Edit tour

Windows Analysis Report
CxDfBJ42lP.exe

Overview

General Information

Sample name:	CxDfBJ42lP.exe renamed because original name is a hash value
Original sample name:	06d886a5b9ed95722bb25fc607a593f6.exe
Analysis ID:	1646796
MD5:	06d886a5b9ed95722bb25fc607a593f6
SHA1:	3c0ad2d2824c2ce40219db3411c627ca10aec7ed
SHA256:	439ff70913feaa72026b23e5d68b72ead08cc0e09ebb4e4793cc8a5ec9f3cfb6
Tags:	Arechclient2exeuser-abuse_ch
Infos:

Detection

RedLine

Score:	76
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected RedLine Stealer

Joe Sandbox ML detected suspicious sample

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

Potential time zone aware malware

Program does not show much activity (idle)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

CxDfBJ42lP.exe (PID: 7752 cmdline: "C:\Users\user\Desktop\CxDfBJ42lP.exe" MD5: 06D886A5B9ED95722BB25FC607A593F6)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration

⊘No configs have been found

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
CxDfBJ42lP.exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
CxDfBJ42lP.exe	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
CxDfBJ42lP.exe	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xc5837:$s14: keybd_event 0xccae0:$v1_1: grabber@ 0xc639e:$v1_2: <BrowserProfile>k__ 0xc6e1d:$v1_3: <SystemHardwares>k__ 0xc6edc:$v1_5: <ScannedWallets>k__ 0xc6f6c:$v1_6: <DicrFiles>k__ 0xc6f48:$v1_7: <MessageClientFiles>k__ 0xc7312:$v1_8: <ScanBrowsers>k__BackingField 0xc7364:$v1_8: <ScanWallets>k__BackingField 0xc7381:$v1_8: <ScanScreen>k__BackingField 0xc73bb:$v1_8: <ScanVPN>k__BackingField 0xb832a:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xb7c36:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig

Memory Dumps

Source	Rule	Description	Author
00000001.00000000.1265458225.0000000000AB2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000000.1265458225.0000000000AB2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: CxDfBJ42lP.exe PID: 7752	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: CxDfBJ42lP.exe PID: 7752	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
1.0.CxDfBJ42lP.exe.ab0000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.0.CxDfBJ42lP.exe.ab0000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
1.0.CxDfBJ42lP.exe.ab0000.0.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xc5837:$s14: keybd_event 0xccae0:$v1_1: grabber@ 0xc639e:$v1_2: <BrowserProfile>k__ 0xc6e1d:$v1_3: <SystemHardwares>k__ 0xc6edc:$v1_5: <ScannedWallets>k__ 0xc6f6c:$v1_6: <DicrFiles>k__ 0xc6f48:$v1_7: <MessageClientFiles>k__ 0xc7312:$v1_8: <ScanBrowsers>k__BackingField 0xc7364:$v1_8: <ScanWallets>k__BackingField 0xc7381:$v1_8: <ScanScreen>k__BackingField 0xc73bb:$v1_8: <ScanVPN>k__BackingField 0xb832a:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xb7c36:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

• AV Detection
• Compliance
• Software Vulnerabilities
• Networking
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• Language, Device and Operating System Detection
• Stealing of Sensitive Information
• Remote Access Functionality

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: CxDfBJ42lP.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: CxDfBJ42lP.exe	ReversingLabs: Detection: 77%
Source: CxDfBJ42lP.exe	Virustotal: Detection: 75%			Perma Link

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: CxDfBJ42lP.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Code function: 4x nop then jmp 013C77B9h		1_2_013C768B
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Code function: 4x nop then jmp 013C77B9h		1_2_013C7751

Source: unknown	TCP traffic detected without corresponding DNS query: 172.86.115.43
Source: unknown	TCP traffic detected without corresponding DNS query: 172.86.115.43

Source: CxDfBJ42lP.exe, 00000001.00000002.3137305912.0000000002E31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/yraPuhAK
Source: CxDfBJ42lP.exe, 00000001.00000002.3137305912.0000000002E31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/yraPuhAKPO

Source: unknown	Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49695

System Summary

Malicious sample detected (through community Yara rule)

Source: CxDfBJ42lP.exe, type: SAMPLE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 1.0.CxDfBJ42lP.exe.ab0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen

Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Code function: 1_2_013C1050	1_2_013C1050
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Code function: 1_2_013CA080	1_2_013CA080
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Code function: 1_2_013C7598	1_2_013C7598
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Code function: 1_2_013C8900	1_2_013C8900
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Code function: 1_2_013C1940	1_2_013C1940
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Code function: 1_2_013CA070	1_2_013CA070
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Code function: 1_2_013C4560	1_2_013C4560
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Code function: 1_2_013C7588	1_2_013C7588
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Code function: 1_2_013C45F8	1_2_013C45F8
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Code function: 1_2_013C7438	1_2_013C7438
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Code function: 1_2_013CE4D8	1_2_013CE4D8
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Code function: 1_2_013C1738	1_2_013C1738
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Code function: 1_2_013C1734	1_2_013C1734
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Code function: 1_2_013CE760	1_2_013CE760
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Code function: 1_2_013C4608	1_2_013C4608
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Code function: 1_2_013CD93F	1_2_013CD93F
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Code function: 1_2_013C1931	1_2_013C1931
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Code function: 1_2_013CD950	1_2_013CD950
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Code function: 1_2_013C59AB	1_2_013C59AB
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Code function: 1_2_013C88F3	1_2_013C88F3
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Code function: 1_2_013C7D08	1_2_013C7D08
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Code function: 1_2_013C7C24	1_2_013C7C24
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Code function: 1_2_013C59C8	1_2_013C59C8

