Create Interactive Tour

Windows Analysis Report
sotema_7.txt.exe

Overview

General Information

Sample Name:	sotema_7.txt.exe
Analysis ID:	789378
MD5:	b0486bfc2e579b49b0cacee12c52469c
SHA1:	ac6eb40cc66eddd0589eb940e6a6ce06b00c7d30
SHA256:	9057ba81960258a882dee4335d947f499adabfc59bfd99e2b5f56b508a01fbe2
Tags:	exeRedLineStealer
Infos:

Detection

RedLine

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected RedLine Stealer

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected Generic Downloader

.NET source code contains very large strings

C2 URLs / IPs found in malware configuration

Uses an obfuscated file name to hide its real file extension (double extension)

Machine Learning detection for sample

Creates a DirectInput object (often for capturing keystrokes)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Sample file is different than original file name gathered from version info

May sleep (evasive loops) to hinder dynamic analysis

Detected TCP or UDP traffic on non-standard ports

Internet Provider seen in connection with other malware

Binary contains a suspicious time stamp

Detected potential crypto function

Yara detected Credential Stealer

Creates a process in suspended mode (likely to inject code)

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Classification

Process Tree

System is w10x64

sotema_7.txt.exe (PID: 5560 cmdline: C:\Users\user\Desktop\sotema_7.txt.exe MD5: B0486BFC2E579B49B0CACEE12C52469C)

conhost.exe (PID: 5536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

sotema_7.txt.exe (PID: 5136 cmdline: C:\Users\user\Desktop\sotema_7.txt.exe MD5: B0486BFC2E579B49B0CACEE12C52469C)

cleanup

Malware Configuration

Threatname: RedLine

{
  "C2 url": "87.251.71.195:82",
  "Bot Id": "ServAni"
}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
sotema_7.txt.exe	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x2d75:$v4_2: isWow64 0x39d9:$v4_4: stringKey 0x35c5:$v4_7: xoredString 0x335c:$v4_8: procName 0x31c8:$v4_9: base64EncodedData

