Edit tour

Windows Analysis Report
bleorigin.exe

Overview

General Information

Sample name:	bleorigin.exe
Analysis ID:	1615022
MD5:	0cd79e1837ecc2651611323ce6c009a7
SHA1:	6bd16567c5b2c2724c7590f1aebc082f37066fbf
SHA256:	b9aa15b40149a14595782f3138816babd5aa6a2cae761d9f6a2c1a7b52256bc7
Tags:	196-251-92-64AgentTeslaexeuser-JAMESWT_MHT
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Contains functionality to log keystrokes (.Net Source)

Joe Sandbox ML detected suspicious sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Adds / modifies Windows certificates

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Outbound SMTP Connections

Stores large binary data to the registry

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

bleorigin.exe (PID: 5168 cmdline: "C:\Users\user\Desktop\bleorigin.exe" MD5: 0CD79E1837ECC2651611323CE6C009A7)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{
  "Exfil Mode": "SMTP",
  "Port": "587",
  "Host": "mail.worlorderbillions.top",
  "Username": "niggabguy22jan2024@worlorderbillions.top",
  "Password": "~lhTqZ3?QKP@                       "
}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
bleorigin.exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
bleorigin.exe	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
bleorigin.exe	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3351f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33591:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3361b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x336ad:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33717:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33789:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3381f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x338af:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.3280529743.0000000002D9A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.3280529743.0000000002D6E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000000.2032829432.00000000007F2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000000.2032829432.00000000007F2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.3280529743.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.3280529743.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.3280529743.0000000002DA2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: bleorigin.exe PID: 5168	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: bleorigin.exe PID: 5168	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.bleorigin.exe.7f0000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.0.bleorigin.exe.7f0000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.0.bleorigin.exe.7f0000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3351f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33591:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3361b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x336ad:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33717:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33789:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3381f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x338af:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548

Sigma Signatures

System Summary

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 185.174.173.22, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\bleorigin.exe, Initiated: true, ProcessId: 5168, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49704

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

• AV Detection
• Compliance
• Networking
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• Language, Device and Operating System Detection
• Lowering of HIPS / PFW / Operating System Security Settings
• Stealing of Sensitive Information
• Remote Access Functionality

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: bleorigin.exe

Avira: detected

Found malware configuration

Source: bleorigin.exe

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.worlorderbillions.top", "Username": "niggabguy22jan2024@worlorderbillions.top", "Password": "~lhTqZ3?QKP@ "}

Multi AV Scanner detection for submitted file

Source: bleorigin.exe	Virustotal: Detection: 73%			Perma Link
Source: bleorigin.exe	ReversingLabs: Detection: 76%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: bleorigin.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: bleorigin.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: global traffic

TCP traffic: 192.168.2.5:49704 -> 185.174.173.22:587

Source: Joe Sandbox View	IP Address: 185.174.173.22 185.174.173.22
Source: Joe Sandbox View	IP Address: 185.174.173.22 185.174.173.22

Source: Joe Sandbox View

ASN Name: ITLDC-NLUA ITLDC-NLUA

Source: global traffic

TCP traffic: 192.168.2.5:49704 -> 185.174.173.22:587

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: mail.worlorderbillions.top

Source: bleorigin.exe, 00000000.00000002.3280529743.0000000002D76000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.worlorderbillions.top
Source: bleorigin.exe, 00000000.00000002.3280529743.0000000002D76000.00000004.00000800.00020000.00000000.sdmp, bleorigin.exe, 00000000.00000002.3279318601.0000000000F73000.00000004.00000020.00020000.00000000.sdmp, bleorigin.exe, 00000000.00000002.3279318601.0000000000F3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r11.i.lencr.org/09
Source: bleorigin.exe, 00000000.00000002.3280529743.0000000002D76000.00000004.00000800.00020000.00000000.sdmp, bleorigin.exe, 00000000.00000002.3279318601.0000000000F73000.00000004.00000020.00020000.00000000.sdmp, bleorigin.exe, 00000000.00000002.3279318601.0000000000F3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r11.o.lencr.org0#
Source: bleorigin.exe, 00000000.00000002.3280529743.0000000002D76000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://worlorderbillions.top
Source: bleorigin.exe, 00000000.00000002.3282453835.0000000005E4C000.00000004.00000020.00020000.00000000.sdmp, bleorigin.exe, 00000000.00000002.3280529743.0000000002D76000.00000004.00000800.00020000.00000000.sdmp, bleorigin.exe, 00000000.00000002.3279318601.0000000000F73000.00000004.00000020.00020000.00000000.sdmp, bleorigin.exe, 00000000.00000002.3282453835.0000000005E38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: bleorigin.exe, 00000000.00000002.3282453835.0000000005E4C000.00000004.00000020.00020000.00000000.sdmp, bleorigin.exe, 00000000.00000002.3280529743.0000000002D76000.00000004.00000800.00020000.00000000.sdmp, bleorigin.exe, 00000000.00000002.3279318601.0000000000F73000.00000004.00000020.00020000.00000000.sdmp, bleorigin.exe, 00000000.00000002.3282453835.0000000005E38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: bleorigin.exe	String found in binary or memory: https://account.dyn.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: bleorigin.exe, POq2Ux.cs

.Net Code: kHSOsUTD

System Summary

Malicious sample detected (through community Yara rule)

Source: bleorigin.exe, type: SAMPLE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.0.bleorigin.exe.7f0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Source: C:\Users\user\Desktop\bleorigin.exe	Code function: 0_2_02B04AA0	0_2_02B04AA0
Source: C:\Users\user\Desktop\bleorigin.exe	Code function: 0_2_02B09BFA	0_2_02B09BFA
Source: C:\Users\user\Desktop\bleorigin.exe	Code function: 0_2_02B03E88	0_2_02B03E88
Source: C:\Users\user\Desktop\bleorigin.exe	Code function: 0_2_02B0CDC8	0_2_02B0CDC8
Source: C:\Users\user\Desktop\bleorigin.exe	Code function: 0_2_02B041D0	0_2_02B041D0
Source: C:\Users\user\Desktop\bleorigin.exe	Code function: 0_2_05EE878B	0_2_05EE878B
Source: C:\Users\user\Desktop\bleorigin.exe	Code function: 0_2_05EE2700	0_2_05EE2700
Source: C:\Users\user\Desktop\bleorigin.exe	Code function: 0_2_05EE96E0	0_2_05EE96E0
Source: C:\Users\user\Desktop\bleorigin.exe	Code function: 0_2_05EEB908	0_2_05EEB908
Source: C:\Users\user\Desktop\bleorigin.exe	Code function: 0_2_05EED89D	0_2_05EED89D
Source: C:\Users\user\Desktop\bleorigin.exe	Code function: 0_2_05EE0040	0_2_05EE0040
Source: C:\Users\user\Desktop\bleorigin.exe	Code function: 0_2_05EE3B48	0_2_05EE3B48
Source: C:\Users\user\Desktop\bleorigin.exe	Code function: 0_2_05EE52E0	0_2_05EE52E0
Source: C:\Users\user\Desktop\bleorigin.exe	Code function: 0_2_05EE4C00	0_2_05EE4C00
Source: C:\Users\user\Desktop\bleorigin.exe	Code function: 0_2_05EE2E33	0_2_05EE2E33
Source: C:\Users\user\Desktop\bleorigin.exe	Code function: 0_2_0602CD31	0_2_0602CD31
Source: C:\Users\user\Desktop\bleorigin.exe	Code function: 0_2_060296B8	0_2_060296B8
Source: C:\Users\user\Desktop\bleorigin.exe	Code function: 0_2_0602B198	0_2_0602B198
Source: C:\Users\user\Desktop\bleorigin.exe	Code function: 0_2_060299D4	0_2_060299D4

Source: bleorigin.exe, 00000000.00000000.2032829432.00000000007F2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamee8ae4cc3-dac5-429a-ad46-d51bb0595a38.exe4 vs bleorigin.exe
Source: bleorigin.exe, 00000000.00000002.3279318601.0000000000EAE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs bleorigin.exe
Source: bleorigin.exe, 00000000.00000002.3279172343.00000000009B8000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs bleorigin.exe
Source: bleorigin.exe	Binary or memory string: OriginalFilenamee8ae4cc3-dac5-429a-ad46-d51bb0595a38.exe4 vs bleorigin.exe

Source: bleorigin.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: bleorigin.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.0.bleorigin.exe.7f0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: bleorigin.exe, ZTFEpdjP8zw.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: bleorigin.exe, WnRNxU.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: bleorigin.exe, 2njIk.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: bleorigin.exe, I5ElxL.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: bleorigin.exe, QQSiOsa4hPS.cs	Cryptographic APIs: 'CreateDecryptor'
Source: bleorigin.exe, FdHU4eb83Z7.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: bleorigin.exe, 3VzYbXLJt4.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: bleorigin.exe, 3VzYbXLJt4.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: bleorigin.exe, 3VzYbXLJt4.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: bleorigin.exe, 3VzYbXLJt4.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: bleorigin.exe

Binary string: ID: 0x{0:X}qSize of the SerializedPropertyStore is less than 8 ({0})/StoreSize: {0} (0x{0X})3\Device\LanmanRedirector\[Failed to retrieve system handle information.W

