Edit tour

Windows Analysis Report
SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.19730

Overview

General Information

Sample Name:	SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.19730 (renamed file extension from 19730 to exe)
Analysis ID:	671761
MD5:	dc73208cea7efcb8980e4fe19695fb58
SHA1:	2c2dcb6cb0c160be8ed8a44258c75c72490dc800
SHA256:	3c9da266bec8653324cc74d991fe6707192843f196ba7a0007d1f2850501b24b
Tags:	exe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected AgentTesla

Snort IDS alert for network traffic

Installs a global keyboard hook

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

.NET source code references suspicious native API functions

Contains functionality to register a low level keyboard hook

Machine Learning detection for sample

Allocates memory in foreign processes

Injects a PE file into a foreign processes

.NET source code contains very large array initializations

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Tries to harvest and steal browser information (history, passwords, etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Yara detected Credential Stealer

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

PE file contains an invalid checksum

PE file contains strange resources

Detected TCP or UDP traffic on non-standard ports

Checks if the current process is being debugged

Uses SMTP (mail sending)

Creates a window with clipboard capturing capabilities

PE / OLE file has an invalid certificate

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe (PID: 6408 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe" MD5: DC73208CEA7EFCB8980E4FE19695FB58)

cvtres.exe (PID: 6452 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe MD5: C09985AE74F0882F208D75DE27770DFA)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "facturare@rematinvest.ro", "Password": "RyN!2020-", "Host": "mail.rematinvest.ro"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000001.00000000.275647254.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000000.275647254.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000001.00000000.275934725.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000000.275934725.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000001.00000000.275297805.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000000.275297805.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000001.00000002.537735702.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.537735702.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000001.00000002.539795312.0000000007103000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.539795312.0000000007103000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000000.274776016.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000000.274776016.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000001.00000002.540034037.0000000007158000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.279564854.0000000004225000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.279564854.0000000004225000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.277476753.0000000003ABF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.277476753.0000000003ABF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
Process Memory Space: SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe PID: 6408	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: cvtres.exe PID: 6452	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: cvtres.exe PID: 6452	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 15 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.0.cvtres.exe.400000.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.0.cvtres.exe.400000.3.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.0.cvtres.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.0.cvtres.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.0.cvtres.exe.400000.3.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x327b0:$s10: logins 0x32217:$s11: credential 0x2e7dc:$g1: get_Clipboard 0x2e7ea:$g2: get_Keyboard 0x2e7f7:$g3: get_Password 0x2fb06:$g4: get_CtrlKeyDown 0x2fb16:$g5: get_ShiftKeyDown 0x2fb27:$g6: get_AltKeyDown
1.2.cvtres.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.cvtres.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.0.cvtres.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x327b0:$s10: logins 0x32217:$s11: credential 0x2e7dc:$g1: get_Clipboard 0x2e7ea:$g2: get_Keyboard 0x2e7f7:$g3: get_Password 0x2fb06:$g4: get_CtrlKeyDown 0x2fb16:$g5: get_ShiftKeyDown 0x2fb27:$g6: get_AltKeyDown
1.2.cvtres.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x327b0:$s10: logins 0x32217:$s11: credential 0x2e7dc:$g1: get_Clipboard 0x2e7ea:$g2: get_Keyboard 0x2e7f7:$g3: get_Password 0x2fb06:$g4: get_CtrlKeyDown 0x2fb16:$g5: get_ShiftKeyDown 0x2fb27:$g6: get_AltKeyDown
1.0.cvtres.exe.400000.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.0.cvtres.exe.400000.4.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.0.cvtres.exe.400000.4.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x327b0:$s10: logins 0x32217:$s11: credential 0x2e7dc:$g1: get_Clipboard 0x2e7ea:$g2: get_Keyboard 0x2e7f7:$g3: get_Password 0x2fb06:$g4: get_CtrlKeyDown 0x2fb16:$g5: get_ShiftKeyDown 0x2fb27:$g6: get_AltKeyDown
0.2.SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe.42b6760.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe.42b6760.2.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe.42b6760.2.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x309b0:$s10: logins 0x30417:$s11: credential 0x2c9dc:$g1: get_Clipboard 0x2c9ea:$g2: get_Keyboard 0x2c9f7:$g3: get_Password 0x2dd06:$g4: get_CtrlKeyDown 0x2dd16:$g5: get_ShiftKeyDown 0x2dd27:$g6: get_AltKeyDown
1.0.cvtres.exe.400000.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.0.cvtres.exe.400000.2.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.0.cvtres.exe.400000.2.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x327b0:$s10: logins 0x32217:$s11: credential 0x2e7dc:$g1: get_Clipboard 0x2e7ea:$g2: get_Keyboard 0x2e7f7:$g3: get_Password 0x2fb06:$g4: get_CtrlKeyDown 0x2fb16:$g5: get_ShiftKeyDown 0x2fb27:$g6: get_AltKeyDown
1.0.cvtres.exe.400000.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.0.cvtres.exe.400000.1.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.0.cvtres.exe.400000.1.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x327b0:$s10: logins 0x32217:$s11: credential 0x2e7dc:$g1: get_Clipboard 0x2e7ea:$g2: get_Keyboard 0x2e7f7:$g3: get_Password 0x2fb06:$g4: get_CtrlKeyDown 0x2fb16:$g5: get_ShiftKeyDown 0x2fb27:$g6: get_AltKeyDown
0.2.SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe.42b6760.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe.42b6760.2.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe.42b6760.2.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x327b0:$s10: logins 0x32217:$s11: credential 0x2e7dc:$g1: get_Clipboard 0x2e7ea:$g2: get_Keyboard 0x2e7f7:$g3: get_Password 0x2fb06:$g4: get_CtrlKeyDown 0x2fb16:$g5: get_ShiftKeyDown 0x2fb27:$g6: get_AltKeyDown
Click to see the 19 entries

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

ET TROJAN AgentTesla Exfil Via SMTP - Source IP: 192.168.2.3 - Destination IP: 109.99.162.14

Timestamp:	192.168.2.3109.99.162.14497415872030171 07/22/22-15:33:30.362608
SID:	2030171
Source Port:	49741
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 - Source IP: 192.168.2.3 - Destination IP: 109.99.162.14

Timestamp:	192.168.2.3109.99.162.14497415872840032 07/22/22-15:33:30.362703
SID:	2840032
Source Port:	49741
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla Telegram Exfil - Source IP: 192.168.2.3 - Destination IP: 109.99.162.14

Timestamp:	192.168.2.3109.99.162.14497415872851779 07/22/22-15:33:30.362703
SID:	2851779
Source Port:	49741
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	Virustotal: Detection: 24%			Perma Link
Source: SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	ReversingLabs: Detection: 29%

Machine Learning detection for sample

Source: SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe

Joe Sandbox ML: detected

Source: 1.0.cvtres.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8
Source: 1.0.cvtres.exe.400000.3.unpack	Avira: Label: TR/Spy.Gen8
Source: 1.2.cvtres.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8
Source: 1.0.cvtres.exe.400000.4.unpack	Avira: Label: TR/Spy.Gen8
Source: 1.0.cvtres.exe.400000.2.unpack	Avira: Label: TR/Spy.Gen8
Source: 1.0.cvtres.exe.400000.1.unpack	Avira: Label: TR/Spy.Gen8

Source: 1.0.cvtres.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "facturare@rematinvest.ro", "Password": "RyN!2020-", "Host": "mail.rematinvest.ro"}

Source: SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: XAAWWQQRDG243.pdb source: SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe

Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	0_2_010DD08C
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	0_2_010DD0A4
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	0_2_010DD0BC

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.3:49741 -> 109.99.162.14:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.3:49741 -> 109.99.162.14:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49741 -> 109.99.162.14:587

Source: Joe Sandbox View

ASN Name: RTDBucharestRomaniaRO RTDBucharestRomaniaRO

Source: global traffic

TCP traffic: 192.168.2.3:49741 -> 109.99.162.14:587

Source: global traffic

TCP traffic: 192.168.2.3:49741 -> 109.99.162.14:587

Source: cvtres.exe, 00000001.00000002.539795312.0000000007103000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: cvtres.exe, 00000001.00000002.539795312.0000000007103000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://CsSUlW.com
Source: cvtres.exe, 00000001.00000002.539795312.0000000007103000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: cvtres.exe, 00000001.00000002.540696407.00000000071E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.rematinvest.ro
Source: SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	String found in binary or memory: http://ocsp.digicert.com0O
Source: SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: cvtres.exe, 00000001.00000002.540696407.00000000071E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://rematinvest.ro
Source: SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: cvtres.exe, 00000001.00000002.539795312.0000000007103000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org%
Source: cvtres.exe, 00000001.00000002.539795312.0000000007103000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org%%startupfolder%
Source: SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	String found in binary or memory: https://www.digicert.com/CPS0
Source: SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	String found in binary or memory: https://www.globalsign.com/repository/0
Source: cvtres.exe, 00000001.00000002.539795312.0000000007103000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www

Source: unknown

DNS traffic detected: queries for: mail.rematinvest.ro

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

Jump to behavior

Contains functionality to register a low level keyboard hook

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

Code function: 1_2_0AB32AA8 SetWindowsHookExW 0000000D,00000000,?,?

1_2_0AB32AA8

Source: SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe, 00000000.00000002.276816184.0000000000C0B000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 1.0.cvtres.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.0.cvtres.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.0.cvtres.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe.42b6760.2.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.0.cvtres.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.0.cvtres.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe.42b6760.2.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen

.NET source code contains very large array initializations

Source: 1.0.cvtres.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b604F3593u002d6407u002d4C5Du002dBD8Fu002dB15E7C110E68u007d/u003736C013Fu002dA950u002d4972u002d94EBu002d155F6DFC9245.cs	Large array initialization: .cctor: array initializer size 11639
Source: 1.0.cvtres.exe.400000.3.unpack, u003cPrivateImplementationDetailsu003eu007b604F3593u002d6407u002d4C5Du002dBD8Fu002dB15E7C110E68u007d/u003736C013Fu002dA950u002d4972u002d94EBu002d155F6DFC9245.cs	Large array initialization: .cctor: array initializer size 11639
Source: 1.2.cvtres.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b604F3593u002d6407u002d4C5Du002dBD8Fu002dB15E7C110E68u007d/u003736C013Fu002dA950u002d4972u002d94EBu002d155F6DFC9245.cs	Large array initialization: .cctor: array initializer size 11639
Source: 1.0.cvtres.exe.400000.4.unpack, u003cPrivateImplementationDetailsu003eu007b604F3593u002d6407u002d4C5Du002dBD8Fu002dB15E7C110E68u007d/u003736C013Fu002dA950u002d4972u002d94EBu002d155F6DFC9245.cs	Large array initialization: .cctor: array initializer size 11639
Source: 1.0.cvtres.exe.400000.2.unpack, u003cPrivateImplementationDetailsu003eu007b604F3593u002d6407u002d4C5Du002dBD8Fu002dB15E7C110E68u007d/u003736C013Fu002dA950u002d4972u002d94EBu002d155F6DFC9245.cs	Large array initialization: .cctor: array initializer size 11639
Source: 1.0.cvtres.exe.400000.1.unpack, u003cPrivateImplementationDetailsu003eu007b604F3593u002d6407u002d4C5Du002dBD8Fu002dB15E7C110E68u007d/u003736C013Fu002dA950u002d4972u002d94EBu002d155F6DFC9245.cs	Large array initialization: .cctor: array initializer size 11639

Source: SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 1.0.cvtres.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.0.cvtres.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.0.cvtres.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe.42b6760.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.0.cvtres.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.0.cvtres.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe.42b6760.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload

Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	Code function: 0_2_010DF510	0_2_010DF510
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	Code function: 0_2_010D71D8	0_2_010D71D8
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	Code function: 0_2_010D0448	0_2_010D0448
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	Code function: 0_2_010D30B8	0_2_010D30B8
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	Code function: 0_2_010D3F78	0_2_010D3F78
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	Code function: 0_2_010D2BA4	0_2_010D2BA4
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	Code function: 0_2_010DD3E8	0_2_010DD3E8
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	Code function: 0_2_010D7BE0	0_2_010D7BE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	Code function: 0_2_010DAE80	0_2_010DAE80
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	Code function: 0_2_010D1E80	0_2_010D1E80
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	Code function: 0_2_010D26D0	0_2_010D26D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	Code function: 0_2_010D12F0	0_2_010D12F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	Code function: 0_2_010D717C	0_2_010D717C
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	Code function: 0_2_010D6180	0_2_010D6180
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	Code function: 0_2_010D6190	0_2_010D6190
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	Code function: 0_2_010D65A9	0_2_010D65A9
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	Code function: 0_2_010D65B8	0_2_010D65B8
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	Code function: 0_2_010D1DE0	0_2_010D1DE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	Code function: 0_2_010D11F3	0_2_010D11F3
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	Code function: 0_2_010D6408	0_2_010D6408
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	Code function: 0_2_010D8408	0_2_010D8408
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	Code function: 0_2_010D0438	0_2_010D0438
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	Code function: 0_2_010D30A8	0_2_010D30A8
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	Code function: 0_2_010DB325	0_2_010DB325
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	Code function: 0_2_010D6B59	0_2_010D6B59
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	Code function: 0_2_010D5F79	0_2_010D5F79
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	Code function: 0_2_010D5F88	0_2_010D5F88
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	Code function: 0_2_010D6BA8	0_2_010D6BA8
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	Code function: 0_2_010D5BB9	0_2_010D5BB9
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	Code function: 0_2_010D83B3	0_2_010D83B3
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	Code function: 0_2_010D5BC8	0_2_010D5BC8
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	Code function: 0_2_010D7BD0	0_2_010D7BD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	Code function: 0_2_010D83F8	0_2_010D83F8
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	Code function: 0_2_010D63FB	0_2_010D63FB
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	Code function: 0_2_010D1231	0_2_010D1231
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	Code function: 0_2_010D9A30	0_2_010D9A30
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	Code function: 0_2_010D9A40	0_2_010D9A40
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	Code function: 0_2_010DAE73	0_2_010DAE73
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	Code function: 0_2_010D3E90	0_2_010D3E90
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	Code function: 0_2_010DB2C5	0_2_010DB2C5
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	Code function: 0_2_010D26C0	0_2_010D26C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	Code function: 0_2_010DB2DB	0_2_010DB2DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Code function: 1_2_06F6F3C8	1_2_06F6F3C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Code function: 1_2_06F6F080	1_2_06F6F080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Code function: 1_2_06F6ADD0	1_2_06F6ADD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Code function: 1_2_06F66120	1_2_06F66120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Code function: 1_2_06F6ADC9	1_2_06F6ADC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Code function: 1_2_0A808E58	1_2_0A808E58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Code function: 1_2_0A80AC58	1_2_0A80AC58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Code function: 1_2_0A801D28	1_2_0A801D28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Code function: 1_2_0A9ED354	1_2_0A9ED354
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Code function: 1_2_0A9E6F68	1_2_0A9E6F68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Code function: 1_2_0A9E19A8	1_2_0A9E19A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Code function: 1_2_0A9EF211	1_2_0A9EF211
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Code function: 1_2_0A9EBE40	1_2_0A9EBE40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Code function: 1_2_0A9E87D0	1_2_0A9E87D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Code function: 1_2_0A9ED348	1_2_0A9ED348
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Code function: 1_2_0A9E2CD8	1_2_0A9E2CD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Code function: 1_2_0A9EE42F	1_2_0A9EE42F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Code function: 1_2_0A9E2D88	1_2_0A9E2D88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Code function: 1_2_0A9EE520	1_2_0A9EE520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Code function: 1_2_0A9E9548	1_2_0A9E9548
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Code function: 1_2_0AB3B314	1_2_0AB3B314

Source: SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	Binary or memory string: OriginalFilename vs SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe
Source: SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe, 00000000.00000002.277186233.0000000002A25000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameoKRqvBDdHrCFXRMUeMYMrqRNhh.exe4 vs SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe
Source: SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe, 00000000.00000002.279564854.0000000004225000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameoKRqvBDdHrCFXRMUeMYMrqRNhh.exe4 vs SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe
Source: SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe, 00000000.00000002.276585207.0000000000572000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameXAAWWQQRDG243.exe< vs SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe
Source: SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe, 00000000.00000002.276816184.0000000000C0B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe
Source: SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	Binary or memory string: OriginalFilenameXAAWWQQRDG243.exe< vs SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe

Source: SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe

Static PE information: invalid certificate

Source: SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	Virustotal: Detection: 24%
Source: SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	ReversingLabs: Detection: 29%

Source: SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe "C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/1

Source: SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe, u206c????????????????????????????????????????.cs	Cryptographic APIs: 'CreateDecryptor'
Source: SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe, u206c????????????????????????????????????????.cs	Cryptographic APIs: 'TransformBlock'
Source: SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe, u206c????????????????????????????????????????.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.0.SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe.570000.0.unpack, u206c????????????????????????????????????????.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe.570000.0.unpack, u206c????????????????????????????????????????.cs	Cryptographic APIs: 'TransformBlock'
Source: 0.0.SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe.570000.0.unpack, u206c????????????????????????????????????????.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe.570000.0.unpack, u206c????????????????????????????????????????.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe.570000.0.unpack, u206c????????????????????????????????????????.cs	Cryptographic APIs: 'TransformBlock'
Source: 0.2.SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe.570000.0.unpack, u206c????????????????????????????????????????.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.0.cvtres.exe.400000.0.unpack, A/F1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.0.cvtres.exe.400000.0.unpack, A/F1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: XAAWWQQRDG243.pdb source: SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe

Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	Code function: 0_2_005A1D52 push eax; iretd	0_2_005A1D57
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	Code function: 0_2_005A0B62 push edx; ret	0_2_005A0B85
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Code function: 1_2_0AB3A6D2 push ds; ret	1_2_0AB3A6DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Code function: 1_2_0AB3A730 push ds; ret	1_2_0AB3A732
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Code function: 1_2_0AB3A738 push ds; ret	1_2_0AB3A73A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Code function: 1_2_0AB39B28 push ss; ret	1_2_0AB39B2A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Code function: 1_2_0AB39B59 push ss; ret	1_2_0AB39B5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Code function: 1_2_0AB37DE0 push es; ret	1_2_0AB37DEA

Source: SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe

Static PE information: real checksum: 0x57c2e should be: 0x5f1d0

Source: initial sample

Static PE information: section name: .text entropy: 7.592349804617437

Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe TID: 6428	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 6524	Thread sleep time: -14757395258967632s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 6528	Thread sleep count: 9507 > 30	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

Window / User API: threadDelayed 9507

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe, 00000000.00000002.277296080.00000000039C1000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe, 00000000.00000002.277476753.0000000003ABF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: %GiEQgaEQeMUQ
Source: SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe, 00000000.00000002.277476753.0000000003ABF000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe, 00000000.00000002.279564854.0000000004225000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: %kWjFEAAAGiEQgaEQeMUQAAAaIRC
Source: SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe, 00000000.00000002.279564854.0000000004225000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: %/gEsBhYqHwoTCwARCxj+ASwGAxRRGRMLABELHP4BLAkgACAAAAwdEwsAEQsfCv4BLCMRBA0CB3QMAAAbEQQIFm+5AQAKEwYRBhZAfAAAABYqHwsTCwARCxr+ASwOIAAgAACNLwAAAQsbEwsAEQsZ/gEsBgQUURoTCwARCx7+ASwVAiAAAACAKPQCAAYo6gAABiYfCRMLABELHf4BLAcIFjOQHhMLABELF/4BLAMYEwsAEQsW/gEsAxcTCwARCx8L/gEsAisFOCL///8RBBEG1hMECBEG2gwHdAwAABsWCRnaKLoBAAoRBBIAKM8AAAYsrQMoowAACgd0DAAAGxYGb9oAAApREQQGOxQBAAARBAbaEwcEEQcX2hfWjS8AAAFRFNCCAAABKBQAAAooVQIABhuNBwAAARMIEQgWBygRAAAKohEIFwaMUQAAAaIRCBgEUKIRCBkWjFEAAAGiEQgaEQeMUQAAAaIRCBM
Source: cvtres.exe, 00000001.00000002.542165976.000000000A4B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe

Code function: 0_2_010DF028 CheckRemoteDebuggerPresent,

0_2_010DF028

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

Code function: 1_2_0A805860 LdrInitializeThunk,

1_2_0A805860

Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 436000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 438000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 513D008	Jump to behavior

.NET source code references suspicious native API functions

Source: SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe, u200d????????????????????????????????????????.cs	Reference to suspicious API methods: ('????????????????????????????????????????', 'GetProcAddress@kernel32'), ('?????????????????????????????????????????', 'LoadLibraryA@kernel32')
Source: SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe, u200d????????????????????????????????????????.cs	Reference to suspicious API methods: ('?????????????????????????????????????????', 'OpenProcess@kernel32.dll'), ('?????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
Source: 0.0.SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe.570000.0.unpack, u200d????????????????????????????????????????.cs	Reference to suspicious API methods: ('????????????????????????????????????????', 'GetProcAddress@kernel32'), ('?????????????????????????????????????????', 'LoadLibraryA@kernel32')
Source: 0.0.SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe.570000.0.unpack, u200d????????????????????????????????????????.cs	Reference to suspicious API methods: ('?????????????????????????????????????????', 'OpenProcess@kernel32.dll'), ('?????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
Source: 0.2.SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe.570000.0.unpack, u200d????????????????????????????????????????.cs	Reference to suspicious API methods: ('????????????????????????????????????????', 'GetProcAddress@kernel32'), ('?????????????????????????????????????????', 'LoadLibraryA@kernel32')
Source: 0.2.SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe.570000.0.unpack, u200d????????????????????????????????????????.cs	Reference to suspicious API methods: ('?????????????????????????????????????????', 'OpenProcess@kernel32.dll'), ('?????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
Source: 1.0.cvtres.exe.400000.0.unpack, A/E1.cs	Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
Source: 1.0.cvtres.exe.400000.3.unpack, A/E1.cs	Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
Source: 1.2.cvtres.exe.400000.0.unpack, A/E1.cs	Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
Source: 1.0.cvtres.exe.400000.4.unpack, A/E1.cs	Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
Source: 1.0.cvtres.exe.400000.2.unpack, A/E1.cs	Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
Source: 1.0.cvtres.exe.400000.1.unpack, A/E1.cs	Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

Jump to behavior

Source: SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe, 00000000.00000002.277134175.00000000029DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe, 00000000.00000002.277134175.00000000029DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Progman

Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 1.0.cvtres.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.cvtres.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.cvtres.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe.42b6760.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.cvtres.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.cvtres.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe.42b6760.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.275647254.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.275934725.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.275297805.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.537735702.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.274776016.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.279564854.0000000004225000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.277476753.0000000003ABF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.539795312.0000000007103000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.540034037.0000000007158000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe PID: 6408, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cvtres.exe PID: 6452, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior

Source: Yara match	File source: 00000001.00000002.539795312.0000000007103000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cvtres.exe PID: 6452, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 1.0.cvtres.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.cvtres.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.cvtres.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe.42b6760.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.cvtres.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.cvtres.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe.42b6760.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.275647254.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.275934725.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.275297805.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.537735702.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.274776016.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.279564854.0000000004225000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.277476753.0000000003ABF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.539795312.0000000007103000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.540034037.0000000007158000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe PID: 6408, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cvtres.exe PID: 6452, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	211 Windows Management Instrumentation	Path Interception	312 Process Injection	1 Masquerading	1 OS Credential Dumping	221 Security Software Discovery	Remote Services	1 Email Collection	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Native API	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	211 Input Capture	2 Process Discovery	Remote Desktop Protocol	211 Input Capture	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	141 Virtualization/Sandbox Evasion	Security Account Manager	141 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	11 Archive Collected Data	Automated Exfiltration	1 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	312 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	1 Data from Local System	Scheduled Transfer	11 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Remote System Discovery	SSH	1 Clipboard Data	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	3 Obfuscated Files or Information	Cached Domain Credentials	114 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	3 Software Packing	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	25%	Virustotal		Browse
SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	29%	ReversingLabs	ByteCode-MSIL.Spyware.Noon
SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
1.0.cvtres.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8	Download File
1.0.cvtres.exe.400000.3.unpack	100%	Avira	TR/Spy.Gen8	Download File
1.2.cvtres.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8	Download File
1.0.cvtres.exe.400000.4.unpack	100%	Avira	TR/Spy.Gen8	Download File
1.0.cvtres.exe.400000.2.unpack	100%	Avira	TR/Spy.Gen8	Download File
1.0.cvtres.exe.400000.1.unpack	100%	Avira	TR/Spy.Gen8	Download File

Domains

Source	Detection	Scanner	Label	Link
rematinvest.ro	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://mail.rematinvest.ro	0%	Avira URL Cloud	safe
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://rematinvest.ro	0%	Avira URL Cloud	safe
https://api.ipify.org%%startupfolder%	0%	URL Reputation	safe
https://api.ipify.org%	0%	URL Reputation	safe
http://CsSUlW.com	0%	Avira URL Cloud	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www	0%	URL Reputation	safe
http://DynDns.comDynDNSnamejidpasswordPsi/Psi	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
rematinvest.ro	109.99.162.14	true	true	0%, Virustotal, Browse	unknown
mail.rematinvest.ro	unknown	unknown	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://mail.rematinvest.ro	cvtres.exe, 00000001.00000002.540696407.00000000071E8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://127.0.0.1:HTTP/1.1	cvtres.exe, 00000001.00000002.539795312.0000000007103000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://rematinvest.ro	cvtres.exe, 00000001.00000002.540696407.00000000071E8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.ipify.org%%startupfolder%	cvtres.exe, 00000001.00000002.539795312.0000000007103000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	low
https://api.ipify.org%	cvtres.exe, 00000001.00000002.539795312.0000000007103000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	low
http://CsSUlW.com	cvtres.exe, 00000001.00000002.539795312.0000000007103000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www	cvtres.exe, 00000001.00000002.539795312.0000000007103000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://DynDns.comDynDNSnamejidpasswordPsi/Psi	cvtres.exe, 00000001.00000002.539795312.0000000007103000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
109.99.162.14	rematinvest.ro	Romania		9050	RTDBucharestRomaniaRO	true

