Edit tour

Windows Analysis Report
Payload.exe

Overview

General Information

Sample name:	Payload.exe
Analysis ID:	1646197
MD5:	e3250ba3e962ddf90560e00c92659cf9
SHA1:	f6904cfed503a1009923141b3028875bab2aa08c
SHA256:	92123431a5d7c000dfa423656179055bc8b3e4c96ed94b90cd334b2feb8818b6
Tags:	exeuser-BastianHein
Infos:

Detection

Njrat

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Njrat

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Contains functionality to log keystrokes (.Net Source)

Disables zone checking for all users

Joe Sandbox ML detected suspicious sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Yara signature match

Classification

Process Tree

System is w10x64

Payload.exe (PID: 2660 cmdline: "C:\Users\user\Desktop\Payload.exe" MD5: E3250BA3E962DDF90560E00C92659CF9)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
NjRAT	RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives."It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.	AQUATIC PANDA Earth Lusca Operation C-Major The Gorgon Group	http://blog.trendmicro.com/trendlabs-security-intelligence/new-rats-emerge-from-leaked-njw0rm-source-code/ http://blogs.360.cn/post/analysis-of-apt-c-37.html http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered-1.pdf https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/ https://asec.ahnlab.com/1369	https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat

Malware Configuration

Threatname: Njrat

{
  "Host": "size-ingredients.gl.at.ply.gg",
  "Port": "5407",
  "Version": "<- NjRAT 0.7d Horror Edition ->",
  "Registry Name": "a1cb840a8f8b330a9629751db128f43f",
  "Campaign ID": "Victim",
  "Network Seprator": "Y262SUCZ4UJJ"
}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Payload.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Payload.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x933c:$a1: get_Registry 0xc34c:$a2: SEE_MASK_NOZONECHECKS 0xb156:$a3: Download ERROR 0xc5a7:$a4: cmd.exe /c ping 0 -n 2 & del "
Payload.exe	RevengeRAT_Sep17	Detects RevengeRAT malware	Florian Roth	0xa4d5:$x3: 03C7F4E8FB359AEC0EEF0814B66A704FC43FB3A8
Payload.exe	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xc5a7:$x1: cmd.exe /c ping 0 -n 2 & del " 0xafb6:$s1: winmgmts:\\.\root\SecurityCenter2 0xb17c:$s3: Executed As 0x9b5f:$s5: Stub.exe 0xb156:$s6: Download ERROR 0xaf78:$s8: Select * From AntiVirusProduct
Payload.exe	Unknown_Malware_Sample_Jul17_2	Detects unknown malware sample with pastebin RAW URL	Florian Roth	0xcadd:$s1: 4System.Web.Services.Protocols.SoapHttpClientProtocol 0xadc4:$s2: https://pastebin.com/raw/ 0xce27:$s3: My.Computer 0xcab7:$s4: MyTemplate
Payload.exe	crimeware_njrat_strings	Detects njRAT based on some strings	Sekoia.io	0xc5bd:$: ping 0 0xa8f6:$: TiGeR-Firewall 0xa938:$: NetSnifferCs 0xa8e2:$: IPBlocker 0xa952:$: Sandboxie Control
Payload.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xc34c:$a2: SEE_MASK_NOZONECHECKS 0xc62f:$b1: [TAP] 0xc5a7:$c3: cmd.exe /c ping
Payload.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xc34c:$reg: SEE_MASK_NOZONECHECKS 0xb132:$msg: Execute ERROR 0xb196:$msg: Execute ERROR 0xc5a7:$ping: cmd.exe /c ping 0 -n 2 & del
Payload.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xc5a7:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb132:$s4: Execute ERROR 0xb196:$s4: Execute ERROR 0xb156:$s5: Download ERROR 0xc5e5:$s6: [kl]
Click to see the 4 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.898870038.0000000000352000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000000.00000000.898870038.0000000000352000.00000002.00000001.01000000.00000003.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x913c:$a1: get_Registry 0xc14c:$a2: SEE_MASK_NOZONECHECKS 0xaf56:$a3: Download ERROR 0xc3a7:$a4: cmd.exe /c ping 0 -n 2 & del "
00000000.00000000.898870038.0000000000352000.00000002.00000001.01000000.00000003.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xc14c:$a2: SEE_MASK_NOZONECHECKS 0xc42f:$b1: [TAP] 0xc3a7:$c3: cmd.exe /c ping
00000000.00000000.898870038.0000000000352000.00000002.00000001.01000000.00000003.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xc14c:$reg: SEE_MASK_NOZONECHECKS 0xaf32:$msg: Execute ERROR 0xaf96:$msg: Execute ERROR 0xc3a7:$ping: cmd.exe /c ping 0 -n 2 & del
Process Memory Space: Payload.exe PID: 2660	JoeSecurity_Njrat	Yara detected Njrat	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.Payload.exe.350000.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0.0.Payload.exe.350000.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x933c:$a1: get_Registry 0xc34c:$a2: SEE_MASK_NOZONECHECKS 0xb156:$a3: Download ERROR 0xc5a7:$a4: cmd.exe /c ping 0 -n 2 & del "
0.0.Payload.exe.350000.0.unpack	RevengeRAT_Sep17	Detects RevengeRAT malware	Florian Roth	0xa4d5:$x3: 03C7F4E8FB359AEC0EEF0814B66A704FC43FB3A8
0.0.Payload.exe.350000.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xc5a7:$x1: cmd.exe /c ping 0 -n 2 & del " 0xafb6:$s1: winmgmts:\\.\root\SecurityCenter2 0xb17c:$s3: Executed As 0x9b5f:$s5: Stub.exe 0xb156:$s6: Download ERROR 0xaf78:$s8: Select * From AntiVirusProduct
0.0.Payload.exe.350000.0.unpack	Unknown_Malware_Sample_Jul17_2	Detects unknown malware sample with pastebin RAW URL	Florian Roth	0xcadd:$s1: 4System.Web.Services.Protocols.SoapHttpClientProtocol 0xadc4:$s2: https://pastebin.com/raw/ 0xce27:$s3: My.Computer 0xcab7:$s4: MyTemplate
0.0.Payload.exe.350000.0.unpack	crimeware_njrat_strings	Detects njRAT based on some strings	Sekoia.io	0xc5bd:$: ping 0 0xa8f6:$: TiGeR-Firewall 0xa938:$: NetSnifferCs 0xa8e2:$: IPBlocker 0xa952:$: Sandboxie Control
0.0.Payload.exe.350000.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xc34c:$a2: SEE_MASK_NOZONECHECKS 0xc62f:$b1: [TAP] 0xc5a7:$c3: cmd.exe /c ping
0.0.Payload.exe.350000.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xc34c:$reg: SEE_MASK_NOZONECHECKS 0xb132:$msg: Execute ERROR 0xb196:$msg: Execute ERROR 0xc5a7:$ping: cmd.exe /c ping 0 -n 2 & del
0.0.Payload.exe.350000.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xc5a7:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb132:$s4: Execute ERROR 0xb196:$s4: Execute ERROR 0xb156:$s5: Download ERROR 0xc5e5:$s6: [kl]
Click to see the 4 entries

Joe Sandbox Signatures

• AV Detection
• Compliance
• Networking
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• E-Banking Fraud
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection
• Lowering of HIPS / PFW / Operating System Security Settings
• Stealing of Sensitive Information
• Remote Access Functionality

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Payload.exe

Avira: detected

Found malware configuration

Source: 0.0.Payload.exe.350000.0.unpack

Malware Configuration Extractor: Njrat {"Host": "size-ingredients.gl.at.ply.gg", "Port": "5407", "Version": "<- NjRAT 0.7d Horror Edition ->", "Registry Name": "a1cb840a8f8b330a9629751db128f43f", "Campaign ID": "Victim", "Network Seprator": "Y262SUCZ4UJJ"}

Multi AV Scanner detection for submitted file

Source: Payload.exe	Virustotal: Detection: 80%			Perma Link
Source: Payload.exe	ReversingLabs: Detection: 86%

Yara detected Njrat

Source: Yara match	File source: Payload.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Payload.exe.350000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.898870038.0000000000352000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Payload.exe PID: 2660, type: MEMORYSTR

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: Payload.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\Payload.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: Payload.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: global traffic

TCP traffic: 192.168.2.9:49683 -> 147.185.221.27:5407

Source: Joe Sandbox View

IP Address: 147.185.221.27 147.185.221.27

Source: Joe Sandbox View

ASN Name: SALSGIVERUS SALSGIVERUS

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: size-ingredients.gl.at.ply.gg

Source: Payload.exe

String found in binary or memory: https://pastebin.com/raw/???

