
Windows Analysis Report
ZJat0NjKFO.exe

Overview

General Information

Sample name: ZJat0NjKFO.exe (renamed because the original name is a hash value)
Original sample name: 4ed421dcc07555bea823811932cd1b1d.exe
Analysis ID: 1646262
MD5: 4ed421dcc07555bea823811932cd1b1d
SHA1: f4eb41c4fda51e598ac85d11a3d1bb9120844352
SHA256: d99e56b65c148eb34afdaf489f8cd99a683e368dbb9c0e139b46a00299062599
Tags: DanaBot, exe, user-abuse_ch

Detection

DanaBot
Score: 96
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (creates a PE file in dynamic memory)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected DanaBot stealer dll
Joe Sandbox ML detected suspicious sample
May use the Tor software to hide its network traffic
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Enables debug privileges
May sleep (evasive loops) to hinder dynamic analysis
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the installation date of Windows
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Classification legend: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; verdict scale: clean, suspicious, malicious
  • System is w10x64
  • ZJat0NjKFO.exe (PID: 8876 cmdline: "C:\Users\user\Desktop\ZJat0NjKFO.exe" MD5: 4ED421DCC07555BEA823811932CD1B1D)
  • cleanup
Name: DanaBot
Description: Proofpoint describes DanaBot as the latest example of malware focused on persistence and stealing useful information that can later be monetized rather than demanding an immediate ransom from victims. The social engineering in the low-volume DanaBot campaigns we have observed so far has been well-crafted, again pointing to a renewed focus on quality over quantity in email-based threats. DanaBot's modular nature enables it to download additional components, increasing the flexibility and robust stealing and remote monitoring capabilities of this banker.
Attribution: SCULLY SPIDER
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.danabot
No configs have been found
Source | Rule | Description | Author
ZJat0NjKFO.exe | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
ZJat0NjKFO.exe | JoeSecurity_DanaBot_stealer_dll | Yara detected DanaBot stealer dll | Joe Security
ZJat0NjKFO.exe | INDICATOR_SUSPICIOUS_GENInfoStealer | Detects executables containing common artifacts observed in infostealers | ditekSHen
Matched strings (offset: identifier: string):
      • 0x32ede8:$f1: FileZilla\recentservers.xml
      • 0x32eda4:$f2: FileZilla\sitemanager.xml
      • 0x35a382:$b1: Chrome\User Data\
      • 0x360fc6:$b1: Chrome\User Data\
      • 0x361ae2:$b1: Chrome\User Data\
      • 0x3415d2:$b2: Mozilla\Firefox\Profiles
      • 0x3552ae:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
      • 0x38022e:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
      • 0x353c98:$b4: Opera Software\Opera Stable\Login Data
      • 0x35a452:$b5: YandexBrowser\User Data\
      • 0x372e9c:$s5: account.cfn
      • 0x353176:$s6: wand.dat
      • 0x352c2a:$a1: username_value
      • 0x3591f6:$a1: username_value
      • 0x3594c6:$a1: username_value
      • 0x35b97a:$a1: username_value
      • 0x352c56:$a2: password_value
      • 0x35924e:$a2: password_value
      • 0x35951e:$a2: password_value
      • 0x35b9d2:$a2: password_value
      • 0x35ca76:$a3: encryptedUsername
Source | Rule | Description | Author
00000000.00000002.3182740357.0000000003100000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000002.3182740357.0000000003100000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_DanaBot_stealer_dll | Yara detected DanaBot stealer dll | Joe Security
00000000.00000000.1304168551.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000000.1304168551.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp | JoeSecurity_DanaBot_stealer_dll | Yara detected DanaBot stealer dll | Joe Security
00000000.00000002.3183069219.00000000036A9000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security

Source | Rule | Description | Author
0.2.ZJat0NjKFO.exe.3690000.1.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.ZJat0NjKFO.exe.3690000.1.unpack | JoeSecurity_DanaBot_stealer_dll | Yara detected DanaBot stealer dll | Joe Security
0.2.ZJat0NjKFO.exe.3690000.1.unpack | INDICATOR_SUSPICIOUS_GENInfoStealer | Detects executables containing common artifacts observed in infostealers | ditekSHen
Matched strings (offset: identifier: string):
                    • 0x32dbf6:$f1: FileZilla\recentservers.xml
                    • 0x32dbb2:$f2: FileZilla\sitemanager.xml
                    • 0x359190:$b1: Chrome\User Data\
                    • 0x35fdd4:$b1: Chrome\User Data\
                    • 0x3608f0:$b1: Chrome\User Data\
                    • 0x3403e0:$b2: Mozilla\Firefox\Profiles
                    • 0x3540bc:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
                    • 0x37f03c:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
                    • 0x352aa6:$b4: Opera Software\Opera Stable\Login Data
                    • 0x359260:$b5: YandexBrowser\User Data\
                    • 0x371caa:$s5: account.cfn
                    • 0x351f84:$s6: wand.dat
                    • 0x351a38:$a1: username_value
                    • 0x358004:$a1: username_value
                    • 0x3582d4:$a1: username_value
                    • 0x35a788:$a1: username_value
                    • 0x351a64:$a2: password_value
                    • 0x35805c:$a2: password_value
                    • 0x35832c:$a2: password_value
                    • 0x35a7e0:$a2: password_value
                    • 0x35b884:$a3: encryptedUsername
0.0.ZJat0NjKFO.exe.bc0000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.0.ZJat0NjKFO.exe.bc0000.0.unpack | JoeSecurity_DanaBot_stealer_dll | Yara detected DanaBot stealer dll | Joe Security
No Sigma rule has matched
No Suricata rule has matched


                        AV Detection

Source: ZJat0NjKFO.exe | Avira: detected
Source: ZJat0NjKFO.exe | Virustotal: Detection: 69%
Source: ZJat0NjKFO.exe | ReversingLabs: Detection: 72%
Source: Yara match | File source: ZJat0NjKFO.exe, type: SAMPLE
Source: Yara match | File source: 0.2.ZJat0NjKFO.exe.3690000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.ZJat0NjKFO.exe.bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ZJat0NjKFO.exe.bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.3182740357.0000000003100000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1304168551.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.3183069219.00000000036A9000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.3182013031.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ZJat0NjKFO.exe PID: 8876, type: MEMORYSTR
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability

                        Compliance

Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Unpacked PE file: 0.2.ZJat0NjKFO.exe.3690000.1.unpack
Source: ZJat0NjKFO.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: ZJat0NjKFO.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | File opened: C:\Users\user
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | File opened: C:\Users\user\AppData
Source: unknown | TCP traffic detected without corresponding DNS query: 196.251.87.252 (23 occurrences)
Source: unknown | TCP traffic detected without corresponding DNS query: 62.60.226.158 (11 occurrences)
Source: unknown | TCP traffic detected without corresponding DNS query: 62.60.226.159 (12 occurrences)
Source: ZJat0NjKFO.exe | String found in binary or memory: http://.css
Source: ZJat0NjKFO.exe | String found in binary or memory: http://.jpg
Source: ZJat0NjKFO.exe | String found in binary or memory: http://html4/loose.dtd
Source: ZJat0NjKFO.exe, 00000000.00000003.1306438052.000000007DB40000.00000004.00001000.00020000.00000000.sdmp, ZJat0NjKFO.exe, 00000000.00000003.1306592537.000000007DF10000.00000004.00001000.00020000.00000000.sdmp, ZJat0NjKFO.exe, 00000000.00000002.3184306742.0000000063469000.00000040.00001000.00020000.00000000.sdmp, ZJat0NjKFO.exe, 00000000.00000003.1309297174.000000007DB60000.00000004.00001000.00020000.00000000.sdmp, ZJat0NjKFO.exe, 00000000.00000003.1307735684.000000007DCC0000.00000004.00001000.00020000.00000000.sdmp, ZJat0NjKFO.exe, 00000000.00000003.1308515179.000000007ED50000.00000004.00001000.00020000.00000000.sdmp, ZJat0NjKFO.exe, 00000000.00000002.3184487900.000000006E66F000.00000040.00001000.00020000.00000000.sdmp, ZJat0NjKFO.exe, 00000000.00000003.1307336823.000000007D8A0000.00000004.00001000.00020000.00000000.sdmp, ZJat0NjKFO.exe, 00000000.00000003.1308443894.000000007EC90000.00000004.00001000.00020000.00000000.sdmp, ZJat0NjKFO.exe, 00000000.00000003.1307925283.000000007DD40000.00000004.00001000.00020000.00000000.sdmp, ZJat0NjKFO.exe, 00000000.00000003.1307828736.000000007DC20000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.openssl.org/V
Source: ZJat0NjKFO.exe, 00000000.00000003.1306438052.000000007DB40000.00000004.00001000.00020000.00000000.sdmp, ZJat0NjKFO.exe, 00000000.00000003.1306592537.000000007DF10000.00000004.00001000.00020000.00000000.sdmp, ZJat0NjKFO.exe, 00000000.00000002.3184306742.0000000063281000.00000040.00001000.00020000.00000000.sdmp, ZJat0NjKFO.exe, 00000000.00000003.1308515179.000000007ED50000.00000004.00001000.00020000.00000000.sdmp, ZJat0NjKFO.exe, 00000000.00000003.1306113226.000000007DE90000.00000004.00001000.00020000.00000000.sdmp, ZJat0NjKFO.exe, 00000000.00000003.1307336823.000000007D8A0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.openssl.org/support/faq.html
Source: ZJat0NjKFO.exe, 00000000.00000003.1306438052.000000007DB40000.00000004.00001000.00020000.00000000.sdmp, ZJat0NjKFO.exe, 00000000.00000003.1306592537.000000007DF10000.00000004.00001000.00020000.00000000.sdmp, ZJat0NjKFO.exe, 00000000.00000002.3184306742.0000000063281000.00000040.00001000.00020000.00000000.sdmp, ZJat0NjKFO.exe, 00000000.00000003.1308515179.000000007ED50000.00000004.00001000.00020000.00000000.sdmp, ZJat0NjKFO.exe, 00000000.00000003.1306113226.000000007DE90000.00000004.00001000.00020000.00000000.sdmp, ZJat0NjKFO.exe, 00000000.00000003.1307336823.000000007D8A0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.openssl.org/support/faq.htmlRAND
Source: ZJat0NjKFO.exe, 00000000.00000002.3182521075.00000000016C2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: ZJat0NjKFO.exe, 00000000.00000002.3182521075.00000000016C2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: ZJat0NjKFO.exe, 00000000.00000002.3182521075.00000000016C2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033B
Source: ZJat0NjKFO.exe, 00000000.00000002.3182521075.00000000016C2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown | Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown | Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown | Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown | Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49739 -> 443

                        E-Banking Fraud

Source: Yara match | File source: ZJat0NjKFO.exe, type: SAMPLE
Source: Yara match | File source: 0.2.ZJat0NjKFO.exe.3690000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.ZJat0NjKFO.exe.bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ZJat0NjKFO.exe.bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.3182740357.0000000003100000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1304168551.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.3183069219.00000000036A9000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.3182013031.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ZJat0NjKFO.exe PID: 8876, type: MEMORYSTR

                        System Summary

Source: ZJat0NjKFO.exe, type: SAMPLE | Matched rule: Detects executables containing common artifacts observed in infostealers Author: ditekSHen
Source: 0.2.ZJat0NjKFO.exe.3690000.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifacts observed in infostealers Author: ditekSHen
Source: 0.0.ZJat0NjKFO.exe.bc0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifacts observed in infostealers Author: ditekSHen
Source: 0.2.ZJat0NjKFO.exe.bc0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifacts observed in infostealers Author: ditekSHen
Source: ZJat0NjKFO.exe, 00000000.00000003.1306438052.000000007DB40000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamelibeay32.dllH vs ZJat0NjKFO.exe
Source: ZJat0NjKFO.exe, 00000000.00000003.1306592537.000000007DF10000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamelibeay32.dllH vs ZJat0NjKFO.exe
Source: ZJat0NjKFO.exe, 00000000.00000002.3184306742.0000000063469000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamelibeay32.dllH vs ZJat0NjKFO.exe
Source: ZJat0NjKFO.exe, 00000000.00000003.1309297174.000000007DB60000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamessleay32.dllH vs ZJat0NjKFO.exe
Source: ZJat0NjKFO.exe, 00000000.00000003.1307735684.000000007DCC0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamessleay32.dllH vs ZJat0NjKFO.exe
Source: ZJat0NjKFO.exe, 00000000.00000003.1308515179.000000007ED50000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamelibeay32.dllH vs ZJat0NjKFO.exe
Source: ZJat0NjKFO.exe, 00000000.00000002.3184487900.000000006E66F000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamessleay32.dllH vs ZJat0NjKFO.exe
Source: ZJat0NjKFO.exe, 00000000.00000003.1307336823.000000007D8A0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamelibeay32.dllH vs ZJat0NjKFO.exe
Source: ZJat0NjKFO.exe, 00000000.00000003.1308443894.000000007EC90000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamessleay32.dllH vs ZJat0NjKFO.exe
Source: ZJat0NjKFO.exe, 00000000.00000003.1307925283.000000007DD40000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamessleay32.dllH vs ZJat0NjKFO.exe
Source: ZJat0NjKFO.exe, 00000000.00000003.1307828736.000000007DC20000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamessleay32.dllH vs ZJat0NjKFO.exe
Source: ZJat0NjKFO.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: ZJat0NjKFO.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifacts observed in infostealers
Source: 0.2.ZJat0NjKFO.exe.3690000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifacts observed in infostealers
Source: 0.0.ZJat0NjKFO.exe.bc0000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifacts observed in infostealers
Source: 0.2.ZJat0NjKFO.exe.bc0000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifacts observed in infostealers
Source: classification engine | Classification label: mal96.troj.spyw.evad.winEXE@1/10@0/3
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | File created: C:\Users\user\AppData\Local\Temp\Fshrfy
Source: ZJat0NjKFO.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: ZJat0NjKFO.exe, ZJat0NjKFO.exe, 00000000.00000000.1304168551.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, ZJat0NjKFO.exe, 00000000.00000002.3182740357.0000000003100000.00000040.00001000.00020000.00000000.sdmp, ZJat0NjKFO.exe, 00000000.00000002.3183069219.00000000036A9000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: ZJat0NjKFO.exe, ZJat0NjKFO.exe, 00000000.00000000.1304168551.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, ZJat0NjKFO.exe, 00000000.00000002.3182740357.0000000003100000.00000040.00001000.00020000.00000000.sdmp, ZJat0NjKFO.exe, 00000000.00000002.3183069219.00000000036A9000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: ZJat0NjKFO.exe, ZJat0NjKFO.exe, 00000000.00000000.1304168551.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, ZJat0NjKFO.exe, 00000000.00000002.3182740357.0000000003100000.00000040.00001000.00020000.00000000.sdmp, ZJat0NjKFO.exe, 00000000.00000002.3183069219.00000000036A9000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: ZJat0NjKFO.exe, 00000000.00000000.1304168551.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, ZJat0NjKFO.exe, 00000000.00000002.3182740357.0000000003100000.00000040.00001000.00020000.00000000.sdmp, ZJat0NjKFO.exe, 00000000.00000002.3183069219.00000000036A9000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: ZJat0NjKFO.exe, 00000000.00000003.1458692961.00000000016E3000.00000004.00000020.00020000.00000000.sdmp, ZJat0NjKFO.exe, 00000000.00000003.1455129857.00000000053A4000.00000004.00000020.00020000.00000000.sdmp, ZJat0NjKFO.exe, 00000000.00000003.1458907011.00000000053A2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: ZJat0NjKFO.exe | Virustotal: Detection: 69%
Source: ZJat0NjKFO.exe | ReversingLabs: Detection: 72%
Source: ZJat0NjKFO.exe | String found in binary or memory: t xml:space=.gif" border="0"</body> </html> overflow:hidden;img src="http://addEventListenerresponsible for s.js"></script> /favicon.ico" />operating system" style="width:1target="_blank">State Universitytext-align:left; document.write(, including the around t
Source: ZJat0NjKFO.exe | String found in binary or memory: /Address family not supported by protocol family
Source: ZJat0NjKFO.exe | String found in binary or memory: overflow:hidden;img src="http://addEventListenerresponsible for s.js"></script>
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Section loaded: samcli.dll
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Section loaded: avifil32.dll
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Section loaded: msvfw32.dll
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Section loaded: msacm32.dll
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Section loaded: winmmbase.dll (2 occurrences)
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Section loaded: cryptui.dll
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Section loaded: pstorec.dll
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Section loaded: winsta.dll
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Section loaded: ieframe.dll
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Section loaded: mlang.dll
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Section loaded: sxs.dll
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Section loaded: wlanapi.dll
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Section loaded: netprofm.dll
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Section loaded: npmproxy.dll
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Section loaded: mmdevapi.dll
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Section loaded: devobj.dll
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Section loaded: audioses.dll
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Section loaded: logoncli.dll
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: ZJat0NjKFO.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: ZJat0NjKFO.exe | Static file information: File size 5784064 > 1048576
Source: ZJat0NjKFO.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x583800
Source: ZJat0NjKFO.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: ZJat0NjKFO.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

                        Data Obfuscation

Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Unpacked PE file: 0.2.ZJat0NjKFO.exe.3690000.1.unpack
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Code function: 0_2_00BE50C6 push ecx; mov dword ptr [esp], ecx | 0_2_00BE50C9
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Code function: 0_2_00BE9A0A push 004288B1h; ret | 0_2_00BE9A9B
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Code function: 0_2_00BD231E push 004111AFh; ret | 0_2_00BD2399
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Code function: 0_2_00BDB346 push 0041A18Ch; ret | 0_2_00BDB376
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Code function: 0_2_00BC860A push ecx; mov dword ptr [esp], eax | 0_2_00BC860B

                        Hooking and other Techniques for Hiding and Protection

Source: ZJat0NjKFO.exe | Binary or memory string: torConnect
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Process information set: NOOPENFILEERRORBOX (10 occurrences)

                        Malware Analysis System Evasion

Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter (4 occurrences)
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Thread delayed: delay time: 360000
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe TID: 8928 | Thread sleep time: -75075s >= -30000s
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe TID: 8904 | Thread sleep time: -116000s >= -30000s
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe TID: 8880 | Thread sleep time: -360000s >= -30000s
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Thread delayed: delay time: 75075
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Thread delayed: delay time: 360000
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | File opened: C:\Users\user
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | File opened: C:\Users\user\AppData
Source: ZJat0NjKFO.exe, 00000000.00000003.1458003734.00000000016E8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: ZJat0NjKFO.exe, 00000000.00000003.1458003734.00000000016E8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696428655f
Source: ZJat0NjKFO.exe, 00000000.00000003.1458003734.00000000016E8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: ZJat0NjKFO.exe, 00000000.00000003.1458003734.00000000016E8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: ZJat0NjKFO.exe, 00000000.00000003.1458003734.00000000016E8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696428655
Source: ZJat0NjKFO.exe, 00000000.00000003.1458003734.00000000016E8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: ZJat0NjKFO.exe, 00000000.00000003.1458003734.00000000016E8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: ZJat0NjKFO.exe, 00000000.00000003.1458003734.00000000016E8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: ZJat0NjKFO.exe, 00000000.00000003.1458003734.00000000016E8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: ZJat0NjKFO.exe, 00000000.00000003.1458003734.00000000016E8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: ZJat0NjKFO.exe, 00000000.00000003.1458003734.00000000016E8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: ZJat0NjKFO.exe, 00000000.00000003.1458003734.00000000016E8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: ZJat0NjKFO.exe, 00000000.00000003.1458003734.00000000016E8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: ZJat0NjKFO.exe, 00000000.00000003.1458003734.00000000016E8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: ZJat0NjKFO.exe, 00000000.00000003.1458003734.00000000016E8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: ZJat0NjKFO.exe, 00000000.00000002.3182521075.000000000166E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: ZJat0NjKFO.exe, 00000000.00000003.1458003734.00000000016E8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: ZJat0NjKFO.exe, 00000000.00000003.1458003734.00000000016E8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696428655s
Source: ZJat0NjKFO.exe, 00000000.00000003.1458003734.00000000016E8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: ZJat0NjKFO.exe, 00000000.00000003.1458003734.00000000016E8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: ZJat0NjKFO.exe, 00000000.00000003.1458003734.00000000016E8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696428655
Source: ZJat0NjKFO.exe, 00000000.00000003.1458003734.00000000016E8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696428655o
Source: ZJat0NjKFO.exe, 00000000.00000003.1458003734.00000000016E8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: ZJat0NjKFO.exe, 00000000.00000003.1458003734.00000000016E8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: ZJat0NjKFO.exe, 00000000.00000003.1458003734.00000000016E8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: ZJat0NjKFO.exe, 00000000.00000003.1458003734.00000000016E8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: ZJat0NjKFO.exe, 00000000.00000003.1458003734.00000000016E8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696428655j
Source: ZJat0NjKFO.exe, 00000000.00000003.1458003734.00000000016E8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: ZJat0NjKFO.exe, 00000000.00000003.1458003734.00000000016E8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: ZJat0NjKFO.exe, 00000000.00000003.1458003734.00000000016E8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: ZJat0NjKFO.exe, 00000000.00000003.1458003734.00000000016E8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: ZJat0NjKFO.exe, 00000000.00000003.1458003734.00000000016E8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Code function: 0_2_00BC1763 mov eax, dword ptr fs:[00000030h] | 0_2_00BC1763
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Process token adjusted: Debug
Source: ZJat0NjKFO.exe | Binary or memory string: Shell_TrayWnd
Source: ZJat0NjKFO.exe | Binary or memory string: Shell_TrayWndTrayNotifyWndSysPagerToolbarWindow32U
Source: ZJat0NjKFO.exe | Binary or memory string: explorer.exeShell_TrayWnd
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (19 occurrences)
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                        Stealing of Sensitive Information

Source: Yara match | File source: ZJat0NjKFO.exe, type: SAMPLE
Source: Yara match | File source: 0.2.ZJat0NjKFO.exe.3690000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.ZJat0NjKFO.exe.bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ZJat0NjKFO.exe.bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.3182740357.0000000003100000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1304168551.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.3183069219.00000000036A9000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.3182013031.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ZJat0NjKFO.exe PID: 8876, type: MEMORYSTR
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Preferences
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: Yara match | File source: ZJat0NjKFO.exe, type: SAMPLE
Source: Yara match | File source: 0.2.ZJat0NjKFO.exe.3690000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.ZJat0NjKFO.exe.bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ZJat0NjKFO.exe.bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.3182740357.0000000003100000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1304168551.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.3183069219.00000000036A9000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.3182013031.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ZJat0NjKFO.exe PID: 8876, type: MEMORYSTR

                        Remote Access Functionality

Source: Yara match | File source: ZJat0NjKFO.exe, type: SAMPLE
Source: Yara match | File source: 0.2.ZJat0NjKFO.exe.3690000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.ZJat0NjKFO.exe.bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ZJat0NjKFO.exe.bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.3182740357.0000000003100000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1304168551.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.3183069219.00000000036A9000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.3182013031.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ZJat0NjKFO.exe PID: 8876, type: MEMORYSTR
MITRE ATT&CK Matrix

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 11 Windows Management Instrumentation | 1 DLL Side-Loading | 1 Process Injection | 131 Virtualization/Sandbox Evasion | 1 OS Credential Dumping | 111 Security Software Discovery | Remote Services | 1 Data from Local System | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Process Injection | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Multi-hop Proxy | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Obfuscated Files or Information | Security Account Manager | 131 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Software Packing | NTDS | 2 System Owner/User Discovery | Distributed Component Object Model | Input Capture | 1 Proxy | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 2 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Steganography | Cached Domain Credentials | 53 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
Antivirus detection (Source / Detection / Scanner / Label):
• ZJat0NjKFO.exe / 70% / Virustotal
• ZJat0NjKFO.exe / 72% / ReversingLabs / Win32.Trojan.Danabot
• ZJat0NjKFO.exe / 100% / Avira / TR/Dropper.Gen
                        No Antivirus matches


                        No contacted domains info
URLs (Name / Source / Malicious / Antivirus Detection / Reputation):
• http://html4/loose.dtd / ZJat0NjKFO.exe / false / - / high
• http://www.openssl.org/support/faq.htmlRAND / ZJat0NjKFO.exe (process memory dumps) / false / - / high
• http://.css / ZJat0NjKFO.exe / false / - / high
• http://www.openssl.org/V / ZJat0NjKFO.exe (process memory dumps) / false / - / high
• http://.jpg / ZJat0NjKFO.exe / false / - / high
• http://www.openssl.org/support/faq.html / ZJat0NjKFO.exe (process memory dumps) / false / - / high
Contacted IPs (IP / Domain / Country / ASN / ASN Name / Malicious):
• 62.60.226.159 / unknown / Iran (Islamic Republic of) / 18013 / ASLINE-AS-AP ASLINE LIMITED, HK / false
• 62.60.226.158 / unknown / Iran (Islamic Republic of) / 18013 / ASLINE-AS-AP ASLINE LIMITED, HK / false
• 196.251.87.252 / unknown / Seychelles / 37417 / SONIC-Wireless, ZA / false
                                    Joe Sandbox version:42.0.0 Malachite
                                    Analysis ID:1646262
                                    Start date and time:2025-03-23 19:28:42 +01:00
                                    Joe Sandbox product:CloudBasic
                                    Overall analysis duration:0h 7m 17s
                                    Hypervisor based Inspection enabled:false
                                    Report type:full
                                    Cookbook file name:default.jbs
                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                    Run name:Run with higher sleep bypass
Number of new started processes analysed:8
                                    Number of new started drivers analysed:0
                                    Number of existing processes analysed:0
                                    Number of existing drivers analysed:0
                                    Number of injected processes analysed:0
                                    Technologies:
                                    • HCA enabled
                                    • EGA enabled
                                    • AMSI enabled
                                    Analysis Mode:default
                                    Analysis stop reason:Timeout
                                    Sample name:ZJat0NjKFO.exe
                                    renamed because original name is a hash value
                                    Original Sample Name:4ed421dcc07555bea823811932cd1b1d.exe
                                    Detection:MAL
                                    Classification:mal96.troj.spyw.evad.winEXE@1/10@0/3
                                    EGA Information:
                                    • Successful, ratio: 100%
                                    HCA Information:
                                    • Successful, ratio: 100%
                                    • Number of executed functions: 1
                                    • Number of non-executed functions: 1
                                    Cookbook Comments:
                                    • Found application associated with file extension: .exe
                                    • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                                    • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, conhost.exe
                                    • Excluded IPs from analysis (whitelisted): 184.31.69.3, 4.175.87.197, 20.223.35.26, 150.171.27.10
                                    • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, g.bing.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e16604.dscf.akamaiedge.net, arc.msn.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                    • Report size getting too big, too many NtEnumerateKey calls found.
                                    • Report size getting too big, too many NtEnumerateValueKey calls found.
                                    • Report size getting too big, too many NtOpenFile calls found.
                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                    No simulations
IP context (Match / Associated Sample Name / Detection / Threat Name):
• 62.60.226.159 / CLAIM3456709.lnk.bin.lnk / malicious / DanaBot
• 62.60.226.158 / CLAIM3456709.lnk.bin.lnk / malicious / DanaBot
• 196.251.87.252 / CLAIM3456709.lnk.bin.lnk / malicious / DanaBot
                                          No context
ASN context (Match / Associated Sample Name / Detection / Threat Name / IP):
ASLINE-AS-AP ASLINE LIMITED, HK:
• CLAIM3456709.lnk.bin.lnk / malicious / DanaBot / 62.60.226.158
• Nyx4r.m68k.elf / malicious / Okiru / 62.60.239.92
• Talksy (1).exe / malicious / Meduza Stealer, RHADAMANTHYS / 62.60.226.21
• nklm68k.elf / malicious / Unknown / 180.223.224.224
• aisolution_a.exe / malicious / RHADAMANTHYS / 62.60.226.101
• Talksy.exe / malicious / Unknown / 62.60.226.101
• Talksy.exe / malicious / Unknown / 62.60.226.101
• AgnotSecurity.exe / malicious / Unknown / 62.60.234.80
• AgnotSecurity.exe / malicious / Unknown / 62.60.234.80
SONIC-Wireless, ZA:
• pp.pd.exe / malicious / Unknown / 196.251.83.195
• CLAIM3456709.lnk.bin.lnk / malicious / DanaBot / 196.251.87.252
• zx4PJh6.exe1.exe / malicious / RHADAMANTHYS / 196.251.87.150
• http://url5681.planter.eco/ls/click?upn=u001.PX1-2BssefkOe686e7wTSUMqibxN-2FCUadbAKgpTv23cYOIQxMvH9FGLuwPON-2Ft4V08mI3EhMVAoZnU-2Br4hRroTgY6212B0nGnr8aV-2B5ZtDZ10DmDDkH6mdlmAzG8M-2BiNsGPGMX1iPzlrrdaY9R4kk4qHfVergkdfGzm-2BAmGL-2FwYqLpCth-2FU-2ByXRztop6mHKwMCk43gAzvI9DCKmBcEcJQKyQ-3D-3Da5U3_GwWzR5CPD3uhhoxi7nJtY0-2BQC5TKRtJEXtldUtgGNIU9EPMkwXhPBMhFexKYRqOhYUH1k-2FQVOT9D8S6mnbGzOTVeFZqZ2eiXdrD6GdHPzzO106h29UdS-2BIz4v5acd9FnatQanlGtMNJsbvRJRS5dF6-2BMeTnNy39wilhlMfgiqmmr792hlZiyIO30hIfNO7fmE4Qvw7CYEB9aPKMoYkpeVA-3D-3D / malicious / HTMLPhisher / 196.251.87.168
• mybestgirlformybestkissesever.vbs / malicious / Remcos / 196.251.85.180
• 0.vbs / malicious / Remcos / 196.251.85.180
• 1742466358c1821b2389018bb005e46d5392fc14878c05dcba9aa64e847fb563301b0b036b531.dat-decoded.exe / malicious / Remcos / 196.251.85.180
• jkse.arm5.elf / malicious / Unknown / 196.251.81.246
• jkse.mpsl.elf / malicious / Unknown / 196.251.81.246
                                          No context
                                          Process:C:\Users\user\Desktop\ZJat0NjKFO.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):139264
                                          Entropy (8bit):0.0
                                          Encrypted:false
                                          SSDEEP:3::
                                          MD5:79BFD1D69B2829B17AE13B80A6B48489
                                          SHA1:A1E5F2C1B77DD5BDA638AFBE33DB098F8E5C053A
                                          SHA-256:CD248E1CC2C0A9B30154D49CA21C8CBE35098927E06F6411B863BAFDB5CE0C15
                                          SHA-512:075F2CB4C86AA95338E9A8316867A8AE9BED3ED611ED175C540CDD609FA6E255D9C8A1DE79590B6EC04A7A1716BF7CD3AFCFDF5DE5D3F6EEC924040BB065E650
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\Desktop\ZJat0NjKFO.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):139264
                                          Entropy (8bit):0.0
                                          Encrypted:false
                                          SSDEEP:3::
                                          MD5:79BFD1D69B2829B17AE13B80A6B48489
                                          SHA1:A1E5F2C1B77DD5BDA638AFBE33DB098F8E5C053A
                                          SHA-256:CD248E1CC2C0A9B30154D49CA21C8CBE35098927E06F6411B863BAFDB5CE0C15
                                          SHA-512:075F2CB4C86AA95338E9A8316867A8AE9BED3ED611ED175C540CDD609FA6E255D9C8A1DE79590B6EC04A7A1716BF7CD3AFCFDF5DE5D3F6EEC924040BB065E650
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\Desktop\ZJat0NjKFO.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):40960
                                          Entropy (8bit):0.0
                                          Encrypted:false
                                          SSDEEP:3::
                                          MD5:AB893875D697A3145AF5EED5309BEE26
                                          SHA1:C90116149196CBF74FFB453ECB3B12945372EBFA
                                          SHA-256:02B1C2234680617802901A77EAE606AD02E4DDB4282CCBC60061EAC5B2D90BBA
                                          SHA-512:6B65C0A1956CE18DF2D271205F53274D2905C803D059A0801BF8331CCAA28A1D4842D3585DD9C2B01502A4BE6664BDE2E965B15FCFEC981E85EED37C595CD6BC
                                          Malicious:false
                                          Reputation:moderate, very likely benign file
                                          Process:C:\Users\user\Desktop\ZJat0NjKFO.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):196608
                                          Entropy (8bit):0.0
                                          Encrypted:false
                                          SSDEEP:3::
                                          MD5:EF2E0D18474B2151EF5876B1E89C2F1D
                                          SHA1:AEF9802FCF76C67D695BC77322BAE5400D3BBE82
                                          SHA-256:3381DE4CA9F3A477F25989DFC8B744E7916046B7AA369F61A9A2F7DC0963EC9E
                                          SHA-512:E81185705A3BD73645BF2B190BBF3AEE060C1C72F98FA39665F254A755B0A5723CE8296422874EB50C7B5E8D6BCD90175B0BA28061221039172A3F50E8902CC8
                                          Malicious:false
                                          Reputation:moderate, very likely benign file
                                          Process:C:\Users\user\Desktop\ZJat0NjKFO.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):20480
                                          Entropy (8bit):0.0
                                          Encrypted:false
                                          SSDEEP:3::
                                          MD5:DAA100DF6E6711906B61C9AB5AA16032
                                          SHA1:963FF6C2D517D188014D2EF3682C4797888E6D26
                                          SHA-256:CC61635DA46B2C9974335EA37E0B5FD660A5C8A42A89B271FA7EC2AC4B8B26F6
                                          SHA-512:548FAEE346D6C5700BB37D3D44B593E3C343CA7DC6B564F6D3DC7BD5463FBB925765D9C6EA3065BF19F3CCF7B2E1CB5C34C908057C60B62BE866D2566C0B9393
                                          Malicious:false
                                          Process:C:\Users\user\Desktop\ZJat0NjKFO.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):98304
                                          Entropy (8bit):0.0
                                          Encrypted:false
                                          SSDEEP:3::
                                          MD5:0A9156C4E3C48EF827980639C4D1E263
                                          SHA1:9F13A523321C66208E90D45F87FA0CD9B370E111
                                          SHA-256:3A3ED164E42500A1C5B2D0093F0A813D27DC50D038F330CC100A7E70ECE2E6E4
                                          SHA-512:8A46C1B44C0EA338AFF0D2E2D07C34430B67B68B6D27E1ADB8CF216B0F0994172CED106A90283F2F0469B5CAA40ACEDF101D45729B823E5179EA55AC507E04AD
                                          Malicious:false
                                          Process:C:\Users\user\Desktop\ZJat0NjKFO.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):32768
                                          Entropy (8bit):0.017262956703125623
                                          Encrypted:false
                                          SSDEEP:3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
                                          MD5:B7C14EC6110FA820CA6B65F5AEC85911
                                          SHA1:608EEB7488042453C9CA40F7E1398FC1A270F3F4
                                          SHA-256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
                                          SHA-512:D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
                                          Malicious:false
                                          Process:C:\Users\user\Desktop\ZJat0NjKFO.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):139264
                                          Entropy (8bit):0.0
                                          Encrypted:false
                                          SSDEEP:3::
                                          MD5:79BFD1D69B2829B17AE13B80A6B48489
                                          SHA1:A1E5F2C1B77DD5BDA638AFBE33DB098F8E5C053A
                                          SHA-256:CD248E1CC2C0A9B30154D49CA21C8CBE35098927E06F6411B863BAFDB5CE0C15
                                          SHA-512:075F2CB4C86AA95338E9A8316867A8AE9BED3ED611ED175C540CDD609FA6E255D9C8A1DE79590B6EC04A7A1716BF7CD3AFCFDF5DE5D3F6EEC924040BB065E650
                                          Malicious:false
                                          Process:C:\Users\user\Desktop\ZJat0NjKFO.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):51200
                                          Entropy (8bit):0.0
                                          Encrypted:false
                                          SSDEEP:3::
                                          MD5:BF235F22DF3E004EDE21041978C24F2E
                                          SHA1:7188972F71AEE4C62669330FF7776E48094B4D9D
                                          SHA-256:16FA66A7DC98D93F2A4C5D20BAF5177F59C4C37FC62FACE65690C11C15FE6FF9
                                          SHA-512:E76D7CBBAA2B3110D38425F7B579C6F94C29A162D3B4A3B9A4FEACEDE7CEC5EA5E30E455F9417A2C230390C78AB2FBC54C7B98C8F8F68955FE071C37C59D4046
                                          Malicious:false
                                          Process:C:\Users\user\Desktop\ZJat0NjKFO.exe
                                          File Type:data
                                          Category:modified
                                          Size (bytes):24576
                                          Entropy (8bit):0.0
                                          Encrypted:false
                                          SSDEEP:3::
                                          MD5:91FF0DAC5DF86E798BFEF5E573536B08
                                          SHA1:EBDD38B69CD5B9F2D00D273C981E16960FBBB4F7
                                          SHA-256:DE676BAE28A480011D3D012DB14BEF539324E62A841A9627863C689BEA168AF3
                                          SHA-512:F9C2CBDA26D1C3E32F54625B5488F7D51DBE59F6CB742CE98B5F9E9CED089E65327FC381284F7F287B513C1B860B6898A53CA46DF3CC4926BA0EB339F3C29BD3
                                          Malicious:false
                                          Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                          Entropy (8bit):7.17677538525722
                                          TrID:
                                          • Win32 Executable (generic) a (10002005/4) 99.55%
                                          • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                          • DOS Executable Generic (2002/1) 0.02%
                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                          File name:ZJat0NjKFO.exe
                                          File size:5'784'064 bytes
                                          MD5:4ed421dcc07555bea823811932cd1b1d
                                          SHA1:f4eb41c4fda51e598ac85d11a3d1bb9120844352
                                          SHA256:d99e56b65c148eb34afdaf489f8cd99a683e368dbb9c0e139b46a00299062599
                                          SHA512:3c256998c9afc6ee40289509eaa392f3561fdf1f26e26083d01c590cb9129735a5072edbb2a9e82596525fe685ec00fc10de5bc890e9153f6585e3edaf665d55
                                          SSDEEP:98304:qmDVhyY8fQ81aEb2v5vHCdkq7DpTWrJyERLV9L+Kg2jjm8:TqYsFvw5vak4p6r9V9SK/m
                                          TLSH:2A469F21F2C0A23FD0771A36C93A96A4697F77703A159C1F26E41D4C8F79A807A3635B
                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........X...9...9...9...A...9...9...9...F...9...F...9..Rich.9..........................PE..L......g...............$.8X..........FX....
                                          Icon Hash:90cececece8e8eb0
                                          Entrypoint:0x984600
                                          Entrypoint Section:.text
                                          Digitally signed:false
                                          Imagebase:0x400000
                                          Subsystem:windows gui
                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                          Time Stamp:0x67DC18B1 [Thu Mar 20 13:31:29 2025 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:
                                          OS Version Major:6
                                          OS Version Minor:0
                                          File Version Major:6
                                          File Version Minor:0
                                          Subsystem Version Major:6
                                          Subsystem Version Minor:0
                                          Import Hash:f797b427b11cf4700dcf1255251beadb
                                          Instruction
                                          push ebp
                                          mov ebp, esp
                                          sub esp, 2Ch
                                          mov dword ptr [ebp-10h], 00401000h
                                          push 00000040h
                                          push 00001000h
                                          mov eax, dword ptr [00986000h]
                                          push eax
                                          push 00000000h
                                          call dword ptr [00985000h]
                                          mov dword ptr [ebp-08h], eax
                                          mov dword ptr [ebp-04h], 00000000h
                                          jmp 00007F40EC82A90Bh
                                          mov ecx, dword ptr [ebp-04h]
                                          add ecx, 01h
                                          mov dword ptr [ebp-04h], ecx
                                          mov edx, dword ptr [ebp-04h]
                                          cmp edx, dword ptr [00986000h]
                                          jnl 00007F40EC82A914h
                                          mov eax, dword ptr [ebp-08h]
                                          add eax, dword ptr [ebp-04h]
                                          mov ecx, dword ptr [ebp-10h]
                                          add ecx, dword ptr [ebp-04h]
                                          mov dl, byte ptr [ecx]
                                          mov byte ptr [eax], dl
                                          jmp 00007F40EC82A8DCh
                                          call dword ptr [ebp-08h]
                                          push 00000000h
                                          push 00000000h
                                          push 00000000h
                                          lea eax, dword ptr [ebp-2Ch]
                                          push eax
                                          call dword ptr [00985010h]
                                          mov dword ptr [ebp-0Ch], eax
                                          cmp dword ptr [ebp-0Ch], 00000000h
                                          je 00007F40EC82A920h
                                          cmp dword ptr [ebp-0Ch], FFFFFFFFh
                                          jne 00007F40EC82A904h
                                          jmp 00007F40EC82A916h
                                          lea ecx, dword ptr [ebp-2Ch]
                                          push ecx
                                          call dword ptr [00985008h]
                                          lea edx, dword ptr [ebp-2Ch]
                                          push edx
                                          call dword ptr [0098500Ch]
                                          jmp 00007F40EC82A8CBh
                                          xor eax, eax
                                          mov esp, ebp
                                          pop ebp
                                          ret
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
Data directories (Name, Virtual Address, Virtual Size, Is in Section):
• IMAGE_DIRECTORY_ENTRY_EXPORT: 0x0, 0x0
• IMAGE_DIRECTORY_ENTRY_IMPORT: 0x585120, 0x3c, .rdata
• IMAGE_DIRECTORY_ENTRY_RESOURCE: 0x0, 0x0
• IMAGE_DIRECTORY_ENTRY_EXCEPTION: 0x0, 0x0
• IMAGE_DIRECTORY_ENTRY_SECURITY: 0x0, 0x0
• IMAGE_DIRECTORY_ENTRY_BASERELOC: 0x587000, 0x18, .reloc
• IMAGE_DIRECTORY_ENTRY_DEBUG: 0x585018, 0x1c, .rdata
• IMAGE_DIRECTORY_ENTRY_COPYRIGHT: 0x0, 0x0
• IMAGE_DIRECTORY_ENTRY_GLOBALPTR: 0x0, 0x0
• IMAGE_DIRECTORY_ENTRY_TLS: 0x0, 0x0
• IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG: 0x0, 0x0
• IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT: 0x0, 0x0
• IMAGE_DIRECTORY_ENTRY_IAT: 0x585000, 0x18, .rdata
• IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT: 0x0, 0x0
• IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR: 0x0, 0x0
• IMAGE_DIRECTORY_ENTRY_RESERVED: 0x0, 0x0
Sections (Name, Virtual Address, Virtual Size, Raw Size, MD5, Xored PE, ZLIB Complexity, File Type, Entropy, Characteristics):
• .text: 0x1000, 0x583694, 0x583800, MD5 c2d9f0be08509633fcce1a4b010b4f82, Xored PE unknown, ZLIB Complexity unknown, File Type unknown, Entropy unknown, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
• .rdata: 0x585000, 0x1d4, 0x200, MD5 55afb148d4a7c105cdef639dc04524a2, Xored PE False, ZLIB Complexity 0.525390625, File Type data, Entropy 3.8381525004666255, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
• .data: 0x586000, 0x4, 0x200, MD5 eb70eb902d33687ea54b86d60a93a695, Xored PE False, ZLIB Complexity 0.03125, File Type data, Entropy 0.06116285224115448, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
• .reloc: 0x587000, 0x18, 0x200, MD5 84e41215f5f986fed9ece38cdf7ed37a, Xored PE False, ZLIB Complexity 0.068359375, File Type data, Entropy 0.30754410475965943, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Imports (DLL: functions):
• KERNEL32.dll: VirtualAlloc
• USER32.dll: TranslateMessage, DispatchMessageA, GetMessageA

Download Network PCAP: filtered / full

[Chart residue: process activity timeline (0-150 s, 0-100) and memory usage timeline (0-150 s, 0-60 MB); behavior distribution legend: File, Registry, Network]

                                          Target ID:0
                                          Start time:14:29:35
                                          Start date:23/03/2025
                                          Path:C:\Users\user\Desktop\ZJat0NjKFO.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\Desktop\ZJat0NjKFO.exe"
                                          Imagebase:0xbc0000
                                          File size:5'784'064 bytes
                                          MD5 hash:4ED421DCC07555BEA823811932CD1B1D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:Borland Delphi
                                          Yara matches:
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.3182740357.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000000.00000002.3182740357.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000000.1304168551.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000000.00000000.1304168551.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.3183069219.00000000036A9000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000000.00000002.3183069219.00000000036A9000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.3182013031.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000000.00000002.3182013031.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                          Reputation:low
                                          Has exited:false

                                          Execution Graph

                                          Execution Coverage

                                          Dynamic/Packed Code Coverage

                                          Signature Coverage

                                          Execution Coverage:0.1%
                                          Dynamic/Decrypted Code Coverage:0%
                                          Signature Coverage:21.4%
                                          Total number of Nodes:14
                                          Total number of Limit Nodes:1

                                          Executed Functions

                                          Control-flow Graph

                                          APIs
                                          • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 0114461C
                                          • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 01144661
                                          • TranslateMessage.USER32(?), ref: 0114467C
                                          • DispatchMessageA.USER32(?), ref: 01144686
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3182013031.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
• Associated: 00000000.00000002.3181993491.0000000000BC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3182370745.0000000001145000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_bc0000_ZJat0NjKFO.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Message$AllocDispatchTranslateVirtual
                                          • String ID:
                                          • API String ID: 3769999780-0
                                          • Opcode ID: 324e48e0d168f804709204bfbfe7f93ec4831ad1ccd0e51ce5cb5052a5acb77c
                                          • Instruction ID: ea422bcf33c9124a2add471de265f9ed06a956ad2d40e6c26adba5d6e1993ab8
                                          • Opcode Fuzzy Hash: 324e48e0d168f804709204bfbfe7f93ec4831ad1ccd0e51ce5cb5052a5acb77c
                                          • Instruction Fuzzy Hash: 131173B8D00208EFDB18CFE4D845BECB775BF08B09F108194E525A7284C7706A84CF55

                                          Non-executed Functions

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.3182013031.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
• Associated: 00000000.00000002.3181993491.0000000000BC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3182370745.0000000001145000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_bc0000_ZJat0NjKFO.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c7ed2e96bf3236041d15fde74f8508bcbe0546e6fedc7878144159f0d8a520d0
                                          • Instruction ID: 49c6990ee43887b7dc9cbe75c2a71e81c36ac22a187aa22a9e1e7c2aecc3f483
                                          • Opcode Fuzzy Hash: c7ed2e96bf3236041d15fde74f8508bcbe0546e6fedc7878144159f0d8a520d0
                                          • Instruction Fuzzy Hash: 29F019F8619110CBD65A8B5C85D4F3473F8AB43760B658CDFA0167B613DA28AC0AAA51