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	671761
Start date and time: 22/07/202215:32:06	2022-07-22 15:32:06 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 19s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.19730 (renamed file extension from 19730 to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@2/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 0.8% (good quality ratio 0.6%) Quality average: 58.4% Quality standard deviation: 29.4%
HCA Information:	Successful, ratio: 99% Number of executed functions: 68 Number of non-executed functions: 20
Cookbook Comments:	Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded domains from analysis (whitelisted): www.bing.com, ris.api.iris.microsoft.com, fs.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
15:33:21	API Interceptor	1x Sleep call for process: SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe modified
15:33:24	API Interceptor	860x Sleep call for process: cvtres.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
RTDBucharestRomaniaRO	bMwvKA6Owe.exe	Get hash	malicious	Browse	109.102.255.230
	kfHWoySTel	Get hash	malicious	Browse	109.99.173.28
	home.mips	Get hash	malicious	Browse	80.97.224.199
	#Ud83d#Udd0a VM 9193408792.wav.html	Get hash	malicious	Browse	92.87.6.53
	jTpjSXxHjt.dll	Get hash	malicious	Browse	92.81.66.155
	oWmdf3W67o.dll	Get hash	malicious	Browse	109.103.48.81
	djA1JX3UZv.dll	Get hash	malicious	Browse	92.83.238.161
	342hs5UFG1.dll	Get hash	malicious	Browse	109.102.113.172
	196608.htm	Get hash	malicious	Browse	92.87.6.53
	fxyKXb2hV5.dll	Get hash	malicious	Browse	109.103.83.54
	v8Rhp4teOl.dll	Get hash	malicious	Browse	92.85.58.229
	7T2Y8w1zOi.dll	Get hash	malicious	Browse	92.83.239.195
	E3mbtPKpoj.dll	Get hash	malicious	Browse	92.80.107.22
	agsS7yP4eP.dll	Get hash	malicious	Browse	89.121.130.106
	Vi3ioqKqPS.dll	Get hash	malicious	Browse	86.35.226.0
	eYB6B0ahQe.dll	Get hash	malicious	Browse	92.81.231.56
	196488.htm	Get hash	malicious	Browse	92.87.6.53
	cutie.spc	Get hash	malicious	Browse	92.84.221.174
	xd.arm7	Get hash	malicious	Browse	109.97.15.12
	Sh4DuCY4DY.exe	Get hash	malicious	Browse	109.98.58.98

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe.log

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	226
Entropy (8bit):	5.3467126928258955
Encrypted:	false
SSDEEP:	6:Q3La/xw5DLIP12MUAvvR+uTL2LDY3U21v:Q3La/KDLI4MWuPk21v
MD5:	DD8B7A943A5D834CEEAB90A6BBBF4781
SHA1:	2BED8D47DF1C0FF76B40811E5F11298BD2D06389
SHA-256:	E1D0A304B16BE51AE361E392A678D887AB0B76630B42A12D252EDC0484F0333B
SHA-512:	24167174EA259CAF57F65B9B9B9C113DD944FC957DB444C2F66BC656EC2E6565EFE4B4354660A5BE85CE4847434B3BDD4F7E05A9E9D61F4CC99FF0284DAA1C87
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.4204493171592665
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe
File size:	368792
MD5:	dc73208cea7efcb8980e4fe19695fb58
SHA1:	2c2dcb6cb0c160be8ed8a44258c75c72490dc800
SHA256:	3c9da266bec8653324cc74d991fe6707192843f196ba7a0007d1f2850501b24b
SHA512:	6ccfe1d86e0ae4de76899a73515500428029ebfb476588c2d0939855aa51181e952fcaa86d530008b8ecfd9aa6aaf4aa5e73ebcb6b5f467ec4a11a03691b407c
SSDEEP:	6144:ltKUcUfA/X0uQSF5iEAjhOiLp7/U13pLKqr2PtueCg/+rA:lYUE/zDF5iaiN7iKqr2PtueCo
TLSH:	7E748CCD765031CFC897C976CAA84C75B6607867831B8223D09725EDAD4CAABDF181F2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..._e.b..............0.................. ........@.. ...............................\|....`................................

File Icon


Icon Hash:	0000000000000000

Static PE Info

General

Entrypoint:	0x43dbfe
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x62DA655F [Fri Jul 22 08:52:47 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=GlobalSign CodeSigning CA - SHA256 - G3, O=GlobalSign nv-sa, C=BE
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	8/25/2020 6:42:07 AM 8/26/2023 6:42:07 AM
Subject Chain	CN=win.rar GmbH, O=win.rar GmbH, L=Berlin, S=Berlin, C=DE
Version:	3
Thumbprint MD5:	185DBD4A2E2671589EEB3E7E1920EA9F
Thumbprint SHA-1:	B3DF816A17A25557316D181DDB9F46254D6D8CA0
Thumbprint SHA-256:	66DB1C86D38273627C837F4638122FA88BBFFFF31C4052115B98CAF6CE0C631E
Serial:	731D40AE3F3A1FB2BC3D8395

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3dbb0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3e000	0x19eea	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x56200	0x3e98
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x58000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3db68	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x3bc04	0x3be00	False	0.812638635177453	data	7.592349804617437	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x3e000	0x19eea	0x1a000	False	0.14594914362980768	data	1.780344215325864	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x58000	0xc	0x200	False	0.041015625	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x3e254	0x120b	PNG image data, 256 x 256, 8-bit gray+alpha, non-interlaced
RT_ICON	0x3f460	0x10828	dBase III DBT, version number 0, next free block index 40
RT_ICON	0x4fc88	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0
RT_ICON	0x53eb0	0x25a8	dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0
RT_ICON	0x56458	0x10a8	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0
RT_ICON	0x57500	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x57968	0x5a	data
RT_VERSION	0x579c4	0x33c	data
RT_MANIFEST	0x57d00	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.3109.99.162.14497415872030171 07/22/22-15:33:30.362608	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49741	587	192.168.2.3	109.99.162.14
192.168.2.3109.99.162.14497415872840032 07/22/22-15:33:30.362703	TCP	2840032	ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	49741	587	192.168.2.3	109.99.162.14
192.168.2.3109.99.162.14497415872851779 07/22/22-15:33:30.362703	TCP	2851779	ETPRO TROJAN Agent Tesla Telegram Exfil	49741	587	192.168.2.3	109.99.162.14

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 22, 2022 15:33:29.849701881 CEST	49741	587	192.168.2.3	109.99.162.14
Jul 22, 2022 15:33:29.895144939 CEST	587	49741	109.99.162.14	192.168.2.3
Jul 22, 2022 15:33:29.895684004 CEST	49741	587	192.168.2.3	109.99.162.14
Jul 22, 2022 15:33:30.007388115 CEST	587	49741	109.99.162.14	192.168.2.3
Jul 22, 2022 15:33:30.010684013 CEST	49741	587	192.168.2.3	109.99.162.14
Jul 22, 2022 15:33:30.056446075 CEST	587	49741	109.99.162.14	192.168.2.3
Jul 22, 2022 15:33:30.057645082 CEST	49741	587	192.168.2.3	109.99.162.14
Jul 22, 2022 15:33:30.105433941 CEST	587	49741	109.99.162.14	192.168.2.3
Jul 22, 2022 15:33:30.121973038 CEST	49741	587	192.168.2.3	109.99.162.14
Jul 22, 2022 15:33:30.172768116 CEST	587	49741	109.99.162.14	192.168.2.3
Jul 22, 2022 15:33:30.174324036 CEST	49741	587	192.168.2.3	109.99.162.14
Jul 22, 2022 15:33:30.219968081 CEST	587	49741	109.99.162.14	192.168.2.3
Jul 22, 2022 15:33:30.220487118 CEST	49741	587	192.168.2.3	109.99.162.14
Jul 22, 2022 15:33:30.305110931 CEST	587	49741	109.99.162.14	192.168.2.3
Jul 22, 2022 15:33:30.314565897 CEST	587	49741	109.99.162.14	192.168.2.3
Jul 22, 2022 15:33:30.315073967 CEST	49741	587	192.168.2.3	109.99.162.14
Jul 22, 2022 15:33:30.361059904 CEST	587	49741	109.99.162.14	192.168.2.3
Jul 22, 2022 15:33:30.361115932 CEST	587	49741	109.99.162.14	192.168.2.3
Jul 22, 2022 15:33:30.362607956 CEST	49741	587	192.168.2.3	109.99.162.14
Jul 22, 2022 15:33:30.362703085 CEST	49741	587	192.168.2.3	109.99.162.14
Jul 22, 2022 15:33:30.370491028 CEST	49741	587	192.168.2.3	109.99.162.14
Jul 22, 2022 15:33:30.370620966 CEST	49741	587	192.168.2.3	109.99.162.14
Jul 22, 2022 15:33:30.408056021 CEST	587	49741	109.99.162.14	192.168.2.3
Jul 22, 2022 15:33:30.415905952 CEST	587	49741	109.99.162.14	192.168.2.3
Jul 22, 2022 15:33:34.302337885 CEST	587	49741	109.99.162.14	192.168.2.3
Jul 22, 2022 15:33:34.529980898 CEST	49741	587	192.168.2.3	109.99.162.14
Jul 22, 2022 15:33:34.549921989 CEST	587	49741	109.99.162.14	192.168.2.3
Jul 22, 2022 15:33:34.550004959 CEST	49741	587	192.168.2.3	109.99.162.14
Jul 22, 2022 15:35:09.694714069 CEST	49741	587	192.168.2.3	109.99.162.14
Jul 22, 2022 15:35:09.746292114 CEST	587	49741	109.99.162.14	192.168.2.3
Jul 22, 2022 15:35:09.746540070 CEST	49741	587	192.168.2.3	109.99.162.14
Jul 22, 2022 15:35:09.748508930 CEST	49741	587	192.168.2.3	109.99.162.14
Jul 22, 2022 15:35:09.795516968 CEST	587	49741	109.99.162.14	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 22, 2022 15:33:29.739366055 CEST	58116	53	192.168.2.3	8.8.8.8
Jul 22, 2022 15:33:29.756978035 CEST	53	58116	8.8.8.8	192.168.2.3
Jul 22, 2022 15:33:29.813652039 CEST	57421	53	192.168.2.3	8.8.8.8
Jul 22, 2022 15:33:29.835345984 CEST	53	57421	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jul 22, 2022 15:33:29.739366055 CEST	192.168.2.3	8.8.8.8	0x6f89	Standard query (0)	mail.rematinvest.ro	A (IP address)	IN (0x0001)
Jul 22, 2022 15:33:29.813652039 CEST	192.168.2.3	8.8.8.8	0x5dbf	Standard query (0)	mail.rematinvest.ro	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jul 22, 2022 15:33:29.756978035 CEST	8.8.8.8	192.168.2.3	0x6f89	No error (0)	mail.rematinvest.ro	rematinvest.ro		CNAME (Canonical name)	IN (0x0001)
Jul 22, 2022 15:33:29.756978035 CEST	8.8.8.8	192.168.2.3	0x6f89	No error (0)	rematinvest.ro		109.99.162.14	A (IP address)	IN (0x0001)
Jul 22, 2022 15:33:29.835345984 CEST	8.8.8.8	192.168.2.3	0x5dbf	No error (0)	mail.rematinvest.ro	rematinvest.ro		CNAME (Canonical name)	IN (0x0001)
Jul 22, 2022 15:33:29.835345984 CEST	8.8.8.8	192.168.2.3	0x5dbf	No error (0)	rematinvest.ro		109.99.162.14	A (IP address)	IN (0x0001)

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jul 22, 2022 15:33:30.007388115 CEST	587	49741	109.99.162.14	192.168.2.3	220-cpanel4.romtelecom.net ESMTP Exim 4.93 #2 Fri, 22 Jul 2022 16:33:29 +0300 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jul 22, 2022 15:33:30.010684013 CEST	49741	587	192.168.2.3	109.99.162.14	EHLO 813848
Jul 22, 2022 15:33:30.056446075 CEST	587	49741	109.99.162.14	192.168.2.3	250-cpanel4.romtelecom.net Hello 813848 [84.17.52.2] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jul 22, 2022 15:33:30.057645082 CEST	49741	587	192.168.2.3	109.99.162.14	AUTH login ZmFjdHVyYXJlQHJlbWF0aW52ZXN0LnJv
Jul 22, 2022 15:33:30.105433941 CEST	587	49741	109.99.162.14	192.168.2.3	334 UGFzc3dvcmQ6
Jul 22, 2022 15:33:30.172768116 CEST	587	49741	109.99.162.14	192.168.2.3	235 Authentication succeeded
Jul 22, 2022 15:33:30.174324036 CEST	49741	587	192.168.2.3	109.99.162.14	MAIL FROM:<facturare@rematinvest.ro>
Jul 22, 2022 15:33:30.219968081 CEST	587	49741	109.99.162.14	192.168.2.3	250 OK
Jul 22, 2022 15:33:30.220487118 CEST	49741	587	192.168.2.3	109.99.162.14	RCPT TO:<lsir34118@gmail.com>
Jul 22, 2022 15:33:30.314565897 CEST	587	49741	109.99.162.14	192.168.2.3	250 Accepted
Jul 22, 2022 15:33:30.315073967 CEST	49741	587	192.168.2.3	109.99.162.14	DATA
Jul 22, 2022 15:33:30.361115932 CEST	587	49741	109.99.162.14	192.168.2.3	354 Enter message, ending with "." on a line by itself
Jul 22, 2022 15:33:30.370620966 CEST	49741	587	192.168.2.3	109.99.162.14	.
Jul 22, 2022 15:33:34.302337885 CEST	587	49741	109.99.162.14	192.168.2.3	250 OK id=1oEsmY-000QvC-Al
Jul 22, 2022 15:33:34.549921989 CEST	587	49741	109.99.162.14	192.168.2.3	250 OK id=1oEsmY-000QvC-Al
Jul 22, 2022 15:35:09.694714069 CEST	49741	587	192.168.2.3	109.99.162.14	QUIT
Jul 22, 2022 15:35:09.746292114 CEST	587	49741	109.99.162.14	192.168.2.3	221 cpanel4.romtelecom.net closing connection

