Edit tour

Windows Analysis Report
pisun.exe

Overview

General Information

Sample name:	pisun.exe
Analysis ID:	1646174
MD5:	45140e967970cd63521eaa76dc4db7d7
SHA1:	aae8aa4c5fb8e1d5a830f1f095d7550a89b7634a
SHA256:	3990ab6d73f0a92606cb4c86d39e077f014da65413a264be94d03ca8478e64b8
Tags:	exeNjratuser-BastianHein
Infos:

Detection

Njrat

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Njrat

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Contains functionality to log keystrokes (.Net Source)

Disables zone checking for all users

Joe Sandbox ML detected suspicious sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Yara signature match

Classification

Process Tree

System is w10x64

pisun.exe (PID: 6640 cmdline: "C:\Users\user\Desktop\pisun.exe" MD5: 45140E967970CD63521EAA76DC4DB7D7)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
NjRAT	RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives."It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.	AQUATIC PANDA Earth Lusca Operation C-Major The Gorgon Group	http://blog.trendmicro.com/trendlabs-security-intelligence/new-rats-emerge-from-leaked-njw0rm-source-code/ http://blogs.360.cn/post/analysis-of-apt-c-37.html http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered-1.pdf https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/ https://asec.ahnlab.com/1369	https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat

Malware Configuration

Threatname: Njrat

{
  "Host": "such-captain.gl.at.ply.gg",
  "Port": "7723",
  "Version": "<- NjRAT 0.7d Horror Edition ->",
  "Registry Name": "f9f7ecca9c9e7996304b914cc137e66d",
  "Campaign ID": "Victim",
  "Network Seprator": "Y262SUCZ4UJJ"
}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
pisun.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
pisun.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x933c:$a1: get_Registry 0xc344:$a2: SEE_MASK_NOZONECHECKS 0xb14e:$a3: Download ERROR 0xc59f:$a4: cmd.exe /c ping 0 -n 2 & del "
pisun.exe	RevengeRAT_Sep17	Detects RevengeRAT malware	Florian Roth	0xa4d5:$x3: 03C7F4E8FB359AEC0EEF0814B66A704FC43FB3A8
pisun.exe	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xc59f:$x1: cmd.exe /c ping 0 -n 2 & del " 0xafae:$s1: winmgmts:\\.\root\SecurityCenter2 0xb174:$s3: Executed As 0x9b5f:$s5: Stub.exe 0xb14e:$s6: Download ERROR 0xaf70:$s8: Select * From AntiVirusProduct
pisun.exe	Unknown_Malware_Sample_Jul17_2	Detects unknown malware sample with pastebin RAW URL	Florian Roth	0xcad5:$s1: 4System.Web.Services.Protocols.SoapHttpClientProtocol 0xadbc:$s2: https://pastebin.com/raw/ 0xce1f:$s3: My.Computer 0xcaaf:$s4: MyTemplate
pisun.exe	crimeware_njrat_strings	Detects njRAT based on some strings	Sekoia.io	0xc5b5:$: ping 0 0xa8f6:$: TiGeR-Firewall 0xa938:$: NetSnifferCs 0xa8e2:$: IPBlocker 0xa952:$: Sandboxie Control
pisun.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xc344:$a2: SEE_MASK_NOZONECHECKS 0xc627:$b1: [TAP] 0xc59f:$c3: cmd.exe /c ping
pisun.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xc344:$reg: SEE_MASK_NOZONECHECKS 0xb12a:$msg: Execute ERROR 0xb18e:$msg: Execute ERROR 0xc59f:$ping: cmd.exe /c ping 0 -n 2 & del
pisun.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xc59f:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb12a:$s4: Execute ERROR 0xb18e:$s4: Execute ERROR 0xb14e:$s5: Download ERROR 0xc5dd:$s6: [kl]
Click to see the 4 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000000.1269492282.00000000001D2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000001.00000000.1269492282.00000000001D2000.00000002.00000001.01000000.00000003.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x913c:$a1: get_Registry 0xc144:$a2: SEE_MASK_NOZONECHECKS 0xaf4e:$a3: Download ERROR 0xc39f:$a4: cmd.exe /c ping 0 -n 2 & del "
00000001.00000000.1269492282.00000000001D2000.00000002.00000001.01000000.00000003.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xc144:$a2: SEE_MASK_NOZONECHECKS 0xc427:$b1: [TAP] 0xc39f:$c3: cmd.exe /c ping
00000001.00000000.1269492282.00000000001D2000.00000002.00000001.01000000.00000003.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xc144:$reg: SEE_MASK_NOZONECHECKS 0xaf2a:$msg: Execute ERROR 0xaf8e:$msg: Execute ERROR 0xc39f:$ping: cmd.exe /c ping 0 -n 2 & del
Process Memory Space: pisun.exe PID: 6640	JoeSecurity_Njrat	Yara detected Njrat	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
1.0.pisun.exe.1d0000.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
1.0.pisun.exe.1d0000.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x933c:$a1: get_Registry 0xc344:$a2: SEE_MASK_NOZONECHECKS 0xb14e:$a3: Download ERROR 0xc59f:$a4: cmd.exe /c ping 0 -n 2 & del "
1.0.pisun.exe.1d0000.0.unpack	RevengeRAT_Sep17	Detects RevengeRAT malware	Florian Roth	0xa4d5:$x3: 03C7F4E8FB359AEC0EEF0814B66A704FC43FB3A8
1.0.pisun.exe.1d0000.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xc59f:$x1: cmd.exe /c ping 0 -n 2 & del " 0xafae:$s1: winmgmts:\\.\root\SecurityCenter2 0xb174:$s3: Executed As 0x9b5f:$s5: Stub.exe 0xb14e:$s6: Download ERROR 0xaf70:$s8: Select * From AntiVirusProduct
1.0.pisun.exe.1d0000.0.unpack	Unknown_Malware_Sample_Jul17_2	Detects unknown malware sample with pastebin RAW URL	Florian Roth	0xcad5:$s1: 4System.Web.Services.Protocols.SoapHttpClientProtocol 0xadbc:$s2: https://pastebin.com/raw/ 0xce1f:$s3: My.Computer 0xcaaf:$s4: MyTemplate
1.0.pisun.exe.1d0000.0.unpack	crimeware_njrat_strings	Detects njRAT based on some strings	Sekoia.io	0xc5b5:$: ping 0 0xa8f6:$: TiGeR-Firewall 0xa938:$: NetSnifferCs 0xa8e2:$: IPBlocker 0xa952:$: Sandboxie Control
1.0.pisun.exe.1d0000.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xc344:$a2: SEE_MASK_NOZONECHECKS 0xc627:$b1: [TAP] 0xc59f:$c3: cmd.exe /c ping
1.0.pisun.exe.1d0000.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xc344:$reg: SEE_MASK_NOZONECHECKS 0xb12a:$msg: Execute ERROR 0xb18e:$msg: Execute ERROR 0xc59f:$ping: cmd.exe /c ping 0 -n 2 & del
1.0.pisun.exe.1d0000.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xc59f:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb12a:$s4: Execute ERROR 0xb18e:$s4: Execute ERROR 0xb14e:$s5: Download ERROR 0xc5dd:$s6: [kl]
Click to see the 4 entries

Joe Sandbox Signatures

• AV Detection
• Compliance
• Networking
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• E-Banking Fraud
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection
• Lowering of HIPS / PFW / Operating System Security Settings
• Stealing of Sensitive Information
• Remote Access Functionality

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: pisun.exe

Avira: detected

Found malware configuration

Source: 1.0.pisun.exe.1d0000.0.unpack

Malware Configuration Extractor: Njrat {"Host": "such-captain.gl.at.ply.gg", "Port": "7723", "Version": "<- NjRAT 0.7d Horror Edition ->", "Registry Name": "f9f7ecca9c9e7996304b914cc137e66d", "Campaign ID": "Victim", "Network Seprator": "Y262SUCZ4UJJ"}

Multi AV Scanner detection for submitted file

Source: pisun.exe	ReversingLabs: Detection: 86%
Source: pisun.exe	Virustotal: Detection: 80%			Perma Link

Yara detected Njrat

Source: Yara match	File source: pisun.exe, type: SAMPLE
Source: Yara match	File source: 1.0.pisun.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.1269492282.00000000001D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: pisun.exe PID: 6640, type: MEMORYSTR

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: pisun.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\pisun.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: pisun.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: global traffic

TCP traffic: 192.168.2.5:49721 -> 147.185.221.27:7723

Source: Joe Sandbox View

IP Address: 147.185.221.27 147.185.221.27

Source: Joe Sandbox View

ASN Name: SALSGIVERUS SALSGIVERUS

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: such-captain.gl.at.ply.gg

Source: pisun.exe

String found in binary or memory: https://pastebin.com/raw/???

