Edit tour

Windows Analysis Report
stage8.exe

Overview

General Information

Sample name:	stage8.exe
Analysis ID:	1670280
MD5:	e916d03ec05b21489f33971f53e00e58
SHA1:	7827a6286eea0d8d13d19248522b05f290a7417c
SHA256:	a94c0b0f208c5dd4fbd059513b9888c9b9aa5672e8d582a8c383c40d5584c30c
Tags:	exeuser-zhuzhu0009
Infos:

Detection

RHADAMANTHYS

Score:	96
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected RHADAMANTHYS Stealer

C2 URLs / IPs found in malware configuration

Switches to a custom stack to bypass stack traces

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Found potential string decryption / allocating functions

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Keylogger Generic

Classification

Process Tree

System is w10x64

stage8.exe (PID: 3408 cmdline: "C:\Users\user\Desktop\stage8.exe" MD5: E916D03EC05B21489F33971F53E00E58)

svchost.exe (PID: 6168 cmdline: "C:\Windows\System32\svchost.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Rhadamanthys	According to PCrisk, Rhadamanthys is a stealer-type malware, and as its name implies - it is designed to extract data from infected machines.At the time of writing, this malware is spread through malicious websites mirroring those of genuine software such as AnyDesk, Zoom, Notepad++, and others. Rhadamanthys is downloaded alongside the real program, thus diminishing immediate user suspicion. These sites were promoted through Google ads, which superseded the legitimate search results on the Google search engine.	Sandworm	https://0xmrmagnezi.github.io/malware%20analysis/Rhadamanthys/ https://blog.cyble.com/2023/01/12/rhadamanthys-new-stealer-spreading-through-google-ads/ https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023 https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/ https://blog.talosintelligence.com/highlighting-ta866-asylum-ambuscade/	https://malpedia.caad.fkie.fraunhofer.de/details/win.rhadamanthys

Malware Configuration

Threatname: Rhadamanthys

{
  "C2 url": "https://176.65.141.165:8587/0721217eab03d184996db/gv0sp5bb.llwhs"
}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000003.1308292058.0000000002FE0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000001.00000003.1311272239.0000000003440000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000000.00000003.1310760331.0000000003C20000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000000.00000003.1310600950.0000000003A00000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000001.00000003.1313900133.0000000005370000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000001.00000003.1314053472.0000000005590000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000001.00000002.1345340958.0000000003450000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000000.00000003.1311207212.00000000032C0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
Process Memory Space: stage8.exe PID: 3408	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: svchost.exe PID: 6168	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author
0.3.stage8.exe.3c20000.7.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
1.3.svchost.exe.5590000.7.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
1.3.svchost.exe.5370000.6.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0.3.stage8.exe.3a00000.6.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security

Sigma Signatures

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\svchost.exe", CommandLine: "C:\Windows\System32\svchost.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\stage8.exe", ParentImage: C:\Users\user\Desktop\stage8.exe, ParentProcessId: 3408, ParentProcessName: stage8.exe, ProcessCommandLine: "C:\Windows\System32\svchost.exe", ProcessId: 6168, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Windows\System32\svchost.exe", CommandLine: "C:\Windows\System32\svchost.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\stage8.exe", ParentImage: C:\Users\user\Desktop\stage8.exe, ParentProcessId: 3408, ParentProcessName: stage8.exe, ProcessCommandLine: "C:\Windows\System32\svchost.exe", ProcessId: 6168, ProcessName: svchost.exe

Suricata Signatures

ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-04-21T14:12:11.777760+0200	2854802	1	Domain Observed Used for C2 Detected	176.65.141.165	8587	192.168.2.5	49692	TCP

Joe Sandbox Signatures

• AV Detection
• Compliance
• Spreading
• Networking
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection
• Stealing of Sensitive Information
• Remote Access Functionality

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: stage8.exe

Avira: detected

Found malware configuration

Source: stage8.exe

Malware Configuration Extractor: Rhadamanthys {"C2 url": "https://176.65.141.165:8587/0721217eab03d184996db/gv0sp5bb.llwhs"}

Multi AV Scanner detection for submitted file

Source: stage8.exe	Virustotal: Detection: 61%			Perma Link
Source: stage8.exe	ReversingLabs: Detection: 75%

Source: stage8.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: stage8.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: wkernel32.pdb source: stage8.exe, stage8.exe, 00000000.00000003.1310339270.00000000031F0000.00000004.00000001.00020000.00000000.sdmp, stage8.exe, 00000000.00000003.1310405039.0000000003A80000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1313691865.0000000005370000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1313757490.0000000005490000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wkernelbase.pdb source: stage8.exe, 00000000.00000003.1310600950.0000000003A00000.00000004.00000001.00020000.00000000.sdmp, stage8.exe, 00000000.00000003.1310760331.0000000003C20000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1313900133.0000000005370000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1314053472.0000000005590000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdb source: stage8.exe, 00000000.00000003.1309748629.0000000003BF0000.00000004.00000001.00020000.00000000.sdmp, stage8.exe, 00000000.00000003.1309568999.0000000003A00000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1312131908.0000000005370000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1312328420.0000000005560000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: stage8.exe, 00000000.00000003.1310001103.0000000003A00000.00000004.00000001.00020000.00000000.sdmp, stage8.exe, 00000000.00000003.1310153671.0000000003BA0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1313374936.0000000005370000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1313528414.0000000005510000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: stage8.exe, 00000000.00000003.1309748629.0000000003BF0000.00000004.00000001.00020000.00000000.sdmp, stage8.exe, 00000000.00000003.1309568999.0000000003A00000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1312131908.0000000005370000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1312328420.0000000005560000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: stage8.exe, 00000000.00000003.1310001103.0000000003A00000.00000004.00000001.00020000.00000000.sdmp, stage8.exe, 00000000.00000003.1310153671.0000000003BA0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1313374936.0000000005370000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1313528414.0000000005510000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wkernel32.pdbUGP source: stage8.exe, 00000000.00000003.1310339270.00000000031F0000.00000004.00000001.00020000.00000000.sdmp, stage8.exe, 00000000.00000003.1310405039.0000000003A80000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1313691865.0000000005370000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1313757490.0000000005490000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wkernelbase.pdbUGP source: stage8.exe, 00000000.00000003.1310600950.0000000003A00000.00000004.00000001.00020000.00000000.sdmp, stage8.exe, 00000000.00000003.1310760331.0000000003C20000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1313900133.0000000005370000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1314053472.0000000005590000.00000004.00000001.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\stage8.exe

Code function: 0_2_000B9608 FindFirstFileExW,

0_2_000B9608

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 176.65.141.165:8587 -> 192.168.2.5:49692

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\svchost.exe

Network Connect: 176.65.141.165 8587

Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://176.65.141.165:8587/0721217eab03d184996db/gv0sp5bb.llwhs

Source: global traffic

TCP traffic: 192.168.2.5:49692 -> 176.65.141.165:8587

Source: Joe Sandbox View

ASN Name: WEBTRAFFICDE WEBTRAFFICDE

Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.141.165
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.141.165
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.141.165
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.141.165
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.141.165
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.141.165
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.141.165
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.141.165

Source: svchost.exe, 00000001.00000002.1344833223.0000000002BCC000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://176.65.141.165:8587/0721217eab03d184996db/gv0sp5bb.llwhs
Source: svchost.exe, 00000001.00000002.1344833223.0000000002BCC000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://176.65.141.165:8587/0721217eab03d184996db/gv0sp5bb.llwhsx
Source: svchost.exe, 00000001.00000003.1330356301.00000000033A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloudflare-dns.com/dns-query
Source: svchost.exe, 00000001.00000003.1330356301.00000000033A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloudflare-dns.com/dns-queryPOSTContent-TypeContent-LengthHostapplication/dns-message%dMachi

Source: stage8.exe, 00000000.00000003.1310600950.0000000003A00000.00000004.00000001.00020000.00000000.sdmp

Binary or memory string: DirectInput8Create

memstr_20bb34a0-9

Source: stage8.exe, 00000000.00000003.1310600950.0000000003A00000.00000004.00000001.00020000.00000000.sdmp

Binary or memory string: GetRawInputData

memstr_2631c4cd-a

Source: Yara match	File source: 0.3.stage8.exe.3c20000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.svchost.exe.5590000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.svchost.exe.5370000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.stage8.exe.3a00000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.1310760331.0000000003C20000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1310600950.0000000003A00000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1313900133.0000000005370000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1314053472.0000000005590000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: stage8.exe PID: 3408, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 6168, type: MEMORYSTR

Source: C:\Users\user\Desktop\stage8.exe	Code function: 0_2_000BCC25	0_2_000BCC25
Source: C:\Users\user\Desktop\stage8.exe	Code function: 0_2_000AC09A	0_2_000AC09A
Source: C:\Users\user\Desktop\stage8.exe	Code function: 0_2_000AF13B	0_2_000AF13B
Source: C:\Users\user\Desktop\stage8.exe	Code function: 0_2_000B1170	0_2_000B1170
Source: C:\Users\user\Desktop\stage8.exe	Code function: 0_2_000B264D	0_2_000B264D
Source: C:\Users\user\Desktop\stage8.exe	Code function: 0_2_000B6F89	0_2_000B6F89
Source: C:\Users\user\Desktop\stage8.exe	Code function: 0_2_000AC3DC	0_2_000AC3DC