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/0@1/1

Source: C:\Users\user\Desktop\bleorigin.exe

Mutant created: NULL

Source: bleorigin.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: bleorigin.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\bleorigin.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\bleorigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\bleorigin.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\bleorigin.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: bleorigin.exe	Virustotal: Detection: 73%
Source: bleorigin.exe	ReversingLabs: Detection: 76%

Source: C:\Users\user\Desktop\bleorigin.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\bleorigin.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\bleorigin.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: bleorigin.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: bleorigin.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\bleorigin.exe

Code function: 0_2_060230B7 push AC0675DAh; retf

0_2_0602310D

Source: C:\Users\user\Desktop\bleorigin.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Source: C:\Users\user\Desktop\bleorigin.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 Blob

Jump to behavior

Source: C:\Users\user\Desktop\bleorigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\bleorigin.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\bleorigin.exe	Memory allocated: 2A60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Memory allocated: 2D20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Memory allocated: 2A60000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\bleorigin.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\bleorigin.exe	Window / User API: threadDelayed 1230			Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Window / User API: threadDelayed 5422			Jump to behavior

Source: C:\Users\user\Desktop\bleorigin.exe TID: 5876	Thread sleep time: -21213755684765971s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe TID: 5876	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe TID: 6660	Thread sleep count: 1230 > 30	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe TID: 5876	Thread sleep time: -99870s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe TID: 6660	Thread sleep count: 5422 > 30	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe TID: 5876	Thread sleep time: -99748s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe TID: 5876	Thread sleep time: -99640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe TID: 5876	Thread sleep time: -99528s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe TID: 5876	Thread sleep time: -99422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe TID: 5876	Thread sleep time: -99312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe TID: 5876	Thread sleep time: -99203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe TID: 5876	Thread sleep time: -99077s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe TID: 5876	Thread sleep time: -98967s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe TID: 5876	Thread sleep time: -98859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe TID: 5876	Thread sleep time: -98746s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe TID: 5876	Thread sleep time: -98640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe TID: 5876	Thread sleep time: -98531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe TID: 5876	Thread sleep time: -98422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe TID: 5876	Thread sleep time: -98313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe TID: 5876	Thread sleep time: -98188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe TID: 5876	Thread sleep time: -98063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe TID: 5876	Thread sleep time: -97953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe TID: 5876	Thread sleep time: -97844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe TID: 5876	Thread sleep time: -97719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe TID: 5876	Thread sleep time: -97609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe TID: 5876	Thread sleep time: -97500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe TID: 5876	Thread sleep time: -97388s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe TID: 5876	Thread sleep time: -97281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe TID: 5876	Thread sleep time: -97172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe TID: 5876	Thread sleep time: -97062s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe TID: 5876	Thread sleep time: -96953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe TID: 5876	Thread sleep time: -96844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe TID: 5876	Thread sleep time: -96719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe TID: 5876	Thread sleep time: -96609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe TID: 5876	Thread sleep time: -96500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe TID: 5876	Thread sleep time: -96391s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe TID: 5876	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\bleorigin.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\bleorigin.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\bleorigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\bleorigin.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Thread delayed: delay time: 99870	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Thread delayed: delay time: 99748	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Thread delayed: delay time: 99640	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Thread delayed: delay time: 99528	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Thread delayed: delay time: 99422	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Thread delayed: delay time: 99312	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Thread delayed: delay time: 99203	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Thread delayed: delay time: 99077	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Thread delayed: delay time: 98967	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Thread delayed: delay time: 98859	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Thread delayed: delay time: 98746	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Thread delayed: delay time: 98640	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Thread delayed: delay time: 98531	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Thread delayed: delay time: 98422	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Thread delayed: delay time: 98313	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Thread delayed: delay time: 98188	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Thread delayed: delay time: 98063	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Thread delayed: delay time: 97953	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Thread delayed: delay time: 97844	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Thread delayed: delay time: 97719	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Thread delayed: delay time: 97609	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Thread delayed: delay time: 97500	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Thread delayed: delay time: 97388	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Thread delayed: delay time: 97281	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Thread delayed: delay time: 97172	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Thread delayed: delay time: 97062	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Thread delayed: delay time: 96953	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Thread delayed: delay time: 96844	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Thread delayed: delay time: 96719	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Thread delayed: delay time: 96609	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Thread delayed: delay time: 96500	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Thread delayed: delay time: 96391	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: bleorigin.exe, 00000000.00000002.3282358973.0000000005DD0000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\bleorigin.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\bleorigin.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\bleorigin.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\bleorigin.exe	Queries volume information: C:\Users\user\Desktop\bleorigin.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\bleorigin.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\bleorigin.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 Blob

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: bleorigin.exe, type: SAMPLE
Source: Yara match	File source: 0.0.bleorigin.exe.7f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3280529743.0000000002D9A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3280529743.0000000002D6E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2032829432.00000000007F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3280529743.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3280529743.0000000002DA2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: bleorigin.exe PID: 5168, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\bleorigin.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\bleorigin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\bleorigin.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\bleorigin.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: bleorigin.exe, type: SAMPLE
Source: Yara match	File source: 0.0.bleorigin.exe.7f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2032829432.00000000007F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3280529743.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: bleorigin.exe PID: 5168, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: bleorigin.exe, type: SAMPLE
Source: Yara match	File source: 0.0.bleorigin.exe.7f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3280529743.0000000002D9A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3280529743.0000000002D6E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2032829432.00000000007F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3280529743.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3280529743.0000000002DA2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: bleorigin.exe PID: 5168, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Modify Registry	2 OS Credential Dumping	1 Query Registry	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	11 Disable or Modify Tools	1 Input Capture	111 Security Software Discovery	Remote Desktop Protocol	1 Input Capture	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	141 Virtualization/Sandbox Evasion	1 Credentials in Registry	1 Process Discovery	SMB/Windows Admin Shares	11 Archive Collected Data	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	141 Virtualization/Sandbox Evasion	Distributed Component Object Model	2 Data from Local System	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	24 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
bleorigin.exe	74%	Virustotal		Browse
bleorigin.exe	76%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
bleorigin.exe	100%	Avira	TR/Spy.Gen8

Source	Detection	Scanner	Label	Link
http://mail.worlorderbillions.top	0%	Avira URL Cloud	safe
http://worlorderbillions.top	0%	Avira URL Cloud	safe

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
worlorderbillions.top	185.174.173.22	true	true		unknown
mail.worlorderbillions.top	unknown	unknown	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://r11.i.lencr.org/09	bleorigin.exe, 00000000.00000002.3280529743.0000000002D76000.00000004.00000800.00020000.00000000.sdmp, bleorigin.exe, 00000000.00000002.3279318601.0000000000F73000.00000004.00000020.00020000.00000000.sdmp, bleorigin.exe, 00000000.00000002.3279318601.0000000000F3C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://mail.worlorderbillions.top	bleorigin.exe, 00000000.00000002.3280529743.0000000002D76000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://account.dyn.com/	bleorigin.exe	false		high
http://r11.o.lencr.org0#	bleorigin.exe, 00000000.00000002.3280529743.0000000002D76000.00000004.00000800.00020000.00000000.sdmp, bleorigin.exe, 00000000.00000002.3279318601.0000000000F73000.00000004.00000020.00020000.00000000.sdmp, bleorigin.exe, 00000000.00000002.3279318601.0000000000F3C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://worlorderbillions.top	bleorigin.exe, 00000000.00000002.3280529743.0000000002D76000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://x1.c.lencr.org/0	bleorigin.exe, 00000000.00000002.3282453835.0000000005E4C000.00000004.00000020.00020000.00000000.sdmp, bleorigin.exe, 00000000.00000002.3280529743.0000000002D76000.00000004.00000800.00020000.00000000.sdmp, bleorigin.exe, 00000000.00000002.3279318601.0000000000F73000.00000004.00000020.00020000.00000000.sdmp, bleorigin.exe, 00000000.00000002.3282453835.0000000005E38000.00000004.00000020.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	bleorigin.exe, 00000000.00000002.3282453835.0000000005E4C000.00000004.00000020.00020000.00000000.sdmp, bleorigin.exe, 00000000.00000002.3280529743.0000000002D76000.00000004.00000800.00020000.00000000.sdmp, bleorigin.exe, 00000000.00000002.3279318601.0000000000F73000.00000004.00000020.00020000.00000000.sdmp, bleorigin.exe, 00000000.00000002.3282453835.0000000005E38000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.174.173.22	worlorderbillions.top	Ukraine		21100	ITLDC-NLUA	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1615022
Start date and time:	2025-02-14 12:30:28 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 24s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	bleorigin.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@1/0@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 61 Number of non-executed functions: 5
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.60
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
06:31:18	API Interceptor	33x Sleep call for process: bleorigin.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.174.173.22	FATURA.exe	Get hash	malicious	FormBook	Browse	www.rockbull.pro/0804/
	TAX INVOICE.exe	Get hash	malicious	FormBook	Browse	www.rockbull.pro/0804/
	Arrival Notice.exe	Get hash	malicious	FormBook	Browse	www.rockbull.pro/4f6v/
	Hesap.exe	Get hash	malicious	FormBook	Browse	www.rockbull.pro/0804/
	QNBSWIFT.exe	Get hash	malicious	FormBook	Browse	www.rockbull.pro/0804/
	ekte.exe	Get hash	malicious	FormBook	Browse	www.rockbull.pro/0804/
	EKTEDIR.exe	Get hash	malicious	FormBook	Browse	www.rockbull.pro/0804/
	sse5JV1aR1.exe	Get hash	malicious	FormBook	Browse	www.rockbull.pro/jdqu/
	9vhyFG1hNa.exe	Get hash	malicious	FormBook	Browse	www.rockbull.pro/zckq/
	RQ#071024.exe	Get hash	malicious	FormBook	Browse	www.rockbull.pro/zckq/?O47=yt+/CYY17yfZsUzW1dzpXI0PtNsveO0es5mNBWZLxvJYS159teOgxf1K62P/A3Nk2I+sCuZ6Gvq/1Opx8wxJUkw6vtEbl6N+fnEOWCFb3RhlmuBmrQ==&LT=aZbPzzPX3H