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: pisun.exe, kl.cs

.Net Code: VKCodeToUnicode

E-Banking Fraud

Yara detected Njrat

Source: Yara match	File source: pisun.exe, type: SAMPLE
Source: Yara match	File source: 1.0.pisun.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.1269492282.00000000001D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: pisun.exe PID: 6640, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: pisun.exe, type: SAMPLE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: pisun.exe, type: SAMPLE	Matched rule: Detects RevengeRAT malware Author: Florian Roth
Source: pisun.exe, type: SAMPLE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: pisun.exe, type: SAMPLE	Matched rule: Detects unknown malware sample with pastebin RAW URL Author: Florian Roth
Source: pisun.exe, type: SAMPLE	Matched rule: Detects njRAT based on some strings Author: Sekoia.io
Source: pisun.exe, type: SAMPLE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: pisun.exe, type: SAMPLE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: pisun.exe, type: SAMPLE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 1.0.pisun.exe.1d0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 1.0.pisun.exe.1d0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RevengeRAT malware Author: Florian Roth
Source: 1.0.pisun.exe.1d0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 1.0.pisun.exe.1d0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects unknown malware sample with pastebin RAW URL Author: Florian Roth
Source: 1.0.pisun.exe.1d0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects njRAT based on some strings Author: Sekoia.io
Source: 1.0.pisun.exe.1d0000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 1.0.pisun.exe.1d0000.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.pisun.exe.1d0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 00000001.00000000.1269492282.00000000001D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000001.00000000.1269492282.00000000001D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000001.00000000.1269492282.00000000001D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group

Source: C:\Users\user\Desktop\pisun.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\pisun.exe

Code function: 1_2_00CC0360

1_2_00CC0360

Source: pisun.exe, 00000001.00000002.3737489797.000000000060E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenamemscorwks.dllT vs pisun.exe

Source: pisun.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: pisun.exe, type: SAMPLE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: pisun.exe, type: SAMPLE	Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: pisun.exe, type: SAMPLE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: pisun.exe, type: SAMPLE	Matched rule: Unknown_Malware_Sample_Jul17_2 date = 2017-08-01, hash1 = 3530d480db082af1823a7eb236203aca24dc3685f08c301466909f0794508a52, author = Florian Roth, description = Detects unknown malware sample with pastebin RAW URL, reference = https://goo.gl/iqH8CK, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: pisun.exe, type: SAMPLE	Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
Source: pisun.exe, type: SAMPLE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: pisun.exe, type: SAMPLE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: pisun.exe, type: SAMPLE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 1.0.pisun.exe.1d0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 1.0.pisun.exe.1d0000.0.unpack, type: UNPACKEDPE	Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.0.pisun.exe.1d0000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.0.pisun.exe.1d0000.0.unpack, type: UNPACKEDPE	Matched rule: Unknown_Malware_Sample_Jul17_2 date = 2017-08-01, hash1 = 3530d480db082af1823a7eb236203aca24dc3685f08c301466909f0794508a52, author = Florian Roth, description = Detects unknown malware sample with pastebin RAW URL, reference = https://goo.gl/iqH8CK, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.0.pisun.exe.1d0000.0.unpack, type: UNPACKEDPE	Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
Source: 1.0.pisun.exe.1d0000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 1.0.pisun.exe.1d0000.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 1.0.pisun.exe.1d0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 00000001.00000000.1269492282.00000000001D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000001.00000000.1269492282.00000000001D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000001.00000000.1269492282.00000000001D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan

Source: classification engine

Classification label: mal100.phis.troj.spyw.evad.winEXE@1/0@1/1

Source: C:\Users\user\Desktop\pisun.exe	Code function: 1_2_049E0F32 AdjustTokenPrivileges,		1_2_049E0F32
Source: C:\Users\user\Desktop\pisun.exe	Code function: 1_2_049E0EFB AdjustTokenPrivileges,		1_2_049E0EFB

Source: C:\Users\user\Desktop\pisun.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\pisun.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\Desktop\pisun.exe	Mutant created: \Sessions\1\BaseNamedObjects\f9f7ecca9c9e7996304b914cc137e66d

Source: pisun.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: pisun.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\pisun.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: pisun.exe	ReversingLabs: Detection: 86%
Source: pisun.exe	Virustotal: Detection: 80%

Source: C:\Users\user\Desktop\pisun.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\pisun.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\pisun.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\pisun.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\pisun.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\pisun.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\pisun.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\pisun.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\pisun.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\pisun.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\pisun.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\pisun.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\pisun.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\pisun.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\pisun.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\pisun.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Users\user\Desktop\pisun.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: pisun.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: C:\Users\user\Desktop\pisun.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: pisun.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: pisun.exe, OK.cs

.Net Code: Plugin System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\pisun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pisun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pisun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pisun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pisun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pisun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pisun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pisun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pisun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pisun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pisun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pisun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pisun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pisun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pisun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pisun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pisun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pisun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pisun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pisun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pisun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pisun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pisun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pisun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pisun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pisun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pisun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pisun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: pisun.exe	Binary or memory string: WIRESHARK.EXE9HTTPS://PASTEBIN.COM/RAW/???NULL
Source: pisun.exe, 00000001.00000002.3738364787.0000000002811000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WIRESHARK.EXE

Source: C:\Users\user\Desktop\pisun.exe	Memory allocated: B40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\pisun.exe	Memory allocated: 2810000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\pisun.exe	Memory allocated: 4810000 memory commit \| memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\pisun.exe	Window / User API: threadDelayed 1367	Jump to behavior
Source: C:\Users\user\Desktop\pisun.exe	Window / User API: threadDelayed 3733	Jump to behavior
Source: C:\Users\user\Desktop\pisun.exe	Window / User API: threadDelayed 4415	Jump to behavior
Source: C:\Users\user\Desktop\pisun.exe	Window / User API: foregroundWindowGot 1764	Jump to behavior

Source: C:\Users\user\Desktop\pisun.exe TID: 6644	Thread sleep count: 1367 > 30	Jump to behavior
Source: C:\Users\user\Desktop\pisun.exe TID: 6644	Thread sleep time: -1367000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pisun.exe TID: 8264	Thread sleep count: 3733 > 30	Jump to behavior
Source: C:\Users\user\Desktop\pisun.exe TID: 6644	Thread sleep count: 4415 > 30	Jump to behavior
Source: C:\Users\user\Desktop\pisun.exe TID: 6644	Thread sleep time: -4415000s >= -30000s	Jump to behavior

Source: pisun.exe	Binary or memory string: VBoxService%\\.\PhysicalDrive0
Source: pisun.exe, 00000001.00000002.3737489797.000000000063F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\pisun.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\pisun.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: pisun.exe, kl.cs	Reference to suspicious API methods: MapVirtualKey(a, 0u)
Source: pisun.exe, kl.cs	Reference to suspicious API methods: GetAsyncKeyState(num2)
Source: pisun.exe, OK.cs	Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)

Source: pisun.exe	Binary or memory string: Program Manager
Source: pisun.exe	Binary or memory string: Progman
Source: pisun.exe	Binary or memory string: Shell_TrayWnd+set CDAudio door open/set CDAudio door closed
Source: pisun.exe, 00000001.00000002.3738364787.00000000028A9000.00000004.00000800.00020000.00000000.sdmp, pisun.exe, 00000001.00000002.3738364787.00000000028D4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager@9

Source: C:\Users\user\Desktop\pisun.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Disables zone checking for all users

Source: C:\Users\user\Desktop\pisun.exe

Registry value created: HKEY_CURRENT_USER\Environment SEE_MASK_NOZONECHECKS

Jump to behavior

Source: pisun.exe, 00000001.00000002.3738364787.0000000002811000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: Wireshark.exe

Stealing of Sensitive Information

Yara detected Njrat

Source: Yara match	File source: pisun.exe, type: SAMPLE
Source: Yara match	File source: 1.0.pisun.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.1269492282.00000000001D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: pisun.exe PID: 6640, type: MEMORYSTR

Remote Access Functionality

Yara detected Njrat

Source: Yara match	File source: pisun.exe, type: SAMPLE
Source: Yara match	File source: 1.0.pisun.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.1269492282.00000000001D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: pisun.exe PID: 6640, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Access Token Manipulation	2 Virtualization/Sandbox Evasion	1 Input Capture	111 Security Software Discovery	Remote Services	1 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Process Injection	11 Disable or Modify Tools	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Access Token Manipulation	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	2 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
pisun.exe	86%	ReversingLabs	ByteCode-MSIL.Backdoor.njRAT
pisun.exe	81%	Virustotal		Browse
pisun.exe	100%	Avira	TR/Dropper.Gen7

Name	IP	Active	Malicious	Antivirus Detection	Reputation
such-captain.gl.at.ply.gg	147.185.221.27	true	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://pastebin.com/raw/???	pisun.exe	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
147.185.221.27	such-captain.gl.at.ply.gg	United States		12087	SALSGIVERUS	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1646174
Start date and time:	2025-03-23 14:58:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	pisun.exe
Detection:	MAL
Classification:	mal100.phis.troj.spyw.evad.winEXE@1/0@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 66 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.204.23.20, 20.12.23.50, 20.96.153.111, 150.171.28.10
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, g.bing.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e16604.dscf.akamaiedge.net, arc.msn.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:59:37	API Interceptor	1197990x Sleep call for process: pisun.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
147.185.221.27	XClient.exe	Get hash	malicious	XWorm	Browse
	Server.exe.bin.exe	Get hash	malicious	Njrat	Browse
	RobloxInstaller.exe	Get hash	malicious	Unknown	Browse
	tsetup-x64.5.9.0.exe	Get hash	malicious	RDPWrap Tool	Browse
	123123.exe.bin.exe	Get hash	malicious	Njrat	Browse
	Payload.exe.bin.exe	Get hash	malicious	Njrat	Browse
	Payload1234.exe.bin.exe	Get hash	malicious	Njrat	Browse
	remover.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
such-captain.gl.at.ply.gg	XClient.exe	Get hash	malicious	XWorm	Browse	147.185.221.27