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: Payload.exe, kl.cs

.Net Code: VKCodeToUnicode

E-Banking Fraud

Yara detected Njrat

Source: Yara match	File source: Payload.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Payload.exe.350000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.898870038.0000000000352000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Payload.exe PID: 2660, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: Payload.exe, type: SAMPLE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: Payload.exe, type: SAMPLE	Matched rule: Detects RevengeRAT malware Author: Florian Roth
Source: Payload.exe, type: SAMPLE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: Payload.exe, type: SAMPLE	Matched rule: Detects unknown malware sample with pastebin RAW URL Author: Florian Roth
Source: Payload.exe, type: SAMPLE	Matched rule: Detects njRAT based on some strings Author: Sekoia.io
Source: Payload.exe, type: SAMPLE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: Payload.exe, type: SAMPLE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: Payload.exe, type: SAMPLE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.0.Payload.exe.350000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.0.Payload.exe.350000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RevengeRAT malware Author: Florian Roth
Source: 0.0.Payload.exe.350000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.0.Payload.exe.350000.0.unpack, type: UNPACKEDPE	Matched rule: Detects unknown malware sample with pastebin RAW URL Author: Florian Roth
Source: 0.0.Payload.exe.350000.0.unpack, type: UNPACKEDPE	Matched rule: Detects njRAT based on some strings Author: Sekoia.io
Source: 0.0.Payload.exe.350000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.0.Payload.exe.350000.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.Payload.exe.350000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 00000000.00000000.898870038.0000000000352000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000000.00000000.898870038.0000000000352000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000000.00000000.898870038.0000000000352000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group

Source: C:\Users\user\Desktop\Payload.exe	Code function: 0_2_04B20360	0_2_04B20360
Source: C:\Users\user\Desktop\Payload.exe	Code function: 0_2_04B20D70	0_2_04B20D70
Source: C:\Users\user\Desktop\Payload.exe	Code function: 0_2_04B20D23	0_2_04B20D23

Source: Payload.exe, 00000000.00000002.3361415208.00000000008FE000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenamemscorwks.dllT vs Payload.exe

Source: Payload.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Payload.exe, type: SAMPLE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: Payload.exe, type: SAMPLE	Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Payload.exe, type: SAMPLE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Payload.exe, type: SAMPLE	Matched rule: Unknown_Malware_Sample_Jul17_2 date = 2017-08-01, hash1 = 3530d480db082af1823a7eb236203aca24dc3685f08c301466909f0794508a52, author = Florian Roth, description = Detects unknown malware sample with pastebin RAW URL, reference = https://goo.gl/iqH8CK, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Payload.exe, type: SAMPLE	Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
Source: Payload.exe, type: SAMPLE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: Payload.exe, type: SAMPLE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: Payload.exe, type: SAMPLE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.0.Payload.exe.350000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.0.Payload.exe.350000.0.unpack, type: UNPACKEDPE	Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.Payload.exe.350000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.Payload.exe.350000.0.unpack, type: UNPACKEDPE	Matched rule: Unknown_Malware_Sample_Jul17_2 date = 2017-08-01, hash1 = 3530d480db082af1823a7eb236203aca24dc3685f08c301466909f0794508a52, author = Florian Roth, description = Detects unknown malware sample with pastebin RAW URL, reference = https://goo.gl/iqH8CK, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.Payload.exe.350000.0.unpack, type: UNPACKEDPE	Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
Source: 0.0.Payload.exe.350000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.0.Payload.exe.350000.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.0.Payload.exe.350000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 00000000.00000000.898870038.0000000000352000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000000.00000000.898870038.0000000000352000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000000.00000000.898870038.0000000000352000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan

Source: classification engine

Classification label: mal100.phis.troj.spyw.evad.winEXE@1/0@1/1

Source: C:\Users\user\Desktop\Payload.exe	Code function: 0_2_04D20F32 AdjustTokenPrivileges,		0_2_04D20F32
Source: C:\Users\user\Desktop\Payload.exe	Code function: 0_2_04D20EFB AdjustTokenPrivileges,		0_2_04D20EFB

Source: C:\Users\user\Desktop\Payload.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\Payload.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\Desktop\Payload.exe	Mutant created: \Sessions\1\BaseNamedObjects\a1cb840a8f8b330a9629751db128f43f

Source: Payload.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Payload.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\Payload.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Payload.exe	Virustotal: Detection: 80%
Source: Payload.exe	ReversingLabs: Detection: 86%

Source: C:\Users\user\Desktop\Payload.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Users\user\Desktop\Payload.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: Payload.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: C:\Users\user\Desktop\Payload.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: Payload.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: Payload.exe, OK.cs

.Net Code: Plugin System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\Payload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Payload.exe	Binary or memory string: WIRESHARK.EXE9HTTPS://PASTEBIN.COM/RAW/???NULL
Source: Payload.exe, 00000000.00000002.3362364190.00000000029C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WIRESHARK.EXE

Source: C:\Users\user\Desktop\Payload.exe	Memory allocated: D10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Memory allocated: 29C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Memory allocated: D10000 memory commit \| memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Payload.exe	Window / User API: threadDelayed 3696	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Window / User API: threadDelayed 5570	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Window / User API: foregroundWindowGot 1765	Jump to behavior

Source: C:\Users\user\Desktop\Payload.exe TID: 6164	Thread sleep count: 254 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe TID: 6164	Thread sleep time: -254000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe TID: 6340	Thread sleep count: 3696 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe TID: 6164	Thread sleep count: 5570 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe TID: 6164	Thread sleep time: -5570000s >= -30000s	Jump to behavior

Source: Payload.exe	Binary or memory string: VBoxService%\\.\PhysicalDrive0
Source: Payload.exe, 00000000.00000002.3361415208.000000000095E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW>
Source: Payload.exe, 00000000.00000002.3361415208.000000000095E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Payload.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Payload.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: Payload.exe, kl.cs	Reference to suspicious API methods: MapVirtualKey(a, 0u)
Source: Payload.exe, kl.cs	Reference to suspicious API methods: GetAsyncKeyState(num2)
Source: Payload.exe, OK.cs	Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)

Source: Payload.exe	Binary or memory string: Program Manager
Source: Payload.exe	Binary or memory string: Progman
Source: Payload.exe	Binary or memory string: Shell_TrayWnd+set CDAudio door open/set CDAudio door closed
Source: Payload.exe, 00000000.00000002.3362364190.0000000002A7D000.00000004.00000800.00020000.00000000.sdmp, Payload.exe, 00000000.00000002.3362364190.0000000002BB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager@9

Source: C:\Users\user\Desktop\Payload.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Disables zone checking for all users

Source: C:\Users\user\Desktop\Payload.exe

Registry value created: HKEY_CURRENT_USER\Environment SEE_MASK_NOZONECHECKS

Jump to behavior

Source: Payload.exe, 00000000.00000002.3362364190.00000000029C1000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: Wireshark.exe

Stealing of Sensitive Information

Yara detected Njrat

Source: Yara match	File source: Payload.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Payload.exe.350000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.898870038.0000000000352000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Payload.exe PID: 2660, type: MEMORYSTR

Remote Access Functionality

Yara detected Njrat

Source: Yara match	File source: Payload.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Payload.exe.350000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.898870038.0000000000352000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Payload.exe PID: 2660, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Access Token Manipulation	2 Virtualization/Sandbox Evasion	1 Input Capture	111 Security Software Discovery	Remote Services	1 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Process Injection	11 Disable or Modify Tools	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Access Token Manipulation	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	2 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

No bigger version

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Payload.exe	80%	Virustotal		Browse
Payload.exe	86%	ReversingLabs	ByteCode-MSIL.Backdoor.njRAT
Payload.exe	100%	Avira	TR/Dropper.Gen7

Name	IP	Active	Malicious	Antivirus Detection	Reputation
size-ingredients.gl.at.ply.gg	147.185.221.27	true	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://pastebin.com/raw/???	Payload.exe	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
147.185.221.27	size-ingredients.gl.at.ply.gg	United States		12087	SALSGIVERUS	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1646197
Start date and time:	2025-03-23 16:17:16 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 18s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Payload.exe
Detection:	MAL
Classification:	mal100.phis.troj.spyw.evad.winEXE@1/0@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 67 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.109.210.53, 23.204.23.20, 2.23.227.208
Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:18:56	API Interceptor	1077269x Sleep call for process: Payload.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
147.185.221.27	pisun.exe	Get hash	malicious	Njrat	Browse
	XClient.exe	Get hash	malicious	XWorm	Browse
	Server.exe.bin.exe	Get hash	malicious	Njrat	Browse
	RobloxInstaller.exe	Get hash	malicious	Unknown	Browse
	tsetup-x64.5.9.0.exe	Get hash	malicious	RDPWrap Tool	Browse
	123123.exe.bin.exe	Get hash	malicious	Njrat	Browse
	Payload.exe.bin.exe	Get hash	malicious	Njrat	Browse
	Payload1234.exe.bin.exe	Get hash	malicious	Njrat	Browse
	remover.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
size-ingredients.gl.at.ply.gg	123123.exe.bin.exe	Get hash	malicious	Njrat	Browse	147.185.221.27
size-ingredients.gl.at.ply.gg	Payload.exe.bin.exe	Get hash	malicious	Njrat	Browse	147.185.221.27

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SALSGIVERUS	pisun.exe	Get hash	malicious	Njrat	Browse	147.185.221.27
	XClient.exe	Get hash	malicious	XWorm	Browse	147.185.221.27
	winupdate.scr.exe	Get hash	malicious	Unknown	Browse	147.185.221.26
	Bootstrapper.exe	Get hash	malicious	XWorm	Browse	147.185.221.26
	Microsoft Word Host.exe	Get hash	malicious	SheetRat	Browse	147.185.221.26
	Client.exe.bin.exe	Get hash	malicious	SheetRat	Browse	147.185.221.26
	Server.exe.bin.exe	Get hash	malicious	Njrat	Browse	147.185.221.27
	8M42o4UI1xlnUeX.exe	Get hash	malicious	PureLog Stealer, XWorm	Browse	147.185.221.26
	RobloxInstaller.exe	Get hash	malicious	Unknown	Browse	147.185.221.27
	tsetup-x64.5.9.0.exe	Get hash	malicious	RDPWrap Tool	Browse	147.185.221.27

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.617457264202004
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	Payload.exe
File size:	55'808 bytes
MD5:	e3250ba3e962ddf90560e00c92659cf9
SHA1:	f6904cfed503a1009923141b3028875bab2aa08c
SHA256:	92123431a5d7c000dfa423656179055bc8b3e4c96ed94b90cd334b2feb8818b6
SHA512:	8e78bf75eec8fc294fc11e5fc6eb69230b7e6d9a8676944cf9b1fe581b6f1fc5d931fd3efedd6ffe63b396ee69de34e18c07501fb7f3b2c8df3a5993c9eafd5d
SSDEEP:	768:CkoLg652Eslt/aNxND3O4JSNjxWQG35bmaePD5Pv+2XXJdxIEpm7g:CkSVGtiNjDTGdWQcGDxX3xIEpm7g
TLSH:	DE432944BBE68A05E2BD8F3468F665150B34AA23E632DB1F8CD558DB13327C68C44FE5
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....2.g............................>.... ........@.. .......................@............@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x40f03e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x67DC32E8 [Thu Mar 20 15:23:20 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xeff0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x10000	0x240	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x12000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xd044	0xd200	94112bf1b23749053389cd3436bae813	False	0.4519903273809524	data	5.638167311235547	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x10000	0x240	0x400	0da1702fee35fb285b88cc25720ab75a	False	0.310546875	data	4.964962934397579	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x12000	0xc	0x200	a44a373176d72c27a795808f061fdec2	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x10058	0x1e7	XML 1.0 document, ASCII text, with CRLF line terminators			0.5338809034907598

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Download Network PCAP: filtered – full

Network Port Distribution

Total Packets: 55
• 5407 undefined
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 23, 2025 16:18:27.231443882 CET	49683	5407	192.168.2.9	147.185.221.27
Mar 23, 2025 16:18:28.236660004 CET	49683	5407	192.168.2.9	147.185.221.27
Mar 23, 2025 16:18:30.252402067 CET	49683	5407	192.168.2.9	147.185.221.27
Mar 23, 2025 16:18:34.252348900 CET	49683	5407	192.168.2.9	147.185.221.27
Mar 23, 2025 16:18:42.252397060 CET	49683	5407	192.168.2.9	147.185.221.27
Mar 23, 2025 16:18:50.342982054 CET	49691	5407	192.168.2.9	147.185.221.27
Mar 23, 2025 16:18:51.346162081 CET	49691	5407	192.168.2.9	147.185.221.27
Mar 23, 2025 16:18:53.369100094 CET	49691	5407	192.168.2.9	147.185.221.27
Mar 23, 2025 16:18:57.377439976 CET	49691	5407	192.168.2.9	147.185.221.27
Mar 23, 2025 16:19:05.377597094 CET	49691	5407	192.168.2.9	147.185.221.27
Mar 23, 2025 16:19:13.410804987 CET	49696	5407	192.168.2.9	147.185.221.27
Mar 23, 2025 16:19:14.424447060 CET	49696	5407	192.168.2.9	147.185.221.27
Mar 23, 2025 16:19:16.424462080 CET	49696	5407	192.168.2.9	147.185.221.27
Mar 23, 2025 16:19:20.424493074 CET	49696	5407	192.168.2.9	147.185.221.27
Mar 23, 2025 16:19:28.440207005 CET	49696	5407	192.168.2.9	147.185.221.27
Mar 23, 2025 16:19:36.473608017 CET	49697	5407	192.168.2.9	147.185.221.27
Mar 23, 2025 16:19:37.502762079 CET	49697	5407	192.168.2.9	147.185.221.27
Mar 23, 2025 16:19:39.518446922 CET	49697	5407	192.168.2.9	147.185.221.27
Mar 23, 2025 16:19:43.534243107 CET	49697	5407	192.168.2.9	147.185.221.27
Mar 23, 2025 16:19:51.549840927 CET	49697	5407	192.168.2.9	147.185.221.27
Mar 23, 2025 16:19:59.598352909 CET	49698	5407	192.168.2.9	147.185.221.27
Mar 23, 2025 16:20:00.690345049 CET	49698	5407	192.168.2.9	147.185.221.27
Mar 23, 2025 16:20:02.690352917 CET	49698	5407	192.168.2.9	147.185.221.27
Mar 23, 2025 16:20:06.784116030 CET	49698	5407	192.168.2.9	147.185.221.27
Mar 23, 2025 16:20:14.785693884 CET	49698	5407	192.168.2.9	147.185.221.27
Mar 23, 2025 16:20:22.912817955 CET	49699	5407	192.168.2.9	147.185.221.27
Mar 23, 2025 16:20:24.065553904 CET	49699	5407	192.168.2.9	147.185.221.27
Mar 23, 2025 16:20:26.159224987 CET	49699	5407	192.168.2.9	147.185.221.27
Mar 23, 2025 16:20:30.253002882 CET	49699	5407	192.168.2.9	147.185.221.27
Mar 23, 2025 16:20:38.253015041 CET	49699	5407	192.168.2.9	147.185.221.27
Mar 23, 2025 16:20:46.270284891 CET	49700	5407	192.168.2.9	147.185.221.27
Mar 23, 2025 16:20:47.284344912 CET	49700	5407	192.168.2.9	147.185.221.27
Mar 23, 2025 16:20:49.284327030 CET	49700	5407	192.168.2.9	147.185.221.27
Mar 23, 2025 16:20:53.299974918 CET	49700	5407	192.168.2.9	147.185.221.27
Mar 23, 2025 16:21:01.315648079 CET	49700	5407	192.168.2.9	147.185.221.27
Mar 23, 2025 16:21:09.384160042 CET	49701	5407	192.168.2.9	147.185.221.27
Mar 23, 2025 16:21:10.456304073 CET	49701	5407	192.168.2.9	147.185.221.27
Mar 23, 2025 16:21:12.456350088 CET	49701	5407	192.168.2.9	147.185.221.27
Mar 23, 2025 16:21:16.550090075 CET	49701	5407	192.168.2.9	147.185.221.27
Mar 23, 2025 16:21:24.643882036 CET	49701	5407	192.168.2.9	147.185.221.27
Mar 23, 2025 16:21:32.661251068 CET	49702	5407	192.168.2.9	147.185.221.27
Mar 23, 2025 16:21:33.753319979 CET	49702	5407	192.168.2.9	147.185.221.27
Mar 23, 2025 16:21:35.753312111 CET	49702	5407	192.168.2.9	147.185.221.27
Mar 23, 2025 16:21:39.847100019 CET	49702	5407	192.168.2.9	147.185.221.27
Mar 23, 2025 16:21:47.956491947 CET	49702	5407	192.168.2.9	147.185.221.27
Mar 23, 2025 16:21:55.974251032 CET	49703	5407	192.168.2.9	147.185.221.27
Mar 23, 2025 16:21:57.065920115 CET	49703	5407	192.168.2.9	147.185.221.27
Mar 23, 2025 16:21:59.065917015 CET	49703	5407	192.168.2.9	147.185.221.27
Mar 23, 2025 16:22:03.065941095 CET	49703	5407	192.168.2.9	147.185.221.27
Mar 23, 2025 16:22:11.065970898 CET	49703	5407	192.168.2.9	147.185.221.27
Mar 23, 2025 16:22:19.083786964 CET	49705	5407	192.168.2.9	147.185.221.27
Mar 23, 2025 16:22:20.253566980 CET	49705	5407	192.168.2.9	147.185.221.27
Mar 23, 2025 16:22:22.253546953 CET	49705	5407	192.168.2.9	147.185.221.27
Mar 23, 2025 16:22:26.253586054 CET	49705	5407	192.168.2.9	147.185.221.27

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 23, 2025 16:18:27.047147989 CET	49534	53	192.168.2.9	1.1.1.1
Mar 23, 2025 16:18:27.227035046 CET	53	49534	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 23, 2025 16:18:27.047147989 CET	192.168.2.9	1.1.1.1	0xe88f	Standard query (0)	size-ingredients.gl.at.ply.gg	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 23, 2025 16:18:27.227035046 CET	1.1.1.1	192.168.2.9	0xe88f	No error (0)	size-ingredients.gl.at.ply.gg		147.185.221.27	A (IP address)	IN (0x0001)	false

Statistics

CPU Usage

• Payload.exe

Click to jump to process

Memory Usage

• Payload.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry
• Network

Click to dive into process behavior distribution

Target ID:	0
Start time:	11:18:16
Start date:	23/03/2025
Path:	C:\Users\user\Desktop\Payload.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Payload.exe"
Imagebase:	0x350000
File size:	55'808 bytes
MD5 hash:	E3250BA3E962DDF90560E00C92659CF9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000000.898870038.0000000000352000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000000.00000000.898870038.0000000000352000.00000002.00000001.01000000.00000003.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000000.00000000.898870038.0000000000352000.00000002.00000001.01000000.00000003.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000000.00000000.898870038.0000000000352000.00000002.00000001.01000000.00000003.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	16.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	5.4%
Total number of Nodes:	111
Total number of Limit Nodes:	4

Executed Functions

Function 04D20EFB Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 04D20F7B

Memory Dump Source

Source File: 00000000.00000002.3363536566.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d20000_Payload.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 3a6c2568e8d099842fdd28e1e4b26be5382e97dfbe0a06a6ebcbff55491bb491
Instruction ID: 3e62010240239350801a867a7478c4db15f78c109a66345c30bd643ee756d570
Opcode Fuzzy Hash: 3a6c2568e8d099842fdd28e1e4b26be5382e97dfbe0a06a6ebcbff55491bb491
Instruction Fuzzy Hash: 51219F755097809FDB138F25DC44B52BFB4FF16314F0984DAEA858B163D271A908DB62

Function 04D20F32 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 04D20F7B

Memory Dump Source

Source File: 00000000.00000002.3363536566.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d20000_Payload.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 72549f7e7d0248558810b7e87f456308bc85180facc3addfd4fc2fe9d948e683
Instruction ID: 7e0074b6b77a400246bea32cae36a9d3c8de467502cbf4a8974a993e885391c2
Opcode Fuzzy Hash: 72549f7e7d0248558810b7e87f456308bc85180facc3addfd4fc2fe9d948e683
Instruction Fuzzy Hash: 2B11A0715043009FDB21CF55D984B66FBE4FF08224F08C4AAEE458B652D371E414DFA2

Function 04B20360 Relevance: .9, Instructions: 928COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3363349465.0000000004B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b20000_Payload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3d089a44b90ec26bca2c66e36a9ce833758296af347d2dbf06dc998e604f3cb
Instruction ID: 4436b71906cf16b27eb9af00dfed3effc16ab4a3cb47cd6336621a6c2f2ab47e
Opcode Fuzzy Hash: b3d089a44b90ec26bca2c66e36a9ce833758296af347d2dbf06dc998e604f3cb
Instruction Fuzzy Hash: 58923734A14218CFDB18EF74D990BAD77B2EB88308F5084A9D50AAB795DF31AD85CF50

Function 04B20D23 Relevance: .4, Instructions: 361COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3363349465.0000000004B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b20000_Payload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29335f2efdcf62a879c1523e570daf16524ef0b21fc58a3eb4773dd9530402f5
Instruction ID: 763bdf0f2e6ff3bb916b75e6bf0bdaa46036c85b02f642b0b765db93a0456d2c
Opcode Fuzzy Hash: 29335f2efdcf62a879c1523e570daf16524ef0b21fc58a3eb4773dd9530402f5
Instruction Fuzzy Hash: 08F13934A142188FDB18EB74C990BAD77B2FB88308F5084A9D509AFB95DF71AD85CF50

Function 04B21550 Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 04B21577

Memory Dump Source

Source File: 00000000.00000002.3363349465.0000000004B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b20000_Payload.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 60c855d5e93be3ff8a3d29dda9ac2b0fc4ac270b4069fdd2b5a87765c356c7ff
Instruction ID: f46a4a5049ac916b7cbdf4913695be0731136e627ebd2d327d7eda77f4222773
Opcode Fuzzy Hash: 60c855d5e93be3ff8a3d29dda9ac2b0fc4ac270b4069fdd2b5a87765c356c7ff
Instruction Fuzzy Hash: 95417435B002148FCB04EF78C5946ADB7E2EF88219B1981A9D809DB759DB34AD85CBA1

Function 04B21541 Relevance: 1.6, APIs: 1, Instructions: 104
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 04B21577

Memory Dump Source

Source File: 00000000.00000002.3363349465.0000000004B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b20000_Payload.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 190b449ab249eaf8c3ed9a3414bf0b8911f536e4173d6409ff5b72be30402791
Instruction ID: 49eea8035706a1dca8447cf1a1c355e5d42e25322401f0eb64a439b5ab56c66b
Opcode Fuzzy Hash: 190b449ab249eaf8c3ed9a3414bf0b8911f536e4173d6409ff5b72be30402791
Instruction Fuzzy Hash: 48418035A00214CFCB04DF38C9856ADB7F2EF88344B1985A9D809DB399DB34ED85CBA0

Function 00B3B6E2 Relevance: 1.6, APIs: 1, Instructions: 103
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 00B3B7A1

Memory Dump Source

Source File: 00000000.00000002.3361782204.0000000000B3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b3a000_Payload.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 17fa68c2dba58298357c4a5c3e55ea97129a6d655f11343e260d4d2ed53f506c
Instruction ID: 34a00c59f8b9a16e68cbae310aa784e5c7d23df8f0c38e83b4bf51a07c7f4ded
Opcode Fuzzy Hash: 17fa68c2dba58298357c4a5c3e55ea97129a6d655f11343e260d4d2ed53f506c
Instruction Fuzzy Hash: 4F31A271508380AFE712CB65DC45F62BFF8EF46314F08449AE9858B252D375A809DB71

Function 04D21758 Relevance: 1.6, APIs: 1, Instructions: 100
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNELBASE(?,00000E24), ref: 04D21815

Memory Dump Source

Source File: 00000000.00000002.3363536566.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d20000_Payload.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: c8c24d538f4372a404fe3a511bc9d9b30a626df37bad9fabf864087e1bf921c7
Instruction ID: bd9e0c7777ac580308f3aa7753217ce4c0b91adc8165fbb38b5dc8aa81810103
Opcode Fuzzy Hash: c8c24d538f4372a404fe3a511bc9d9b30a626df37bad9fabf864087e1bf921c7
Instruction Fuzzy Hash: 6C318EB2504344AFEB218B65CC44F67FBFCEF49614F08855AEA89CB552D320E908CBB1

Function 00B3BC4F Relevance: 1.6, APIs: 1, Instructions: 98
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 00B3BD16

Memory Dump Source

Source File: 00000000.00000002.3361782204.0000000000B3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b3a000_Payload.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: fa555dbcdd9cf4c3ac6188a5218b71e0c2d33d1d8382f5ed5b70d8d1917a6a62
Instruction ID: e489edfd348adfbf40b5f69fddcb884c206229a4d27089611e3877f0126588e0
Opcode Fuzzy Hash: fa555dbcdd9cf4c3ac6188a5218b71e0c2d33d1d8382f5ed5b70d8d1917a6a62
Instruction Fuzzy Hash: 69317A7510E3C0AFD3138B258C65A21BFB4EF47610F0E85CBD9C48B6A3D6696809C7B2

Function 00B3A7C7 Relevance: 1.6, APIs: 1, Instructions: 95
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 00B3A879

Memory Dump Source

Source File: 00000000.00000002.3361782204.0000000000B3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b3a000_Payload.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 9024d3199a57599a30965c7d7c4c1903b75517614f558bd6c44ac708517e6a2d
Instruction ID: 4912a01afb685e4a6e2e89c5ddb510d3e368ecdd432362f6ba0ba03d2b8eca12
Opcode Fuzzy Hash: 9024d3199a57599a30965c7d7c4c1903b75517614f558bd6c44ac708517e6a2d
Instruction Fuzzy Hash: AB3181B24083846FE7228B55DC44FA7BFB8EF0A314F19449AE9858B193D364A909C7B1

Function 04D20AE8 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32(?,00000E24), ref: 04D20BAF

Memory Dump Source

Source File: 00000000.00000002.3363536566.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d20000_Payload.jbxd

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: 688476786c7a5bed47cc8682338744242636cc271f1df23e7ce6e948ac6a6569
Instruction ID: 9e6ee5b60c16e16a1001846608bc59317a537bf8fdf0110ecc69295f3c4a5b12
Opcode Fuzzy Hash: 688476786c7a5bed47cc8682338744242636cc271f1df23e7ce6e948ac6a6569
Instruction Fuzzy Hash: 0F31A4B1504344AFE721CB51DC44FA6FBBCEF08714F04489AFA489B192D375A908CB75

Function 04D2185D Relevance: 1.6, APIs: 1, Instructions: 92
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FormatMessageW.KERNELBASE(?,00000E24,?,?), ref: 04D21922

Memory Dump Source

Source File: 00000000.00000002.3363536566.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d20000_Payload.jbxd

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: 4c1fcab0118963a3464088a90a1b1a0cae5f4bc6995e4aa8bc1e181b7c19828a
Instruction ID: d7b2e32be7343b8e5f0ed443ed688a9213800ba07806a715a7f36976c255eb1c
Opcode Fuzzy Hash: 4c1fcab0118963a3464088a90a1b1a0cae5f4bc6995e4aa8bc1e181b7c19828a
Instruction Fuzzy Hash: BD318D7250D3C05FD7038B758C65A66BFB4EF47610F0E84CBD8848F5A3D624A909C7A2

Function 04D209E0 Relevance: 1.6, APIs: 1, Instructions: 90
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessTimes.KERNELBASE(?,00000E24,655B8F1F,00000000,00000000,00000000,00000000), ref: 04D20A7D

Memory Dump Source

Source File: 00000000.00000002.3363536566.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d20000_Payload.jbxd

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: c856ffe107fd3d9ee88f49d31ee3717b31bdc3e9cd2e66647e3a9d88a6813f04
Instruction ID: bd9301c017968eab1fe237a8c1d26ebdfc49985cc4e9c457ad97e6b6edecb922
Opcode Fuzzy Hash: c856ffe107fd3d9ee88f49d31ee3717b31bdc3e9cd2e66647e3a9d88a6813f04
Instruction Fuzzy Hash: F631D7724097806FD7128F61DC45B66FFB8EF06314F0984DAE9858F193D324A909CBB5

Function 04D202DC Relevance: 1.6, APIs: 1, Instructions: 89
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 04D20373

Memory Dump Source

Source File: 00000000.00000002.3363536566.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d20000_Payload.jbxd

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: 75a5ba875afdff9efff20cb88604073b1556b945db073189fe9401bd97f16ddc
Instruction ID: 1c632c49710930ad2ab6cff92f0681945dc48b181318c58f59ff57bf43658556
Opcode Fuzzy Hash: 75a5ba875afdff9efff20cb88604073b1556b945db073189fe9401bd97f16ddc
Instruction Fuzzy Hash: ED318F72508384AFEB228F65DC45F67BBB8EF05214F08849AEA44DB152D364A808CBB5

Function 00B3A612 Relevance: 1.6, APIs: 1, Instructions: 89
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 00B3A6B9

Memory Dump Source

Source File: 00000000.00000002.3361782204.0000000000B3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b3a000_Payload.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: fa3dc4e06fc5a9106f08fc909b9b077323e99793ccd94ac64941ef8d000b2b0f
Instruction ID: 16c11263772a2115893f543a3b12ff86be3b573bcbae04abf454f88972b6a287
Opcode Fuzzy Hash: fa3dc4e06fc5a9106f08fc909b9b077323e99793ccd94ac64941ef8d000b2b0f
Instruction Fuzzy Hash: F531A1B15093805FE712CB65CC85B66FFF8EF06310F1984DAE984CB292D374A809C762

Function 04D2177A Relevance: 1.6, APIs: 1, Instructions: 86
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNELBASE(?,00000E24), ref: 04D21815

Memory Dump Source

Source File: 00000000.00000002.3363536566.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d20000_Payload.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 79521941aacd9712c8987e56985f5a1587067e72087b62bb130f28e4e00c9d97
Instruction ID: c545667f21e54c7aa2c41034c2565358ceb9d61f5124ded39138df37d803248f
Opcode Fuzzy Hash: 79521941aacd9712c8987e56985f5a1587067e72087b62bb130f28e4e00c9d97
Instruction Fuzzy Hash: 05218D72504204AFEB219F55CD84F6BFBECEF08714F08855AEA49C7652E720F5088BB5

Function 00B3A8C1 Relevance: 1.6, APIs: 1, Instructions: 86
windowtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendMessageTimeoutA.USER32(?,00000E24), ref: 00B3A97D

Memory Dump Source

Source File: 00000000.00000002.3361782204.0000000000B3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b3a000_Payload.jbxd

Similarity

API ID: MessageSendTimeout
String ID:
API String ID: 1599653421-0
Opcode ID: 83bbe1408897171d4e99583fabd012bfcccb4f119098ca39c63f379c25a11039
Instruction ID: 909a530026e3a12df78c94022222bc804d0873dbad493d6b63b02e552ed0cbc4
Opcode Fuzzy Hash: 83bbe1408897171d4e99583fabd012bfcccb4f119098ca39c63f379c25a11039
Instruction Fuzzy Hash: 6531D671009780AFEB228F61CC45F62FFB8EF06314F18849EE9855B193D375A808CB65

Function 00B3A361 Relevance: 1.6, APIs: 1, Instructions: 85
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,655B8F1F,00000000,00000000,00000000,00000000), ref: 00B3A40C

Memory Dump Source

Source File: 00000000.00000002.3361782204.0000000000B3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b3a000_Payload.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 592cfc93d6c251a67601182f6ddc2c3094e4b939703b18b6e5460838d04c7241
Instruction ID: ba90fdcc696313d83f931264533d90a4e3704bb83116cdc11e2f78c0573de23c
Opcode Fuzzy Hash: 592cfc93d6c251a67601182f6ddc2c3094e4b939703b18b6e5460838d04c7241
Instruction Fuzzy Hash: EC316175509780AFE721CF15CC84F62FBF8EF05710F1984DAE9858B292D364E909CB66

Function 04D20B0A Relevance: 1.6, APIs: 1, Instructions: 84
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32(?,00000E24), ref: 04D20BAF

Memory Dump Source

Source File: 00000000.00000002.3363536566.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d20000_Payload.jbxd

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: c8e2762a36e74adf77f8c279398be96f844e2df1778c0ebc9cfa3ed8fe3ca63b
Instruction ID: 6b3f962037c9c8a150ff840d1c9270ff83d130507e305a286ed7297686ce8cca
Opcode Fuzzy Hash: c8e2762a36e74adf77f8c279398be96f844e2df1778c0ebc9cfa3ed8fe3ca63b
Instruction Fuzzy Hash: BC21D171104200AEEB319F54CD84FAAF7ACEF08718F14885AFB489A181D7B5B9088BB5

Function 00B3B7F8 Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E24,655B8F1F,00000000,00000000,00000000,00000000), ref: 00B3B88D

Memory Dump Source

Source File: 00000000.00000002.3361782204.0000000000B3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b3a000_Payload.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 6f45522662ea8729047a53229f1b34e7355b377b18ade888d2be77beca07fc65
Instruction ID: 4a99e143190be41547a8cd88ae653807b9b448bf18dc47023ec57c51ed7db129
Opcode Fuzzy Hash: 6f45522662ea8729047a53229f1b34e7355b377b18ade888d2be77beca07fc65
Instruction Fuzzy Hash: 93212B754093806FE7128B259C44BA2FFBCEF0A720F0980D6E9848B193D3646909C7B1

Function 04D2107D Relevance: 1.6, APIs: 1, Instructions: 79COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNELBASE(?,00000E24,655B8F1F,00000000,00000000,00000000,00000000), ref: 04D21104

Memory Dump Source

Source File: 00000000.00000002.3363536566.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d20000_Payload.jbxd

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: 14a971652bdb1d49f565badbeef3c8a821dfefab77bc5f38d4662c898ffc5166
Instruction ID: 62c3e488a02b683003b7bbdc0be5d1f4e9d17986b06f4001e0534a64101d4bac
Opcode Fuzzy Hash: 14a971652bdb1d49f565badbeef3c8a821dfefab77bc5f38d4662c898ffc5166
Instruction Fuzzy Hash: EE21C1715093806FE712CB64CC45FA6FFB8EF06214F0880DAE944DF193D264A908C7A5

Function 04D20492 Relevance: 1.6, APIs: 1, Instructions: 77fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 04D20526

Memory Dump Source

Source File: 00000000.00000002.3363536566.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d20000_Payload.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: fca9e2dc0593c572713ecb1b7b62468ed06f4e298d461ac02c1a161829a33e79
Instruction ID: 3bf271d7e15e69f6e0e684127301387ab86e06bcbe41d99b583466873b9eee40
Opcode Fuzzy Hash: fca9e2dc0593c572713ecb1b7b62468ed06f4e298d461ac02c1a161829a33e79
Instruction Fuzzy Hash: F6218671409384AFE722CF55DC45F66FFF8EF09214F04849EEA858B152D375A508CBA6

Function 00B3A462 Relevance: 1.6, APIs: 1, Instructions: 77registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E24,655B8F1F,00000000,00000000,00000000,00000000), ref: 00B3A4F8

Memory Dump Source

Source File: 00000000.00000002.3361782204.0000000000B3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b3a000_Payload.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: f1d33b8fc364b752ebcf453c05389f6405b5ef1b15b9469538369530071e5beb
Instruction ID: c174cabe2f5462fd0f778bf855e905376512e6ced154bded0ab2f15fe899aa55
Opcode Fuzzy Hash: f1d33b8fc364b752ebcf453c05389f6405b5ef1b15b9469538369530071e5beb
Instruction Fuzzy Hash: 672181725083806FD7228B55DC44F67FFF8EF4A610F18849AE9858B292D364E808C7B2

Function 00B3BD42 Relevance: 1.6, APIs: 1, Instructions: 77networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 00B3BDCE

Memory Dump Source

Source File: 00000000.00000002.3361782204.0000000000B3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b3a000_Payload.jbxd

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 4da0705cb5fef87c15a1f1a0b64f7d1aab9970ff6dfc4a56421e74995cae3db9
Instruction ID: 53986633bc6a53c4ed177d60c7cefeecbc8a31c259a090610c8e5395f9e418ed
Opcode Fuzzy Hash: 4da0705cb5fef87c15a1f1a0b64f7d1aab9970ff6dfc4a56421e74995cae3db9
Instruction Fuzzy Hash: 75218271409380AFD721CF55DC45F66FFF8EF09214F08889EEA858B552D375A818CB66

Function 04D20302 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 04D20373

Memory Dump Source

Source File: 00000000.00000002.3363536566.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d20000_Payload.jbxd

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: 190e9d6c25e08bfc1a7352be277eec07c27e58bc7f6826370b87ef0000bad417
Instruction ID: a0e8b7be8de00237b425d3c7c46f0fa1cd1d5c2fce00816cc6161c413752de5b
Opcode Fuzzy Hash: 190e9d6c25e08bfc1a7352be277eec07c27e58bc7f6826370b87ef0000bad417
Instruction Fuzzy Hash: 4F21C271504204AFEB219F65DC45F6BFBACEF04214F08845AEA45CB242D374E8048BB5

Function 00B3B722 Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 00B3B7A1

Memory Dump Source

Source File: 00000000.00000002.3361782204.0000000000B3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b3a000_Payload.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 04d3eef4fca8af86e94d85ab00b348f4441035e4ece26c02875e089203979a2a
Instruction ID: d4d390a5cdf56dccddf20159c8d7466e7fc93ff0e21fe401d30adac2e9384a8d
Opcode Fuzzy Hash: 04d3eef4fca8af86e94d85ab00b348f4441035e4ece26c02875e089203979a2a
Instruction Fuzzy Hash: FB21A171504240AFE720CF65DC85F66FBE8EF48310F188899EA458B651D371E804CBA2

Function 04D201F6 Relevance: 1.6, APIs: 1, Instructions: 75registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,655B8F1F,00000000,00000000,00000000,00000000), ref: 04D20288

Memory Dump Source

Source File: 00000000.00000002.3363536566.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d20000_Payload.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: ecf374404fa506f7534c48880b16197c08df193c5c192b6cc4a4c2ed4b8a14d8
Instruction ID: 7d0d5841627c74abc185dfc33b8e6bfc1d1f86586bceeb0750a1173ce6e57f8f
Opcode Fuzzy Hash: ecf374404fa506f7534c48880b16197c08df193c5c192b6cc4a4c2ed4b8a14d8
Instruction Fuzzy Hash: D7219D72508380AFD722CF55CC44F66FBF8EF49614F08849AEA458B292D364E948CBA5

Function 04D20D76 Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 04D20DFA

Memory Dump Source

Source File: 00000000.00000002.3363536566.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d20000_Payload.jbxd

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 4d72a5defe55ce4072f4a58676cc591a085c2a091bb2e0ec68d74d3d04631d1e
Instruction ID: b0cf583e7592257bd27bd19ee14f028143ab54f8b25506ea9980c1bb58ad09d6
Opcode Fuzzy Hash: 4d72a5defe55ce4072f4a58676cc591a085c2a091bb2e0ec68d74d3d04631d1e
Instruction Fuzzy Hash: 6A218E725093C05FDB128B25DC55BA2BFF8AF06214F0D84DAE985CB263D224E848CB61

Function 00B3A7FA Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 00B3A879

Memory Dump Source

Source File: 00000000.00000002.3361782204.0000000000B3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b3a000_Payload.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: b2a4b9443a57071eb81ac6acbb6778f693ffb91798c0a73963fd8fe2d5acbe1e
Instruction ID: a4cd39d2d7932df1a1c97f8de9ecab10ee83bb3797836bbe119485fe3fc45012
Opcode Fuzzy Hash: b2a4b9443a57071eb81ac6acbb6778f693ffb91798c0a73963fd8fe2d5acbe1e
Instruction Fuzzy Hash: 2021F671408204AFE7209F55CC84F6BFBFCEF08314F24845AEA4587652D770E8098BB6

Function 04D2124B Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetProcessWorkingSetSize.KERNEL32(?,00000E24,655B8F1F,00000000,00000000,00000000,00000000), ref: 04D212C7

Memory Dump Source

Source File: 00000000.00000002.3363536566.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d20000_Payload.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: e4e59a2908724e90fe376a42f1dcf87c41d57175831ce5e55ab92023efd945a2
Instruction ID: f7179c31af30760ce27ff1e039703b6869c49851649d99a6aa2a3599965b60d2
Opcode Fuzzy Hash: e4e59a2908724e90fe376a42f1dcf87c41d57175831ce5e55ab92023efd945a2
Instruction Fuzzy Hash: 3121D4715093806FDB22CF55CC48F6BFFB8EF45224F08849AE944CB192D374A808CBA5

Function 04D21167 Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

GetProcessWorkingSetSize.KERNEL32(?,00000E24,655B8F1F,00000000,00000000,00000000,00000000), ref: 04D211E3

Memory Dump Source

Source File: 00000000.00000002.3363536566.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d20000_Payload.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: e4e59a2908724e90fe376a42f1dcf87c41d57175831ce5e55ab92023efd945a2
Instruction ID: 02d7040a2628a8cdfa07fdba5d4785f5eaa4e24c62e8f02f8960a92991eb44bc
Opcode Fuzzy Hash: e4e59a2908724e90fe376a42f1dcf87c41d57175831ce5e55ab92023efd945a2
Instruction Fuzzy Hash: EF21D4715093806FD712CF55DC49F6AFFB8EF45214F0884AAF944CB192D374A904CBA5

Function 00B3A646 Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 00B3A6B9

Memory Dump Source

Source File: 00000000.00000002.3361782204.0000000000B3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b3a000_Payload.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 2aa07399f683b32489e341c14c9f704be0a0e4d5dfd0332bd6e6a53b292d149f
Instruction ID: 5be2d32fb16beec3d7ff75caa8365daa18f970d66e4bb2b5e987cba8429ae2f8
Opcode Fuzzy Hash: 2aa07399f683b32489e341c14c9f704be0a0e4d5dfd0332bd6e6a53b292d149f
Instruction Fuzzy Hash: 102195715042409FE710DF65DC85F66F7E8EF04314F2884A9E9498B641D775E805CA66

Function 00B3BADA Relevance: 1.6, APIs: 1, Instructions: 70fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,00000E24,655B8F1F,00000000,00000000,00000000,00000000), ref: 00B3BB59

Memory Dump Source

Source File: 00000000.00000002.3361782204.0000000000B3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b3a000_Payload.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 801b0a10dfde291cdf5ab05de14cfead501da176e9b6371a801ab0d2fed7894b
Instruction ID: a61d7f1121166bc30fe2caaa720b32ab9914453f316e0a1596dedd9522d46efa
Opcode Fuzzy Hash: 801b0a10dfde291cdf5ab05de14cfead501da176e9b6371a801ab0d2fed7894b
Instruction Fuzzy Hash: EA219271409380AFDB22CF55DC44F67FFB8EF49310F08849AEA458B156D364A808CBB5

Function 00B3A392 Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,655B8F1F,00000000,00000000,00000000,00000000), ref: 00B3A40C

Memory Dump Source

Source File: 00000000.00000002.3361782204.0000000000B3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b3a000_Payload.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 217773b711aed84ba88fbc3413179aba77fa34df34a6ade203db2b9778fe0940
Instruction ID: a5fe165b8b6b8fe1ce707ea21944b7468bfd938816f8e8834d00a9a050cd3b14
Opcode Fuzzy Hash: 217773b711aed84ba88fbc3413179aba77fa34df34a6ade203db2b9778fe0940
Instruction Fuzzy Hash: 4121A2755042049FE720CF15CC84F66F7ECEF08710F28849AEA85CB291D774E809CAB6

Function 04D204B2 Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 04D20526

Memory Dump Source

Source File: 00000000.00000002.3363536566.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d20000_Payload.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: b6a62b0a741ba1e6bcabafdd06576053b5a0c3b35a6bceaaf1590ca8e841b5e0
Instruction ID: b7f846d002452050e0be8aaae7172edbde2ff627bf621333cc0b920482833cc8
Opcode Fuzzy Hash: b6a62b0a741ba1e6bcabafdd06576053b5a0c3b35a6bceaaf1590ca8e841b5e0
Instruction Fuzzy Hash: 6521F371504200AFE721CF15DD48F66FBF8EF08224F048859EA498B251D375F408CBA6

Function 04D20CBA Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 04D20D36

Memory Dump Source

Source File: 00000000.00000002.3363536566.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d20000_Payload.jbxd

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: 1babb76f51413dcdc758672ef3c2e757c9e889f5daf301ee4326e491d7c58b2e
Instruction ID: fa0b49a39d4dc2c3ce313b46c46dbab52b0cbb42ed5251acb13b275bd82f142a
Opcode Fuzzy Hash: 1babb76f51413dcdc758672ef3c2e757c9e889f5daf301ee4326e491d7c58b2e
Instruction Fuzzy Hash: 82219F71409380AFDB228F51DC44B62FFF4EF0A310F0884DAEA858B663D375A818DB61

Function 00B3BD62 Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 00B3BDCE

Memory Dump Source

Source File: 00000000.00000002.3361782204.0000000000B3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b3a000_Payload.jbxd

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 78215aa0ee0fe910dd57155b48c63b7844ddec8641159a4d281dedd5c5b1e302
Instruction ID: 7519f9a4c366da43354a267825fe1657cfdccd603293a3a39f9a72576d58b3bb
Opcode Fuzzy Hash: 78215aa0ee0fe910dd57155b48c63b7844ddec8641159a4d281dedd5c5b1e302
Instruction Fuzzy Hash: 5121F671404240AFE721CF55DC45F66FBF4EF08314F14889EEA458B652D375A814CB62

Function 00B3A902 Relevance: 1.6, APIs: 1, Instructions: 66windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutA.USER32(?,00000E24), ref: 00B3A97D

Memory Dump Source

Source File: 00000000.00000002.3361782204.0000000000B3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b3a000_Payload.jbxd

Similarity

API ID: MessageSendTimeout
String ID:
API String ID: 1599653421-0
Opcode ID: 6b2024928e884e7c7c00bd553d75123b7fec51881411e1f1b788de7c697e15ef
Instruction ID: 971ca7346385e2b5d712d7e0aa4ad6267e7c538cf2463fbd2deb951df014387a
Opcode Fuzzy Hash: 6b2024928e884e7c7c00bd553d75123b7fec51881411e1f1b788de7c697e15ef
Instruction Fuzzy Hash: 1921E171004200AFEB218F51DC84F76FBF8EF08710F28859AEE855A691D371B808DBB6

Function 04D20216 Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,655B8F1F,00000000,00000000,00000000,00000000), ref: 04D20288

Memory Dump Source

Source File: 00000000.00000002.3363536566.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d20000_Payload.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: f7e815c1fa9fce01e1cb39ed85243b990dc9db12ad363c75fdd707903b5262eb
Instruction ID: 342796dd33eb581173550f35f46a8e3907d0fddd2d2378d013c67498c530e1a7
Opcode Fuzzy Hash: f7e815c1fa9fce01e1cb39ed85243b990dc9db12ad363c75fdd707903b5262eb
Instruction Fuzzy Hash: 7511BE71504204AFEB21CF15DD84F66FBECEF58718F08845AEA458B692D760F808CBB5

Function 00B3A486 Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E24,655B8F1F,00000000,00000000,00000000,00000000), ref: 00B3A4F8

Memory Dump Source

Source File: 00000000.00000002.3361782204.0000000000B3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b3a000_Payload.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: edf14ccfadb96179e53da56a585cc04856a01309c416d324a6abb81acc0a7a3b
Instruction ID: 4698ac3f35243a253dc78838da7777050c9caa98a1b0753170b0345d7eb10664
Opcode Fuzzy Hash: edf14ccfadb96179e53da56a585cc04856a01309c416d324a6abb81acc0a7a3b
Instruction Fuzzy Hash: E911B171504200AFEB208E15DC84F66FBECEF08710F28849AEE458A692D370E8048AB2

Function 04D20A1E Relevance: 1.6, APIs: 1, Instructions: 64timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E24,655B8F1F,00000000,00000000,00000000,00000000), ref: 04D20A7D

Memory Dump Source

Source File: 00000000.00000002.3363536566.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d20000_Payload.jbxd

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 26bb4ee989c271bc3798372a274cdfdb9734dcb174be74edc10bcd1bc557c3e0
Instruction ID: 050195f3c4461f4a23776c67472dcc6563ee5194c59f94934d8fdc3a417c0f20
Opcode Fuzzy Hash: 26bb4ee989c271bc3798372a274cdfdb9734dcb174be74edc10bcd1bc557c3e0
Instruction Fuzzy Hash: 9411C471604200AFEB21CF55DD45F6AFBF8EF48724F08846AEA458B651D774E804CBB5

Function 04D2126E Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

SetProcessWorkingSetSize.KERNEL32(?,00000E24,655B8F1F,00000000,00000000,00000000,00000000), ref: 04D212C7

Memory Dump Source

Source File: 00000000.00000002.3363536566.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d20000_Payload.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: 2436317c5bbd699d2aa53d0a6873eddd5bfed5f562a6993ae89b199b8e6d0979
Instruction ID: 5e4f395aa62d4e0d614215a4bfc4fce0237bccf9ae3a2bc226c1662ab03c26ce
Opcode Fuzzy Hash: 2436317c5bbd699d2aa53d0a6873eddd5bfed5f562a6993ae89b199b8e6d0979
Instruction Fuzzy Hash: 1B11BF71504200AFEB218F55DD85B6AF7E8EF48224F08C4AAEA49CB691D774A8048AB5

Function 04D2118A Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

GetProcessWorkingSetSize.KERNEL32(?,00000E24,655B8F1F,00000000,00000000,00000000,00000000), ref: 04D211E3

Memory Dump Source

Source File: 00000000.00000002.3363536566.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d20000_Payload.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: 2436317c5bbd699d2aa53d0a6873eddd5bfed5f562a6993ae89b199b8e6d0979
Instruction ID: b87d9d283d3edec8dd91070c63735cc6e16968e07cdd1808539d9e9abfef1be1
Opcode Fuzzy Hash: 2436317c5bbd699d2aa53d0a6873eddd5bfed5f562a6993ae89b199b8e6d0979
Instruction Fuzzy Hash: A311BF71504200AFEB21CF55DC85F6AF7E8EF48224F08C46AEA49DB291D774E8048BA5

Function 04D210AE Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNELBASE(?,00000E24,655B8F1F,00000000,00000000,00000000,00000000), ref: 04D21104

Memory Dump Source

Source File: 00000000.00000002.3363536566.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d20000_Payload.jbxd

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: ddea99974a02ffbbe7f88c681680126a5bc74019ae78f2e6a4cc63a02d061411
Instruction ID: 0fd824f63d65e8c76edec652bc2b7821b894e24737782e0c2e9f8ca7b96bc8ef
Opcode Fuzzy Hash: ddea99974a02ffbbe7f88c681680126a5bc74019ae78f2e6a4cc63a02d061411
Instruction Fuzzy Hash: 2C11E371604210AFEB118F15DD85F6AF7E8EF44624F18C4AAEE09DB286D774E8048AA5

Function 00B3AD07 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00B3AD72

Memory Dump Source

Source File: 00000000.00000002.3361782204.0000000000B3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b3a000_Payload.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e5d1b2f07bb4ebd451c5811fe966f43985abd522ebea78e872669d2b39fb0b4f
Instruction ID: 0b749b8ed192cc6c6ce3889a1eb04a1bfb2fb1eb0336ed9475be1fd02ceaf963
Opcode Fuzzy Hash: e5d1b2f07bb4ebd451c5811fe966f43985abd522ebea78e872669d2b39fb0b4f
Instruction Fuzzy Hash: AD117F71409380AFDB228F51DC44A62FFF4EF4A310F0884DAE9858B563C275A819DB62

Function 00B3BAFA Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,00000E24,655B8F1F,00000000,00000000,00000000,00000000), ref: 00B3BB59

Memory Dump Source

Source File: 00000000.00000002.3361782204.0000000000B3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b3a000_Payload.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 62355b6565c411c0d02d803b098e3b3c872e58e9510c636dbef4c0810f6f9804
Instruction ID: 5148789090a35ceda51fb2d3971e27fbb6645a3689e0779e2c92af9d3af73948
Opcode Fuzzy Hash: 62355b6565c411c0d02d803b098e3b3c872e58e9510c636dbef4c0810f6f9804
Instruction Fuzzy Hash: A111C171404200AFEB21CF55DC84F6AFBF8EF48724F18849AEA498B255D774A8048BB6

Function 04D20152 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32(?,00000E24,?,?), ref: 04D201CE

Memory Dump Source

Source File: 00000000.00000002.3363536566.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d20000_Payload.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 962abbe82cd96b483d3a24879b64bad63cb62d61c150f8601713dec44c6a4216
Instruction ID: ae1fcc396ad3c613aa4ccd8463b8bb9773268e95f10b79ac6c51d6bffa391cbe
Opcode Fuzzy Hash: 962abbe82cd96b483d3a24879b64bad63cb62d61c150f8601713dec44c6a4216
Instruction Fuzzy Hash: 8E1104715093806FD311CB55CC45F26FFB8EF8A620F09808FE9489B683D325B804CBA2

Function 00B3A2D2 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 00B3A330

Memory Dump Source

Source File: 00000000.00000002.3361782204.0000000000B3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b3a000_Payload.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 480b45ec4d4ed272d603401fc19c271312c31dbcc4e7a5baabb7c118e9f380e8
Instruction ID: 01fe0edcec186a1ea5af53afab0a10cc88042a57aed04d06d95f663fbb2d28b7
Opcode Fuzzy Hash: 480b45ec4d4ed272d603401fc19c271312c31dbcc4e7a5baabb7c118e9f380e8
Instruction Fuzzy Hash: 231170754093C0AFDB128B15DC58B62BFB4EF47724F1D80DAED858B263D265A808DB72

Function 04D20DB2 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 04D20DFA

Memory Dump Source

Source File: 00000000.00000002.3363536566.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d20000_Payload.jbxd

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 4c26955ad0fdd6ddb4b106ac47691d035e53b9e0c62bd7586bb3af3ac9a2f85f
Instruction ID: 3b7ededa18b7a5f6535b2d9df365fbef1b6dde487731e583753bc4b918cf2e1f
Opcode Fuzzy Hash: 4c26955ad0fdd6ddb4b106ac47691d035e53b9e0c62bd7586bb3af3ac9a2f85f
Instruction Fuzzy Hash: 0811A1B16052008FDB61CF25D985B66FBE8EF14224F08C4AADE49CB742E775F844CBA1

Function 00B3B83A Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E24,655B8F1F,00000000,00000000,00000000,00000000), ref: 00B3B88D

Memory Dump Source

Source File: 00000000.00000002.3361782204.0000000000B3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b3a000_Payload.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: f4dbba49079f4b2540bee1509da5eda8997e95e6030d3e003fcab5ba5278059f
Instruction ID: bcf3293c7a811ff6aa8f2af7a95fddc2b25a9a9e0db460d79bc4f4e76bd66fb9
Opcode Fuzzy Hash: f4dbba49079f4b2540bee1509da5eda8997e95e6030d3e003fcab5ba5278059f
Instruction Fuzzy Hash: 29018475508204AEE710DB15DC85F66F7ECDF48724F188096EE058B295D774A9048AA5

Function 00B3AEA3 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 00B3AF04

Memory Dump Source

Source File: 00000000.00000002.3361782204.0000000000B3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b3a000_Payload.jbxd

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: 0f7e3229b1908d52c0ffd22f09707028d807ec40be0a09285521a00dcbbba8e4
Instruction ID: 8856dbc35caaeb6401ea20135c868cb9c44ff2b2051c4e557eb4bba0db4d1d30
Opcode Fuzzy Hash: 0f7e3229b1908d52c0ffd22f09707028d807ec40be0a09285521a00dcbbba8e4
Instruction Fuzzy Hash: BA1191714493809FDB11CF15DC49B52BFB4EF06324F1884DAED458B293D375A808CB62

Function 04D20CEA Relevance: 1.5, APIs: 1, Instructions: 49networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 04D20D36

Memory Dump Source

Source File: 00000000.00000002.3363536566.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d20000_Payload.jbxd

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: 5d3b3e0d6840c5784e4a41c0e08ca7ec022760f3dde63e3288f5504e6811bfc0
Instruction ID: 8747f42b6b9ab9b572d4409c822ba60cceea36fd668f35529cc7406d908f6db7
Opcode Fuzzy Hash: 5d3b3e0d6840c5784e4a41c0e08ca7ec022760f3dde63e3288f5504e6811bfc0
Instruction Fuzzy Hash: 2511CE715042009FDB21CF51D944B66FBE4FF08314F0888AAEE858BA62D371F418DFA1

Function 04D218D2 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNELBASE(?,00000E24,?,?), ref: 04D21922

Memory Dump Source

Source File: 00000000.00000002.3363536566.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d20000_Payload.jbxd

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: c70e0aefb0fa16a1fb8683014528db2d7e48d8a2c32b37673be8181eba71545e
Instruction ID: 9317886d43c37bf634a8b2b9392c9e6019222a7be6631c89b6973e63a615df59
Opcode Fuzzy Hash: c70e0aefb0fa16a1fb8683014528db2d7e48d8a2c32b37673be8181eba71545e
Instruction Fuzzy Hash: CB017171500200ABD310DF5ADC46B26FBE8EB88A20F14855AED089B642D771F915CBE5

Function 00B3AD2E Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00B3AD72

Memory Dump Source

Source File: 00000000.00000002.3361782204.0000000000B3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b3a000_Payload.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 1aa94f07c73dd9b209d9a6e2f50180de85e555517c8c95f4d6b825f3de2f905e
Instruction ID: 60aa5a9bfd71564847ce50415b3cb23767f74860a104df8fafd1c0d61988a965
Opcode Fuzzy Hash: 1aa94f07c73dd9b209d9a6e2f50180de85e555517c8c95f4d6b825f3de2f905e
Instruction Fuzzy Hash: 9301A1314042409FDB218F55D844B16FBE0EF48710F1884AADE854AA62C375E414DF62

Function 04D2017E Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32(?,00000E24,?,?), ref: 04D201CE

Memory Dump Source

Source File: 00000000.00000002.3363536566.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d20000_Payload.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: bf6ab0a43376be08f78ae56e01f26de2a69ee5197db81dc334b52f6a0edf5633
Instruction ID: 6a2216bae995bdc012b83d96cbdc0bb11af68ea55d8a2e4fd4e45841ad9fe442
Opcode Fuzzy Hash: bf6ab0a43376be08f78ae56e01f26de2a69ee5197db81dc334b52f6a0edf5633
Instruction Fuzzy Hash: 44018175600200ABD310DF1ADC86B26FBF8FB88A20F14815AED085B782D775F915CBE6

Function 00B3BCC6 Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 00B3BD16

Memory Dump Source

Source File: 00000000.00000002.3361782204.0000000000B3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b3a000_Payload.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 27f39da9655558d5d04016d51582657212e482582769fdf267cc6fb0700fd732
Instruction ID: b9ff7d6e67e9ca7a713777dca81039552f4c256768ec077869590de2cc122e85
Opcode Fuzzy Hash: 27f39da9655558d5d04016d51582657212e482582769fdf267cc6fb0700fd732
Instruction Fuzzy Hash: 42016D75600200ABD210DF1ADC86B26FBE8FB88A20F14815AED485B782D771F915CBE6

Function 00B3AED2 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 00B3AF04

Memory Dump Source

Source File: 00000000.00000002.3361782204.0000000000B3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b3a000_Payload.jbxd

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: e6f94569c5f39ea67857b9172925cd81b005e2ecbbc4e43dd27d68f2e5ad66cd
Instruction ID: 3fd64a3810500789281acc315e756d567d0e3df1c0bfc91e09ae0ccb87071a63
Opcode Fuzzy Hash: e6f94569c5f39ea67857b9172925cd81b005e2ecbbc4e43dd27d68f2e5ad66cd
Instruction Fuzzy Hash: F201D1B08042409FDB10DF15D888B65FBE4EF44320F28C4EADD498F686D379A844CFA2

Function 00B3A2FE Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 00B3A330

Memory Dump Source

Source File: 00000000.00000002.3361782204.0000000000B3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b3a000_Payload.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 3875ac43276b6ec26cb544109359879b24802a9bd179ad0f3da136b6cfafec4f
Instruction ID: de1c8bb9976b29dbf00f4638f957f73bdf41b30255c0a303eb881ef934dd6881
Opcode Fuzzy Hash: 3875ac43276b6ec26cb544109359879b24802a9bd179ad0f3da136b6cfafec4f
Instruction Fuzzy Hash: DEF08C348082408FDB108F09D888B25FBE0EF44720F2CC0DADE894B696D3B5A804CAA2

Function 00B3A710 Relevance: 1.3, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 00B3A780

Memory Dump Source

Source File: 00000000.00000002.3361782204.0000000000B3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b3a000_Payload.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 2d17ecab94a14c637319770ecb6ffb1e23c56e980cfd4e38528265f52ccb20c5
Instruction ID: 23e77a29ad8bb66f3649f4fcc0f4c3bf1e5bb4aee855539646ba0e98f189fa25
Opcode Fuzzy Hash: 2d17ecab94a14c637319770ecb6ffb1e23c56e980cfd4e38528265f52ccb20c5
Instruction Fuzzy Hash: 8421E4B55043809FD711CF15DD85B52BFB4EF02324F1984EAED858B293D335A909DBA2

Function 00B3A74E Relevance: 1.3, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 00B3A780

Memory Dump Source

Source File: 00000000.00000002.3361782204.0000000000B3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b3a000_Payload.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: ffd28c6808886c0e65c3f18697278598d7b902e3c49bdeb83b164b007452482d
Instruction ID: 8bd226653e84481a80135a1b6bec839cc2d815b038fd8f7f6cc4dd7a5e378ca4
Opcode Fuzzy Hash: ffd28c6808886c0e65c3f18697278598d7b902e3c49bdeb83b164b007452482d
Instruction Fuzzy Hash: EC01DF74504240CFDB108F15D8C9B66FBE4EF04320F28C4EBDD498B682D775A804CEA2

Function 00B40814 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3361820080.0000000000B40000.00000040.00000020.00020000.00000000.sdmp, Offset: 00B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b40000_Payload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e525c587823432e22309097f6421c3dd1a5c3e30e33970991fc8e916fd529d23
Instruction ID: 2d3bb5a23524324c3f4123d3a55965f415fcea92066ef434d573a374319da56a
Opcode Fuzzy Hash: e525c587823432e22309097f6421c3dd1a5c3e30e33970991fc8e916fd529d23
Instruction Fuzzy Hash: F311B4306182409FC715DB10DA80F25B7E5EB89708F28C9EDEA491B693C777D903EA91

Function 00B40804 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3361820080.0000000000B40000.00000040.00000020.00020000.00000000.sdmp, Offset: 00B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b40000_Payload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32cf6a9a503ef45251987dd48d5ab541054a704950ae31d5e527d90e84a48864
Instruction ID: 440862997a6622fe95743f9fa2982340fb03df6663ce91e1e1aee1adefc4b5ae
Opcode Fuzzy Hash: 32cf6a9a503ef45251987dd48d5ab541054a704950ae31d5e527d90e84a48864
Instruction Fuzzy Hash: 57118235108780CFC712DB10D640B21BBF1EB8A718F28C6EED9494BA93C33A9D16DB81

Function 00B405E4 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3361820080.0000000000B40000.00000040.00000020.00020000.00000000.sdmp, Offset: 00B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b40000_Payload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2b168486605a82492699f14017ab3e60470d93b275555af1dcefb6f28fd4d48
Instruction ID: 8785fd58d60aa3cf90183df3e1127249adc5b5272f8262f5255ee7279bd45baf
Opcode Fuzzy Hash: c2b168486605a82492699f14017ab3e60470d93b275555af1dcefb6f28fd4d48
Instruction Fuzzy Hash: D0F0A4B65097806FC7118B06AC54853FFE8DF8623070984ABED498B612D175B909CBB2

Function 00B408D0 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3361820080.0000000000B40000.00000040.00000020.00020000.00000000.sdmp, Offset: 00B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b40000_Payload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 205cfd5bc394be039cc93c627c2b00c269e0bb332f6101cb71b993992a6c944d
Instruction ID: 1d2276b4c6efd5988f616928699962998ee73dffb674f332c3d195b50962a0b5
Opcode Fuzzy Hash: 205cfd5bc394be039cc93c627c2b00c269e0bb332f6101cb71b993992a6c944d
Instruction Fuzzy Hash: F9F0FB35108644DFC705DF00D680B25FBE2EB89718F24CAADE94917A52C7379912EA81

Function 00B40606 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3361820080.0000000000B40000.00000040.00000020.00020000.00000000.sdmp, Offset: 00B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b40000_Payload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf9f31ee0eb8ebcd6c310bdb10559763868137da0f294651723122765e7adb58
Instruction ID: 4b25f90159f806ef3630c865c3113678463e6d184c5ecff2c3645989161f85d3
Opcode Fuzzy Hash: bf9f31ee0eb8ebcd6c310bdb10559763868137da0f294651723122765e7adb58
Instruction Fuzzy Hash: 62E092B66046004B9650DF0BEC45452F7D8EB88630718C47FDD0D8B701D275B904CEA6

Function 00B323F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3361746304.0000000000B32000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B32000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b32000_Payload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22a5ff026445c51edbfe47cbff2f23737191d95dcfc8eb8471c1fed189b73e63
Instruction ID: b2a378b246d56497956cb7bbf196d99ea038a88330612036518e47cf8bebbe2e
Opcode Fuzzy Hash: 22a5ff026445c51edbfe47cbff2f23737191d95dcfc8eb8471c1fed189b73e63
Instruction Fuzzy Hash: B5D05E792056814FD3169B1CC1A5B9537D4AB91714F5A44FAE8008B763C768E981D610

Function 00B323BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3361746304.0000000000B32000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B32000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b32000_Payload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e58b6308074706a9e535632ab776da71f58d18b14fcf51139df6d25e8080927b
Instruction ID: 50a74e28359c7df5bcc63d6567228859cda08be78a70c69d29feafc2c6c14c2b
Opcode Fuzzy Hash: e58b6308074706a9e535632ab776da71f58d18b14fcf51139df6d25e8080927b
Instruction Fuzzy Hash: 14D05E352402814FC719DB0CC2D4F5973D4AB80B14F1644E9AC108B762C7A8ECC0CA04

Non-executed Functions

Function 04B20D70 Relevance: .4, Instructions: 355COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3363349465.0000000004B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b20000_Payload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce5a5cbd6440aca3a43462d99cbbef747c44651d00303e536e6066f7676074c6
Instruction ID: 0e2e73f77828854f4dbc4ae30aa773157ffae7354895cf3faea6cdfd65c6c205
Opcode Fuzzy Hash: ce5a5cbd6440aca3a43462d99cbbef747c44651d00303e536e6066f7676074c6
Instruction Fuzzy Hash: CCF12834A042188FDB18EB74C990BAD77B2FB88308F5084A9D549ABB95DF71AD85CF50

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Payload.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Njrat

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Windows Analysis Report
Payload.exe

Function 04B21550 Relevance: 1.6, APIs: 1, Instructions: 116
COMMON