Target ID:	0
Start time:	15:33:19
Start date:	22/07/2022
Path:	C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe"
Imagebase:	0x570000
File size:	368792 bytes
MD5 hash:	DC73208CEA7EFCB8980E4FE19695FB58
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.279564854.0000000004225000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.279564854.0000000004225000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.277476753.0000000003ABF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.277476753.0000000003ABF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Target ID:	1
Start time:	15:33:21
Start date:	22/07/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Imagebase:	0xe40000
File size:	43176 bytes
MD5 hash:	C09985AE74F0882F208D75DE27770DFA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000000.275647254.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000000.275647254.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000000.275934725.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000000.275934725.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000000.275297805.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000000.275297805.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.537735702.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000002.537735702.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.539795312.0000000007103000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.539795312.0000000007103000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000000.274776016.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000000.274776016.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.540034037.0000000007158000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate

Show Windows behavior

Execution Graph

Execution Coverage:	16.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	17.6%
Total number of Nodes:	74
Total number of Limit Nodes:	3

Executed Functions

Function 010D3E90 Relevance: 2.8, Strings: 2, Instructions: 349
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

<UY, xrefs: 010D4019
h\c|, xrefs: 010D4106

Memory Dump Source

Source File: 00000000.00000002.276906058.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: <UY$h\c|
API String ID: 0-3075139921
Opcode ID: 46482d8d45677524155baf1973573dd14baa8838ed3d453bcfcc6b4683712c9e
Instruction ID: ad1d4ff28c2fc71a0f3f0242173e4928127b73188b77e2b3aca11c4bacb0c0dc
Opcode Fuzzy Hash: 46482d8d45677524155baf1973573dd14baa8838ed3d453bcfcc6b4683712c9e
Instruction Fuzzy Hash: 41F17BB4E0430ADFCB04CFA5D5818AEFBB2FF99300B14949AD546AB215D734EA42CF91

Uniqueness

Uniqueness Score: -1.00%

Function 010D3F78 Relevance: 2.8, Strings: 2, Instructions: 302
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

<UY, xrefs: 010D4019
h\c|, xrefs: 010D4106

Memory Dump Source

Source File: 00000000.00000002.276906058.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: <UY$h\c|
API String ID: 0-3075139921
Opcode ID: f1934217aaab233a909d31ce83d51f44a7d1a3309207b02bb23fe5588346dd67
Instruction ID: 5ce9011f0bc05eb93d24ef7dd2586fc0b116faf012e6b6a5d769db625bfdb64a
Opcode Fuzzy Hash: f1934217aaab233a909d31ce83d51f44a7d1a3309207b02bb23fe5588346dd67
Instruction Fuzzy Hash: 76D14BB4E0420ADFCB04CFA5D5858AEFBB2FF89300F14D15AD546AB218D734AA42CF95

Uniqueness

Uniqueness Score: -1.00%

Function 010D1DE0 Relevance: 2.8, Strings: 2, Instructions: 277
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

zJs, xrefs: 010D1F7F
zJs, xrefs: 010D1F86

Memory Dump Source

Source File: 00000000.00000002.276906058.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: zJs$zJs
API String ID: 0-1581145645
Opcode ID: 40d2e6900ba401e637a7b4cb9737953885dc53ebd62b37be5820b0763db1e926
Instruction ID: a040746237ba1db9fabbf7690fd838fc73fef0e061a2ad7b0228c1502310d493
Opcode Fuzzy Hash: 40d2e6900ba401e637a7b4cb9737953885dc53ebd62b37be5820b0763db1e926
Instruction Fuzzy Hash: 0FC113B4E04318CFCB04CFA9D980AAEBBF2FF89314F24856AD445AB355DB359942CB14

Uniqueness

Uniqueness Score: -1.00%

Function 010D1E80 Relevance: 2.7, Strings: 2, Instructions: 245
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

zJs, xrefs: 010D1F7F
zJs, xrefs: 010D1F86

Memory Dump Source

Source File: 00000000.00000002.276906058.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: zJs$zJs
API String ID: 0-1581145645
Opcode ID: c8bb5bea535315902917c03c84b6d02937efd1efe9d537bc8ab2d8254fb9f3b5
Instruction ID: a4480fc1114bc25d311a5d65268bf4a14574ff87516b194154b9f3bea4403d14
Opcode Fuzzy Hash: c8bb5bea535315902917c03c84b6d02937efd1efe9d537bc8ab2d8254fb9f3b5
Instruction Fuzzy Hash: E7B1AEB4E042199FDB04CFA9C980AAEBBF2FF88304F20856AE515AB355DB359941CF54

Uniqueness

Uniqueness Score: -1.00%

Function 010DD3E8 Relevance: 1.8, Strings: 1, Instructions: 528
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Pg[9, xrefs: 010DDBCC

Memory Dump Source

Source File: 00000000.00000002.276906058.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d0000_SecuriteInfo.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID: Pg[9
API String ID: 2591292051-2711290252
Opcode ID: dd207e49df1a7790c79b6bed11b0c8ec6cd1a7dbb9badc0966c0d0d6196faaa6
Instruction ID: 263f3e91281d954a1d3b672ac15764b3436d0e453e5934552436dc1682f63f0e
Opcode Fuzzy Hash: dd207e49df1a7790c79b6bed11b0c8ec6cd1a7dbb9badc0966c0d0d6196faaa6
Instruction Fuzzy Hash: 4A322974D05319CFDB64CFA9D9807EDBBB2BF99300F1090AAD54AA7290DB309A81CF15

Uniqueness

Uniqueness Score: -1.00%

Function 010DF028 Relevance: 1.6, APIs: 1, Instructions: 82COMMON

Download Yara Rule

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 010DF0B6

Memory Dump Source

Source File: 00000000.00000002.276906058.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d0000_SecuriteInfo.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 8262e4d58f7bc368da30903b7a351b0b1699c7d61e2ed29762b24cc21a3dc2f8
Instruction ID: 01f4566bbbefd7f82b0d97b10f9cf02b1a67c21a57826dd416d08c70dcf849d5
Opcode Fuzzy Hash: 8262e4d58f7bc368da30903b7a351b0b1699c7d61e2ed29762b24cc21a3dc2f8
Instruction Fuzzy Hash: ED31A6B8D052189FCB10CFAAD984A9EFBF5BB49314F14942AE915B7300C774A946CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 010DAE80 Relevance: 1.6, Strings: 1, Instructions: 310COMMON

Download Yara Rule

Strings

$,1D, xrefs: 010DB291

Memory Dump Source

Source File: 00000000.00000002.276906058.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: $,1D
API String ID: 0-2293226186
Opcode ID: cfee5c808150250293b17bf62d594b6f14cf9dbd9a975476cd02a7c83d47dcf3
Instruction ID: 06ba5aa99da1db04dd0dbb95deb17c345a690a6e890f91529aecf36888f6b226
Opcode Fuzzy Hash: cfee5c808150250293b17bf62d594b6f14cf9dbd9a975476cd02a7c83d47dcf3
Instruction Fuzzy Hash: 56D106B4E04229CBDB64CF65D940BDDBBB6EF99300F1095EA961AB3250EB305A81CF54

Uniqueness

Uniqueness Score: -1.00%

Function 010DAE73 Relevance: 1.6, Strings: 1, Instructions: 302COMMON

Download Yara Rule

Strings

$,1D, xrefs: 010DB291

Memory Dump Source

Source File: 00000000.00000002.276906058.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: $,1D
API String ID: 0-2293226186
Opcode ID: 47253ec722500703b58878f58a40104f4af126d9175c090e642de173d76d9ce7
Instruction ID: f4edf6486b5f2f53447e33aa3a38a483d59dc44615a4ad3b28b40b3ba93bc16f
Opcode Fuzzy Hash: 47253ec722500703b58878f58a40104f4af126d9175c090e642de173d76d9ce7
Instruction Fuzzy Hash: ADD108B4E04229CBDB64CF65D940BDDBBB2EF99300F10D5EA960AB3254EB305A81CF54

Uniqueness

Uniqueness Score: -1.00%

Function 010DB325 Relevance: 1.5, Strings: 1, Instructions: 289COMMON

Download Yara Rule

Strings

$,1D, xrefs: 010DB291

Memory Dump Source

Source File: 00000000.00000002.276906058.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: $,1D
API String ID: 0-2293226186
Opcode ID: e9ecc4b93daaaa16d06b29321ba5264f313212b353472dbf6e245bae4a3d539c
Instruction ID: 9f153d0b3ab5eb2f3c49c723d64f1f513fec26939a45099a970f922d5fc8511e
Opcode Fuzzy Hash: e9ecc4b93daaaa16d06b29321ba5264f313212b353472dbf6e245bae4a3d539c
Instruction Fuzzy Hash: EFD1F6B4E04229CBDB64CF65D980BDDBBB5EF99300F1095EA961AB3250DB309AC1CF54

Uniqueness

Uniqueness Score: -1.00%

Function 010DB2DB Relevance: 1.5, Strings: 1, Instructions: 282COMMON

Download Yara Rule

Strings

$,1D, xrefs: 010DB291

Memory Dump Source

Source File: 00000000.00000002.276906058.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: $,1D
API String ID: 0-2293226186
Opcode ID: 203f0a76d2dd316c867ef38a8e102287962a3497111eda3c9a3df43dc0f4c3b3
Instruction ID: 98be6868bfb9071d67d581591df72f928bc828567eef76ecc83c9a75c9e2fe9d
Opcode Fuzzy Hash: 203f0a76d2dd316c867ef38a8e102287962a3497111eda3c9a3df43dc0f4c3b3
Instruction Fuzzy Hash: 67D1F5B4E04229CBDB64CF64D980BDDBBB5EF99300F1095EA965AB3250DB309AC1CF54

Uniqueness

Uniqueness Score: -1.00%

Function 010DB2C5 Relevance: 1.5, Strings: 1, Instructions: 273COMMON

Download Yara Rule

Strings

$,1D, xrefs: 010DB291

Memory Dump Source

Source File: 00000000.00000002.276906058.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: $,1D
API String ID: 0-2293226186
Opcode ID: e0bf532f584a1610ee20da6927ed40058a15d81449e3cd8deb2d23b2c96dc036
Instruction ID: 6e82799a2ec6e52c177ad6a192cecda40ace90052aa842bb448363688d04f3cb
Opcode Fuzzy Hash: e0bf532f584a1610ee20da6927ed40058a15d81449e3cd8deb2d23b2c96dc036
Instruction Fuzzy Hash: F4C106B4E04229CBDB64CF64D980BDDBBB5EF99300F1095EA960AB3250DB309AC1CF54

Uniqueness

Uniqueness Score: -1.00%

Function 010D717C Relevance: 1.5, Strings: 1, Instructions: 202COMMON

Download Yara Rule

Strings

#q, xrefs: 010D738F, 010D7394

Memory Dump Source

Source File: 00000000.00000002.276906058.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: #q
API String ID: 0-2107286103
Opcode ID: c1bfde19a2ba6ace5c127e5760571ede5527ef6cf05bc82f023034432a7f7fde
Instruction ID: 9294415ca0454d2caa4dc54e0c560aedee06d746c807b8a424d0822335f5919c
Opcode Fuzzy Hash: c1bfde19a2ba6ace5c127e5760571ede5527ef6cf05bc82f023034432a7f7fde
Instruction Fuzzy Hash: DC81EEB4D04348DFCB59CFA5D4402AEBBB2FF46308F54886ED491AB250EB799902CF51

Uniqueness

Uniqueness Score: -1.00%

Function 010D71D8 Relevance: 1.4, Strings: 1, Instructions: 152COMMON

Download Yara Rule

Strings

#q, xrefs: 010D738F, 010D7394

Memory Dump Source

Source File: 00000000.00000002.276906058.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: #q
API String ID: 0-2107286103
Opcode ID: 69b5bc7b01e9a140bcacb246b5e1a88f4b73cb11086fd4102f57a89197e0d644
Instruction ID: 50735fb23216ed334febf3f1ff840d5ec95341a0c56d04c798d3224b4dbb58f3
Opcode Fuzzy Hash: 69b5bc7b01e9a140bcacb246b5e1a88f4b73cb11086fd4102f57a89197e0d644
Instruction Fuzzy Hash: FD513770D05319DFDB54DFE5D5806AEBBB2BB85304F50882AE451BB350DB389942CF51

Uniqueness

Uniqueness Score: -1.00%

Function 010D1231 Relevance: 1.4, Strings: 1, Instructions: 119COMMON

Download Yara Rule

Strings

6{Un, xrefs: 010D13CB

Memory Dump Source

Source File: 00000000.00000002.276906058.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 6{Un
API String ID: 0-3244694174
Opcode ID: 289b7eab066feec405747c4c521b2838fd074923816a9b6888a02b0445e8646a
Instruction ID: c1ed4aa982f3f09f218c30d3daebc13202066d9bfb45b6f06a2965e411ca0fa8
Opcode Fuzzy Hash: 289b7eab066feec405747c4c521b2838fd074923816a9b6888a02b0445e8646a
Instruction Fuzzy Hash: 22515DB5E047158BE749CFAAD80079ABBF3FFC8310F04C4AAD558A6255EB358942CF51