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SALSGIVERUS	XClient.exe	Get hash	malicious	XWorm	Browse	147.185.221.27
	winupdate.scr.exe	Get hash	malicious	Unknown	Browse	147.185.221.26
	Bootstrapper.exe	Get hash	malicious	XWorm	Browse	147.185.221.26
	Microsoft Word Host.exe	Get hash	malicious	SheetRat	Browse	147.185.221.26
	Client.exe.bin.exe	Get hash	malicious	SheetRat	Browse	147.185.221.26
	Server.exe.bin.exe	Get hash	malicious	Njrat	Browse	147.185.221.27
	8M42o4UI1xlnUeX.exe	Get hash	malicious	PureLog Stealer, XWorm	Browse	147.185.221.26
	RobloxInstaller.exe	Get hash	malicious	Unknown	Browse	147.185.221.27
	tsetup-x64.5.9.0.exe	Get hash	malicious	RDPWrap Tool	Browse	147.185.221.27
	ZGZ3X_nig.exe	Get hash	malicious	Chaos, StormKitty, TrojanRansom	Browse	147.185.221.26

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.616094873873246
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	pisun.exe
File size:	55'808 bytes
MD5:	45140e967970cd63521eaa76dc4db7d7
SHA1:	aae8aa4c5fb8e1d5a830f1f095d7550a89b7634a
SHA256:	3990ab6d73f0a92606cb4c86d39e077f014da65413a264be94d03ca8478e64b8
SHA512:	d8c5274fc1c66700c3fb63527973cb20106070698eebdf90e6b3f9ace371e34a653e382f949683d9aab0cb33fdd00ab2b943e499a4d2d6f42a24822fa2142129
SSDEEP:	768:U8I0g652Esltuq55JR2ET3NwJSNbxWQG35bmaePD5PvXOC2XXJdxIEpmvg:U8ZVGtZ5DTCGlWQcGD0LX3xIEpmvg
TLSH:	5C432944BBE68A01E2BD8F7468F655150B74AA23E932DB1F8CD558DB13327C68C80FE5
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g............................>.... ........@.. .......................@............@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x40f03e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x67DD8E03 [Fri Mar 21 16:04:19 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xefe8	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x10000	0x240	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x12000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xd044	0xd200	cc9ca2dc8d5fc1df659b46b6abfcd3c7	False	0.45202752976190474	data	5.636936645908858	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x10000	0x240	0x400	0da1702fee35fb285b88cc25720ab75a	False	0.310546875	data	4.964962934397579	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x12000	0xc	0x200	a44a373176d72c27a795808f061fdec2	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x10058	0x1e7	XML 1.0 document, ASCII text, with CRLF line terminators			0.5338809034907598

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Download Network PCAP: filtered – full

Network Port Distribution

Total Packets: 55
• 7723 undefined
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 23, 2025 14:59:08.763803959 CET	49721	7723	192.168.2.5	147.185.221.27
Mar 23, 2025 14:59:09.779674053 CET	49721	7723	192.168.2.5	147.185.221.27
Mar 23, 2025 14:59:11.795562029 CET	49721	7723	192.168.2.5	147.185.221.27
Mar 23, 2025 14:59:15.808643103 CET	49721	7723	192.168.2.5	147.185.221.27
Mar 23, 2025 14:59:23.808676958 CET	49721	7723	192.168.2.5	147.185.221.27
Mar 23, 2025 14:59:31.842751980 CET	49729	7723	192.168.2.5	147.185.221.27
Mar 23, 2025 14:59:32.842094898 CET	49729	7723	192.168.2.5	147.185.221.27
Mar 23, 2025 14:59:34.840379000 CET	49729	7723	192.168.2.5	147.185.221.27
Mar 23, 2025 14:59:38.839937925 CET	49729	7723	192.168.2.5	147.185.221.27
Mar 23, 2025 14:59:46.839942932 CET	49729	7723	192.168.2.5	147.185.221.27
Mar 23, 2025 14:59:54.858201027 CET	49734	7723	192.168.2.5	147.185.221.27
Mar 23, 2025 14:59:55.855571985 CET	49734	7723	192.168.2.5	147.185.221.27
Mar 23, 2025 14:59:57.871213913 CET	49734	7723	192.168.2.5	147.185.221.27
Mar 23, 2025 15:00:01.949345112 CET	49734	7723	192.168.2.5	147.185.221.27
Mar 23, 2025 15:00:09.949364901 CET	49734	7723	192.168.2.5	147.185.221.27
Mar 23, 2025 15:00:17.982551098 CET	49735	7723	192.168.2.5	147.185.221.27
Mar 23, 2025 15:00:18.980628014 CET	49735	7723	192.168.2.5	147.185.221.27
Mar 23, 2025 15:00:20.980627060 CET	49735	7723	192.168.2.5	147.185.221.27
Mar 23, 2025 15:00:24.980662107 CET	49735	7723	192.168.2.5	147.185.221.27
Mar 23, 2025 15:00:32.980686903 CET	49735	7723	192.168.2.5	147.185.221.27
Mar 23, 2025 15:00:41.005840063 CET	49736	7723	192.168.2.5	147.185.221.27
Mar 23, 2025 15:00:42.011986017 CET	49736	7723	192.168.2.5	147.185.221.27
Mar 23, 2025 15:00:44.027559042 CET	49736	7723	192.168.2.5	147.185.221.27
Mar 23, 2025 15:00:48.027684927 CET	49736	7723	192.168.2.5	147.185.221.27
Mar 23, 2025 15:00:56.027580976 CET	49736	7723	192.168.2.5	147.185.221.27
Mar 23, 2025 15:01:04.044759989 CET	49737	7723	192.168.2.5	147.185.221.27
Mar 23, 2025 15:01:05.215116024 CET	49737	7723	192.168.2.5	147.185.221.27
Mar 23, 2025 15:01:07.215131044 CET	49737	7723	192.168.2.5	147.185.221.27
Mar 23, 2025 15:01:11.215131998 CET	49737	7723	192.168.2.5	147.185.221.27
Mar 23, 2025 15:01:19.215188980 CET	49737	7723	192.168.2.5	147.185.221.27
Mar 23, 2025 15:01:27.263868093 CET	49738	7723	192.168.2.5	147.185.221.27
Mar 23, 2025 15:01:28.433962107 CET	49738	7723	192.168.2.5	147.185.221.27
Mar 23, 2025 15:01:30.434058905 CET	49738	7723	192.168.2.5	147.185.221.27
Mar 23, 2025 15:01:34.449522018 CET	49738	7723	192.168.2.5	147.185.221.27
Mar 23, 2025 15:01:42.465187073 CET	49738	7723	192.168.2.5	147.185.221.27
Mar 23, 2025 15:01:50.513664007 CET	49739	7723	192.168.2.5	147.185.221.27
Mar 23, 2025 15:01:51.699680090 CET	49739	7723	192.168.2.5	147.185.221.27
Mar 23, 2025 15:01:53.715270042 CET	49739	7723	192.168.2.5	147.185.221.27
Mar 23, 2025 15:01:57.730899096 CET	49739	7723	192.168.2.5	147.185.221.27
Mar 23, 2025 15:02:05.746464014 CET	49739	7723	192.168.2.5	147.185.221.27
Mar 23, 2025 15:02:13.795100927 CET	49740	7723	192.168.2.5	147.185.221.27
Mar 23, 2025 15:02:14.965236902 CET	49740	7723	192.168.2.5	147.185.221.27
Mar 23, 2025 15:02:16.981004953 CET	49740	7723	192.168.2.5	147.185.221.27
Mar 23, 2025 15:02:20.996453047 CET	49740	7723	192.168.2.5	147.185.221.27
Mar 23, 2025 15:02:29.012209892 CET	49740	7723	192.168.2.5	147.185.221.27
Mar 23, 2025 15:02:37.045190096 CET	49741	7723	192.168.2.5	147.185.221.27
Mar 23, 2025 15:02:38.059001923 CET	49741	7723	192.168.2.5	147.185.221.27
Mar 23, 2025 15:02:40.059040070 CET	49741	7723	192.168.2.5	147.185.221.27
Mar 23, 2025 15:02:44.074620008 CET	49741	7723	192.168.2.5	147.185.221.27
Mar 23, 2025 15:02:52.090311050 CET	49741	7723	192.168.2.5	147.185.221.27
Mar 23, 2025 15:03:00.108047009 CET	49742	7723	192.168.2.5	147.185.221.27
Mar 23, 2025 15:03:01.121618986 CET	49742	7723	192.168.2.5	147.185.221.27
Mar 23, 2025 15:03:03.137269020 CET	49742	7723	192.168.2.5	147.185.221.27
Mar 23, 2025 15:03:07.278201103 CET	49742	7723	192.168.2.5	147.185.221.27

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 23, 2025 14:59:08.576785088 CET	61484	53	192.168.2.5	1.1.1.1
Mar 23, 2025 14:59:08.760263920 CET	53	61484	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 23, 2025 14:59:08.576785088 CET	192.168.2.5	1.1.1.1	0x9466	Standard query (0)	such-captain.gl.at.ply.gg	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 23, 2025 14:59:08.760263920 CET	1.1.1.1	192.168.2.5	0x9466	No error (0)	such-captain.gl.at.ply.gg		147.185.221.27	A (IP address)	IN (0x0001)	false

Statistics

CPU Usage

• pisun.exe

Click to jump to process

Memory Usage

• pisun.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry
• Network

Click to dive into process behavior distribution

Target ID:	1
Start time:	09:58:58
Start date:	23/03/2025
Path:	C:\Users\user\Desktop\pisun.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\pisun.exe"
Imagebase:	0x1d0000
File size:	55'808 bytes
MD5 hash:	45140E967970CD63521EAA76DC4DB7D7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000001.00000000.1269492282.00000000001D2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000001.00000000.1269492282.00000000001D2000.00000002.00000001.01000000.00000003.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000001.00000000.1269492282.00000000001D2000.00000002.00000001.01000000.00000003.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000001.00000000.1269492282.00000000001D2000.00000002.00000001.01000000.00000003.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	17.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	5.4%
Total number of Nodes:	111
Total number of Limit Nodes:	4

