Edit tour

Windows Analysis Report
ZJat0NjKFO.exe

Overview

General Information

Sample name:	ZJat0NjKFO.exe renamed because original name is a hash value
Original sample name:	4ed421dcc07555bea823811932cd1b1d.exe
Analysis ID:	1646262
MD5:	4ed421dcc07555bea823811932cd1b1d
SHA1:	f4eb41c4fda51e598ac85d11a3d1bb9120844352
SHA256:	d99e56b65c148eb34afdaf489f8cd99a683e368dbb9c0e139b46a00299062599
Tags:	DanaBotexeuser-abuse_ch
Infos:

Detection

DanaBot

Score:	96
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected unpacking (creates a PE file in dynamic memory)

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected DanaBot stealer dll

Joe Sandbox ML detected suspicious sample

May use the Tor software to hide its network traffic

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Enables debug privileges

May sleep (evasive loops) to hinder dynamic analysis

Queries information about the installed CPU (vendor, model number etc)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the installation date of Windows

Queries the product ID of Windows

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

ZJat0NjKFO.exe (PID: 8876 cmdline: "C:\Users\user\Desktop\ZJat0NjKFO.exe" MD5: 4ED421DCC07555BEA823811932CD1B1D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DanaBot	Proofpoints describes DanaBot as the latest example of malware focused on persistence and stealing useful information that can later be monetized rather than demanding an immediate ransom from victims. The social engineering in the low-volume DanaBot campaigns we have observed so far has been well-crafted, again pointing to a renewed focus on quality over quantity in email-based threats. DanaBots modular nature enables it to download additional components, increasing the flexibility and robust stealing and remote monitoring capabilities of this banker.	SCULLY SPIDER	https://asec.ahnlab.com/en/30445/ https://asert.arbornetworks.com/danabots-travels-a-global-perspective/ https://assets.virustotal.com/reports/2021trends.pdf https://blog.lexfo.fr/danabot-malware.html https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/	https://malpedia.caad.fkie.fraunhofer.de/details/win.danabot

Malware Configuration

⊘No configs have been found

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
ZJat0NjKFO.exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
ZJat0NjKFO.exe	JoeSecurity_DanaBot_stealer_dll	Yara detected DanaBot stealer dll	Joe Security
ZJat0NjKFO.exe	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x32ede8:$f1: FileZilla\recentservers.xml 0x32eda4:$f2: FileZilla\sitemanager.xml 0x35a382:$b1: Chrome\User Data\ 0x360fc6:$b1: Chrome\User Data\ 0x361ae2:$b1: Chrome\User Data\ 0x3415d2:$b2: Mozilla\Firefox\Profiles 0x3552ae:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x38022e:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x353c98:$b4: Opera Software\Opera Stable\Login Data 0x35a452:$b5: YandexBrowser\User Data\ 0x372e9c:$s5: account.cfn 0x353176:$s6: wand.dat 0x352c2a:$a1: username_value 0x3591f6:$a1: username_value 0x3594c6:$a1: username_value 0x35b97a:$a1: username_value 0x352c56:$a2: password_value 0x35924e:$a2: password_value 0x35951e:$a2: password_value 0x35b9d2:$a2: password_value 0x35ca76:$a3: encryptedUsername

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.3182740357.0000000003100000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.3182740357.0000000003100000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_DanaBot_stealer_dll	Yara detected DanaBot stealer dll	Joe Security
00000000.00000000.1304168551.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000000.1304168551.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_DanaBot_stealer_dll	Yara detected DanaBot stealer dll	Joe Security
00000000.00000002.3183069219.00000000036A9000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.3183069219.00000000036A9000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_DanaBot_stealer_dll	Yara detected DanaBot stealer dll	Joe Security
00000000.00000002.3182013031.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.3182013031.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_DanaBot_stealer_dll	Yara detected DanaBot stealer dll	Joe Security
Process Memory Space: ZJat0NjKFO.exe PID: 8876	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: ZJat0NjKFO.exe PID: 8876	JoeSecurity_DanaBot_stealer_dll	Yara detected DanaBot stealer dll	Joe Security
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.ZJat0NjKFO.exe.3690000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.ZJat0NjKFO.exe.3690000.1.unpack	JoeSecurity_DanaBot_stealer_dll	Yara detected DanaBot stealer dll	Joe Security
0.2.ZJat0NjKFO.exe.3690000.1.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x32dbf6:$f1: FileZilla\recentservers.xml 0x32dbb2:$f2: FileZilla\sitemanager.xml 0x359190:$b1: Chrome\User Data\ 0x35fdd4:$b1: Chrome\User Data\ 0x3608f0:$b1: Chrome\User Data\ 0x3403e0:$b2: Mozilla\Firefox\Profiles 0x3540bc:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x37f03c:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x352aa6:$b4: Opera Software\Opera Stable\Login Data 0x359260:$b5: YandexBrowser\User Data\ 0x371caa:$s5: account.cfn 0x351f84:$s6: wand.dat 0x351a38:$a1: username_value 0x358004:$a1: username_value 0x3582d4:$a1: username_value 0x35a788:$a1: username_value 0x351a64:$a2: password_value 0x35805c:$a2: password_value 0x35832c:$a2: password_value 0x35a7e0:$a2: password_value 0x35b884:$a3: encryptedUsername
0.0.ZJat0NjKFO.exe.bc0000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.0.ZJat0NjKFO.exe.bc0000.0.unpack	JoeSecurity_DanaBot_stealer_dll	Yara detected DanaBot stealer dll	Joe Security
0.0.ZJat0NjKFO.exe.bc0000.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x32ede8:$f1: FileZilla\recentservers.xml 0x32eda4:$f2: FileZilla\sitemanager.xml 0x35a382:$b1: Chrome\User Data\ 0x360fc6:$b1: Chrome\User Data\ 0x361ae2:$b1: Chrome\User Data\ 0x3415d2:$b2: Mozilla\Firefox\Profiles 0x3552ae:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x38022e:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x353c98:$b4: Opera Software\Opera Stable\Login Data 0x35a452:$b5: YandexBrowser\User Data\ 0x372e9c:$s5: account.cfn 0x353176:$s6: wand.dat 0x352c2a:$a1: username_value 0x3591f6:$a1: username_value 0x3594c6:$a1: username_value 0x35b97a:$a1: username_value 0x352c56:$a2: password_value 0x35924e:$a2: password_value 0x35951e:$a2: password_value 0x35b9d2:$a2: password_value 0x35ca76:$a3: encryptedUsername
0.2.ZJat0NjKFO.exe.bc0000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.ZJat0NjKFO.exe.bc0000.0.unpack	JoeSecurity_DanaBot_stealer_dll	Yara detected DanaBot stealer dll	Joe Security
0.2.ZJat0NjKFO.exe.bc0000.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x32ede8:$f1: FileZilla\recentservers.xml 0x32eda4:$f2: FileZilla\sitemanager.xml 0x35a382:$b1: Chrome\User Data\ 0x360fc6:$b1: Chrome\User Data\ 0x361ae2:$b1: Chrome\User Data\ 0x3415d2:$b2: Mozilla\Firefox\Profiles 0x3552ae:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x38022e:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x353c98:$b4: Opera Software\Opera Stable\Login Data 0x35a452:$b5: YandexBrowser\User Data\ 0x372e9c:$s5: account.cfn 0x353176:$s6: wand.dat 0x352c2a:$a1: username_value 0x3591f6:$a1: username_value 0x3594c6:$a1: username_value 0x35b97a:$a1: username_value 0x352c56:$a2: password_value 0x35924e:$a2: password_value 0x35951e:$a2: password_value 0x35b9d2:$a2: password_value 0x35ca76:$a3: encryptedUsername
Click to see the 4 entries