Uniqueness

Uniqueness Score: -1.00%

Function 010D11F3 Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

6{Un, xrefs: 010D13CB

Memory Dump Source

Source File: 00000000.00000002.276906058.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 6{Un
API String ID: 0-3244694174
Opcode ID: 5bae249ea060b57d1e5442830299f16e43a8439fcf79ef96d27b1e79a93ba5dc
Instruction ID: 521f77a117efb5765e1c9a7cd12c82daead156f24ebe56f4a0148b3d8da9ffb0
Opcode Fuzzy Hash: 5bae249ea060b57d1e5442830299f16e43a8439fcf79ef96d27b1e79a93ba5dc
Instruction Fuzzy Hash: 1B415DB1E057188BEB58CFAAD80069AFAF3EFC8310F04C5AAD558A6254EB344942CF51

Uniqueness

Uniqueness Score: -1.00%

Function 010D12F0 Relevance: 1.3, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

6{Un, xrefs: 010D13CB

Memory Dump Source

Source File: 00000000.00000002.276906058.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 6{Un
API String ID: 0-3244694174
Opcode ID: ed4eb3d7471f34f861c5f0ecc4d96a50f2112991b7a1cdb9ad2df6083ffe332a
Instruction ID: 6245606ba6539e961a9dee702cdf8097638f6e1c3673cb705dc46de719d93c04
Opcode Fuzzy Hash: ed4eb3d7471f34f861c5f0ecc4d96a50f2112991b7a1cdb9ad2df6083ffe332a
Instruction Fuzzy Hash: AD41F871E016188FEB58DFAAD950B9EBBF3AFC9200F04C1BAD508AB254DB305A45CF51

Uniqueness

Uniqueness Score: -1.00%

Function 010DF510 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276906058.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d19b46bcf7061b6d4bbf7d1354d9fa48aaa2f6d6812445f7027a2601f03fc00d
Instruction ID: 332ac807ab106252157b0bbda1c3a7fec1b657cd9ca6672384ae79792e83cae9
Opcode Fuzzy Hash: d19b46bcf7061b6d4bbf7d1354d9fa48aaa2f6d6812445f7027a2601f03fc00d
Instruction Fuzzy Hash: 4CA1E374E0531ACFDB54CFA9D580ADDBBF2FB88300F10946AD54ABB254DB3099428F55

Uniqueness

Uniqueness Score: -1.00%

Function 010D2BA4 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276906058.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97f7ebd67a4cb4923767dbbe4be99f061925a46e782d726e99f2a2b02db86dc6
Instruction ID: df765457b12d70c7388e6f81ce86dcfcb5234d0cc69880d306b148a1500ad37f
Opcode Fuzzy Hash: 97f7ebd67a4cb4923767dbbe4be99f061925a46e782d726e99f2a2b02db86dc6
Instruction Fuzzy Hash: C2613475E0420ADFCB04CF99D4809AEFBB2FF89320F14956AD556AB314D7749A82CF90

Uniqueness

Uniqueness Score: -1.00%

Function 010D26C0 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276906058.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f4fd0dcd041a7291ffa8fdb9dc264abb8110ddfc8025f6c95f4a76ea51abb2e
Instruction ID: 04fca8fd2b2860c3e183a652e84dc0f0e5f29eade324315c9415609c0ea4a129
Opcode Fuzzy Hash: 5f4fd0dcd041a7291ffa8fdb9dc264abb8110ddfc8025f6c95f4a76ea51abb2e
Instruction Fuzzy Hash: F6513874E0520A8FCB48CFAAD9416AEFBF2BF88310F15C06AD559A7255D7348A42CF54

Uniqueness

Uniqueness Score: -1.00%

Function 010D26D0 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276906058.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24f1417f1c768109ba42408721d0bf84673056406b544c4b067d4a22fbc6e501
Instruction ID: 65de8bc83604d53fbd48bf3f70dc5d68cf11064ea292bf86f4d3ee1605fbcf7a
Opcode Fuzzy Hash: 24f1417f1c768109ba42408721d0bf84673056406b544c4b067d4a22fbc6e501
Instruction Fuzzy Hash: DB512970E0520ACFDB58CFAAD9416AEFBF2FF88310F15C06AD559A7254D7344A428F94

Uniqueness

Uniqueness Score: -1.00%

Function 010D7BE0 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276906058.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20013b66ad920451ea70493fb5e5e3558bb9d35eb50e90849ee6b9e6dccfff39
Instruction ID: fa31866deb699eb29c9e5ccbe4f8b2b372800aabf941fc46ffc4389a3726b8b5
Opcode Fuzzy Hash: 20013b66ad920451ea70493fb5e5e3558bb9d35eb50e90849ee6b9e6dccfff39
Instruction Fuzzy Hash: BE5116B4E15209DFDF04DFA5E9849EEBBB2FB88304F20A46AD901B7350E7359A018F55

Uniqueness

Uniqueness Score: -1.00%

Function 010D7BD0 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276906058.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2eef300998ac74ce680ce8dc8d439e83a9ca902970c6bc4ba378eb0423b0c64
Instruction ID: 0324430f6f54495185f79eb1d62648aad7a63a22bf651c1c7b524c72092d9d22
Opcode Fuzzy Hash: c2eef300998ac74ce680ce8dc8d439e83a9ca902970c6bc4ba378eb0423b0c64
Instruction Fuzzy Hash: A0512674D09209DFCF04DFA5E98499EBBB2FB89304F24A4AAD401B7361E7349A01CF55

Uniqueness

Uniqueness Score: -1.00%

Function 010D30B8 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276906058.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2083379d1877151e3083dfe4d2ee5580fadf29873592756a7ba16e0f7b28778d
Instruction ID: 85d240e42f0a3ff6521c08f0fb6f4e7eaa2c25faa70604874c42a86ab6812475
Opcode Fuzzy Hash: 2083379d1877151e3083dfe4d2ee5580fadf29873592756a7ba16e0f7b28778d
Instruction Fuzzy Hash: 4421F8B5E016188BDB18CFAAD9406DEBBF3FFC8350F14C16AD909A7258DB305A45CB51

Uniqueness

Uniqueness Score: -1.00%

Function 010D30A8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276906058.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c942eb35a79ec87dcb1f0b03c5c57c9b4e9b2fb4c37eb5cfd388510ecfb28069
Instruction ID: fb17a45dc3a1fb46e201a7d808912bac3bd1581e166400361306d568f830f702
Opcode Fuzzy Hash: c942eb35a79ec87dcb1f0b03c5c57c9b4e9b2fb4c37eb5cfd388510ecfb28069
Instruction Fuzzy Hash: E5210AB4E056488BDB58CFAAC95029EBFF3BFC9310F14C06AD409AB358DB345A46CB51

Uniqueness

Uniqueness Score: -1.00%

Function 010D0448 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276906058.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc8c71e651141e6882bb0108ded516390dd13e6e6f1e711c878fbdcb9ddd121c
Instruction ID: d973ae6f03bb689496ae8a0964724836fe467c80539dc5801c1ff04bab2381b1
Opcode Fuzzy Hash: cc8c71e651141e6882bb0108ded516390dd13e6e6f1e711c878fbdcb9ddd121c
Instruction Fuzzy Hash: 0F11D071E016199BDB18CF6BDD4469EFBF3BFC8301F04C176D918A6218EB3455528E50

Uniqueness

Uniqueness Score: -1.00%

Function 010D0438 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276906058.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c14554aae783ab223572d443a1a36eea1ac19b864204329c8d114e0d3640e67e
Instruction ID: 2cb63db6f751b98bc2e87a149a49e1c665dba2609810630fb90725460b2ed759
Opcode Fuzzy Hash: c14554aae783ab223572d443a1a36eea1ac19b864204329c8d114e0d3640e67e
Instruction Fuzzy Hash: E911BFB1E116199BDB18CF6BDD44A9EBBF3BFC8304F04C179D508A6268EB3445428E10

Uniqueness

Uniqueness Score: -1.00%

Function 010DA9E5 Relevance: 1.8, APIs: 1, Instructions: 327
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 010DACB7

Memory Dump Source

Source File: 00000000.00000002.276906058.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d0000_SecuriteInfo.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 650b4755f02c87381e63ac051e0f6e44c152d9c97cf31314b224dd64cc88b9c0
Instruction ID: 1248834e12a2f269b5a82bd1c366bbc85ed7b3e1a13ded3df07ba295193765c0
Opcode Fuzzy Hash: 650b4755f02c87381e63ac051e0f6e44c152d9c97cf31314b224dd64cc88b9c0
Instruction Fuzzy Hash: 1DC12571E00229CFDB20CFA8C840BEDBBB1BF49314F0495A9D589B7240DB749A85CF95

Uniqueness

Uniqueness Score: -1.00%

Function 010DA9F0 Relevance: 1.8, APIs: 1, Instructions: 321
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 010DACB7

Memory Dump Source

Source File: 00000000.00000002.276906058.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d0000_SecuriteInfo.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: cd0a6d6f5f4c9b5ec73d1d7a7a0ea3fdcc2d767b8b8a31342db9d9100026ca9b
Instruction ID: f5df85a6eab220ba0d90b2a9b0bd1c9bc644abeea5d2da1c772a771aeff7aace
Opcode Fuzzy Hash: cd0a6d6f5f4c9b5ec73d1d7a7a0ea3fdcc2d767b8b8a31342db9d9100026ca9b
Instruction Fuzzy Hash: E6C11371D04229CFDB20DFA8C880BEEBBB1BF49314F0495A9D589B7240DB749A85CF95

Uniqueness

Uniqueness Score: -1.00%

Function 010DA660 Relevance: 1.6, APIs: 1, Instructions: 118
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 010DA73B

Memory Dump Source

Source File: 00000000.00000002.276906058.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d0000_SecuriteInfo.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 4dff6765d5ea7a8464f6e661f4fdf6b12e84364bb280df8060b23b6ad3066403
Instruction ID: facecf64c8dc4352ef58eeb96d5d2ebf8c18ef067c779a37e55fbf345caa63b1
Opcode Fuzzy Hash: 4dff6765d5ea7a8464f6e661f4fdf6b12e84364bb280df8060b23b6ad3066403
Instruction Fuzzy Hash: D941B8B4D052489FCF10CFA9D984AEEBBF1BB49314F14942AE815B7200C338AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 010DA668 Relevance: 1.6, APIs: 1, Instructions: 116
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 010DA73B

Memory Dump Source

Source File: 00000000.00000002.276906058.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d0000_SecuriteInfo.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 163e8f8bd0f003c02c5169375b822ef99163b7eef3bb635a994fbbb03e023146
Instruction ID: a7938fb4624108fddef0f2247344f1ad8711a2d99e9e576570941ed74a74fd31
Opcode Fuzzy Hash: 163e8f8bd0f003c02c5169375b822ef99163b7eef3bb635a994fbbb03e023146
Instruction Fuzzy Hash: DB4197B5D052589FCF00CFA9D984AEEFBF1BB49314F14942AE919B7200D738AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 010DA7B8 Relevance: 1.6, APIs: 1, Instructions: 109
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 010DA872

Memory Dump Source

Source File: 00000000.00000002.276906058.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d0000_SecuriteInfo.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 0e9b6ee40685d77396beae610e51f3519904987b9d8cab12f02030e105c8981d
Instruction ID: db5c7621610dad56cf551ab938ecfa83019d97b8871c885f2dad5eef91b58ebe
Opcode Fuzzy Hash: 0e9b6ee40685d77396beae610e51f3519904987b9d8cab12f02030e105c8981d
Instruction Fuzzy Hash: FC41B9B9D04258DFCF00CFA9D984AEEFBB1BB49314F14942AE815B7210C738A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 010DA7C0 Relevance: 1.6, APIs: 1, Instructions: 106
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 010DA872

Memory Dump Source

Source File: 00000000.00000002.276906058.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d0000_SecuriteInfo.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: ec8555b6542f25d700b63c5439e0f2d494d1e5b177037434c45cc16b629e0648
Instruction ID: 06598774f1b1eaba974f48ea36c17beca90e66956c3c9e0189cf4c8488214a12
Opcode Fuzzy Hash: ec8555b6542f25d700b63c5439e0f2d494d1e5b177037434c45cc16b629e0648
Instruction Fuzzy Hash: 7D4199B5D04258DFCF10CFAAD884AEEFBB1BB49314F14942AE915B7210D734A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 010DA540 Relevance: 1.6, APIs: 1, Instructions: 104
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 010DA5F2

Memory Dump Source

Source File: 00000000.00000002.276906058.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d0000_SecuriteInfo.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b3618146753eebabe7664035179dc7891ba06495f7f4512823da35ad6aab0b7b
Instruction ID: 780fb31c62ea1d0f7d0af039e6f6dc98ab6c7fdb7ef7a746fdb7c10392c047d2
Opcode Fuzzy Hash: b3618146753eebabe7664035179dc7891ba06495f7f4512823da35ad6aab0b7b
Instruction Fuzzy Hash: 944197B8D04258DFCF10CFA9D984A9EFBB1BB59314F14942AE815BB210D734A945CF54

Uniqueness

Uniqueness Score: -1.00%

Function 010DA548 Relevance: 1.6, APIs: 1, Instructions: 101
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 010DA5F2