Executed Functions

Function 049E0EFB Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 049E0F7B

Memory Dump Source

Source File: 00000001.00000002.3739380110.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_49e0000_pisun.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: cf3b35390b61dd167a3e92af12a28417ee73dbc6f4d34306ff61bd9fdf7fefe8
Instruction ID: 1bb19e8926b69932c556bebc58a098735a8c241142e7c76b7ba2ea9a1283a7e8
Opcode Fuzzy Hash: cf3b35390b61dd167a3e92af12a28417ee73dbc6f4d34306ff61bd9fdf7fefe8
Instruction Fuzzy Hash: B4219F755097849FDB238F25DC44B62BFB8EF06310F0984EAE9858B163D271A918CB62

Function 049E0F32 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 049E0F7B

Memory Dump Source

Source File: 00000001.00000002.3739380110.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_49e0000_pisun.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 7a0b93d70e5aa7a0b7a908ed02530ae106ada4d76f3f6b0d70302df3dc542751
Instruction ID: c8149d5221933c7cccda4aef96b4d292d0aa8a3222d57fc81d4ac5799e91c6f4
Opcode Fuzzy Hash: 7a0b93d70e5aa7a0b7a908ed02530ae106ada4d76f3f6b0d70302df3dc542751
Instruction Fuzzy Hash: BB1191715003049FDB21CF55D944B66FBE8EF04210F08C86AEE858B652D371E418DF61

Function 00CC0360 Relevance: .9, Instructions: 928COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3738284261.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_cc0000_pisun.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49d40b320593dd2e8d43ca3e7b385f3995c27acf64db833bc260653f840c3ee6
Instruction ID: 8033791139f431d0be3d37e198723c2c1d7239e53055c79f3501f66c09d59cf9
Opcode Fuzzy Hash: 49d40b320593dd2e8d43ca3e7b385f3995c27acf64db833bc260653f840c3ee6
Instruction Fuzzy Hash: 42925974A00208CFDB18EF74D994BADB7B6BF88308F1041A9D909AB795DB35AD85CF50

Function 00CC1550 Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 00CC1577

Memory Dump Source

Source File: 00000001.00000002.3738284261.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_cc0000_pisun.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: a3044d227a55dbc92bf66f979f8dec98c8196ed21b747b839a13846f82cfb967
Instruction ID: d20ac2d286df62e7c70b335401702c802f0b2dfa3726d857c6afe9be9218ded4
Opcode Fuzzy Hash: a3044d227a55dbc92bf66f979f8dec98c8196ed21b747b839a13846f82cfb967
Instruction Fuzzy Hash: 11418671A002048FCB04EF79C5856ADB7F2EF88354B188169E819DB399DB34DD45C7A4

Function 00CC1541 Relevance: 1.6, APIs: 1, Instructions: 104
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 00CC1577

Memory Dump Source

Source File: 00000001.00000002.3738284261.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_cc0000_pisun.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: a7e96c7df9ea6abd030d175d5d8dfcb080091295d48dfe1889d7ddc4f452ab66
Instruction ID: e49a60075baf57a1cfb3aaa11389579fbc83d2efb97e66131292a3e08fbcd23c
Opcode Fuzzy Hash: a7e96c7df9ea6abd030d175d5d8dfcb080091295d48dfe1889d7ddc4f452ab66
Instruction Fuzzy Hash: 49413271A002048FCB04DF79C595AADB7F2EF89344B188569E809DB39ADB34DD85CBA4

Function 00AEB6E2 Relevance: 1.6, APIs: 1, Instructions: 103
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 00AEB7A1

Memory Dump Source

Source File: 00000001.00000002.3737861829.0000000000AEA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AEA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_aea000_pisun.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 40e008acec435dc6ce4ed571ea8b60763a5daea798cd6a9d7042c36ce5f5b7b1
Instruction ID: b9b3bcfa88d6fa36ec5aded0b5b3d40df702e67e1645650c6708db196cb12b17
Opcode Fuzzy Hash: 40e008acec435dc6ce4ed571ea8b60763a5daea798cd6a9d7042c36ce5f5b7b1
Instruction Fuzzy Hash: 5931B271505380AFE722CF26DC44BA6BFE8EF46314F08849EE9858B653D335A809CB71

Function 049E14A8 Relevance: 1.6, APIs: 1, Instructions: 100
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNELBASE(?,00000E24), ref: 049E1565

Memory Dump Source

Source File: 00000001.00000002.3739380110.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_49e0000_pisun.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 5f405f16cb1dd90188c5e0f42b951fc76977ec95d05c638eea921b5226d18148
Instruction ID: 6653592d6ed5d249029501f97b74d3104db45775fd96b2dc2c95b88d39ed6900
Opcode Fuzzy Hash: 5f405f16cb1dd90188c5e0f42b951fc76977ec95d05c638eea921b5226d18148
Instruction Fuzzy Hash: 04318EB2504344AFEB228B26CC45FA7BBFCEF09614F08855AF985C7652D220E909CB61

Function 00AEBC4F Relevance: 1.6, APIs: 1, Instructions: 98
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 00AEBD16

Memory Dump Source

Source File: 00000001.00000002.3737861829.0000000000AEA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AEA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_aea000_pisun.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 40c9220cbc2e422c9b54a17de7287f21729104fa79c350986e7463400dfd5462
Instruction ID: 7092834498cebca2f297c74732eb1db4898dc0e612da4d930d462ab2ef49671e
Opcode Fuzzy Hash: 40c9220cbc2e422c9b54a17de7287f21729104fa79c350986e7463400dfd5462
Instruction Fuzzy Hash: 98318D7510E3C06FD3138B258C65A62BFB4EF47610B0E45CBD8C48B6A3D2296809C7B2

Function 00AEA7C7 Relevance: 1.6, APIs: 1, Instructions: 95
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 00AEA879

Memory Dump Source

Source File: 00000001.00000002.3737861829.0000000000AEA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AEA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_aea000_pisun.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 9a5f59503535308c8cb4454bf93c62478dbce3d6bcf8407ea7c5f9f9f5a3055d
Instruction ID: b0c52a9c7037bfe26d0da401e902e61ab6b01bd22fd68ae606252ca08eb0e24b
Opcode Fuzzy Hash: 9a5f59503535308c8cb4454bf93c62478dbce3d6bcf8407ea7c5f9f9f5a3055d
Instruction Fuzzy Hash: 0731B8764083846FE7228B51DC44FA7BFBCEF16714F04449AE985CB653D264A90DC771

Function 049E0AE8 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32(?,00000E24), ref: 049E0BAF

Memory Dump Source

Source File: 00000001.00000002.3739380110.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_49e0000_pisun.jbxd

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: 0dbfdc52f0853b9cf89ff14330b09713e520015cdd7406613aea0100dce486c5
Instruction ID: b7f4d3ccf49fb6f2dd7ceba0cfc4d36e88d4145333b11095ec3f8d4562b56758
Opcode Fuzzy Hash: 0dbfdc52f0853b9cf89ff14330b09713e520015cdd7406613aea0100dce486c5
Instruction Fuzzy Hash: 5331A2B1504344AFEB21CB51DC44FAAFBACEF04714F04889AFA489B692D375A949CB71

Function 00AEA612 Relevance: 1.6, APIs: 1, Instructions: 89
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 00AEA6B9

Memory Dump Source

Source File: 00000001.00000002.3737861829.0000000000AEA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AEA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_aea000_pisun.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: d5eecfa827a474a20f664688604e6597326822f11781c47acc0d9c445ce21513
Instruction ID: 0854e143ac1110d0a13ad79f679e0c5adc9dfa76991b0410002cb2dc76780344
Opcode Fuzzy Hash: d5eecfa827a474a20f664688604e6597326822f11781c47acc0d9c445ce21513
Instruction Fuzzy Hash: 813193755093845FE712CB25CC95B96BFF8EF06314F08849AE984CB293D375E909C762

Function 049E02DC Relevance: 1.6, APIs: 1, Instructions: 89
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 049E0373

Memory Dump Source

Source File: 00000001.00000002.3739380110.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_49e0000_pisun.jbxd

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: 127f6f104f80ad3616005c0e9bfe52b7041d409d59265fbe19d97a1e093b730d
Instruction ID: 5b1fd434d8620dea9e6f2e1c6a6de175f8c031f9c3a821c77bd9c8b7390c8be1
Opcode Fuzzy Hash: 127f6f104f80ad3616005c0e9bfe52b7041d409d59265fbe19d97a1e093b730d
Instruction Fuzzy Hash: 18318471505384AFD722CF65DC45FABBFACEF05210F0884AAE944CB552D364E808CB71

Function 049E09E0 Relevance: 1.6, APIs: 1, Instructions: 89
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessTimes.KERNELBASE(?,00000E24,6DCD202F,00000000,00000000,00000000,00000000), ref: 049E0A7D

Memory Dump Source

Source File: 00000001.00000002.3739380110.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_49e0000_pisun.jbxd

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 92413ddf05a26686a24b1a8289fb1b669371ecad93398db74abd5095f91e88a7
Instruction ID: c6dd38b507502297aea6ca5e1508f726dc7d0ab4f7a500ac9418c92f69c62165
Opcode Fuzzy Hash: 92413ddf05a26686a24b1a8289fb1b669371ecad93398db74abd5095f91e88a7
Instruction Fuzzy Hash: 6331F772409380AFE722CF61DC45BA6BFB8EF06310F08849BE9848F193D361A509CB75

Function 00AEA8C1 Relevance: 1.6, APIs: 1, Instructions: 86
windowtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendMessageTimeoutA.USER32(?,00000E24), ref: 00AEA97D