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

• AV Detection
• Compliance
• Spreading
• Networking
• E-Banking Fraud
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection
• Stealing of Sensitive Information
• Remote Access Functionality

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: ZJat0NjKFO.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: ZJat0NjKFO.exe	Virustotal: Detection: 69%			Perma Link
Source: ZJat0NjKFO.exe	ReversingLabs: Detection: 72%

Yara detected DanaBot stealer dll

Source: Yara match	File source: ZJat0NjKFO.exe, type: SAMPLE
Source: Yara match	File source: 0.2.ZJat0NjKFO.exe.3690000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.ZJat0NjKFO.exe.bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ZJat0NjKFO.exe.bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3182740357.0000000003100000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1304168551.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3183069219.00000000036A9000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3182013031.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ZJat0NjKFO.exe PID: 8876, type: MEMORYSTR

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Compliance

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\Desktop\ZJat0NjKFO.exe

Unpacked PE file: 0.2.ZJat0NjKFO.exe.3690000.1.unpack

Source: ZJat0NjKFO.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: ZJat0NjKFO.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	File opened: C:\Users\user\AppData	Jump to behavior

Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.87.252
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.87.252
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.87.252
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.158
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.158
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.158
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.159
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.159
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.159
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.159
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.87.252
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.87.252
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.87.252
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.87.252
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.87.252
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.87.252
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.87.252
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.87.252
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.158
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.158
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.158
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.158
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.159
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.159
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.159
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.159
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.87.252
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.87.252
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.87.252
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.87.252
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.87.252
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.87.252
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.87.252
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.87.252
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.158
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.158
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.158
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.158
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.159
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.159
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.159
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.159
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.87.252
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.87.252
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.87.252
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.87.252

Source: ZJat0NjKFO.exe	String found in binary or memory: http://.css
Source: ZJat0NjKFO.exe	String found in binary or memory: http://.jpg
Source: ZJat0NjKFO.exe	String found in binary or memory: http://html4/loose.dtd
Source: ZJat0NjKFO.exe, 00000000.00000003.1306438052.000000007DB40000.00000004.00001000.00020000.00000000.sdmp, ZJat0NjKFO.exe, 00000000.00000003.1306592537.000000007DF10000.00000004.00001000.00020000.00000000.sdmp, ZJat0NjKFO.exe, 00000000.00000002.3184306742.0000000063469000.00000040.00001000.00020000.00000000.sdmp, ZJat0NjKFO.exe, 00000000.00000003.1309297174.000000007DB60000.00000004.00001000.00020000.00000000.sdmp, ZJat0NjKFO.exe, 00000000.00000003.1307735684.000000007DCC0000.00000004.00001000.00020000.00000000.sdmp, ZJat0NjKFO.exe, 00000000.00000003.1308515179.000000007ED50000.00000004.00001000.00020000.00000000.sdmp, ZJat0NjKFO.exe, 00000000.00000002.3184487900.000000006E66F000.00000040.00001000.00020000.00000000.sdmp, ZJat0NjKFO.exe, 00000000.00000003.1307336823.000000007D8A0000.00000004.00001000.00020000.00000000.sdmp, ZJat0NjKFO.exe, 00000000.00000003.1308443894.000000007EC90000.00000004.00001000.00020000.00000000.sdmp, ZJat0NjKFO.exe, 00000000.00000003.1307925283.000000007DD40000.00000004.00001000.00020000.00000000.sdmp, ZJat0NjKFO.exe, 00000000.00000003.1307828736.000000007DC20000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.openssl.org/V
Source: ZJat0NjKFO.exe, 00000000.00000003.1306438052.000000007DB40000.00000004.00001000.00020000.00000000.sdmp, ZJat0NjKFO.exe, 00000000.00000003.1306592537.000000007DF10000.00000004.00001000.00020000.00000000.sdmp, ZJat0NjKFO.exe, 00000000.00000002.3184306742.0000000063281000.00000040.00001000.00020000.00000000.sdmp, ZJat0NjKFO.exe, 00000000.00000003.1308515179.000000007ED50000.00000004.00001000.00020000.00000000.sdmp, ZJat0NjKFO.exe, 00000000.00000003.1306113226.000000007DE90000.00000004.00001000.00020000.00000000.sdmp, ZJat0NjKFO.exe, 00000000.00000003.1307336823.000000007D8A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.openssl.org/support/faq.html
Source: ZJat0NjKFO.exe, 00000000.00000003.1306438052.000000007DB40000.00000004.00001000.00020000.00000000.sdmp, ZJat0NjKFO.exe, 00000000.00000003.1306592537.000000007DF10000.00000004.00001000.00020000.00000000.sdmp, ZJat0NjKFO.exe, 00000000.00000002.3184306742.0000000063281000.00000040.00001000.00020000.00000000.sdmp, ZJat0NjKFO.exe, 00000000.00000003.1308515179.000000007ED50000.00000004.00001000.00020000.00000000.sdmp, ZJat0NjKFO.exe, 00000000.00000003.1306113226.000000007DE90000.00000004.00001000.00020000.00000000.sdmp, ZJat0NjKFO.exe, 00000000.00000003.1307336823.000000007D8A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.openssl.org/support/faq.htmlRAND
Source: ZJat0NjKFO.exe, 00000000.00000002.3182521075.00000000016C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: ZJat0NjKFO.exe, 00000000.00000002.3182521075.00000000016C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: ZJat0NjKFO.exe, 00000000.00000002.3182521075.00000000016C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033B
Source: ZJat0NjKFO.exe, 00000000.00000002.3182521075.00000000016C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

E-Banking Fraud

Yara detected DanaBot stealer dll

Source: Yara match	File source: ZJat0NjKFO.exe, type: SAMPLE
Source: Yara match	File source: 0.2.ZJat0NjKFO.exe.3690000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.ZJat0NjKFO.exe.bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ZJat0NjKFO.exe.bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3182740357.0000000003100000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1304168551.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3183069219.00000000036A9000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3182013031.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ZJat0NjKFO.exe PID: 8876, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: ZJat0NjKFO.exe, type: SAMPLE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.ZJat0NjKFO.exe.3690000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.0.ZJat0NjKFO.exe.bc0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.ZJat0NjKFO.exe.bc0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen

Source: ZJat0NjKFO.exe, 00000000.00000003.1306438052.000000007DB40000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibeay32.dllH vs ZJat0NjKFO.exe
Source: ZJat0NjKFO.exe, 00000000.00000003.1306592537.000000007DF10000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibeay32.dllH vs ZJat0NjKFO.exe
Source: ZJat0NjKFO.exe, 00000000.00000002.3184306742.0000000063469000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibeay32.dllH vs ZJat0NjKFO.exe
Source: ZJat0NjKFO.exe, 00000000.00000003.1309297174.000000007DB60000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamessleay32.dllH vs ZJat0NjKFO.exe
Source: ZJat0NjKFO.exe, 00000000.00000003.1307735684.000000007DCC0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamessleay32.dllH vs ZJat0NjKFO.exe
Source: ZJat0NjKFO.exe, 00000000.00000003.1308515179.000000007ED50000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibeay32.dllH vs ZJat0NjKFO.exe
Source: ZJat0NjKFO.exe, 00000000.00000002.3184487900.000000006E66F000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamessleay32.dllH vs ZJat0NjKFO.exe
Source: ZJat0NjKFO.exe, 00000000.00000003.1307336823.000000007D8A0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibeay32.dllH vs ZJat0NjKFO.exe
Source: ZJat0NjKFO.exe, 00000000.00000003.1308443894.000000007EC90000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamessleay32.dllH vs ZJat0NjKFO.exe
Source: ZJat0NjKFO.exe, 00000000.00000003.1307925283.000000007DD40000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamessleay32.dllH vs ZJat0NjKFO.exe
Source: ZJat0NjKFO.exe, 00000000.00000003.1307828736.000000007DC20000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamessleay32.dllH vs ZJat0NjKFO.exe

Source: ZJat0NjKFO.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: ZJat0NjKFO.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.ZJat0NjKFO.exe.3690000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.0.ZJat0NjKFO.exe.bc0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.ZJat0NjKFO.exe.bc0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers

Source: classification engine

Classification label: mal96.troj.spyw.evad.winEXE@1/10@0/3

Source: C:\Users\user\Desktop\ZJat0NjKFO.exe

File created: C:\Users\user\AppData\Local\Temp\Fshrfy

Jump to behavior

Source: ZJat0NjKFO.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\ZJat0NjKFO.exe

Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Jump to behavior

Source: C:\Users\user\Desktop\ZJat0NjKFO.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\ZJat0NjKFO.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\ZJat0NjKFO.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: ZJat0NjKFO.exe, ZJat0NjKFO.exe, 00000000.00000000.1304168551.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, ZJat0NjKFO.exe, 00000000.00000002.3182740357.0000000003100000.00000040.00001000.00020000.00000000.sdmp, ZJat0NjKFO.exe, 00000000.00000002.3183069219.00000000036A9000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: ZJat0NjKFO.exe, ZJat0NjKFO.exe, 00000000.00000000.1304168551.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, ZJat0NjKFO.exe, 00000000.00000002.3182740357.0000000003100000.00000040.00001000.00020000.00000000.sdmp, ZJat0NjKFO.exe, 00000000.00000002.3183069219.00000000036A9000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: ZJat0NjKFO.exe, ZJat0NjKFO.exe, 00000000.00000000.1304168551.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, ZJat0NjKFO.exe, 00000000.00000002.3182740357.0000000003100000.00000040.00001000.00020000.00000000.sdmp, ZJat0NjKFO.exe, 00000000.00000002.3183069219.00000000036A9000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: ZJat0NjKFO.exe, 00000000.00000000.1304168551.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, ZJat0NjKFO.exe, 00000000.00000002.3182740357.0000000003100000.00000040.00001000.00020000.00000000.sdmp, ZJat0NjKFO.exe, 00000000.00000002.3183069219.00000000036A9000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: ZJat0NjKFO.exe, 00000000.00000003.1458692961.00000000016E3000.00000004.00000020.00020000.00000000.sdmp, ZJat0NjKFO.exe, 00000000.00000003.1455129857.00000000053A4000.00000004.00000020.00020000.00000000.sdmp, ZJat0NjKFO.exe, 00000000.00000003.1458907011.00000000053A2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: ZJat0NjKFO.exe	Virustotal: Detection: 69%
Source: ZJat0NjKFO.exe	ReversingLabs: Detection: 72%

Source: ZJat0NjKFO.exe	String found in binary or memory: t xml:space=.gif" border="0"</body> </html> overflow:hidden;img src="http://addEventListenerresponsible for s.js"></script> /favicon.ico" />operating system" style="width:1target="_blank">State Universitytext-align:left; document.write(, including the around t
Source: ZJat0NjKFO.exe	String found in binary or memory: /Address family not supported by protocol family
Source: ZJat0NjKFO.exe	String found in binary or memory: overflow:hidden;img src="http://addEventListenerresponsible for s.js"></script>

Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Section loaded: avifil32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Section loaded: cryptui.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Section loaded: pstorec.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Section loaded: mmdevapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Section loaded: audioses.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Section loaded: logoncli.dll	Jump to behavior

Source: C:\Users\user\Desktop\ZJat0NjKFO.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\ZJat0NjKFO.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Source: ZJat0NjKFO.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: ZJat0NjKFO.exe

Static file information: File size 5784064 > 1048576

Source: ZJat0NjKFO.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x583800

Source: ZJat0NjKFO.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: ZJat0NjKFO.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\Desktop\ZJat0NjKFO.exe

Unpacked PE file: 0.2.ZJat0NjKFO.exe.3690000.1.unpack

Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Code function: 0_2_00BE50C6 push ecx; mov dword ptr [esp], ecx	0_2_00BE50C9
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Code function: 0_2_00BE9A0A push 004288B1h; ret	0_2_00BE9A9B
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Code function: 0_2_00BD231E push 004111AFh; ret	0_2_00BD2399
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Code function: 0_2_00BDB346 push 0041A18Ch; ret	0_2_00BDB376
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Code function: 0_2_00BC860A push ecx; mov dword ptr [esp], eax	0_2_00BC860B

Hooking and other Techniques for Hiding and Protection

May use the Tor software to hide its network traffic

Source: ZJat0NjKFO.exe

Binary or memory string: torConnect

Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter

Source: C:\Users\user\Desktop\ZJat0NjKFO.exe

Thread delayed: delay time: 360000

Jump to behavior

Source: C:\Users\user\Desktop\ZJat0NjKFO.exe TID: 8928	Thread sleep time: -75075s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe TID: 8904	Thread sleep time: -116000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe TID: 8880	Thread sleep time: -360000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\ZJat0NjKFO.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_ComputerSystem

Source: C:\Users\user\Desktop\ZJat0NjKFO.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Thread delayed: delay time: 75075			Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Thread delayed: delay time: 360000			Jump to behavior

Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	File opened: C:\Users\user\AppData	Jump to behavior

Source: ZJat0NjKFO.exe, 00000000.00000003.1458003734.00000000016E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: ZJat0NjKFO.exe, 00000000.00000003.1458003734.00000000016E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: ZJat0NjKFO.exe, 00000000.00000003.1458003734.00000000016E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: ZJat0NjKFO.exe, 00000000.00000003.1458003734.00000000016E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: ZJat0NjKFO.exe, 00000000.00000003.1458003734.00000000016E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: ZJat0NjKFO.exe, 00000000.00000003.1458003734.00000000016E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: ZJat0NjKFO.exe, 00000000.00000003.1458003734.00000000016E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: ZJat0NjKFO.exe, 00000000.00000003.1458003734.00000000016E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: ZJat0NjKFO.exe, 00000000.00000003.1458003734.00000000016E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: ZJat0NjKFO.exe, 00000000.00000003.1458003734.00000000016E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: ZJat0NjKFO.exe, 00000000.00000003.1458003734.00000000016E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: ZJat0NjKFO.exe, 00000000.00000003.1458003734.00000000016E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: ZJat0NjKFO.exe, 00000000.00000003.1458003734.00000000016E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: ZJat0NjKFO.exe, 00000000.00000003.1458003734.00000000016E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: ZJat0NjKFO.exe, 00000000.00000003.1458003734.00000000016E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: ZJat0NjKFO.exe, 00000000.00000002.3182521075.000000000166E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: ZJat0NjKFO.exe, 00000000.00000003.1458003734.00000000016E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: ZJat0NjKFO.exe, 00000000.00000003.1458003734.00000000016E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: ZJat0NjKFO.exe, 00000000.00000003.1458003734.00000000016E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: ZJat0NjKFO.exe, 00000000.00000003.1458003734.00000000016E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: ZJat0NjKFO.exe, 00000000.00000003.1458003734.00000000016E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: ZJat0NjKFO.exe, 00000000.00000003.1458003734.00000000016E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: ZJat0NjKFO.exe, 00000000.00000003.1458003734.00000000016E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: ZJat0NjKFO.exe, 00000000.00000003.1458003734.00000000016E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: ZJat0NjKFO.exe, 00000000.00000003.1458003734.00000000016E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: ZJat0NjKFO.exe, 00000000.00000003.1458003734.00000000016E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: ZJat0NjKFO.exe, 00000000.00000003.1458003734.00000000016E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: ZJat0NjKFO.exe, 00000000.00000003.1458003734.00000000016E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: ZJat0NjKFO.exe, 00000000.00000003.1458003734.00000000016E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: ZJat0NjKFO.exe, 00000000.00000003.1458003734.00000000016E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: ZJat0NjKFO.exe, 00000000.00000003.1458003734.00000000016E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: ZJat0NjKFO.exe, 00000000.00000003.1458003734.00000000016E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\Desktop\ZJat0NjKFO.exe

Code function: 0_2_00BC1763 mov eax, dword ptr fs:[00000030h]

0_2_00BC1763

Source: C:\Users\user\Desktop\ZJat0NjKFO.exe

Process token adjusted: Debug

Jump to behavior

Source: ZJat0NjKFO.exe	Binary or memory string: Shell_TrayWnd
Source: ZJat0NjKFO.exe	Binary or memory string: Shell_TrayWndTrayNotifyWndSysPagerToolbarWindow32U
Source: ZJat0NjKFO.exe	Binary or memory string: explorer.exeShell_TrayWnd

Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior

Source: C:\Users\user\Desktop\ZJat0NjKFO.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Source: C:\Users\user\Desktop\ZJat0NjKFO.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId

Jump to behavior

Source: C:\Users\user\Desktop\ZJat0NjKFO.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\ZJat0NjKFO.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected DanaBot stealer dll

Source: Yara match	File source: ZJat0NjKFO.exe, type: SAMPLE
Source: Yara match	File source: 0.2.ZJat0NjKFO.exe.3690000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.ZJat0NjKFO.exe.bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ZJat0NjKFO.exe.bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3182740357.0000000003100000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1304168551.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3183069219.00000000036A9000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3182013031.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ZJat0NjKFO.exe PID: 8876, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Preferences	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\ZJat0NjKFO.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Source: Yara match	File source: ZJat0NjKFO.exe, type: SAMPLE
Source: Yara match	File source: 0.2.ZJat0NjKFO.exe.3690000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.ZJat0NjKFO.exe.bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ZJat0NjKFO.exe.bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3182740357.0000000003100000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1304168551.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3183069219.00000000036A9000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3182013031.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ZJat0NjKFO.exe PID: 8876, type: MEMORYSTR

Remote Access Functionality

Yara detected DanaBot stealer dll

Source: Yara match	File source: ZJat0NjKFO.exe, type: SAMPLE
Source: Yara match	File source: 0.2.ZJat0NjKFO.exe.3690000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.ZJat0NjKFO.exe.bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ZJat0NjKFO.exe.bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3182740357.0000000003100000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1304168551.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3183069219.00000000036A9000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3182013031.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ZJat0NjKFO.exe PID: 8876, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	131 Virtualization/Sandbox Evasion	1 OS Credential Dumping	111 Security Software Discovery	Remote Services	1 Data from Local System	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Multi-hop Proxy	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	131 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Software Packing	NTDS	2 System Owner/User Discovery	Distributed Component Object Model	Input Capture	1 Proxy	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	53 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
ZJat0NjKFO.exe	70%	Virustotal		Browse
ZJat0NjKFO.exe	72%	ReversingLabs	Win32.Trojan.Danabot
ZJat0NjKFO.exe	100%	Avira	TR/Dropper.Gen

Name	Source	Malicious	Reputation
http://html4/loose.dtd	ZJat0NjKFO.exe	false	high
http://www.openssl.org/support/faq.htmlRAND	ZJat0NjKFO.exe, 00000000.00000003.1306438052.000000007DB40000.00000004.00001000.00020000.00000000.sdmp, ZJat0NjKFO.exe, 00000000.00000003.1306592537.000000007DF10000.00000004.00001000.00020000.00000000.sdmp, ZJat0NjKFO.exe, 00000000.00000002.3184306742.0000000063281000.00000040.00001000.00020000.00000000.sdmp, ZJat0NjKFO.exe, 00000000.00000003.1308515179.000000007ED50000.00000004.00001000.00020000.00000000.sdmp, ZJat0NjKFO.exe, 00000000.00000003.1306113226.000000007DE90000.00000004.00001000.00020000.00000000.sdmp, ZJat0NjKFO.exe, 00000000.00000003.1307336823.000000007D8A0000.00000004.00001000.00020000.00000000.sdmp	false	high
http://.css	ZJat0NjKFO.exe	false	high
http://www.openssl.org/V	ZJat0NjKFO.exe, 00000000.00000003.1306438052.000000007DB40000.00000004.00001000.00020000.00000000.sdmp, ZJat0NjKFO.exe, 00000000.00000003.1306592537.000000007DF10000.00000004.00001000.00020000.00000000.sdmp, ZJat0NjKFO.exe, 00000000.00000002.3184306742.0000000063469000.00000040.00001000.00020000.00000000.sdmp, ZJat0NjKFO.exe, 00000000.00000003.1309297174.000000007DB60000.00000004.00001000.00020000.00000000.sdmp, ZJat0NjKFO.exe, 00000000.00000003.1307735684.000000007DCC0000.00000004.00001000.00020000.00000000.sdmp, ZJat0NjKFO.exe, 00000000.00000003.1308515179.000000007ED50000.00000004.00001000.00020000.00000000.sdmp, ZJat0NjKFO.exe, 00000000.00000002.3184487900.000000006E66F000.00000040.00001000.00020000.00000000.sdmp, ZJat0NjKFO.exe, 00000000.00000003.1307336823.000000007D8A0000.00000004.00001000.00020000.00000000.sdmp, ZJat0NjKFO.exe, 00000000.00000003.1308443894.000000007EC90000.00000004.00001000.00020000.00000000.sdmp, ZJat0NjKFO.exe, 00000000.00000003.1307925283.000000007DD40000.00000004.00001000.00020000.00000000.sdmp, ZJat0NjKFO.exe, 00000000.00000003.1307828736.000000007DC20000.00000004.00001000.00020000.00000000.sdmp	false	high
http://.jpg	ZJat0NjKFO.exe	false	high
http://www.openssl.org/support/faq.html	ZJat0NjKFO.exe, 00000000.00000003.1306438052.000000007DB40000.00000004.00001000.00020000.00000000.sdmp, ZJat0NjKFO.exe, 00000000.00000003.1306592537.000000007DF10000.00000004.00001000.00020000.00000000.sdmp, ZJat0NjKFO.exe, 00000000.00000002.3184306742.0000000063281000.00000040.00001000.00020000.00000000.sdmp, ZJat0NjKFO.exe, 00000000.00000003.1308515179.000000007ED50000.00000004.00001000.00020000.00000000.sdmp, ZJat0NjKFO.exe, 00000000.00000003.1306113226.000000007DE90000.00000004.00001000.00020000.00000000.sdmp, ZJat0NjKFO.exe, 00000000.00000003.1307336823.000000007D8A0000.00000004.00001000.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
62.60.226.159	unknown	Iran (ISLAMIC Republic Of)	18013	ASLINE-AS-APASLINELIMITEDHK	false
62.60.226.158	unknown	Iran (ISLAMIC Republic Of)	18013	ASLINE-AS-APASLINELIMITEDHK	false
196.251.87.252	unknown	Seychelles	37417	SONIC-WirelessZA	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1646262
Start date and time:	2025-03-23 19:28:42 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 17s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ZJat0NjKFO.exe renamed because original name is a hash value
Original Sample Name:	4ed421dcc07555bea823811932cd1b1d.exe
Detection:	MAL
Classification:	mal96.troj.spyw.evad.winEXE@1/10@0/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 1 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 184.31.69.3, 4.175.87.197, 20.223.35.26, 150.171.27.10
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, g.bing.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e16604.dscf.akamaiedge.net, arc.msn.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtEnumerateValueKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
62.60.226.159	CLAIM3456709.lnk.bin.lnk	Get hash	malicious	DanaBot	Browse
62.60.226.158	CLAIM3456709.lnk.bin.lnk	Get hash	malicious	DanaBot	Browse
196.251.87.252	CLAIM3456709.lnk.bin.lnk	Get hash	malicious	DanaBot	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ASLINE-AS-APASLINELIMITEDHK	CLAIM3456709.lnk.bin.lnk	Get hash	malicious	DanaBot	Browse	62.60.226.158
	Nyx4r.m68k.elf	Get hash	malicious	Okiru	Browse	62.60.239.92
	Talksy (1).exe	Get hash	malicious	Meduza Stealer, RHADAMANTHYS	Browse	62.60.226.21
	nklm68k.elf	Get hash	malicious	Unknown	Browse	180.223.224.224
	aisolution_a.exe	Get hash	malicious	RHADAMANTHYS	Browse	62.60.226.101
	Talksy.exe	Get hash	malicious	Unknown	Browse	62.60.226.101
	Talksy.exe	Get hash	malicious	Unknown	Browse	62.60.226.101
	AgnotSecurity.exe	Get hash	malicious	Unknown	Browse	62.60.234.80
	AgnotSecurity.exe	Get hash	malicious	Unknown	Browse	62.60.234.80
ASLINE-AS-APASLINELIMITEDHK	CLAIM3456709.lnk.bin.lnk	Get hash	malicious	DanaBot	Browse	62.60.226.158
	Nyx4r.m68k.elf	Get hash	malicious	Okiru	Browse	62.60.239.92
	Talksy (1).exe	Get hash	malicious	Meduza Stealer, RHADAMANTHYS	Browse	62.60.226.21
	nklm68k.elf	Get hash	malicious	Unknown	Browse	180.223.224.224
	aisolution_a.exe	Get hash	malicious	RHADAMANTHYS	Browse	62.60.226.101
	Talksy.exe	Get hash	malicious	Unknown	Browse	62.60.226.101
	Talksy.exe	Get hash	malicious	Unknown	Browse	62.60.226.101
	AgnotSecurity.exe	Get hash	malicious	Unknown	Browse	62.60.234.80
	AgnotSecurity.exe	Get hash	malicious	Unknown	Browse	62.60.234.80
SONIC-WirelessZA	pp.pd.exe	Get hash	malicious	Unknown	Browse	196.251.83.195
	CLAIM3456709.lnk.bin.lnk	Get hash	malicious	DanaBot	Browse	196.251.87.252
	zx4PJh6.exe1.exe	Get hash	malicious	RHADAMANTHYS	Browse	196.251.87.150
	http://url5681.planter.eco/ls/click?upn=u001.PX1-2BssefkOe686e7wTSUMqibxN-2FCUadbAKgpTv23cYOIQxMvH9FGLuwPON-2Ft4V08mI3EhMVAoZnU-2Br4hRroTgY6212B0nGnr8aV-2B5ZtDZ10DmDDkH6mdlmAzG8M-2BiNsGPGMX1iPzlrrdaY9R4kk4qHfVergkdfGzm-2BAmGL-2FwYqLpCth-2FU-2ByXRztop6mHKwMCk43gAzvI9DCKmBcEcJQKyQ-3D-3Da5U3_GwWzR5CPD3uhhoxi7nJtY0-2BQC5TKRtJEXtldUtgGNIU9EPMkwXhPBMhFexKYRqOhYUH1k-2FQVOT9D8S6mnbGzOTVeFZqZ2eiXdrD6GdHPzzO106h29UdS-2BIz4v5acd9FnatQanlGtMNJsbvRJRS5dF6-2BMeTnNy39wilhlMfgiqmmr792hlZiyIO30hIfNO7fmE4Qvw7CYEB9aPKMoYkpeVA-3D-3D	Get hash	malicious	HTMLPhisher	Browse	196.251.87.168
	mybestgirlformybestkissesever.vbs	Get hash	malicious	Remcos	Browse	196.251.85.180
	0.vbs	Get hash	malicious	Remcos	Browse	196.251.85.180
	1742466358c1821b2389018bb005e46d5392fc14878c05dcba9aa64e847fb563301b0b036b531.dat-decoded.exe	Get hash	malicious	Remcos	Browse	196.251.85.180
	jkse.arm5.elf	Get hash	malicious	Unknown	Browse	196.251.81.246
	jkse.mpsl.elf	Get hash	malicious	Unknown	Browse	196.251.81.246

Process:	C:\Users\user\Desktop\ZJat0NjKFO.exe
File Type:	data
Category:	dropped
Size (bytes):	139264
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	79BFD1D69B2829B17AE13B80A6B48489
SHA1:	A1E5F2C1B77DD5BDA638AFBE33DB098F8E5C053A
SHA-256:	CD248E1CC2C0A9B30154D49CA21C8CBE35098927E06F6411B863BAFDB5CE0C15
SHA-512:	075F2CB4C86AA95338E9A8316867A8AE9BED3ED611ED175C540CDD609FA6E255D9C8A1DE79590B6EC04A7A1716BF7CD3AFCFDF5DE5D3F6EEC924040BB065E650
Malicious:	false
Reputation:	low
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Fshrfy

Download File

Process:	C:\Users\user\Desktop\ZJat0NjKFO.exe
File Type:	data
Category:	dropped
Size (bytes):	139264
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	79BFD1D69B2829B17AE13B80A6B48489
SHA1:	A1E5F2C1B77DD5BDA638AFBE33DB098F8E5C053A
SHA-256:	CD248E1CC2C0A9B30154D49CA21C8CBE35098927E06F6411B863BAFDB5CE0C15
SHA-512:	075F2CB4C86AA95338E9A8316867A8AE9BED3ED611ED175C540CDD609FA6E255D9C8A1DE79590B6EC04A7A1716BF7CD3AFCFDF5DE5D3F6EEC924040BB065E650
Malicious:	false
Reputation:	low
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Hwsdyuf

Download File

Process:	C:\Users\user\Desktop\ZJat0NjKFO.exe
File Type:	data
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	AB893875D697A3145AF5EED5309BEE26
SHA1:	C90116149196CBF74FFB453ECB3B12945372EBFA
SHA-256:	02B1C2234680617802901A77EAE606AD02E4DDB4282CCBC60061EAC5B2D90BBA
SHA-512:	6B65C0A1956CE18DF2D271205F53274D2905C803D059A0801BF8331CCAA28A1D4842D3585DD9C2B01502A4BE6664BDE2E965B15FCFEC981E85EED37C595CD6BC
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Ieffqehawwd

Download File

Process:	C:\Users\user\Desktop\ZJat0NjKFO.exe
File Type:	data
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	EF2E0D18474B2151EF5876B1E89C2F1D
SHA1:	AEF9802FCF76C67D695BC77322BAE5400D3BBE82
SHA-256:	3381DE4CA9F3A477F25989DFC8B744E7916046B7AA369F61A9A2F7DC0963EC9E
SHA-512:	E81185705A3BD73645BF2B190BBF3AEE060C1C72F98FA39665F254A755B0A5723CE8296422874EB50C7B5E8D6BCD90175B0BA28061221039172A3F50E8902CC8
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Iufhhqhdrwe

Download File

Process:	C:\Users\user\Desktop\ZJat0NjKFO.exe
File Type:	data
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	DAA100DF6E6711906B61C9AB5AA16032
SHA1:	963FF6C2D517D188014D2EF3682C4797888E6D26
SHA-256:	CC61635DA46B2C9974335EA37E0B5FD660A5C8A42A89B271FA7EC2AC4B8B26F6
SHA-512:	548FAEE346D6C5700BB37D3D44B593E3C343CA7DC6B564F6D3DC7BD5463FBB925765D9C6EA3065BF19F3CCF7B2E1CB5C34C908057C60B62BE866D2566C0B9393
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Iuswwfpepew

Download File

Process:	C:\Users\user\Desktop\ZJat0NjKFO.exe
File Type:	data
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	0A9156C4E3C48EF827980639C4D1E263
SHA1:	9F13A523321C66208E90D45F87FA0CD9B370E111
SHA-256:	3A3ED164E42500A1C5B2D0093F0A813D27DC50D038F330CC100A7E70ECE2E6E4
SHA-512:	8A46C1B44C0EA338AFF0D2E2D07C34430B67B68B6D27E1ADB8CF216B0F0994172CED106A90283F2F0469B5CAA40ACEDF101D45729B823E5179EA55AC507E04AD
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Iuswwfpepew-shm

Download File

Process:	C:\Users\user\Desktop\ZJat0NjKFO.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Teyteido

Download File

Process:	C:\Users\user\Desktop\ZJat0NjKFO.exe
File Type:	data
Category:	dropped
Size (bytes):	139264
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	79BFD1D69B2829B17AE13B80A6B48489
SHA1:	A1E5F2C1B77DD5BDA638AFBE33DB098F8E5C053A
SHA-256:	CD248E1CC2C0A9B30154D49CA21C8CBE35098927E06F6411B863BAFDB5CE0C15
SHA-512:	075F2CB4C86AA95338E9A8316867A8AE9BED3ED611ED175C540CDD609FA6E255D9C8A1DE79590B6EC04A7A1716BF7CD3AFCFDF5DE5D3F6EEC924040BB065E650
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Titwprypirh

Download File

Process:	C:\Users\user\Desktop\ZJat0NjKFO.exe
File Type:	data
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF235F22DF3E004EDE21041978C24F2E
SHA1:	7188972F71AEE4C62669330FF7776E48094B4D9D
SHA-256:	16FA66A7DC98D93F2A4C5D20BAF5177F59C4C37FC62FACE65690C11C15FE6FF9
SHA-512:	E76D7CBBAA2B3110D38425F7B579C6F94C29A162D3B4A3B9A4FEACEDE7CEC5EA5E30E455F9417A2C230390C78AB2FBC54C7B98C8F8F68955FE071C37C59D4046
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Wtqoddeorodydr

Download File

Process:	C:\Users\user\Desktop\ZJat0NjKFO.exe
File Type:	data
Category:	modified
Size (bytes):	24576
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	91FF0DAC5DF86E798BFEF5E573536B08
SHA1:	EBDD38B69CD5B9F2D00D273C981E16960FBBB4F7
SHA-256:	DE676BAE28A480011D3D012DB14BEF539324E62A841A9627863C689BEA168AF3
SHA-512:	F9C2CBDA26D1C3E32F54625B5488F7D51DBE59F6CB742CE98B5F9E9CED089E65327FC381284F7F287B513C1B860B6898A53CA46DF3CC4926BA0EB339F3C29BD3
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.17677538525722
TrID:	Win32 Executable (generic) a (10002005/4) 99.55% Win32 EXE PECompact compressed (generic) (41571/9) 0.41% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	ZJat0NjKFO.exe
File size:	5'784'064 bytes
MD5:	4ed421dcc07555bea823811932cd1b1d
SHA1:	f4eb41c4fda51e598ac85d11a3d1bb9120844352
SHA256:	d99e56b65c148eb34afdaf489f8cd99a683e368dbb9c0e139b46a00299062599
SHA512:	3c256998c9afc6ee40289509eaa392f3561fdf1f26e26083d01c590cb9129735a5072edbb2a9e82596525fe685ec00fc10de5bc890e9153f6585e3edaf665d55
SSDEEP:	98304:qmDVhyY8fQ81aEb2v5vHCdkq7DpTWrJyERLV9L+Kg2jjm8:TqYsFvw5vak4p6r9V9SK/m
TLSH:	2A469F21F2C0A23FD0771A36C93A96A4697F77703A159C1F26E41D4C8F79A807A3635B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........X...9...9...9...A...9...9...9...F...9...F...9..Rich.9..........................PE..L......g...............$.8X..........FX....

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x984600
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x67DC18B1 [Thu Mar 20 13:31:29 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	f797b427b11cf4700dcf1255251beadb

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 2Ch
mov dword ptr [ebp-10h], 00401000h
push 00000040h
push 00001000h
mov eax, dword ptr [00986000h]
push eax
push 00000000h
call dword ptr [00985000h]
mov dword ptr [ebp-08h], eax
mov dword ptr [ebp-04h], 00000000h
jmp 00007F40EC82A90Bh
mov ecx, dword ptr [ebp-04h]
add ecx, 01h
mov dword ptr [ebp-04h], ecx
mov edx, dword ptr [ebp-04h]
cmp edx, dword ptr [00986000h]
jnl 00007F40EC82A914h
mov eax, dword ptr [ebp-08h]
add eax, dword ptr [ebp-04h]
mov ecx, dword ptr [ebp-10h]
add ecx, dword ptr [ebp-04h]
mov dl, byte ptr [ecx]
mov byte ptr [eax], dl
jmp 00007F40EC82A8DCh
call dword ptr [ebp-08h]
push 00000000h
push 00000000h
push 00000000h
lea eax, dword ptr [ebp-2Ch]
push eax
call dword ptr [00985010h]
mov dword ptr [ebp-0Ch], eax
cmp dword ptr [ebp-0Ch], 00000000h
je 00007F40EC82A920h
cmp dword ptr [ebp-0Ch], FFFFFFFFh
jne 00007F40EC82A904h
jmp 00007F40EC82A916h
lea ecx, dword ptr [ebp-2Ch]
push ecx
call dword ptr [00985008h]
lea edx, dword ptr [ebp-2Ch]
push edx
call dword ptr [0098500Ch]
jmp 00007F40EC82A8CBh
xor eax, eax
mov esp, ebp
pop ebp
ret
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x585120	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x587000	0x18	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x585018	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x585000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x583694	0x583800	c2d9f0be08509633fcce1a4b010b4f82	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x585000	0x1d4	0x200	55afb148d4a7c105cdef639dc04524a2	False	0.525390625	data	3.8381525004666255	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x586000	0x4	0x200	eb70eb902d33687ea54b86d60a93a695	False	0.03125	data	0.06116285224115448	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x587000	0x18	0x200	84e41215f5f986fed9ece38cdf7ed37a	False	0.068359375	data	0.30754410475965943	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
KERNEL32.dll	VirtualAlloc
USER32.dll	TranslateMessage, DispatchMessageA, GetMessageA

Network Behavior

Download Network PCAP: filtered – full

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 23, 2025 19:30:52.507710934 CET	49728	443	192.168.2.5	196.251.87.252
Mar 23, 2025 19:30:52.507738113 CET	443	49728	196.251.87.252	192.168.2.5
Mar 23, 2025 19:30:52.507955074 CET	49728	443	192.168.2.5	196.251.87.252
Mar 23, 2025 19:30:52.573579073 CET	49728	443	192.168.2.5	196.251.87.252
Mar 23, 2025 19:30:52.573606968 CET	443	49728	196.251.87.252	192.168.2.5
Mar 23, 2025 19:30:52.573659897 CET	443	49728	196.251.87.252	192.168.2.5
Mar 23, 2025 19:30:53.593333960 CET	49730	443	192.168.2.5	62.60.226.158
Mar 23, 2025 19:30:53.593365908 CET	443	49730	62.60.226.158	192.168.2.5
Mar 23, 2025 19:30:53.593431950 CET	49730	443	192.168.2.5	62.60.226.158
Mar 23, 2025 19:30:53.659715891 CET	49730	443	192.168.2.5	62.60.226.158
Mar 23, 2025 19:30:53.659739017 CET	443	49730	62.60.226.158	192.168.2.5
Mar 23, 2025 19:30:53.659811974 CET	443	49730	62.60.226.158	192.168.2.5
Mar 23, 2025 19:30:54.687438011 CET	49731	443	192.168.2.5	62.60.226.159
Mar 23, 2025 19:30:54.687547922 CET	443	49731	62.60.226.159	192.168.2.5
Mar 23, 2025 19:30:54.687637091 CET	49731	443	192.168.2.5	62.60.226.159
Mar 23, 2025 19:30:55.114198923 CET	49731	443	192.168.2.5	62.60.226.159
Mar 23, 2025 19:30:55.114276886 CET	443	49731	62.60.226.159	192.168.2.5
Mar 23, 2025 19:30:55.114336967 CET	443	49731	62.60.226.159	192.168.2.5
Mar 23, 2025 19:30:55.114439964 CET	49731	443	192.168.2.5	62.60.226.159
Mar 23, 2025 19:30:55.114485979 CET	443	49731	62.60.226.159	192.168.2.5
Mar 23, 2025 19:30:56.172137022 CET	49732	443	192.168.2.5	196.251.87.252
Mar 23, 2025 19:30:56.172180891 CET	443	49732	196.251.87.252	192.168.2.5
Mar 23, 2025 19:30:56.172240019 CET	49732	443	192.168.2.5	196.251.87.252
Mar 23, 2025 19:30:56.379261971 CET	49732	443	192.168.2.5	196.251.87.252
Mar 23, 2025 19:30:56.379297972 CET	443	49732	196.251.87.252	192.168.2.5
Mar 23, 2025 19:30:56.379352093 CET	443	49732	196.251.87.252	192.168.2.5
Mar 23, 2025 19:30:56.379389048 CET	49732	443	192.168.2.5	196.251.87.252
Mar 23, 2025 19:30:56.379410982 CET	443	49732	196.251.87.252	192.168.2.5
Mar 23, 2025 19:31:57.780994892 CET	49733	443	192.168.2.5	196.251.87.252
Mar 23, 2025 19:31:57.781094074 CET	443	49733	196.251.87.252	192.168.2.5
Mar 23, 2025 19:31:57.781244993 CET	49733	443	192.168.2.5	196.251.87.252
Mar 23, 2025 19:31:57.837171078 CET	49733	443	192.168.2.5	196.251.87.252
Mar 23, 2025 19:31:57.837236881 CET	443	49733	196.251.87.252	192.168.2.5
Mar 23, 2025 19:31:57.837337017 CET	443	49733	196.251.87.252	192.168.2.5
Mar 23, 2025 19:31:57.837342024 CET	49733	443	192.168.2.5	196.251.87.252
Mar 23, 2025 19:31:57.837378025 CET	443	49733	196.251.87.252	192.168.2.5
Mar 23, 2025 19:31:59.162463903 CET	49734	443	192.168.2.5	62.60.226.158
Mar 23, 2025 19:31:59.162496090 CET	443	49734	62.60.226.158	192.168.2.5
Mar 23, 2025 19:31:59.162750959 CET	49734	443	192.168.2.5	62.60.226.158
Mar 23, 2025 19:32:00.248761892 CET	49734	443	192.168.2.5	62.60.226.158
Mar 23, 2025 19:32:00.248797894 CET	443	49734	62.60.226.158	192.168.2.5
Mar 23, 2025 19:32:00.248879910 CET	49734	443	192.168.2.5	62.60.226.158
Mar 23, 2025 19:32:00.248923063 CET	443	49734	62.60.226.158	192.168.2.5
Mar 23, 2025 19:32:01.265261889 CET	49735	443	192.168.2.5	62.60.226.159
Mar 23, 2025 19:32:01.265357971 CET	443	49735	62.60.226.159	192.168.2.5
Mar 23, 2025 19:32:01.265448093 CET	49735	443	192.168.2.5	62.60.226.159
Mar 23, 2025 19:32:01.318782091 CET	49735	443	192.168.2.5	62.60.226.159
Mar 23, 2025 19:32:01.318809032 CET	443	49735	62.60.226.159	192.168.2.5
Mar 23, 2025 19:32:01.318897963 CET	443	49735	62.60.226.159	192.168.2.5
Mar 23, 2025 19:32:01.318902016 CET	49735	443	192.168.2.5	62.60.226.159
Mar 23, 2025 19:32:01.318931103 CET	443	49735	62.60.226.159	192.168.2.5
Mar 23, 2025 19:32:02.350670099 CET	49736	443	192.168.2.5	196.251.87.252
Mar 23, 2025 19:32:02.350769043 CET	443	49736	196.251.87.252	192.168.2.5
Mar 23, 2025 19:32:02.350929022 CET	49736	443	192.168.2.5	196.251.87.252
Mar 23, 2025 19:32:02.929245949 CET	49736	443	192.168.2.5	196.251.87.252
Mar 23, 2025 19:32:02.929318905 CET	443	49736	196.251.87.252	192.168.2.5
Mar 23, 2025 19:32:02.929419041 CET	443	49736	196.251.87.252	192.168.2.5
Mar 23, 2025 19:32:02.929446936 CET	49736	443	192.168.2.5	196.251.87.252
Mar 23, 2025 19:32:02.929491043 CET	443	49736	196.251.87.252	192.168.2.5
Mar 23, 2025 19:32:03.111742973 CET	49737	443	192.168.2.5	196.251.87.252
Mar 23, 2025 19:32:03.111789942 CET	443	49737	196.251.87.252	192.168.2.5
Mar 23, 2025 19:32:03.111923933 CET	49737	443	192.168.2.5	196.251.87.252
Mar 23, 2025 19:32:03.215607882 CET	49737	443	192.168.2.5	196.251.87.252
Mar 23, 2025 19:32:03.215631962 CET	443	49737	196.251.87.252	192.168.2.5
Mar 23, 2025 19:32:03.215717077 CET	49737	443	192.168.2.5	196.251.87.252
Mar 23, 2025 19:32:03.215718031 CET	443	49737	196.251.87.252	192.168.2.5
Mar 23, 2025 19:32:03.215739965 CET	443	49737	196.251.87.252	192.168.2.5
Mar 23, 2025 19:32:03.257010937 CET	49738	443	192.168.2.5	62.60.226.158
Mar 23, 2025 19:32:03.257101059 CET	443	49738	62.60.226.158	192.168.2.5
Mar 23, 2025 19:32:03.257179022 CET	49738	443	192.168.2.5	62.60.226.158
Mar 23, 2025 19:32:03.469305038 CET	49738	443	192.168.2.5	62.60.226.158
Mar 23, 2025 19:32:03.469386101 CET	443	49738	62.60.226.158	192.168.2.5
Mar 23, 2025 19:32:03.469454050 CET	443	49738	62.60.226.158	192.168.2.5
Mar 23, 2025 19:32:03.469496965 CET	49738	443	192.168.2.5	62.60.226.158
Mar 23, 2025 19:32:03.469542980 CET	443	49738	62.60.226.158	192.168.2.5
Mar 23, 2025 19:32:03.590898037 CET	49739	443	192.168.2.5	62.60.226.159
Mar 23, 2025 19:32:03.590990067 CET	443	49739	62.60.226.159	192.168.2.5
Mar 23, 2025 19:32:03.591079950 CET	49739	443	192.168.2.5	62.60.226.159
Mar 23, 2025 19:32:03.662050009 CET	49739	443	192.168.2.5	62.60.226.159
Mar 23, 2025 19:32:03.662147999 CET	443	49739	62.60.226.159	192.168.2.5
Mar 23, 2025 19:32:03.662236929 CET	443	49739	62.60.226.159	192.168.2.5
Mar 23, 2025 19:32:03.662259102 CET	49739	443	192.168.2.5	62.60.226.159
Mar 23, 2025 19:32:03.662309885 CET	443	49739	62.60.226.159	192.168.2.5
Mar 23, 2025 19:32:03.673981905 CET	49740	443	192.168.2.5	196.251.87.252
Mar 23, 2025 19:32:03.674086094 CET	443	49740	196.251.87.252	192.168.2.5
Mar 23, 2025 19:32:03.674161911 CET	49740	443	192.168.2.5	196.251.87.252
Mar 23, 2025 19:32:03.736532927 CET	49740	443	192.168.2.5	196.251.87.252
Mar 23, 2025 19:32:03.736618042 CET	443	49740	196.251.87.252	192.168.2.5
Mar 23, 2025 19:32:03.736677885 CET	443	49740	196.251.87.252	192.168.2.5
Mar 23, 2025 19:32:03.736685991 CET	49740	443	192.168.2.5	196.251.87.252
Mar 23, 2025 19:32:03.736721039 CET	443	49740	196.251.87.252	192.168.2.5

Statistics

CPU Usage

• ZJat0NjKFO.exe

Click to jump to process

Memory Usage

• ZJat0NjKFO.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry
• Network

Click to dive into process behavior distribution

Target ID:	0
Start time:	14:29:35
Start date:	23/03/2025
Path:	C:\Users\user\Desktop\ZJat0NjKFO.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ZJat0NjKFO.exe"
Imagebase:	0xbc0000
File size:	5'784'064 bytes
MD5 hash:	4ED421DCC07555BEA823811932CD1B1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.3182740357.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000000.00000002.3182740357.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000000.1304168551.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000000.00000000.1304168551.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.3183069219.00000000036A9000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000000.00000002.3183069219.00000000036A9000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.3182013031.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000000.00000002.3182013031.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	0.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	21.4%
Total number of Nodes:	14
Total number of Limit Nodes:	1

Show Legend

Hide Nodes/Edges

Executed Functions

Function 01144600 Relevance: 6.0, APIs: 4, Instructions: 50
windowmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 0114461C
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 01144661
TranslateMessage.USER32(?), ref: 0114467C
DispatchMessageA.USER32(?), ref: 01144686

Memory Dump Source

Source File: 00000000.00000002.3182013031.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.3181993491.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3182370745.0000000001145000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZJat0NjKFO.jbxd

Yara matches

Similarity

API ID: Message$AllocDispatchTranslateVirtual
String ID:
API String ID: 3769999780-0
Opcode ID: 324e48e0d168f804709204bfbfe7f93ec4831ad1ccd0e51ce5cb5052a5acb77c
Instruction ID: ea422bcf33c9124a2add471de265f9ed06a956ad2d40e6c26adba5d6e1993ab8
Opcode Fuzzy Hash: 324e48e0d168f804709204bfbfe7f93ec4831ad1ccd0e51ce5cb5052a5acb77c
Instruction Fuzzy Hash: 131173B8D00208EFDB18CFE4D845BECB775BF08B09F108194E525A7284C7706A84CF55

Non-executed Functions

Function 00BC1763 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3182013031.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.3181993491.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3182370745.0000000001145000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZJat0NjKFO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7ed2e96bf3236041d15fde74f8508bcbe0546e6fedc7878144159f0d8a520d0
Instruction ID: 49c6990ee43887b7dc9cbe75c2a71e81c36ac22a187aa22a9e1e7c2aecc3f483
Opcode Fuzzy Hash: c7ed2e96bf3236041d15fde74f8508bcbe0546e6fedc7878144159f0d8a520d0
Instruction Fuzzy Hash: 29F019F8619110CBD65A8B5C85D4F3473F8AB43760B658CDFA0167B613DA28AC0AAA51

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	To disguise the source of malicious traffic, adversaries may chain together multiple proxies. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source. A particular variant of this behavior is to use onion routing networks, such as the publicly available TOR network.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN , ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ZJat0NjKFO.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Eoyoortiyyfrdrq

C:\Users\user\AppData\Local\Temp\Fshrfy

C:\Users\user\AppData\Local\Temp\Hwsdyuf

C:\Users\user\AppData\Local\Temp\Ieffqehawwd

C:\Users\user\AppData\Local\Temp\Iufhhqhdrwe

C:\Users\user\AppData\Local\Temp\Iuswwfpepew

C:\Users\user\AppData\Local\Temp\Iuswwfpepew-shm

C:\Users\user\AppData\Local\Temp\Teyteido

C:\Users\user\AppData\Local\Temp\Titwprypirh

C:\Users\user\AppData\Local\Temp\Wtqoddeorodydr

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Windows Analysis Report
ZJat0NjKFO.exe