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ITLDC-NLUA	nvtPp8Gj2Q.exe	Get hash	malicious	AgentTesla	Browse	185.174.175.187
	rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Get hash	malicious	AgentTesla	Browse	185.174.175.187
	DCV78I939025789245.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	185.174.173.22
	j66xcjuMKP.exe	Get hash	malicious	AgentTesla	Browse	185.174.175.187
	54B0E7E0Mk.exe	Get hash	malicious	AgentTesla	Browse	185.174.175.187
	sora.mpsl.elf	Get hash	malicious	Unknown	Browse	5.34.180.213
	PAYMENT RECEIPT.html	Get hash	malicious	HTMLPhisher	Browse	185.174.173.22
	Mg5bMQ2lWi.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse	185.237.206.129
	cNF6fXdjPw.dll	Get hash	malicious	Socks5Systemz	Browse	185.237.206.129
	KRdh0OaXqH.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse	185.237.206.129

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.000803375749883
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	bleorigin.exe
File size:	240'128 bytes
MD5:	0cd79e1837ecc2651611323ce6c009a7
SHA1:	6bd16567c5b2c2724c7590f1aebc082f37066fbf
SHA256:	b9aa15b40149a14595782f3138816babd5aa6a2cae761d9f6a2c1a7b52256bc7
SHA512:	dadb31dc48cb8e390c044e9de9cc67ce34896da4e1d224eb42d9ddf6b1bc8f8086f62b388fec4e379c682ed2e9fcc569eda2c77736991ad4655f9c358097df9c
SSDEEP:	3072:yRA0lRVpl1D2lVbTWQdVudhBEe5TyCSGqG:yRDlRVpl1D2vbTWQwSVCx
TLSH:	8B340F037E88EB15E1A93D3782EF6C2413B2B4C71633C60B6F49AFA518516825D7E72D
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....-.e............................n.... ........@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x43bf6e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x65AE2D9B [Mon Jan 22 08:55:55 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, byte ptr [eax]
adc byte ptr [eax], al
add byte ptr [eax], al
and byte ptr [eax], al
add byte ptr [eax+00000018h], al
push eax
add byte ptr [eax], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add dword ptr [eax], eax
add byte ptr [eax], al
cmp byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3bf14	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3c000	0x546	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x3e000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x39f74	0x3a000	32cba4e28d94814962803f813aa67e61	False	0.3577544113685345	data	5.012248399343291	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x3c000	0x546	0x600	346171ad3e9f4a2ca3ed5c40c281237c	False	0.3997395833333333	data	3.9912193590907696	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x3e000	0xc	0x200	47722ed4378cb86afb4b1954e8c92277	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x3c0a0	0x2bc	data			0.44
RT_MANIFEST	0x3c35c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
FileDescription
FileVersion	1.0.0.0
InternalName	e8ae4cc3-dac5-429a-ad46-d51bb0595a38.exe
LegalCopyright
OriginalFilename	e8ae4cc3-dac5-429a-ad46-d51bb0595a38.exe
ProductVersion	1.0.0.0
Assembly Version	1.0.0.0

Network Behavior

Download Network PCAP: filtered – full

Network Port Distribution

Total Packets: 22
• 587 undefined
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 14, 2025 12:31:20.230366945 CET	49704	587	192.168.2.5	185.174.173.22
Feb 14, 2025 12:31:20.235234976 CET	587	49704	185.174.173.22	192.168.2.5
Feb 14, 2025 12:31:20.235338926 CET	49704	587	192.168.2.5	185.174.173.22
Feb 14, 2025 12:31:21.007343054 CET	587	49704	185.174.173.22	192.168.2.5
Feb 14, 2025 12:31:21.011890888 CET	49704	587	192.168.2.5	185.174.173.22
Feb 14, 2025 12:31:21.018244028 CET	587	49704	185.174.173.22	192.168.2.5
Feb 14, 2025 12:31:21.185740948 CET	587	49704	185.174.173.22	192.168.2.5
Feb 14, 2025 12:31:21.185909033 CET	49704	587	192.168.2.5	185.174.173.22
Feb 14, 2025 12:31:21.190723896 CET	587	49704	185.174.173.22	192.168.2.5
Feb 14, 2025 12:31:21.360076904 CET	587	49704	185.174.173.22	192.168.2.5
Feb 14, 2025 12:31:21.368634939 CET	49704	587	192.168.2.5	185.174.173.22
Feb 14, 2025 12:31:21.373651028 CET	587	49704	185.174.173.22	192.168.2.5
Feb 14, 2025 12:31:21.551501036 CET	587	49704	185.174.173.22	192.168.2.5
Feb 14, 2025 12:31:21.551597118 CET	587	49704	185.174.173.22	192.168.2.5
Feb 14, 2025 12:31:21.551610947 CET	587	49704	185.174.173.22	192.168.2.5
Feb 14, 2025 12:31:21.551654100 CET	49704	587	192.168.2.5	185.174.173.22
Feb 14, 2025 12:31:21.589638948 CET	49704	587	192.168.2.5	185.174.173.22
Feb 14, 2025 12:31:21.595242023 CET	587	49704	185.174.173.22	192.168.2.5
Feb 14, 2025 12:31:21.764240980 CET	587	49704	185.174.173.22	192.168.2.5
Feb 14, 2025 12:31:21.810322046 CET	49704	587	192.168.2.5	185.174.173.22
Feb 14, 2025 12:31:21.826391935 CET	49704	587	192.168.2.5	185.174.173.22
Feb 14, 2025 12:31:21.832910061 CET	587	49704	185.174.173.22	192.168.2.5
Feb 14, 2025 12:31:21.999372005 CET	587	49704	185.174.173.22	192.168.2.5
Feb 14, 2025 12:31:22.000447035 CET	49704	587	192.168.2.5	185.174.173.22
Feb 14, 2025 12:31:22.007203102 CET	587	49704	185.174.173.22	192.168.2.5
Feb 14, 2025 12:31:22.175662041 CET	587	49704	185.174.173.22	192.168.2.5
Feb 14, 2025 12:31:22.176665068 CET	49704	587	192.168.2.5	185.174.173.22
Feb 14, 2025 12:31:22.181687117 CET	587	49704	185.174.173.22	192.168.2.5
Feb 14, 2025 12:31:22.373688936 CET	587	49704	185.174.173.22	192.168.2.5
Feb 14, 2025 12:31:22.374535084 CET	49704	587	192.168.2.5	185.174.173.22
Feb 14, 2025 12:31:22.379440069 CET	587	49704	185.174.173.22	192.168.2.5
Feb 14, 2025 12:31:22.547530890 CET	587	49704	185.174.173.22	192.168.2.5
Feb 14, 2025 12:31:22.547939062 CET	49704	587	192.168.2.5	185.174.173.22
Feb 14, 2025 12:31:22.552915096 CET	587	49704	185.174.173.22	192.168.2.5
Feb 14, 2025 12:31:22.728388071 CET	587	49704	185.174.173.22	192.168.2.5
Feb 14, 2025 12:31:22.728619099 CET	49704	587	192.168.2.5	185.174.173.22
Feb 14, 2025 12:31:22.733514071 CET	587	49704	185.174.173.22	192.168.2.5
Feb 14, 2025 12:31:22.901664019 CET	587	49704	185.174.173.22	192.168.2.5
Feb 14, 2025 12:31:22.902321100 CET	49704	587	192.168.2.5	185.174.173.22
Feb 14, 2025 12:31:22.902441978 CET	49704	587	192.168.2.5	185.174.173.22
Feb 14, 2025 12:31:22.902462006 CET	49704	587	192.168.2.5	185.174.173.22
Feb 14, 2025 12:31:22.902522087 CET	49704	587	192.168.2.5	185.174.173.22
Feb 14, 2025 12:31:22.907105923 CET	587	49704	185.174.173.22	192.168.2.5
Feb 14, 2025 12:31:22.907344103 CET	587	49704	185.174.173.22	192.168.2.5
Feb 14, 2025 12:31:22.907354116 CET	587	49704	185.174.173.22	192.168.2.5
Feb 14, 2025 12:31:22.907365084 CET	587	49704	185.174.173.22	192.168.2.5
Feb 14, 2025 12:31:23.198755980 CET	587	49704	185.174.173.22	192.168.2.5
Feb 14, 2025 12:31:23.247834921 CET	49704	587	192.168.2.5	185.174.173.22
Feb 14, 2025 12:32:59.560571909 CET	49704	587	192.168.2.5	185.174.173.22
Feb 14, 2025 12:32:59.565499067 CET	587	49704	185.174.173.22	192.168.2.5
Feb 14, 2025 12:32:59.735508919 CET	587	49704	185.174.173.22	192.168.2.5
Feb 14, 2025 12:32:59.738759041 CET	49704	587	192.168.2.5	185.174.173.22

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 14, 2025 12:31:19.535444021 CET	61278	53	192.168.2.5	1.1.1.1
Feb 14, 2025 12:31:20.222647905 CET	53	61278	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Feb 14, 2025 12:31:19.535444021 CET	192.168.2.5	1.1.1.1	0xdaf4	Standard query (0)	mail.worlorderbillions.top	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Feb 14, 2025 12:31:20.222647905 CET	1.1.1.1	192.168.2.5	0xdaf4	No error (0)	mail.worlorderbillions.top	worlorderbillions.top		CNAME (Canonical name)	IN (0x0001)	false
Feb 14, 2025 12:31:20.222647905 CET	1.1.1.1	192.168.2.5	0xdaf4	No error (0)	worlorderbillions.top		185.174.173.22	A (IP address)	IN (0x0001)	false

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Feb 14, 2025 12:31:21.007343054 CET	587	49704	185.174.173.22	192.168.2.5	220-cp8nl.hyperhost.ua ESMTP Exim 4.98 #2 Fri, 14 Feb 2025 13:31:20 +0200 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Feb 14, 2025 12:31:21.011890888 CET	49704	587	192.168.2.5	185.174.173.22	EHLO 210979
Feb 14, 2025 12:31:21.185740948 CET	587	49704	185.174.173.22	192.168.2.5	250-cp8nl.hyperhost.ua Hello 210979 [8.46.123.189] 250-SIZE 52428800 250-LIMITS MAILMAX=1000 RCPTMAX=50000 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Feb 14, 2025 12:31:21.185909033 CET	49704	587	192.168.2.5	185.174.173.22	STARTTLS
Feb 14, 2025 12:31:21.360076904 CET	587	49704	185.174.173.22	192.168.2.5	220 TLS go ahead

Statistics

CPU Usage

• bleorigin.exe

Click to jump to process

Memory Usage

• bleorigin.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry
• Network

Click to dive into process behavior distribution

Target ID:	0
Start time:	06:31:17
Start date:	14/02/2025
Path:	C:\Users\user\Desktop\bleorigin.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\bleorigin.exe"
Imagebase:	0x7f0000
File size:	240'128 bytes
MD5 hash:	0CD79E1837ECC2651611323CE6C009A7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.3280529743.0000000002D9A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.3280529743.0000000002D6E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000000.2032829432.00000000007F2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000000.2032829432.00000000007F2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.3280529743.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.3280529743.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.3280529743.0000000002DA2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	9.6%
Dynamic/Decrypted Code Coverage:	66.7%
Signature Coverage:	0%
Total number of Nodes:	114
Total number of Limit Nodes:	7

Executed Functions

Function 05EE0040 Relevance: 8.4, Strings: 6, Instructions: 932COMMON

Download Yara Rule

Strings

$]q, xrefs: 05EE0D10
$]q, xrefs: 05EE0CC3
$]q, xrefs: 05EE0D04
$]q, xrefs: 05EE0CEC
$]q, xrefs: 05EE0CE0
$]q, xrefs: 05EE0CB7

Memory Dump Source

Source File: 00000000.00000002.3282629716.0000000005EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ee0000_bleorigin.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-3723351465
Opcode ID: 38808f8a838292b060afcf745794225ef4cb505d0daa0f68179f07cd2618b673
Instruction ID: 9f2cee4739e8295ac6c06865eaefc9745dd139cf6b8665a966838ca2cd1d686c
Opcode Fuzzy Hash: 38808f8a838292b060afcf745794225ef4cb505d0daa0f68179f07cd2618b673
Instruction Fuzzy Hash: FE825B30A10709CFDB24DF64C598A9DB7B2FF85304F54D6A9D449AB264EB70ED86CB80

Function 05EEB908 Relevance: 4.3, Strings: 3, Instructions: 574
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH]q, xrefs: 05EEBB68
Dqs, xrefs: 05EEB9AC
0os, xrefs: 05EEB9A0

Memory Dump Source

Source File: 00000000.00000002.3282629716.0000000005EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ee0000_bleorigin.jbxd

Similarity

API ID:
String ID: 0os$Dqs$PH]q
API String ID: 0-4021589656
Opcode ID: 1ffe4592b112cb1e68979ac473cc1ced47d169ec81cf4c7d2d7863ca02ef0bf0
Instruction ID: b429c5cbb8d10cf9811ed9f9096d92c00f9f37424832f94861022d1dbbb98a98
Opcode Fuzzy Hash: 1ffe4592b112cb1e68979ac473cc1ced47d169ec81cf4c7d2d7863ca02ef0bf0
Instruction Fuzzy Hash: 0B22AC30B101058FDB24DF68D494AAEB7EAFF88318F208469D44ADB365DB35EC46CB91

Function 05EE52E0 Relevance: 3.0, Strings: 2, Instructions: 472
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 05EE564F
$]q, xrefs: 05EE5643

Memory Dump Source

Source File: 00000000.00000002.3282629716.0000000005EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ee0000_bleorigin.jbxd

Similarity

API ID:
String ID: $]q$$]q
API String ID: 0-127220927
Opcode ID: 7395f2c5ed3ff89e1f74ade9a0ff30b8feb3083aa3fd4c9ea68487f1d797304a
Instruction ID: 5074104d211fcbf00d70cf9f6cdca3c84e9ac15292b073d57797ec033446243b
Opcode Fuzzy Hash: 7395f2c5ed3ff89e1f74ade9a0ff30b8feb3083aa3fd4c9ea68487f1d797304a
Instruction Fuzzy Hash: 15028D31B102059FDB18DB68D580AAEB7E3FF84318F14856AD44ADB398DB75EC46CB81

Function 05EED89D Relevance: 2.8, Strings: 2, Instructions: 349
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Xaq, xrefs: 05EEDA1F
$]q, xrefs: 05EEDA06

Memory Dump Source

Source File: 00000000.00000002.3282629716.0000000005EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ee0000_bleorigin.jbxd

Similarity

API ID:
String ID: Xaq$$]q
API String ID: 0-1280934391
Opcode ID: 282ea3d47f430afca37bcfd57ed7146294b3f30cc710ffb7dfb4d6ee62c1cefc
Instruction ID: d43318b24f00eac7df1caf4cdf3ebc0f0fc669db3c7bdba70db58f475a0b5c04
Opcode Fuzzy Hash: 282ea3d47f430afca37bcfd57ed7146294b3f30cc710ffb7dfb4d6ee62c1cefc
Instruction Fuzzy Hash: 1DB1C230B142188BDB1CEB7899542BEBBA7BFC8750B14856DE447E7388DE34CC428796

Function 02B09BFA Relevance: 2.7, Instructions: 2737COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3280029883.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b00000_bleorigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a07984bcf2a7489731b71e6068bd1a137ef78165d2af1c4b506e84deb1004dd
Instruction ID: 6cf0f1fe164430c6de730980a32de73cf07091e85032dd9ca4ecc7c11c983fac
Opcode Fuzzy Hash: 0a07984bcf2a7489731b71e6068bd1a137ef78165d2af1c4b506e84deb1004dd
Instruction Fuzzy Hash: FD53EA31C10B1A8ACB51EF68C8905A9FBB1FF99300F11D79AE45877121FB70AAD5CB81

Function 02B0CDC8 Relevance: 2.3, Instructions: 2306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3280029883.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b00000_bleorigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e936ed8811aad1b4f4f2f7627d8bfb4314762a4510a3f741387444e983211a2
Instruction ID: 687c0cebccf125dbf5d83ca51559b375d1b21909e87bfb1713cf2f67b3a52d21
Opcode Fuzzy Hash: 5e936ed8811aad1b4f4f2f7627d8bfb4314762a4510a3f741387444e983211a2
Instruction Fuzzy Hash: 9E332D31D107198ECB11EF68C8906ADFBB1FF89300F15D79AD459A7261EB70AAC5CB81

Function 05EE2700 Relevance: 1.8, Strings: 1, Instructions: 591
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$, xrefs: 05EE2D66

Memory Dump Source

Source File: 00000000.00000002.3282629716.0000000005EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ee0000_bleorigin.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: 3c492336f13ece89d04784d4f4a6fd22f12f654a231716620702511303c7d7b5
Instruction ID: 3e8335bbc2eab203cc7c2ed0647405bc171819f61cf518254ef064f1056b0655
Opcode Fuzzy Hash: 3c492336f13ece89d04784d4f4a6fd22f12f654a231716620702511303c7d7b5
Instruction Fuzzy Hash: E022F339E102158FEF24DFA4C480AAEB7B6FF84314F209469D699AB344DB35DC42CB91

Function 05EE3B48 Relevance: .8, Instructions: 816COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3282629716.0000000005EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ee0000_bleorigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c2d9a93ca5540b460007439d60c904775acdc08975cd88f19b54b6116abe509
Instruction ID: 926b995ed1e74d7e3f70b190d7886e3ff4776a80028e8e131370505030d955a7
Opcode Fuzzy Hash: 7c2d9a93ca5540b460007439d60c904775acdc08975cd88f19b54b6116abe509
Instruction Fuzzy Hash: 8E62AC34B102049FEB14DB68D584AADBBF2FF88314F149869E446EB394DB35EC46CB90

Function 05EE96E0 Relevance: .6, Instructions: 639COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3282629716.0000000005EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ee0000_bleorigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0a6573791b48452014e69caf49b7053734e3e87e94a43dfcce09777a0fb28f4
Instruction ID: 6ba9078517b06d458c70032ec2c1278f90782f64feb1699491aa8bd6b8854b5f
Opcode Fuzzy Hash: a0a6573791b48452014e69caf49b7053734e3e87e94a43dfcce09777a0fb28f4
Instruction Fuzzy Hash: 2A32AE31A102098FDB14DF68D980BAEB7F6FB88314F109529E449D7396DB35EC46CB91

Function 05EE878B Relevance: .6, Instructions: 562COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3282629716.0000000005EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ee0000_bleorigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6abc579d9b1b1c7cb56a416482c6f59d81c577100d82039b165b0dc34af4de05
Instruction ID: da440f63e776ffb2a5ac5a00d6bc2c04fc639a35cab1de2b8bd8cf205215ee6d
Opcode Fuzzy Hash: 6abc579d9b1b1c7cb56a416482c6f59d81c577100d82039b165b0dc34af4de05
Instruction Fuzzy Hash: B4227070E142098FEF24DBA8D880BADB7B6FB45314F649825E489EB395CB35DC81CB51

Function 0602CD31 Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3282856188.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6020000_bleorigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa92b00235a439a9ed91a0df7c077faf4d606201b9301a25f95ff9f7b14b0bba
Instruction ID: dd334b30daf7eeb2068bfdb9c0efc32adf21b2fbfdb80508dfff24d4e6b5a116
Opcode Fuzzy Hash: fa92b00235a439a9ed91a0df7c077faf4d606201b9301a25f95ff9f7b14b0bba
Instruction Fuzzy Hash: 5BB19E35E4031A8FCB45DFB0D894ADDBBBAFF8A310F148615E419AF2A5DB309846CB51

Function 02B04AA0 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3280029883.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b00000_bleorigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39eaea69dd084808700eccc79426e8aad715fde02884c0f355f808e438ad7ef9
Instruction ID: 8223088727118c057e49f2bac819d7786693775bf873610182a05eb8be0c696d
Opcode Fuzzy Hash: 39eaea69dd084808700eccc79426e8aad715fde02884c0f355f808e438ad7ef9
Instruction Fuzzy Hash: ACB18CB0E00209DFDB11DFA9D9817ADBFF2EF88318F148669D515E7294EB749881CB81

Function 02B03E88 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3280029883.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b00000_bleorigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c88428b2f3a61b7ae8f11b8db8756d764da63cec7a8bf8d900e27e7bd4eb6277
Instruction ID: 5dc06d46bf1f3120e77114aea54406a08966f57bf8e32c0c8dbcbb3b6de9b436
Opcode Fuzzy Hash: c88428b2f3a61b7ae8f11b8db8756d764da63cec7a8bf8d900e27e7bd4eb6277
Instruction Fuzzy Hash: 86915AB0E00209DFDF11DFA9C98579DBFF2EF88314F148569E415A7294EB749886CB81

Function 060299D4 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3282856188.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6020000_bleorigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd98417a34e0e45978ca70117adda19e9c6a1b7aa10852bf0cc75f2da0740f8f
Instruction ID: 3611b199fd5e3dbcb9b138d02b9ad2d813dc27b7b41af6c7c6cf6f3ff356640e
Opcode Fuzzy Hash: cd98417a34e0e45978ca70117adda19e9c6a1b7aa10852bf0cc75f2da0740f8f
Instruction Fuzzy Hash: 58918D75E4031A9FCB44DFB0D8849DDFBBAFF89310F148615E41AAB2A4DB30A985CB51

Function 02B06EDF Relevance: 2.6, Strings: 2, Instructions: 149
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LR]q, xrefs: 02B07004
LR]q, xrefs: 02B06F16

Memory Dump Source

Source File: 00000000.00000002.3280029883.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b00000_bleorigin.jbxd

Similarity

API ID:
String ID: LR]q$LR]q
API String ID: 0-3917262905
Opcode ID: 70ad17f6076826b5dafc4e3e4122523c7ffbd115fee5b2c6f14d6ac3c0c9cdb3
Instruction ID: 5fadf1810c7a885febda08f0e63641c85c0a94a1cbed82d58bb21b2e2ba9227c
Opcode Fuzzy Hash: 70ad17f6076826b5dafc4e3e4122523c7ffbd115fee5b2c6f14d6ac3c0c9cdb3
Instruction Fuzzy Hash: 2B51D731A102458FDB16DF78C4907AEBFB6FF86304F1085AAE445EB290EB71A847CB51

Function 05EEDDA0 Relevance: 1.6, APIs: 1, Instructions: 132
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3282629716.0000000005EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ee0000_bleorigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9916c9512dac32b7e8e48e01b1bdfcb382b9b53c4716ddc3ad8d1212bf1b261
Instruction ID: c821968e5dd1a90d573fea2870e22f738e3dbda3ee0fad1867760bd15edbc5d1
Opcode Fuzzy Hash: f9916c9512dac32b7e8e48e01b1bdfcb382b9b53c4716ddc3ad8d1212bf1b261
Instruction Fuzzy Hash: 82412472D143998FCB04DFB9D9043AEBBF5AF89210F158A6AD444A7291DB789841CBE0

Function 0602CA44 Relevance: 1.6, APIs: 1, Instructions: 119
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0602CB62

Memory Dump Source

Source File: 00000000.00000002.3282856188.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6020000_bleorigin.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 3e0b69d5b83f02eaa917c1720b15f84501eb4d294589def1b731241e123a11be
Instruction ID: 6483c116e7306389a4a11828fc173134e634913dfa4d9a457818839faae320c9
Opcode Fuzzy Hash: 3e0b69d5b83f02eaa917c1720b15f84501eb4d294589def1b731241e123a11be
Instruction Fuzzy Hash: A151D0B1D003599FEB54CFA9C884ADEBFF5BF48314F24852AE818AB210D7749845CF90

Function 0602CA50 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0602CB62

Memory Dump Source

Source File: 00000000.00000002.3282856188.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6020000_bleorigin.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: fbb28f70384446848ceab1bfa22beba622255e67719a69ac2338f32ad9cb0ef0
Instruction ID: c2cd7e6c9f195076c3c5c40be560a22a1949c35f163c290e5230cefce2eeec07
Opcode Fuzzy Hash: fbb28f70384446848ceab1bfa22beba622255e67719a69ac2338f32ad9cb0ef0
Instruction Fuzzy Hash: 6641C0B1D003199FDB54CF99C884ADEBFB5BF48314F24852AE818AB210D775A885CF90

Function 0602D9DC Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 0602F251

Memory Dump Source

Source File: 00000000.00000002.3282856188.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6020000_bleorigin.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 84c6ad76bfd682f0eb8ca99af5445c4c8d2aa73fd044aaf57303b5a02c30cdf5
Instruction ID: 66a7c353a0dd608ded72d7b62ecf05b989fcf18795fc846651c0cefecb7898ff
Opcode Fuzzy Hash: 84c6ad76bfd682f0eb8ca99af5445c4c8d2aa73fd044aaf57303b5a02c30cdf5
Instruction Fuzzy Hash: 1F416AB994034ACFDB54CF99C448AAABBF5FF89314F24C858D519A7321D374A844CFA0

Function 05EEDE88 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(8B550510), ref: 05EEDEEF

Memory Dump Source

Source File: 00000000.00000002.3282629716.0000000005EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ee0000_bleorigin.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: fbf4c0ca65b4f8605c76d01977348b664f447fccb34546f77e12571ac4b02e72
Instruction ID: a2e343fabdc42861dda6d856e03a81e2b5419e3efdd884c3965aeede99726cbb
Opcode Fuzzy Hash: fbf4c0ca65b4f8605c76d01977348b664f447fccb34546f77e12571ac4b02e72
Instruction Fuzzy Hash: 41111FB1C006599BCB10DF9AC944A9EFBF8BF48320F10812AE818A7240D378A944CFA5

Function 02B0F2F5 Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

PH]q, xrefs: 02B0F443

Memory Dump Source

Source File: 00000000.00000002.3280029883.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b00000_bleorigin.jbxd

Similarity

API ID:
String ID: PH]q
API String ID: 0-3168235125
Opcode ID: a8d30e581d6edbf1bd101f58974aaa2fa6d2b75e58c7b5b49a4efe62db102dba
Instruction ID: dd945ace053dbd3d3146e589b66706b0b98863a45e27ae56b957b96bd02d977a
Opcode Fuzzy Hash: a8d30e581d6edbf1bd101f58974aaa2fa6d2b75e58c7b5b49a4efe62db102dba
Instruction Fuzzy Hash: 0141D331B002018FDB2AAB34D5A066E7FE7EF89264B5484B8D406DB399DF34DD46CB91

Function 02B06F80 Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

LR]q, xrefs: 02B07004

Memory Dump Source

Source File: 00000000.00000002.3280029883.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b00000_bleorigin.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: 0c26f9ea1427da9316a45b8e5ac21112c24bb5657ee3d27d01029cdb56d04db7
Instruction ID: b6832c12898518add109b14d88f0c3ead4d495191f89285b017d14f1df722907
Opcode Fuzzy Hash: 0c26f9ea1427da9316a45b8e5ac21112c24bb5657ee3d27d01029cdb56d04db7
Instruction Fuzzy Hash: D8316431E10209DBDB15DF64C490B9EFBB6FF85314F108669E806F7290EB71A942CB91

Function 02B06BA8 Relevance: 1.3, Strings: 1, Instructions: 57COMMON

Download Yara Rule

Strings

LR]q, xrefs: 02B06BDF

Memory Dump Source

Source File: 00000000.00000002.3280029883.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b00000_bleorigin.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: 7970cd9353ce973f70ca778ba23fb20f3a5f43bac603c966c368fd2672a83c0b
Instruction ID: 90399f0e6a231518df321a1048a3afb95effa782ef349c8c80fb430caf4cad8e
Opcode Fuzzy Hash: 7970cd9353ce973f70ca778ba23fb20f3a5f43bac603c966c368fd2672a83c0b
Instruction Fuzzy Hash: 3911E5317492805FC3176B7884A426E7FB2EF8B310B1549EFC095CB2A6CA35584AC792

Function 02B07910 Relevance: .6, Instructions: 557COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3280029883.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b00000_bleorigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a1058a4fd33c03afd477597644055465c99be92741bedc14717e03a40fc1456
Instruction ID: 05e8daa66e5328c00b7d1137bb6e2163ea402e504131af5d5e8b01646be99e3e
Opcode Fuzzy Hash: 3a1058a4fd33c03afd477597644055465c99be92741bedc14717e03a40fc1456
Instruction Fuzzy Hash: 64129330710202DBCB29AB38E584719B7A6FB95324B544A7DE006CBBA8CF75EC47D790

Function 02B096E8 Relevance: .4, Instructions: 355COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3280029883.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b00000_bleorigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c705f13e7b00ce49fdd61603b861f51a589f613a42047f0a9fc80a2780e7a183
Instruction ID: 721852820f6adac02cca020c21688efc95266b8abafe48cfd14ac8c9f89308ee
Opcode Fuzzy Hash: c705f13e7b00ce49fdd61603b861f51a589f613a42047f0a9fc80a2780e7a183
Instruction Fuzzy Hash: 05C1D031A002058FDB15DF68D8C07AEBBB6FF88710F1085AAE519EB396D770E845CB91

Function 02B0936C Relevance: .3, Instructions: 335COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3280029883.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b00000_bleorigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: facb42fef7cb98b20ad7e457287cd5f1bfe10c3bb4c787d3ff958d0a71a2f010
Instruction ID: 0c11c977724ff763ecbda35570aa7f2c9efac3ec1d85f9a8aebf4562ae5c5ace
Opcode Fuzzy Hash: facb42fef7cb98b20ad7e457287cd5f1bfe10c3bb4c787d3ff958d0a71a2f010
Instruction Fuzzy Hash: 0BC18E35B006058FDB15DFA4D584AADBBB2FF88710F2484A9E816D7395DB74EC46CB80

Function 02B04A95 Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3280029883.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b00000_bleorigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2511c87a7d2c5688d4f2b23ff6d5c44769b58d5c0cd152866445cb20aa0f0aa5
Instruction ID: 9e84e8106eb3425cf4183695378e7a10e39616901d906f99b9a9f6000a44622a
Opcode Fuzzy Hash: 2511c87a7d2c5688d4f2b23ff6d5c44769b58d5c0cd152866445cb20aa0f0aa5
Instruction Fuzzy Hash: E4B19DB0E00209DFDB11CFA9D98179DBFF2EF88318F148269D915A7294EB749885CB91

Function 02B03E7C Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3280029883.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b00000_bleorigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03ee8e9ed247eefad37a03859578526251f08ace31e49d0848ad07db45325efa
Instruction ID: b633acdfe8be83edae8f7398a7932c2ef237d2574d36d8212d743256fe0446d9
Opcode Fuzzy Hash: 03ee8e9ed247eefad37a03859578526251f08ace31e49d0848ad07db45325efa
Instruction Fuzzy Hash: 7BA15AB0E00209DFDB11DFA9C9857DDBFF2EF88314F248569E415A7294EB749886CB81

Function 02B0480C Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3280029883.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b00000_bleorigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36b904ce6c0afdf45fde3a48ef39de8c8ee274792b6fc840d47030b3a0c2df47
Instruction ID: 1398c00a8b46d991eda584b06fed144778ef394deb6f6e6ae2d6330ce1f43c73
Opcode Fuzzy Hash: 36b904ce6c0afdf45fde3a48ef39de8c8ee274792b6fc840d47030b3a0c2df47
Instruction Fuzzy Hash: F07188B0E002498FDF11DFA9C88179EBFF2FF88314F148569E519A7294DB349882CB95

Function 02B04818 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3280029883.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b00000_bleorigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 884dd8604f118b5d654d111701e3ae3f741e98f3680e75aac70595697ba991f7
Instruction ID: d486597ec217063a7d1b599272d60616406088578f9d68925dabeace30fc9227
Opcode Fuzzy Hash: 884dd8604f118b5d654d111701e3ae3f741e98f3680e75aac70595697ba991f7
Instruction Fuzzy Hash: 287179B0E002498FDF11DFA9C98079EBFF2FF88314F148469E519A7294EB349842CB95

Function 02B06CE4 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3280029883.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b00000_bleorigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7724d89f945e132a66673ca6e273f701552fe64dd65159ddae5f12a487e4b617
Instruction ID: f1c8ba335ae4d867e25fa7e9b2fc1f7b18f7beeaa499b8319d06f4bf822fd6fb
Opcode Fuzzy Hash: 7724d89f945e132a66673ca6e273f701552fe64dd65159ddae5f12a487e4b617
Instruction Fuzzy Hash: E95133B4D002188FDB19CFAAC885B9DBBF5FF48314F14816AE819AB394C774A844CF95

Function 02B06CF0 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3280029883.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b00000_bleorigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88de485c7b0986716660a965947659665bbcdf2000efd6e8b844bca4fe7eb09f
Instruction ID: fbc08f2c16940c9a42385c678b5ca2bce962430f5770a1b7deeab77ce85a5799
Opcode Fuzzy Hash: 88de485c7b0986716660a965947659665bbcdf2000efd6e8b844bca4fe7eb09f
Instruction Fuzzy Hash: D45113B4D002188FDB15CFAAC885B9DBBF5FF48314F148569E819AB390D774A844CF95

Function 02B01112 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3280029883.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b00000_bleorigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c93dc6be77f6e97c9380f53c9d1bf3032e6ea7ac42acefc921fa83ab6b65cb76
Instruction ID: c13e8a1f66e72c6f91c34685efe3c06caf44f420079c855f7150a65daf1aae63
Opcode Fuzzy Hash: c93dc6be77f6e97c9380f53c9d1bf3032e6ea7ac42acefc921fa83ab6b65cb76
Instruction Fuzzy Hash: CF51FA32A062818FCB7AEF28F980D553F65BB7630430459BDE0854B37EDB386949DB94

Function 02B01138 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3280029883.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b00000_bleorigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c691fd23ebcf57d163415cb9835cefbc80debb225e6afc0541f419f01756dfce
Instruction ID: e82491628a158961ac2ac3ba6e5e7b59ffc6b8cdfc8ea522b205694d41dbe8ef
Opcode Fuzzy Hash: c691fd23ebcf57d163415cb9835cefbc80debb225e6afc0541f419f01756dfce
Instruction Fuzzy Hash: C851C532A021419FCB7AEF28F980D553F69FBBA3043009979E0455B33EEB346959DB94

Function 02B0F1B8 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3280029883.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b00000_bleorigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 444134a46f1b27b83343f3607416044fff4996dd64e5f67384343040b84157b2
Instruction ID: 8144fbf2e031d62b85646a8d0650cbac66bc2f01dc76802eefdb73cc6220e585
Opcode Fuzzy Hash: 444134a46f1b27b83343f3607416044fff4996dd64e5f67384343040b84157b2
Instruction Fuzzy Hash: 9B316F35F102058BDB16CFA4D4946AEBBB2EF89310F108959E856E7790DF74A986CB80

Function 02B026E4 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3280029883.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b00000_bleorigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95ec7a3e5fa7b33e04476fb436a5946aba9a14b1150d90a4a4845d4916c6a179
Instruction ID: 021657494e916bbb585dc94336997802499ef6c9f82a31b5abf14831b15c3fce
Opcode Fuzzy Hash: 95ec7a3e5fa7b33e04476fb436a5946aba9a14b1150d90a4a4845d4916c6a179
Instruction Fuzzy Hash: 864112B4D003489FDB10DFA9C584ADEBFB5FF48314F208469E809AB254DB75A94ACF90

Function 02B0509F Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3280029883.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b00000_bleorigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2505fc5e160321eca8a6c0657a73dbbe506daf553afe454a4ceebf7a0bafc703
Instruction ID: 0600e0b1b37b7a3401f8831145d56b3712a4ce7d701d028003f0fbc9700fca35
Opcode Fuzzy Hash: 2505fc5e160321eca8a6c0657a73dbbe506daf553afe454a4ceebf7a0bafc703
Instruction Fuzzy Hash: D8314B35A00214CFDB2AEB74C594AAD7BB6FF58344F5004ACD406AB794EB369C82CB91

Function 02B0F1C8 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3280029883.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b00000_bleorigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 205d3dfadf5a3d39902c217ed0df78e4046a2f23769d7e6916c9e71f388428b2
Instruction ID: cda47031d2e38d05662bf2adbe2d72e3a391c0c81e8efdd67f7b4ed755a60850
Opcode Fuzzy Hash: 205d3dfadf5a3d39902c217ed0df78e4046a2f23769d7e6916c9e71f388428b2
Instruction Fuzzy Hash: 8C317035F002059BDB16CFA5C4946AEBBB2FF89310F108919E856E7790DF70AC86CB80

Function 02B026F0 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3280029883.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b00000_bleorigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb5ee19e43802335af189f7dc8b57aff69d4c5f9028eb02c4f1cbd7fe1ccfda6
Instruction ID: 4bce31fb1b33f1504260eedcfad43a832a66c3941e047253332ab6af6ec66e2d
Opcode Fuzzy Hash: eb5ee19e43802335af189f7dc8b57aff69d4c5f9028eb02c4f1cbd7fe1ccfda6
Instruction Fuzzy Hash: 5F410EB4D003489FDB10DFA9C584ADEBFB5FF48314F208469E809AB264DB75A949CB90

Function 02B050B0 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3280029883.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b00000_bleorigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a54f63c5255850151147eec8ac44b419addabe376b2cbc450fa75e0b7af3e790
Instruction ID: 2b1aeb61f26b61baf332d8aea653691024788974d1da0dbef246abde4c7265c6
Opcode Fuzzy Hash: a54f63c5255850151147eec8ac44b419addabe376b2cbc450fa75e0b7af3e790
Instruction Fuzzy Hash: A6313E34B00214CFDB2AEB74C590AAD7BF6FF58344F5004A8D406AB394EB369C82CB91

Function 02B09258 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3280029883.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b00000_bleorigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 145e688e18562368e11870e8f425a511aa206be3378a1bfa51aeee964bd294cb
Instruction ID: 60156875734ad86b8eac14d66a14d3ea854183d8722f1071790f2bb6b91abfa2
Opcode Fuzzy Hash: 145e688e18562368e11870e8f425a511aa206be3378a1bfa51aeee964bd294cb
Instruction Fuzzy Hash: AF318F31E106069BDB06CFA4D99069EBBB2FF89300F14C65AE845AB295DB749886CB50

Function 02B016A7 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3280029883.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b00000_bleorigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6b9cf03f0be0f7508177f8e3a6995f0c73483526b337c3c1f68d51af5427ac4
Instruction ID: 4d7324c8d1145f2508e2b24a99dfa53a10c11990fd8ce29c6bd44b61a582b3d7
Opcode Fuzzy Hash: b6b9cf03f0be0f7508177f8e3a6995f0c73483526b337c3c1f68d51af5427ac4
Instruction Fuzzy Hash: C221B2796101015FDF3BAB6CE8C4B293B69EB65304F004AA5D00EC7399DB2CE847CB92

Function 02B09268 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3280029883.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b00000_bleorigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1db1563ac1391c2c3e3618067ba95645ae2cebc4f8d1e7653a2c6133924aedc7
Instruction ID: 4cb4aabe1f7e4dd981ffd71b8d88463765cecc3386c4ef9ba6149a58d3f3c438
Opcode Fuzzy Hash: 1db1563ac1391c2c3e3618067ba95645ae2cebc4f8d1e7653a2c6133924aedc7
Instruction Fuzzy Hash: AE219131E0060A9BDB06CFA5D88069EFBB2FF89300F14C659E815AB395DB74D886CB50

Function 02B09159 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3280029883.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b00000_bleorigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7767bc5101b2791d0d9f44f9ded9096ae3d48d367ff5aab32f5d2228327b7cfc
Instruction ID: c78d6c7f33248f4afded05a845c67a955250b6d033396d999db716b2380e8172
Opcode Fuzzy Hash: 7767bc5101b2791d0d9f44f9ded9096ae3d48d367ff5aab32f5d2228327b7cfc
Instruction Fuzzy Hash: 8821A331E006059FCB15CFA4C4946DEBBB2EF89700F10855AE816BB391DB709942CB50

Function 02B04F91 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3280029883.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b00000_bleorigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 396cd75bf21d90cac5b75472aaadb5b6971233eb764c8a68adf0ca80b81b57a5
Instruction ID: ec7f3d27b9cde92fb226172103a12af1f815f1c32ce91770a73c80a1837ecb4e
Opcode Fuzzy Hash: 396cd75bf21d90cac5b75472aaadb5b6971233eb764c8a68adf0ca80b81b57a5
Instruction Fuzzy Hash: 9A212B35A001048FDB69EB78C599BADBBF5EF49344B1044A8E506EB3A4EB319D41CB91

Function 02B01880 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3280029883.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b00000_bleorigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b28e6eb1aad0302142c4c38938132dca76de0f187969f2d299fd77e321f7093
Instruction ID: a96a9c7f7abaf88ee0d3e7bb35ae2a2c87bd4ed885a359bc1a79bba677ebc784
Opcode Fuzzy Hash: 8b28e6eb1aad0302142c4c38938132dca76de0f187969f2d299fd77e321f7093
Instruction Fuzzy Hash: AC213D30A10205CFEB69EB78C594BAD7BB2EF49304F1004A9D14AEB2A4DB369D42CB55

Function 0112D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3279717469.000000000112D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0112D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_112d000_bleorigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00e36007783126603436cd309032dd4a8194bfbde3537c50af6e6de24c2432c7
Instruction ID: 5ef2311f045a242ee68e374f895c16ae37c488c0674df0c3a1941f25c7f81d8c
Opcode Fuzzy Hash: 00e36007783126603436cd309032dd4a8194bfbde3537c50af6e6de24c2432c7
Instruction Fuzzy Hash: 79212271604204DFCF19DF98E980F26BBA5FB88314F20C56DD9094B266C33ED826CB66

Function 02B01382 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3280029883.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b00000_bleorigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2b8b5bd55b9dfeb7c0ad036f76372572a169576403f5f3ff347cbcdb2a1e88e
Instruction ID: adcaca75750722b727f762e1e611c0bfe5b64328fc310ed07b1e009f728d386f
Opcode Fuzzy Hash: c2b8b5bd55b9dfeb7c0ad036f76372572a169576403f5f3ff347cbcdb2a1e88e
Instruction Fuzzy Hash: 43219F30611241AFDF3A172C94C472C3F66EB16315F444AA9D44EC77E4D729C886C742

Function 02B017C8 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3280029883.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b00000_bleorigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c6f06cec3a31988f3fb5a708716c8c845e37e744c5c197f44dc7d54ba717032
Instruction ID: 03a088cca678709c25a925694e473c7a21c3c930281084ba10948d4539962201
Opcode Fuzzy Hash: 8c6f06cec3a31988f3fb5a708716c8c845e37e744c5c197f44dc7d54ba717032
Instruction Fuzzy Hash: 5B11E775F013019FDF126B78A88476A7FA6EB84750F104A79E90DD3344EB35D8428781

Function 02B09168 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3280029883.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b00000_bleorigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdd6f1e6d03caa5913fccfef874ef2f1a498fe5d1d653f342637ad23cf075c32
Instruction ID: 9c963390baabbfaeb19c117cf0c673414f05c46a285356711fa9f8dba0d86dfb
Opcode Fuzzy Hash: fdd6f1e6d03caa5913fccfef874ef2f1a498fe5d1d653f342637ad23cf075c32
Instruction Fuzzy Hash: 9321A430E00609ABCB19DFA5C89469EFBB2EF89700F10C55AE815F7391DB70AD42CB51

Function 02B01890 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3280029883.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b00000_bleorigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7b84dec16ba63be20a621a8b209f870d85af8efac5b7078ca2cd9cbed5e3924
Instruction ID: 54f7d5a7c47263ba717b117d867166e09b5c122ac7deeee384de70b510081136
Opcode Fuzzy Hash: b7b84dec16ba63be20a621a8b209f870d85af8efac5b7078ca2cd9cbed5e3924
Instruction Fuzzy Hash: A0213134B10215CFDB29DB68C59479D7BF6EF49344F1004A8D10AEB394DB369D42CB95

Function 02B016B8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3280029883.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b00000_bleorigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f41a9b884b1c98f15da34d116a1f8339c00a3200301b824dd30e8801624bff6
Instruction ID: deaa3a63b6c5ab581e33156ba558420f5857323b0f7a3aa4adfd46b6b8fac4e0
Opcode Fuzzy Hash: 6f41a9b884b1c98f15da34d116a1f8339c00a3200301b824dd30e8801624bff6
Instruction Fuzzy Hash: 1E214F796101015FDB2BAB6CF9C4B193B69EB65304F104A65D00EC7399DB28E846CB92

Function 02B01492 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3280029883.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b00000_bleorigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9026c4ca51861e292dbf955c2be25df1ddc9e6c3519eacacd3da170e987d624
Instruction ID: 955fc08f5ccd58de39b590a8888f60f2ae047254bbf7531a65acb57f924d4933
Opcode Fuzzy Hash: b9026c4ca51861e292dbf955c2be25df1ddc9e6c3519eacacd3da170e987d624
Instruction Fuzzy Hash: D1116731A112558FCF2AABBC84D03AD7FA5EB49314F1804FAD809EB291E735D842CF61

Function 02B04FA0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3280029883.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b00000_bleorigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 740315f6547152d9fda22b73d0d3d282a7f2306621b0013d0b9052b5b8042942
Instruction ID: 40789109a09c7365e8b4d7e864857541018135c65ed6a0a805e99cb5f697dc71
Opcode Fuzzy Hash: 740315f6547152d9fda22b73d0d3d282a7f2306621b0013d0b9052b5b8042942
Instruction Fuzzy Hash: DC211934B002048FDB69EB78C598B9EBBF5FB4D340B1044A8E506EB3A4EB319D40CB91

Function 02B00838 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3280029883.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b00000_bleorigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed65f649ac2dee0419aeb6597ba946baf650eebeacc310cebd819a49f33633a8
Instruction ID: 6f62871558968bc1b587bc93071497ea1d58b4ba3431968f3f142c4cedd9d9f4
Opcode Fuzzy Hash: ed65f649ac2dee0419aeb6597ba946baf650eebeacc310cebd819a49f33633a8
Instruction Fuzzy Hash: EB11C130A043448FEF267675989036A7F95FB86224F144DFAD046CB2D5DB29E8818BD5

Function 02B00848 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3280029883.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b00000_bleorigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 564ab0f763d18fab666726d47b814dda19243559c1b44a51ea487554907503f4
Instruction ID: 4e1e7b3589d2e95b971dbacd124a3a109266b36bf0a2919c5e0e391f20f9aee2
Opcode Fuzzy Hash: 564ab0f763d18fab666726d47b814dda19243559c1b44a51ea487554907503f4
Instruction Fuzzy Hash: 00119130B003048FEF667A79D88476E7A95FB85224F104DBAD006CB3D5DB25E8818BD5

Function 0112D02B Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3279717469.000000000112D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0112D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_112d000_bleorigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: 1bfc29488374dcf6903948946695afd594b84138ee4a5effb45ee8ae79b5bd54
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: 1111EB75504280CFCB16CF58E5C0B15BFA1FB88314F28C6AAD8494B666C33AD41ACB62

Function 02B014A0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3280029883.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b00000_bleorigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20e33ebd1f05c2c9e69b23cf3908da28fa8a99d79ea4cfb62c3bd53497afaada
Instruction ID: 4bd26fab589f1de3d860589a19b8d0073a78b7c637dd2df26ebe2a55a1e4027e
Opcode Fuzzy Hash: 20e33ebd1f05c2c9e69b23cf3908da28fa8a99d79ea4cfb62c3bd53497afaada
Instruction Fuzzy Hash: 06011B71A112158BCF26EFBC84902AD7AE5EB49310B1504B9D80AEB291E735E941CFA1

Function 02B080F8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3280029883.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b00000_bleorigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb92322575be99e91030f816037a802316fc68b02750d7aeb24b854a10013c68
Instruction ID: a69c143c2262354393fc797232f4236372557c80042a5d52c58ac04c9ea7be45
Opcode Fuzzy Hash: bb92322575be99e91030f816037a802316fc68b02750d7aeb24b854a10013c68
Instruction Fuzzy Hash: 2F017C329402099FCB46EFB4F98098C7BB6EF61304B5042B5C008DB368EB396E09C741

Function 02B07098 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3280029883.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b00000_bleorigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b8deb7b7c74bc0adfc36ade36b09470ae992a44b061aea230981bebfc78581a
Instruction ID: ccd1656ba1b8c1036ba9820f3c015141cc64f2df84714083ec077d4871c9e4c7
Opcode Fuzzy Hash: 2b8deb7b7c74bc0adfc36ade36b09470ae992a44b061aea230981bebfc78581a
Instruction Fuzzy Hash: 28F0C439B402188FC714EB64D5A8B6DB7B2EF88725F1045A8E50ADB3A4DB35AD42CB40

Function 02B08108 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3280029883.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b00000_bleorigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8b6076ed4a4938fcda8ffdead82d6c8b907e092586f119edeeab55f1fbf6a6d
Instruction ID: b342a8fac6df5ac6e2c24b213e267030fb2095a206258be3001a404742815ab7
Opcode Fuzzy Hash: f8b6076ed4a4938fcda8ffdead82d6c8b907e092586f119edeeab55f1fbf6a6d
Instruction Fuzzy Hash: A1F01D35950109AFCB45EFB4F98099D7BB9EF60308F504678C0089B268DB396E09CB81

Non-executed Functions

Function 05EE4C00 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$]q, xrefs: 05EE50B9
$]q, xrefs: 05EE5162
$]q, xrefs: 05EE5158
$]q, xrefs: 05EE4D2D
$]q, xrefs: 05EE50AD
$]q, xrefs: 05EE4CFC
$]q, xrefs: 05EE514C
$]q, xrefs: 05EE4D21
$]q, xrefs: 05EE516E
$]q, xrefs: 05EE4CF0

Memory Dump Source

Source File: 00000000.00000002.3282629716.0000000005EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ee0000_bleorigin.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-2843079600
Opcode ID: 9030ff00760d8d17cb8b571d6875feb8cd474e94c09c54b3cfc7238f6f96074c
Instruction ID: 76da326e390bf442866a101e6189f73b7ed87829074d2cf98d46041b7d073db2
Opcode Fuzzy Hash: 9030ff00760d8d17cb8b571d6875feb8cd474e94c09c54b3cfc7238f6f96074c
Instruction Fuzzy Hash: 3D124230A10619CFDB24DF65C994A9DB7F2BF89304F20996AD44AAB354EB309D45CF41

Function 05EE2E33 Relevance: 2.9, Strings: 2, Instructions: 420COMMON

Download Yara Rule

Strings

\Obq, xrefs: 05EE2F65
XPbq, xrefs: 05EE30E9

Memory Dump Source

Source File: 00000000.00000002.3282629716.0000000005EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ee0000_bleorigin.jbxd

Similarity

API ID:
String ID: XPbq$\Obq
API String ID: 0-409418754
Opcode ID: 6fc8d6f2614dacc9f0f0d1d5adf6148f9cf200e5b25b0afdf7935dd27e043569
Instruction ID: 3e60f2a71df7c8b2b9a0853c0ee2200429d1afdbe88293c6c8ba3b40ed2fafbb
Opcode Fuzzy Hash: 6fc8d6f2614dacc9f0f0d1d5adf6148f9cf200e5b25b0afdf7935dd27e043569
Instruction Fuzzy Hash: 95E1F531B201148FDF14DF68C880AADBBF6FB89724F25886AD596DB355CA35EC01C790

Function 02B041D0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3280029883.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b00000_bleorigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6291824f264fa3d9293c64b7a8808a4669ad374427509146980011263947604
Instruction ID: d0c65c4326ca1549f70819b412431c3558c4e53b2453087fa31e2ca401d3eb07
Opcode Fuzzy Hash: f6291824f264fa3d9293c64b7a8808a4669ad374427509146980011263947604
Instruction Fuzzy Hash: 9AB14CB0E00209CFDF11DFA9D9857AEBFF2EF88308F148569D915A7294EB749845CB81

Function 060296B8 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3282856188.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6020000_bleorigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcb511336298bfa8d61d90a7a0d17fcbc8afbe25fa2cf95a1cc5174f24c7c704
Instruction ID: 8c6015bc40bdac8c16bf715a4192a7a25472baf4858d8a88c98661da326a0efb
Opcode Fuzzy Hash: bcb511336298bfa8d61d90a7a0d17fcbc8afbe25fa2cf95a1cc5174f24c7c704
Instruction Fuzzy Hash: B6A18136F4022A8FCF49DFB5C8405DEBBB2FF85300B15416AE915AB221DB75E945CB80

Function 0602B198 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3282856188.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6020000_bleorigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 131e59d7fd46ff08aedd51f342631804a495b06ea8b703c14a82c29700b3d863
Instruction ID: 5f1e47b03587e1889faffa458849855c8a57806cf6bd1509a5e30960922e9e92
Opcode Fuzzy Hash: 131e59d7fd46ff08aedd51f342631804a495b06ea8b703c14a82c29700b3d863
Instruction Fuzzy Hash: A0C11DB0C82B458BD710CF64EA4C3897BB1BB89394FA04F09D161AF2E4DBB4546ACF54

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report bleorigin.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Windows Analysis Report
bleorigin.exe