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.514028611.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000002.00000002.514028611.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.514028611.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x1614c:$a2: https://ipinfo.io/ip%appdata%\ 0x1686c:$a3: Software\Valve\SteamLogin Data 0x1217d:$a4: get_ScannedWallets 0x1111f:$a5: get_ScanTelegram 0x11e06:$a6: get_ScanGeckoBrowsersPaths 0xfdc5:$a7: <Processes>k__BackingField 0xdd7e:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0xf6f9:$a9: <ScanFTP>k__BackingField
00000000.00000002.256621171.00000000040F5000.00000004.00000800.00020000.00000000.sdmp	SUSP_Double_Base64_Encoded_Executable	Detects an executable that has been encoded with base64 twice	Florian Roth	0x5a068:$: VFZxUUFBT
00000000.00000002.256621171.00000000040F5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.256621171.00000000040F5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.256621171.00000000040F5000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x12ee4c:$a2: https://ipinfo.io/ip%appdata%\ 0x12f56c:$a3: Software\Valve\SteamLogin Data 0x12ae7d:$a4: get_ScannedWallets 0x129e1f:$a5: get_ScanTelegram 0x12ab06:$a6: get_ScanGeckoBrowsersPaths 0x128ac5:$a7: <Processes>k__BackingField 0x126a7e:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1283f9:$a9: <ScanFTP>k__BackingField
Process Memory Space: sotema_7.txt.exe PID: 5560	SUSP_Double_Base64_Encoded_Executable	Detects an executable that has been encoded with base64 twice	Florian Roth	0x63cbd:$: VFZxUUFBT
Process Memory Space: sotema_7.txt.exe PID: 5560	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: sotema_7.txt.exe PID: 5560	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: sotema_7.txt.exe PID: 5560	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0xd89fd:$a4: get_ScannedWallets 0xd79e3:$a5: get_ScanTelegram 0xd868b:$a6: get_ScanGeckoBrowsersPaths 0xd66d5:$a7: <Processes>k__BackingField 0xd46c2:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0xd6009:$a9: <ScanFTP>k__BackingField
Process Memory Space: sotema_7.txt.exe PID: 5136	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: sotema_7.txt.exe PID: 5136	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: sotema_7.txt.exe PID: 5136	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x1d835:$a4: get_ScannedWallets 0x1c81b:$a5: get_ScanTelegram 0x1d4c3:$a6: get_ScanGeckoBrowsersPaths 0x1b50d:$a7: <Processes>k__BackingField 0x194fa:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1ae41:$a9: <ScanFTP>k__BackingField
Click to see the 9 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.sotema_7.txt.exe.420d900.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.sotema_7.txt.exe.420d900.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.sotema_7.txt.exe.420d900.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0xda4b:$u7: RunPE 0x10dd6:$u8: DownloadAndEx 0x15454:$pat14: , CommandLine: 0x1045b:$v2_1: ListOfProcesses 0xdc23:$v2_2: get_ScanVPN 0xdcc6:$v2_2: get_ScanFTP 0xe972:$v2_2: get_ScanDiscord 0xf903:$v2_2: get_ScanSteam 0xf91f:$v2_2: get_ScanTelegram 0xf9d4:$v2_2: get_ScanScreen 0x105ce:$v2_2: get_ScanChromeBrowsersPaths 0x10606:$v2_2: get_ScanGeckoBrowsersPaths 0x108cb:$v2_2: get_ScanBrowsers 0x1097d:$v2_2: get_ScannedWallets 0x109a3:$v2_2: get_ScanWallets 0x109c3:$v2_3: GetArguments 0x13b56:$v2_3: GetArguments 0xf1db:$v2_4: VerifyUpdate 0x13ba4:$v2_4: VerifyUpdate 0x10c6d:$v2_5: VerifyScanRequest 0x13b6f:$v2_5: VerifyScanRequest
0.2.sotema_7.txt.exe.420d900.0.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x1494c:$a2: https://ipinfo.io/ip%appdata%\ 0x1506c:$a3: Software\Valve\SteamLogin Data 0x1097d:$a4: get_ScannedWallets 0xf91f:$a5: get_ScanTelegram 0x10606:$a6: get_ScanGeckoBrowsersPaths 0xe5c5:$a7: <Processes>k__BackingField 0xc57e:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0xdef9:$a9: <ScanFTP>k__BackingField
0.2.sotema_7.txt.exe.420d900.0.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.sotema_7.txt.exe.420d900.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.sotema_7.txt.exe.420d900.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.sotema_7.txt.exe.420d900.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0xf64b:$u7: RunPE 0x129d6:$u8: DownloadAndEx 0x17054:$pat14: , CommandLine: 0x1205b:$v2_1: ListOfProcesses 0xf823:$v2_2: get_ScanVPN 0xf8c6:$v2_2: get_ScanFTP 0x10572:$v2_2: get_ScanDiscord 0x11503:$v2_2: get_ScanSteam 0x1151f:$v2_2: get_ScanTelegram 0x115d4:$v2_2: get_ScanScreen 0x121ce:$v2_2: get_ScanChromeBrowsersPaths 0x12206:$v2_2: get_ScanGeckoBrowsersPaths 0x124cb:$v2_2: get_ScanBrowsers 0x1257d:$v2_2: get_ScannedWallets 0x125a3:$v2_2: get_ScanWallets 0x125c3:$v2_3: GetArguments 0x15756:$v2_3: GetArguments 0x10ddb:$v2_4: VerifyUpdate 0x157a4:$v2_4: VerifyUpdate 0x1286d:$v2_5: VerifyScanRequest 0x1576f:$v2_5: VerifyScanRequest
0.2.sotema_7.txt.exe.420d900.0.raw.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x1654c:$a2: https://ipinfo.io/ip%appdata%\ 0x16c6c:$a3: Software\Valve\SteamLogin Data 0x1257d:$a4: get_ScannedWallets 0x1151f:$a5: get_ScanTelegram 0x12206:$a6: get_ScanGeckoBrowsersPaths 0x101c5:$a7: <Processes>k__BackingField 0xe17e:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0xfaf9:$a9: <ScanFTP>k__BackingField
2.2.sotema_7.txt.exe.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
2.2.sotema_7.txt.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.sotema_7.txt.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.sotema_7.txt.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0xf64b:$u7: RunPE 0x129d6:$u8: DownloadAndEx 0x17054:$pat14: , CommandLine: 0x1205b:$v2_1: ListOfProcesses 0xf823:$v2_2: get_ScanVPN 0xf8c6:$v2_2: get_ScanFTP 0x10572:$v2_2: get_ScanDiscord 0x11503:$v2_2: get_ScanSteam 0x1151f:$v2_2: get_ScanTelegram 0x115d4:$v2_2: get_ScanScreen 0x121ce:$v2_2: get_ScanChromeBrowsersPaths 0x12206:$v2_2: get_ScanGeckoBrowsersPaths 0x124cb:$v2_2: get_ScanBrowsers 0x1257d:$v2_2: get_ScannedWallets 0x125a3:$v2_2: get_ScanWallets 0x125c3:$v2_3: GetArguments 0x15756:$v2_3: GetArguments 0x10ddb:$v2_4: VerifyUpdate 0x157a4:$v2_4: VerifyUpdate 0x1286d:$v2_5: VerifyScanRequest 0x1576f:$v2_5: VerifyScanRequest
2.2.sotema_7.txt.exe.400000.0.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x1654c:$a2: https://ipinfo.io/ip%appdata%\ 0x16c6c:$a3: Software\Valve\SteamLogin Data 0x1257d:$a4: get_ScannedWallets 0x1151f:$a5: get_ScanTelegram 0x12206:$a6: get_ScanGeckoBrowsersPaths 0x101c5:$a7: <Processes>k__BackingField 0xe17e:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0xfaf9:$a9: <ScanFTP>k__BackingField
0.0.sotema_7.txt.exe.df0000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x2d75:$v4_2: isWow64 0x39d9:$v4_4: stringKey 0x35c5:$v4_7: xoredString 0x335c:$v4_8: procName 0x31c8:$v4_9: base64EncodedData
Click to see the 10 entries

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

• AV Detection
• Compliance
• Networking
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection
• Stealing of Sensitive Information
• Remote Access Functionality

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: sotema_7.txt.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: sotema_7.txt.exe	ReversingLabs: Detection: 76%
Source: sotema_7.txt.exe	Virustotal: Detection: 73%			Perma Link

Machine Learning detection for sample

Source: sotema_7.txt.exe

Joe Sandbox ML: detected

Source: 00000000.00000002.256621171.00000000040F5000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: RedLine {"C2 url": "87.251.71.195:82", "Bot Id": "ServAni"}

Source: sotema_7.txt.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: sotema_7.txt.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: (PZoHC:\Windows\System.ServiceModel.pdb source: sotema_7.txt.exe, 00000002.00000002.514498917.0000000000CF8000.00000004.00000010.00020000.00000000.sdmp

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.sotema_7.txt.exe.420d900.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.sotema_7.txt.exe.400000.0.unpack, type: UNPACKEDPE

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 87.251.71.195:82

Source: global traffic

TCP traffic: 192.168.2.6:49714 -> 87.251.71.195:82

Source: Joe Sandbox View

ASN Name: RMINJINERINGRU RMINJINERINGRU

Source: Joe Sandbox View

IP Address: 87.251.71.195 87.251.71.195

Source: unknown	TCP traffic detected without corresponding DNS query: 87.251.71.195
Source: unknown	TCP traffic detected without corresponding DNS query: 87.251.71.195
Source: unknown	TCP traffic detected without corresponding DNS query: 87.251.71.195
Source: unknown	TCP traffic detected without corresponding DNS query: 87.251.71.195
Source: unknown	TCP traffic detected without corresponding DNS query: 87.251.71.195
Source: unknown	TCP traffic detected without corresponding DNS query: 87.251.71.195
Source: unknown	TCP traffic detected without corresponding DNS query: 87.251.71.195
Source: unknown	TCP traffic detected without corresponding DNS query: 87.251.71.195
Source: unknown	TCP traffic detected without corresponding DNS query: 87.251.71.195
Source: unknown	TCP traffic detected without corresponding DNS query: 87.251.71.195
Source: unknown	TCP traffic detected without corresponding DNS query: 87.251.71.195
Source: unknown	TCP traffic detected without corresponding DNS query: 87.251.71.195
Source: unknown	TCP traffic detected without corresponding DNS query: 87.251.71.195
Source: unknown	TCP traffic detected without corresponding DNS query: 87.251.71.195
Source: unknown	TCP traffic detected without corresponding DNS query: 87.251.71.195

Source: sotema_7.txt.exe, 00000002.00000002.515933473.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, sotema_7.txt.exe, 00000002.00000002.515933473.0000000002D09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://87.251.71.195:82
Source: sotema_7.txt.exe, 00000002.00000002.515933473.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, sotema_7.txt.exe, 00000002.00000002.515933473.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://87.251.71.195:82/
Source: sotema_7.txt.exe, 00000002.00000002.515933473.0000000002D09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://87.251.71.195:824
Source: sotema_7.txt.exe, 00000000.00000002.256621171.00000000040F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: sotema_7.txt.exe, 00000000.00000002.256621171.00000000040F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: sotema_7.txt.exe, 00000000.00000002.256621171.00000000040F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: sotema_7.txt.exe, 00000000.00000002.256621171.00000000040F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: sotema_7.txt.exe, 00000000.00000002.256621171.00000000040F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0#
Source: sotema_7.txt.exe, 00000002.00000002.515933473.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: sotema_7.txt.exe, 00000002.00000002.515933473.0000000002D18000.00000004.00000800.00020000.00000000.sdmp, sotema_7.txt.exe, 00000002.00000002.515933473.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: sotema_7.txt.exe, 00000002.00000002.515933473.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: sotema_7.txt.exe, 00000002.00000002.515933473.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: sotema_7.txt.exe, 00000002.00000002.515933473.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: sotema_7.txt.exe, 00000002.00000002.515933473.0000000002D09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: sotema_7.txt.exe, 00000002.00000002.515933473.0000000002D18000.00000004.00000800.00020000.00000000.sdmp, sotema_7.txt.exe, 00000002.00000002.515933473.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: sotema_7.txt.exe, 00000002.00000002.515933473.0000000002D18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/0D
Source: sotema_7.txt.exe, 00000002.00000002.515933473.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/
Source: sotema_7.txt.exe, 00000002.00000002.515933473.0000000002D09000.00000004.00000800.00020000.00000000.sdmp, sotema_7.txt.exe, 00000002.00000002.515933473.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetArguments
Source: sotema_7.txt.exe, 00000002.00000002.515933473.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetArgumentsResponse
Source: sotema_7.txt.exe, 00000002.00000002.515933473.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdates
Source: sotema_7.txt.exe, 00000002.00000002.515933473.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse
Source: sotema_7.txt.exe, 00000002.00000002.515933473.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyScanRequest
Source: sotema_7.txt.exe, 00000002.00000002.515933473.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyScanRequestResponse
Source: sotema_7.txt.exe, 00000002.00000002.515933473.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdate
Source: sotema_7.txt.exe, 00000002.00000002.515933473.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse
Source: sotema_7.txt.exe, 00000000.00000002.256621171.00000000040F5000.00000004.00000800.00020000.00000000.sdmp, sotema_7.txt.exe, 00000002.00000002.514028611.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
Source: sotema_7.txt.exe, 00000000.00000002.256621171.00000000040F5000.00000004.00000800.00020000.00000000.sdmp, sotema_7.txt.exe, 00000002.00000002.514028611.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: sotema_7.txt.exe, 00000000.00000002.256621171.00000000040F5000.00000004.00000800.00020000.00000000.sdmp, sotema_7.txt.exe, 00000002.00000002.514028611.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://icanhazip.com5https://wtfismyip.com/textChttp://bot.whatismyipaddress.com/3http://checkip.dy
Source: sotema_7.txt.exe, 00000000.00000002.256621171.00000000040F5000.00000004.00000800.00020000.00000000.sdmp, sotema_7.txt.exe, 00000002.00000002.514028611.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/ip%appdata%
Source: sotema_7.txt.exe, 00000000.00000002.256621171.00000000040F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0

Source: sotema_7.txt.exe, 00000000.00000002.256471096.0000000001559000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Malicious sample detected (through community Yara rule)

Source: sotema_7.txt.exe, type: SAMPLE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.sotema_7.txt.exe.420d900.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.sotema_7.txt.exe.420d900.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.sotema_7.txt.exe.420d900.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.sotema_7.txt.exe.420d900.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 2.2.sotema_7.txt.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 2.2.sotema_7.txt.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.0.sotema_7.txt.exe.df0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000002.00000002.514028611.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 00000000.00000002.256621171.00000000040F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: sotema_7.txt.exe PID: 5560, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: sotema_7.txt.exe PID: 5136, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown

.NET source code contains very large strings

Source: sotema_7.txt.exe, SystemServiceModelHostNameComparisonModeHelper19984.cs	Long String: Length: 183690
Source: 0.0.sotema_7.txt.exe.df0000.0.unpack, SystemServiceModelHostNameComparisonModeHelper19984.cs	Long String: Length: 183690

Source: sotema_7.txt.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: sotema_7.txt.exe, type: SAMPLE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.sotema_7.txt.exe.420d900.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.sotema_7.txt.exe.420d900.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.sotema_7.txt.exe.420d900.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.sotema_7.txt.exe.420d900.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 2.2.sotema_7.txt.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 2.2.sotema_7.txt.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.0.sotema_7.txt.exe.df0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000002.00000002.514028611.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 00000000.00000002.256621171.00000000040F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
Source: 00000000.00000002.256621171.00000000040F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: sotema_7.txt.exe PID: 5560, type: MEMORYSTR	Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
Source: Process Memory Space: sotema_7.txt.exe PID: 5560, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: sotema_7.txt.exe PID: 5136, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23

Source: sotema_7.txt.exe, 00000000.00000002.256471096.0000000001559000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs sotema_7.txt.exe
Source: sotema_7.txt.exe, 00000000.00000000.248446579.0000000000E52000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSpiremes.exe4 vs sotema_7.txt.exe
Source: sotema_7.txt.exe, 00000000.00000002.256621171.00000000040F5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDiazoes.exe4 vs sotema_7.txt.exe
Source: sotema_7.txt.exe, 00000002.00000002.514028611.000000000041A000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDiazoes.exe4 vs sotema_7.txt.exe
Source: sotema_7.txt.exe	Binary or memory string: OriginalFilenameSpiremes.exe4 vs sotema_7.txt.exe

Source: C:\Users\user\Desktop\sotema_7.txt.exe	Code function: 2_2_011CD5E8		2_2_011CD5E8
Source: C:\Users\user\Desktop\sotema_7.txt.exe	Code function: 2_2_011CCCF0		2_2_011CCCF0

Source: sotema_7.txt.exe	ReversingLabs: Detection: 76%
Source: sotema_7.txt.exe	Virustotal: Detection: 73%

Source: sotema_7.txt.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\sotema_7.txt.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: sotema_7.txt.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\sotema_7.txt.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\sotema_7.txt.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\sotema_7.txt.exe C:\Users\user\Desktop\sotema_7.txt.exe
Source: C:\Users\user\Desktop\sotema_7.txt.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\sotema_7.txt.exe	Process created: C:\Users\user\Desktop\sotema_7.txt.exe C:\Users\user\Desktop\sotema_7.txt.exe
Source: C:\Users\user\Desktop\sotema_7.txt.exe	Process created: C:\Users\user\Desktop\sotema_7.txt.exe C:\Users\user\Desktop\sotema_7.txt.exe	Jump to behavior

Source: C:\Users\user\Desktop\sotema_7.txt.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Jump to behavior

Source: sotema_7.txt.exe, SystemServiceModelHostNameComparisonModeHelper19984.cs	Base64 encoded string: 'VoftWinSafeHandlesSafeProcessHandle73115FZxUUFBTUFBQUFFQUFBQS8vOEFBTGdBQUFBQUFBQUFRQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFnQUFBQUE0ZnVnNEF0QW5OSWJnQlRNMGhWR2hwY3lCd2NtOW5jbUZ0SUdOaGJtNXZkQ0JpWlNCeWRXNGdhVzRnUkU5VElHMXZaR1V1RFEwS0pBQUFBQUFBQUFCUVJRQUFUQUVEQVBrMkxNY0FBQUFBQUFBQUFPQUFBZ0VMQVRBQUFIQUJBQUFNQUFBQUFBQUFKbjhCQUFBZ0FBQUFvQUVBQUFCQUFBQWdBQUFBQkFBQUJBQUFBQUFBQUFBRUFBQUFBQUFBQUFEZ0FRQUFCQUFBc3dFQ0FBSUFRSVVBQUJBQUFCQUFBQUFBRUFBQUVBQUFBQUFBQUJBQUFBQUFBQUFBQUFBQUFOUitBUUJQQUFBQUFLQUJBTlFFQUFBQUFBQUFBQUFBQUFDQUFRQndFd0FBQU1BQkFBd0FBQUM0ZmdFQUhBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUlBQUFDQUFBQUFBQUFBQUFBQUFBQ0NBQUFFZ0FBQUFBQUFBQUFBQUFBQzUwWlhoMEFBQUEzR3dCQUFBZ0FBQUFjQUVBQUFRQUFBQUFBQUFBQUFBQUFBQUFBQ0FBQUdBdWNuTnlZd0FBQU5RRUFBQUFvQUVBQUFnQUFBQjBBUUFBQUFBQUFBQUFBQUFBQUFCQUFBQkFMbkpsYkc5akFBQU1BQUFBQU1BQkFBQUVBQUFBZkFFQUFBQUFBQUFBQUFBQUFBQUFRQUFBUWdBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQWgvQVFBQUFBQUFTQUFBQUFJQUJRQWtvd0FBbE5zQUFBTUFBQUF6QUFBR0FBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFHekFKQVB3Q0FBQUJBQUFSY3c4QUFBb0tBbjREQVFBRUpTMFhKbjRDQVFBRS9nYkFBUUFHY3hBQUFBb2xnQU1CQUFRb0FRQUFLMjhTQUFBS0N6aW9BZ0FBQjI4VEFBQUtGeGNaalVZQUFBRWxGaDhLalVjQUFBRWwwT0lBQUFRb0ZBQUFDbk1WQUFBS29pVVhIbzFIQUFBQkpkRGFBQUFFS0JRQUFBcHpGUUFBQ3FJbEdCMk5Sd0FBQVNYUTN3QUFCQ2dVQUFBS2N4VUFBQXFpS01nQUFBWnZGZ0FBQ2d3NElnSUFBQklDS0JjQUFBb05jN2tCQUFZVEJIUHlBQUFHRXdVUkJINFlBQUFLZlFFQkFBUitHQUFBQ2hNR0VRUUpjeGtBQUFvb0dnQUFDbThiQUFBS2ZRRUJBQVFSQkhzQkFRQUVIdytOUndBQUFTWFE2Z0FBQkNnVUFBQUtjeFVBQUFwdkhBQUFDaXdhSG8xSEFBQUJKZERWQUFBRUtCUUFBQXB6RlFBQUNoTUdLMDhKSHo2TlJ3QUFBU1hRb2dBQUJDZ1VBQUFLY3hVQUFBcHlBUUFBY0g0WUFBQUtLQjBBQUFvb0hnQUFDbThjQUFBS0xRNFJCSHNCQVFBRUtNc0FBQVlyREJFRWV3RUJBQVFveWdBQUJoTUdFUVlvSHdBQUNqb3lBUUFBRVFZV2J5QUFBQW9UQ0JJSUtDRUFBQXB2SWdBQUNoRUdGaGR2SXdBQUNpZ2tBQUFLRXdZUkJIc0JBUUFFS01rQUFBWVRCeEVIS0I4QUFBbzY4Z0FBQUJFRkVRWnY1Z0FBQmhFRkVRZHY2QUFBQmhFRkVRVCtCcm9CQUFaekpRQUFDbjRFQVFBRUpTMFhKbjRDQVFBRS9nYkJBUUFHY3lZQUFBb2xnQVFCQUFRb0FnQUFLMi9xQUFBR0VRVVJCUDRHdXdFQUJuTW5BQUFLZmdVQkFBUWxMUmNtZmdJQkFBVCtCc0lC
Source: 0.0.sotema_7.txt.exe.df0000.0.unpack, SystemServiceModelHostNameComparisonModeHelper19984.cs	Base64 encoded string: 'VoftWinSafeHandlesSafeProcessHandle73115FZxUUFBTUFBQUFFQUFBQS8vOEFBTGdBQUFBQUFBQUFRQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFnQUFBQUE0ZnVnNEF0QW5OSWJnQlRNMGhWR2hwY3lCd2NtOW5jbUZ0SUdOaGJtNXZkQ0JpWlNCeWRXNGdhVzRnUkU5VElHMXZaR1V1RFEwS0pBQUFBQUFBQUFCUVJRQUFUQUVEQVBrMkxNY0FBQUFBQUFBQUFPQUFBZ0VMQVRBQUFIQUJBQUFNQUFBQUFBQUFKbjhCQUFBZ0FBQUFvQUVBQUFCQUFBQWdBQUFBQkFBQUJBQUFBQUFBQUFBRUFBQUFBQUFBQUFEZ0FRQUFCQUFBc3dFQ0FBSUFRSVVBQUJBQUFCQUFBQUFBRUFBQUVBQUFBQUFBQUJBQUFBQUFBQUFBQUFBQUFOUitBUUJQQUFBQUFLQUJBTlFFQUFBQUFBQUFBQUFBQUFDQUFRQndFd0FBQU1BQkFBd0FBQUM0ZmdFQUhBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUlBQUFDQUFBQUFBQUFBQUFBQUFBQ0NBQUFFZ0FBQUFBQUFBQUFBQUFBQzUwWlhoMEFBQUEzR3dCQUFBZ0FBQUFjQUVBQUFRQUFBQUFBQUFBQUFBQUFBQUFBQ0FBQUdBdWNuTnlZd0FBQU5RRUFBQUFvQUVBQUFnQUFBQjBBUUFBQUFBQUFBQUFBQUFBQUFCQUFBQkFMbkpsYkc5akFBQU1BQUFBQU1BQkFBQUVBQUFBZkFFQUFBQUFBQUFBQUFBQUFBQUFRQUFBUWdBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQWgvQVFBQUFBQUFTQUFBQUFJQUJRQWtvd0FBbE5zQUFBTUFBQUF6QUFBR0FBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFHekFKQVB3Q0FBQUJBQUFSY3c4QUFBb0tBbjREQVFBRUpTMFhKbjRDQVFBRS9nYkFBUUFHY3hBQUFBb2xnQU1CQUFRb0FRQUFLMjhTQUFBS0N6aW9BZ0FBQjI4VEFBQUtGeGNaalVZQUFBRWxGaDhLalVjQUFBRWwwT0lBQUFRb0ZBQUFDbk1WQUFBS29pVVhIbzFIQUFBQkpkRGFBQUFFS0JRQUFBcHpGUUFBQ3FJbEdCMk5Sd0FBQVNYUTN3QUFCQ2dVQUFBS2N4VUFBQXFpS01nQUFBWnZGZ0FBQ2d3NElnSUFBQklDS0JjQUFBb05jN2tCQUFZVEJIUHlBQUFHRXdVUkJINFlBQUFLZlFFQkFBUitHQUFBQ2hNR0VRUUpjeGtBQUFvb0dnQUFDbThiQUFBS2ZRRUJBQVFSQkhzQkFRQUVIdytOUndBQUFTWFE2Z0FBQkNnVUFBQUtjeFVBQUFwdkhBQUFDaXdhSG8xSEFBQUJKZERWQUFBRUtCUUFBQXB6RlFBQUNoTUdLMDhKSHo2TlJ3QUFBU1hRb2dBQUJDZ1VBQUFLY3hVQUFBcHlBUUFBY0g0WUFBQUtLQjBBQUFvb0hnQUFDbThjQUFBS0xRNFJCSHNCQVFBRUtNc0FBQVlyREJFRWV3RUJBQVFveWdBQUJoTUdFUVlvSHdBQUNqb3lBUUFBRVFZV2J5QUFBQW9UQ0JJSUtDRUFBQXB2SWdBQUNoRUdGaGR2SXdBQUNpZ2tBQUFLRXdZUkJIc0JBUUFFS01rQUFBWVRCeEVIS0I4QUFBbzY4Z0FBQUJFRkVRWnY1Z0FBQmhFRkVRZHY2QUFBQmhFRkVRVCtCcm9CQUFaekpRQUFDbjRFQVFBRUpTMFhKbjRDQVFBRS9nYkJBUUFHY3lZQUFBb2xnQVFCQUFRb0FnQUFLMi9xQUFBR0VRVVJCUDRHdXdFQUJuTW5BQUFLZmdVQkFBUWxMUmNtZmdJQkFBVCtCc0lC

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5536:120:WilError_01

Source: C:\Users\user\Desktop\sotema_7.txt.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\sotema_7.txt.exe.log

Jump to behavior

Source: classification engine

Classification label: mal92.troj.evad.winEXE@4/1@0/1

Source: sotema_7.txt.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: sotema_7.txt.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: sotema_7.txt.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: (PZoHC:\Windows\System.ServiceModel.pdb source: sotema_7.txt.exe, 00000002.00000002.514498917.0000000000CF8000.00000004.00000010.00020000.00000000.sdmp

Source: sotema_7.txt.exe

Static PE information: 0xB8BCC0EF [Mon Mar 19 10:18:23 2068 UTC]

Hooking and other Techniques for Hiding and Protection

Uses an obfuscated file name to hide its real file extension (double extension)

Source: Possible double extension: txt.exe

Static PE information: sotema_7.txt.exe

Source: C:\Users\user\Desktop\sotema_7.txt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sotema_7.txt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sotema_7.txt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sotema_7.txt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sotema_7.txt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sotema_7.txt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sotema_7.txt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sotema_7.txt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sotema_7.txt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sotema_7.txt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sotema_7.txt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sotema_7.txt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sotema_7.txt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sotema_7.txt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sotema_7.txt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sotema_7.txt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sotema_7.txt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sotema_7.txt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sotema_7.txt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sotema_7.txt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sotema_7.txt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sotema_7.txt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sotema_7.txt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sotema_7.txt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sotema_7.txt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sotema_7.txt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sotema_7.txt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sotema_7.txt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sotema_7.txt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sotema_7.txt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sotema_7.txt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sotema_7.txt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sotema_7.txt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sotema_7.txt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sotema_7.txt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sotema_7.txt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sotema_7.txt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sotema_7.txt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sotema_7.txt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sotema_7.txt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sotema_7.txt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sotema_7.txt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sotema_7.txt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sotema_7.txt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sotema_7.txt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sotema_7.txt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sotema_7.txt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sotema_7.txt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sotema_7.txt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sotema_7.txt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sotema_7.txt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sotema_7.txt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\sotema_7.txt.exe TID: 5140

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\sotema_7.txt.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\sotema_7.txt.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\sotema_7.txt.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\sotema_7.txt.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\sotema_7.txt.exe

Process created: C:\Users\user\Desktop\sotema_7.txt.exe C:\Users\user\Desktop\sotema_7.txt.exe

Jump to behavior

Source: C:\Users\user\Desktop\sotema_7.txt.exe	Queries volume information: C:\Users\user\Desktop\sotema_7.txt.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sotema_7.txt.exe	Queries volume information: C:\Users\user\Desktop\sotema_7.txt.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sotema_7.txt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sotema_7.txt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sotema_7.txt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sotema_7.txt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sotema_7.txt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sotema_7.txt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sotema_7.txt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\sotema_7.txt.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match	File source: 0.2.sotema_7.txt.exe.420d900.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.sotema_7.txt.exe.420d900.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.sotema_7.txt.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.514028611.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.256621171.00000000040F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: sotema_7.txt.exe PID: 5560, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sotema_7.txt.exe PID: 5136, type: MEMORYSTR

Source: Yara match	File source: 0.2.sotema_7.txt.exe.420d900.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.sotema_7.txt.exe.420d900.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.sotema_7.txt.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.514028611.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.256621171.00000000040F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: sotema_7.txt.exe PID: 5560, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sotema_7.txt.exe PID: 5136, type: MEMORYSTR

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match	File source: 0.2.sotema_7.txt.exe.420d900.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.sotema_7.txt.exe.420d900.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.sotema_7.txt.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.514028611.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.256621171.00000000040F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: sotema_7.txt.exe PID: 5560, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sotema_7.txt.exe PID: 5136, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	11 Process Injection	11 Masquerading	1 Input Capture	21 Virtualization/Sandbox Evasion	Remote Services	1 Input Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	12 System Information Discovery	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	21 Virtualization/Sandbox Evasion	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	11 Process Injection	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	11 Obfuscated Files or Information	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
sotema_7.txt.exe	77%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
sotema_7.txt.exe	74%	Virustotal		Browse
sotema_7.txt.exe	100%	Avira	HEUR/AGEN.1235110
sotema_7.txt.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.0.sotema_7.txt.exe.df0000.0.unpack	100%	Avira	HEUR/AGEN.1235110		Download File
2.2.sotema_7.txt.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1234957		Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://tempuri.org/Endpoint/GetArguments	0%	URL Reputation	safe
https://api.ip.sb/geoip%USERPEnvironmentROFILE%	0%	URL Reputation	safe
http://tempuri.org/	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	0%	URL Reputation	safe
http://tempuri.org/0D	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	0%	URL Reputation	safe
http://tempuri.org/Endpoint/VerifyUpdateResponse	0%	URL Reputation	safe
http://ocsp.sectigo.com0#	0%	URL Reputation	safe
http://tempuri.org/Endpoint/GetArgumentsResponse	0%	URL Reputation	safe
http://tempuri.org/Endpoint/GetUpdates	0%	URL Reputation	safe
http://tempuri.org/Endpoint/GetUpdates	0%	URL Reputation	safe
http://tempuri.org/Endpoint/VerifyScanRequest	0%	URL Reputation	safe
http://tempuri.org/Endpoint/GetUpdatesResponse	0%	URL Reputation	safe
http://tempuri.org/Endpoint/	0%	URL Reputation	safe
http://tempuri.org/Endpoint/VerifyUpdate	0%	URL Reputation	safe
http://tempuri.org/Endpoint/VerifyScanRequestResponse	0%	URL Reputation	safe
https://icanhazip.com5https://wtfismyip.com/textChttp://bot.whatismyipaddress.com/3http://checkip.dy	0%	Avira URL Cloud	safe
87.251.71.195:82	0%	Avira URL Cloud	safe
http://87.251.71.195:82	0%	Avira URL Cloud	safe
http://87.251.71.195:82/	0%	Avira URL Cloud	safe
http://87.251.71.195:824	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
87.251.71.195:82	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ipinfo.io/ip%appdata%	sotema_7.txt.exe, 00000000.00000002.256621171.00000000040F5000.00000004.00000800.00020000.00000000.sdmp, sotema_7.txt.exe, 00000002.00000002.514028611.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
https://sectigo.com/CPS0	sotema_7.txt.exe, 00000000.00000002.256621171.00000000040F5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://icanhazip.com5https://wtfismyip.com/textChttp://bot.whatismyipaddress.com/3http://checkip.dy	sotema_7.txt.exe, 00000000.00000002.256621171.00000000040F5000.00000004.00000800.00020000.00000000.sdmp, sotema_7.txt.exe, 00000002.00000002.514028611.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Endpoint/GetArguments	sotema_7.txt.exe, 00000002.00000002.515933473.0000000002D09000.00000004.00000800.00020000.00000000.sdmp, sotema_7.txt.exe, 00000002.00000002.515933473.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous	sotema_7.txt.exe, 00000002.00000002.515933473.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ip.sb/geoip%USERPEnvironmentROFILE%	sotema_7.txt.exe, 00000000.00000002.256621171.00000000040F5000.00000004.00000800.00020000.00000000.sdmp, sotema_7.txt.exe, 00000002.00000002.514028611.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/soap/envelope/	sotema_7.txt.exe, 00000002.00000002.515933473.0000000002D18000.00000004.00000800.00020000.00000000.sdmp, sotema_7.txt.exe, 00000002.00000002.515933473.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	false		high
http://87.251.71.195:82/	sotema_7.txt.exe, 00000002.00000002.515933473.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, sotema_7.txt.exe, 00000002.00000002.515933473.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/	sotema_7.txt.exe, 00000002.00000002.515933473.0000000002D18000.00000004.00000800.00020000.00000000.sdmp, sotema_7.txt.exe, 00000002.00000002.515933473.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	sotema_7.txt.exe, 00000000.00000002.256621171.00000000040F5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/0D	sotema_7.txt.exe, 00000002.00000002.515933473.0000000002D18000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://87.251.71.195:824	sotema_7.txt.exe, 00000002.00000002.515933473.0000000002D09000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	sotema_7.txt.exe, 00000000.00000002.256621171.00000000040F5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Endpoint/VerifyUpdateResponse	sotema_7.txt.exe, 00000002.00000002.515933473.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ocsp.sectigo.com0#	sotema_7.txt.exe, 00000000.00000002.256621171.00000000040F5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Endpoint/GetArgumentsResponse	sotema_7.txt.exe, 00000002.00000002.515933473.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Endpoint/GetUpdates	sotema_7.txt.exe, 00000002.00000002.515933473.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://api.ipify.org	sotema_7.txt.exe, 00000000.00000002.256621171.00000000040F5000.00000004.00000800.00020000.00000000.sdmp, sotema_7.txt.exe, 00000002.00000002.514028611.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing	sotema_7.txt.exe, 00000002.00000002.515933473.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing/fault	sotema_7.txt.exe, 00000002.00000002.515933473.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/VerifyScanRequest	sotema_7.txt.exe, 00000002.00000002.515933473.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Endpoint/GetUpdatesResponse	sotema_7.txt.exe, 00000002.00000002.515933473.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://87.251.71.195:82	sotema_7.txt.exe, 00000002.00000002.515933473.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, sotema_7.txt.exe, 00000002.00000002.515933473.0000000002D09000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Endpoint/	sotema_7.txt.exe, 00000002.00000002.515933473.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Endpoint/VerifyUpdate	sotema_7.txt.exe, 00000002.00000002.515933473.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	sotema_7.txt.exe, 00000002.00000002.515933473.0000000002D09000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/VerifyScanRequestResponse	sotema_7.txt.exe, 00000002.00000002.515933473.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/soap/actor/next	sotema_7.txt.exe, 00000002.00000002.515933473.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
87.251.71.195	unknown	Russian Federation		49877	RMINJINERINGRU	true

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	789378
Start date and time:	2023-01-23 00:15:14 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	sotema_7.txt.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal92.troj.evad.winEXE@4/1@0/1
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 74 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ctldl.windowsupdate.com
Execution Graph export aborted for target sotema_7.txt.exe, PID 5136 because it is empty
Not all processes where analyzed, report is missing behavior information

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
87.251.71.195	HjsWdhuCuY.exe	Get hash	malicious	Browse	87.251.71.195:11924//