Memory Dump Source

Source File: 00000001.00000002.3737861829.0000000000AEA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AEA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_aea000_pisun.jbxd

Similarity

API ID: MessageSendTimeout
String ID:
API String ID: 1599653421-0
Opcode ID: 45725cbf1cadd9efc11bc187c7ea51136fd81ef13b04dfce4e639931b0e19a98
Instruction ID: ea7379fe54a2833d6ffdfcd26e1a4684e8ad96946a149ae576ea04c217e6d484
Opcode Fuzzy Hash: 45725cbf1cadd9efc11bc187c7ea51136fd81ef13b04dfce4e639931b0e19a98
Instruction Fuzzy Hash: A231C271009384AFEB228F61CC45FA6BFB8EF06314F08849AE9858B553D275A809CB65

Function 049E14CA Relevance: 1.6, APIs: 1, Instructions: 86
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNELBASE(?,00000E24), ref: 049E1565

Memory Dump Source

Source File: 00000001.00000002.3739380110.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_49e0000_pisun.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 9c92dfe05bddb97d18fcbb8a1ced6703f35c5fb4f89c17c9884fe9c4362f7ca7
Instruction ID: f833cc845969592c26a3f0c082e0bef611436510e7813754f43b7ac3cb8c0ba6
Opcode Fuzzy Hash: 9c92dfe05bddb97d18fcbb8a1ced6703f35c5fb4f89c17c9884fe9c4362f7ca7
Instruction Fuzzy Hash: 88215172500204AFEB21DF16CC45FBBBBECEF08614F04856AE946D7652D730F548CA61

Function 00AEA361 Relevance: 1.6, APIs: 1, Instructions: 85
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,6DCD202F,00000000,00000000,00000000,00000000), ref: 00AEA40C

Memory Dump Source

Source File: 00000001.00000002.3737861829.0000000000AEA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AEA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_aea000_pisun.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: fddd745a04ebb712cb6b9d57cc8408ce60f7a3edbe85bd68c481c402951e9be9
Instruction ID: 26f8b99f51577f671cd734ebd3daf7cde43176b7bad59fc9ef58f98799de3579
Opcode Fuzzy Hash: fddd745a04ebb712cb6b9d57cc8408ce60f7a3edbe85bd68c481c402951e9be9
Instruction Fuzzy Hash: 79318175505784AFD722CF11CC84F96BBF8EF05710F08849AE9858B693D364E949CB72

Function 049E0B0A Relevance: 1.6, APIs: 1, Instructions: 84
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32(?,00000E24), ref: 049E0BAF

Memory Dump Source

Source File: 00000001.00000002.3739380110.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_49e0000_pisun.jbxd

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: 5c4567fb3a9e42cbbac88b312cdc78ec8915fc398b43ddf17cfa59129293f58a
Instruction ID: 10163ed1f35ae37e34c0f3f8a47229c3ebf00475b65ec75416c21bf4a809fc4a
Opcode Fuzzy Hash: 5c4567fb3a9e42cbbac88b312cdc78ec8915fc398b43ddf17cfa59129293f58a
Instruction Fuzzy Hash: 6621BF71100204AEEB21DB51CC84FBAF7ACEF04714F14885AFA489B681D7B5B54DCB71

Function 00AEB7F8 Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E24,6DCD202F,00000000,00000000,00000000,00000000), ref: 00AEB88D

Memory Dump Source

Source File: 00000001.00000002.3737861829.0000000000AEA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AEA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_aea000_pisun.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 26a47d903df04198675ce84a3e42b58fe9d065bf1af0e9fdf06a8622b8bec71b
Instruction ID: fbc3afd2cad9323957eb0516bdc71b1b29574e467e2035c9ac879e0f9dd480d1
Opcode Fuzzy Hash: 26a47d903df04198675ce84a3e42b58fe9d065bf1af0e9fdf06a8622b8bec71b
Instruction Fuzzy Hash: B521F8B54093C46FE7128B21DC85BA6BFACEF47720F0880D6E9808B693D264A909C775

Function 049E1880 Relevance: 1.6, APIs: 1, Instructions: 80windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNELBASE(?,00000E24,?,?), ref: 049E1922

Memory Dump Source

Source File: 00000001.00000002.3739380110.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_49e0000_pisun.jbxd

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: 113247376822b710b96be6b31eb74664a6a5b67b13c55dd53b5d8f0ec4cdb075
Instruction ID: b0d2a20b9d93fe68416d28dccb34ba529a4057ff762d028739d66d2de1b0039c
Opcode Fuzzy Hash: 113247376822b710b96be6b31eb74664a6a5b67b13c55dd53b5d8f0ec4cdb075
Instruction Fuzzy Hash: 4321D17150D3C46FD302CB658C65B66BFB4EF87610F0980CBD8849F6A3D624A919C7B2

Function 049E107D Relevance: 1.6, APIs: 1, Instructions: 79COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNELBASE(?,00000E24,6DCD202F,00000000,00000000,00000000,00000000), ref: 049E1104

Memory Dump Source

Source File: 00000001.00000002.3739380110.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_49e0000_pisun.jbxd

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: 2a243fc874f0bf20edcd94fc7b56104eba540e7fe3669820db3e81c9809ff5b8
Instruction ID: 560560e1f5dbd943402764400ca56cdce41c14c06a37359578c67104fb731488
Opcode Fuzzy Hash: 2a243fc874f0bf20edcd94fc7b56104eba540e7fe3669820db3e81c9809ff5b8
Instruction Fuzzy Hash: A121C1715093846FE712CB25CC45FA6BFA8EF06714F0884EBE984CF593D264A908C775

Function 00AEA462 Relevance: 1.6, APIs: 1, Instructions: 77registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E24,6DCD202F,00000000,00000000,00000000,00000000), ref: 00AEA4F8

Memory Dump Source

Source File: 00000001.00000002.3737861829.0000000000AEA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AEA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_aea000_pisun.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: a7b7c94e1998a4a5e01e9ddfcc1167cc52136e3bb774351eddd5c0de2de39c9a
Instruction ID: 3c5b63eb50cb64f17235915abba98fabdd065503b064eebee6bb4e4af003c6b4
Opcode Fuzzy Hash: a7b7c94e1998a4a5e01e9ddfcc1167cc52136e3bb774351eddd5c0de2de39c9a
Instruction Fuzzy Hash: EE2190765053846FD7228F15DC44FA7BFB8EF46710F08849AE985CB692D264E848C772

Function 00AEBD42 Relevance: 1.6, APIs: 1, Instructions: 77networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 00AEBDCE

Memory Dump Source

Source File: 00000001.00000002.3737861829.0000000000AEA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AEA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_aea000_pisun.jbxd

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 1c021d414e31da8c1fb72cb9c720086c6cf02bd5ee94218ed56b3cd041b0810d
Instruction ID: 6970008a07d8d808f4067c455e7b7cfe87af39ee235cc9749cca950823dd1732
Opcode Fuzzy Hash: 1c021d414e31da8c1fb72cb9c720086c6cf02bd5ee94218ed56b3cd041b0810d
Instruction Fuzzy Hash: 17217E71405384AFD722CF55DC49F96FFB8EF05314F08889EE9858B692D375A818CB62

Function 049E0492 Relevance: 1.6, APIs: 1, Instructions: 77fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 049E0526

Memory Dump Source

Source File: 00000001.00000002.3739380110.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_49e0000_pisun.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 7ee6516182b172ce2348145f2e9f5a386af17ea5a668ae0306f0d5c126d8e92e
Instruction ID: b5828c4a7c62b846ad3387b66ecd61b355b3ebb3bad7187a88d7556e95367884
Opcode Fuzzy Hash: 7ee6516182b172ce2348145f2e9f5a386af17ea5a668ae0306f0d5c126d8e92e
Instruction Fuzzy Hash: 3721A071405384AFE722CF16DC44F96FFF8EF09224F04849EE9858B652D365A508CB65

Function 00AEB722 Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 00AEB7A1

Memory Dump Source

Source File: 00000001.00000002.3737861829.0000000000AEA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AEA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_aea000_pisun.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: a4e7aaf3f6e8d996332956f3e06903512b88c24a4b431fcbda08a7369cf9851b
Instruction ID: ff64ce682e0a1ebd72191d8a8b7436bd84bf5223c46939030955f990d78126ae
Opcode Fuzzy Hash: a4e7aaf3f6e8d996332956f3e06903512b88c24a4b431fcbda08a7369cf9851b
Instruction Fuzzy Hash: C621AE71501244AFEB20CF26CD89B66FBE8EF08314F04846EE9858BA52D371E808CB71

Function 049E0302 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 049E0373

Memory Dump Source

Source File: 00000001.00000002.3739380110.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_49e0000_pisun.jbxd

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: bd1518cd4ac8a315cb29e3761262a5ddf522272fc932d60ab4fdb955125009e5
Instruction ID: 767da5cc4c8d040bb5b8e221c1745a223d0c452d7ff5ce7d215ca12627b193c1
Opcode Fuzzy Hash: bd1518cd4ac8a315cb29e3761262a5ddf522272fc932d60ab4fdb955125009e5
Instruction Fuzzy Hash: 70219F72600244AFEB21DF25DC45BBAFBACEF04714F04886AE945DB642D774E4088A71

Function 049E01F6 Relevance: 1.6, APIs: 1, Instructions: 75registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,6DCD202F,00000000,00000000,00000000,00000000), ref: 049E0288