Memory Dump Source

Source File: 00000000.00000002.276906058.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d0000_SecuriteInfo.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 9e25c8b8352e9adab08dddd68a14e8fb97252822c2065a01f53e04b43945eb0f
Instruction ID: bab1f8203cc8f6fdfc66cefb5c9cdf3288a615bfcb18f837d2f89b678b538d5b
Opcode Fuzzy Hash: 9e25c8b8352e9adab08dddd68a14e8fb97252822c2065a01f53e04b43945eb0f
Instruction Fuzzy Hash: F83195B8D04258DFCF10CFA9D980ADEFBB1BB49314F10A42AE915BB200D734A945CF68

Uniqueness

Uniqueness Score: -1.00%

Function 010DA418 Relevance: 1.6, APIs: 1, Instructions: 98
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadContext.KERNELBASE(?,?), ref: 010DA4CF

Memory Dump Source

Source File: 00000000.00000002.276906058.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d0000_SecuriteInfo.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 0a0b16b580496cb1150a97a37ed83f80b883bebcaf32d8f606eccfae81c7926d
Instruction ID: 71316be1e267cc272fcb89d7904a72d2d29396a21020a08c07987804ec19198d
Opcode Fuzzy Hash: 0a0b16b580496cb1150a97a37ed83f80b883bebcaf32d8f606eccfae81c7926d
Instruction Fuzzy Hash: 3B41ABB5D05258DFDF14CFA9D984AEEBBF1BB48314F14802AE415B7240D738AA49CF64

Uniqueness

Uniqueness Score: -1.00%

Function 010DA420 Relevance: 1.6, APIs: 1, Instructions: 94
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadContext.KERNELBASE(?,?), ref: 010DA4CF

Memory Dump Source

Source File: 00000000.00000002.276906058.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d0000_SecuriteInfo.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 45376c98d5ca5d7611a62f67b0238883d97a39ff2aa5eb99c1e7579a5cc8333c
Instruction ID: 22ce14cfc8905fc8dc5b5620843b6293b90988ba12c99fd1948c63b5b51d8dc0
Opcode Fuzzy Hash: 45376c98d5ca5d7611a62f67b0238883d97a39ff2aa5eb99c1e7579a5cc8333c
Instruction Fuzzy Hash: E531BAB4D012589FDB10CFA9D884AEEBBF0BB48314F14802AE415B7240D738A949CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 010DF3F8 Relevance: 1.6, APIs: 1, Instructions: 87COMMON

Download Yara Rule

APIs

EnumWindows.USER32(?,?), ref: 010DF491

Memory Dump Source

Source File: 00000000.00000002.276906058.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d0000_SecuriteInfo.jbxd

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: b1330556e9f9136e334add79b05e0aace6cdb9e1df1cd16d236ca6a81f96ce02
Instruction ID: e87844ec72d4a1d8e8d656c4c9fb3e4e2df754e7f21263d116ba97c0ad708cb5
Opcode Fuzzy Hash: b1330556e9f9136e334add79b05e0aace6cdb9e1df1cd16d236ca6a81f96ce02
Instruction Fuzzy Hash: 6631CBB4D052189FDB14CFA9E984AEEFBB5BF49314F10942AE405B7300CB74A946CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 010DA328 Relevance: 1.6, APIs: 1, Instructions: 85threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 010DA3AE

Memory Dump Source

Source File: 00000000.00000002.276906058.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d0000_SecuriteInfo.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 998398d900673933ceea7f7c897bca5cb4fa0901383ece571372a9f7fd018c35
Instruction ID: 9121d52ba1e738650b0e401b40fdf1a6b5305935b83a9c4427c5825b5349b415
Opcode Fuzzy Hash: 998398d900673933ceea7f7c897bca5cb4fa0901383ece571372a9f7fd018c35
Instruction Fuzzy Hash: ED31EDB4D042089FCB14CFA9D884AAEFBB1AB48314F14802AE915B7310DB34A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 010DA330 Relevance: 1.6, APIs: 1, Instructions: 73threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 010DA3AE

Memory Dump Source

Source File: 00000000.00000002.276906058.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d0000_SecuriteInfo.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 9af70b4c8a79e8a75af9fce481c5c2a4b1335f815904e3cdb14d257996545c70
Instruction ID: 11584e08dbec71b1510c06c2e2b22d0fb9fa810e8e14b1512e2527a3e5a92080
Opcode Fuzzy Hash: 9af70b4c8a79e8a75af9fce481c5c2a4b1335f815904e3cdb14d257996545c70
Instruction Fuzzy Hash: 4331CAB4D042589FCF10CFA9D884AEEFBB5AF48324F14942AE915B7300CB74A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 010DD0B0 Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 010DF1A6

Memory Dump Source

Source File: 00000000.00000002.276906058.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d0000_SecuriteInfo.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: cac7913f37d754ec48e073c95422f3d401125ab62e8d0d55b4d6416e7ab1ee52
Instruction ID: fafadd1c6f26840bce2c59001fe398c71092ddb5b28d1ea7e106878809fedf8b
Opcode Fuzzy Hash: cac7913f37d754ec48e073c95422f3d401125ab62e8d0d55b4d6416e7ab1ee52
Instruction Fuzzy Hash: 3531CCB8D042099FCB10CFA9D884ADEFBF4EB49324F14906AE915B7300D734A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 010D9A40 Relevance: 1.5, Strings: 1, Instructions: 243COMMON

Download Yara Rule

Strings

|@m6, xrefs: 010D9C56

Memory Dump Source

Source File: 00000000.00000002.276906058.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: |@m6
API String ID: 0-1876872587
Opcode ID: ed421ed9ed3e39032bb2d731ebbfcd21e468768eb450134ed95dcf10c5a50bff
Instruction ID: 88052dbfcc01f838d2649604f4b8208eb3223bc50a8f028321c70d164e890e68
Opcode Fuzzy Hash: ed421ed9ed3e39032bb2d731ebbfcd21e468768eb450134ed95dcf10c5a50bff
Instruction Fuzzy Hash: 26A19B70D0421A9FCF00CFA9CA805AEFBF2FF89314F148659C995AB255D7349A41CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 010D9A30 Relevance: 1.5, Strings: 1, Instructions: 242COMMON

Download Yara Rule

Strings

|@m6, xrefs: 010D9C56

Memory Dump Source

Source File: 00000000.00000002.276906058.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: |@m6
API String ID: 0-1876872587
Opcode ID: 58750f8467df2e5070151f632e2d6e13fdc789b092408a3ec226a2426c63dd79
Instruction ID: 3f8aca8c685ccda18b3361af00eb196443c3a628d7cdc10e32c3a22c7f8e81c8
Opcode Fuzzy Hash: 58750f8467df2e5070151f632e2d6e13fdc789b092408a3ec226a2426c63dd79
Instruction Fuzzy Hash: EFA1B071D0421A8FCF00CFA9CA805AEFBF2FF89314F148259C595EB255D7349A01CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 010D5F79 Relevance: 1.4, Strings: 1, Instructions: 102COMMON

Download Yara Rule

Strings

hS, xrefs: 010D5FE1

Memory Dump Source

Source File: 00000000.00000002.276906058.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: hS
API String ID: 0-4127065202
Opcode ID: cc4b02788ffb84c17e0ac0157e13424a6aadb139aeb6da4781b6985132deff9e
Instruction ID: 11b15d358e8214df26f18e059cd1534d42f853269bd00bb3706441de8febed68
Opcode Fuzzy Hash: cc4b02788ffb84c17e0ac0157e13424a6aadb139aeb6da4781b6985132deff9e
Instruction Fuzzy Hash: 654107B1E0460A9FDB04CFAAC8815AEFBF2BF88300F24C06AD955B7254E7349A41CF54

Uniqueness

Uniqueness Score: -1.00%

Function 010D5F88 Relevance: 1.4, Strings: 1, Instructions: 101COMMON

Download Yara Rule

Strings

hS, xrefs: 010D5FE1

Memory Dump Source

Source File: 00000000.00000002.276906058.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: hS
API String ID: 0-4127065202
Opcode ID: 8c08c6adf0b71cd6889b60e35feac8ca7a92e2b0024a83fc00035f4c5db81565
Instruction ID: ccf193af35bf674953193aef7933d68928bb998e5fdb77fa2f07f4c994d156ac
Opcode Fuzzy Hash: 8c08c6adf0b71cd6889b60e35feac8ca7a92e2b0024a83fc00035f4c5db81565
Instruction Fuzzy Hash: 9E41D6B0E0460A9FDB44CFAAC8815AEFBF2BF88300F24C06AD955B7254D7359A41CF54

Uniqueness

Uniqueness Score: -1.00%

Function 010D65B8 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276906058.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10941a69f8d0c3b334ad12f054484d7b1634d6baab7ccf949a798abd3e3c181a
Instruction ID: 9bb0e06fadefbcfa4c404a0132c208cce12ed50aff377c35d3d81019417369cc
Opcode Fuzzy Hash: 10941a69f8d0c3b334ad12f054484d7b1634d6baab7ccf949a798abd3e3c181a
Instruction Fuzzy Hash: 62817370A082699BCB44DF9AD9C049DFBB3FFC9304B28C659C1599B21AD735E842CF90

Uniqueness

Uniqueness Score: -1.00%

Function 010D65A9 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276906058.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d1a662a18ed64af8c0879b981f929be77aa1dd8866f4e7100e5cae56f240a70
Instruction ID: 6e02a4b1a4cb9e5243bc887d17bb87d904271de571939af4c4deae010b0b2505
Opcode Fuzzy Hash: 6d1a662a18ed64af8c0879b981f929be77aa1dd8866f4e7100e5cae56f240a70
Instruction Fuzzy Hash: A071A670A081699BDB44DFA9D9C049DFFB3BFC9304B28C659C1599B21AD735D842CF90

Uniqueness

Uniqueness Score: -1.00%

Function 010D6190 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276906058.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf0679bbc78d6ab7afd81a3003c0a4e0f23a1b7f619c1d7f78ca052769ed15ad
Instruction ID: 157476bad0dbc568830f983c778d6d48d5a87d62a4848db923839a0de556fa95
Opcode Fuzzy Hash: cf0679bbc78d6ab7afd81a3003c0a4e0f23a1b7f619c1d7f78ca052769ed15ad
Instruction Fuzzy Hash: 7471F6B4E15219CFCB04CFA9D9904EEFBF2FF88214F28942AE445BB215D7359A41CB64

Uniqueness

Uniqueness Score: -1.00%

Function 010D6180 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276906058.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bbb395e5ba7425b602428e929d17baf43944ba097736836db234eea96b35cb9
Instruction ID: 0e3b2fbcde13f883db13e77972b3ba00ba8a43defc3a098cfe2d6f4ae26335dc
Opcode Fuzzy Hash: 6bbb395e5ba7425b602428e929d17baf43944ba097736836db234eea96b35cb9
Instruction Fuzzy Hash: E1610674E152198FCB04CFA9C9904EEFBF2FF88210F28D46AE445BB215D3359A01CB64

Uniqueness

Uniqueness Score: -1.00%

Function 010D5BC8 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276906058.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d9781ed8baeb83735e739faee7ead616807f0830b278247c93ba76c71e957f8
Instruction ID: 7137cae55bc30fdd7f93caccc2858423c74b711076e01807a49dcef812439444
Opcode Fuzzy Hash: 4d9781ed8baeb83735e739faee7ead616807f0830b278247c93ba76c71e957f8
Instruction Fuzzy Hash: 136127B0E0420E9FCB04CFA9C9819EEFBB2EF89300F14916AD955A7254D7349682CF94

Uniqueness

Uniqueness Score: -1.00%

Function 010D5BB9 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276906058.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8077c1457a85ea36962f60045d4ad189f9aa8c1118d07d596affc758e7ea5309
Instruction ID: 8ef5d53e30b7163e6e3abfda74ea7f9158761c8c3e227ec5f2177b96dab49c40
Opcode Fuzzy Hash: 8077c1457a85ea36962f60045d4ad189f9aa8c1118d07d596affc758e7ea5309
Instruction Fuzzy Hash: 25614AB0E1420E9FCB04CFA9C9819EEFBB2FF88300F14955AD955A7654E7349682CF90

Uniqueness

Uniqueness Score: -1.00%

Function 010DD08C Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276906058.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9affcf65d87bc4d37cae2203860a7a428e367defb5475081ec2500ae3a3c7452
Instruction ID: ea5f22ac4cb99ff93b1754d51fd3f9edb8f889636be999535f1f834478e1056c
Opcode Fuzzy Hash: 9affcf65d87bc4d37cae2203860a7a428e367defb5475081ec2500ae3a3c7452
Instruction Fuzzy Hash: 2B51FDB0D043188FDB24CFA9D884BAEFBF1BF49304F14816AE455AB291DB749885CF81

Uniqueness

Uniqueness Score: -1.00%

Function 010DD0A4 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276906058.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 207986a70f91e58ecc9c0458f5b531bdd2dae8005502d5a3a5a58505f02f4409
Instruction ID: 47ba4ad58181161ace7400de32cc35bd088be5f2e949299143d820fb613e70db
Opcode Fuzzy Hash: 207986a70f91e58ecc9c0458f5b531bdd2dae8005502d5a3a5a58505f02f4409
Instruction Fuzzy Hash: CA51FDB0D043288FDB24CFA9D884B9EBBF1BF49304F24816AE555BB290DB749845CF85