Source: CxDfBJ42lP.exe, 00000001.00000000.1265542581.0000000000B80000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamedfgfghfghfghfghfgh.exe" vs CxDfBJ42lP.exe
Source: CxDfBJ42lP.exe, 00000001.00000002.3136077147.000000000111E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs CxDfBJ42lP.exe
Source: CxDfBJ42lP.exe	Binary or memory string: OriginalFilenamedfgfghfghfghfghfgh.exe" vs CxDfBJ42lP.exe

Source: CxDfBJ42lP.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: CxDfBJ42lP.exe, type: SAMPLE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 1.0.CxDfBJ42lP.exe.ab0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT

Source: classification engine

Classification label: mal76.troj.winEXE@1/0@0/1

Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Mutant created: \Sessions\1\BaseNamedObjects\f4780255474e4c05adeb08282ec4a3c2

Source: CxDfBJ42lP.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: CxDfBJ42lP.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\CxDfBJ42lP.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: CxDfBJ42lP.exe	ReversingLabs: Detection: 77%
Source: CxDfBJ42lP.exe	Virustotal: Detection: 75%

Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Section loaded: mswsock.dll	Jump to behavior

Source: CxDfBJ42lP.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: C:\Users\user\Desktop\CxDfBJ42lP.exe

Code function: 1_2_013C41AB pushfd ; ret

1_2_013C41E6

Source: CxDfBJ42lP.exe

Static PE information: section name: .text entropy: 6.8362139254773435

Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Memory allocated: 13C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Memory allocated: 2E30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Memory allocated: 4E30000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\CxDfBJ42lP.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\CxDfBJ42lP.exe

Window / User API: threadDelayed 600

Jump to behavior

Source: C:\Users\user\Desktop\CxDfBJ42lP.exe TID: 7776	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe TID: 7776	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe TID: 7756	Thread sleep time: -30277s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe TID: 7756	Thread sleep time: -58324s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe TID: 3276	Thread sleep count: 600 > 30	Jump to behavior
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe TID: 7756	Thread sleep time: -45391s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe TID: 7756	Thread sleep time: -57582s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe TID: 7776	Thread sleep time: -60000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\CxDfBJ42lP.exe

System information queried: CurrentTimeZoneInformation

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\CxDfBJ42lP.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Thread delayed: delay time: 60000	Jump to behavior
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Thread delayed: delay time: 30277	Jump to behavior
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Thread delayed: delay time: 58324	Jump to behavior
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Thread delayed: delay time: 45391	Jump to behavior
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Thread delayed: delay time: 57582	Jump to behavior
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Thread delayed: delay time: 60000	Jump to behavior

Source: CxDfBJ42lP.exe, 00000001.00000002.3136077147.00000000011B0000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllh

Source: C:\Users\user\Desktop\CxDfBJ42lP.exe

Process token adjusted: Debug

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\CxDfBJ42lP.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Queries volume information: C:\Users\user\Desktop\CxDfBJ42lP.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CxDfBJ42lP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\CxDfBJ42lP.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match	File source: CxDfBJ42lP.exe, type: SAMPLE
Source: Yara match	File source: 1.0.CxDfBJ42lP.exe.ab0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.1265458225.0000000000AB2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CxDfBJ42lP.exe PID: 7752, type: MEMORYSTR

Source: Yara match	File source: CxDfBJ42lP.exe, type: SAMPLE
Source: Yara match	File source: 1.0.CxDfBJ42lP.exe.ab0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.1265458225.0000000000AB2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CxDfBJ42lP.exe PID: 7752, type: MEMORYSTR

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match	File source: CxDfBJ42lP.exe, type: SAMPLE
Source: Yara match	File source: 1.0.CxDfBJ42lP.exe.ab0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.1265458225.0000000000AB2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CxDfBJ42lP.exe PID: 7752, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	12 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	31 Virtualization/Sandbox Evasion	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Software Packing	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	12 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
CxDfBJ42lP.exe	78%	ReversingLabs	ByteCode-MSIL.Ransomware.RedLine
CxDfBJ42lP.exe	75%	Virustotal		Browse
CxDfBJ42lP.exe	100%	Avira	HEUR/AGEN.1307453

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://pastebin.com/raw/yraPuhAK	CxDfBJ42lP.exe, 00000001.00000002.3137305912.0000000002E31000.00000004.00000800.00020000.00000000.sdmp	false		high
https://pastebin.com/raw/yraPuhAKPO	CxDfBJ42lP.exe, 00000001.00000002.3137305912.0000000002E31000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.86.115.43	unknown	United States		53667	PONYNETUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1646796
Start date and time:	2025-03-24 09:39:21 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 31s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	CxDfBJ42lP.exe renamed because original name is a hash value
Original Sample Name:	06d886a5b9ed95722bb25fc607a593f6.exe
Detection:	MAL
Classification:	mal76.troj.winEXE@1/0@0/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 30 Number of non-executed functions: 11
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 184.31.69.3, 172.202.163.200
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target CxDfBJ42lP.exe, PID 7752 because it is empty
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
PONYNETUS	boatnet.ppc.elf	Get hash	malicious	Mirai	Browse	209.141.36.93
	spc.elf	Get hash	malicious	Mirai	Browse	198.98.51.68
	sh4.elf	Get hash	malicious	Mirai	Browse	198.98.51.68
	m68k.elf	Get hash	malicious	Mirai	Browse	198.98.51.68
	i686.elf	Get hash	malicious	Mirai	Browse	198.98.51.68
	ppc.elf	Get hash	malicious	Unknown	Browse	198.98.51.68
	arm.elf	Get hash	malicious	Mirai	Browse	198.98.51.68
	x86.elf	Get hash	malicious	Mirai	Browse	198.98.51.68
	mpsl.elf	Get hash	malicious	Mirai	Browse	198.98.51.68