Memory Dump Source

Source File: 00000001.00000002.3739380110.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_49e0000_pisun.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 4adc3d03339dc3ec85e0dca06a3f07f6a4c6f1194ea3cfd585e8de8061515f65
Instruction ID: 32cc46698d9996d0766fdb809a1c93a3c62e8f26bb4661b0b8e51977b98a7bf3
Opcode Fuzzy Hash: 4adc3d03339dc3ec85e0dca06a3f07f6a4c6f1194ea3cfd585e8de8061515f65
Instruction Fuzzy Hash: 74219D72505384AFD722CF12DC44FA7BBFCEF05610F08849AE9858B652D365E948CB75

Function 049E0D76 Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 049E0DFA

Memory Dump Source

Source File: 00000001.00000002.3739380110.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_49e0000_pisun.jbxd

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 2e6f4ac7c1ae38605c02a67f84521edb73ebdca0350e7f37cb403c19ffc60235
Instruction ID: 2634bbcc8cffbacf53e58e112ce4b95e3b4446e548dd18547396ff0f1e1b49a9
Opcode Fuzzy Hash: 2e6f4ac7c1ae38605c02a67f84521edb73ebdca0350e7f37cb403c19ffc60235
Instruction Fuzzy Hash: 65217F725093805FDB22CB25DC55BA6BFE8AF06210F0984EAD8C5CB263D264E849C761

Function 00AEA7FA Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 00AEA879

Memory Dump Source

Source File: 00000001.00000002.3737861829.0000000000AEA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AEA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_aea000_pisun.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: a4b303cd7fb5ca7d4aaec24b4f5094b60636c2fc6eebcb2f952e637d12ab886e
Instruction ID: 41ce26c6e2a45409901aa9573d396c19691d3a9fdeb0ccf04543909f9d873d68
Opcode Fuzzy Hash: a4b303cd7fb5ca7d4aaec24b4f5094b60636c2fc6eebcb2f952e637d12ab886e
Instruction Fuzzy Hash: 2121CF72500244AEE7209B52CC44FABFBACEF14314F04845AFA458BA42D330E80DCAB2

Function 049E124B Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetProcessWorkingSetSize.KERNEL32(?,00000E24,6DCD202F,00000000,00000000,00000000,00000000), ref: 049E12C7

Memory Dump Source

Source File: 00000001.00000002.3739380110.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_49e0000_pisun.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: 6bad1755e801fcfe449c34d0892e4c3a1474d7a7d7f7c80e056ce7ac17be5e0b
Instruction ID: cbb8e44c6c1bcb0161ebaf810d1bcee9956aeed17cf7d7843b607c93b63d3c50
Opcode Fuzzy Hash: 6bad1755e801fcfe449c34d0892e4c3a1474d7a7d7f7c80e056ce7ac17be5e0b
Instruction Fuzzy Hash: 0E2195715053846FD722CF15DC49BAABFA8EF45310F0884ABE9858B552D374A508CB65

Function 049E1167 Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

GetProcessWorkingSetSize.KERNEL32(?,00000E24,6DCD202F,00000000,00000000,00000000,00000000), ref: 049E11E3

Memory Dump Source

Source File: 00000001.00000002.3739380110.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_49e0000_pisun.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: 6bad1755e801fcfe449c34d0892e4c3a1474d7a7d7f7c80e056ce7ac17be5e0b
Instruction ID: da7c85934355e3ec9eba6f0c331842777fdd37667dbb5620aa387f52676fc13d
Opcode Fuzzy Hash: 6bad1755e801fcfe449c34d0892e4c3a1474d7a7d7f7c80e056ce7ac17be5e0b
Instruction Fuzzy Hash: 6F21C2715093846FD722CF55DC49FAABFA8EF06210F0884ABE944CB652D274A908CB65

Function 00AEA646 Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 00AEA6B9

Memory Dump Source

Source File: 00000001.00000002.3737861829.0000000000AEA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AEA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_aea000_pisun.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: f90ea74cbc005199bb9fa56547d0c2beb15d223569712780845240397ff1e523
Instruction ID: 94b3d9fcc8de2165fc07de0502351e808c4b2afecffff6407a7788e5b7e18c55
Opcode Fuzzy Hash: f90ea74cbc005199bb9fa56547d0c2beb15d223569712780845240397ff1e523
Instruction Fuzzy Hash: 4121D4716002449FE720DF26CD85BA6FBE8EF14314F08846AE945CB742D371F809CA72

Function 00AEBADA Relevance: 1.6, APIs: 1, Instructions: 70fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,00000E24,6DCD202F,00000000,00000000,00000000,00000000), ref: 00AEBB59

Memory Dump Source

Source File: 00000001.00000002.3737861829.0000000000AEA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AEA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_aea000_pisun.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 3f9e9cfa590d849e02ddcda6135aee4d0fb1b9f10583f2d61d48b9313b9f79e9
Instruction ID: a9a2359b5d993b1ce5f353edec67d0f5c29f976103422201edd2765648cd124c
Opcode Fuzzy Hash: 3f9e9cfa590d849e02ddcda6135aee4d0fb1b9f10583f2d61d48b9313b9f79e9
Instruction Fuzzy Hash: FA219F71405384AFDB22CF51DC48FABBFB8EF45710F08849AE9858B552D325A808CBB6

Function 00AEA392 Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,6DCD202F,00000000,00000000,00000000,00000000), ref: 00AEA40C

Memory Dump Source

Source File: 00000001.00000002.3737861829.0000000000AEA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AEA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_aea000_pisun.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 1e7db82fc6e65a4944ead8cb8e7b58fa9f531afe9507ec9656aa002a094081cd
Instruction ID: 2395d51f81a660bec3fbdb00a2963a0988359635678daf71ee5e8807bb245def
Opcode Fuzzy Hash: 1e7db82fc6e65a4944ead8cb8e7b58fa9f531afe9507ec9656aa002a094081cd
Instruction Fuzzy Hash: E6219DB5600244AFE720CF16CC84FA6F7ECEF14710F08845AE9468B692D370F849CA72

Function 00AEBD62 Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 00AEBDCE

Memory Dump Source

Source File: 00000001.00000002.3737861829.0000000000AEA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AEA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_aea000_pisun.jbxd

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 01f6efd738165afa959b9d4372c3c5105ca9cfaac41df13329f7e33cf7521443
Instruction ID: da9823c6d42e7d9d9ebcf37ebc740ff8481c3b7378973929768ce858d36919a2
Opcode Fuzzy Hash: 01f6efd738165afa959b9d4372c3c5105ca9cfaac41df13329f7e33cf7521443
Instruction Fuzzy Hash: 96212671400244AFE721CF56DC49FA6FBE8EF04314F04845EEA458B652D375E418CB71

Function 049E0CBA Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 049E0D36

Memory Dump Source

Source File: 00000001.00000002.3739380110.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_49e0000_pisun.jbxd

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: d41f3e0a84bc75eeb5bcea635cfa06b18d489049864d59115109de6e79a3654d
Instruction ID: 2d703fa88457149585e0e728fe994f4c0933154f946d3afc15ced202bd2bae2a
Opcode Fuzzy Hash: d41f3e0a84bc75eeb5bcea635cfa06b18d489049864d59115109de6e79a3654d
Instruction Fuzzy Hash: BE218E71409384AFDB228F55DC44BA2FFF8EF0A310F08849AE9858B163D275A859DB61

Function 049E04B2 Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 049E0526

Memory Dump Source

Source File: 00000001.00000002.3739380110.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_49e0000_pisun.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 76254fafdd7f40cf8976c2a9c139e33a7fe23cdf7e159d22c4c9d143700e1d95
Instruction ID: 75d73cf3ab1c442087949518328164757e340ed0bbe187f5c7af89b049f42b38
Opcode Fuzzy Hash: 76254fafdd7f40cf8976c2a9c139e33a7fe23cdf7e159d22c4c9d143700e1d95
Instruction Fuzzy Hash: 4621D171500244AFE721CF16DC44FAAFBE8EF08224F048459E9858B652D775F408CBA5

Function 00AEA902 Relevance: 1.6, APIs: 1, Instructions: 66windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutA.USER32(?,00000E24), ref: 00AEA97D

Memory Dump Source

Source File: 00000001.00000002.3737861829.0000000000AEA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AEA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_aea000_pisun.jbxd

Similarity

API ID: MessageSendTimeout
String ID:
API String ID: 1599653421-0
Opcode ID: 02b38d39daf7c31777e4368bcbf7b9df1a8a525b345fd73a46e3a535925d2f86
Instruction ID: e393e89d5df77ba755ec67720aeddc1c9a21876d615ce23d96c1d1a589ad7d91
Opcode Fuzzy Hash: 02b38d39daf7c31777e4368bcbf7b9df1a8a525b345fd73a46e3a535925d2f86
Instruction Fuzzy Hash: A521D271100244AFEB318F51DC44FA6FBA8EF08710F14845AFE854A652D371B419CB76

Function 00AEA486 Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E24,6DCD202F,00000000,00000000,00000000,00000000), ref: 00AEA4F8

Memory Dump Source

Source File: 00000001.00000002.3737861829.0000000000AEA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AEA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_aea000_pisun.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 481e42a1160ec66e8187df7b933993b11811231c1e3200d096d8a8bced81b146
Instruction ID: 070c8d14b0e802ecc4e7c70d779ed685a9628cc82613fee4e1667b7175fc036f
Opcode Fuzzy Hash: 481e42a1160ec66e8187df7b933993b11811231c1e3200d096d8a8bced81b146
Instruction Fuzzy Hash: 6F1181B6500644AFE7218F16DC45FA7FBECEF14714F04845AED458AA92D370F848CA76

Function 049E0216 Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,6DCD202F,00000000,00000000,00000000,00000000), ref: 049E0288