Uniqueness

Uniqueness Score: -1.00%

Function 010DD0BC Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276906058.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a46c1902f1d27ddc4ea148b4cbb0a3d3758b377185873e7c9a5b251e2add5d8
Instruction ID: 68ff3787684426dafe2b29d0ae0d1b525e4408c8e7cb6c9caa176c72327cf5fe
Opcode Fuzzy Hash: 6a46c1902f1d27ddc4ea148b4cbb0a3d3758b377185873e7c9a5b251e2add5d8
Instruction Fuzzy Hash: BD51EFB4D043199FDB24CFA9D884BADBBF1BB49308F14812AE456AB250DB749846CF45

Uniqueness

Uniqueness Score: -1.00%

Function 010D83B3 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276906058.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90064c6199cd8c949a1b09cdcee4532f68296d374ff8701e6477fcdaa662974d
Instruction ID: ba92bf304a9d9ab453df661f9795ad82d1cdb3c3a7c779af60334cd78bce07b8
Opcode Fuzzy Hash: 90064c6199cd8c949a1b09cdcee4532f68296d374ff8701e6477fcdaa662974d
Instruction Fuzzy Hash: 804117B1E056588BDB59CF6B9D542DEBBF3AFC9300F14C1AAC448AA265EF3149428F41

Uniqueness

Uniqueness Score: -1.00%

Function 010D6408 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276906058.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30576d0f88bd4039c971c908da8d0cb0806cdf8d6874107ff78b78d17473eff0
Instruction ID: 8db67b42c0667d301d8f202a4b7a180c7e1691f44054ba85ecf69e0a614c1333
Opcode Fuzzy Hash: 30576d0f88bd4039c971c908da8d0cb0806cdf8d6874107ff78b78d17473eff0
Instruction Fuzzy Hash: BA41A4B4E0560ADFCB48CFA9C5805EEFBF2FB88310F24C56AC559A7214DB359A41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 010D6B59 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276906058.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58a92c241b604aa94278a65ac61907867a64db1d0772f96a8f3d5de02fc660f8
Instruction ID: 7649add5f55fd53e4071df6a9ec94d36ecab4f6762226d77c54d76ef9a475f24
Opcode Fuzzy Hash: 58a92c241b604aa94278a65ac61907867a64db1d0772f96a8f3d5de02fc660f8
Instruction Fuzzy Hash: B84157B5E043188FDB08CFAAE944A9DFBF2EF89314F14C46AD544AB261E7359842CF10

Uniqueness

Uniqueness Score: -1.00%

Function 010D63FB Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276906058.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b28d89f07cb5c2a750e927efb87cd8128ecb3113272eeeb4c88f7ce7ddd0363
Instruction ID: 42c3c56aec2b47bed95d6218e38576f5bd055fc5afe92e7fa7081ab28950ba62
Opcode Fuzzy Hash: 6b28d89f07cb5c2a750e927efb87cd8128ecb3113272eeeb4c88f7ce7ddd0363
Instruction Fuzzy Hash: DE41D7B4E0560ADFCB44CFA9C5805AEFBF2FF88310F14C16AC559A7254DB359A41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 010D8408 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276906058.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d178cca9f01f750bcf47963b8dd453e318ec662a22e91cf3e340dc9d918692cc
Instruction ID: 4962bf6f67f4c2d4a0ebdbf17dd0ab403729da051959ab2cafa7dd8745834ea2
Opcode Fuzzy Hash: d178cca9f01f750bcf47963b8dd453e318ec662a22e91cf3e340dc9d918692cc
Instruction Fuzzy Hash: ED316A71E056289BDB68CF6BDD446CEFBF7AFC9304F14C1AA950CA6264DB3159818E40

Uniqueness

Uniqueness Score: -1.00%

Function 010D6BA8 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276906058.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac2370899945bd0e5a5a912991db70583014147cd3ee7a4c6bb3a45fbd28f9e9
Instruction ID: 743eb924593abf4e9fdb4ba57e4e0c47a6fdf07b783e763ab3612b44a1ad7e03
Opcode Fuzzy Hash: ac2370899945bd0e5a5a912991db70583014147cd3ee7a4c6bb3a45fbd28f9e9
Instruction Fuzzy Hash: 4A311374E002189BDB18CFAAE844ADEBBF2FF88310F14C16AD548AB314DB345942CF50

Uniqueness

Uniqueness Score: -1.00%

Function 010D83F8 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276906058.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aed92ca54eec9977dec2e7611a364c1d4eed4bf7abaf5724cb2331ad9d403711
Instruction ID: 656796d473c6fd2645fba0aae64370bdf754ae3838edd220250851500d595f33
Opcode Fuzzy Hash: aed92ca54eec9977dec2e7611a364c1d4eed4bf7abaf5724cb2331ad9d403711
Instruction Fuzzy Hash: 2C31AD71E056588BDB5DCF6B8D442CEFBF3AFC9300F14C1BA944CAA265EB3149428E40

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: cvtres.exePID: 6452, Parent PID: 6408COMMON

Execution Graph

Execution Coverage:	11%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0.7%
Total number of Nodes:	414
Total number of Limit Nodes:	28

Executed Functions

Function 0A805860 Relevance: 1.6, APIs: 1, Instructions: 148
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 0A8058C1

Memory Dump Source

Source File: 00000001.00000002.542513710.000000000A800000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a800000_cvtres.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c78292266cfb33b2188a2a0ff360183bc74a4a351619c152581f9d0674cefd00
Instruction ID: adfe6b56382c78744134a4a3b928aa7ac7f5fe7924b0ff463d652c1c88cb25c9
Opcode Fuzzy Hash: c78292266cfb33b2188a2a0ff360183bc74a4a351619c152581f9d0674cefd00
Instruction Fuzzy Hash: 9F51A271B102099FCB54EBB4D894AAEB7B6EF88304F04C929E512DB391DF31D8058BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0AB32AA8 Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

SetWindowsHookExW.USER32(0000000D,00000000,?,?), ref: 0AB336FB

Memory Dump Source

Source File: 00000001.00000002.542636079.000000000AB30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AB30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ab30000_cvtres.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 2fb894545352f3ff82de3da0d348e202ffeb73d60d44cb308239fcf0904da973
Instruction ID: b0bcdb456b6f154ef6af95b7aa4c272fbe29a28f60ca896b0396fcb0a6ec5d11
Opcode Fuzzy Hash: 2fb894545352f3ff82de3da0d348e202ffeb73d60d44cb308239fcf0904da973
Instruction Fuzzy Hash: 872115B29042089FCB50DFAAD944BEFFBF5EB88314F14842AE415AB350C774A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0AB30798 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 0AB30859

Strings

(s, xrefs: 0AB30844

Memory Dump Source

Source File: 00000001.00000002.542636079.000000000AB30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AB30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ab30000_cvtres.jbxd

Similarity

API ID: CallProcWindow
String ID: (s
API String ID: 2714655100-98621416
Opcode ID: cbbfd0ef2893b9e752c5be9404ed5af9927e7e5e6d5bd4719385dd4602014fb5
Instruction ID: 949662ffb6298056a4b3bb5526fde811a20dfef265823c18dc145a547674e9a9
Opcode Fuzzy Hash: cbbfd0ef2893b9e752c5be9404ed5af9927e7e5e6d5bd4719385dd4602014fb5
Instruction Fuzzy Hash: 7A414AB5900305CFCB54DF99C488AAABBF5FF88314F15C499E519AB721D374A841CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0A9EDBF0 Relevance: 1.8, APIs: 1, Instructions: 300
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.542578988.000000000A9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A9E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a9e0000_cvtres.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: bea40fb2ac4084299aa7d5ad7adc64ece3795c218c1a1d9d15efa6a443bfad15
Instruction ID: 1683dd2797ede5d331de8c731b2e3c39645652b711c46277320eba40db87bfdf
Opcode Fuzzy Hash: bea40fb2ac4084299aa7d5ad7adc64ece3795c218c1a1d9d15efa6a443bfad15
Instruction Fuzzy Hash: 8BB18A70B047059FCB55DF78C8946AEBBF6EF89204B00892DD50ADB752DB34E905CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0A805850 Relevance: 1.6, APIs: 1, Instructions: 146
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 0A8058C1

Memory Dump Source

Source File: 00000001.00000002.542513710.000000000A800000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a800000_cvtres.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 15165f1d9d1457c42dbd64f55ecb8276b41c6e8e6522308983ccd19aa3ffa26f
Instruction ID: 2fbb5a97a7d4daf254ca2b719caeabc98fb2f775b08715a953fe2c1f03f143aa
Opcode Fuzzy Hash: 15165f1d9d1457c42dbd64f55ecb8276b41c6e8e6522308983ccd19aa3ffa26f
Instruction Fuzzy Hash: 4D519371B102099FCB54EBB4D884AAEB7F6EF84704F108929E512DB791DF31D9058BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0A9ED2C8 Relevance: 1.6, APIs: 1, Instructions: 141
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0A9EF022

Memory Dump Source

Source File: 00000001.00000002.542578988.000000000A9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A9E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a9e0000_cvtres.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: ae597e7e9a9e6d7df5cd4cb12f14d6e7107d66b9dbb1f783f21bd8f78f8ddb38
Instruction ID: ec0b134c510c42d56735ec2b583f57973bd18f8593940eefec5c096d846f2e32
Opcode Fuzzy Hash: ae597e7e9a9e6d7df5cd4cb12f14d6e7107d66b9dbb1f783f21bd8f78f8ddb38
Instruction Fuzzy Hash: 1A5120B1D04348AFCB11CFA9C884ADEBFB5FF89304F14852AE415AB212D774A845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0533E16C Relevance: 1.6, Strings: 1, Instructions: 384COMMON

Download Yara Rule

Strings

sT, xrefs: 0533E180

Memory Dump Source

Source File: 00000001.00000002.539230230.000000000533D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0533D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_533d000_cvtres.jbxd

Similarity

API ID:
String ID: sT
API String ID: 0-2777335765
Opcode ID: afd541d6ce13a57c0d736c834b716e24ff29f2382751e98ebba801d6e9810065
Instruction ID: faa4071dcf52d7597d8b676c04e39a1b9787952ca325d7efd22d742eb2824f71
Opcode Fuzzy Hash: afd541d6ce13a57c0d736c834b716e24ff29f2382751e98ebba801d6e9810065
Instruction Fuzzy Hash: F6919B3551F3C06FD703AB308C66A927FB6AB43221B0981D7E084CF0A3E6695959D7B2

Uniqueness

Uniqueness Score: -1.00%

Function 0A9EBA60 Relevance: 1.6, APIs: 1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.542578988.000000000A9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A9E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a9e0000_cvtres.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac005626a3c89c4a0acf844f11f018b22c92e5ac2e402b3e98887537be069785
Instruction ID: 6106c4efd4e43e5a03a00d66cbf9e4a1fea4b975288dd70f74db79d2cdac1850
Opcode Fuzzy Hash: ac005626a3c89c4a0acf844f11f018b22c92e5ac2e402b3e98887537be069785
Instruction Fuzzy Hash: FE415471E087898FCB01DFB9C8542EEFBF6AFCA210F05856AC444A7251DB389845CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0A9EEF04 Relevance: 1.6, APIs: 1, Instructions: 119COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0A9EF022

Memory Dump Source

Source File: 00000001.00000002.542578988.000000000A9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A9E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a9e0000_cvtres.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: aeb0b585c6ecca54a7fc600484cc166aa7b2cd6aec298b05e0ec1bef41f8c245
Instruction ID: b9934b3ac284dfe29aed0f075c2680d79fd471eb27b1ad13c6897bbdd25e9480
Opcode Fuzzy Hash: aeb0b585c6ecca54a7fc600484cc166aa7b2cd6aec298b05e0ec1bef41f8c245
Instruction Fuzzy Hash: F451D0B1D00348AFDF15CFA9C884ADEBFB5BF88314F24852AE415AB211D7719845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0A9ED304 Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0A9EF022

Memory Dump Source

Source File: 00000001.00000002.542578988.000000000A9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A9E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a9e0000_cvtres.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 5ba6738bc62bba470a344e01a1683aa5d6c09ae4d7f3fc0db5f62702737d92f4
Instruction ID: caa33d87d7dea9ab80aaf32cd4fceb21d882219ae92d1acf7762c6a18e63bf6b
Opcode Fuzzy Hash: 5ba6738bc62bba470a344e01a1683aa5d6c09ae4d7f3fc0db5f62702737d92f4
Instruction Fuzzy Hash: 5951C0B1D00309AFDB15CFA9C884ADEBBB5BF88314F24852AE819AB211D7749845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0AB3166C Relevance: 1.6, APIs: 1, Instructions: 94comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 0AB31700

Memory Dump Source

Source File: 00000001.00000002.542636079.000000000AB30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AB30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ab30000_cvtres.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 2e7be632f529289851f4d6b219a204525945d7da381493280eff628efe56ec6d
Instruction ID: 790ce52843fbf2be7d21bff8d69d2d35eb6eefa186bf766c829b510114d08018
Opcode Fuzzy Hash: 2e7be632f529289851f4d6b219a204525945d7da381493280eff628efe56ec6d
Instruction Fuzzy Hash: E03158B1A10208DFDF14CFA9D884BEEBBF5EF88318F144569D504AB291DB749845CF51

Uniqueness

Uniqueness Score: -1.00%

Function 06F6C8E4 Relevance: 1.6, APIs: 1, Instructions: 90libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?), ref: 06F6C9BA