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.829786255094696
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	CxDfBJ42lP.exe
File size:	842'240 bytes
MD5:	06d886a5b9ed95722bb25fc607a593f6
SHA1:	3c0ad2d2824c2ce40219db3411c627ca10aec7ed
SHA256:	439ff70913feaa72026b23e5d68b72ead08cc0e09ebb4e4793cc8a5ec9f3cfb6
SHA512:	243216ed3aa463c25f231602e2659b90904408c4426716ca4c8c21e78372711952a876a65a5600cadcaab7a112f68298936771066d6de117fa71b91e68fdcf65
SSDEEP:	12288:+cZyCM9wN+BEcaVXE35M9pH4j7rql+9s0od6VZsd5X2OtXbkH:UCIza9954w0hkdzt
TLSH:	B5056CED3A039E32CAE8737984FF6C0891A15BA7AD4171A9D98CD8C45F8535D8B4DBC0
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g............................>.... ........@.. .......................@.............................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4cee3e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x67D994CC [Tue Mar 18 15:44:12 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xcedec	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd0000	0x600	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xd2000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xcce44	0xcd000	d3a78099cd31d56932ff227c0ca31e89	False	0.5540205792682927	data	6.8362139254773435	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xd0000	0x600	0x600	33ca0a274734eab7811dc63e34874938	False	0.3984375	data	4.0005741438892635	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xd2000	0xc	0x200	15cb7b1ff8576ca844dc3ddfd6d3dd5a	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xd00a0	0x304	data			0.405440414507772
RT_MANIFEST	0xd03a4	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
Comments
CompanyName
FileDescription
FileVersion	1.0.0.0
InternalName	dfgfghfghfghfghfgh.exe
LegalCopyright
LegalTrademarks
OriginalFilename	dfgfghfghfghfghfgh.exe
ProductName
ProductVersion	1.0.0.0
Assembly Version	1.0.0.0

Network Behavior

Download Network PCAP: filtered – full

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 24, 2025 09:40:21.503973007 CET	49695	443	192.168.2.6	172.86.115.43
Mar 24, 2025 09:40:21.504003048 CET	443	49695	172.86.115.43	192.168.2.6
Mar 24, 2025 09:40:21.504095078 CET	49695	443	192.168.2.6	172.86.115.43

Statistics

CPU Usage

• CxDfBJ42lP.exe

Click to jump to process

Memory Usage

• CxDfBJ42lP.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry
• Network

Click to dive into process behavior distribution

System Behavior

Analysis Process: CxDfBJ42lP.exePID: 7752, Parent PID: 496

Function Logs

General

Target ID:	1
Start time:	04:40:20
Start date:	24/03/2025
Path:	C:\Users\user\Desktop\CxDfBJ42lP.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\CxDfBJ42lP.exe"
Imagebase:	0xab0000
File size:	842'240 bytes
MD5 hash:	06D886A5B9ED95722BB25FC607A593F6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000000.1265458225.0000000000AB2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000001.00000000.1265458225.0000000000AB2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

File Activities

File Opened

File Created

File Read

File Attributes Queried

Device IO

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

Key Opened

Key Value Queried

Key Monitored

Key Value Enumerated

Key Enumerated

Show Windows behavior

Mutex Activities

Mutex Created

Show Windows behavior

Process Activities

Process Queried

Process Information Set

Show Windows behavior

Thread Activities

Thread Created

Thread APC Queued

Thread Execution Resumed

Thread Delayed

Thread Information Set

Show Windows behavior

Memory Activities

Memory Allocated

Memory Protection Changed

Memory Usage Statistics

Show Windows behavior

System Activities

Language or Locale ID Queried

System Information Queried

Show Windows behavior

Timing Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Windows UI Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Network Activities

Socket bound

Socket connected

Process Token Activities

Token Adjusted

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Disassembly

Analysis Process: CxDfBJ42lP.exePID: 7752, Parent PID: 496COMMON

Executed Functions

Function 013C1940 Relevance: 8.8, Strings: 5, Instructions: 2583COMMON

Download Yara Rule

Strings

6UwH, xrefs: 013C207F
[tDY, xrefs: 013C27AF
%ZbK, xrefs: 013C1A3B
(?, xrefs: 013C2A51
"vw, xrefs: 013C200E

Memory Dump Source

Source File: 00000001.00000002.3136990136.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_CxDfBJ42lP.jbxd

Similarity

API ID:
String ID: "vw$%ZbK$(?$6UwH$[tDY
API String ID: 0-1104128927
Opcode ID: fff339ac01696ee60ac1623a594e4cc4fd7c30722898ad9cd1a0db46e713a2d1
Instruction ID: 10f3b57429e28df7b4b147349a88b027edca48ace73d8bdb942af6d5c1c6bc14
Opcode Fuzzy Hash: fff339ac01696ee60ac1623a594e4cc4fd7c30722898ad9cd1a0db46e713a2d1
Instruction Fuzzy Hash: A653D774E0422ACFDB64DF69C984A9AB7F5FB49304F1485AAD819E7315E730AE81CF40

Function 013C1931 Relevance: 6.8, Strings: 4, Instructions: 1814COMMON

Download Yara Rule

Strings

[tDY, xrefs: 013C27AF
%ZbK, xrefs: 013C1A3B
(?, xrefs: 013C2A51
"vw, xrefs: 013C200E

Memory Dump Source

Source File: 00000001.00000002.3136990136.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_CxDfBJ42lP.jbxd

Similarity

API ID:
String ID: "vw$%ZbK$(?$[tDY
API String ID: 0-1613493663
Opcode ID: ebcbd6ab934d22a1c9919a33ddf13112b36b4b97a2a021f3a55649137ea032ed
Instruction ID: 69df71e76bf00879f98449a442a4a93a4dd43fea9c4e26ba0b2ae5fc46bb042e
Opcode Fuzzy Hash: ebcbd6ab934d22a1c9919a33ddf13112b36b4b97a2a021f3a55649137ea032ed
Instruction Fuzzy Hash: 0E13C678E0422A8FDB54DF69C884A9EB7F5FB49304F1486AAD418E7315E770AE85CF40