Memory Dump Source

Source File: 00000001.00000002.3739380110.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_49e0000_pisun.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 4694d7516eee73ad8d2ec10189160e16d7a18a28849783985a3db26ff8ae10f8
Instruction ID: e7814b95c8f58d68d80e2b078c05a82d51f2b3be16eb89ee0ad0e7c85dfe5040
Opcode Fuzzy Hash: 4694d7516eee73ad8d2ec10189160e16d7a18a28849783985a3db26ff8ae10f8
Instruction Fuzzy Hash: 60119D76500204AFEB21CE16DC44FA6BBECEF04610F04846AE9458A752D7A0E448CAB5

Function 049E0A1E Relevance: 1.6, APIs: 1, Instructions: 64timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E24,6DCD202F,00000000,00000000,00000000,00000000), ref: 049E0A7D

Memory Dump Source

Source File: 00000001.00000002.3739380110.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_49e0000_pisun.jbxd

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 62cca84fb6f5e375b820764bc0516b2cc03a8f552c7d64ca46b81176af291d78
Instruction ID: afe44f28bcf060b194ef0fc43d4926d1ee4b34e56ca736524fd04900b91760a6
Opcode Fuzzy Hash: 62cca84fb6f5e375b820764bc0516b2cc03a8f552c7d64ca46b81176af291d78
Instruction Fuzzy Hash: 4F11E671600204AFEB21CF56DC48BBAFBECEF04310F08846AE9458B652D371E458DBB1

Function 049E118A Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

GetProcessWorkingSetSize.KERNEL32(?,00000E24,6DCD202F,00000000,00000000,00000000,00000000), ref: 049E11E3

Memory Dump Source

Source File: 00000001.00000002.3739380110.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_49e0000_pisun.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: 4a55b0bd066f9147f63154087b26a65720e21a6bf3c7d9b3b844eb90bbcbac36
Instruction ID: bbb667dedaed2d6edd03b8a9ebf0a876dd745a09994ac949035f509269e9c8e7
Opcode Fuzzy Hash: 4a55b0bd066f9147f63154087b26a65720e21a6bf3c7d9b3b844eb90bbcbac36
Instruction Fuzzy Hash: 4E11B2715002449FEB21CF56DC45BBAB7A8EF04324F04846AE945CB642D775E448CAA5

Function 049E126E Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

SetProcessWorkingSetSize.KERNEL32(?,00000E24,6DCD202F,00000000,00000000,00000000,00000000), ref: 049E12C7

Memory Dump Source

Source File: 00000001.00000002.3739380110.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_49e0000_pisun.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: 4a55b0bd066f9147f63154087b26a65720e21a6bf3c7d9b3b844eb90bbcbac36
Instruction ID: 0a816f5b4e047df64c9b926a9f56cacbc22ab25b440a3a80bbf112fb5b55b6a8
Opcode Fuzzy Hash: 4a55b0bd066f9147f63154087b26a65720e21a6bf3c7d9b3b844eb90bbcbac36
Instruction Fuzzy Hash: 9111BF71600204AFEB21CF56DC45BBAFBE8EF04324F04846AEA45CBA42D774A448CAA5

Function 00AEAD07 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00AEAD72

Memory Dump Source

Source File: 00000001.00000002.3737861829.0000000000AEA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AEA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_aea000_pisun.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 6fe906216c1fb8036388ad681d3a901f954ce7c55b330974a73f9b662c74c0b6
Instruction ID: aa97528e6cf8f6d576c4ec00be871c7843da041ac4e5b70854bc69260f1c791c
Opcode Fuzzy Hash: 6fe906216c1fb8036388ad681d3a901f954ce7c55b330974a73f9b662c74c0b6
Instruction Fuzzy Hash: E9118471409380AFDB228F55DC44B62FFF4EF4A310F0884DAED858B563D275A819DB62

Function 049E10AE Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNELBASE(?,00000E24,6DCD202F,00000000,00000000,00000000,00000000), ref: 049E1104

Memory Dump Source

Source File: 00000001.00000002.3739380110.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_49e0000_pisun.jbxd

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: 964ca9762b7aa4543dc6a44fb99fe47e98ec6ce190b1b7cbb1b256e7a013775b
Instruction ID: f9869a0caf15f501798f62de507fe9e21e67164cb9d8d92ac6973fc4e663867c
Opcode Fuzzy Hash: 964ca9762b7aa4543dc6a44fb99fe47e98ec6ce190b1b7cbb1b256e7a013775b
Instruction Fuzzy Hash: B711E371600244AFEB21CF16DC45FBAF79CEF04724F04846AED04CB642D775E448CAA5

Function 00AEBAFA Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,00000E24,6DCD202F,00000000,00000000,00000000,00000000), ref: 00AEBB59

Memory Dump Source

Source File: 00000001.00000002.3737861829.0000000000AEA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AEA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_aea000_pisun.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 0345348aea6e0513b36e2e0613985708ccf4350cc0a42ebe116445df227ac3e4
Instruction ID: 22bcc6f92aca117de487ed73827660e8065a3d2919fc50f8a46fe9fd022208de
Opcode Fuzzy Hash: 0345348aea6e0513b36e2e0613985708ccf4350cc0a42ebe116445df227ac3e4
Instruction Fuzzy Hash: D4110172400244AFEB21CF52CC48FABFBE8EF04320F04845AEA458B646C331A408CBB1

Function 049E0152 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32(?,00000E24,?,?), ref: 049E01CE

Memory Dump Source

Source File: 00000001.00000002.3739380110.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_49e0000_pisun.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: e35949b602026c0eedddea31609dbb5dd5acb83db1534ec690f82491e6059a71
Instruction ID: 66fc753c9b5c9908127251f52eef3d20cd9d5896d113f8b92728480489b65347
Opcode Fuzzy Hash: e35949b602026c0eedddea31609dbb5dd5acb83db1534ec690f82491e6059a71
Instruction Fuzzy Hash: 5011B6715093806FD311CB16CC55F26FFB4EF86610F09818BE8449B693D225B915C7A2

Function 00AEA2D2 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 00AEA330

Memory Dump Source

Source File: 00000001.00000002.3737861829.0000000000AEA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AEA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_aea000_pisun.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 0637d469cb8c3673870229e614d0341d673381dc60af1730cb72fb859846f264
Instruction ID: d563e05d65ef4bc6144718986441092443c824d301fc33e5659d2cc1227cae41
Opcode Fuzzy Hash: 0637d469cb8c3673870229e614d0341d673381dc60af1730cb72fb859846f264
Instruction Fuzzy Hash: 8E1191754093C4AFD7228B15DC54762BFA4EF56620F0880CAED848B263D265A809DB72

Function 049E0DB2 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 049E0DFA

Memory Dump Source

Source File: 00000001.00000002.3739380110.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_49e0000_pisun.jbxd

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c0454954b8e3ac0d603e74ae0161403ee55f8624d73a2fd1267cf6d2fb2db0f7
Instruction ID: aa952bc6b6f6091cc9828e59cfb707a148a2bbfd9899016238233068a1da3eba
Opcode Fuzzy Hash: c0454954b8e3ac0d603e74ae0161403ee55f8624d73a2fd1267cf6d2fb2db0f7
Instruction Fuzzy Hash: 1D1130756003058FDB61DF16D845766FBE8EF04620F08847ADD45CB746D675E444CB61

Function 00AEAEA3 Relevance: 1.6, APIs: 1, Instructions: 52comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 00AEAF04

Memory Dump Source

Source File: 00000001.00000002.3737861829.0000000000AEA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AEA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_aea000_pisun.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 6fc6819033caaaf947929e76246c3df9cd12130f5d35864754e09f3aa2ffa543
Instruction ID: 169ad4b3de26e773d27c8268d32d85fb6e852b03ad47454ed8a2209b00d6de36
Opcode Fuzzy Hash: 6fc6819033caaaf947929e76246c3df9cd12130f5d35864754e09f3aa2ffa543
Instruction Fuzzy Hash: 90119E714493C49FDB11CF15DC89B52BFB4EF06321F0884DAED888B293D276A809CB62

Function 00AEB83A Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E24,6DCD202F,00000000,00000000,00000000,00000000), ref: 00AEB88D

Memory Dump Source

Source File: 00000001.00000002.3737861829.0000000000AEA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AEA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_aea000_pisun.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 7a33e6331b409c20d0a8f27f579acdfa2cf5857563f7db1976fef969c07d279e
Instruction ID: 2b5afceee791426beacc0d5055246dc77fe9d8e7553e8692d8d45cff88697c3f
Opcode Fuzzy Hash: 7a33e6331b409c20d0a8f27f579acdfa2cf5857563f7db1976fef969c07d279e
Instruction Fuzzy Hash: 1601C075500244AEE720DB16DC89BABFBACDF04724F188096EE448B742D374A84CCAB6

Function 049E0CEA Relevance: 1.5, APIs: 1, Instructions: 49networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 049E0D36

Memory Dump Source

Source File: 00000001.00000002.3739380110.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_49e0000_pisun.jbxd

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: 9f938e8ddeff6809e7f460137e57ff254a66dd43adb3a00339272169ccb298c4
Instruction ID: fb4eb5d98f147767e09ef629413b35a852b28e91ad55674db6535ac119b99c88
Opcode Fuzzy Hash: 9f938e8ddeff6809e7f460137e57ff254a66dd43adb3a00339272169ccb298c4
Instruction Fuzzy Hash: 65117C71500704DFDB21CF56D844BA6FBE8EF08710F0888AAEE898B622D375F458DB61

Function 049E18D2 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNELBASE(?,00000E24,?,?), ref: 049E1922

Memory Dump Source

Source File: 00000001.00000002.3739380110.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_49e0000_pisun.jbxd

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: e4ee9ef63ab56bb23778951ebdf84824dc9168f032dddb10825bf3004b53275b
Instruction ID: 75e68a9591c6f8aa9c8d9e2fc167d575a6eec9c2d91668d5380741847cfcfbf7
Opcode Fuzzy Hash: e4ee9ef63ab56bb23778951ebdf84824dc9168f032dddb10825bf3004b53275b
Instruction Fuzzy Hash: 79015E71500204ABD350DF16DC46B66FBA8FB88A20F14855AED089BB42D731B915CBE5

Function 00AEAD2E Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00AEAD72

Memory Dump Source

Source File: 00000001.00000002.3737861829.0000000000AEA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AEA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_aea000_pisun.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a5b66ebd683e1b2c96ffb73d54495e605d154b23a7dbfd9d307995a8739b250f
Instruction ID: c1289ee1467416c4181d35303b9227ec57c096e591023d2de44a8574e8cda266
Opcode Fuzzy Hash: a5b66ebd683e1b2c96ffb73d54495e605d154b23a7dbfd9d307995a8739b250f
Instruction Fuzzy Hash: EA0179724002449FDB218F55DD84B66FBE4EF08320F08889AEE894AA52C236E419DB62

Function 00AEBCC6 Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 00AEBD16

Memory Dump Source

Source File: 00000001.00000002.3737861829.0000000000AEA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AEA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_aea000_pisun.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: dfa143976bdc33f9ca2bb7f3084e460d946ef441ff393e6565c1587c1dc6af7d
Instruction ID: 182ac17a71dd32de5268e13418d9c1088f84f19cf51cd97d81aa8554af5e4bdc
Opcode Fuzzy Hash: dfa143976bdc33f9ca2bb7f3084e460d946ef441ff393e6565c1587c1dc6af7d
Instruction Fuzzy Hash: C501A271500204ABD310DF16CC46B66FBE8FB88A20F14811AED089BB42D771F915CBE5

Function 049E017E Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32(?,00000E24,?,?), ref: 049E01CE

Memory Dump Source

Source File: 00000001.00000002.3739380110.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_49e0000_pisun.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: eb0fa8a74f7014ecef970f11038df133f33da2cb258450415604499d1da66e4e
Instruction ID: a8962359eeb639321383f13f24475e39f64f4d5c51e96b80b0aaac39ff5262f3
Opcode Fuzzy Hash: eb0fa8a74f7014ecef970f11038df133f33da2cb258450415604499d1da66e4e
Instruction Fuzzy Hash: 0101A271500200ABD310DF16CC46B66FBE8FB88A20F14815AED089BB41D731F915CBE5

Function 00AEAED2 Relevance: 1.5, APIs: 1, Instructions: 39comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 00AEAF04

Memory Dump Source

Source File: 00000001.00000002.3737861829.0000000000AEA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AEA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_aea000_pisun.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 1384db2033b98e5d84538c5887a079ce2de09d3b208082975378344a6909fb14
Instruction ID: 7e8e7713a907a5e1012969f5bf2e1690d6899389a079e843e87c64503147eaf1
Opcode Fuzzy Hash: 1384db2033b98e5d84538c5887a079ce2de09d3b208082975378344a6909fb14
Instruction Fuzzy Hash: 2B01A2B5504284DFDB10CF16D984765FBE4EF14320F08C4AADD498F746D375E448CA62

Function 00AEA2FE Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 00AEA330

Memory Dump Source

Source File: 00000001.00000002.3737861829.0000000000AEA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AEA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_aea000_pisun.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 5fb47e56c003e13f2e6feccfe595cc06d963dc4eb4f066e6edda5acdfc3d0fa3
Instruction ID: e921013e8a0c36a99254004eeb4d331d79cf18db36040ddd93fba2431224414a
Opcode Fuzzy Hash: 5fb47e56c003e13f2e6feccfe595cc06d963dc4eb4f066e6edda5acdfc3d0fa3
Instruction Fuzzy Hash: 73F08C79904684CFDB209F0AD988765FBE4EF14720F08C09ADE594F756D275A848CAA2

Function 00AEA710 Relevance: 1.3, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 00AEA780

Memory Dump Source

Source File: 00000001.00000002.3737861829.0000000000AEA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AEA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_aea000_pisun.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 79e684c352a17fa1c1c04d54c6061f67ec53fa082023560ef6e1fbc223f2255a
Instruction ID: 66748392a8322197b3e8126687128ea620d7f071ea219659931c0a2eb72be16f
Opcode Fuzzy Hash: 79e684c352a17fa1c1c04d54c6061f67ec53fa082023560ef6e1fbc223f2255a
Instruction Fuzzy Hash: 9821E7B55043809FD711CF25DC95752BFB8EF06324F0984DBED858B253D235A909CB62

Function 00AEA74E Relevance: 1.3, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 00AEA780

Memory Dump Source

Source File: 00000001.00000002.3737861829.0000000000AEA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AEA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_aea000_pisun.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 073d3c1a2548685e941582a224ef1e9ce0ba13ea919036562bfcfbbf771cd6d6
Instruction ID: e6c405e00e0ce335432914be41736e6784eecbfe583f30603da0b5c7a40d0ed2
Opcode Fuzzy Hash: 073d3c1a2548685e941582a224ef1e9ce0ba13ea919036562bfcfbbf771cd6d6
Instruction Fuzzy Hash: 9B018F75504244CFDB10CF16D9857A6FBE4EF14720F08C4ABED49CB756D275E848CAA2

Function 00D20814 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3738344628.0000000000D20000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_pisun.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d6f623fa29ac3a94fe2877a7b789933331992a76c3108699dd8a831a74dd709
Instruction ID: 86aeb9d0fe67eb18a0f52499d5c8c72b88b11d6643c1e3594b154bdad86a1d98
Opcode Fuzzy Hash: 4d6f623fa29ac3a94fe2877a7b789933331992a76c3108699dd8a831a74dd709
Instruction Fuzzy Hash: 0211E430208284DFC715EB10E540B26FFA5ABA870CF28C9ACE8490B753C737D807DAA1

Function 00D207ED Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3738344628.0000000000D20000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_pisun.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64afcac7d591dcf21d10bcaf45c8b3e0d5695bda4bfa98fbabb8423f14ee11b9
Instruction ID: 33a0c63e9973165f7657d54119f19f4e01f17578d3bcab3fed8cc0e6442c7fa7
Opcode Fuzzy Hash: 64afcac7d591dcf21d10bcaf45c8b3e0d5695bda4bfa98fbabb8423f14ee11b9
Instruction Fuzzy Hash: 34116D3010D3C4CFD712DB14D950B11BFA1AB56718F2986DED4884B6A3C33A9C16CBA2

Function 00D205E0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3738344628.0000000000D20000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_pisun.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f27c638625453601b2b4d8fe5df0824b5a550e029765d5eb9a6516039f6e2572
Instruction ID: 239bbfd0f4084e8a9b4ec7559b4dbe2865702df5b14222f27a246f906f1415ba
Opcode Fuzzy Hash: f27c638625453601b2b4d8fe5df0824b5a550e029765d5eb9a6516039f6e2572
Instruction Fuzzy Hash: 110186755093945FD7118F05EC41862FFA8EF8A660719849BFC898B613D225B849CBB2

Function 00D208D0 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3738344628.0000000000D20000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_pisun.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26a8e24a9f260a375dd5c471da3df068d5184580853e9502b8bd4008e6011b53
Instruction ID: 5b8829bd91ebcdc1fca137715c6f4a421b3e844c471753bf14e7186725da2b10
Opcode Fuzzy Hash: 26a8e24a9f260a375dd5c471da3df068d5184580853e9502b8bd4008e6011b53
Instruction Fuzzy Hash: 6EF01D35108644DFC705CF00D580B16FBA2EB99718F28CAADE94917B62C737E813DA91

Function 00D20606 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3738344628.0000000000D20000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_pisun.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40bdc72e290f002c0dc7ae45f4eb89e32329bf425ac78bfe0e4a98b628a98370
Instruction ID: f1caac81341cf9780ccadd5c43db2e105712f161be016665e66dfb878703ab70
Opcode Fuzzy Hash: 40bdc72e290f002c0dc7ae45f4eb89e32329bf425ac78bfe0e4a98b628a98370
Instruction Fuzzy Hash: 03E092B66006448B9650CF0AFC41462F7D8EB88630708C07FDC0D8B701E235B508CAA5

Function 00AE23F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3737830367.0000000000AE2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AE2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ae2000_pisun.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5dffa714d35efb6d425d1c84233b08a0fa0451a144acd7eb1d1f732ce8df9af
Instruction ID: 75b3925e5318e5c1fb7a3f1cbe31f2392f4328729de2fa8938e3299921fde90b
Opcode Fuzzy Hash: b5dffa714d35efb6d425d1c84233b08a0fa0451a144acd7eb1d1f732ce8df9af
Instruction Fuzzy Hash: 97D05E792456C14FD3169B1CD1A4B9A37D8AB51714F4A44F9A800CB7A7C768D981D700

Function 00AE23BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3737830367.0000000000AE2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AE2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ae2000_pisun.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7103a66687567d2b4c4e723ab8a771fb466db24ad99289ee48729c55f6b0f5a
Instruction ID: 812323758885dd48d2a3e830e011554334c7ef25b46ea7b832db9b07e5f6c7cd
Opcode Fuzzy Hash: e7103a66687567d2b4c4e723ab8a771fb466db24ad99289ee48729c55f6b0f5a
Instruction Fuzzy Hash: B5D05E342002C24BD716DB0DD2E4F5937D8AB40714F1A44E8AC108F762C7A8D8C0DF00

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report pisun.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Njrat

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Windows Analysis Report
pisun.exe

Function 00CC1550 Relevance: 1.6, APIs: 1, Instructions: 116
COMMON