Source: C:\Users\user\Desktop\stage8.exe

Code function: String function: 000A7FB0 appears 38 times

Source: stage8.exe	Binary or memory string: OriginalFilename vs stage8.exe
Source: stage8.exe, 00000000.00000003.1310153671.0000000003CCD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs stage8.exe
Source: stage8.exe, 00000000.00000003.1310001103.0000000003B23000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs stage8.exe
Source: stage8.exe, 00000000.00000000.1297739279.00000000000C9000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameFlashDevelop.exer) vs stage8.exe
Source: stage8.exe, 00000000.00000003.1310339270.0000000003282000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamekernel32j% vs stage8.exe
Source: stage8.exe, 00000000.00000003.1310760331.0000000003E01000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameKernelbase.dllj% vs stage8.exe
Source: stage8.exe, 00000000.00000003.1310339270.00000000031F0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \[FileVersionProductVersionFileDescriptionCompanyNameProductNameOriginalFilenameInternalNameLegalCopyright vs stage8.exe
Source: stage8.exe, 00000000.00000003.1309748629.0000000003D76000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs stage8.exe
Source: stage8.exe, 00000000.00000003.1310405039.0000000003AD0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamekernel32j% vs stage8.exe
Source: stage8.exe, 00000000.00000003.1310405039.0000000003A80000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \[FileVersionProductVersionFileDescriptionCompanyNameProductNameOriginalFilenameInternalNameLegalCopyright vs stage8.exe
Source: stage8.exe, 00000000.00000002.1311592351.00000000000C9000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameFlashDevelop.exer) vs stage8.exe
Source: stage8.exe, 00000000.00000003.1309568999.0000000003B78000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs stage8.exe
Source: stage8.exe, 00000000.00000003.1310600950.0000000003A00000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameKernelbase.dllj% vs stage8.exe
Source: stage8.exe	Binary or memory string: OriginalFilenameFlashDevelop.exer) vs stage8.exe

Source: stage8.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal96.troj.evad.winEXE@3/0@0/1

Source: C:\Windows\SysWOW64\svchost.exe

Mutant created: \Sessions\1\BaseNamedObjects\MSCTF.Asm.{00000009-8e4ab051-1d9a-4a3ad6-159e9553cac9}

Source: stage8.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\svchost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\svchost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\stage8.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: stage8.exe	Virustotal: Detection: 61%
Source: stage8.exe	ReversingLabs: Detection: 75%

Source: unknown	Process created: C:\Users\user\Desktop\stage8.exe "C:\Users\user\Desktop\stage8.exe"
Source: C:\Users\user\Desktop\stage8.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Windows\System32\svchost.exe"
Source: C:\Users\user\Desktop\stage8.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Windows\System32\svchost.exe"	Jump to behavior

Source: C:\Users\user\Desktop\stage8.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\stage8.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: mswsock.dll	Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: stage8.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: stage8.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: stage8.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: stage8.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: stage8.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: stage8.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: stage8.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: stage8.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wkernel32.pdb source: stage8.exe, stage8.exe, 00000000.00000003.1310339270.00000000031F0000.00000004.00000001.00020000.00000000.sdmp, stage8.exe, 00000000.00000003.1310405039.0000000003A80000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1313691865.0000000005370000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1313757490.0000000005490000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wkernelbase.pdb source: stage8.exe, 00000000.00000003.1310600950.0000000003A00000.00000004.00000001.00020000.00000000.sdmp, stage8.exe, 00000000.00000003.1310760331.0000000003C20000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1313900133.0000000005370000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1314053472.0000000005590000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdb source: stage8.exe, 00000000.00000003.1309748629.0000000003BF0000.00000004.00000001.00020000.00000000.sdmp, stage8.exe, 00000000.00000003.1309568999.0000000003A00000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1312131908.0000000005370000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1312328420.0000000005560000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: stage8.exe, 00000000.00000003.1310001103.0000000003A00000.00000004.00000001.00020000.00000000.sdmp, stage8.exe, 00000000.00000003.1310153671.0000000003BA0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1313374936.0000000005370000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1313528414.0000000005510000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: stage8.exe, 00000000.00000003.1309748629.0000000003BF0000.00000004.00000001.00020000.00000000.sdmp, stage8.exe, 00000000.00000003.1309568999.0000000003A00000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1312131908.0000000005370000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1312328420.0000000005560000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: stage8.exe, 00000000.00000003.1310001103.0000000003A00000.00000004.00000001.00020000.00000000.sdmp, stage8.exe, 00000000.00000003.1310153671.0000000003BA0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1313374936.0000000005370000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1313528414.0000000005510000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wkernel32.pdbUGP source: stage8.exe, 00000000.00000003.1310339270.00000000031F0000.00000004.00000001.00020000.00000000.sdmp, stage8.exe, 00000000.00000003.1310405039.0000000003A80000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1313691865.0000000005370000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1313757490.0000000005490000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wkernelbase.pdbUGP source: stage8.exe, 00000000.00000003.1310600950.0000000003A00000.00000004.00000001.00020000.00000000.sdmp, stage8.exe, 00000000.00000003.1310760331.0000000003C20000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1313900133.0000000005370000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1314053472.0000000005590000.00000004.00000001.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\stage8.exe	Code function: 0_3_02FA10F9 push FFFFFF82h; iretd	0_3_02FA10FB
Source: C:\Users\user\Desktop\stage8.exe	Code function: 0_3_02FA44F9 push edx; retf	0_3_02FA44FC
Source: C:\Users\user\Desktop\stage8.exe	Code function: 0_3_02FA28EC push edi; ret	0_3_02FA28F8
Source: C:\Users\user\Desktop\stage8.exe	Code function: 0_3_02FA525D push es; ret	0_3_02FA5264
Source: C:\Users\user\Desktop\stage8.exe	Code function: 0_3_02FA2C39 push ecx; ret	0_3_02FA2C59
Source: C:\Users\user\Desktop\stage8.exe	Code function: 0_3_02FA21DC push eax; ret	0_3_02FA21DD
Source: C:\Users\user\Desktop\stage8.exe	Code function: 0_3_02FA3FD4 push ss; retf	0_3_02FA3FF5
Source: C:\Users\user\Desktop\stage8.exe	Code function: 0_3_02FA3F89 push edi; iretd	0_3_02FA3F96
Source: C:\Users\user\Desktop\stage8.exe	Code function: 0_3_02FA0F6A push eax; ret	0_3_02FA0F75
Source: C:\Users\user\Desktop\stage8.exe	Code function: 0_3_02FA4D5E push esi; ret	0_3_02FA4D69
Source: C:\Users\user\Desktop\stage8.exe	Code function: 0_2_000C19B4 push ecx; ret	0_2_000C19C7
Source: C:\Users\user\Desktop\stage8.exe	Code function: 0_2_02FA10F9 push FFFFFF82h; iretd	0_2_02FA10FB
Source: C:\Users\user\Desktop\stage8.exe	Code function: 0_2_02FA44F9 push edx; retf	0_2_02FA44FC
Source: C:\Users\user\Desktop\stage8.exe	Code function: 0_2_02FA28EC push edi; ret	0_2_02FA28F8
Source: C:\Users\user\Desktop\stage8.exe	Code function: 0_2_02FA525D push es; ret	0_2_02FA5264
Source: C:\Users\user\Desktop\stage8.exe	Code function: 0_2_02FA2C39 push ecx; ret	0_2_02FA2C59
Source: C:\Users\user\Desktop\stage8.exe	Code function: 0_2_02FA21DC push eax; ret	0_2_02FA21DD
Source: C:\Users\user\Desktop\stage8.exe	Code function: 0_2_02FA3FD4 push ss; retf	0_2_02FA3FF5
Source: C:\Users\user\Desktop\stage8.exe	Code function: 0_2_02FA3F89 push edi; iretd	0_2_02FA3F96
Source: C:\Users\user\Desktop\stage8.exe	Code function: 0_2_02FA0F6A push eax; ret	0_2_02FA0F75
Source: C:\Users\user\Desktop\stage8.exe	Code function: 0_2_02FA4D5E push esi; ret	0_2_02FA4D69
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_3_02E052DD push es; ret	1_3_02E052E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_3_02E02CB9 push ecx; ret	1_3_02E02CD9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_3_02E04054 push ss; retf	1_3_02E04075
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_3_02E0225C push eax; ret	1_3_02E0225D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_3_02E04009 push edi; iretd	1_3_02E04016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_3_02E00FEA push eax; ret	1_3_02E00FF5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_3_02E04DDE push esi; ret	1_3_02E04DE9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_3_02E0296C push edi; ret	1_3_02E02978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_3_02E01179 push FFFFFF82h; iretd	1_3_02E0117B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_3_02E04579 push edx; retf	1_3_02E0457C

Source: C:\Users\user\Desktop\stage8.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\stage8.exe	API/Special instruction interceptor: Address: 7FF84F7AD044
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FF84F7AD044
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 583B83A

Source: C:\Windows\SysWOW64\svchost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\svchost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\stage8.exe

Code function: 0_2_000B9608 FindFirstFileExW,

0_2_000B9608

Source: svchost.exe, 00000001.00000002.1345136171.000000000325C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWMSAFD RfComm [Bluetooth]RSVP UDPv6 Service Provider
Source: svchost.exe, 00000001.00000003.1314053472.0000000005590000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: DisableGuestVmNetworkConnectivity
Source: svchost.exe, 00000001.00000002.1345073168.0000000003200000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000001.00000002.1345099064.0000000003212000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW(
Source: svchost.exe, 00000001.00000003.1314053472.0000000005590000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: EnableGuestVmNetworkConnectivity

Source: C:\Users\user\Desktop\stage8.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\stage8.exe

Code function: 0_2_000A7D4D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_000A7D4D

Source: C:\Users\user\Desktop\stage8.exe	Code function: 0_3_02FA0277 mov eax, dword ptr fs:[00000030h]	0_3_02FA0277
Source: C:\Users\user\Desktop\stage8.exe	Code function: 0_2_02FA0277 mov eax, dword ptr fs:[00000030h]	0_2_02FA0277
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_3_02E00283 mov eax, dword ptr fs:[00000030h]	1_3_02E00283

Source: C:\Users\user\Desktop\stage8.exe	Code function: 0_2_000A800F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_000A800F
Source: C:\Users\user\Desktop\stage8.exe	Code function: 0_2_000A7D4D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_000A7D4D
Source: C:\Users\user\Desktop\stage8.exe	Code function: 0_2_000B4B0C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_000B4B0C

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\svchost.exe

Network Connect: 176.65.141.165 8587

Jump to behavior

Source: C:\Users\user\Desktop\stage8.exe

Process created: C:\Windows\SysWOW64\svchost.exe "C:\Windows\System32\svchost.exe"

Jump to behavior

Source: C:\Users\user\Desktop\stage8.exe

Code function: 0_2_000A781B cpuid

0_2_000A781B

Source: C:\Windows\SysWOW64\svchost.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\stage8.exe

Code function: 0_2_000A7C40 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_000A7C40

Source: C:\Windows\SysWOW64\svchost.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected RHADAMANTHYS Stealer

Source: Yara match	File source: 00000000.00000003.1308292058.0000000002FE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1311272239.0000000003440000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1345340958.0000000003450000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1311207212.00000000032C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected RHADAMANTHYS Stealer

Source: Yara match	File source: 00000000.00000003.1308292058.0000000002FE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1311272239.0000000003440000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1345340958.0000000003450000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1311207212.00000000032C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	1 DLL Side-Loading	111 Process Injection	1 Virtualization/Sandbox Evasion	21 Input Capture	1 System Time Discovery	Remote Services	21 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	111 Process Injection	LSASS Memory	121 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	124 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
stage8.exe	62%	Virustotal		Browse
stage8.exe	75%	ReversingLabs	Win32.Trojan.Rhadamanthys
stage8.exe	100%	Avira	TR/Kryptik.cebdl

Source	Detection	Scanner	Label	Link
https://176.65.141.165:8587/0721217eab03d184996db/gv0sp5bb.llwhs	0%	Avira URL Cloud	safe
https://176.65.141.165:8587/0721217eab03d184996db/gv0sp5bb.llwhsx	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
https://176.65.141.165:8587/0721217eab03d184996db/gv0sp5bb.llwhs	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://cloudflare-dns.com/dns-query	svchost.exe, 00000001.00000003.1330356301.00000000033A0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cloudflare-dns.com/dns-queryPOSTContent-TypeContent-LengthHostapplication/dns-message%dMachi	svchost.exe, 00000001.00000003.1330356301.00000000033A0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://176.65.141.165:8587/0721217eab03d184996db/gv0sp5bb.llwhsx	svchost.exe, 00000001.00000002.1344833223.0000000002BCC000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
176.65.141.165	unknown	Germany		8649	WEBTRAFFICDE	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1670280
Start date and time:	2025-04-21 14:11:13 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 41s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	stage8.exe
Detection:	MAL
Classification:	mal96.troj.evad.winEXE@3/0@0/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Excluded IPs from analysis (whitelisted): 184.29.183.29
Excluded domains from analysis (whitelisted): fs.microsoft.com, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e16604.dscf.akamaiedge.net, c.pki.goog
Execution Graph export aborted for target svchost.exe, PID 6168 because there are no executed function
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
176.65.141.165	EaTo0d6YUT.exe	Get hash	malicious	RHADAMANTHYS	Browse
176.65.141.165	5IY8PW2nOl.exe	Get hash	malicious	RHADAMANTHYS	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
WEBTRAFFICDE	vision.mpsl.elf	Get hash	malicious	Mirai	Browse	176.65.142.252
	vision.spc.elf	Get hash	malicious	Mirai	Browse	176.65.142.252
	vision.x86.elf	Get hash	malicious	Mirai	Browse	176.65.142.252
	vision.i686.elf	Get hash	malicious	Mirai	Browse	176.65.142.252
	vision.arm7.elf	Get hash	malicious	Mirai	Browse	176.65.142.252
	vision.mips.elf	Get hash	malicious	Mirai	Browse	176.65.142.252
	vision.m68k.elf	Get hash	malicious	Mirai	Browse	176.65.142.252
	vision.mips.elf	Get hash	malicious	Mirai	Browse	176.65.142.252
	vision.x86.elf	Get hash	malicious	Mirai	Browse	176.65.142.252
	vision.x86_64.elf	Get hash	malicious	Mirai	Browse	176.65.142.252

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.497559924011153
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	stage8.exe
File size:	506'368 bytes
MD5:	e916d03ec05b21489f33971f53e00e58
SHA1:	7827a6286eea0d8d13d19248522b05f290a7417c
SHA256:	a94c0b0f208c5dd4fbd059513b9888c9b9aa5672e8d582a8c383c40d5584c30c
SHA512:	175eb0b49b308091c629fd632abedc2e73d980b43d8806559f301099fcd2806b9d36502d484033723023dc707de905ee5eab3a439b1507a9e29f05e8bcd9eb16
SSDEEP:	12288:Q5p1UZ32H10rH5ZVZEsh8ZskmY5a4JNXuOwhDa/K:Q5pOZGHOrH5RLG64JNXQ14
TLSH:	5AB4CE0E69BA4D37C1BD1ABB05A59381410FB0905082087FF3DDC96BDE166A38BE575F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s...............j.......j..}....j.......m.......m.......m.......j..........k...........................................Rich...

File Icon


Icon Hash:	112f33534d71334d

Static PE Info

General

Entrypoint:	0x457811
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x645F7B5F [Sat May 13 11:58:23 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	81dd082c3ea735ad5ba4cf627001ae92

Entrypoint Preview

Instruction
call 00007F1CF0AF152Ch
jmp 00007F1CF0AF0F2Fh
push ebp
mov ebp, esp
and dword ptr [00477C60h], 00000000h
sub esp, 24h
or dword ptr [00477360h], 01h
push 0000000Ah
call dword ptr [004790C8h]
test eax, eax
je 00007F1CF0AF1262h
and dword ptr [ebp-10h], 00000000h
xor eax, eax
push ebx
push esi
push edi
xor ecx, ecx
lea edi, dword ptr [ebp-24h]
push ebx
cpuid
mov esi, ebx
pop ebx
nop
mov dword ptr [edi], eax
mov dword ptr [edi+04h], esi
mov dword ptr [edi+08h], ecx
xor ecx, ecx
mov dword ptr [edi+0Ch], edx
mov eax, dword ptr [ebp-24h]
mov edi, dword ptr [ebp-20h]
mov dword ptr [ebp-0Ch], eax
xor edi, 756E6547h
mov eax, dword ptr [ebp-18h]
xor eax, 49656E69h
mov dword ptr [ebp-04h], eax
mov eax, dword ptr [ebp-1Ch]
xor eax, 6C65746Eh
mov dword ptr [ebp-08h], eax
xor eax, eax
inc eax
push ebx
cpuid
mov esi, ebx
pop ebx
nop
lea ebx, dword ptr [ebp-24h]
mov dword ptr [ebx], eax
mov eax, dword ptr [ebp-04h]
or eax, dword ptr [ebp-08h]
or eax, edi
mov dword ptr [ebx+04h], esi
mov dword ptr [ebx+08h], ecx
mov dword ptr [ebx+0Ch], edx
jne 00007F1CF0AF10F5h
mov eax, dword ptr [ebp-24h]
and eax, 0FFF3FF0h
cmp eax, 000106C0h
je 00007F1CF0AF10D5h
cmp eax, 00020660h
je 00007F1CF0AF10CEh
cmp eax, 00020670h
je 00007F1CF0AF10C7h
cmp eax, 00030650h
je 00007F1CF0AF10C0h
cmp eax, 00030660h
je 00007F1CF0AF10B9h
cmp eax, 00030670h

Rich Headers

Programming Language:

[ C ] VS2005 build 50727

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7920c	0xa0	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x7a000	0x630	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x7b000	0x3824	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x51eb0	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x51df0	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x79000	0x204	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x7175c	0x71800	8890cc7746c65ef10111b88b1f3b0b6c	False	0.655402498623348	Matlab v4 mat-file (little endian) {vE, numeric, rows 4552323, columns 0	6.441911477658899	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x73000	0x56b4	0x4e00	881a41b8bec7b179e8e8c0d9b4835323	False	0.38301282051282054	data	5.3952669676368945	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x79000	0xd1e	0xe00	ebd0d8a39984b7b23266d7f02a4b3ee3	False	0.431640625	data	5.320456506175072	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x7a000	0x630	0x800	e14d547d6d2c5b8955aeef1a6257bb29	False	0.30712890625	data	2.7678955058793546	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x7b000	0x3824	0x3a00	c4e7231fe84b68433ce64f8154a96090	False	0.39015355603448276	data	6.2601243910905335	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x7a0f0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	United States	0.4222972972972973
RT_GROUP_ICON	0x7a218	0x14	data	English	United States	1.15
RT_VERSION	0x7a230	0x3fc	data	English	United States	0.403921568627451

Imports

DLL	Import
KERNEL32.dll	SetEndOfFile, HeapSize, CreateFileW, DecodePointer, SetFilePointerEx, GetFileSizeEx, GetConsoleOutputCP, FlushFileBuffers, GetProcessHeap, GetStringTypeW, SetStdHandle, FreeEnvironmentStringsW, GetEnvironmentStringsW, WideCharToMultiByte, MultiByteToWideChar, GetCommandLineW, GetCommandLineA, GetCPInfo, GetOEMCP, GetACP, MapViewOfFile, FindNextFileW, FindFirstFileExW, FindClose, ReadConsoleW, GetConsoleMode, ReadFile, HeapReAlloc, GetFileType, LCMapStringW, HeapAlloc, HeapFree, GetModuleHandleExW, ExitProcess, GetModuleFileNameW, CreateFileMappingW, CreateEventW, WaitForSingleObject, IsValidCodePage, CloseHandle, WriteFile, GetStdHandle, RaiseException, EncodePointer, LoadLibraryExW, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, GetModuleHandleW, GetCurrentProcess, TerminateProcess, RtlUnwind, GetLastError, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, WriteConsoleW
USER32.dll	GetWindowLongA, GetWindowTextLengthW, GetWindowTextW, EnableWindow, InvalidateRect, DialogBoxParamW, GetWindowTextLengthA, CheckDlgButton, KillTimer, GetDlgItem, MapDialogRect, CharUpperA, LoadIconA, SetCursor, CharUpperW, SetDlgItemTextA, IsDlgButtonChecked, MoveWindow, IsWindowEnabled, SetWindowTextA, SendMessageA, GetWindowTextA, SetWindowLongA, SetTimer, ShowWindow, LoadStringW, DialogBoxParamA, SetWindowTextW, EndDialog, SendMessageW, ScreenToClient, PostMessageA, CharPrevA, LoadStringA, MessageBoxW, LoadCursorA, GetWindowRect
ole32.dll	CoUninitialize, CoInitialize
OLEAUT32.dll	SysStringByteLen, SysAllocString, VariantCopy, VariantClear
COMCTL32.dll
COMDLG32.dll	GetOpenFileNameW, GetOpenFileNameA
SHELL32.dll	SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHGetMalloc

Version Infos

Description	Data
Comments	FlashDevelop is an open source script editor.
CompanyName	FlashDevelop.org
FileDescription	FlashDevelop
FileVersion	5.0.0.0
InternalName	FlashDevelop.exe
LegalCopyright	FlashDevelop.org 2005-2018
LegalTrademarks
OriginalFilename	FlashDevelop.exe
ProductName	FlashDevelop 5.6.3.2 (master#4366fc7add)
ProductVersion	5.0.0.0
Assembly Version	5.0.0.0
Translation	0x0000 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Download Network PCAP: filtered – full

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-04-21T14:12:11.777760+0200	2854802	ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert	1	176.65.141.165	8587	192.168.2.5	49692	TCP

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 21, 2025 14:12:10.815973043 CEST	49692	8587	192.168.2.5	176.65.141.165
Apr 21, 2025 14:12:11.130130053 CEST	8587	49692	176.65.141.165	192.168.2.5
Apr 21, 2025 14:12:11.130234957 CEST	49692	8587	192.168.2.5	176.65.141.165
Apr 21, 2025 14:12:11.130448103 CEST	49692	8587	192.168.2.5	176.65.141.165
Apr 21, 2025 14:12:11.444190025 CEST	8587	49692	176.65.141.165	192.168.2.5
Apr 21, 2025 14:12:11.444560051 CEST	8587	49692	176.65.141.165	192.168.2.5
Apr 21, 2025 14:12:11.458224058 CEST	49692	8587	192.168.2.5	176.65.141.165
Apr 21, 2025 14:12:11.777760029 CEST	8587	49692	176.65.141.165	192.168.2.5
Apr 21, 2025 14:12:11.796502113 CEST	49692	8587	192.168.2.5	176.65.141.165
Apr 21, 2025 14:12:12.110904932 CEST	8587	49692	176.65.141.165	192.168.2.5
Apr 21, 2025 14:12:12.110930920 CEST	8587	49692	176.65.141.165	192.168.2.5
Apr 21, 2025 14:12:12.111028910 CEST	49692	8587	192.168.2.5	176.65.141.165
Apr 21, 2025 14:12:12.113136053 CEST	49692	8587	192.168.2.5	176.65.141.165
Apr 21, 2025 14:12:12.113207102 CEST	49692	8587	192.168.2.5	176.65.141.165
Apr 21, 2025 14:12:12.426755905 CEST	8587	49692	176.65.141.165	192.168.2.5
Apr 21, 2025 14:12:12.426776886 CEST	8587	49692	176.65.141.165	192.168.2.5

Statistics

Click to jump to process

Memory Usage

• stage8.exe
• svchost.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry
• Network

Click to dive into process behavior distribution

Behavior

• stage8.exe
• svchost.exe

Click to jump to process

Target ID:	0
Start time:	08:12:06
Start date:	21/04/2025
Path:	C:\Users\user\Desktop\stage8.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\stage8.exe"
Imagebase:	0x50000
File size:	506'368 bytes
MD5 hash:	E916D03EC05B21489F33971F53E00E58
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000000.00000003.1308292058.0000000002FE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000003.1310760331.0000000003C20000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000003.1310600950.0000000003A00000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000000.00000003.1311207212.00000000032C0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	08:12:08
Start date:	21/04/2025
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\svchost.exe"
Imagebase:	0x500000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000001.00000003.1311272239.0000000003440000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000001.00000003.1313900133.0000000005370000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000001.00000003.1314053472.0000000005590000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000001.00000002.1345340958.0000000003450000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	2.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0.7%
Total number of Nodes:	1172
Total number of Limit Nodes:	21

Executed Functions

Function 000BF8C9 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 273
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000BF582: CreateFileW.KERNELBASE(?,00000000,?,000BF972,?,?,00000000,?,000BF972,?,0000000C), ref: 000BF59F

GetLastError.KERNEL32 ref: 000BF9DD
__dosmaperr.LIBCMT ref: 000BF9E4
GetFileType.KERNEL32(00000000), ref: 000BF9F0
GetLastError.KERNEL32 ref: 000BF9FA
__dosmaperr.LIBCMT ref: 000BFA03
CloseHandle.KERNEL32(00000000), ref: 000BFA23
CloseHandle.KERNEL32(000B80CC), ref: 000BFB70
GetLastError.KERNEL32 ref: 000BFBA2
__dosmaperr.LIBCMT ref: 000BFBA9

Strings

H, xrefs: 000BFB2E

Memory Dump Source

Source File: 00000000.00000002.1311532389.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000000.00000002.1311520301.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311567069.00000000000C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311580321.00000000000C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311592351.00000000000C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50000_stage8.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 50c2d93fc82efb40f53ba40dad97311f3c6494624faa970f2233c09c5c53aaaa
Instruction ID: 412134b07ef56aae0dd899add83ec99e76cd178a6e507377f1a10d5d062b9bb5
Opcode Fuzzy Hash: 50c2d93fc82efb40f53ba40dad97311f3c6494624faa970f2233c09c5c53aaaa
Instruction Fuzzy Hash: D4A13532A141169FDF19AF68DC56BFD3BE1EB06320F180169F815DB392CB359912CB51

Function 000B4D9A Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,000B4EA9,00040000,000A4F32,00000000,?,00000000,?,000B5022,00000022,FlsSetValue,0009A930,0009A938,?), ref: 000B4E5B

Strings

ext-ms-, xrefs: 000B4E05
api-ms-, xrefs: 000B4DF1

Memory Dump Source

Source File: 00000000.00000002.1311532389.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000000.00000002.1311520301.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311567069.00000000000C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311580321.00000000000C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311592351.00000000000C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50000_stage8.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 5cd93fddb4c605315bb63a2387b360861bb9b3b4eea01d6ea57b1af5326c244d
Instruction ID: e8f8ae4b8235102dc67ee9c53720120737601075dd03c24d09b66f88b4f6ff3f
Opcode Fuzzy Hash: 5cd93fddb4c605315bb63a2387b360861bb9b3b4eea01d6ea57b1af5326c244d
Instruction Fuzzy Hash: 9D21D532A00211ABDB329B64DC45ADF77A8FB45760F250220EE25AB2D2DB74EF01C6D1

Function 02FA02CC Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 129
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00000000,?,?), ref: 02FA0314

Part of subcall function 02FA0098: VirtualAlloc.KERNELBASE(00000000,00001012,00001000,00000004), ref: 02FA00C1
Part of subcall function 02FA0098: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 02FA026D

VirtualAlloc.KERNELBASE(00000000,00400000,00001000,00000004), ref: 02FA0366
VirtualProtect.KERNELBASE(0000002C,?,00000040,0000002C), ref: 02FA03C0
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 02FA03F3

Strings

,, xrefs: 02FA0344

Memory Dump Source

Source File: 00000000.00000002.1311806465.0000000002FA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fa0000_stage8.jbxd

Similarity

API ID: Virtual$Alloc$Free$Protect
String ID: ,
API String ID: 1004437363-3772416878
Opcode ID: 846e80d9192284de11e110977aaee4205ca63ec1a267e246cbf1a7208dcc7df3
Instruction ID: 4ffd68eae643f0d3a6d932864840a9ceba469956f79ce6c9e4948170690b9773
Opcode Fuzzy Hash: 846e80d9192284de11e110977aaee4205ca63ec1a267e246cbf1a7208dcc7df3
Instruction Fuzzy Hash: 0551F8B5900709AFCB10DFA9DC91B9EBBF8FF08744F10851AEA59A7240D770E950CBA4

Function 000B3395 Relevance: 4.5, APIs: 3, Instructions: 15
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(000B349F,?,000B338F,00000000,?,?,000B349F,E9EEB6EE,?,000B349F), ref: 000B33A6
TerminateProcess.KERNEL32(00000000,?,000B338F,00000000,?,?,000B349F,E9EEB6EE,?,000B349F), ref: 000B33AD
ExitProcess.KERNEL32 ref: 000B33BF

Memory Dump Source

Source File: 00000000.00000002.1311532389.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000000.00000002.1311520301.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311567069.00000000000C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311580321.00000000000C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311592351.00000000000C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50000_stage8.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 5c4da154ade43e2967347fabc6b8b44d7d42da297e88237a4ed07456d8587de2
Instruction ID: facf11a7708db94f00d97e61f1a0b3c89e1b91f37ef21d65e5340944bac8c1ae
Opcode Fuzzy Hash: 5c4da154ade43e2967347fabc6b8b44d7d42da297e88237a4ed07456d8587de2
Instruction Fuzzy Hash: 77D09231400208BFDF112FA0ED4DCCA3FAAEF40751B655060BD0A5A132EF7A9B969A90

Function 000B49FE Relevance: 3.0, APIs: 2, Instructions: 22
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000000,00000000,?,000BAE52,?,00000000,?,?,000BAE77,?,00000007,?,?,000BB257,?,?), ref: 000B4A14
GetLastError.KERNEL32(?,?,000BAE52,?,00000000,?,?,000BAE77,?,00000007,?,?,000BB257,?,?), ref: 000B4A1F

Memory Dump Source

Source File: 00000000.00000002.1311532389.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000000.00000002.1311520301.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311567069.00000000000C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311580321.00000000000C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311592351.00000000000C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50000_stage8.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 1a48e3fecdd0ba49e59798e583107bcab612d224c44da4985bc02265fe50c1ca
Instruction ID: 64a75617e795570b24ef27c22411ba4076e48d11a52748922f8af7e9c6547f88
Opcode Fuzzy Hash: 1a48e3fecdd0ba49e59798e583107bcab612d224c44da4985bc02265fe50c1ca
Instruction Fuzzy Hash: 1AE01232550614AFDB317FA4EC0DFD93BA8AB54791F154024F6089B063EA798E90C799

Function 02FA0098 Relevance: 2.7, APIs: 2, Instructions: 163
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,00001012,00001000,00000004), ref: 02FA00C1
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 02FA026D

Memory Dump Source

Source File: 00000000.00000002.1311806465.0000000002FA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fa0000_stage8.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 7dc8e79fde86babc96161718fc4e5f80a5398d7d893a888eaa0e52eee754c683
Instruction ID: 662973e84ebe0100e3cc2fb6deaa8142213ecb0d0d26dbd772c026f462043b0e
Opcode Fuzzy Hash: 7dc8e79fde86babc96161718fc4e5f80a5398d7d893a888eaa0e52eee754c683
Instruction Fuzzy Hash: 4A719AB2E04249DFDB41CF98D991BEEBBF0AB09354F144099E565FB241C734AA81CF64

Function 000B4E65 Relevance: 1.6, APIs: 1, Instructions: 56
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1311532389.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000000.00000002.1311520301.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311567069.00000000000C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311580321.00000000000C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311592351.00000000000C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50000_stage8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c954b73ec080e42d685f36f1e0da305e2e0819c6e9ccf76290e11f90621ab63
Instruction ID: 3ed1915a350cc7de4e3c92f204d9ee1eedba6d2a13bf250bca8e1ad654fdb3c1
Opcode Fuzzy Hash: 6c954b73ec080e42d685f36f1e0da305e2e0819c6e9ccf76290e11f90621ab63
Instruction Fuzzy Hash: D801F5336046219BAB56CFB8ED44D9B33A6FB803207244224F924CB196DB31DA009B40

Function 000B808D Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__wsopen_s.LIBCMT ref: 000B80C7

Memory Dump Source

Source File: 00000000.00000002.1311532389.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000000.00000002.1311520301.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311567069.00000000000C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311580321.00000000000C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311592351.00000000000C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50000_stage8.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 37d1d2ba8505d4aea03b006c0901bf3468b497c5d365bdf640bc5a5a5d564283
Instruction ID: 5cce09b8865c5a27dba9d23222600ab8cfe7eb2418ea7ed35f3ce0b97e8bab69
Opcode Fuzzy Hash: 37d1d2ba8505d4aea03b006c0901bf3468b497c5d365bdf640bc5a5a5d564283
Instruction Fuzzy Hash: F2111871A0410AAFCB05DF58E9419DB7BF9EF48304F154469F809AB252DA70D915CBA4

Function 000BF582 Relevance: 1.5, APIs: 1, Instructions: 15
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,00000000,?,000BF972,?,?,00000000,?,000BF972,?,0000000C), ref: 000BF59F

Memory Dump Source

Source File: 00000000.00000002.1311532389.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000000.00000002.1311520301.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311567069.00000000000C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311580321.00000000000C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311592351.00000000000C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50000_stage8.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2aa3510b86faac04c2745576593c9d93ab90fa37a0d7debab322ef22179ee73c
Instruction ID: 986580297133755898abd42661179b1031cf9f05ab987e4f35c8e10e933136ee
Opcode Fuzzy Hash: 2aa3510b86faac04c2745576593c9d93ab90fa37a0d7debab322ef22179ee73c
Instruction Fuzzy Hash: C6D06C3200010DFFDF128F84DC06EDA3BAAFB48714F118000BA1866020C736E822AB90

Function 000A4ED5 Relevance: 1.3, APIs: 1, Instructions: 86
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualFree.KERNELBASE(00000002,00000000,00008000), ref: 000A4FA6

Memory Dump Source

Source File: 00000000.00000002.1311532389.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000000.00000002.1311520301.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311567069.00000000000C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311580321.00000000000C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311592351.00000000000C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50000_stage8.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: b580517a25ac16be83bd52de1e205cc3d0df6ed0619cc5c447f0ea151f19649d
Instruction ID: 74e4488fc9cdb3b0aa37d64dc1b58cb6cd1eeeae8877d767a2aed5e6e47abcde
Opcode Fuzzy Hash: b580517a25ac16be83bd52de1e205cc3d0df6ed0619cc5c447f0ea151f19649d
Instruction Fuzzy Hash: B93167B5D04209AFCB10DFE9D88099EBBF8AF4A344B14843EE418E7250D7B5A901CFA4

Non-executed Functions

Function 000BCC25 Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1473COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 000BCE3C

Strings

1#SNAN, xrefs: 000BCD31
1#QNAN, xrefs: 000BCD38
1#IND, xrefs: 000BCD2A
1#INF, xrefs: 000BCD5B

Memory Dump Source

Source File: 00000000.00000002.1311532389.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000000.00000002.1311520301.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311567069.00000000000C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311580321.00000000000C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311592351.00000000000C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50000_stage8.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: c0fe5b183ac4c128f48a46e816b2e539b99df219adab435ed351d18971210feb
Instruction ID: 5e74296134ebabd1f4ca11502b447fc3bc0dd63ac77cb64e2ff663f842591be7
Opcode Fuzzy Hash: c0fe5b183ac4c128f48a46e816b2e539b99df219adab435ed351d18971210feb
Instruction Fuzzy Hash: 7ED22672E082298FDB65CE28CD44BEAB7F5EB54305F1441EAD40DE7241EB78AE858F41

Function 000B1170 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1311532389.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000000.00000002.1311520301.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311567069.00000000000C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311580321.00000000000C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311592351.00000000000C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50000_stage8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e71068fb57ff62de24f65cf011edb0aee634d88bba4eb73c5e40f2db94b8828f
Instruction ID: 7c2872611732572ee12d6c4d1b9516e281467aaa02f0db2235d5d661ee907dc8
Opcode Fuzzy Hash: e71068fb57ff62de24f65cf011edb0aee634d88bba4eb73c5e40f2db94b8828f
Instruction Fuzzy Hash: 92023B71E012199BDF14CFA9D890AEEFBF1FF48314F648269E519E7381D731AA418B90

Function 000A7D4D Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 000A7D59
IsDebuggerPresent.KERNEL32 ref: 000A7E25
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 000A7E45
UnhandledExceptionFilter.KERNEL32(?), ref: 000A7E4F

Memory Dump Source

Source File: 00000000.00000002.1311532389.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000000.00000002.1311520301.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311567069.00000000000C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311580321.00000000000C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311592351.00000000000C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50000_stage8.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: a834af5cf0f641e2a27a8b46e254972afc45c26f34c942ba6752c930ac11463c
Instruction ID: 10fff45a4a948f0c50c8aa58f56ab92eed7456b957b24d14e5110a22437e16d6
Opcode Fuzzy Hash: a834af5cf0f641e2a27a8b46e254972afc45c26f34c942ba6752c930ac11463c
Instruction Fuzzy Hash: 1431E575D0521C9FDB21DFA4DD89BCDBBB8AF08300F1081EAE44DAB250EB759A858F45

Function 000B4B0C Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 000B4C04
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 000B4C0E
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 000B4C1B

Memory Dump Source

Source File: 00000000.00000002.1311532389.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000000.00000002.1311520301.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311567069.00000000000C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311580321.00000000000C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311592351.00000000000C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50000_stage8.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: b239fd084f9367c3ce9b0d34d4c54334ab1172bee28eaa0e9922093195d5f873
Instruction ID: 145c98849377500d005f28edc22c30c8ba0c1b05cc97d2c6a34c3c6e508ccc9f
Opcode Fuzzy Hash: b239fd084f9367c3ce9b0d34d4c54334ab1172bee28eaa0e9922093195d5f873
Instruction Fuzzy Hash: E031C47490121C9BCB61DF68DD89BCDBBF8BF18310F5081EAE41CA6251EB749B858F44

Function 000B264D Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,000B2648,?,?,00000008,?,?,000C10CB,00000000), ref: 000B287A

Memory Dump Source

Source File: 00000000.00000002.1311532389.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000000.00000002.1311520301.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311567069.00000000000C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311580321.00000000000C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311592351.00000000000C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50000_stage8.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 3dcf3795ca70314472520d4d1f5fc44dca4be7a2181c4393dd760ac093dc504e
Instruction ID: 1ef429864d03f2014632e40372a498c90761b90504fafd56b2fff99f86c80e72
Opcode Fuzzy Hash: 3dcf3795ca70314472520d4d1f5fc44dca4be7a2181c4393dd760ac093dc504e
Instruction Fuzzy Hash: 44B18E35610609DFD759CF28C48ABA47BE0FF49364F258698E8D9CF2A1C735E992CB40

Function 000A781B Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 000A7831

Memory Dump Source

Source File: 00000000.00000002.1311532389.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000000.00000002.1311520301.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311567069.00000000000C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311580321.00000000000C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311592351.00000000000C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50000_stage8.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 993241cef31a32872bd9caa03c1d68c295462510942a79dba9d670c2287b5d87
Instruction ID: 3f6f998874907019f463c1d737d46116a851692cdec0bc0cfcd298bbc0cd1255
Opcode Fuzzy Hash: 993241cef31a32872bd9caa03c1d68c295462510942a79dba9d670c2287b5d87
Instruction Fuzzy Hash: CC514FB1A192099BEB14CF94DCC6BAABBF0FB45310F24856AE419EB351D7789A40CF50

Function 000B9608 Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1311532389.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000000.00000002.1311520301.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311567069.00000000000C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311580321.00000000000C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311592351.00000000000C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50000_stage8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6be594a905a5ec9edd7447673f933f2dda10e697f6f241257ab347e21ef96d3
Instruction ID: 5c96715272cf3ab56fa4e55ace13cb31e57c9b1d24f108c2cd878ff29ff88b7d
Opcode Fuzzy Hash: f6be594a905a5ec9edd7447673f933f2dda10e697f6f241257ab347e21ef96d3
Instruction Fuzzy Hash: 0341A2B5804218AFDF60DF69CC89AEABBF8AF45300F1442DDE549E3202DA359E848F10

Function 000AC3DC Relevance: 1.6, Strings: 1, Instructions: 333COMMON

Download Yara Rule

Strings

0, xrefs: 000AC54C

Memory Dump Source

Source File: 00000000.00000002.1311532389.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000000.00000002.1311520301.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311567069.00000000000C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311580321.00000000000C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311592351.00000000000C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50000_stage8.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 3edb5b302c535570f98e58ff857b98cdbeba0745673225281c49212f4a675c3e
Instruction ID: 39fe472eb32bab90f5d196894d139ee05db30c5deba4eca9659d49dce3136249
Opcode Fuzzy Hash: 3edb5b302c535570f98e58ff857b98cdbeba0745673225281c49212f4a675c3e
Instruction Fuzzy Hash: FAC1DF70904B0A8FEB64CFE8C5A4EBABBF1AF0B310F164619E45697692C730ED45CB51

Function 000AC09A Relevance: 1.6, Strings: 1, Instructions: 318COMMON

Download Yara Rule

Strings

0, xrefs: 000AC21E

Memory Dump Source

Source File: 00000000.00000002.1311532389.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000000.00000002.1311520301.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311567069.00000000000C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311580321.00000000000C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311592351.00000000000C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50000_stage8.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 4a33fa152aaf55aa256d123a6dd72f9a0946a7cf75207751b909bfc6417970d3
Instruction ID: 8edaed4f64f8a4ede9fd483b6bd9b9238fbe446bc21fe8c717d38aad33b66b5f
Opcode Fuzzy Hash: 4a33fa152aaf55aa256d123a6dd72f9a0946a7cf75207751b909bfc6417970d3
Instruction Fuzzy Hash: 31B1B071A0460A9BEF74CFE88955EBEBBE1AF07300F16461DD452E7692C7349E01CB51

Function 000B6F89 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1311532389.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000000.00000002.1311520301.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311567069.00000000000C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311580321.00000000000C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311592351.00000000000C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50000_stage8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 854863146dcb0c3d9690f7761e19453e0a08401a3051100f4c09778207f98b98
Instruction ID: c6da11f75b82dc41e41edd3e27fc04cadf3175bfdee02efa891f585132c6a3a2
Opcode Fuzzy Hash: 854863146dcb0c3d9690f7761e19453e0a08401a3051100f4c09778207f98b98
Instruction Fuzzy Hash: DB323421E69F014DE7239638C922335A289BFB73D4F15D737E81AB5EA6EF29C4834141

Function 000AF13B Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1311532389.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000000.00000002.1311520301.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311567069.00000000000C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311580321.00000000000C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311592351.00000000000C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50000_stage8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0de3f9a93f0a9b0a867eadb0d609005163c706683660e329a3a7ab77fa336e82
Instruction ID: 3b85f0a45aa4f237efb5b918dc94667f975e9da2528b8754f6a25522fb3a8350
Opcode Fuzzy Hash: 0de3f9a93f0a9b0a867eadb0d609005163c706683660e329a3a7ab77fa336e82
Instruction Fuzzy Hash: 50516C72D0021AEFDF14CFD8C840BEEBBB6EF89344F198469E915AB201D7349A40CB90

Function 02FA0277 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1308401028.0000000002FA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_2fa0000_stage8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d558d006f42668ff0cb3938fe5626bc0e09627662ae6e14989234e2d35bd114b
Instruction ID: c567a2ce348f2041f01ac85fb522ade16092f5172ee9f60223d1b5afae3a05dc
Opcode Fuzzy Hash: d558d006f42668ff0cb3938fe5626bc0e09627662ae6e14989234e2d35bd114b
Instruction Fuzzy Hash: 0DF0CDB9E01300DF8B24CF09E558EA6B7F6EB817A472545A9E104DB220D7B0ED44CBA0

Function 000A98B1 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 000A99D0
___TypeMatch.LIBVCRUNTIME ref: 000A9ADE
CatchIt.LIBVCRUNTIME ref: 000A9B2F
_UnwindNestedFrames.LIBCMT ref: 000A9C30
CallUnexpected.LIBVCRUNTIME ref: 000A9C4B

Strings

csm, xrefs: 000A9A07
csm, xrefs: 000A995B
csm, xrefs: 000A98EE

Memory Dump Source

Source File: 00000000.00000002.1311532389.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000000.00000002.1311520301.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311567069.00000000000C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311580321.00000000000C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311592351.00000000000C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50000_stage8.jbxd

Similarity

API ID: CallCatchFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 4119006552-393685449
Opcode ID: 1227aeea0ab3f533310f51b4adfa7bf64b92f0b42ccebd32547b3209d50dcdba
Instruction ID: c21aa341faa45db2881a276747b6689fe9913b5a6102bd2ce9dcdaf98580a29a
Opcode Fuzzy Hash: 1227aeea0ab3f533310f51b4adfa7bf64b92f0b42ccebd32547b3209d50dcdba
Instruction Fuzzy Hash: 72B17B71A00209EFCF19DFE8D9819EEB7B5FF16310F14815AE8056B212D731DA51CBA1

Function 000BED43 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 147COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,000C174F), ref: 000BED5C

Strings

exp, xrefs: 000BEDDB, 000BEE40
pow, xrefs: 000BEDFA, 000BEEA4, 000BEEF1
acos, xrefs: 000BEE92
sqrt, xrefs: 000BEE9B
log10, xrefs: 000BED9E, 000BEDAD
log, xrefs: 000BEDB9, 000BEDC8
asin, xrefs: 000BEE89

Memory Dump Source

Source File: 00000000.00000002.1311532389.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000000.00000002.1311520301.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311567069.00000000000C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311580321.00000000000C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311592351.00000000000C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50000_stage8.jbxd

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3064271455
Opcode ID: d1db9b8a3e2c62fd5a52ef39908d047442049611fa3782b8825df7465648ae4a
Instruction ID: 2836425a17ea7bf25e66934059798abf84a9b6115734144f0c6c68e2ed23ba01
Opcode Fuzzy Hash: d1db9b8a3e2c62fd5a52ef39908d047442049611fa3782b8825df7465648ae4a
Instruction Fuzzy Hash: 72518D70900A8ACBDF209F69E94C1FDBFB4FF49304F114059E4A1A7258CBB9CA25DB55

Function 000B8824 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 292COMMONLIBRARYCODE

Download Yara Rule

Strings

, xrefs: 000B8A9E, 000B8AA3

Memory Dump Source

Source File: 00000000.00000002.1311532389.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000000.00000002.1311520301.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311567069.00000000000C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311580321.00000000000C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311592351.00000000000C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50000_stage8.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3907804496
Opcode ID: 6a2174794a911a15f3b4b75f339feb5727dddc613f2cc31fd2099d72a439a609
Instruction ID: d4cab1a3afb4d5496acdcb7124fdca0359ed5aa72bc205cf4e502b21af6f2a3f
Opcode Fuzzy Hash: 6a2174794a911a15f3b4b75f339feb5727dddc613f2cc31fd2099d72a439a609
Instruction Fuzzy Hash: 37B1E370A04205AFEB11DFA8C885BFE7BF9FF45310F188159E505AB2A3CB719A41CB61

Function 000A89B0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 000A89E7
___except_validate_context_record.LIBVCRUNTIME ref: 000A89EF
_ValidateLocalCookies.LIBCMT ref: 000A8A78
__IsNonwritableInCurrentImage.LIBCMT ref: 000A8AA3
_ValidateLocalCookies.LIBCMT ref: 000A8AF8

Strings

csm, xrefs: 000A8A8D

Memory Dump Source

Source File: 00000000.00000002.1311532389.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000000.00000002.1311520301.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311567069.00000000000C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311580321.00000000000C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311592351.00000000000C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50000_stage8.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 4b44ba2fd38326fad22b61d1de16dd06f4c6c640b5d83953950642d3e873fe3a
Instruction ID: f028d7c8b25c960120135eb50618632c9d760ba512dd16c80a536156481afb12
Opcode Fuzzy Hash: 4b44ba2fd38326fad22b61d1de16dd06f4c6c640b5d83953950642d3e873fe3a
Instruction Fuzzy Hash: 4C418334E00208EBDF10DFA8C885A9EBBE5BF46314F14C196E8159B352DB71AA55CB92

Function 000A8F01 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,000A8EF8,000A8D2C,000A7F30), ref: 000A8F0F
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 000A8F1D
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 000A8F36
SetLastError.KERNEL32(00000000,000A8EF8,000A8D2C,000A7F30), ref: 000A8F88

Memory Dump Source

Source File: 00000000.00000002.1311532389.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000000.00000002.1311520301.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311567069.00000000000C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311580321.00000000000C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311592351.00000000000C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50000_stage8.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: c63bb683b33e4f522977b5728a01bc84b9a708222a8df8a21a8962d274f1d7fc
Instruction ID: e75ff9d1027b7cb9d0a53e6c631904922d8decee006c90ffa2531cb4ee5a3cc7
Opcode Fuzzy Hash: c63bb683b33e4f522977b5728a01bc84b9a708222a8df8a21a8962d274f1d7fc
Instruction Fuzzy Hash: 2B01883230D2136EB76427F46C899A63695DB13774724433AF924450E1EF294C50A751

Function 000B9B0C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\stage8.exe, xrefs: 000B9B28

Memory Dump Source

Source File: 00000000.00000002.1311532389.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000000.00000002.1311520301.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311567069.00000000000C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311580321.00000000000C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311592351.00000000000C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50000_stage8.jbxd

Similarity

API ID:
String ID: C:\Users\user\Desktop\stage8.exe
API String ID: 0-619928260
Opcode ID: b7a58d3d29a8f80b65070f8a37bbd54e094d088601dc10f56378a5e7652cd3d4
Instruction ID: f2246ff220c676893259d89fcd6ed4e7af974459d54a1c184fa96e45c896966b
Opcode Fuzzy Hash: b7a58d3d29a8f80b65070f8a37bbd54e094d088601dc10f56378a5e7652cd3d4
Instruction Fuzzy Hash: 5621AE31200215AFAB60AF60EE81DEA77A8EF51364B144528FB1997152D731EC40C7A0

Function 000B33DF Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,E9EEB6EE,?,?,00000000,000C2036,000000FF,?,000B33BB,000B349F,?,000B338F,00000000), ref: 000B3414
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 000B3426
FreeLibrary.KERNEL32(00000000,?,?,00000000,000C2036,000000FF,?,000B33BB,000B349F,?,000B338F,00000000), ref: 000B3448

Strings

CorExitProcess, xrefs: 000B341E
mscoree.dll, xrefs: 000B340D

Memory Dump Source

Source File: 00000000.00000002.1311532389.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000000.00000002.1311520301.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311567069.00000000000C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311580321.00000000000C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311592351.00000000000C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50000_stage8.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 6d9018ecc2453e34e82848b1fbef02905c20117dfd1dea32c64b645fe0be4061
Instruction ID: bdad4d12304b9159656cea4b53978d41794d4d951a726a26da42fb2816d8a0fa
Opcode Fuzzy Hash: 6d9018ecc2453e34e82848b1fbef02905c20117dfd1dea32c64b645fe0be4061
Instruction Fuzzy Hash: EA01D671900659AFEB129F54CD09FEEBBF8FB04B10F004129FD11A26D0DB789900CA80

Function 000A9C56 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?), ref: 000A9C7B
CatchIt.LIBVCRUNTIME ref: 000A9D61

Strings

RCC, xrefs: 000A9C95
MOC, xrefs: 000A9C8D

Memory Dump Source

Source File: 00000000.00000002.1311532389.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000000.00000002.1311520301.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311567069.00000000000C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311580321.00000000000C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311592351.00000000000C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50000_stage8.jbxd

Similarity

API ID: CatchEncodePointer
String ID: MOC$RCC
API String ID: 1435073870-2084237596
Opcode ID: 5c44e7787554372572854d10670b4695ff3a334b6dec6947a65dc3a1f268810b
Instruction ID: ccedb0b663974687ddc1bfe7936c60fcd5ed254530061098530a4748cb553f3b
Opcode Fuzzy Hash: 5c44e7787554372572854d10670b4695ff3a334b6dec6947a65dc3a1f268810b
Instruction Fuzzy Hash: 53415972A00209AFCF15DFD8CD81AEEBBB5FF49310F148159FA0867252D3359A90DB50

Function 000A9123 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,000A90D4,00000000,?,000C7FE8,?,?,?,000A9277,00000004,InitializeCriticalSectionEx,00098D28,InitializeCriticalSectionEx), ref: 000A9130
GetLastError.KERNEL32(?,000A90D4,00000000,?,000C7FE8,?,?,?,000A9277,00000004,InitializeCriticalSectionEx,00098D28,InitializeCriticalSectionEx,00000000,?,000A8FF7), ref: 000A913A
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 000A9162

Strings

api-ms-, xrefs: 000A9147

Memory Dump Source

Source File: 00000000.00000002.1311532389.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000000.00000002.1311520301.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311567069.00000000000C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311580321.00000000000C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311592351.00000000000C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50000_stage8.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: bea388b0f480f69d5fb27941915eda8a68d02e6b35f27a3e32d4964bf671d0e6
Instruction ID: 1729d664f211b3ed783436abdae11f7dc0af30496280e5957e7c4b2504f61509
Opcode Fuzzy Hash: bea388b0f480f69d5fb27941915eda8a68d02e6b35f27a3e32d4964bf671d0e6
Instruction Fuzzy Hash: 9AE04F30B80206BBFF201FA0EC0EF5A3E98BB12B51F204030FB0DE80E1DB6699519645

Function 000BBF74 Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(E9EEB6EE,00000000,00000000,00000000), ref: 000BBFD7

Part of subcall function 000BA659: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,000B426C,?,00000000,-00000008), ref: 000BA6BA

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 000BC229
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 000BC26F
GetLastError.KERNEL32 ref: 000BC312

Memory Dump Source

Source File: 00000000.00000002.1311532389.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000000.00000002.1311520301.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311567069.00000000000C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311580321.00000000000C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311592351.00000000000C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50000_stage8.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 7e9386e7b4a20314bc0d9311a3ba6ab13223d6aa868bc41d631d8a8ec28d2a73
Instruction ID: 24163c6c4f26ce0f720eb4224e4fcd13e67ccc5dd06cdd0aeaaf6c3e4b82beff
Opcode Fuzzy Hash: 7e9386e7b4a20314bc0d9311a3ba6ab13223d6aa868bc41d631d8a8ec28d2a73
Instruction Fuzzy Hash: A0D159B5E002589FDB15CFE8C8849EDBBF5FF09310F28856AE556EB352D630A942CB50

Function 000B5ACF Relevance: 6.3, APIs: 4, Instructions: 329COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 000B5B55

Memory Dump Source

Source File: 00000000.00000002.1311532389.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000000.00000002.1311520301.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311567069.00000000000C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311580321.00000000000C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311592351.00000000000C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50000_stage8.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 738b44061afdb150af66a530238a0a3dc50ea95f054dbe29677c90fb0cab2b77
Instruction ID: 4d6b41a01a915f60a8945a03e6a1a91083956ba9fba032a84971ff7c6990ed73
Opcode Fuzzy Hash: 738b44061afdb150af66a530238a0a3dc50ea95f054dbe29677c90fb0cab2b77
Instruction Fuzzy Hash: 06B13772A00B569FDB218F64CC86BEE7FE5EF55351F1442A5E904AF282D374E901CBA0

Function 000A965A Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 000A9721
___AdjustPointer.LIBCMT ref: 000A9744
___AdjustPointer.LIBCMT ref: 000A97E0

Memory Dump Source

Source File: 00000000.00000002.1311532389.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000000.00000002.1311520301.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311567069.00000000000C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311580321.00000000000C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311592351.00000000000C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50000_stage8.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: d1c589983ff96f1105da20c12d9571babaa57904a142260a1470b05ce56bcc59
Instruction ID: 8127a79df27f8c74c9436937c2e0ed456317ad6ebfca949e76255af98dad0845
Opcode Fuzzy Hash: d1c589983ff96f1105da20c12d9571babaa57904a142260a1470b05ce56bcc59
Instruction Fuzzy Hash: 1D51D376B096069FDB699FD4C941BBEB7E4EF52310F14842DE90547292EB31ED80CBA0

Function 000B93A8 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 000BA659: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,000B426C,?,00000000,-00000008), ref: 000BA6BA

GetLastError.KERNEL32 ref: 000B940C
__dosmaperr.LIBCMT ref: 000B9413
GetLastError.KERNEL32(?,?,?,?), ref: 000B944D
__dosmaperr.LIBCMT ref: 000B9454

Memory Dump Source

Source File: 00000000.00000002.1311532389.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000000.00000002.1311520301.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311567069.00000000000C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311580321.00000000000C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311592351.00000000000C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50000_stage8.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: ef30d9025404d41ba13a023696adc769c36ba05578958bffd5be0c37d754b92d
Instruction ID: ea2aa82c4926b00ed292c4d7838de17728bb51ea35c31783ed02fb98d0cf2bee
Opcode Fuzzy Hash: ef30d9025404d41ba13a023696adc769c36ba05578958bffd5be0c37d754b92d
Instruction Fuzzy Hash: 5E21CD71604615AFAB60AF65C881DEBB7ECFF123607048428FB1997282D731ED01CBA0

Function 000BA6FC Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 000BA704

Part of subcall function 000BA659: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,000B426C,?,00000000,-00000008), ref: 000BA6BA

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 000BA73C
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 000BA75C

Memory Dump Source

Source File: 00000000.00000002.1311532389.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000000.00000002.1311520301.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311567069.00000000000C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311580321.00000000000C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311592351.00000000000C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50000_stage8.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 88ed1a1eaf8994fe52bcdec661154e03cf2badfdd8feadabd159b0a19332f5a2
Instruction ID: 2390c86565f873c220e2d1b84e32070033754a82141c871080291697739a9bc1
Opcode Fuzzy Hash: 88ed1a1eaf8994fe52bcdec661154e03cf2badfdd8feadabd159b0a19332f5a2
Instruction Fuzzy Hash: 871180E2A49615BE6B2127765CCEDEF7ABCDF863A47240125F505E1102FE689E0081B2

Function 000C14A1 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,00000000,?,000C0B24,00000000,00000001,?,00000000,?,000BC366,00000000,00000000,00000000), ref: 000C14B8
GetLastError.KERNEL32(?,000C0B24,00000000,00000001,?,00000000,?,000BC366,00000000,00000000,00000000,00000000,00000000,?,000BC940,?), ref: 000C14C4

Part of subcall function 000C148A: CloseHandle.KERNEL32(FFFFFFFE,000C14D4,?,000C0B24,00000000,00000001,?,00000000,?,000BC366,00000000,00000000,00000000,00000000,00000000), ref: 000C149A

___initconout.LIBCMT ref: 000C14D4

Part of subcall function 000C144C: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,000C147B,000C0B11,00000000,?,000BC366,00000000,00000000,00000000,00000000), ref: 000C145F

WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,?,000C0B24,00000000,00000001,?,00000000,?,000BC366,00000000,00000000,00000000,00000000), ref: 000C14E9

Memory Dump Source

Source File: 00000000.00000002.1311532389.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000000.00000002.1311520301.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311567069.00000000000C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311580321.00000000000C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311592351.00000000000C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50000_stage8.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 18552a6b1a1cf10f0fca0f19e66920c59f21f855df5966d3fb1ac898e329b795
Instruction ID: 58123b85432d60b0eab646c3e3e8040b9b14c9517f2465b3781b8c7462c9bb03
Opcode Fuzzy Hash: 18552a6b1a1cf10f0fca0f19e66920c59f21f855df5966d3fb1ac898e329b795
Instruction Fuzzy Hash: 84F0983A501125FBDF262FD5DC09EDE3EA6FB0A7A1F044014FA1995232C6368860DB91

Function 000AE2C4 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 301COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 000AE453

Strings

-, xrefs: 000AE3A4
+, xrefs: 000AE3B1

Memory Dump Source

Source File: 00000000.00000002.1311532389.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000000.00000002.1311520301.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311567069.00000000000C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311580321.00000000000C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311592351.00000000000C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50000_stage8.jbxd

Similarity

API ID: __aulldiv
String ID: +$-
API String ID: 3732870572-2137968064
Opcode ID: 4b6cc491633f5dc771e1459a51ad1ce400689586a53d92eb58fc08a805a82f80
Instruction ID: dbf0285079ec03ec3e8796ce0cfb03ba6980f1b20e40662e31857a591e69dbf0
Opcode Fuzzy Hash: 4b6cc491633f5dc771e1459a51ad1ce400689586a53d92eb58fc08a805a82f80
Instruction Fuzzy Hash: 95A12530E011889FDF64DEB8C891AFE7BF5AF57324F184655E861AB282D334DE028750

Function 000B3D0F Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 291COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 000B3E86

Strings

-, xrefs: 000B3DD7
+, xrefs: 000B3DE4

Memory Dump Source

Source File: 00000000.00000002.1311532389.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000000.00000002.1311520301.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311567069.00000000000C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311580321.00000000000C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311592351.00000000000C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50000_stage8.jbxd

Similarity

API ID: __aulldiv
String ID: +$-
API String ID: 3732870572-2137968064
Opcode ID: 6e4102b8f53494b76ef696055208d3fb4b082ed7b7deaa5cabf4157225729e7b
Instruction ID: f2716d638d9fa4cccc8ed5ab0bb393d3219744ff852c904fb1348a8b5fb7f1f8
Opcode Fuzzy Hash: 6e4102b8f53494b76ef696055208d3fb4b082ed7b7deaa5cabf4157225729e7b
Instruction Fuzzy Hash: 85A1C330E41259AFDF64CE7888517FE7BF1EF56320F24856AE8B59B281D234DB068B50

Analysis Process: svchost.exePID: 6168, Parent PID: 3408COMMON

Executed Functions

Function 02E002D8 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 169memoryfileCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00000000,?,?), ref: 02E00326

Part of subcall function 02E000A4: VirtualAlloc.KERNELBASE(00000000,00001012,00001000,00000004), ref: 02E000CD
Part of subcall function 02E000A4: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 02E00279

VirtualAlloc.KERNELBASE(00000000,00400000,00001000,00000004), ref: 02E00378
VirtualProtect.KERNELBASE(0000002C,?,00000040,?), ref: 02E003E7
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 02E00407
MapViewOfFile.KERNELBASE(?,00000004,00000000,00000000,00000000), ref: 02E0042E
VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 02E00456
CloseHandle.KERNELBASE(?), ref: 02E00471

Strings

,, xrefs: 02E00356

Memory Dump Source

Source File: 00000001.00000003.1311449043.0000000002E00000.00000040.00000001.00020000.00000000.sdmp, Offset: 02E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_3_2e00000_svchost.jbxd

Similarity

API ID: Virtual$Alloc$Free$CloseFileHandleProtectView
String ID: ,
API String ID: 3867569247-3772416878
Opcode ID: 35eb397ea14406336b01ea38f36e06f8461e94550e7b98cd084062937234d485
Instruction ID: d55c90b7d355190e4a93912e38d0d4dede1c661c79b424eb93866295be835e3c
Opcode Fuzzy Hash: 35eb397ea14406336b01ea38f36e06f8461e94550e7b98cd084062937234d485
Instruction Fuzzy Hash: 74611AB1940209EFDB20DFA5C884B9EBBB9FF08354F10C41AF959A7280D730A981CB64

Function 02E000A4 Relevance: 2.7, APIs: 2, Instructions: 163memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00001012,00001000,00000004), ref: 02E000CD
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 02E00279

Memory Dump Source

Source File: 00000001.00000003.1311449043.0000000002E00000.00000040.00000001.00020000.00000000.sdmp, Offset: 02E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_3_2e00000_svchost.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 7dc8e79fde86babc96161718fc4e5f80a5398d7d893a888eaa0e52eee754c683
Instruction ID: 9ba5a324167d720ced1c353e4d161bcd7fbcdb8a512798607330f3eb70d28622
Opcode Fuzzy Hash: 7dc8e79fde86babc96161718fc4e5f80a5398d7d893a888eaa0e52eee754c683
Instruction Fuzzy Hash: FD717C71A4424ADFDB41CF98C981BEDBBF0AB09319F249095E465F7281C334AA92CF65

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report stage8.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Rhadamanthys

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Suricata IDS Alerts

Windows Analysis Report
stage8.exe