Function 013CA080 Relevance: 2.6, Strings: 1, Instructions: 1333COMMON

Download Yara Rule

Strings

@^#, xrefs: 013CB4E6

Memory Dump Source

Source File: 00000001.00000002.3136990136.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_CxDfBJ42lP.jbxd

Similarity

API ID:
String ID: @^#
API String ID: 0-159667578
Opcode ID: 5fd735653843bb32f45f58428e8b702d2693117c1ce278b3c042e0d98dc9eaaa
Instruction ID: fff9fbc89d256c672009db5fa6dfd2332f5702dbec97fe1f28cd4fcbdc6851c9
Opcode Fuzzy Hash: 5fd735653843bb32f45f58428e8b702d2693117c1ce278b3c042e0d98dc9eaaa
Instruction Fuzzy Hash: 25E29F78E012298FDB64DF69C884A9DBBF5BB49304F1481EAD819E7315E730AE85CF50

Function 013C8900 Relevance: 2.5, Strings: 1, Instructions: 1246COMMON

Download Yara Rule

Strings

mJPC, xrefs: 013C9BF8

Memory Dump Source

Source File: 00000001.00000002.3136990136.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_CxDfBJ42lP.jbxd

Similarity

API ID:
String ID: mJPC
API String ID: 0-3228284330
Opcode ID: 9b88c815277f4220a2df752010405b37923f9ce537750e0ecd5d31b467947c58
Instruction ID: 4372b5e48b93dac6e0cdc0485067b3623450a4292baca9f0d3aa9d46e798f276
Opcode Fuzzy Hash: 9b88c815277f4220a2df752010405b37923f9ce537750e0ecd5d31b467947c58
Instruction Fuzzy Hash: F8D2C074E052298FDB60CF69C984BD9BBF5BB49308F1581AAD809E7355E730AE81CF50

Function 013CA070 Relevance: 2.3, Strings: 1, Instructions: 1050COMMON

Download Yara Rule

Strings

@^#, xrefs: 013CB4E6

Memory Dump Source

Source File: 00000001.00000002.3136990136.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_CxDfBJ42lP.jbxd

Similarity

API ID:
String ID: @^#
API String ID: 0-159667578
Opcode ID: 773bc2a4e3a64ac4d32ebc84e1bb527dc12ef4ec82de23df5c8d55cfac241dcc
Instruction ID: f1b07af63330e951552dbfff2915802da1d945518bb17747f70bbbd1ccd20e29
Opcode Fuzzy Hash: 773bc2a4e3a64ac4d32ebc84e1bb527dc12ef4ec82de23df5c8d55cfac241dcc
Instruction Fuzzy Hash: 49C29078E002298FDB64DF69C884A99BBF5BF49304F1481EAD419EB315E734AE85CF50

Function 013C1050 Relevance: 1.7, Strings: 1, Instructions: 409COMMON

Download Yara Rule

Strings

, xrefs: 013C11A1

Memory Dump Source

Source File: 00000001.00000002.3136990136.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_CxDfBJ42lP.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 09d7c998448ab502257d29b0f8a234662ae059469dad638a4af308f34309ddb7
Instruction ID: 16b3338fbe0bef80522135a6d7c03c662569fb68f879bc3911b7de0d5dc75a3d
Opcode Fuzzy Hash: 09d7c998448ab502257d29b0f8a234662ae059469dad638a4af308f34309ddb7
Instruction Fuzzy Hash: 8D02E678E04219CFEB14DFADD884B9DBBB6FB88304F14816AD809E739AD73499418F51

Function 013C59C8 Relevance: 1.2, Instructions: 1209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3136990136.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_CxDfBJ42lP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96c90c39c18e0400249c676d88b9b8baa25ee47355397db1ff3de658e5ea638e
Instruction ID: c357df869c83dbea287b21d072da9640cfca1565dc7f75de71e015f130baa1e5
Opcode Fuzzy Hash: 96c90c39c18e0400249c676d88b9b8baa25ee47355397db1ff3de658e5ea638e
Instruction Fuzzy Hash: 5BE26DB4E052298FDB60DF69C984AD9BBF5BB49304F1481EAD809E7315E730AE85CF50

Function 013C88F3 Relevance: .8, Instructions: 838COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3136990136.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_CxDfBJ42lP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5632b9ac6d12ae4f3aa574ecf2da97748cbc0947e12b927b530b3528cec120a
Instruction ID: cb14fa8e0ea1eeb3f68ad25ace975a558b585c0c3ec98077087342fc7c0ebab2
Opcode Fuzzy Hash: b5632b9ac6d12ae4f3aa574ecf2da97748cbc0947e12b927b530b3528cec120a
Instruction Fuzzy Hash: F092B274E042198FDB64CFA9C984ADDBBF5BB89304F1581AAD418EB355E730AE85CF40

Function 013C59AB Relevance: .8, Instructions: 759COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3136990136.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_CxDfBJ42lP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 078597b2354df0e1c63b4e3dc3c188dad7ab823bc00410209948b39f9758cd3b
Instruction ID: ab93ee7aee60983fd6ce4757701af38d28b1859f9f677e5601787d215d1d6477
Opcode Fuzzy Hash: 078597b2354df0e1c63b4e3dc3c188dad7ab823bc00410209948b39f9758cd3b
Instruction Fuzzy Hash: EA927D74E012298FDB64DF69C984ADDBBF5BB49304F1481EAD809A7355EB30AE85CF40

Function 013C7438 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3136990136.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_CxDfBJ42lP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 794aee78fd22b8f92fb5bf134ce09fd7c8dda3ceb063b1b98acc901e4e32fa62
Instruction ID: 68399c65b9fa98758a995106b93f451bf1a98651958a2b39d9d471ce4f0b4f25
Opcode Fuzzy Hash: 794aee78fd22b8f92fb5bf134ce09fd7c8dda3ceb063b1b98acc901e4e32fa62
Instruction Fuzzy Hash: 30619F71C093D48FD712DB7D98601DDBFB1EF96714F09809AD480EB2A6E6284849CB69

Function 013C768B Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3136990136.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_CxDfBJ42lP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21ffbeb766990966b82a2401b84cc13cc630942fbeea2dc4a643d85a683be463
Instruction ID: 6c119f159eecff8adcdcceb6533c6b15af60e3885778a8d671ea35e139ddcfd8
Opcode Fuzzy Hash: 21ffbeb766990966b82a2401b84cc13cc630942fbeea2dc4a643d85a683be463
Instruction Fuzzy Hash: FF416974E012098FDB14CFA8D888AADBBB6FF8A315F14A529D40AE7249D734DC91CF14

Function 013C7588 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3136990136.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_CxDfBJ42lP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 830ce89b92752b59afd2781ee64ef284889c6cc838ab84b192daf79dcc548fdf
Instruction ID: ebe3c6d5cac134e6cf2995547804cf78939ce2c22560120a378fb0163da808fa
Opcode Fuzzy Hash: 830ce89b92752b59afd2781ee64ef284889c6cc838ab84b192daf79dcc548fdf
Instruction Fuzzy Hash: 35310571E006498BDB18DFAAD8446EEFBF2BF89310F14C129D815AB299DB349846CF54

Function 013C7598 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3136990136.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_CxDfBJ42lP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10389572f54e3dc78d86ccae5a8ef82e5b9daca50ae72e3bad7328a9fcf395b5
Instruction ID: 2b9163caaf39a4f721d293730100967b03da9fdce18b565a044e60f474f76dd0
Opcode Fuzzy Hash: 10389572f54e3dc78d86ccae5a8ef82e5b9daca50ae72e3bad7328a9fcf395b5
Instruction Fuzzy Hash: 7231E775E006498BDB18DFAAD8446AEFBF2BF89310F14C129D815AB298DB349846CF54

Function 013C7751 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3136990136.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_CxDfBJ42lP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eae2455139b6cd705cd1072c54f3b6424e28c52a00beb7a61ca90d6a2ccbb25
Instruction ID: 1ed382d6e86bb3446b3cdba7d9a283de02dc5169afdfc807eb35aa7607394375
Opcode Fuzzy Hash: 7eae2455139b6cd705cd1072c54f3b6424e28c52a00beb7a61ca90d6a2ccbb25
Instruction Fuzzy Hash: D1212774E012098FDB10DFA8D8849ADBBB6FF8A314F14A528D41AE7255D774EC82CF54

Function 013CEEA0 Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

*, xrefs: 013CEEF0

Memory Dump Source

Source File: 00000001.00000002.3136990136.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_CxDfBJ42lP.jbxd

Similarity

API ID:
String ID: *
API String ID: 0-163128923
Opcode ID: aab2d6701612b33de78d6c5994b9cfa8b21c0f4278ccbda9ab49ea4fe6fcb84c
Instruction ID: 21598adcb42709de5d6e57174d78e6bb476231345defe61c21dd5f4f5004bc6e
Opcode Fuzzy Hash: aab2d6701612b33de78d6c5994b9cfa8b21c0f4278ccbda9ab49ea4fe6fcb84c
Instruction Fuzzy Hash: A641B074E002199FDB04DFA9D885AEEBBF2FF88310F15816AE415A7354D734A941CF50

Function 013CEEB0 Relevance: 1.3, Strings: 1, Instructions: 91COMMON

Download Yara Rule

Strings

*, xrefs: 013CEEF0

Memory Dump Source

Source File: 00000001.00000002.3136990136.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_CxDfBJ42lP.jbxd

Similarity

API ID:
String ID: *
API String ID: 0-163128923
Opcode ID: 498a23fbf4e4ab587289ebdc28a646242aadcec6d8de18bbbbab73ae6dde2e74
Instruction ID: c6c851763bb7ba80672db7edd07ab83ef13ffe4c1e205cf0699fbca497e7871d
Opcode Fuzzy Hash: 498a23fbf4e4ab587289ebdc28a646242aadcec6d8de18bbbbab73ae6dde2e74
Instruction Fuzzy Hash: 5241BE74E002199FCB04DFA9D888AEEBBF2FF88310F158169E915A7354DB34A941CF90

Function 013C9DE0 Relevance: 1.3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

Strings

u, xrefs: 013C9E15

Memory Dump Source

Source File: 00000001.00000002.3136990136.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_CxDfBJ42lP.jbxd

Similarity

API ID:
String ID: u
API String ID: 0-4067256894
Opcode ID: d03947906f942881bba260a2b86130a34fc5fecdcf99195b37ffd90c34676957
Instruction ID: a0c276329932e52b2eaf7dc589f6fd4bc93cf040be186316450ac8745fe13a4a
Opcode Fuzzy Hash: d03947906f942881bba260a2b86130a34fc5fecdcf99195b37ffd90c34676957
Instruction Fuzzy Hash: 9431E074D0020EDFCB00DFA9C484AEEBBF5BF48314F15956AE414A7254EB34AA85CFA5

Function 013C9F47 Relevance: 1.3, Strings: 1, Instructions: 46COMMON

Download Yara Rule

Strings

$, xrefs: 013C9F6F

Memory Dump Source

Source File: 00000001.00000002.3136990136.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_CxDfBJ42lP.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: a96ae82960a9cd0afc362ddf474604de5da8bd2cba569d26527f44bdb06e16f5
Instruction ID: 2c449123a9935ce2714babc4afa89fc3fc9e20d0d7ebbc3d275d49831df62e94
Opcode Fuzzy Hash: a96ae82960a9cd0afc362ddf474604de5da8bd2cba569d26527f44bdb06e16f5
Instruction Fuzzy Hash: D501AD30D4534ADFDB65DF69A8087FDBBB9AF86319F0281AAC404A2155CB78092ACB41

Function 013C9DD1 Relevance: 1.3, Strings: 1, Instructions: 38COMMON

Download Yara Rule

Strings

u, xrefs: 013C9E15

Memory Dump Source

Source File: 00000001.00000002.3136990136.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_CxDfBJ42lP.jbxd

Similarity

API ID:
String ID: u
API String ID: 0-4067256894
Opcode ID: 0562aa1c25d6e49b32b0d47307ecd4de8e4d34ed28d2337ae31eb782fa1f56ce
Instruction ID: 54c97b6e7b9e6acc8a19d7760c266a87820381843c47a8a9ab39fbf72ead2ab4
Opcode Fuzzy Hash: 0562aa1c25d6e49b32b0d47307ecd4de8e4d34ed28d2337ae31eb782fa1f56ce
Instruction Fuzzy Hash: A1012474D0024CAFDB10CFAAD8487DDBFB5AB88318F04D069D414B2214DB344585CF55

Function 013CE1CB Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3136990136.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_CxDfBJ42lP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b58a84beee0c11bfc8cd90c4a20695efc09eddc82402aaba46d6dad3caa55a6
Instruction ID: ee7d1427f523f9bde6d1451265013281b963a952c6a448546b255a50c0488987
Opcode Fuzzy Hash: 4b58a84beee0c11bfc8cd90c4a20695efc09eddc82402aaba46d6dad3caa55a6
Instruction Fuzzy Hash: 0C413974D002198FDB14EFA9D844ADEFBB2FF89314F14822AE414A7354DB34A956CB51

Function 013CEFE0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3136990136.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_CxDfBJ42lP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12cc46e9a7f0629046da8e630475007a2a6819e4dffd61550df8701ea224e5d3
Instruction ID: c2df535d9f26033cf12fde82d40507743ff101abf7299225d1c0d21d7178a747
Opcode Fuzzy Hash: 12cc46e9a7f0629046da8e630475007a2a6819e4dffd61550df8701ea224e5d3
Instruction Fuzzy Hash: 8D11C131B042059BC718EFBDE85465E7FE6EF85202F20857DD50AA7754DE30AD0ACBA1

Function 013CD850 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3136990136.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_CxDfBJ42lP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af9888e25b70c11ce5b95f4e95faa59f64ba3cbf0c114634b18f5bf37b8b347b
Instruction ID: f64f6d3e85053ac463670427ca9e8517ca0b3e6784951a54aed09868e3a855d8
Opcode Fuzzy Hash: af9888e25b70c11ce5b95f4e95faa59f64ba3cbf0c114634b18f5bf37b8b347b
Instruction Fuzzy Hash: 8811E031D04348CFEB25CBA8E8483EEBFB0AB8A314F0581BED408A3255C7340915CF91

Function 013C9FE1 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3136990136.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_CxDfBJ42lP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9351fe957a71a5390d1d3abfef1cac3486379b0c1d76ab1317f9415cf8718d81
Instruction ID: 1003cccff8effc21790a44b8649e68260bad93cb2bcc4ce7fd11f3353aa8c3ce
Opcode Fuzzy Hash: 9351fe957a71a5390d1d3abfef1cac3486379b0c1d76ab1317f9415cf8718d81
Instruction Fuzzy Hash: 641100B0C05348EFDB25DB78A80A6AD7FF0AB43311F1085AFC80097291E7700E18CB02

Function 013C77AD Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3136990136.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_CxDfBJ42lP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 954db2d36351f7a61b4708f5fe5bd9d9d4264be9ba2c1c489e080671ab482b42
Instruction ID: 980386cbf172500cbf1d1aed965e84701c063f287572c29c3ba6e3224b8ffc2e
Opcode Fuzzy Hash: 954db2d36351f7a61b4708f5fe5bd9d9d4264be9ba2c1c489e080671ab482b42
Instruction Fuzzy Hash: B001C874E002098FC700DFA8C8889ADBBB2BF4A314F149519D41AAB391D774AC42CF54

Function 013C9F80 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3136990136.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_CxDfBJ42lP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7fb18ac8df1dbc0c1c18e11c0c6db6e16cfee2087c7173f47f6056f13e997bf
Instruction ID: 6fc5264706ff79e03727bde28f9211b6aacd78cd47cbe7795ad509c001898f07
Opcode Fuzzy Hash: d7fb18ac8df1dbc0c1c18e11c0c6db6e16cfee2087c7173f47f6056f13e997bf
Instruction Fuzzy Hash: 35E0E531D043499BDB119E6AD4093FEBBB9AB86319F415469C10462146DB78451A8B85

Function 013CD4D8 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3136990136.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_CxDfBJ42lP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d495e153f57778f3d387d328067809792cbdaee89c25deee50b1808c4eb7a76
Instruction ID: 5b09d718af45b1974cc6a0da64c863c1e931f28eead8b5ce21618a06217d4ba3
Opcode Fuzzy Hash: 5d495e153f57778f3d387d328067809792cbdaee89c25deee50b1808c4eb7a76
Instruction Fuzzy Hash: B6F0ECB490034A8FCB00CBA8D8446CC7FF2EF42318F1082AAC409EB2A1EA351D028B42

Function 013CD8A8 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3136990136.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_CxDfBJ42lP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bd875bec597bf837f45e6bed8ec4ecd3a47030335f35a70f440dacbdcbae0d5
Instruction ID: 574a37d83e246af984c7b8149e96c4ac280012665a7a213f8968c70c803d5f63
Opcode Fuzzy Hash: 6bd875bec597bf837f45e6bed8ec4ecd3a47030335f35a70f440dacbdcbae0d5
Instruction Fuzzy Hash: 43E03930D00309CBEB64ABA9D8086EEBBB8EB8E315F005439D119A2654DB381A158F91

Function 013C9F90 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3136990136.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_CxDfBJ42lP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e24cb0061a13d08d8ab31deb78e155e1d2e875dd39ad35b1f041b032f0f30c5
Instruction ID: 36b4140e31232f27883deb144eab90fd056e771ed4ad82db750c35cb42c97723
Opcode Fuzzy Hash: 0e24cb0061a13d08d8ab31deb78e155e1d2e875dd39ad35b1f041b032f0f30c5
Instruction Fuzzy Hash: 33E04F31D0020ADBEB109EAAE4087FEB7B9AB8A315F015429C51462154DB795A298F91

Function 013CD4E8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3136990136.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_CxDfBJ42lP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 827a71396b985dc8a1d4cb32c91cfda6dadab9e2a668ade8afb0c81f13bfba29
Instruction ID: 88edeb581a24222eee651a82d2455ac562794db1a1896e9351d17b4f99a16be8
Opcode Fuzzy Hash: 827a71396b985dc8a1d4cb32c91cfda6dadab9e2a668ade8afb0c81f13bfba29
Instruction Fuzzy Hash: 13E06D74D0020DEBD700EBA8E448A9CBFF6EB45308F0081A99409E3254EB342E54CB81

Function 013CEFD0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3136990136.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_CxDfBJ42lP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32cf646970b1d12c6ae65fc3eb2d94b607ccd9aa20927b10ae85e25c9901149b
Instruction ID: 958bd750918ac579c2d77fae78b4d1b4b52c96ce5838e1915dae8c29a8011a74
Opcode Fuzzy Hash: 32cf646970b1d12c6ae65fc3eb2d94b607ccd9aa20927b10ae85e25c9901149b
Instruction Fuzzy Hash: 96C012F984E58A13D711C4A48AC22893BD0C621196B164AEE885CC6653D00BC0474745

Non-executed Functions

Function 013C7D08 Relevance: 4.5, Strings: 3, Instructions: 765COMMON

Download Yara Rule

Strings

2vl, xrefs: 013C8538
?#Wq, xrefs: 013C861A
'Cz, xrefs: 013C7DB7

Memory Dump Source

Source File: 00000001.00000002.3136990136.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_CxDfBJ42lP.jbxd

Similarity

API ID:
String ID: 'Cz$2vl$?#Wq
API String ID: 0-2846151515
Opcode ID: 7daede38f259d1992988c2d28ff4092c156b4af3685e348d3c27c5236074b605
Instruction ID: 344d2116e49051532a4ae25656adfed4a3c16c016987e4412d14ea01f6be0d12
Opcode Fuzzy Hash: 7daede38f259d1992988c2d28ff4092c156b4af3685e348d3c27c5236074b605
Instruction Fuzzy Hash: E3829174E04219DFDB54CFA9C984ADDBBF5BB89304F1481AAD809AB315E730AE85CF50

Function 013C7C24 Relevance: 3.2, Strings: 2, Instructions: 736COMMON

Download Yara Rule

Strings

?#Wq, xrefs: 013C861A
'Cz, xrefs: 013C7DB7

Memory Dump Source

Source File: 00000001.00000002.3136990136.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_CxDfBJ42lP.jbxd

Similarity

API ID:
String ID: 'Cz$?#Wq
API String ID: 0-1026680534
Opcode ID: fe6656af2f8c96775995bb5b34edf9d1da21c2fef33ced1e4962a17de1136d22
Instruction ID: 36b0366f03f95ac3b3c2e5cff164de82f3c19444bc3b122e3b8fc9ee16610433
Opcode Fuzzy Hash: fe6656af2f8c96775995bb5b34edf9d1da21c2fef33ced1e4962a17de1136d22
Instruction Fuzzy Hash: 1A629174E042199FDB54DFA9C984ADDBBF5BB89304F1481EAD808AB315D730AE85CF50

Function 013CE4D8 Relevance: 3.2, Strings: 2, Instructions: 672COMMON

Download Yara Rule

Strings

dp, xrefs: 013CE4E0
N*'U, xrefs: 013CEA6A

Memory Dump Source

Source File: 00000001.00000002.3136990136.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_CxDfBJ42lP.jbxd

Similarity

API ID:
String ID: N*'U$dp
API String ID: 0-1200039200
Opcode ID: 547749803ed0807654a3ed5582d717727d5257805d2d9fe3947f3d0639825037
Instruction ID: 379eaae45a525527f7a749067ba3adb7f5455f168432e515b97efec887da356e
Opcode Fuzzy Hash: 547749803ed0807654a3ed5582d717727d5257805d2d9fe3947f3d0639825037
Instruction Fuzzy Hash: CF120374E00219CFDB14DFA9C884A9DBBB6FF89304F1481AAD409EB355E734AA45CF50

Function 013C4608 Relevance: 2.5, Strings: 1, Instructions: 1294COMMON

Download Yara Rule

Strings

KU, xrefs: 013C4ACF

Memory Dump Source

Source File: 00000001.00000002.3136990136.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_CxDfBJ42lP.jbxd

Similarity

API ID:
String ID: KU
API String ID: 0-1863757666
Opcode ID: b85719d826f034d94240a5bc7dc981d434dc0962089091c556558150a097c4c6
Instruction ID: 1ae7268bf0aa761af96494ea71d71cd03ab9e8bc56c54afc0adfacb92b423daa
Opcode Fuzzy Hash: b85719d826f034d94240a5bc7dc981d434dc0962089091c556558150a097c4c6
Instruction Fuzzy Hash: ACD2D278E052298FDB64CF69C884ADDBBF5BB49304F1481AAD819E7355E730AE81CF50

