Edit tour

Windows Analysis Report
StreamViewerBot.exe

Overview

General Information

Sample name:	StreamViewerBot.exe
Analysis ID:	1653652
MD5:	b8a2f2a0459a724be181b415dd447929
SHA1:	58ed4b55c74fc08c08a19a393a15d581d92c6c70
SHA256:	4c54f3ecae5da1ea51d8d43547d443ba725a1b88c62ae62bd9d766134158710e
Tags:	exejmutanensoftwareOyuser-SquiblydooBlog
Infos:

Detection

Score:	3
Range:	0 - 100
Confidence:	80%

Signatures

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Found inlined nop instructions (likely shell or obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Classification

Process Tree

System is w10x64

StreamViewerBot.exe (PID: 6404 cmdline: "C:\Users\user\Desktop\StreamViewerBot.exe" MD5: B8A2F2A0459A724BE181B415DD447929)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

• Compliance
• Software Vulnerabilities
• Networking
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: StreamViewerBot.exe

Static PE information: certificate valid

Source: StreamViewerBot.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\Users\Administrator\source\repos\NewTorp\NewTorp\obj\x64\Release\StreamViewerBot.pdb source: StreamViewerBot.exe

Source: C:\Users\user\Desktop\StreamViewerBot.exe

Code function: 4x nop then dec eax

Source: StreamViewerBot.exe	String found in binary or memory: http://cert.ssl.com/SSL.com-timeStamping-I-RSA-R1.cer0Q
Source: StreamViewerBot.exe	String found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.cer0
Source: StreamViewerBot.exe	String found in binary or memory: http://crls.ssl.com/SSL.com-timeStamping-I-RSA-R1.crl0
Source: StreamViewerBot.exe	String found in binary or memory: http://crls.ssl.com/SSLcom-RootCA-EV-RSA-4096-R2.crl0
Source: StreamViewerBot.exe	String found in binary or memory: http://crls.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.crl0
Source: StreamViewerBot.exe	String found in binary or memory: http://crls.ssl.com/ssl.com-rsa-RootCA.crl0
Source: StreamViewerBot.exe	String found in binary or memory: http://ocsps.ssl.com0
Source: StreamViewerBot.exe	String found in binary or memory: http://ocsps.ssl.com0?
Source: StreamViewerBot.exe	String found in binary or memory: http://ocsps.ssl.com0P
Source: StreamViewerBot.exe, 00000000.00000002.849165525.000001AC29BD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: StreamViewerBot.exe	String found in binary or memory: http://www.ssl.com/repository/SSLcom-RootCA-EV-RSA-4096-R2.crt0
Source: StreamViewerBot.exe	String found in binary or memory: http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt0
Source: StreamViewerBot.exe	String found in binary or memory: https://www.ssl.com/repository0

Source: StreamViewerBot.exe

Static PE information: No import functions for PE file found

Source: classification engine

Classification label: clean3.winEXE@1/1@0/0

Source: C:\Users\user\Desktop\StreamViewerBot.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\StreamViewerBot.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\StreamViewerBot.exe

Mutant created: NULL

Source: StreamViewerBot.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: StreamViewerBot.exe

Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%

Source: C:\Users\user\Desktop\StreamViewerBot.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\StreamViewerBot.exe	Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\StreamViewerBot.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\StreamViewerBot.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\StreamViewerBot.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\StreamViewerBot.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\StreamViewerBot.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\StreamViewerBot.exe	Section loaded: ucrtbase_clr0400.dll

Source: StreamViewerBot.exe

Static PE information: certificate valid

Source: StreamViewerBot.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: StreamViewerBot.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: StreamViewerBot.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: StreamViewerBot.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: C:\Users\Administrator\source\repos\NewTorp\NewTorp\obj\x64\Release\StreamViewerBot.pdb source: StreamViewerBot.exe

Source: StreamViewerBot.exe

Static PE information: 0xB7091D78 [Sat Apr 23 23:44:56 2067 UTC]