Memory Dump Source

Source File: 00000001.00000002.539439119.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6f60000_cvtres.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 781559d3d8005dc840c8c6958b75d9144b11515d4a643c0db589fdc65189bc21
Instruction ID: b39eb34309aa2847e03771f82dd6cc0ba94c7c018386709154bcedb197311819
Opcode Fuzzy Hash: 781559d3d8005dc840c8c6958b75d9144b11515d4a643c0db589fdc65189bc21
Instruction Fuzzy Hash: AD3144B1D002489FDB64CFAAC88579EBFB1FF09718F10852AE896A7384D7749485CF91

Uniqueness

Uniqueness Score: -1.00%

Function 06F69DC0 Relevance: 1.6, APIs: 1, Instructions: 89libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?), ref: 06F6C9BA

Memory Dump Source

Source File: 00000001.00000002.539439119.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6f60000_cvtres.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 05599ca15b33d718bba06e7f751491e22a6ca62a85c5a405cee7fde7090f2af5
Instruction ID: c4194cfe184610fe00117cb5352ceda41af2dcf9f9f9625ac2d4e342b728307c
Opcode Fuzzy Hash: 05599ca15b33d718bba06e7f751491e22a6ca62a85c5a405cee7fde7090f2af5
Instruction Fuzzy Hash: 493153B1D002499FDB64DFAAC88579EBFF1FB08318F10852AE896A7380D7749445CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0AB310B8 Relevance: 1.6, APIs: 1, Instructions: 74comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 0AB31700

Memory Dump Source

Source File: 00000001.00000002.542636079.000000000AB30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AB30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ab30000_cvtres.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: b672c3f8aad7445443564ad5724b47ca69127cafc43da73aacc7bd3710e071c4
Instruction ID: f07a40735652c9986859b1b45dd2aa417de9093d3fb99db26d5a9ef3285f4cce
Opcode Fuzzy Hash: b672c3f8aad7445443564ad5724b47ca69127cafc43da73aacc7bd3710e071c4
Instruction Fuzzy Hash: 603105B1900208DFDB10CF99D984BEEBBF9EB48318F148169E504BB391D7B4A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0A9EDF00 Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0A9EDF96

Memory Dump Source

Source File: 00000001.00000002.542578988.000000000A9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A9E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a9e0000_cvtres.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 33e989e54ed51e983ae568b55727f31c0f647662339bc116d54c20adf4446866
Instruction ID: be03796e92f21f8d3618dbf2bb3291fe4b53450c3b1fa734243c64fa7c502bcf
Opcode Fuzzy Hash: 33e989e54ed51e983ae568b55727f31c0f647662339bc116d54c20adf4446866
Instruction Fuzzy Hash: AB21AEB19093948FCB12CFA9C4447CEBFB0AF46214F19849ED455AB652C3396446CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0A80FB02 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0A80FACE,?,?,?,?,?), ref: 0A80FB8F

Memory Dump Source

Source File: 00000001.00000002.542513710.000000000A800000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a800000_cvtres.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 1d412e1211d9b8b6d6c0520a1fb1b79169cdb2c96d9e3830dfdbe2001fcd4118
Instruction ID: a82497a37a42158000d8ae3e0d35bf234d6e6a2b3f873ca193e7df71dd28afb2
Opcode Fuzzy Hash: 1d412e1211d9b8b6d6c0520a1fb1b79169cdb2c96d9e3830dfdbe2001fcd4118
Instruction Fuzzy Hash: 7A21E0B5D01249AFDB10CFA9D884AEEBFF8EB48324F14841AE955A7350D378A945CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0A80F4A8 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0A80FACE,?,?,?,?,?), ref: 0A80FB8F

Memory Dump Source

Source File: 00000001.00000002.542513710.000000000A800000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a800000_cvtres.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e43916ae0081fa2558a3e2725dc97a48e69c27dcd273ea55e52b46059e146ee6
Instruction ID: ba9f2df6b08a9fa80cc92ddb4582eb3617ab170611c4900924cc817cf0f549f8
Opcode Fuzzy Hash: e43916ae0081fa2558a3e2725dc97a48e69c27dcd273ea55e52b46059e146ee6
Instruction Fuzzy Hash: 4C21F8B5904209EFDB10CFA9D884ADEBBF8FB48324F14841AEA54B7350D374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0A9EBBE1 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,0A9EBAB2), ref: 0A9EBB9F

Memory Dump Source

Source File: 00000001.00000002.542578988.000000000A9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A9E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a9e0000_cvtres.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: dbe6be3e37a010a939e539f3343ae48dd6cd05903c3ea8f96dbaac3e3ee2579c
Instruction ID: 8c57e2ec2d3f708e47807a2fdb75c4c099daaa8b92f280270a164ccb1d848d16
Opcode Fuzzy Hash: dbe6be3e37a010a939e539f3343ae48dd6cd05903c3ea8f96dbaac3e3ee2579c
Instruction Fuzzy Hash: 4311BB31E056599FCF61CFA894053EEBBB0EF49320F0985AAC858A7243D3385550CFD1

Uniqueness

Uniqueness Score: -1.00%

Function 0AB33678 Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

SetWindowsHookExW.USER32(0000000D,00000000,?,?), ref: 0AB336FB

Memory Dump Source

Source File: 00000001.00000002.542636079.000000000AB30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AB30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ab30000_cvtres.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 9bf094026690eefeb881bef46fbea1d654432d5f0e05726570d7c8b0347e4f8a
Instruction ID: ed57695107d88dab94e020e9bd110bf9b74e43d6eaf055976adb14582674940f
Opcode Fuzzy Hash: 9bf094026690eefeb881bef46fbea1d654432d5f0e05726570d7c8b0347e4f8a
Instruction Fuzzy Hash: C22137B2D042089FCB54DFA9D984BEFBBF5EB88314F148429E415A7250C774A945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0A9EBB31 Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,0A9EBAB2), ref: 0A9EBB9F

Memory Dump Source

Source File: 00000001.00000002.542578988.000000000A9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A9E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a9e0000_cvtres.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: b70513a670e409ee66ae20db8d25c2c54f520a978a48fe625a27f715e3f6ac52
Instruction ID: 29d988ef0528d52672931cd0acf02ccd21fddc1b2bdc7a5c69873fa16a7c9f8b
Opcode Fuzzy Hash: b70513a670e409ee66ae20db8d25c2c54f520a978a48fe625a27f715e3f6ac52
Instruction Fuzzy Hash: BE1103B1C006599FCB10CFAAD4847EEFBF4AF48324F15856AD914A7241D378A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0A9EA124 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,0A9EBAB2), ref: 0A9EBB9F

Memory Dump Source

Source File: 00000001.00000002.542578988.000000000A9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A9E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a9e0000_cvtres.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: c7beb24fd62ff3007b52ccc1829f5e6be6c02a6dcc5d4801e2027f5ee3adbf74
Instruction ID: 5a0d54f51e2ce96c9b0b593fbfac71e3ff63c8fc298a6a61160d1c1eafc16bb7
Opcode Fuzzy Hash: c7beb24fd62ff3007b52ccc1829f5e6be6c02a6dcc5d4801e2027f5ee3adbf74
Instruction Fuzzy Hash: 521114B1D046199BCB10DFAAC844BDEFBF8EB48224F05856AE914B7241D378A945CFE1

Uniqueness

Uniqueness Score: -1.00%

Function 0AB3B478 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,00000000,?,0AB3C449,00000800), ref: 0AB3C4DA

Memory Dump Source

Source File: 00000001.00000002.542636079.000000000AB30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AB30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ab30000_cvtres.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 4ed992301387c96b889a5821ce5a53807bd267c3eda0b9ef59a7f6c1dafe53bb
Instruction ID: 671805e9e93936e817e4576bb146f7d49343bad8f8d7612fa9b99cb7eebbb2e4
Opcode Fuzzy Hash: 4ed992301387c96b889a5821ce5a53807bd267c3eda0b9ef59a7f6c1dafe53bb
Instruction Fuzzy Hash: 5E1106B69002099FDB10DFAAC444BAEBBF4EB89314F15846AE515B7200C374A549CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06F64CC8 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 06F64D42

Memory Dump Source

Source File: 00000001.00000002.539439119.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6f60000_cvtres.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: ba9f54b33884199d3e5ee1c6270502a157faf6719d184a400927bc93985012e6
Instruction ID: bfeeaf9fd87416ab9702519978dbb2dd5bbd737d97422601910dec41e323fe8e
Opcode Fuzzy Hash: ba9f54b33884199d3e5ee1c6270502a157faf6719d184a400927bc93985012e6
Instruction Fuzzy Hash: 0C116A71D003458FDBA0EFA9D94879EBBF4EB45314F10C429E505A7640D778A544CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0AB3C469 Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,00000000,?,0AB3C449,00000800), ref: 0AB3C4DA

Memory Dump Source

Source File: 00000001.00000002.542636079.000000000AB30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AB30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ab30000_cvtres.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 3de1a337e8281be08d749491282afbf017adb8ebd663dc80e086f3346b2662e3
Instruction ID: 7e446f1280723269199e0727621f8c7dea518f36eaec8641a4dd39b711185376
Opcode Fuzzy Hash: 3de1a337e8281be08d749491282afbf017adb8ebd663dc80e086f3346b2662e3
Instruction Fuzzy Hash: A01147B28002489FCB10CFE9C444BDEBBF4EB89324F05846AE515B7200C374A549CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0A9ED22C Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0A9EDF96

Memory Dump Source

Source File: 00000001.00000002.542578988.000000000A9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A9E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a9e0000_cvtres.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: ea6ce26536772dbe5648c168f04d843fbf5f927f185e62a27e054b2db830f656
Instruction ID: b9b828e5d80a69931e43634b88bf4bd2a66ddded2f4b1ba8a9a6d447f08387c2
Opcode Fuzzy Hash: ea6ce26536772dbe5648c168f04d843fbf5f927f185e62a27e054b2db830f656
Instruction Fuzzy Hash: C111F0B5D106598FCB20DF9AC444BDEBBF8EF88224F11882AE919A7201D375A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0AB30BA0 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL ref: 0AB30BFF

Memory Dump Source

Source File: 00000001.00000002.542636079.000000000AB30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AB30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ab30000_cvtres.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: d1e4a7d1cb919f3d8cefba032d439949ac26e286e9607e01db2213b707de3988
Instruction ID: fb2fcc8aeaa17ecf54547994b4b5f92ad5e5400870a82a4728c93d2d3cbc64cb
Opcode Fuzzy Hash: d1e4a7d1cb919f3d8cefba032d439949ac26e286e9607e01db2213b707de3988
Instruction Fuzzy Hash: 981115B19002088FCB10DFAAD488BDEFBF8EF88328F15845AD519A7300D774A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0AB31530 Relevance: 1.5, APIs: 1, Instructions: 43comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32 ref: 0AB31585

Memory Dump Source

Source File: 00000001.00000002.542636079.000000000AB30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AB30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ab30000_cvtres.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: ae59bf95936c91c06ec56141e1dd9bf4a0cf677925e5a5020eaae7f58d07d4eb
Instruction ID: 25124c9f8ce6f3ab34c90eeb450be7b4800a26ebbcfc8f7fb1cfa9fcb85077a5
Opcode Fuzzy Hash: ae59bf95936c91c06ec56141e1dd9bf4a0cf677925e5a5020eaae7f58d07d4eb
Instruction Fuzzy Hash: 461105B19007488FCB20DFA9D488BDEFBF8EB48324F15855AE519A7700D378A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0533E3DC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.539230230.000000000533D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0533D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_533d000_cvtres.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: feef42ecdafe14c93a3bb14ccec189847ea147624305ace132ce1f80a9bdd695
Instruction ID: f527b7b1bd417ec4937879436ebd73706c734a42c5e0212d0be3253fe023fc2e
Opcode Fuzzy Hash: feef42ecdafe14c93a3bb14ccec189847ea147624305ace132ce1f80a9bdd695
Instruction Fuzzy Hash: C82104B5508244EFDB00DF10D5C1B26BB6AFB88324F24C96DE9494B346C37BD856DBA1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.19730

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe.log

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Windows Analysis Report
SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.19730

Function 010D3E90 Relevance: 2.8, Strings: 2, Instructions: 349
COMMON

Function 010D3F78 Relevance: 2.8, Strings: 2, Instructions: 302
COMMON

Function 010D1DE0 Relevance: 2.8, Strings: 2, Instructions: 277
COMMON

Function 010D1E80 Relevance: 2.7, Strings: 2, Instructions: 245
COMMON

Function 010DD3E8 Relevance: 1.8, Strings: 1, Instructions: 528
COMMON

Function 010DA9E5 Relevance: 1.8, APIs: 1, Instructions: 327
processCOMMON

Function 010DA9F0 Relevance: 1.8, APIs: 1, Instructions: 321
processCOMMON

Function 010DA660 Relevance: 1.6, APIs: 1, Instructions: 118
injectionCOMMON

Function 010DA668 Relevance: 1.6, APIs: 1, Instructions: 116
injectionCOMMON

Function 010DA7B8 Relevance: 1.6, APIs: 1, Instructions: 109
COMMON

Function 010DA7C0 Relevance: 1.6, APIs: 1, Instructions: 106
COMMON

Function 010DA540 Relevance: 1.6, APIs: 1, Instructions: 104
memoryCOMMON

Function 010DA548 Relevance: 1.6, APIs: 1, Instructions: 101
memoryCOMMON

Function 010DA418 Relevance: 1.6, APIs: 1, Instructions: 98
threadinjectionCOMMON

Function 010DA420 Relevance: 1.6, APIs: 1, Instructions: 94
threadinjectionCOMMON

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre