Edit tour

Windows Analysis Report
123123.exe.bin.exe

Overview

General Information

Sample name:	123123.exe.bin.exe
Analysis ID:	1645590
MD5:	f41b17e9ae4d3329d66d526bacf3c503
SHA1:	9169fb9412ffb7def5cc927dfe39eebe9ada0d56
SHA256:	7bdd5165674fec22061a6815ba57c595d99021faa609c1f4ed32677f4f1d9cd3
Tags:	exeuser-TornadoAV_dev
Infos:

Detection

Njrat

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Njrat

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Contains functionality to log keystrokes (.Net Source)

Disables zone checking for all users

Joe Sandbox ML detected suspicious sample

Protects its processes via BreakOnTermination flag

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to call native functions

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Yara signature match

Classification

Process Tree

System is w10x64

123123.exe.bin.exe (PID: 7972 cmdline: "C:\Users\user\Desktop\123123.exe.bin.exe" MD5: F41B17E9AE4D3329D66D526BACF3C503)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
NjRAT	RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives."It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.	AQUATIC PANDA Earth Lusca Operation C-Major The Gorgon Group	http://blog.trendmicro.com/trendlabs-security-intelligence/new-rats-emerge-from-leaked-njw0rm-source-code/ http://blogs.360.cn/post/analysis-of-apt-c-37.html http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered-1.pdf https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/ https://asec.ahnlab.com/1369	https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat

Malware Configuration

Threatname: Njrat

{
  "Host": "size-ingredients.gl.at.ply.gg",
  "Port": "8848",
  "Version": "<- NjRAT 0.7d Horror Edition ->",
  "Registry Name": "11390ffcc5e77b5abb8fc1519f8a1de5",
  "Campaign ID": "Victim",
  "Network Seprator": "Y262SUCZ4UJJ"
}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
123123.exe.bin.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
123123.exe.bin.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x933c:$a1: get_Registry 0xc35c:$a2: SEE_MASK_NOZONECHECKS 0xb166:$a3: Download ERROR 0xc5b1:$a4: cmd.exe /c ping 0 -n 2 & del "
123123.exe.bin.exe	RevengeRAT_Sep17	Detects RevengeRAT malware	Florian Roth	0xa4d5:$x3: 03C7F4E8FB359AEC0EEF0814B66A704FC43FB3A8
123123.exe.bin.exe	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xc5b1:$x1: cmd.exe /c ping 0 -n 2 & del " 0xafc6:$s1: winmgmts:\\.\root\SecurityCenter2 0xb18c:$s3: Executed As 0x9b5f:$s5: Stub.exe 0xb166:$s6: Download ERROR 0xaf88:$s8: Select * From AntiVirusProduct
123123.exe.bin.exe	Unknown_Malware_Sample_Jul17_2	Detects unknown malware sample with pastebin RAW URL	Florian Roth	0xcae9:$s1: 4System.Web.Services.Protocols.SoapHttpClientProtocol 0xadd4:$s2: https://pastebin.com/raw/ 0xce33:$s3: My.Computer 0xcac3:$s4: MyTemplate
123123.exe.bin.exe	crimeware_njrat_strings	Detects njRAT based on some strings	Sekoia.io	0xc5c7:$: ping 0 0xa8f6:$: TiGeR-Firewall 0xa938:$: NetSnifferCs 0xa8e2:$: IPBlocker 0xa952:$: Sandboxie Control
123123.exe.bin.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xc35c:$a2: SEE_MASK_NOZONECHECKS 0xc639:$b1: [TAP] 0xc5b1:$c3: cmd.exe /c ping
123123.exe.bin.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xc35c:$reg: SEE_MASK_NOZONECHECKS 0xb142:$msg: Execute ERROR 0xb1a6:$msg: Execute ERROR 0xc5b1:$ping: cmd.exe /c ping 0 -n 2 & del
123123.exe.bin.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xc5b1:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb142:$s4: Execute ERROR 0xb1a6:$s4: Execute ERROR 0xb166:$s5: Download ERROR 0xc5ef:$s6: [kl]
Click to see the 4 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.1175163455.00000000005F2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000000.00000000.1175163455.00000000005F2000.00000002.00000001.01000000.00000003.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x913c:$a1: get_Registry 0xc15c:$a2: SEE_MASK_NOZONECHECKS 0xaf66:$a3: Download ERROR 0xc3b1:$a4: cmd.exe /c ping 0 -n 2 & del "
00000000.00000000.1175163455.00000000005F2000.00000002.00000001.01000000.00000003.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xc15c:$a2: SEE_MASK_NOZONECHECKS 0xc439:$b1: [TAP] 0xc3b1:$c3: cmd.exe /c ping
00000000.00000000.1175163455.00000000005F2000.00000002.00000001.01000000.00000003.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xc15c:$reg: SEE_MASK_NOZONECHECKS 0xaf42:$msg: Execute ERROR 0xafa6:$msg: Execute ERROR 0xc3b1:$ping: cmd.exe /c ping 0 -n 2 & del
Process Memory Space: 123123.exe.bin.exe PID: 7972	JoeSecurity_Njrat	Yara detected Njrat	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.123123.exe.bin.exe.5f0000.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0.0.123123.exe.bin.exe.5f0000.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x933c:$a1: get_Registry 0xc35c:$a2: SEE_MASK_NOZONECHECKS 0xb166:$a3: Download ERROR 0xc5b1:$a4: cmd.exe /c ping 0 -n 2 & del "
0.0.123123.exe.bin.exe.5f0000.0.unpack	RevengeRAT_Sep17	Detects RevengeRAT malware	Florian Roth	0xa4d5:$x3: 03C7F4E8FB359AEC0EEF0814B66A704FC43FB3A8
0.0.123123.exe.bin.exe.5f0000.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xc5b1:$x1: cmd.exe /c ping 0 -n 2 & del " 0xafc6:$s1: winmgmts:\\.\root\SecurityCenter2 0xb18c:$s3: Executed As 0x9b5f:$s5: Stub.exe 0xb166:$s6: Download ERROR 0xaf88:$s8: Select * From AntiVirusProduct
0.0.123123.exe.bin.exe.5f0000.0.unpack	Unknown_Malware_Sample_Jul17_2	Detects unknown malware sample with pastebin RAW URL	Florian Roth	0xcae9:$s1: 4System.Web.Services.Protocols.SoapHttpClientProtocol 0xadd4:$s2: https://pastebin.com/raw/ 0xce33:$s3: My.Computer 0xcac3:$s4: MyTemplate
0.0.123123.exe.bin.exe.5f0000.0.unpack	crimeware_njrat_strings	Detects njRAT based on some strings	Sekoia.io	0xc5c7:$: ping 0 0xa8f6:$: TiGeR-Firewall 0xa938:$: NetSnifferCs 0xa8e2:$: IPBlocker 0xa952:$: Sandboxie Control
0.0.123123.exe.bin.exe.5f0000.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xc35c:$a2: SEE_MASK_NOZONECHECKS 0xc639:$b1: [TAP] 0xc5b1:$c3: cmd.exe /c ping
0.0.123123.exe.bin.exe.5f0000.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xc35c:$reg: SEE_MASK_NOZONECHECKS 0xb142:$msg: Execute ERROR 0xb1a6:$msg: Execute ERROR 0xc5b1:$ping: cmd.exe /c ping 0 -n 2 & del
0.0.123123.exe.bin.exe.5f0000.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xc5b1:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb142:$s4: Execute ERROR 0xb1a6:$s4: Execute ERROR 0xb166:$s5: Download ERROR 0xc5ef:$s6: [kl]
Click to see the 4 entries

Joe Sandbox Signatures

• AV Detection
• Compliance
• Networking
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• E-Banking Fraud
• Operating System Destruction
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection
• Lowering of HIPS / PFW / Operating System Security Settings
• Stealing of Sensitive Information
• Remote Access Functionality

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 123123.exe.bin.exe

Avira: detected

Found malware configuration

Source: 0.0.123123.exe.bin.exe.5f0000.0.unpack

Malware Configuration Extractor: Njrat {"Host": "size-ingredients.gl.at.ply.gg", "Port": "8848", "Version": "<- NjRAT 0.7d Horror Edition ->", "Registry Name": "11390ffcc5e77b5abb8fc1519f8a1de5", "Campaign ID": "Victim", "Network Seprator": "Y262SUCZ4UJJ"}

Multi AV Scanner detection for submitted file

Source: 123123.exe.bin.exe	Virustotal: Detection: 75%			Perma Link
Source: 123123.exe.bin.exe	ReversingLabs: Detection: 86%

Yara detected Njrat

Source: Yara match	File source: 123123.exe.bin.exe, type: SAMPLE
Source: Yara match	File source: 0.0.123123.exe.bin.exe.5f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1175163455.00000000005F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 123123.exe.bin.exe PID: 7972, type: MEMORYSTR

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: 123123.exe.bin.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\123123.exe.bin.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: 123123.exe.bin.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: global traffic

TCP traffic: 192.168.2.4:49725 -> 147.185.221.27:8848

Source: Joe Sandbox View

ASN Name: SALSGIVERUS SALSGIVERUS

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: size-ingredients.gl.at.ply.gg

Source: 123123.exe.bin.exe, 00000000.00000002.3638559250.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.microsoft.
Source: 123123.exe.bin.exe, 00000000.00000002.3638559250.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.microsoft.LinkId=42127
Source: 123123.exe.bin.exe	String found in binary or memory: https://pastebin.com/raw/???

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 123123.exe.bin.exe, kl.cs

.Net Code: VKCodeToUnicode

E-Banking Fraud

Yara detected Njrat

Source: Yara match	File source: 123123.exe.bin.exe, type: SAMPLE
Source: Yara match	File source: 0.0.123123.exe.bin.exe.5f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1175163455.00000000005F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 123123.exe.bin.exe PID: 7972, type: MEMORYSTR

Operating System Destruction

Protects its processes via BreakOnTermination flag

Source: C:\Users\user\Desktop\123123.exe.bin.exe

Process information set: 01 00 00 00

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 123123.exe.bin.exe, type: SAMPLE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 123123.exe.bin.exe, type: SAMPLE	Matched rule: Detects RevengeRAT malware Author: Florian Roth
Source: 123123.exe.bin.exe, type: SAMPLE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 123123.exe.bin.exe, type: SAMPLE	Matched rule: Detects unknown malware sample with pastebin RAW URL Author: Florian Roth
Source: 123123.exe.bin.exe, type: SAMPLE	Matched rule: Detects njRAT based on some strings Author: Sekoia.io
Source: 123123.exe.bin.exe, type: SAMPLE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 123123.exe.bin.exe, type: SAMPLE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 123123.exe.bin.exe, type: SAMPLE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.0.123123.exe.bin.exe.5f0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.0.123123.exe.bin.exe.5f0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RevengeRAT malware Author: Florian Roth
Source: 0.0.123123.exe.bin.exe.5f0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.0.123123.exe.bin.exe.5f0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects unknown malware sample with pastebin RAW URL Author: Florian Roth
Source: 0.0.123123.exe.bin.exe.5f0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects njRAT based on some strings Author: Sekoia.io
Source: 0.0.123123.exe.bin.exe.5f0000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.0.123123.exe.bin.exe.5f0000.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.123123.exe.bin.exe.5f0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 00000000.00000000.1175163455.00000000005F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000000.00000000.1175163455.00000000005F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000000.00000000.1175163455.00000000005F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group

Source: C:\Users\user\Desktop\123123.exe.bin.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\123123.exe.bin.exe	Code function: 0_2_00CDB50A NtSetInformationProcess,		0_2_00CDB50A
Source: C:\Users\user\Desktop\123123.exe.bin.exe	Code function: 0_2_00CDB4E8 NtSetInformationProcess,		0_2_00CDB4E8

Source: C:\Users\user\Desktop\123123.exe.bin.exe

Code function: 0_2_04DC0360

0_2_04DC0360

Source: 123123.exe.bin.exe, 00000000.00000002.3638559250.0000000000A3E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenamemscorwks.dllT vs 123123.exe.bin.exe

Source: 123123.exe.bin.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 123123.exe.bin.exe, type: SAMPLE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 123123.exe.bin.exe, type: SAMPLE	Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 123123.exe.bin.exe, type: SAMPLE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 123123.exe.bin.exe, type: SAMPLE	Matched rule: Unknown_Malware_Sample_Jul17_2 date = 2017-08-01, hash1 = 3530d480db082af1823a7eb236203aca24dc3685f08c301466909f0794508a52, author = Florian Roth, description = Detects unknown malware sample with pastebin RAW URL, reference = https://goo.gl/iqH8CK, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 123123.exe.bin.exe, type: SAMPLE	Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
Source: 123123.exe.bin.exe, type: SAMPLE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 123123.exe.bin.exe, type: SAMPLE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 123123.exe.bin.exe, type: SAMPLE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.0.123123.exe.bin.exe.5f0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.0.123123.exe.bin.exe.5f0000.0.unpack, type: UNPACKEDPE	Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.123123.exe.bin.exe.5f0000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.123123.exe.bin.exe.5f0000.0.unpack, type: UNPACKEDPE	Matched rule: Unknown_Malware_Sample_Jul17_2 date = 2017-08-01, hash1 = 3530d480db082af1823a7eb236203aca24dc3685f08c301466909f0794508a52, author = Florian Roth, description = Detects unknown malware sample with pastebin RAW URL, reference = https://goo.gl/iqH8CK, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.123123.exe.bin.exe.5f0000.0.unpack, type: UNPACKEDPE	Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
Source: 0.0.123123.exe.bin.exe.5f0000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.0.123123.exe.bin.exe.5f0000.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.0.123123.exe.bin.exe.5f0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 00000000.00000000.1175163455.00000000005F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000000.00000000.1175163455.00000000005F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000000.00000000.1175163455.00000000005F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan

Source: classification engine

Classification label: mal100.phis.troj.spyw.evad.winEXE@1/0@1/1

Source: C:\Users\user\Desktop\123123.exe.bin.exe	Code function: 0_2_00CDB1BA AdjustTokenPrivileges,		0_2_00CDB1BA
Source: C:\Users\user\Desktop\123123.exe.bin.exe	Code function: 0_2_00CDB183 AdjustTokenPrivileges,		0_2_00CDB183

Source: C:\Users\user\Desktop\123123.exe.bin.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\123123.exe.bin.exe	Mutant created: \Sessions\1\BaseNamedObjects\11390ffcc5e77b5abb8fc1519f8a1de5
Source: C:\Users\user\Desktop\123123.exe.bin.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

Source: 123123.exe.bin.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 123123.exe.bin.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\123123.exe.bin.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 123123.exe.bin.exe	Virustotal: Detection: 75%
Source: 123123.exe.bin.exe	ReversingLabs: Detection: 86%

Source: C:\Users\user\Desktop\123123.exe.bin.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\123123.exe.bin.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\123123.exe.bin.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\123123.exe.bin.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\123123.exe.bin.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\123123.exe.bin.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\123123.exe.bin.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\123123.exe.bin.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\123123.exe.bin.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\123123.exe.bin.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\123123.exe.bin.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\123123.exe.bin.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\123123.exe.bin.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\123123.exe.bin.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\123123.exe.bin.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\123123.exe.bin.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Users\user\Desktop\123123.exe.bin.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: 123123.exe.bin.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: C:\Users\user\Desktop\123123.exe.bin.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: 123123.exe.bin.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: 123123.exe.bin.exe, OK.cs

.Net Code: Plugin System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\123123.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123123.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123123.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123123.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123123.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123123.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123123.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123123.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123123.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123123.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123123.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123123.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123123.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123123.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123123.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123123.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123123.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123123.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123123.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123123.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123123.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123123.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123123.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123123.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123123.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123123.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123123.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123123.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123123.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123123.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\123123.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: 123123.exe.bin.exe	Binary or memory string: WIRESHARK.EXE9HTTPS://PASTEBIN.COM/RAW/???NULL
Source: 123123.exe.bin.exe, 00000000.00000002.3640321082.0000000002C01000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WIRESHARK.EXE

Source: C:\Users\user\Desktop\123123.exe.bin.exe	Memory allocated: 1150000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\123123.exe.bin.exe	Memory allocated: 2C00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\123123.exe.bin.exe	Memory allocated: 4C00000 memory commit \| memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\123123.exe.bin.exe	Window / User API: threadDelayed 760	Jump to behavior
Source: C:\Users\user\Desktop\123123.exe.bin.exe	Window / User API: threadDelayed 3711	Jump to behavior
Source: C:\Users\user\Desktop\123123.exe.bin.exe	Window / User API: threadDelayed 5017	Jump to behavior
Source: C:\Users\user\Desktop\123123.exe.bin.exe	Window / User API: foregroundWindowGot 1767	Jump to behavior

Source: C:\Users\user\Desktop\123123.exe.bin.exe TID: 7976	Thread sleep time: -760000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\123123.exe.bin.exe TID: 7976	Thread sleep time: -5017000s >= -30000s			Jump to behavior

Source: 123123.exe.bin.exe	Binary or memory string: VBoxService%\\.\PhysicalDrive0
Source: 123123.exe.bin.exe, 00000000.00000002.3638559250.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\123123.exe.bin.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\123123.exe.bin.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 123123.exe.bin.exe, kl.cs	Reference to suspicious API methods: MapVirtualKey(a, 0u)
Source: 123123.exe.bin.exe, kl.cs	Reference to suspicious API methods: GetAsyncKeyState(num2)
Source: 123123.exe.bin.exe, OK.cs	Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)

Source: 123123.exe.bin.exe, 00000000.00000002.3640321082.0000000002C52000.00000004.00000800.00020000.00000000.sdmp, 123123.exe.bin.exe, 00000000.00000002.3640321082.00000000030AE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager@9tl
Source: 123123.exe.bin.exe	Binary or memory string: Program Manager
Source: 123123.exe.bin.exe	Binary or memory string: Progman
Source: 123123.exe.bin.exe	Binary or memory string: Shell_TrayWnd+set CDAudio door open/set CDAudio door closed

Source: C:\Users\user\Desktop\123123.exe.bin.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Disables zone checking for all users

Source: C:\Users\user\Desktop\123123.exe.bin.exe

Registry value created: HKEY_CURRENT_USER\Environment SEE_MASK_NOZONECHECKS

Jump to behavior

Source: 123123.exe.bin.exe, 00000000.00000002.3640321082.0000000002C01000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: Wireshark.exe

Stealing of Sensitive Information

Yara detected Njrat

Source: Yara match	File source: 123123.exe.bin.exe, type: SAMPLE
Source: Yara match	File source: 0.0.123123.exe.bin.exe.5f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1175163455.00000000005F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 123123.exe.bin.exe PID: 7972, type: MEMORYSTR

Remote Access Functionality

Yara detected Njrat

Source: Yara match	File source: 123123.exe.bin.exe, type: SAMPLE
Source: Yara match	File source: 0.0.123123.exe.bin.exe.5f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1175163455.00000000005F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 123123.exe.bin.exe PID: 7972, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Access Token Manipulation	2 Virtualization/Sandbox Evasion	1 Input Capture	111 Security Software Discovery	Remote Services	1 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Process Injection	11 Disable or Modify Tools	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Access Token Manipulation	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	2 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
123123.exe.bin.exe	75%	Virustotal		Browse
123123.exe.bin.exe	86%	ReversingLabs	ByteCode-MSIL.Backdoor.njRAT
123123.exe.bin.exe	100%	Avira	TR/Dropper.Gen7

Source	Detection	Scanner	Label	Link
http://go.microsoft.LinkId=42127	0%	Avira URL Cloud	safe

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
size-ingredients.gl.at.ply.gg	147.185.221.27	true	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://go.microsoft.	123123.exe.bin.exe, 00000000.00000002.3638559250.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://go.microsoft.LinkId=42127	123123.exe.bin.exe, 00000000.00000002.3638559250.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://pastebin.com/raw/???	123123.exe.bin.exe	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
147.185.221.27	size-ingredients.gl.at.ply.gg	United States		12087	SALSGIVERUS	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1645590
Start date and time:	2025-03-21 23:13:48 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 21s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	123123.exe.bin.exe
Detection:	MAL
Classification:	mal100.phis.troj.spyw.evad.winEXE@1/0@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 68 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.204.23.20, 204.79.197.222, 4.245.163.56
Excluded domains from analysis (whitelisted): fp.msedge.net, fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
18:15:24	API Interceptor	1277298x Sleep call for process: 123123.exe.bin.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
147.185.221.27	Payload.exe.bin.exe	Get hash	malicious	Njrat	Browse
	Payload1234.exe.bin.exe	Get hash	malicious	Njrat	Browse
	remover.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
size-ingredients.gl.at.ply.gg	Payload.exe.bin.exe	Get hash	malicious	Njrat	Browse	147.185.221.27

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SALSGIVERUS	Payload.exe.bin.exe	Get hash	malicious	Njrat	Browse	147.185.221.27
	Payload1234.exe.bin.exe	Get hash	malicious	Njrat	Browse	147.185.221.27
	u6bEt4VkGJ.exe	Get hash	malicious	XWorm	Browse	147.185.221.26
	Augustus b2.6 crack by soda.exe	Get hash	malicious	XWorm	Browse	147.185.221.24
	btoawpdtjhjawd.exe	Get hash	malicious	XWorm	Browse	147.185.221.25
	jkse.ppc.elf	Get hash	malicious	Unknown	Browse	147.185.65.227
	remover.exe	Get hash	malicious	Unknown	Browse	147.185.221.27
	45.exe.bin.exe	Get hash	malicious	Njrat	Browse	147.185.221.26
	hoho.m68k.elf	Get hash	malicious	Unknown	Browse	147.168.203.72
	FortVIP.bat	Get hash	malicious	Unknown	Browse	147.185.221.22

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.616097766331929
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	123123.exe.bin.exe
File size:	55'808 bytes
MD5:	f41b17e9ae4d3329d66d526bacf3c503
SHA1:	9169fb9412ffb7def5cc927dfe39eebe9ada0d56
SHA256:	7bdd5165674fec22061a6815ba57c595d99021faa609c1f4ed32677f4f1d9cd3
SHA512:	90b0557532f64059db93011a19f13e8fa54c17361c59bd303e04f665eb37a8ebc91297770787cc020f9a3a8df249186886d83dcd14c396c2581f6a71c4347c05
SSDEEP:	768:rlUUbwoZ2EsltZgh753K7JSNlexWQG35bmaePD5PvGEXXJdxIEpmwg:rlU01GtZgt5EGlMWQcGDjX3xIEpmwg
TLSH:	4D432844BBDA8A05E2BE8F3468F655150B34AA23E532EB1F8CD559DB13327C58C40FE6
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...9..g............................N.... ........@.. .......................@............@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x40f04e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x67DD7F39 [Fri Mar 21 15:01:13 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xeffc	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x10000	0x240	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x12000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xd054	0xd200	36f73514f023d83b5e9b839d10f1e6cb	False	0.4524739583333333	data	5.636918388748024	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x10000	0x240	0x400	0da1702fee35fb285b88cc25720ab75a	False	0.310546875	data	4.964962934397579	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x12000	0xc	0x200	6c2f2a8f35bbe74a1264d0d950d69aa6	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x10058	0x1e7	XML 1.0 document, ASCII text, with CRLF line terminators			0.5338809034907598

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Download Network PCAP: filtered – full

Network Port Distribution

Total Packets: 55
• 8848 undefined
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 21, 2025 23:14:55.201809883 CET	49725	8848	192.168.2.4	147.185.221.27
Mar 21, 2025 23:14:56.207144022 CET	49725	8848	192.168.2.4	147.185.221.27
Mar 21, 2025 23:14:58.223679066 CET	49725	8848	192.168.2.4	147.185.221.27
Mar 21, 2025 23:15:02.234920979 CET	49725	8848	192.168.2.4	147.185.221.27
Mar 21, 2025 23:15:10.235114098 CET	49725	8848	192.168.2.4	147.185.221.27
Mar 21, 2025 23:15:18.252928972 CET	49729	8848	192.168.2.4	147.185.221.27
Mar 21, 2025 23:15:19.275823116 CET	49729	8848	192.168.2.4	147.185.221.27
Mar 21, 2025 23:15:21.282058001 CET	49729	8848	192.168.2.4	147.185.221.27
Mar 21, 2025 23:15:25.297709942 CET	49729	8848	192.168.2.4	147.185.221.27
Mar 21, 2025 23:15:33.297987938 CET	49729	8848	192.168.2.4	147.185.221.27
Mar 21, 2025 23:15:41.343981028 CET	49732	8848	192.168.2.4	147.185.221.27
Mar 21, 2025 23:15:42.344798088 CET	49732	8848	192.168.2.4	147.185.221.27
Mar 21, 2025 23:15:44.344861031 CET	49732	8848	192.168.2.4	147.185.221.27
Mar 21, 2025 23:15:48.344919920 CET	49732	8848	192.168.2.4	147.185.221.27
Mar 21, 2025 23:15:56.345114946 CET	49732	8848	192.168.2.4	147.185.221.27
Mar 21, 2025 23:16:04.378285885 CET	49734	8848	192.168.2.4	147.185.221.27
Mar 21, 2025 23:16:05.392221928 CET	49734	8848	192.168.2.4	147.185.221.27
Mar 21, 2025 23:16:07.392235041 CET	49734	8848	192.168.2.4	147.185.221.27
Mar 21, 2025 23:16:11.407799959 CET	49734	8848	192.168.2.4	147.185.221.27
Mar 21, 2025 23:16:19.407856941 CET	49734	8848	192.168.2.4	147.185.221.27
Mar 21, 2025 23:16:27.441029072 CET	49735	8848	192.168.2.4	147.185.221.27
Mar 21, 2025 23:16:28.454828024 CET	49735	8848	192.168.2.4	147.185.221.27
Mar 21, 2025 23:16:30.470436096 CET	49735	8848	192.168.2.4	147.185.221.27
Mar 21, 2025 23:16:34.486118078 CET	49735	8848	192.168.2.4	147.185.221.27
Mar 21, 2025 23:16:42.501894951 CET	49735	8848	192.168.2.4	147.185.221.27
Mar 21, 2025 23:16:50.519220114 CET	49736	8848	192.168.2.4	147.185.221.27
Mar 21, 2025 23:16:51.533195019 CET	49736	8848	192.168.2.4	147.185.221.27
Mar 21, 2025 23:16:53.548847914 CET	49736	8848	192.168.2.4	147.185.221.27
Mar 21, 2025 23:16:57.548880100 CET	49736	8848	192.168.2.4	147.185.221.27
Mar 21, 2025 23:17:05.548962116 CET	49736	8848	192.168.2.4	147.185.221.27
Mar 21, 2025 23:17:13.568031073 CET	49737	8848	192.168.2.4	147.185.221.27
Mar 21, 2025 23:17:14.580302000 CET	49737	8848	192.168.2.4	147.185.221.27
Mar 21, 2025 23:17:16.595959902 CET	49737	8848	192.168.2.4	147.185.221.27
Mar 21, 2025 23:17:20.611649990 CET	49737	8848	192.168.2.4	147.185.221.27
Mar 21, 2025 23:17:28.627464056 CET	49737	8848	192.168.2.4	147.185.221.27
Mar 21, 2025 23:17:36.662070990 CET	49738	8848	192.168.2.4	147.185.221.27
Mar 21, 2025 23:17:37.674297094 CET	49738	8848	192.168.2.4	147.185.221.27
Mar 21, 2025 23:17:39.690851927 CET	49738	8848	192.168.2.4	147.185.221.27
Mar 21, 2025 23:17:43.690064907 CET	49738	8848	192.168.2.4	147.185.221.27
Mar 21, 2025 23:17:51.705717087 CET	49738	8848	192.168.2.4	147.185.221.27
Mar 21, 2025 23:17:59.738735914 CET	49739	8848	192.168.2.4	147.185.221.27
Mar 21, 2025 23:18:00.752690077 CET	49739	8848	192.168.2.4	147.185.221.27
Mar 21, 2025 23:18:02.752710104 CET	49739	8848	192.168.2.4	147.185.221.27
Mar 21, 2025 23:18:06.752754927 CET	49739	8848	192.168.2.4	147.185.221.27
Mar 21, 2025 23:18:14.752857924 CET	49739	8848	192.168.2.4	147.185.221.27
Mar 21, 2025 23:18:22.772342920 CET	49740	8848	192.168.2.4	147.185.221.27
Mar 21, 2025 23:18:23.784177065 CET	49740	8848	192.168.2.4	147.185.221.27
Mar 21, 2025 23:18:25.799796104 CET	49740	8848	192.168.2.4	147.185.221.27
Mar 21, 2025 23:18:29.815469980 CET	49740	8848	192.168.2.4	147.185.221.27
Mar 21, 2025 23:18:37.832345963 CET	49740	8848	192.168.2.4	147.185.221.27
Mar 21, 2025 23:18:45.864136934 CET	49741	8848	192.168.2.4	147.185.221.27
Mar 21, 2025 23:18:46.878217936 CET	49741	8848	192.168.2.4	147.185.221.27
Mar 21, 2025 23:18:48.878302097 CET	49741	8848	192.168.2.4	147.185.221.27
Mar 21, 2025 23:18:52.893821001 CET	49741	8848	192.168.2.4	147.185.221.27

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 21, 2025 23:14:55.017972946 CET	54534	53	192.168.2.4	1.1.1.1
Mar 21, 2025 23:14:55.198551893 CET	53	54534	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 21, 2025 23:14:55.017972946 CET	192.168.2.4	1.1.1.1	0x6175	Standard query (0)	size-ingredients.gl.at.ply.gg	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 21, 2025 23:14:55.198551893 CET	1.1.1.1	192.168.2.4	0x6175	No error (0)	size-ingredients.gl.at.ply.gg		147.185.221.27	A (IP address)	IN (0x0001)	false

Statistics

CPU Usage

• 123123.exe.bin.exe

Click to jump to process

Memory Usage

• 123123.exe.bin.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry
• Network

Click to dive into process behavior distribution

Target ID:	0
Start time:	18:14:45
Start date:	21/03/2025
Path:	C:\Users\user\Desktop\123123.exe.bin.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\123123.exe.bin.exe"
Imagebase:	0x5f0000
File size:	55'808 bytes
MD5 hash:	F41B17E9AE4D3329D66D526BACF3C503
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000000.1175163455.00000000005F2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000000.00000000.1175163455.00000000005F2000.00000002.00000001.01000000.00000003.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000000.00000000.1175163455.00000000005F2000.00000002.00000001.01000000.00000003.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000000.00000000.1175163455.00000000005F2000.00000002.00000001.01000000.00000003.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	17.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	5.7%
Total number of Nodes:	105
Total number of Limit Nodes:	4

Executed Functions

Function 04DC0360 Relevance: 12.2, Strings: 9, Instructions: 932
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

2tl, xrefs: 04DC059E
2tl, xrefs: 04DC123D
:@Ml, xrefs: 04DC1078
:@Ml, xrefs: 04DC1034
:@Ml, xrefs: 04DC10BC
:@Ml, xrefs: 04DC119B
:@Ml, xrefs: 04DC0DBA
:@Ml, xrefs: 04DC0FF0
2tl, xrefs: 04DC0607

Memory Dump Source

Source File: 00000000.00000002.3642224196.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4dc0000_123123.jbxd

Similarity

API ID:
String ID: :@Ml$:@Ml$:@Ml$:@Ml$:@Ml$:@Ml$2tl$2tl$2tl
API String ID: 0-1714320386
Opcode ID: 13ae192d0343cd719e526d6989b6b9dacdd8d40f29276d1eaf3cfc97e81923a6
Instruction ID: 20cf8da99cb3c76370f9b63a55da8997e241fd89499d7547ac30d8dc16b5d745
Opcode Fuzzy Hash: 13ae192d0343cd719e526d6989b6b9dacdd8d40f29276d1eaf3cfc97e81923a6
Instruction Fuzzy Hash: 9A926A34A00244CFDB14EF74D994BADB7B2BF89308F1180A9D90AAB795DB31AD85CF54

Function 00CDB183 Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 00CDB203

Memory Dump Source

Source File: 00000000.00000002.3639165162.0000000000CDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cda000_123123.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 2b5d6e8563fde0430641510d3646c7c3d569eb7f0fc1dd8cb4c2f6c629c320c9
Instruction ID: 15964dc3aa8ea90c6f77fbb821ad80efc7a18f64ed90a3cce272c713c34a28c6
Opcode Fuzzy Hash: 2b5d6e8563fde0430641510d3646c7c3d569eb7f0fc1dd8cb4c2f6c629c320c9
Instruction Fuzzy Hash: 3121BF76509380AFEB228F25DC40B52BFF4AF06310F0984DAE9858B663D370A908CB61

Function 00CDB1BA Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 00CDB203

Memory Dump Source

Source File: 00000000.00000002.3639165162.0000000000CDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cda000_123123.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: ce9a8b3b8e8870b9d60b66fd522b2d4a3fbee2fccf58a71256cde189f7d467b1
Instruction ID: 6d203d0c1c0259b2e44318869776cf61ffa23774e87bbd1a68492c1c693bd670
Opcode Fuzzy Hash: ce9a8b3b8e8870b9d60b66fd522b2d4a3fbee2fccf58a71256cde189f7d467b1
Instruction Fuzzy Hash: 3A11A072904200DFEB20CF56D884B66FBE4EF08320F08C4AAEE498B751D331E904DB61

Function 00CDB4E8 Relevance: 1.6, APIs: 1, Instructions: 50nativeCOMMON

Download Yara Rule

APIs

NtSetInformationProcess.NTDLL ref: 00CDB545

Memory Dump Source

Source File: 00000000.00000002.3639165162.0000000000CDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cda000_123123.jbxd

Similarity

API ID: InformationProcess
String ID:
API String ID: 1801817001-0
Opcode ID: 708c5a7551191be334423678c8bc52e75e7b1bb57f1f3dedb96a7e66fda90985
Instruction ID: 8aa48660d3f2e13f8748ff90bad803e2bbbf244fc776f910c92e86d31f5cbcc0
Opcode Fuzzy Hash: 708c5a7551191be334423678c8bc52e75e7b1bb57f1f3dedb96a7e66fda90985
Instruction Fuzzy Hash: 9911A075408380AFDB228F11DC45F62FFB4EF06320F09C49AEE844B262D275A918CB62

Function 00CDB50A Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtSetInformationProcess.NTDLL ref: 00CDB545

Memory Dump Source

Source File: 00000000.00000002.3639165162.0000000000CDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cda000_123123.jbxd

Similarity

API ID: InformationProcess
String ID:
API String ID: 1801817001-0
Opcode ID: 670b1cc870be5071818659b9e54bf6d2feda992974697bd245dc2b26a6addd62
Instruction ID: 4d10303001f66e49c332938439d1419dfb3d7228fbc82fc6816a1f41d5d581d8
Opcode Fuzzy Hash: 670b1cc870be5071818659b9e54bf6d2feda992974697bd245dc2b26a6addd62
Instruction Fuzzy Hash: B3018F35804244DFEB20CF45E944B61FBE0EF04720F08C09ADE490B361E375A918DBA2

Function 04DC1550 Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 04DC1577

Memory Dump Source

Source File: 00000000.00000002.3642224196.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4dc0000_123123.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 5db53c7d327fddd9e372804783bfe3a3032e412b56109182be249495086e230f
Instruction ID: 1a4f5ecd7c34b8b6f3d94948b8ff65a033486b17b247889c20276e91d6f4d233
Opcode Fuzzy Hash: 5db53c7d327fddd9e372804783bfe3a3032e412b56109182be249495086e230f
Instruction Fuzzy Hash: FB418331A002118FCB14EF78C8946ADB7F2EF88208F198079D909DB39ADB349D41CBA5

Function 04DC1541 Relevance: 1.6, APIs: 1, Instructions: 109
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 04DC1577

Memory Dump Source

Source File: 00000000.00000002.3642224196.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4dc0000_123123.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 55131ab22fd7569f28237dddfb1702103bf905a008d956d09cb7dd35788ff27f
Instruction ID: e9218bd007e1a25379fe927519146830a1c50513b83960b2f05c088f18d9c2c3
Opcode Fuzzy Hash: 55131ab22fd7569f28237dddfb1702103bf905a008d956d09cb7dd35788ff27f
Instruction Fuzzy Hash: 77414E31A102558FDB14DF78C8986ADB7F2EF88204B198179D805DB39ADB34AD46CBA4

Function 04F002E6 Relevance: 1.6, APIs: 1, Instructions: 103
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 04F003A5

Memory Dump Source

Source File: 00000000.00000002.3642671624.0000000004F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f00000_123123.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ef3e8b16686f4a7c9daba611cb2ef76676a9aa0e452528aec215e1052361035c
Instruction ID: c10b8973021d7f72acb731e9dabcd3c37a11966eb8504ab25caf2a3058c8b856
Opcode Fuzzy Hash: ef3e8b16686f4a7c9daba611cb2ef76676a9aa0e452528aec215e1052361035c
Instruction Fuzzy Hash: 8631C571504380AFE722CF25DC45FA6BFF8EF46310F08889AE9848B292D775A509D771

Function 04F01A68 Relevance: 1.6, APIs: 1, Instructions: 100
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNELBASE(?,00000E24), ref: 04F01B25

Memory Dump Source

Source File: 00000000.00000002.3642671624.0000000004F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f00000_123123.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: df4aeb04d8472f9d44503211095dfa251ef8f8b7080df174ddcf4b76275890c3
Instruction ID: 3befc9c058f8e231d89107711f1ac99509b5a6bd0bb14d6d1043f65cb34aecea
Opcode Fuzzy Hash: df4aeb04d8472f9d44503211095dfa251ef8f8b7080df174ddcf4b76275890c3
Instruction Fuzzy Hash: D231AFB6504344AFEB228B61CC44F67BBECEF49710F08855AF989CB192E365E509CB71

Function 04F00853 Relevance: 1.6, APIs: 1, Instructions: 98
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 04F0091A

Memory Dump Source

Source File: 00000000.00000002.3642671624.0000000004F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f00000_123123.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 1312116bf29f9c717801d939df57ac1b2dde9624175ca82d945309828ad7ad63
Instruction ID: 1d62add5d918787e23a3530b4cfe9864a8cb86d323fa31cb5b9029bc0bac0707
Opcode Fuzzy Hash: 1312116bf29f9c717801d939df57ac1b2dde9624175ca82d945309828ad7ad63
Instruction Fuzzy Hash: 29318D6550E3C06FD3138B219C65B21BFB4EF47610B0E85CBD8848F6A3D619A909D7B2

Function 00CDA7C7 Relevance: 1.6, APIs: 1, Instructions: 95
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 00CDA879

Memory Dump Source

Source File: 00000000.00000002.3639165162.0000000000CDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cda000_123123.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: e90c62bb31693b96335a4a399ba3a5800b0dc571d14d9dcc5c7077fbe06b5757
Instruction ID: e3566241892a2c48cd0aea5606aa231f909933e8ad6e5e17e6795853d734e9f7
Opcode Fuzzy Hash: e90c62bb31693b96335a4a399ba3a5800b0dc571d14d9dcc5c7077fbe06b5757
Instruction Fuzzy Hash: 4E3187B64083846FE7228B51DC45FA7BFBCEF06314F05459BE985CB193D264A909C771

Function 04F01480 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32(?,00000E24), ref: 04F01547

Memory Dump Source

Source File: 00000000.00000002.3642671624.0000000004F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f00000_123123.jbxd

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: 70a0868584d75a898ada0e2ffe3ade2a9c60794fdfce781df73d8ff6a1226d16
Instruction ID: 2815114bc758df0c7ef6d21ee7657b7111bf714d9fc74883b6eb36378ef54234
Opcode Fuzzy Hash: 70a0868584d75a898ada0e2ffe3ade2a9c60794fdfce781df73d8ff6a1226d16
Instruction Fuzzy Hash: 9E31C4B1404344AFEB21CB50CC44FB6FBACEF44314F04489AFA499B191D375A909CB71

Function 04F01B6D Relevance: 1.6, APIs: 1, Instructions: 92
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FormatMessageW.KERNELBASE(?,00000E24,?,?), ref: 04F01C32

Memory Dump Source

Source File: 00000000.00000002.3642671624.0000000004F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f00000_123123.jbxd

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: d66eea0e5ceb124aa1b004050f42e0c1dd79ad537f528512e93923cd66934895
Instruction ID: 66c499bb30bd16e2110a5d181f6035f61cd2ef2c7490ed757442d1c623d0ab56
Opcode Fuzzy Hash: d66eea0e5ceb124aa1b004050f42e0c1dd79ad537f528512e93923cd66934895
Instruction Fuzzy Hash: 36318D7250D3C05FD7038B758C65B66BFB4AF47610F0A84CBD8848F2A3E624A909D7A2

Function 04F01378 Relevance: 1.6, APIs: 1, Instructions: 90
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessTimes.KERNELBASE(?,00000E24,FE28964E,00000000,00000000,00000000,00000000), ref: 04F01415

Memory Dump Source

Source File: 00000000.00000002.3642671624.0000000004F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f00000_123123.jbxd

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: a200ee72c30962a6616ec77d499e0ce61c16f48485fbda877e58cdbe660f5484
Instruction ID: 203647c104bf7d6542692da0da8b6f565a8a25b34c72b0339bae53f2f67fbbbd
Opcode Fuzzy Hash: a200ee72c30962a6616ec77d499e0ce61c16f48485fbda877e58cdbe660f5484
Instruction Fuzzy Hash: 2E3139764093805FEB228F21DC45F66BFB8EF46314F0984DFE9848B193D221A509C771

Function 00CDA612 Relevance: 1.6, APIs: 1, Instructions: 89
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 00CDA6B9

Memory Dump Source

Source File: 00000000.00000002.3639165162.0000000000CDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cda000_123123.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 8e8c072b6e26034eb3f74d4e009db519cea7a82f10b329c201ebaf235736193e
Instruction ID: 784bf4a920f8c6b23bc305f3404b81cd5c324f030372f4da80cd43e79a39ccd9
Opcode Fuzzy Hash: 8e8c072b6e26034eb3f74d4e009db519cea7a82f10b329c201ebaf235736193e
Instruction Fuzzy Hash: BC3193755093805FE712CB25CC85B96BFF8EF06310F09889AE944CF292D375E909C762

Function 04F00D6C Relevance: 1.6, APIs: 1, Instructions: 89
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 04F00E03

Memory Dump Source

Source File: 00000000.00000002.3642671624.0000000004F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f00000_123123.jbxd

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: 5ce2949fd15ef4fbe434b16e5e685ff11bb021f07a893e7d3a4daf0248b77ae7
Instruction ID: af49861c9d2531d012ae6f1fdd4c1de349c67f1ddb0e338db6535a91e627d87e
Opcode Fuzzy Hash: 5ce2949fd15ef4fbe434b16e5e685ff11bb021f07a893e7d3a4daf0248b77ae7
Instruction Fuzzy Hash: 9431B172508340AFEB21CF64DC45F67BBE8EF05310F09889AE944DB192D764A909CB61

Function 00CDA8C1 Relevance: 1.6, APIs: 1, Instructions: 86
windowtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendMessageTimeoutA.USER32(?,00000E24), ref: 00CDA97D

Memory Dump Source

Source File: 00000000.00000002.3639165162.0000000000CDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cda000_123123.jbxd

Similarity

API ID: MessageSendTimeout
String ID:
API String ID: 1599653421-0
Opcode ID: 7d6dad36338206cdcb2c0118a86b0860f84bab26c948c7d36edae3d6cf4bb09d
Instruction ID: b8b5966e2b91e09f0777349d67deed4578ab7a2b462a71c42925a17fc8682942
Opcode Fuzzy Hash: 7d6dad36338206cdcb2c0118a86b0860f84bab26c948c7d36edae3d6cf4bb09d
Instruction Fuzzy Hash: 9B31E871009784AFEB228F61CC45FA2FFB8EF06314F19849EEA854B193D375A508CB65

Function 00CDB3F0 Relevance: 1.6, APIs: 1, Instructions: 86COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNELBASE(?,00000E24,FE28964E,00000000,00000000,00000000,00000000), ref: 00CDB484

Memory Dump Source

Source File: 00000000.00000002.3639165162.0000000000CDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cda000_123123.jbxd

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: f1e00efa501b918da227e16f3f236c64628cf925dffb061da1ed086886bbaf26
Instruction ID: d4ec6d3d609726acfccc6c6f5f5bc2178607bbe0631b580257d98d3210211f67
Opcode Fuzzy Hash: f1e00efa501b918da227e16f3f236c64628cf925dffb061da1ed086886bbaf26
Instruction Fuzzy Hash: 0D21E7764097805FE7128B61DC45BA6BFB8DF07324F0984DBE988CF193D264A909CB61

Function 04F01A8A Relevance: 1.6, APIs: 1, Instructions: 86registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.KERNELBASE(?,00000E24), ref: 04F01B25

Memory Dump Source

Source File: 00000000.00000002.3642671624.0000000004F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f00000_123123.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: ee94ecb02753b3cd854877654dfea466cd246204a4aa0ee86073a7f0b9569f53
Instruction ID: 158903a6f04401bac1fc20ad3f0b4eae4094f9352f205bf876e55bcda4dd3064
Opcode Fuzzy Hash: ee94ecb02753b3cd854877654dfea466cd246204a4aa0ee86073a7f0b9569f53
Instruction Fuzzy Hash: 2221CEB6A00204AFEB21CF51CD44F67BBECEF08314F08851AEA45C7292E321E509DAB1

Function 00CDA361 Relevance: 1.6, APIs: 1, Instructions: 85registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,FE28964E,00000000,00000000,00000000,00000000), ref: 00CDA40C

Memory Dump Source

Source File: 00000000.00000002.3639165162.0000000000CDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cda000_123123.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 58d9cac42a638355c398d3558c8b2f2f10563b23c713d429046a252478aaf01a
Instruction ID: a5d4c4af567f6fa625ca124c700b313d2b76fbcd3ef566cad37b254bf181f39b
Opcode Fuzzy Hash: 58d9cac42a638355c398d3558c8b2f2f10563b23c713d429046a252478aaf01a
Instruction Fuzzy Hash: B23164755097449FE721CF11CC84F62BBF8EF05710F09859BE9458B292D364E949CB62

Function 04F014A2 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(?,00000E24), ref: 04F01547

Memory Dump Source

Source File: 00000000.00000002.3642671624.0000000004F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f00000_123123.jbxd

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: ed5dc9ffb7ca8c3e65e47e27c6447233df29c28a404c0ecf932b17da8154f041
Instruction ID: b84390c4c9b19f86887769a85912f925f365af7a8d8d8589e6953d8146b80a0b
Opcode Fuzzy Hash: ed5dc9ffb7ca8c3e65e47e27c6447233df29c28a404c0ecf932b17da8154f041
Instruction Fuzzy Hash: 9321BFB2504204AEFB30DF50CD85FB6F7ACEF44314F14885AEA499B281E7B5E5498BB1

Function 04F0170E Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

GetProcessWorkingSetSize.KERNEL32(?,00000E24,FE28964E,00000000,00000000,00000000,00000000), ref: 04F017A3

Memory Dump Source

Source File: 00000000.00000002.3642671624.0000000004F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f00000_123123.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: 950ffeb1d86b832730101366b708d0daa774dcd09434fe502249d5a4494acff4
Instruction ID: 44cc7bbfa0d606ae3b6b79c4f2199e43e2bd269f454f7bb21980aa59edb971b5
Opcode Fuzzy Hash: 950ffeb1d86b832730101366b708d0daa774dcd09434fe502249d5a4494acff4
Instruction Fuzzy Hash: 1B21D3764093C06FEB22CB61DC55BA6BFF8EF47314F0984DAE9848F193D624A908C765

Function 04F003FC Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E24,FE28964E,00000000,00000000,00000000,00000000), ref: 04F00491

Memory Dump Source

Source File: 00000000.00000002.3642671624.0000000004F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f00000_123123.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: c07286393bdcd96b8d08e49cfda8d00b2a7be3e257d77ca903e3b4f325a10f14
Instruction ID: cd45b8c02d1cc65f7f58f8930db4340170a42a3ef37094265b79fcb47746d02d
Opcode Fuzzy Hash: c07286393bdcd96b8d08e49cfda8d00b2a7be3e257d77ca903e3b4f325a10f14
Instruction Fuzzy Hash: 62213A754097806FE7128F21DC45BA2BFBCDF47320F0984DAE9848B193D264A909C7B5

Function 00CDA462 Relevance: 1.6, APIs: 1, Instructions: 77registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E24,FE28964E,00000000,00000000,00000000,00000000), ref: 00CDA4F8

Memory Dump Source

Source File: 00000000.00000002.3639165162.0000000000CDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cda000_123123.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 116027bde13e230464a4786ae20629f615582800662fd3f24c1f15a1889e93ff
Instruction ID: 8d388f22bb747a551ca7bee872bf176e86fdd626dd894d3a7602d7ee7aa97b4c
Opcode Fuzzy Hash: 116027bde13e230464a4786ae20629f615582800662fd3f24c1f15a1889e93ff
Instruction Fuzzy Hash: 162192765087806FEB228F11DC44F67BFB8DF46310F08849AE985CB292D364E948C772

Function 04F00946 Relevance: 1.6, APIs: 1, Instructions: 77networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 04F009D2

Memory Dump Source

Source File: 00000000.00000002.3642671624.0000000004F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f00000_123123.jbxd

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 6c95f5d86aeb82e46a64de6e87c50747362b3e1f70106707245e73a2ea9486e4
Instruction ID: cd5ac194f6e439e4fb47c3d19240e994ce5c3af8aa48c8013332574fbcc13b03
Opcode Fuzzy Hash: 6c95f5d86aeb82e46a64de6e87c50747362b3e1f70106707245e73a2ea9486e4
Instruction Fuzzy Hash: 74217171409380AFE721CF55DC45FA6FFF8EF05310F04889AE9858B292D375A509CB62

Function 04F00F22 Relevance: 1.6, APIs: 1, Instructions: 77fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 04F00FB6

Memory Dump Source

Source File: 00000000.00000002.3642671624.0000000004F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f00000_123123.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: fa75a68cb1924ede5cd4289f9b9bd295d118aefd3e7f844211edb086b0701c24
Instruction ID: e64f5e094a4158333b7600ab564bc03b41c3af186f5fbe7e626edc4029d22083
Opcode Fuzzy Hash: fa75a68cb1924ede5cd4289f9b9bd295d118aefd3e7f844211edb086b0701c24
Instruction Fuzzy Hash: 5F218275409340AFE722CF55DC45F66FBF8EF09314F04849EE9858B192D365A508CB61

Function 04F00C7A Relevance: 1.6, APIs: 1, Instructions: 76registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,FE28964E,00000000,00000000,00000000,00000000), ref: 04F00D18

Memory Dump Source

Source File: 00000000.00000002.3642671624.0000000004F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f00000_123123.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: b4ac478b1352357c58450eb98c3915ba6b90c26afec4182ab2ea4fbe46f1f4db
Instruction ID: e7d00c309306e9d490cfcdfa411620001411a506bc3c7c7bcd6e0963e7e58fe9
Opcode Fuzzy Hash: b4ac478b1352357c58450eb98c3915ba6b90c26afec4182ab2ea4fbe46f1f4db
Instruction Fuzzy Hash: A921AE76509380AFE722CF11DC44F67BBF8EF45310F08849AE9899B292D725E908CB71

Function 04F00326 Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 04F003A5

Memory Dump Source

Source File: 00000000.00000002.3642671624.0000000004F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f00000_123123.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 6c33bf1c16ab5327d9c81ed3611890226ecdaa2b6732e9aa505f438c08218dc7
Instruction ID: 54211a5196fc72d559ef53b61d87b15812df43b56c08e553bbb1064961abb3f7
Opcode Fuzzy Hash: 6c33bf1c16ab5327d9c81ed3611890226ecdaa2b6732e9aa505f438c08218dc7
Instruction Fuzzy Hash: 89219075904240AFEB21CF65DD85F66FBE8EF08310F048869EA458B291E771F505DB71

Function 04F00D92 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 04F00E03

Memory Dump Source

Source File: 00000000.00000002.3642671624.0000000004F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f00000_123123.jbxd

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: a0a6651042e5801aeba1fba961398effa1e6a3036bbd62a6c865918e82298a70
Instruction ID: 945a4ea3c85845c45c685e592008623d3bf37cfd50428f9f94406abd922a214c
Opcode Fuzzy Hash: a0a6651042e5801aeba1fba961398effa1e6a3036bbd62a6c865918e82298a70
Instruction Fuzzy Hash: 7521D476A04204AFEB20DF25DC45F6ABBECEF44710F04C86AEA05DB281DB74E5058AB1

Function 00CDA7FA Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 00CDA879

Memory Dump Source

Source File: 00000000.00000002.3639165162.0000000000CDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cda000_123123.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: ef910a4efa2f1790c861f526bf8db67fc13423b77d1d04327c61748d40b3544f
Instruction ID: 20f15b7c094c7278fc58ac1e485a7cafff0a7d1d4a4edd969564588823abe02e
Opcode Fuzzy Hash: ef910a4efa2f1790c861f526bf8db67fc13423b77d1d04327c61748d40b3544f
Instruction Fuzzy Hash: A1219F76504204AEFB219A51DC44FABFBECEF04314F14885AEE458B291D774E5098AB6

Function 04F0180B Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetProcessWorkingSetSize.KERNEL32(?,00000E24,FE28964E,00000000,00000000,00000000,00000000), ref: 04F01887

Memory Dump Source

Source File: 00000000.00000002.3642671624.0000000004F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f00000_123123.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: 9cf5ca803686b54b7bdbddb737a341170cd5ec8791cc20845d6e49c189c38b7f
Instruction ID: 05b278b435ac0d240d08d0374b9bbd43e1963e90ad98ab2daec9346277356a0a
Opcode Fuzzy Hash: 9cf5ca803686b54b7bdbddb737a341170cd5ec8791cc20845d6e49c189c38b7f
Instruction Fuzzy Hash: AD21C2754093846FEB22CF51CC49F66BFA8EF45310F08C49AE9488B192D374A508CBA5

Function 00CDA646 Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 00CDA6B9

Memory Dump Source

Source File: 00000000.00000002.3639165162.0000000000CDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cda000_123123.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 061a22577b2e35b719eb2814016dfc08f40e785f762cf77aaca9fce18578877d
Instruction ID: a828396cb8ac0d7aadd583bab79d22871598d6fb346a9823733d5c9d82b74a49
Opcode Fuzzy Hash: 061a22577b2e35b719eb2814016dfc08f40e785f762cf77aaca9fce18578877d
Instruction Fuzzy Hash: 6321A7755042409FF720CF25CD45B66F7E8EF04314F19886AEA458F381D775E905CA76

Function 00CDAF6F Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 00CDAFE6

Memory Dump Source

Source File: 00000000.00000002.3639165162.0000000000CDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cda000_123123.jbxd

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 4395a9eb302d98e0f683034f7a5020e38ba0930c9e70c9edecd5a779135caed5
Instruction ID: bdf6a71ca2a7a558592c42bac3c02551c67d469f72f71a87bce77a66fe9fe61b
Opcode Fuzzy Hash: 4395a9eb302d98e0f683034f7a5020e38ba0930c9e70c9edecd5a779135caed5
Instruction Fuzzy Hash: E52184B15083805FEB228F65DC54B63BFF8EF06210F1884DAED85CB252D265E908D761

Function 04F006DE Relevance: 1.6, APIs: 1, Instructions: 70fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,00000E24,FE28964E,00000000,00000000,00000000,00000000), ref: 04F0075D

Memory Dump Source

Source File: 00000000.00000002.3642671624.0000000004F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f00000_123123.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: bfc78c5ab334762e9e600b2e72b925e9412e5bd7f0227505453cccacfaf7bd50
Instruction ID: 97544b98c81a6e32044cbaa93aebe0459ddb35183fc64d482c5334ee1ef035a5
Opcode Fuzzy Hash: bfc78c5ab334762e9e600b2e72b925e9412e5bd7f0227505453cccacfaf7bd50
Instruction Fuzzy Hash: C321A476409380AFEB22CF51DC44F67FFB8EF45310F08889AE9458B192D234A508CBB5

Function 00CDA392 Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,FE28964E,00000000,00000000,00000000,00000000), ref: 00CDA40C

Memory Dump Source

Source File: 00000000.00000002.3639165162.0000000000CDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cda000_123123.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 9f396942504a4bb6a2298e8c50030e091f20095b6fde022d0fb3ec32413418cc
Instruction ID: 5cf592bda190ff4fcc6d4534ad7684c72e690636b022425a73238576567876ba
Opcode Fuzzy Hash: 9f396942504a4bb6a2298e8c50030e091f20095b6fde022d0fb3ec32413418cc
Instruction Fuzzy Hash: 16219075504604AFEB20CF15CC84F66F7ECEF04710F14845AEA458B391D7A0EA05CAB6

Function 04F00966 Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 04F009D2

Memory Dump Source

Source File: 00000000.00000002.3642671624.0000000004F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f00000_123123.jbxd

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: a688fb7f074ee97e24674c8d93ded8c6bd69236680e5d6d5e7ad5e5cd358ebb5
Instruction ID: 64e11b51dc8f3dbb0e8b020c97a5cb86b774671140976dd22b99ed111608d6ff
Opcode Fuzzy Hash: a688fb7f074ee97e24674c8d93ded8c6bd69236680e5d6d5e7ad5e5cd358ebb5
Instruction Fuzzy Hash: 7521AE71904200AFEB21CF55DC45FA6FBE8EF08324F04C86AEA458B292D775A505DBB2

Function 04F01652 Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 04F016CE

Memory Dump Source

Source File: 00000000.00000002.3642671624.0000000004F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f00000_123123.jbxd

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: 92a63fe5d3eda720bf28a777b84bcbde622ec1a56bde401b27d908d0074b54dd
Instruction ID: db9e7d3af286064d1fc7328740d28e3cc838b1a4fb562e983e743b7e80244965
Opcode Fuzzy Hash: 92a63fe5d3eda720bf28a777b84bcbde622ec1a56bde401b27d908d0074b54dd
Instruction Fuzzy Hash: C0219275408380AFDB228F51DD44B52BFF4EF46310F0884DAE9858B2A3D335A819DB61

Function 04F00F42 Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 04F00FB6

Memory Dump Source

Source File: 00000000.00000002.3642671624.0000000004F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f00000_123123.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: c140fffff09f868a5e66a5c805ad23e31cc0765f2e023ed931b8156897f70a0a
Instruction ID: 90d3f74fdd381f2cff712660fa34160ef3d519526a3f70c47733999b236865d5
Opcode Fuzzy Hash: c140fffff09f868a5e66a5c805ad23e31cc0765f2e023ed931b8156897f70a0a
Instruction Fuzzy Hash: 7421AE75508200AFEB21CF15DC49FA6FBE8EF08324F04C85AEA458B291D775F509DBA2

Function 00CDA902 Relevance: 1.6, APIs: 1, Instructions: 66windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutA.USER32(?,00000E24), ref: 00CDA97D

Memory Dump Source

Source File: 00000000.00000002.3639165162.0000000000CDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cda000_123123.jbxd

Similarity

API ID: MessageSendTimeout
String ID:
API String ID: 1599653421-0
Opcode ID: 494d762a01338bba4c97366e997ac45979c9872c3070e7775244b6f1a359416f
Instruction ID: 5a2e06db9f88cf3e8493f5225aae0039be4d55ad68f5af893164396b0b98b42d
Opcode Fuzzy Hash: 494d762a01338bba4c97366e997ac45979c9872c3070e7775244b6f1a359416f
Instruction Fuzzy Hash: B121B175404600AFEB318F51DC45F66FBA8EF04710F14885AEE454B291D375E508DBB6

Function 00CDA486 Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E24,FE28964E,00000000,00000000,00000000,00000000), ref: 00CDA4F8

Memory Dump Source

Source File: 00000000.00000002.3639165162.0000000000CDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cda000_123123.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 830b0c26a7542b7109b78f87058df27281108493a50db980b18067a88bf7c47c
Instruction ID: 0b377ce5295c955d9726bdce2d017d9ede2a52657f528519267541d7acffc382
Opcode Fuzzy Hash: 830b0c26a7542b7109b78f87058df27281108493a50db980b18067a88bf7c47c
Instruction Fuzzy Hash: 6A11BE76504600AFEB218E11DC45F67FBECEF04714F04845AEE458B391E760E904CAB6

Function 04F00CA6 Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,FE28964E,00000000,00000000,00000000,00000000), ref: 04F00D18

Memory Dump Source

Source File: 00000000.00000002.3642671624.0000000004F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f00000_123123.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 4f63d39754051e0415587d09266bf6361d99727db30bb42e74722b3aa2ee8ad2
Instruction ID: c7c1b370b95d77d003892fb6e3caba7c55f03448c8e88815c0a25467a81e7fbf
Opcode Fuzzy Hash: 4f63d39754051e0415587d09266bf6361d99727db30bb42e74722b3aa2ee8ad2
Instruction Fuzzy Hash: 3011AC76A04204AFEB21CF11DC44FA6FBE8EF44714F08C45AEA458B291DB60F545DAB2

Function 04F013B6 Relevance: 1.6, APIs: 1, Instructions: 64timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E24,FE28964E,00000000,00000000,00000000,00000000), ref: 04F01415

Memory Dump Source

Source File: 00000000.00000002.3642671624.0000000004F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f00000_123123.jbxd

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 60b0772957a35f1101b469b9825bbf946629d50559686716aa2906d318254bf1
Instruction ID: e81385e1d7f0708d9e19042c7e3aa9a063bd85964c867487482d3854fefe6550
Opcode Fuzzy Hash: 60b0772957a35f1101b469b9825bbf946629d50559686716aa2906d318254bf1
Instruction Fuzzy Hash: 7E112276504200AFEB21CF11CD44FABFBE8EF44724F04C86AEA098B291D731A405DBB2

Function 04F0174A Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

GetProcessWorkingSetSize.KERNEL32(?,00000E24,FE28964E,00000000,00000000,00000000,00000000), ref: 04F017A3

Memory Dump Source

Source File: 00000000.00000002.3642671624.0000000004F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f00000_123123.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: 159180832f500590565e46561d2c7c5de10aec4d8b23407595232c6692379512
Instruction ID: cdf247d48dacb7f07a45cb38ad3809319209b2048b8cb0c0060f414c3f0c1090
Opcode Fuzzy Hash: 159180832f500590565e46561d2c7c5de10aec4d8b23407595232c6692379512
Instruction Fuzzy Hash: 4011C176904200AFEB21CF55DD85BAAF7E8EF44324F04C46AEE058B281D775A504DBB6

Function 04F0182E Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

SetProcessWorkingSetSize.KERNEL32(?,00000E24,FE28964E,00000000,00000000,00000000,00000000), ref: 04F01887

Memory Dump Source

Source File: 00000000.00000002.3642671624.0000000004F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f00000_123123.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: 159180832f500590565e46561d2c7c5de10aec4d8b23407595232c6692379512
Instruction ID: 88eeb43f5b5a13f5e1bf15ba8389100d114f573ca64f0cd23f9cef15f6d781d6
Opcode Fuzzy Hash: 159180832f500590565e46561d2c7c5de10aec4d8b23407595232c6692379512
Instruction Fuzzy Hash: 64110176904200AFFB20CF51CD45BAAF7E8EF44324F04C86AEE09CB281D771A5048BB6

Function 00CDB42E Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNELBASE(?,00000E24,FE28964E,00000000,00000000,00000000,00000000), ref: 00CDB484

Memory Dump Source

Source File: 00000000.00000002.3639165162.0000000000CDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cda000_123123.jbxd

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: b17f1d4cbd77144616e2a192311bbeb1cb2a8c6062ab3cec25e2502390f556aa
Instruction ID: f06e8760eaa4314d187ecd8d8dda9d5eec6a1077939e93ab697dda3dc29e898a
Opcode Fuzzy Hash: b17f1d4cbd77144616e2a192311bbeb1cb2a8c6062ab3cec25e2502390f556aa
Instruction Fuzzy Hash: C811C175504204AFEB20CB15DC85BAAB7A8DF04724F14886AEE498B282D774A904CAA5

Function 04F006FE Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,00000E24,FE28964E,00000000,00000000,00000000,00000000), ref: 04F0075D

Memory Dump Source

Source File: 00000000.00000002.3642671624.0000000004F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f00000_123123.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 3e995a53fc562f8c10622d543e8366e35c8ea885fadeefa7722df87e5e8ef16d
Instruction ID: 3466748b67cf6c9de486c5d10ffe05c9313cf716a4793784e02abfc44b5a1967
Opcode Fuzzy Hash: 3e995a53fc562f8c10622d543e8366e35c8ea885fadeefa7722df87e5e8ef16d
Instruction Fuzzy Hash: 7911C476504200AFEB21CF51DC44FA6FBE8EF44324F04C85AEE458B291D774A505DBB5

Function 00CDBA20 Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00CDBA86

Memory Dump Source

Source File: 00000000.00000002.3639165162.0000000000CDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cda000_123123.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: dbf6da507c466873840f5e2ca893da24246e37bb0bdd64876b1712060833316e
Instruction ID: 1420d44309fb8f3e416515dc7c2e20e98b00b2ab99013681645d8699cc625d78
Opcode Fuzzy Hash: dbf6da507c466873840f5e2ca893da24246e37bb0bdd64876b1712060833316e
Instruction Fuzzy Hash: E61196314083809FDB218F55DD44B52FFF4EF09310F09849EE9898B262D375A918DB61

Function 00CDA2D2 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 00CDA330

Memory Dump Source

Source File: 00000000.00000002.3639165162.0000000000CDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cda000_123123.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 696a4b5bf078686d5a4fb646f2009f255da5862cff09ea494ded4649a7252def
Instruction ID: 6e612c9cbe47018d8f8564a8a0527472181eed1ea5121d32c7858fb6be4366c1
Opcode Fuzzy Hash: 696a4b5bf078686d5a4fb646f2009f255da5862cff09ea494ded4649a7252def
Instruction Fuzzy Hash: FF1151754093C46FEB228B15DD44B62BFA4EF47624F0980DBED848B263D265A908DB62

Function 00CDAF9E Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 00CDAFE6

Memory Dump Source

Source File: 00000000.00000002.3639165162.0000000000CDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cda000_123123.jbxd

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: b99ad4beb406081f856eb35c990ebb63ec74467e485b6e9a33ade6af765dfa00
Instruction ID: 714ed3b07d1eca63c2adc07898ff61ddb9d1fc9de53691fe4989fa32145291cc
Opcode Fuzzy Hash: b99ad4beb406081f856eb35c990ebb63ec74467e485b6e9a33ade6af765dfa00
Instruction Fuzzy Hash: 721182B19042409FEB20CF56D885B66FBE8EF04320F08C4AADE19CB341D770E904CA62

Function 04F0043E Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E24,FE28964E,00000000,00000000,00000000,00000000), ref: 04F00491

Memory Dump Source

Source File: 00000000.00000002.3642671624.0000000004F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f00000_123123.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: d4699d19f68d4030c747a3619b46f63faf5c7b2d74bef097eb0c07beaa1250db
Instruction ID: d63515a457cf421057b3f0690b1f744c1edd7f9e313ed70f45930ef2631bfd4f
Opcode Fuzzy Hash: d4699d19f68d4030c747a3619b46f63faf5c7b2d74bef097eb0c07beaa1250db
Instruction Fuzzy Hash: 3501C479904204AEE720CF11DC45FA6F798DF44724F14C49AEE048B282D774A5448ABA

Function 00CDB8B4 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 00CDB908

Memory Dump Source

Source File: 00000000.00000002.3639165162.0000000000CDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cda000_123123.jbxd

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: feb9cfbb5caed15ec05c5a5aae3c0420a52e6810cf5156ed91f3095962a9c5bf
Instruction ID: 44495297d530f991983749edc1933f60ac792cb0bac83b587b9d7d3e0f96230b
Opcode Fuzzy Hash: feb9cfbb5caed15ec05c5a5aae3c0420a52e6810cf5156ed91f3095962a9c5bf
Instruction Fuzzy Hash: 2E118E714083809FDB21CF15DD84B56BFB4EF46220F09849AED889F396D275A908CBA2

Function 04F01682 Relevance: 1.5, APIs: 1, Instructions: 49networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 04F016CE

Memory Dump Source

Source File: 00000000.00000002.3642671624.0000000004F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f00000_123123.jbxd

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: b277a2e22e738a74a30f15e0ade907adb0c6d2facf693a4404933c6654617981
Instruction ID: 82a133beabde4f85d2073860749783aa57811f0e5588e42b8943142fd8957418
Opcode Fuzzy Hash: b277a2e22e738a74a30f15e0ade907adb0c6d2facf693a4404933c6654617981
Instruction Fuzzy Hash: 68119E319042009FDB21CF55CD44B52FBE4EF48310F08C49ADD458B2A1D332E404EBA1

Function 04F01BE2 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNELBASE(?,00000E24,?,?), ref: 04F01C32

Memory Dump Source

Source File: 00000000.00000002.3642671624.0000000004F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f00000_123123.jbxd

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: 727892d6b8d7a13e9dac043867eb5b50b8ba08613e559fa03f9fe93459d128fe
Instruction ID: ef1ffec9dd413e75da8afdd6334ba1cfdbe2cb6ae5c96f2951277ccf79169906
Opcode Fuzzy Hash: 727892d6b8d7a13e9dac043867eb5b50b8ba08613e559fa03f9fe93459d128fe
Instruction Fuzzy Hash: 8901BC72900200AFD310DF16DC86B26FBE8EB88A20F14856AED089B741E731B915CBE1

Function 00CDBA42 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00CDBA86

Memory Dump Source

Source File: 00000000.00000002.3639165162.0000000000CDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cda000_123123.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 0dedec9113b93a70ddf3afe9a963179101a83f72b1c3db5b1cd8efc3a1d490cc
Instruction ID: 3d42bddbd6db7dfdf5aea2b363e74615afdb5822aaf7ab46ac33a537c58f6275
Opcode Fuzzy Hash: 0dedec9113b93a70ddf3afe9a963179101a83f72b1c3db5b1cd8efc3a1d490cc
Instruction Fuzzy Hash: D8016D31804640DFDB218F95D944B66FBE0EF08320F08C89ADE494B751D376A914EFA2

Function 04F008CA Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 04F0091A

Memory Dump Source

Source File: 00000000.00000002.3642671624.0000000004F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f00000_123123.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 11fc9f070b7c6ef0b1329d9aad74c62f14473e84917b285715545211e39d339c
Instruction ID: f9e3efa8b6f67e8f8b2e14f295ad5b1959f7f0a1e27ebb9107222056e956d8b6
Opcode Fuzzy Hash: 11fc9f070b7c6ef0b1329d9aad74c62f14473e84917b285715545211e39d339c
Instruction Fuzzy Hash: 5A01A271540200AFD210DF16DC46B26FBE8FB88A20F14815AED085B781D771F915CBE5

Function 00CDB8D6 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 00CDB908

Memory Dump Source

Source File: 00000000.00000002.3639165162.0000000000CDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cda000_123123.jbxd

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: 98a108a82e6c4c9c3479005be6b5bbfe51b00d2e2ad18d6d257b370a39d76216
Instruction ID: 81f9322dba4bba49438ba7302464955608ed4f3563dc9f35fc34c5a1bad0f4d4
Opcode Fuzzy Hash: 98a108a82e6c4c9c3479005be6b5bbfe51b00d2e2ad18d6d257b370a39d76216
Instruction Fuzzy Hash: E7018B70804284DFEB20CF16D985766FBE4EF05320F19C4ABDE498F356D375A904CAA2

Function 00CDA2FE Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 00CDA330

Memory Dump Source

Source File: 00000000.00000002.3639165162.0000000000CDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cda000_123123.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 04c0233aac9367dc50262a8ab47c0896939bcd6abedc350fc5db9e656089484b
Instruction ID: 7a30bc93312048a41da18df1ee5a7bbf9513b5994d516cd70f442bc6be92dcf4
Opcode Fuzzy Hash: 04c0233aac9367dc50262a8ab47c0896939bcd6abedc350fc5db9e656089484b
Instruction Fuzzy Hash: 3BF081348082449FEB208F06D984765FBE0EF04320F18C49ADE494F3A2D275E544CAA2

Function 00CDA710 Relevance: 1.3, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 00CDA780

Memory Dump Source

Source File: 00000000.00000002.3639165162.0000000000CDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cda000_123123.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 20cc5dc0d962395f327bac85d3bc53d68d8cfa8ea2510d91b6646f2e4c387712
Instruction ID: 9a3b4d024ea6c2b38e575d13ebf2f0e76b3a765c35809b59e0d2d519d4d7c198
Opcode Fuzzy Hash: 20cc5dc0d962395f327bac85d3bc53d68d8cfa8ea2510d91b6646f2e4c387712
Instruction Fuzzy Hash: 492127B54083809FDB128F25DD85751BFB4EF02320F0A80EBDD448F293D2359909CBA2

Function 00CDB250 Relevance: 1.3, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 00CDB2BC

Memory Dump Source

Source File: 00000000.00000002.3639165162.0000000000CDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cda000_123123.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 06f2bd8a02ffc803ae42da6cdda8c2a8dc30df9432c2961707bc9cde84c45127
Instruction ID: e76dd822b7b07395e0392f6aa84578ba7ca82f959e65e5f65f088c8215405d5d
Opcode Fuzzy Hash: 06f2bd8a02ffc803ae42da6cdda8c2a8dc30df9432c2961707bc9cde84c45127
Instruction Fuzzy Hash: 1721A1725093C05FDB128B25DD55B92BFF4AF07324F0984DBE9858F663D264A908CB61

Function 00CDA74E Relevance: 1.3, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 00CDA780

Memory Dump Source

Source File: 00000000.00000002.3639165162.0000000000CDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cda000_123123.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 34db688ee61e2bdfe0df32318d8edd05db5b25825692a56fb8f2892357cf0ac5
Instruction ID: f0337d885ba3eb44181574b0251c12e8b59a3f747562af1e4d317f26385c1363
Opcode Fuzzy Hash: 34db688ee61e2bdfe0df32318d8edd05db5b25825692a56fb8f2892357cf0ac5
Instruction Fuzzy Hash: 0901DF759042409FEB208F16D985766FBE4DF04320F09C4ABDE098F392D374E904CAA2

Function 00CDB28A Relevance: 1.3, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 00CDB2BC

Memory Dump Source

Source File: 00000000.00000002.3639165162.0000000000CDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cda000_123123.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 3d32bb828a6ba96eea53a64d873eb003cd47db15e984bebb22716b20a947df8b
Instruction ID: f2ed139fbe4c58f8fb13b3a3b39484a5bc47f10c67503702ab7daa12e36a31f3
Opcode Fuzzy Hash: 3d32bb828a6ba96eea53a64d873eb003cd47db15e984bebb22716b20a947df8b
Instruction Fuzzy Hash: 4A01B1729042408FDB10CF1AD98575AFBE4DF04320F19C0ABDE098F755D774E904CAA2

Function 011A08CE Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3640098028.00000000011A0000.00000040.00000020.00020000.00000000.sdmp, Offset: 011A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11a0000_123123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a94fc43adadf05f1bbbeb8c0a583e0a847d87c42da538c7b5ef2c057c522965
Instruction ID: af726e30ad8b90d3408dcf958d06c9fa8b6298b6a421920f82216ce511b4abf8
Opcode Fuzzy Hash: 5a94fc43adadf05f1bbbeb8c0a583e0a847d87c42da538c7b5ef2c057c522965
Instruction Fuzzy Hash: 392178751093C08FD70BCB20C990B60BFA1EB4B318F1985DEE4884B6A3C33A9806DB91

Function 011A0904 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3640098028.00000000011A0000.00000040.00000020.00020000.00000000.sdmp, Offset: 011A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11a0000_123123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 073bd66a8b8fc9506783112c3b40120bda36a128d0c1c27c33711c7066fed18c
Instruction ID: 3a09a2a54fbab252442867a4482a5af1d8f3177db8a10278cf5f0acfd0cf9cd9
Opcode Fuzzy Hash: 073bd66a8b8fc9506783112c3b40120bda36a128d0c1c27c33711c7066fed18c
Instruction Fuzzy Hash: 0011A2342082449FE71ACB14C940B25BBD5AB8D708F64C99CE54D5B693D77B9813CA52

Function 011A05E0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3640098028.00000000011A0000.00000040.00000020.00020000.00000000.sdmp, Offset: 011A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11a0000_123123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04e90b143a217544f094b5dce47ef1b9b7b1519c70082a058cf72bb341f51c51
Instruction ID: 24bd0c780814f27ddee863cfbc0cf9cf7c15653de6d69aee5490f0f85963b71b
Opcode Fuzzy Hash: 04e90b143a217544f094b5dce47ef1b9b7b1519c70082a058cf72bb341f51c51
Instruction Fuzzy Hash: AD0186B650D7805FE7128B16AC40862FFA8DE86620709C49BE94D8B652D225A909C776

Function 011A09C0 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3640098028.00000000011A0000.00000040.00000020.00020000.00000000.sdmp, Offset: 011A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11a0000_123123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05cdb7f214e239aa91d766f391dffd0ca2371259be4fa2c6d7f0f99ca3569340
Instruction ID: 51421063100a8d1ac42800c133f6a8dd5692b118a1f22104b60cf804b60e2e46
Opcode Fuzzy Hash: 05cdb7f214e239aa91d766f391dffd0ca2371259be4fa2c6d7f0f99ca3569340
Instruction Fuzzy Hash: CBF01D35144644DFD306CF04D540B25FBA2EB8D718F24C6ADE94907762C737D813DA81

Function 011A0606 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3640098028.00000000011A0000.00000040.00000020.00020000.00000000.sdmp, Offset: 011A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11a0000_123123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79b90c4100108a779ed2ee11228d936c03507ce9f5818abd9118d7782829cae9
Instruction ID: f57b5f6893aa32a6a27b0f3b0016aa98bdcb0edd8b7c30a2c005ff362db131c6
Opcode Fuzzy Hash: 79b90c4100108a779ed2ee11228d936c03507ce9f5818abd9118d7782829cae9
Instruction Fuzzy Hash: BCE092B6A086044B9650CF0BED41452F7D8EB84630718C07FDC0D8B711E675B504CAA5

Function 00CD23F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3639127475.0000000000CD2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CD2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd2000_123123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7423e358c32fa064d4928488b3ae558763b29e9b214798063ae37003aa89dae
Instruction ID: 599457c41421cac6e7e38ce09fcfb5e1ae2c334e33086910c3530e46de66b23a
Opcode Fuzzy Hash: c7423e358c32fa064d4928488b3ae558763b29e9b214798063ae37003aa89dae
Instruction Fuzzy Hash: A6D05E792096814FE3179A1CC1A4B9937D4AB61714F4A44FBAC408B767C768DA81E600

Function 00CD23BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3639127475.0000000000CD2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CD2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd2000_123123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cb31ae7c1d05c0e1e4c9375e66aa7bff144c4e517dd4926a87186d774ecf90a
Instruction ID: b53ceb8c94883a2a0d6e417c4f58605a4a2ee9ef9fa6d0669654251351137084
Opcode Fuzzy Hash: 1cb31ae7c1d05c0e1e4c9375e66aa7bff144c4e517dd4926a87186d774ecf90a
Instruction Fuzzy Hash: C8D05E342042814BD715DA0CC2D4F5933D8AB90714F0A44E9AD208B376C7B8D9C0CA00

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 123123.exe.bin.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Njrat

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Operating System Destruction

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
123123.exe.bin.exe

Function 04DC0360 Relevance: 12.2, Strings: 9, Instructions: 932
COMMON