Function 013C4560 Relevance: 2.1, Strings: 1, Instructions: 850COMMON

Download Yara Rule

Strings

KU, xrefs: 013C4ACF

Memory Dump Source

Source File: 00000001.00000002.3136990136.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_CxDfBJ42lP.jbxd

Similarity

API ID:
String ID: KU
API String ID: 0-1863757666
Opcode ID: d3455ddc0c69ce371891c320a457352324c126abc884ff7fd71add21559e136a
Instruction ID: 5c16d2385334e30b1c9161103bea1f15db14d36f817a8122c25d949a489d1efe
Opcode Fuzzy Hash: d3455ddc0c69ce371891c320a457352324c126abc884ff7fd71add21559e136a
Instruction Fuzzy Hash: E292C178E042199FDB54CFA9C884AD9BBF5BB89304F14C1AAD818EB355E734AE45CF40

Function 013C45F8 Relevance: 2.1, Strings: 1, Instructions: 807COMMON

Download Yara Rule

Strings

KU, xrefs: 013C4ACF

Memory Dump Source

Source File: 00000001.00000002.3136990136.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_CxDfBJ42lP.jbxd

Similarity

API ID:
String ID: KU
API String ID: 0-1863757666
Opcode ID: df470b512de99c027a80de4f1a636c49f3480434ac6d94311ae962eb3c237f7d
Instruction ID: ae1ba7232eec032bc35500315a9302b16837a5f46c05d80c2ad9f4b806d687b3
Opcode Fuzzy Hash: df470b512de99c027a80de4f1a636c49f3480434ac6d94311ae962eb3c237f7d
Instruction Fuzzy Hash: 6882CF78E042199FDB54CFA9C884A9DBBF6BB89304F14C1AAD818E7355E734AE45CF40

Function 013CE760 Relevance: 1.8, Strings: 1, Instructions: 521COMMON

Download Yara Rule

Strings

N*'U, xrefs: 013CEA6A

Memory Dump Source

Source File: 00000001.00000002.3136990136.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_CxDfBJ42lP.jbxd

Similarity

API ID:
String ID: N*'U
API String ID: 0-2928747578
Opcode ID: 865c2bab8db3ef02e4b64dfb7f298e94d1a90289c56934badc8097b40afd133c
Instruction ID: 7a40b360561bdda1be6ff2afdb1afb97e7bfbf779b62df31e7a07332c8cc044f
Opcode Fuzzy Hash: 865c2bab8db3ef02e4b64dfb7f298e94d1a90289c56934badc8097b40afd133c
Instruction Fuzzy Hash: 04320478E002198FDB14DFA9C884A9DBBB6FF89304F14C1AAD419EB355E734AA41CF50

Function 013CD950 Relevance: 1.8, Strings: 1, Instructions: 513COMMON

Download Yara Rule

Strings

mF%$, xrefs: 013CDFB0

Memory Dump Source

Source File: 00000001.00000002.3136990136.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_CxDfBJ42lP.jbxd

Similarity

API ID:
String ID: mF%$
API String ID: 0-1223636358
Opcode ID: 978161fd9bf5d9d494daf69fb16b5472e4312b5cb248bb28b6ae0367065c15ad
Instruction ID: a8158ca9b19242b3c39f17f1a97ea4e4c4bec13706c00e621c9426d23f419d5f
Opcode Fuzzy Hash: 978161fd9bf5d9d494daf69fb16b5472e4312b5cb248bb28b6ae0367065c15ad
Instruction Fuzzy Hash: 6A525F74E002299FDB64DFA9C984ADDBBF5BB49304F1481AAD809E7315E730AE85CF50

Function 013CD93F Relevance: .5, Instructions: 451COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3136990136.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_CxDfBJ42lP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bedc6eeeec2d68d3bb7207193bb3d5a284f96eb71989d8301c37debea7cf4275
Instruction ID: 8b63064921f18a76a7f21dd95b69cb0973eca41f2296a5c857bf664d8fc6bee7
Opcode Fuzzy Hash: bedc6eeeec2d68d3bb7207193bb3d5a284f96eb71989d8301c37debea7cf4275
Instruction Fuzzy Hash: 80325E78E002199FDB64CFA9C984ADDBBF5BB49304F1581AAD809E7315E730AE85CF50

Function 013C1734 Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3136990136.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_CxDfBJ42lP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 417207abc441216ab5caa47e9edddd3e3b3ddbbb879d9312039147ec75baf0be
Instruction ID: 1615ee9e59f9b8108b2ace65ef60a7090912b16995b63b3500f2d67f4a3e4fd2
Opcode Fuzzy Hash: 417207abc441216ab5caa47e9edddd3e3b3ddbbb879d9312039147ec75baf0be
Instruction Fuzzy Hash: 7571A2B4E00219CFDB44CFA9C984A9EBBF2BF88304F248169E515AB365D734A905CF50

Function 013C1738 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3136990136.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_CxDfBJ42lP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5026dd9609f589be1eeda2185016ccc4281a03b212990f0a28c048db53eb05cb
Instruction ID: 90bba28d583bc35d9cea099726fa6ad75313b708a0a11da5f83dca897cf60ae8
Opcode Fuzzy Hash: 5026dd9609f589be1eeda2185016ccc4281a03b212990f0a28c048db53eb05cb
Instruction Fuzzy Hash: 8C6192B4E00619CFDB44CFAAC984A9EBBF6BF88304F209169E515AB364D734A905CF54

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report CxDfBJ42lP.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

TCP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Windows Analysis Report
CxDfBJ42lP.exe