HCA Information:
                                                • Successful, ratio: 100%
                                                • Number of executed functions: 22
                                                • Number of non-executed functions: 1
                                                Cookbook Comments:
                                                • Found application associated with file extension: .exe

                                                Warnings

                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                • Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.107.246.45
                                                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                • Not all processes where analyzed, report is missing behavior information
                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                • Report size getting too big, too many NtQueryValueKey calls found.
                                                • Report size getting too big, too many NtReadVirtualMemory calls found.

                                                Simulations

                                                Behavior and APIs

                                                No simulations

                                                Joe Sandbox View / Context

                                                IPs

                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                132.226.8.169Confirm Bank Statement.exeGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                                • checkip.dyndns.org/
                                                PI ITS15235.docGet hashmaliciousDBatLoader, PureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                • checkip.dyndns.org/
                                                tN8GsMV1le.exeGet hashmaliciousMassLogger RATBrowse
                                                • checkip.dyndns.org/
                                                QUOTATION REQUIRED_Enatel s.r.l..bat.exeGet hashmaliciousPureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                • checkip.dyndns.org/
                                                PDF-3093900299039 pdf.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                • checkip.dyndns.org/
                                                Receipt-2502-AJL2024.exeGet hashmaliciousMassLogger RATBrowse
                                                • checkip.dyndns.org/
                                                c7WJL1gt32.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
                                                • checkip.dyndns.org/
                                                MBOaS3GRtF.exeGet hashmaliciousSnake KeyloggerBrowse
                                                • checkip.dyndns.org/
                                                fpIGwanLZi.exeGet hashmaliciousSnake KeyloggerBrowse
                                                • checkip.dyndns.org/
                                                4NG0guPiKA.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
                                                • checkip.dyndns.org/
                                                104.21.64.1NVIDIAShare.exe.bin.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                • bibaprog.ru/ProviderEternallineauthmultiTrackwordpressWpDownloads.php
                                                gem2.exeGet hashmaliciousUnknownBrowse
                                                • securetextweb.cc/STB/c2VjdXJldGV4dHdlYg==M.txt
                                                SpCuEoekPa.exeGet hashmaliciousFormBookBrowse
                                                • www.mffnow.info/0pqe/
                                                4sfN3Gx1vO.exeGet hashmaliciousFormBookBrowse
                                                • www.vilakodsiy.sbs/w7eo/
                                                1162-201.exeGet hashmaliciousFormBookBrowse
                                                • www.mzkd6gp5.top/utww/
                                                QUOTATION#050125.exeGet hashmaliciousFormBookBrowse
                                                • www.mzkd6gp5.top/3u0p/
                                                Sales Acknowledgement - HES #982323.pdfGet hashmaliciousUnknownBrowse
                                                • ordrr.statementquo.com/QCbxA/
                                                SH8ZyOWNi2.exeGet hashmaliciousCMSBruteBrowse
                                                • adsfirm.com/administrator/index.php
                                                PO2412010.exeGet hashmaliciousFormBookBrowse
                                                • www.bser101pp.buzz/v89f/

                                                Domains

                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                reallyfreegeoip.orgorder6566546663.exeGet hashmaliciousSnake KeyloggerBrowse
                                                • 104.21.48.1
                                                Order Details.exeGet hashmaliciousSnake KeyloggerBrowse
                                                • 104.21.32.1
                                                BNXCXCJSD.jseGet hashmaliciousMassLogger RATBrowse
                                                • 104.21.16.1
                                                NEWORDER.exeGet hashmaliciousMassLogger RATBrowse
                                                • 104.21.96.1
                                                Invoice No 1122207 pdf.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                • 104.21.112.1
                                                PDF6UU0CVUO2W-YGVUIO.scr.exeGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                                • 104.21.96.1
                                                PO#_1100015533.scrGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                                • 104.21.80.1
                                                1nl3hc.ps1Get hashmaliciousMassLogger RATBrowse
                                                • 104.21.112.1
                                                Contrarre.exeGet hashmaliciousMassLogger RATBrowse
                                                • 104.21.96.1
                                                Company introduction.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                • 104.21.48.1
                                                checkip.dyndns.comMV Nicos Tomasos Vessel Parts.exeGet hashmaliciousSnake KeyloggerBrowse
                                                • 193.122.6.168
                                                order6566546663.exeGet hashmaliciousSnake KeyloggerBrowse
                                                • 132.226.247.73
                                                Order Details.exeGet hashmaliciousSnake KeyloggerBrowse
                                                • 193.122.6.168
                                                BNXCXCJSD.jseGet hashmaliciousMassLogger RATBrowse
                                                • 132.226.247.73
                                                NEWORDER.exeGet hashmaliciousMassLogger RATBrowse
                                                • 132.226.247.73
                                                Invoice No 1122207 pdf.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                • 158.101.44.242
                                                PDF6UU0CVUO2W-YGVUIO.scr.exeGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                                • 193.122.130.0
                                                PO#_1100015533.scrGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                                • 193.122.130.0
                                                1nl3hc.ps1Get hashmaliciousMassLogger RATBrowse
                                                • 193.122.130.0
                                                Contrarre.exeGet hashmaliciousMassLogger RATBrowse
                                                • 193.122.6.168

                                                ASNs

                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                UTMEMUSorder6566546663.exeGet hashmaliciousSnake KeyloggerBrowse
                                                • 132.226.247.73
                                                BNXCXCJSD.jseGet hashmaliciousMassLogger RATBrowse
                                                • 132.226.247.73
                                                NEWORDER.exeGet hashmaliciousMassLogger RATBrowse
                                                • 132.226.247.73
                                                330tqxXVzm.dllGet hashmaliciousWannacryBrowse
                                                • 132.224.47.164
                                                QUOTATION REQUIRED_Enatel s.r.l..exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                • 132.226.247.73
                                                Confirm Bank Statement.exeGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                                • 132.226.8.169
                                                TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exeGet hashmaliciousPureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                • 132.226.247.73
                                                RENH3RE2025QUOTE.exeGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                                • 132.226.247.73
                                                PI ITS15235.docGet hashmaliciousDBatLoader, PureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                • 132.226.8.169
                                                tN8GsMV1le.exeGet hashmaliciousMassLogger RATBrowse
                                                • 132.226.8.169
                                                CLOUDFLARENETUSorder6566546663.exeGet hashmaliciousSnake KeyloggerBrowse
                                                • 104.21.16.1
                                                Order Details.exeGet hashmaliciousSnake KeyloggerBrowse
                                                • 104.21.32.1
                                                Subscription_Renewal_Invoice_2025_FGHDCS.htmlGet hashmaliciousHTMLPhisherBrowse
                                                • 104.17.25.14
                                                https://yogalisbon.gitcz.pw/sign-inGet hashmaliciousUnknownBrowse
                                                • 104.21.112.1
                                                http://com-evaluate-fanpage30127.pages.dev/help/contact/671203900952887Get hashmaliciousHTMLPhisherBrowse
                                                • 188.114.97.3
                                                http://docs-wltconnect.gitbook.io/us-enGet hashmaliciousHTMLPhisherBrowse
                                                • 172.64.147.209
                                                https://inhospitality.shop/Get hashmaliciousUnknownBrowse
                                                • 104.17.25.14
                                                http://shorten.so/fVj82Get hashmaliciousPorn ScamBrowse
                                                • 104.21.54.29
                                                https://m3ins.azurewebsites.net/?user-agent=Mozilla/5.0%20(Windows%20NT%2010.0;%20Win64;%20x64)%20AppleWebKit/537.36%20(KHTMLGet hashmaliciousHTMLPhisherBrowse
                                                • 188.114.96.3
                                                http://hrpibzdeam.xyz/Get hashmaliciousUnknownBrowse
                                                • 172.67.196.118

                                                JA3 Fingerprints

                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                54328bd36c14bd82ddaa0c04b25ed9adorder6566546663.exeGet hashmaliciousSnake KeyloggerBrowse
                                                • 104.21.64.1
                                                Order Details.exeGet hashmaliciousSnake KeyloggerBrowse
                                                • 104.21.64.1
                                                BNXCXCJSD.jseGet hashmaliciousMassLogger RATBrowse
                                                • 104.21.64.1
                                                NEWORDER.exeGet hashmaliciousMassLogger RATBrowse
                                                • 104.21.64.1
                                                Invoice No 1122207 pdf.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                • 104.21.64.1
                                                PDF6UU0CVUO2W-YGVUIO.scr.exeGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                                • 104.21.64.1
                                                1nl3hc.ps1Get hashmaliciousMassLogger RATBrowse
                                                • 104.21.64.1
                                                Contrarre.exeGet hashmaliciousMassLogger RATBrowse
                                                • 104.21.64.1
                                                Company introduction.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                • 104.21.64.1
                                                rDEKONT-1_15_2025__75kb__pdf.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                • 104.21.64.1

                                                Dropped Files

                                                No context

                                                Created / dropped Files

                                                C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe.log

                                                Download File
                                                Process:C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):609
                                                Entropy (8bit):5.356231720746034
                                                Encrypted:false
                                                SSDEEP:12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKharkvoDLI4MWuCq1KDLI4M6:ML9E4KlKDE4KhKiKhIE4Kx1qE4j
                                                MD5:96CC94FC13A30D01C0D672AE291242F6
                                                SHA1:96A1D1362646EB1904805C8D008A1C23B6818CD6
                                                SHA-256:87AC5F82270362FA03819438BBF1AF7BFE89F3B2116BD08BCCA4836DB38CDDE7
                                                SHA-512:D70D9B54A67AAD21444B6BDE3FA72AED2BEA5AE851646D1145D6280C0A72C3C0CB643E1930BAE23795A842C7F6B37C3D33104372CF8221B898890710126BC957
                                                Malicious:true
                                                Reputation:low
                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

                                                Static File Info

                                                General

                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                Entropy (8bit):7.765650504588911
                                                TrID:
                                                • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                • Win32 Executable (generic) a (10002005/4) 49.78%
                                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                • DOS Executable Generic (2002/1) 0.01%
                                                File name:WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe
                                                File size:235'520 bytes
                                                MD5:cd3907a311e1b27e1ca9c5c2fe79b586
                                                SHA1:117f92784c165cf878794a4879355697b175d35b
                                                SHA256:8c98088aa44045c4b7a4a7bebe5d98480fe5cad627b772554ebd0a324cafa37c
                                                SHA512:21270a775a8f532ef30f853370476c3cd512db248ee7c7f77b0b10fb7334710a814b7c49a62746d81178c8e66410050c046b32510268472f2faeabbf24c0914f
                                                SSDEEP:3072:B8C9NzwHKpHbwVAeu0Y8GC1UyAd9g8QwOTWvUMR6AR+xx7CG9UH3tSsPT:1NhpHYAbm1Uld9grwhUMR66cZodn
                                                TLSH:6F340598B2D3651EFBBD49F910D86BB40764F925261FEEBD4F24F2012C1328C2798A75
                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....|r...............0..h..........~.... ........@.. ....................................@................................

                                                File Icon

                                                Icon Hash:2e272325acd37560

                                                Static PE Info

                                                General

                                                Entrypoint:0x43867e
                                                Entrypoint Section:.text
                                                Digitally signed:false
                                                Imagebase:0x400000
                                                Subsystem:windows gui
                                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                Time Stamp:0x95727CE5 [Mon Jun 14 18:31:01 2049 UTC]
                                                TLS Callbacks:
                                                CLR (.Net) Version:
                                                OS Version Major:4
                                                OS Version Minor:0
                                                File Version Major:4
                                                File Version Minor:0
                                                Subsystem Version Major:4
                                                Subsystem Version Minor:0
                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                Entrypoint Preview

                                                Instruction
                                                jmp dword ptr [00402000h]
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al

                                                Data Directories

                                                NameVirtual AddressVirtual Size Is in Section
                                                IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                IMAGE_DIRECTORY_ENTRY_IMPORT0x386300x4b.text
                                                IMAGE_DIRECTORY_ENTRY_RESOURCE0x3a0000x2bc0.rsrc
                                                IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                IMAGE_DIRECTORY_ENTRY_BASERELOC0x3e0000xc.reloc
                                                IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                Sections

                                                NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                .text0x20000x366840x36800545e6bb0d65310c56830e59e56f023ccFalse0.7070581278669725data7.779566822353382IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                .rsrc0x3a0000x2bc00x2c0075aea0495ac80e5dd3730772defbfb97False0.9067826704545454data7.623650691699043IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                .reloc0x3e0000xc0x200ccd6070a380d8d5eb329b2851ccebc95False0.044921875data0.09800417566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                Resources

                                                NameRVASizeTypeLanguageCountryZLIB Complexity
                                                RT_ICON0x3a1300x2574PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced0.9800792657488527
                                                RT_GROUP_ICON0x3c6a40x14data0.9
                                                RT_VERSION0x3c6b80x31cdata0.4258793969849246
                                                RT_MANIFEST0x3c9d40x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5489795918367347

                                                Imports

                                                DLLImport
                                                mscoree.dll_CorExeMain

                                                Network Behavior

                                                Suricata IDS Alerts

                                                TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                2025-01-16T03:42:58.733990+01002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.449730132.226.8.16980TCP

                                                Network Port Distribution

                                                TCP Packets

                                                TimestampSource PortDest PortSource IPDest IP
                                                Jan 16, 2025 03:42:57.564424038 CET4973080192.168.2.4132.226.8.169
                                                Jan 16, 2025 03:42:57.569454908 CET8049730132.226.8.169192.168.2.4
                                                Jan 16, 2025 03:42:57.569546938 CET4973080192.168.2.4132.226.8.169
                                                Jan 16, 2025 03:42:57.571408987 CET4973080192.168.2.4132.226.8.169
                                                Jan 16, 2025 03:42:57.576250076 CET8049730132.226.8.169192.168.2.4
                                                Jan 16, 2025 03:42:58.401911020 CET8049730132.226.8.169192.168.2.4
                                                Jan 16, 2025 03:42:58.405699015 CET4973080192.168.2.4132.226.8.169
                                                Jan 16, 2025 03:42:58.410649061 CET8049730132.226.8.169192.168.2.4
                                                Jan 16, 2025 03:42:58.686181068 CET8049730132.226.8.169192.168.2.4
                                                Jan 16, 2025 03:42:58.697426081 CET49731443192.168.2.4104.21.64.1
                                                Jan 16, 2025 03:42:58.697498083 CET44349731104.21.64.1192.168.2.4
                                                Jan 16, 2025 03:42:58.697566986 CET49731443192.168.2.4104.21.64.1
                                                Jan 16, 2025 03:42:58.709299088 CET49731443192.168.2.4104.21.64.1
                                                Jan 16, 2025 03:42:58.709316015 CET44349731104.21.64.1192.168.2.4
                                                Jan 16, 2025 03:42:58.733989954 CET4973080192.168.2.4132.226.8.169
                                                Jan 16, 2025 03:42:59.186619997 CET44349731104.21.64.1192.168.2.4
                                                Jan 16, 2025 03:42:59.186716080 CET49731443192.168.2.4104.21.64.1
                                                Jan 16, 2025 03:42:59.260021925 CET49731443192.168.2.4104.21.64.1
                                                Jan 16, 2025 03:42:59.260076046 CET44349731104.21.64.1192.168.2.4
                                                Jan 16, 2025 03:42:59.261209965 CET44349731104.21.64.1192.168.2.4
                                                Jan 16, 2025 03:42:59.312309027 CET49731443192.168.2.4104.21.64.1
                                                Jan 16, 2025 03:42:59.531163931 CET49731443192.168.2.4104.21.64.1
                                                Jan 16, 2025 03:42:59.571362019 CET44349731104.21.64.1192.168.2.4
                                                Jan 16, 2025 03:42:59.642122030 CET44349731104.21.64.1192.168.2.4
                                                Jan 16, 2025 03:42:59.642271042 CET44349731104.21.64.1192.168.2.4
                                                Jan 16, 2025 03:42:59.642347097 CET49731443192.168.2.4104.21.64.1
                                                Jan 16, 2025 03:42:59.649393082 CET49731443192.168.2.4104.21.64.1
                                                Jan 16, 2025 03:44:03.864228964 CET8049730132.226.8.169192.168.2.4
                                                Jan 16, 2025 03:44:03.864618063 CET4973080192.168.2.4132.226.8.169
                                                Jan 16, 2025 03:44:38.704382896 CET4973080192.168.2.4132.226.8.169
                                                Jan 16, 2025 03:44:38.709218025 CET8049730132.226.8.169192.168.2.4

                                                UDP Packets

                                                TimestampSource PortDest PortSource IPDest IP
                                                Jan 16, 2025 03:42:57.552094936 CET5490053192.168.2.41.1.1.1
                                                Jan 16, 2025 03:42:57.559305906 CET53549001.1.1.1192.168.2.4
                                                Jan 16, 2025 03:42:58.688998938 CET4918653192.168.2.41.1.1.1
                                                Jan 16, 2025 03:42:58.696816921 CET53491861.1.1.1192.168.2.4

                                                DNS Queries

                                                TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                Jan 16, 2025 03:42:57.552094936 CET192.168.2.41.1.1.10xe727Standard query (0)checkip.dyndns.orgA (IP address)IN (0x0001)false
                                                Jan 16, 2025 03:42:58.688998938 CET192.168.2.41.1.1.10x23dcStandard query (0)reallyfreegeoip.orgA (IP address)IN (0x0001)false

                                                DNS Answers

                                                TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                Jan 16, 2025 03:42:57.559305906 CET1.1.1.1192.168.2.40xe727No error (0)checkip.dyndns.orgcheckip.dyndns.comCNAME (Canonical name)IN (0x0001)false
                                                Jan 16, 2025 03:42:57.559305906 CET1.1.1.1192.168.2.40xe727No error (0)checkip.dyndns.com132.226.8.169A (IP address)IN (0x0001)false
                                                Jan 16, 2025 03:42:57.559305906 CET1.1.1.1192.168.2.40xe727No error (0)checkip.dyndns.com158.101.44.242A (IP address)IN (0x0001)false
                                                Jan 16, 2025 03:42:57.559305906 CET1.1.1.1192.168.2.40xe727No error (0)checkip.dyndns.com132.226.247.73A (IP address)IN (0x0001)false
                                                Jan 16, 2025 03:42:57.559305906 CET1.1.1.1192.168.2.40xe727No error (0)checkip.dyndns.com193.122.6.168A (IP address)IN (0x0001)false
                                                Jan 16, 2025 03:42:57.559305906 CET1.1.1.1192.168.2.40xe727No error (0)checkip.dyndns.com193.122.130.0A (IP address)IN (0x0001)false
                                                Jan 16, 2025 03:42:58.696816921 CET1.1.1.1192.168.2.40x23dcNo error (0)reallyfreegeoip.org104.21.64.1A (IP address)IN (0x0001)false
                                                Jan 16, 2025 03:42:58.696816921 CET1.1.1.1192.168.2.40x23dcNo error (0)reallyfreegeoip.org104.21.48.1A (IP address)IN (0x0001)false
                                                Jan 16, 2025 03:42:58.696816921 CET1.1.1.1192.168.2.40x23dcNo error (0)reallyfreegeoip.org104.21.16.1A (IP address)IN (0x0001)false
                                                Jan 16, 2025 03:42:58.696816921 CET1.1.1.1192.168.2.40x23dcNo error (0)reallyfreegeoip.org104.21.112.1A (IP address)IN (0x0001)false
                                                Jan 16, 2025 03:42:58.696816921 CET1.1.1.1192.168.2.40x23dcNo error (0)reallyfreegeoip.org104.21.80.1A (IP address)IN (0x0001)false
                                                Jan 16, 2025 03:42:58.696816921 CET1.1.1.1192.168.2.40x23dcNo error (0)reallyfreegeoip.org104.21.32.1A (IP address)IN (0x0001)false
                                                Jan 16, 2025 03:42:58.696816921 CET1.1.1.1192.168.2.40x23dcNo error (0)reallyfreegeoip.org104.21.96.1A (IP address)IN (0x0001)false

                                                HTTP Request Dependency Graph

                                                • reallyfreegeoip.org
                                                • checkip.dyndns.org

                                                HTTP Packets

                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                0192.168.2.449730132.226.8.169807064C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe
                                                TimestampBytes transferredDirectionData
                                                Jan 16, 2025 03:42:57.571408987 CET151OUTGET / HTTP/1.1
                                                User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                Host: checkip.dyndns.org
                                                Connection: Keep-Alive
                                                Jan 16, 2025 03:42:58.401911020 CET273INHTTP/1.1 200 OK
                                                Date: Thu, 16 Jan 2025 02:42:58 GMT
                                                Content-Type: text/html
                                                Content-Length: 104
                                                Connection: keep-alive
                                                Cache-Control: no-cache
                                                Pragma: no-cache
                                                Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
                                                Jan 16, 2025 03:42:58.405699015 CET127OUTGET / HTTP/1.1
                                                User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                Host: checkip.dyndns.org
                                                Jan 16, 2025 03:42:58.686181068 CET273INHTTP/1.1 200 OK
                                                Date: Thu, 16 Jan 2025 02:42:58 GMT
                                                Content-Type: text/html
                                                Content-Length: 104
                                                Connection: keep-alive
                                                Cache-Control: no-cache
                                                Pragma: no-cache
                                                Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                                HTTPS Proxied Packets

                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                0192.168.2.449731104.21.64.14437064C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe
                                                TimestampBytes transferredDirectionData
                                                2025-01-16 02:42:59 UTC85OUTGET /xml/8.46.123.189 HTTP/1.1
                                                Host: reallyfreegeoip.org
                                                Connection: Keep-Alive
                                                2025-01-16 02:42:59 UTC861INHTTP/1.1 200 OK
                                                Date: Thu, 16 Jan 2025 02:42:59 GMT
                                                Content-Type: text/xml
                                                Content-Length: 362
                                                Connection: close
                                                Age: 2310168
                                                Cache-Control: max-age=31536000
                                                cf-cache-status: HIT
                                                last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dWS3HdXIokp7ivrFDBlE8i1cC9ZbTlpLwbKqQbza6FS2oz0J1jYHJF%2FFfU97XGejKYrJkwr%2FB5GY9SsuCsl6%2FdLKVQEB80kJAQRRG55HFCei%2FP0o3c%2BqqrdArAZ3Z7tkPf%2B8LW1r"}],"group":"cf-nel","max_age":604800}
                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                Server: cloudflare
                                                CF-RAY: 902ac16268d9c358-EWR
                                                alt-svc: h3=":443"; ma=86400
                                                server-timing: cfL4;desc="?proto=TCP&rtt=1564&min_rtt=1524&rtt_var=600&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1916010&cwnd=155&unsent_bytes=0&cid=c712dba00f255e7e&ts=476&x=0"
                                                2025-01-16 02:42:59 UTC362INData Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                                Statistics

                                                CPU Usage

                                                Click to jump to process

                                                Memory Usage

                                                Click to jump to process

                                                High Level Behavior Distribution

                                                Click to dive into process behavior distribution

                                                Behavior

                                                Click to jump to process

                                                System Behavior

                                                General

                                                Target ID:0
                                                Start time:21:42:56
                                                Start date:15/01/2025
                                                Path:C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe"
                                                Imagebase:0x5c0000
                                                File size:235'520 bytes
                                                MD5 hash:CD3907A311E1B27E1CA9C5C2FE79B586
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.1679997247.0000000003C74000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1679997247.0000000003C74000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1679997247.0000000003C74000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1679997247.0000000003C74000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                Reputation:low
                                                Has exited:true

                                                General

                                                Target ID:1
                                                Start time:21:42:56
                                                Start date:15/01/2025
                                                Path:C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\Desktop\WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe"
                                                Imagebase:0xff0000
                                                File size:235'520 bytes
                                                MD5 hash:CD3907A311E1B27E1CA9C5C2FE79B586
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000001.00000002.2919733627.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2919733627.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000001.00000002.2919733627.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000001.00000002.2919733627.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2920998353.0000000003304000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                Reputation:low
                                                Has exited:false

                                                Disassembly

                                                Reset < >

                                                  Execution Graph

                                                  Execution Coverage:9%
                                                  Dynamic/Decrypted Code Coverage:100%
                                                  Signature Coverage:81.8%
                                                  Total number of Nodes:33
                                                  Total number of Limit Nodes:0
                                                  execution_graph 7742 d97ae8 7743 d97b1b 7742->7743 7771 d97658 7743->7771 7775 d9764e 7743->7775 7744 d97c99 7745 d97dbb 7744->7745 7757 d97088 Wow64SetThreadContext 7744->7757 7758 d97080 Wow64SetThreadContext 7744->7758 7765 d97428 ReadProcessMemory 7745->7765 7766 d97420 ReadProcessMemory 7745->7766 7746 d97ee5 7763 d971aa VirtualAllocEx 7746->7763 7764 d971b0 VirtualAllocEx 7746->7764 7747 d9806b 7767 d972ca WriteProcessMemory 7747->7767 7768 d972d0 WriteProcessMemory 7747->7768 7748 d98379 7753 d972ca WriteProcessMemory 7748->7753 7754 d972d0 WriteProcessMemory 7748->7754 7749 d983b7 7751 d984b5 7749->7751 7755 d97088 Wow64SetThreadContext 7749->7755 7756 d97080 Wow64SetThreadContext 7749->7756 7750 d9814d 7750->7748 7769 d972ca WriteProcessMemory 7750->7769 7770 d972d0 WriteProcessMemory 7750->7770 7761 d96f98 ResumeThread 7751->7761 7762 d96f90 ResumeThread 7751->7762 7752 d985b2 7753->7749 7754->7749 7755->7751 7756->7751 7757->7745 7758->7745 7761->7752 7762->7752 7763->7747 7764->7747 7765->7746 7766->7746 7767->7750 7768->7750 7769->7750 7770->7750 7772 d976df CreateProcessA 7771->7772 7774 d97934 7772->7774 7774->7774 7776 d976df CreateProcessA 7775->7776 7778 d97934 7776->7778 7778->7778

                                                  Executed Functions

                                                  Function 00D97AE8 Relevance: 1.9, Strings: 1, Instructions: 650COMMON
                                                  Download Yara Rule

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 0 d97ae8-d97b19 1 d97b1b 0->1 2 d97b20-d97c94 0->2 1->2 126 d97c97 call d97658 2->126 127 d97c97 call d9764e 2->127 7 d97c99-d97cb9 8 d97cbb-d97cf2 7->8 9 d97cfd-d97d67 7->9 8->9 16 d97d69 9->16 17 d97d6e-d97d9a 9->17 16->17 19 d97da0-d97db6 17->19 20 d97e25-d97e60 17->20 124 d97db9 call d97088 19->124 125 d97db9 call d97080 19->125 23 d97ea3 20->23 24 d97e62-d97e98 20->24 22 d97dbb-d97ddb 25 d97ddd-d97e13 22->25 26 d97e1e-d97e20 22->26 27 d97ea4-d97eae 23->27 24->23 25->26 26->27 28 d97eb0 27->28 29 d97eb5-d97ee0 27->29 28->29 132 d97ee3 call d97428 29->132 133 d97ee3 call d97420 29->133 32 d97ee5-d97f05 35 d97f48-d97f61 32->35 36 d97f07-d97f3d 32->36 37 d98008-d98066 35->37 38 d97f67-d97fc4 35->38 36->35 130 d98069 call d971aa 37->130 131 d98069 call d971b0 37->131 47 d98007 38->47 48 d97fc6-d97ffc 38->48 47->37 48->47 50 d9806b-d98091 51 d9812c-d98148 50->51 52 d98097-d980e8 50->52 134 d9814b call d972ca 51->134 135 d9814b call d972d0 51->135 59 d9812b 52->59 60 d980ea-d98120 52->60 54 d9814d-d9816d 57 d9816f-d981a5 54->57 58 d981b0-d981e5 54->58 57->58 65 d98357-d98373 58->65 59->51 60->59 66 d98379-d983b2 65->66 67 d981ea-d9826e 65->67 120 d983b5 call d972ca 66->120 121 d983b5 call d972d0 66->121 80 d9834c-d98351 67->80 81 d98274-d982e3 67->81 74 d983b7-d983d7 76 d983d9-d9840f 74->76 77 d9841a-d9844a 74->77 76->77 83 d9844c-d9844f 77->83 84 d98452-d98462 77->84 80->65 136 d982e6 call d972ca 81->136 137 d982e6 call d972d0 81->137 83->84 86 d98469-d98494 84->86 87 d98464 84->87 92 d9849a-d984b0 86->92 93 d9851f-d9855a 86->93 87->86 122 d984b3 call d97088 92->122 123 d984b3 call d97080 92->123 99 d9859d 93->99 100 d9855c-d98592 93->100 94 d982e8-d98308 96 d9834b 94->96 97 d9830a-d98340 94->97 96->80 97->96 98 d984b5-d984d5 101 d98518-d9851a 98->101 102 d984d7-d9850d 98->102 103 d9859e-d985ad 99->103 100->99 101->103 102->101 128 d985b0 call d96f98 103->128 129 d985b0 call d96f90 103->129 107 d985b2-d985d2 109 d98615-d98685 107->109 110 d985d4-d9860a 107->110 110->109 120->74 121->74 122->98 123->98 124->22 125->22 126->7 127->7 128->107 129->107 130->50 131->50 132->32 133->32 134->54 135->54 136->94 137->94
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1679289457.0000000000D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D90000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_d90000_WOOYANG VENUS_VESSEL_PARTICULARS.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: (
                                                  • API String ID: 0-3887548279
                                                  • Opcode ID: c516bb9af418240f3149f1c2279a0a5e35b8f321924d4d303c69d7fc7de91231
                                                  • Instruction ID: 1162d9f09d71f8ed55fd79aeb2e10aef114e29cf539cfd9717f5cc8f057135f5
                                                  • Opcode Fuzzy Hash: c516bb9af418240f3149f1c2279a0a5e35b8f321924d4d303c69d7fc7de91231
                                                  • Instruction Fuzzy Hash: 0062C170E002288FDB64DF65C994BDDBBB2BF89300F1485EAD409AB295DB719E85CF50
                                                  Function 00D97AD8 Relevance: .5, Instructions: 519COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1679289457.0000000000D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D90000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_d90000_WOOYANG VENUS_VESSEL_PARTICULARS.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 19e99cf40b0ac6a4de75d094ffbce93fec03d664d45aec9bc4c851d6ed927e48
                                                  • Instruction ID: 7a961446ac86fdbc59ae152ef0daffaeb7ca0ea96b9b140350bcbe165c4ee28b
                                                  • Opcode Fuzzy Hash: 19e99cf40b0ac6a4de75d094ffbce93fec03d664d45aec9bc4c851d6ed927e48
                                                  • Instruction Fuzzy Hash: 5242E271E002288FDB64DF65C994BDDBBB2BF89300F1485EAD409AB291DB719E85CF40
                                                  Function 00D97658 Relevance: 1.8, APIs: 1, Instructions: 321processCOMMON
                                                  Download Yara Rule

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 202 d97658-d976f1 204 d9773a-d97762 202->204 205 d976f3-d9770a 202->205 208 d977a8-d977fe 204->208 209 d97764-d97778 204->209 205->204 210 d9770c-d97711 205->210 219 d97800-d97814 208->219 220 d97844-d97932 CreateProcessA 208->220 209->208 217 d9777a-d9777f 209->217 211 d97713-d9771d 210->211 212 d97734-d97737 210->212 214 d9771f 211->214 215 d97721-d97730 211->215 212->204 214->215 215->215 218 d97732 215->218 221 d97781-d9778b 217->221 222 d977a2-d977a5 217->222 218->212 219->220 227 d97816-d9781b 219->227 238 d9793b-d97a20 220->238 239 d97934-d9793a 220->239 223 d9778d 221->223 224 d9778f-d9779e 221->224 222->208 223->224 224->224 228 d977a0 224->228 229 d9781d-d97827 227->229 230 d9783e-d97841 227->230 228->222 232 d97829 229->232 233 d9782b-d9783a 229->233 230->220 232->233 233->233 234 d9783c 233->234 234->230 251 d97a30-d97a34 238->251 252 d97a22-d97a26 238->252 239->238 254 d97a44-d97a48 251->254 255 d97a36-d97a3a 251->255 252->251 253 d97a28 252->253 253->251 256 d97a58-d97a5c 254->256 257 d97a4a-d97a4e 254->257 255->254 258 d97a3c 255->258 260 d97a5e-d97a87 256->260 261 d97a92-d97a9d 256->261 257->256 259 d97a50 257->259 258->254 259->256 260->261 265 d97a9e 261->265 265->265
                                                  APIs
                                                  • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 00D9791F
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1679289457.0000000000D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D90000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_d90000_WOOYANG VENUS_VESSEL_PARTICULARS.jbxd
                                                  Similarity
                                                  • API ID: CreateProcess
                                                  • String ID:
                                                  • API String ID: 963392458-0
                                                  • Opcode ID: 65a7b0f1a02cefad60a6214314c787ab90db57f4e78ca53a2f9b27bec5d5286b
                                                  • Instruction ID: 084bb22819878dc9d370de49bb6383d17ebc3a65497704dec24f5bdd135b1051
                                                  • Opcode Fuzzy Hash: 65a7b0f1a02cefad60a6214314c787ab90db57f4e78ca53a2f9b27bec5d5286b
                                                  • Instruction Fuzzy Hash: B4C12570D102298FDF24CFA8C841BEDBBB1BF49304F0495A9E849B7250DB749A85CF95
                                                  Function 00D9764E Relevance: 1.8, APIs: 1, Instructions: 321processCOMMON
                                                  Download Yara Rule

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 138 d9764e-d976f1 140 d9773a-d97762 138->140 141 d976f3-d9770a 138->141 144 d977a8-d977fe 140->144 145 d97764-d97778 140->145 141->140 146 d9770c-d97711 141->146 155 d97800-d97814 144->155 156 d97844-d97932 CreateProcessA 144->156 145->144 153 d9777a-d9777f 145->153 147 d97713-d9771d 146->147 148 d97734-d97737 146->148 150 d9771f 147->150 151 d97721-d97730 147->151 148->140 150->151 151->151 154 d97732 151->154 157 d97781-d9778b 153->157 158 d977a2-d977a5 153->158 154->148 155->156 163 d97816-d9781b 155->163 174 d9793b-d97a20 156->174 175 d97934-d9793a 156->175 159 d9778d 157->159 160 d9778f-d9779e 157->160 158->144 159->160 160->160 164 d977a0 160->164 165 d9781d-d97827 163->165 166 d9783e-d97841 163->166 164->158 168 d97829 165->168 169 d9782b-d9783a 165->169 166->156 168->169 169->169 170 d9783c 169->170 170->166 187 d97a30-d97a34 174->187 188 d97a22-d97a26 174->188 175->174 190 d97a44-d97a48 187->190 191 d97a36-d97a3a 187->191 188->187 189 d97a28 188->189 189->187 192 d97a58-d97a5c 190->192 193 d97a4a-d97a4e 190->193 191->190 194 d97a3c 191->194 196 d97a5e-d97a87 192->196 197 d97a92-d97a9d 192->197 193->192 195 d97a50 193->195 194->190 195->192 196->197 201 d97a9e 197->201 201->201
                                                  APIs
                                                  • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 00D9791F
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1679289457.0000000000D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D90000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_d90000_WOOYANG VENUS_VESSEL_PARTICULARS.jbxd
                                                  Similarity
                                                  • API ID: CreateProcess
                                                  • String ID:
                                                  • API String ID: 963392458-0
                                                  • Opcode ID: 7a7dcebe8bc001d72c60cd8595da24f1b01d255cb6ba3a9b9e09130b08635b9e
                                                  • Instruction ID: 0771a7bef8b948991bbde10c14b0367b55200cd4a5e1e59f6ecaffe4f3797d17
                                                  • Opcode Fuzzy Hash: 7a7dcebe8bc001d72c60cd8595da24f1b01d255cb6ba3a9b9e09130b08635b9e
                                                  • Instruction Fuzzy Hash: FDC13671D102298FDF24CFA8C841BEDBBB1BF09300F0495A9E849B7250DB749A85CF95
                                                  Function 00D972CA Relevance: 1.6, APIs: 1, Instructions: 117injectionCOMMON
                                                  Download Yara Rule

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 266 d972ca-d9733b 269 d9733d-d9734f 266->269 270 d97352-d973b3 WriteProcessMemory 266->270 269->270 272 d973bc-d9740e 270->272 273 d973b5-d973bb 270->273 273->272
                                                  APIs
                                                  • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00D973A3
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1679289457.0000000000D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D90000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_d90000_WOOYANG VENUS_VESSEL_PARTICULARS.jbxd
                                                  Similarity
                                                  • API ID: MemoryProcessWrite
                                                  • String ID:
                                                  • API String ID: 3559483778-0
                                                  • Opcode ID: 1d3d4c7a18114cdac2ca95f032068b4bbf630cfcb47d325b1a612d8bb9c2ed98
                                                  • Instruction ID: 6714a7e119aefa1cd6bd93cbe285dae145ec8cf14b7265c8dec17abcfce32ca6
                                                  • Opcode Fuzzy Hash: 1d3d4c7a18114cdac2ca95f032068b4bbf630cfcb47d325b1a612d8bb9c2ed98
                                                  • Instruction Fuzzy Hash: 7B4199B5D052589FCF10CFA9D984AEEFBF1BB49310F24902AE818B7210D734AA45DF64
                                                  Function 00D972D0 Relevance: 1.6, APIs: 1, Instructions: 116injectionCOMMON
                                                  Download Yara Rule

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 278 d972d0-d9733b 280 d9733d-d9734f 278->280 281 d97352-d973b3 WriteProcessMemory 278->281 280->281 283 d973bc-d9740e 281->283 284 d973b5-d973bb 281->284 284->283
                                                  APIs
                                                  • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00D973A3
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1679289457.0000000000D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D90000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_d90000_WOOYANG VENUS_VESSEL_PARTICULARS.jbxd
                                                  Similarity
                                                  • API ID: MemoryProcessWrite
                                                  • String ID:
                                                  • API String ID: 3559483778-0
                                                  • Opcode ID: 531fa7b460184253d92a018011a690638eade383b1bbbca2e25f6a7375096b38
                                                  • Instruction ID: e8ed708ffd9612b3c16336db24ec3e671e6e29e68d825d8dc81b9dc84b61758e
                                                  • Opcode Fuzzy Hash: 531fa7b460184253d92a018011a690638eade383b1bbbca2e25f6a7375096b38
                                                  • Instruction Fuzzy Hash: D241AAB5D052589FCF10CFA9D984AEEFBF1BB49310F24902AE818B7210D734AA45CF64
                                                  Function 00D97428 Relevance: 1.6, APIs: 1, Instructions: 106COMMON
                                                  Download Yara Rule

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 298 d97428-d974ea ReadProcessMemory 301 d974ec-d974f2 298->301 302 d974f3-d97545 298->302 301->302
                                                  APIs
                                                  • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00D974DA
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1679289457.0000000000D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D90000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_d90000_WOOYANG VENUS_VESSEL_PARTICULARS.jbxd
                                                  Similarity
                                                  • API ID: MemoryProcessRead
                                                  • String ID:
                                                  • API String ID: 1726664587-0
                                                  • Opcode ID: 50c1505e8282d1b046d2ca8485788d1e65595cc338ad574e3a87ad33d932a080
                                                  • Instruction ID: d3fa52a155715dc6478f4303ec4aa9000403ba10b3cb189789aba7c28b6d8b56
                                                  • Opcode Fuzzy Hash: 50c1505e8282d1b046d2ca8485788d1e65595cc338ad574e3a87ad33d932a080
                                                  • Instruction Fuzzy Hash: 0B4198B5D04258DFCF10CFAAD984AEEFBB1BB49310F14942AE815B7210D735A945CF68
                                                  Function 00D97420 Relevance: 1.6, APIs: 1, Instructions: 106COMMON
                                                  Download Yara Rule

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 289 d97420-d974ea ReadProcessMemory 292 d974ec-d974f2 289->292 293 d974f3-d97545 289->293 292->293
                                                  APIs
                                                  • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00D974DA
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1679289457.0000000000D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D90000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_d90000_WOOYANG VENUS_VESSEL_PARTICULARS.jbxd
                                                  Similarity
                                                  • API ID: MemoryProcessRead
                                                  • String ID:
                                                  • API String ID: 1726664587-0
                                                  • Opcode ID: 2ece1d3fdac54a5d1e1c296e00023821ce4312e4e5fef077da60feae6921fa5f
                                                  • Instruction ID: 628f5472643a5a8bf93d1d91b4a48a61717ecf810835d4446f57c3266b8fb214
                                                  • Opcode Fuzzy Hash: 2ece1d3fdac54a5d1e1c296e00023821ce4312e4e5fef077da60feae6921fa5f
                                                  • Instruction Fuzzy Hash: E84196B9D04258DFCF10CFA9D984AEEFBB1BB09310F14942AE815B7210D734A945CF68
                                                  Function 00D971AA Relevance: 1.6, APIs: 1, Instructions: 102memoryCOMMON
                                                  Download Yara Rule

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 307 d971aa-d9726a VirtualAllocEx 311 d9726c-d97272 307->311 312 d97273-d972bd 307->312 311->312
                                                  APIs
                                                  • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00D9725A
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1679289457.0000000000D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D90000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_d90000_WOOYANG VENUS_VESSEL_PARTICULARS.jbxd
                                                  Similarity
                                                  • API ID: AllocVirtual
                                                  • String ID:
                                                  • API String ID: 4275171209-0
                                                  • Opcode ID: 58598ef0d0b753a8c3b195e717d9e8983e5adc5258831cef70709a9fd33e9d97
                                                  • Instruction ID: 5d174ff4de5598a73465d3e64afee0c70a43d3dcde3a85a4a80d50f7c2563063
                                                  • Opcode Fuzzy Hash: 58598ef0d0b753a8c3b195e717d9e8983e5adc5258831cef70709a9fd33e9d97
                                                  • Instruction Fuzzy Hash: 8E3197B9D142589FCF10CFA9D980ADEFBB1BB49310F20942AE814B7210D735A946CF68
                                                  Function 00D971B0 Relevance: 1.6, APIs: 1, Instructions: 101memoryCOMMON
                                                  Download Yara Rule

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 317 d971b0-d9726a VirtualAllocEx 320 d9726c-d97272 317->320 321 d97273-d972bd 317->321 320->321
                                                  APIs
                                                  • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00D9725A
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1679289457.0000000000D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D90000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_d90000_WOOYANG VENUS_VESSEL_PARTICULARS.jbxd
                                                  Similarity
                                                  • API ID: AllocVirtual
                                                  • String ID:
                                                  • API String ID: 4275171209-0
                                                  • Opcode ID: 3251b047b69eb66ee0a26ffbc75244080fd500256418e7f2428412590bbc55b9
                                                  • Instruction ID: 548f957144ce5dd844ce5b9b41cd44c65faa4b2ddfa4bee0a2f4d03458bad000
                                                  • Opcode Fuzzy Hash: 3251b047b69eb66ee0a26ffbc75244080fd500256418e7f2428412590bbc55b9
                                                  • Instruction Fuzzy Hash: D33186B9D142589FCF10CFA9D984ADEFBB1BB49310F20942AE815BB210D735A945CF68
                                                  Function 00D97080 Relevance: 1.6, APIs: 1, Instructions: 96threadCOMMON
                                                  Download Yara Rule

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 326 d97080-d970e8 328 d970ea-d970fc 326->328 329 d970ff-d97147 Wow64SetThreadContext 326->329 328->329 331 d97149-d9714f 329->331 332 d97150-d9719c 329->332 331->332
                                                  APIs
                                                  • Wow64SetThreadContext.KERNEL32(?,?), ref: 00D97137
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1679289457.0000000000D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D90000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_d90000_WOOYANG VENUS_VESSEL_PARTICULARS.jbxd
                                                  Similarity
                                                  • API ID: ContextThreadWow64
                                                  • String ID:
                                                  • API String ID: 983334009-0
                                                  • Opcode ID: 93ad9185607bf97351a04fa007fdc3cef386240b3446496a1160176f9248e05d
                                                  • Instruction ID: d1f0b7a9d3b5eaab9902e6f42ea6d5f506d5206862c466273b387e22de6e59e5
                                                  • Opcode Fuzzy Hash: 93ad9185607bf97351a04fa007fdc3cef386240b3446496a1160176f9248e05d
                                                  • Instruction Fuzzy Hash: 6E41CBB4D152589FCB10CFA9D984AEEFBF0BF49310F24902AE418B7240D738A985CF64
                                                  Function 00D97088 Relevance: 1.6, APIs: 1, Instructions: 94threadCOMMON
                                                  Download Yara Rule

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 337 d97088-d970e8 339 d970ea-d970fc 337->339 340 d970ff-d97147 Wow64SetThreadContext 337->340 339->340 342 d97149-d9714f 340->342 343 d97150-d9719c 340->343 342->343
                                                  APIs
                                                  • Wow64SetThreadContext.KERNEL32(?,?), ref: 00D97137
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1679289457.0000000000D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D90000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_d90000_WOOYANG VENUS_VESSEL_PARTICULARS.jbxd
                                                  Similarity
                                                  • API ID: ContextThreadWow64
                                                  • String ID:
                                                  • API String ID: 983334009-0
                                                  • Opcode ID: bbc5d15bdc49858c496d88f832902539861edf8ccbbfdab2bcd2da449f4917b8
                                                  • Instruction ID: f5d578244a9e0111cbf524a377440c7633317a88b6774c8dfc06d582b1d58ab2
                                                  • Opcode Fuzzy Hash: bbc5d15bdc49858c496d88f832902539861edf8ccbbfdab2bcd2da449f4917b8
                                                  • Instruction Fuzzy Hash: 0931BEB4D142589FCF10CFA9D884ADEFBF1BB49310F14802AE418B7250C738A985CF64
                                                  Function 00D96F90 Relevance: 1.6, APIs: 1, Instructions: 75threadCOMMON
                                                  Download Yara Rule

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 348 d96f90-d97026 ResumeThread 352 d97028-d9702e 348->352 353 d9702f-d97071 348->353 352->353
                                                  APIs
                                                  • ResumeThread.KERNELBASE(?), ref: 00D97016
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1679289457.0000000000D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D90000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_d90000_WOOYANG VENUS_VESSEL_PARTICULARS.jbxd
                                                  Similarity
                                                  • API ID: ResumeThread
                                                  • String ID:
                                                  • API String ID: 947044025-0
                                                  • Opcode ID: 0161100a3f0e718fac02d2980f4c2fb2e4c556920c46b8168c42b25c6fe5d9a8
                                                  • Instruction ID: ce35af7c548d499dae110c3fb6447c380e081e6038a7031fb6039f16623e14e6
                                                  • Opcode Fuzzy Hash: 0161100a3f0e718fac02d2980f4c2fb2e4c556920c46b8168c42b25c6fe5d9a8
                                                  • Instruction Fuzzy Hash: E231CDB5D102189FCF10CFAAD581ADEFBB4AB49310F14842AE418B7310C735A941CFA8
                                                  Function 00D96F98 Relevance: 1.6, APIs: 1, Instructions: 73threadCOMMON
                                                  Download Yara Rule

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 358 d96f98-d97026 ResumeThread 361 d97028-d9702e 358->361 362 d9702f-d97071 358->362 361->362
                                                  APIs
                                                  • ResumeThread.KERNELBASE(?), ref: 00D97016
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1679289457.0000000000D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D90000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_d90000_WOOYANG VENUS_VESSEL_PARTICULARS.jbxd
                                                  Similarity
                                                  • API ID: ResumeThread
                                                  • String ID:
                                                  • API String ID: 947044025-0
                                                  • Opcode ID: c48e5e935e4d61e6c18b91c4065752455a4ec0e8842667c83a77ccaedbe441dc
                                                  • Instruction ID: f9b2e758bb9ff89ad7eae8bf5a2651b9c3a4009faf78e6e7610a04ca48fd918a
                                                  • Opcode Fuzzy Hash: c48e5e935e4d61e6c18b91c4065752455a4ec0e8842667c83a77ccaedbe441dc
                                                  • Instruction Fuzzy Hash: 3231CCB4D102189FCF10CFAAD480ADEFBB4AB49310F14842AE418B7310C735A941CFA8

                                                  Execution Graph

                                                  Execution Coverage:12.9%
                                                  Dynamic/Decrypted Code Coverage:100%
                                                  Signature Coverage:8.8%
                                                  Total number of Nodes:34
                                                  Total number of Limit Nodes:3
                                                  execution_graph 13949 2fc46d8 13950 2fc46e4 13949->13950 13953 2fc7d10 13950->13953 13954 2fc7d17 13953->13954 13958 2fc7f48 13954->13958 13965 2fc7f37 13954->13965 13955 2fc4713 13959 2fc7f6a 13958->13959 13960 2fc8036 13959->13960 13972 2fcf50c 13959->13972 13978 2fceef9 13959->13978 13984 2fcf128 13959->13984 13990 2fcef08 13959->13990 13960->13955 13966 2fc7f6a 13965->13966 13967 2fc8036 13966->13967 13968 2fcf50c 2 API calls 13966->13968 13969 2fcef08 LdrInitializeThunk 13966->13969 13970 2fcf128 2 API calls 13966->13970 13971 2fceef9 2 API calls 13966->13971 13967->13955 13968->13967 13969->13967 13970->13967 13971->13967 13973 2fcf3c3 13972->13973 13974 2fcf504 LdrInitializeThunk 13973->13974 13977 2fcef08 LdrInitializeThunk 13973->13977 13976 2fcf661 13974->13976 13976->13960 13977->13973 13979 2fcef1f 13978->13979 13980 2fcef1a 13978->13980 13979->13980 13981 2fcf504 LdrInitializeThunk 13979->13981 13983 2fcef08 LdrInitializeThunk 13979->13983 13980->13960 13981->13980 13983->13979 13989 2fcf159 13984->13989 13985 2fcf2b9 13985->13960 13986 2fcf504 LdrInitializeThunk 13986->13985 13988 2fcef08 LdrInitializeThunk 13988->13989 13989->13985 13989->13986 13989->13988 13991 2fcef1a 13990->13991 13993 2fcef1f 13990->13993 13991->13960 13992 2fcf649 LdrInitializeThunk 13992->13991 13993->13991 13993->13992

                                                  Executed Functions

                                                  Function 02FCF128 Relevance: 1.9, APIs: 1, Instructions: 357COMMON
                                                  Download Yara Rule

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 1179 2fcf128-2fcf157 1180 2fcf15e-2fcf1f4 call 2fc8e48 1179->1180 1181 2fcf159 1179->1181 1184 2fcf293-2fcf299 1180->1184 1181->1180 1185 2fcf29f-2fcf2b7 1184->1185 1186 2fcf1f9-2fcf20c 1184->1186 1189 2fcf2b9-2fcf2c6 1185->1189 1190 2fcf2cb-2fcf2de 1185->1190 1187 2fcf20e 1186->1187 1188 2fcf213-2fcf264 1186->1188 1187->1188 1208 2fcf266-2fcf274 1188->1208 1209 2fcf277-2fcf289 1188->1209 1193 2fcf661-2fcf75f 1189->1193 1191 2fcf2e5-2fcf301 1190->1191 1192 2fcf2e0 1190->1192 1195 2fcf308-2fcf32c 1191->1195 1196 2fcf303 1191->1196 1192->1191 1198 2fcf767-2fcf771 1193->1198 1199 2fcf761-2fcf766 call 2fc8e48 1193->1199 1204 2fcf32e 1195->1204 1205 2fcf333-2fcf365 1195->1205 1196->1195 1199->1198 1204->1205 1213 2fcf36c-2fcf3ae 1205->1213 1214 2fcf367 1205->1214 1208->1185 1210 2fcf28b 1209->1210 1211 2fcf290 1209->1211 1210->1211 1211->1184 1216 2fcf3b5-2fcf3be 1213->1216 1217 2fcf3b0 1213->1217 1214->1213 1218 2fcf5e6-2fcf5ec 1216->1218 1217->1216 1219 2fcf5f2-2fcf605 1218->1219 1220 2fcf3c3-2fcf3e8 1218->1220 1221 2fcf60c-2fcf627 1219->1221 1222 2fcf607 1219->1222 1223 2fcf3ef-2fcf426 1220->1223 1224 2fcf3ea 1220->1224 1225 2fcf62e-2fcf642 1221->1225 1226 2fcf629 1221->1226 1222->1221 1232 2fcf42d-2fcf45f 1223->1232 1233 2fcf428 1223->1233 1224->1223 1230 2fcf649-2fcf65f LdrInitializeThunk 1225->1230 1231 2fcf644 1225->1231 1226->1225 1230->1193 1231->1230 1235 2fcf461-2fcf486 1232->1235 1236 2fcf4c3-2fcf4d6 1232->1236 1233->1232 1239 2fcf48d-2fcf4bb 1235->1239 1240 2fcf488 1235->1240 1237 2fcf4dd-2fcf502 1236->1237 1238 2fcf4d8 1236->1238 1243 2fcf504-2fcf505 1237->1243 1244 2fcf511-2fcf549 1237->1244 1238->1237 1239->1236 1240->1239 1243->1219 1245 2fcf54b 1244->1245 1246 2fcf550-2fcf5b1 call 2fcef08 1244->1246 1245->1246 1252 2fcf5b8-2fcf5dc 1246->1252 1253 2fcf5b3 1246->1253 1256 2fcf5de 1252->1256 1257 2fcf5e3 1252->1257 1253->1252 1256->1257 1257->1218
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2920843025.0000000002FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FC0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2fc0000_WOOYANG VENUS_VESSEL_PARTICULARS.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 73b5031b29d967508d220257b6a2565e30fc0381cf8f5babee917bcf5893d5f3
                                                  • Instruction ID: d50c780f3fc4de509b2da8a4ec31cbf4c3149fb5bc4a810f15aca3e77a09d9c9
                                                  • Opcode Fuzzy Hash: 73b5031b29d967508d220257b6a2565e30fc0381cf8f5babee917bcf5893d5f3
                                                  • Instruction Fuzzy Hash: 85F1F574E01219CFDB14DFA9D984B9DFBB2BF48304F2082AAE508AB355DB349985CF50
                                                  Function 02FC7F48 Relevance: .3, Instructions: 268COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2920843025.0000000002FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FC0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2fc0000_WOOYANG VENUS_VESSEL_PARTICULARS.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: af4c8b714f2457dac2cc96ebace4edac74091d386bdabb16284f093170ee2d83
                                                  • Instruction ID: a524dc5cd941221e8eba1983946d00a32fc819f52bded4b244b97d45ae6e01b2
                                                  • Opcode Fuzzy Hash: af4c8b714f2457dac2cc96ebace4edac74091d386bdabb16284f093170ee2d83
                                                  • Instruction Fuzzy Hash: 10C19074E01218CFDB54DFA5D994B9DBBB2FB88300F2081A9E809AB354DB359E85CF51
                                                  Function 02FC8508 Relevance: .2, Instructions: 220COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2920843025.0000000002FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FC0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2fc0000_WOOYANG VENUS_VESSEL_PARTICULARS.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1feb34385306f31ed10aa72486399d4f6564c534256bd58a6f9756aece87b1ec
                                                  • Instruction ID: 621df65b87b09aff10613b7b94cee389c1c688df7bf7cb8422d7db46db2e56a9
                                                  • Opcode Fuzzy Hash: 1feb34385306f31ed10aa72486399d4f6564c534256bd58a6f9756aece87b1ec
                                                  • Instruction Fuzzy Hash: C9A10270D002098FEB14DFA9C988BDDBBB1FF88314F209269E509AB3A1DB705984CF54
                                                  Function 02FC84F8 Relevance: .2, Instructions: 219COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2920843025.0000000002FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FC0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2fc0000_WOOYANG VENUS_VESSEL_PARTICULARS.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 820d594f620a633493d831f3289127cffd5791a60a453b8925f1d24c98a1ef77
                                                  • Instruction ID: cfcfb087d15f7c804a96723d01eb6081cc523ee6db9d6f5f5479971272e8734e
                                                  • Opcode Fuzzy Hash: 820d594f620a633493d831f3289127cffd5791a60a453b8925f1d24c98a1ef77
                                                  • Instruction Fuzzy Hash: 17A1F270D002098FEB14DFA9D988BDDBBB1FF88314F209269E509AB391DB745984CF54
                                                  Function 02FC884F Relevance: .2, Instructions: 202COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2920843025.0000000002FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FC0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2fc0000_WOOYANG VENUS_VESSEL_PARTICULARS.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: bbba6fb43707f62e45b9ec2102c6eeffd36a988c6fa8138c0f89846b15b49fd9
                                                  • Instruction ID: 177e9217d0177751ce4eef3a6285171b969a1aa01cc44df049e787b3bf5c6590
                                                  • Opcode Fuzzy Hash: bbba6fb43707f62e45b9ec2102c6eeffd36a988c6fa8138c0f89846b15b49fd9
                                                  • Instruction Fuzzy Hash: A7911270D00209CFEB14DFA8C998BDCBBB1FF49354F209269E509AB291DB749984CF15
                                                  Function 02FCF50C Relevance: 1.6, APIs: 1, Instructions: 62libraryCOMMON
                                                  Download Yara Rule

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 1258 2fcf50c 1259 2fcf5cb-2fcf5dc 1258->1259 1260 2fcf5de 1259->1260 1261 2fcf5e3-2fcf5ec 1259->1261 1260->1261 1263 2fcf5f2-2fcf605 1261->1263 1264 2fcf3c3-2fcf3e8 1261->1264 1265 2fcf60c-2fcf627 1263->1265 1266 2fcf607 1263->1266 1267 2fcf3ef-2fcf426 1264->1267 1268 2fcf3ea 1264->1268 1269 2fcf62e-2fcf642 1265->1269 1270 2fcf629 1265->1270 1266->1265 1276 2fcf42d-2fcf45f 1267->1276 1277 2fcf428 1267->1277 1268->1267 1274 2fcf649-2fcf65f LdrInitializeThunk 1269->1274 1275 2fcf644 1269->1275 1270->1269 1278 2fcf661-2fcf75f 1274->1278 1275->1274 1284 2fcf461-2fcf486 1276->1284 1285 2fcf4c3-2fcf4d6 1276->1285 1277->1276 1281 2fcf767-2fcf771 1278->1281 1282 2fcf761-2fcf766 call 2fc8e48 1278->1282 1282->1281 1289 2fcf48d-2fcf4bb 1284->1289 1290 2fcf488 1284->1290 1287 2fcf4dd-2fcf502 1285->1287 1288 2fcf4d8 1285->1288 1293 2fcf504-2fcf505 1287->1293 1294 2fcf511-2fcf549 1287->1294 1288->1287 1289->1285 1290->1289 1293->1263 1295 2fcf54b 1294->1295 1296 2fcf550-2fcf5b1 call 2fcef08 1294->1296 1295->1296 1302 2fcf5b8-2fcf5ca 1296->1302 1303 2fcf5b3 1296->1303 1302->1259 1303->1302
                                                  APIs
                                                  • LdrInitializeThunk.NTDLL(00000000), ref: 02FCF64E
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2920843025.0000000002FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FC0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2fc0000_WOOYANG VENUS_VESSEL_PARTICULARS.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 525c78825883aab7462332b824bad6115f654f4b90821ff4a3bf5ba57885dde8
                                                  • Instruction ID: 8ca0f0746850dbd5b50bcad4187a236485bbe509e435966dc381d68d708350e9
                                                  • Opcode Fuzzy Hash: 525c78825883aab7462332b824bad6115f654f4b90821ff4a3bf5ba57885dde8
                                                  • Instruction Fuzzy Hash: 3F116075E0110A9FDB04DFA8D984EADFBB6FB88344F24962AEA04E7651DB309841CF10
                                                  Function 0195D030 Relevance: .1, Instructions: 72COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2920649999.000000000195D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0195D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_195d000_WOOYANG VENUS_VESSEL_PARTICULARS.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 831bbfe289e455c7a0fd1e047a58182832801ec599fd67674327cb773547a685
                                                  • Instruction ID: 441788070404ea7d80eb65216d2c0f5453284a46f22a63c0e019c4914b4b0502
                                                  • Opcode Fuzzy Hash: 831bbfe289e455c7a0fd1e047a58182832801ec599fd67674327cb773547a685
                                                  • Instruction Fuzzy Hash: A6210071504200DFDB55DF68D980B26BBA5EB84314F20C969DC0E5A256C33AD447CB62
                                                  Function 0195D005 Relevance: .1, Instructions: 69COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2920649999.000000000195D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0195D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_195d000_WOOYANG VENUS_VESSEL_PARTICULARS.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 620788f6168087ee6a325998f98c7ca1706c3ca947a3e64c66a58d2ad2b44cdd
                                                  • Instruction ID: bf05ccd05c30afddd5ba2d45837ffb485fdabd5a254d8c74a1cdfd83d840abbb
                                                  • Opcode Fuzzy Hash: 620788f6168087ee6a325998f98c7ca1706c3ca947a3e64c66a58d2ad2b44cdd
                                                  • Instruction Fuzzy Hash: 25215C7110D3C09FDB07DF64D990711BFB5AB46214F28C5DBD8898F2A7C23A985ACB62

                                                  Non-executed Functions

                                                  Function 02FCF7F8 Relevance: .3, Instructions: 297COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2920843025.0000000002FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FC0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2fc0000_WOOYANG VENUS_VESSEL_PARTICULARS.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ae34a63866a8e853521a973457f5049bea02094a26a6baad4e5b18a578de822b
                                                  • Instruction ID: 1456242489ab5c58911e1529c836d28ff7a3f7a0fcbf2e60a50de379bb32669a
                                                  • Opcode Fuzzy Hash: ae34a63866a8e853521a973457f5049bea02094a26a6baad4e5b18a578de822b
                                                  • Instruction Fuzzy Hash: A4D1E274E01218CFDB54DFA5D954B9DBBB2EF89304F2081AAD808AB364DB359E85CF10