Source: C:\Users\user\Desktop\StreamViewerBot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\StreamViewerBot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\StreamViewerBot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\StreamViewerBot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\StreamViewerBot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\StreamViewerBot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\StreamViewerBot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\StreamViewerBot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\StreamViewerBot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\StreamViewerBot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\StreamViewerBot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\StreamViewerBot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\StreamViewerBot.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\Desktop\StreamViewerBot.exe	Memory allocated: 1AC27FF0000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\StreamViewerBot.exe	Memory allocated: 1AC41BD0000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\StreamViewerBot.exe

Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\StreamViewerBot.exe TID: 6464

Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\Desktop\StreamViewerBot.exe

Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\StreamViewerBot.exe

Memory allocated: page read and write | page guard

Source: C:\Users\user\Desktop\StreamViewerBot.exe

Queries volume information: C:\Users\user\Desktop\StreamViewerBot.exe VolumeInformation

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Masquerading	OS Credential Dumping	31 Virtualization/Sandbox Evasion	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	11 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Timestomp	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
StreamViewerBot.exe	3%	ReversingLabs
StreamViewerBot.exe	6%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://crls.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.crl0	StreamViewerBot.exe	false	high
http://crls.ssl.com/ssl.com-rsa-RootCA.crl0	StreamViewerBot.exe	false	high
http://crls.ssl.com/SSL.com-timeStamping-I-RSA-R1.crl0	StreamViewerBot.exe	false	high
https://www.ssl.com/repository0	StreamViewerBot.exe	false	high
http://ocsps.ssl.com0?	StreamViewerBot.exe	false	high
http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt0	StreamViewerBot.exe	false	high
http://cert.ssl.com/SSL.com-timeStamping-I-RSA-R1.cer0Q	StreamViewerBot.exe	false	high
http://ocsps.ssl.com0	StreamViewerBot.exe	false	high
http://cert.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.cer0	StreamViewerBot.exe	false	high
http://crls.ssl.com/SSLcom-RootCA-EV-RSA-4096-R2.crl0	StreamViewerBot.exe	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	StreamViewerBot.exe, 00000000.00000002.849165525.000001AC29BD1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.ssl.com/repository/SSLcom-RootCA-EV-RSA-4096-R2.crt0	StreamViewerBot.exe	false	high
http://ocsps.ssl.com0P	StreamViewerBot.exe	false	high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1653652
Start date and time:	2025-04-01 14:07:14 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 1m 54s
Hypervisor based Inspection enabled:	false
Report type:	light
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	StreamViewerBot.exe
Detection:	CLEAN
Classification:	clean3.winEXE@1/1@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 60% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Execution Graph export aborted for target StreamViewerBot.exe, PID 6404 because it is empty

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\StreamViewerBot.exe.log

Download File

Process:	C:\Users\user\Desktop\StreamViewerBot.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	226
Entropy (8bit):	5.355760272568367
Encrypted:	false
SSDEEP:	6:Q3La/xw5DLIP12MUAvvR+uTL2FDkwIyp1v:Q3La/KDLI4MWuPXcp1v
MD5:	FC3575D5BE1A5405683DC33B66D36243
SHA1:	1C816D34B7D5B96E077DC3EF640BA8C7BA370502
SHA-256:	1D7F7FBA862417A1D0351C1BF454F1A9BB0ED7FFD5DF1112EED802C01BDDA50C
SHA-512:	68914FE00F8550A623074F9ACC31ACEF8A3F6DFDDBD9FDA23512079BEC5E8A4D4E82BC8CD8D536E6C88F4DA3A704AC376785B44343BD3BED83E440857A3C0164
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.654645673199643
TrID:	Win64 Executable GUI Net Framework (217006/5) 49.88% Win64 Executable GUI (202006/5) 46.43% Win64 Executable (generic) (12005/4) 2.76% Generic Win/DOS Executable (2004/3) 0.46% DOS Executable Generic (2002/1) 0.46%
File name:	StreamViewerBot.exe
File size:	16'952 bytes
MD5:	b8a2f2a0459a724be181b415dd447929
SHA1:	58ed4b55c74fc08c08a19a393a15d581d92c6c70
SHA256:	4c54f3ecae5da1ea51d8d43547d443ba725a1b88c62ae62bd9d766134158710e
SHA512:	c2efeaa6b71f3e07034925280ad5a71feb61071c22a81d149fbeac74f3576856bda48e1090b1da11f7d0c272dfb424e10866d87a8433a4f263b23414fb86630b
SSDEEP:	384:sSblHQ4dy7v6PptYcFwVc03KEFCpmwVJCMhCm/HQ:/pM6htYcFwVc6KEFW9qpKw
TLSH:	65724C864A984271DF724B31F8F29B43DF33A9DB69499EDF704CC4053F91781AA2316A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...x............."...0.................. .....@..... .......................`.......C....`...@......@............... .....

File Icon


Icon Hash:	2535952dd2d2dad2

Static PE Info

General

Entrypoint:	0x140000000
Entrypoint Section:
Digitally signed:	true
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xB7091D78 [Sat Apr 23 23:44:56 2067 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=SSL.com EV Code Signing Intermediate CA RSA R3, O=SSL Corp, L=Houston, S=Texas, C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	03/03/2025 18:10:55 03/03/2026 18:10:55
Subject Chain	OID.1.3.6.1.4.1.311.60.2.1.3=FI, OID.2.5.4.15=Private Organization, CN=jmutanen software Oy, SERIALNUMBER=2728936-9, O=jmutanen software Oy, L=Jyv\xe4skyl\xe4, S=Central Finland, C=FI
Version:	3
Thumbprint MD5:	33B8345A353510998036729A4C78BF94
Thumbprint SHA-1:	7B4DC3ABE54BD12C68D053F7CA414006B6AAADE5
Thumbprint SHA-256:	822EF8B22669C1721F29C194B8EFF2DE3BEB2598A567E38F4E57C35CA2475089
Serial:	5D0F3064FC92CC703EF200CA9C344F56

Entrypoint Preview

Instruction
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4000	0x130c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x2200	0x2038
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x2b08	0x38	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xbb0	0xc00	42a980e134f75420868dedf0b3c384b4	False	0.5543619791666666	data	5.206489257009738	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x4000	0x130c	0x1400	a8888ff1b25a6c12374c5bbc7380dabf	False	0.3640625	data	4.877452559887312	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x4100	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	0.3108108108108108
RT_GROUP_ICON	0x4238	0x14	data	1.15
RT_VERSION	0x425c	0x348	data	0.42857142857142855
RT_MANIFEST	0x45b4	0xd53	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.38463793608912344

Version Infos

Description	Data
Translation	0x0000 0x04b0
Comments	Stream Viewer Bot
CompanyName
FileDescription	StreamViewerBot
FileVersion	24.06.20.0
InternalName	StreamViewerBot.exe
LegalCopyright
LegalTrademarks
OriginalFilename	StreamViewerBot.exe
ProductName	SVB
ProductVersion	24.06.20.0
Assembly Version	24.6.20.0

Network Behavior

⊘No network behavior found

Statistics

⊘No statistics

System Behavior

Analysis Process: StreamViewerBot.exePID: 6404, Parent PID: 4056

General

Target ID:	0
Start time:	08:08:05
Start date:	01/04/2025
Path:	C:\Users\user\Desktop\StreamViewerBot.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\StreamViewerBot.exe"
Imagebase:	0x1ac27cc0000
File size:	16'952 bytes
MD5 hash:	B8A2F2A0459A724BE181B415DD447929
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report StreamViewerBot.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\StreamViewerBot.exe.log

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Version Infos

Network Behavior

Statistics

System Behavior

Analysis Process: StreamViewerBot.exePID: 6404, Parent PID: 4056

General

File Activities

File Created

File Written

File Read

Disassembly

Windows Analysis Report
StreamViewerBot.exe