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
RMINJINERINGRU	HEUR-Trojan.Win32.Agent.gen-7a4df2fc82c0b553d.exe	Get hash	malicious	Browse	87.251.71.195
	14jxqkI8dt.exe	Get hash	malicious	Browse	87.251.71.195
	1ULY9wkde4.exe	Get hash	malicious	Browse	87.251.71.195
	1DCAB4CDFFDF269EA33719990AC81C515345B50FE1C60.exe	Get hash	malicious	Browse	87.251.71.195
	5GBK05PTFO.dll	Get hash	malicious	Browse	185.153.199.225
	e8k60omgBH.exe	Get hash	malicious	Browse	185.153.198.216
	BFB5D8AB558D5057F1980C1BAB9BFB8215D43F41F0065.exe	Get hash	malicious	Browse	87.251.71.82
	E10C2C073D337A5CD7BC1FE1FB48B314730D257FB0D21.exe	Get hash	malicious	Browse	87.251.71.64
	ileEIP26cf.exe	Get hash	malicious	Browse	87.251.71.64
	G2Shy4flZe.exe	Get hash	malicious	Browse	87.251.71.44
	BC2CCE5055F9411C04EDEEE699D7161C257574B4C5540.exe	Get hash	malicious	Browse	87.251.71.195
	srJfa3GmXh.exe	Get hash	malicious	Browse	87.251.71.44
	oGC5UCbzoL.exe	Get hash	malicious	Browse	87.251.71.44
	nVJouCa1cO.exe	Get hash	malicious	Browse	87.251.71.44
	GIqD5HuY5M.exe	Get hash	malicious	Browse	87.251.71.64
	J3Z409zKc6.exe	Get hash	malicious	Browse	87.251.71.44
	SHxBXBGCyS.exe	Get hash	malicious	Browse	185.153.198.58
	WyhX1MJx8v.exe	Get hash	malicious	Browse	87.251.71.68
	6clffER1J0.exe	Get hash	malicious	Browse	185.153.198.58
	SmartPDF.exe	Get hash	malicious	Browse	87.251.71.14

Process:	C:\Users\user\Desktop\sotema_7.txt.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	42
Entropy (8bit):	4.0050635535766075
Encrypted:	false
SSDEEP:	3:QHXMKa/xwwUy:Q3La/xwQ
MD5:	84CFDB4B995B1DBF543B26B86C863ADC
SHA1:	D2F47764908BF30036CF8248B9FF5541E2711FA2
SHA-256:	D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
SHA-512:	485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..

Static File Info

General

File type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	3.739157527036374
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01%
File name:	sotema_7.txt.exe
File size:	389120
MD5:	b0486bfc2e579b49b0cacee12c52469c
SHA1:	ac6eb40cc66eddd0589eb940e6a6ce06b00c7d30
SHA256:	9057ba81960258a882dee4335d947f499adabfc59bfd99e2b5f56b508a01fbe2
SHA512:	b7f55e346830e2a2ed99bd57bfd0cb66221675a6b0b23d35e5d7fac5eee0c3dfc771eed5fed410c2063410e048fe41765c880ebf0a48137f9135cf1d65951075
SSDEEP:	6144:Q9Sl9qalveLsj2ebm0+wc9fc3ETdsfHXfD16gmiktKpRA3Is3LeEXB:KSl9qalveYj2ebm0bc9fc3EefHXfD16F
TLSH:	5384452868BFC01984E3EEA12DDCA8FBD99A55E7640D703701B4633B8B51B84DE4F479
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.............Z.... ... ....@.. .......................`............@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x46015a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xB8BCC0EF [Mon Mar 19 10:18:23 2068 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x60108	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x62000	0x2a8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x64000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x600ec	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x5e160	0x5e400	False	0.27560044346816975	data	3.7510584782896013	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x62000	0x2a8	0x400	False	0.2998046875	data	2.1632117842384715	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x64000	0xc	0x400	False	0.025390625	data	0.04468700625387198	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x62058	0x24c	data

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Download Network PCAP: filtered – full

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 23, 2023 00:16:34.541400909 CET	49714	82	192.168.2.6	87.251.71.195
Jan 23, 2023 00:16:37.584929943 CET	49714	82	192.168.2.6	87.251.71.195
Jan 23, 2023 00:16:43.581149101 CET	49714	82	192.168.2.6	87.251.71.195
Jan 23, 2023 00:16:56.833153009 CET	49715	82	192.168.2.6	87.251.71.195
Jan 23, 2023 00:16:59.848057985 CET	49715	82	192.168.2.6	87.251.71.195
Jan 23, 2023 00:17:05.848617077 CET	49715	82	192.168.2.6	87.251.71.195
Jan 23, 2023 00:17:18.897645950 CET	49720	82	192.168.2.6	87.251.71.195
Jan 23, 2023 00:17:21.912477970 CET	49720	82	192.168.2.6	87.251.71.195
Jan 23, 2023 00:17:27.921582937 CET	49720	82	192.168.2.6	87.251.71.195
Jan 23, 2023 00:17:40.946590900 CET	49722	82	192.168.2.6	87.251.71.195
Jan 23, 2023 00:17:43.961141109 CET	49722	82	192.168.2.6	87.251.71.195
Jan 23, 2023 00:17:49.977324009 CET	49722	82	192.168.2.6	87.251.71.195
Jan 23, 2023 00:18:02.996228933 CET	49724	82	192.168.2.6	87.251.71.195
Jan 23, 2023 00:18:06.010751009 CET	49724	82	192.168.2.6	87.251.71.195
Jan 23, 2023 00:18:12.012851954 CET	49724	82	192.168.2.6	87.251.71.195

Statistics

Click to jump to process

Memory Usage

• sotema_7.txt.exe
• conhost.exe
• sotema_7.txt.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry
• Network

Click to dive into process behavior distribution

Behavior

• sotema_7.txt.exe
• conhost.exe
• sotema_7.txt.exe

Click to jump to process

Target ID:	0
Start time:	00:16:10
Start date:	23/01/2023
Path:	C:\Users\user\Desktop\sotema_7.txt.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\sotema_7.txt.exe
Imagebase:	0xdf0000
File size:	389120 bytes
MD5 hash:	B0486BFC2E579B49B0CACEE12C52469C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: SUSP_Double_Base64_Encoded_Executable, Description: Detects an executable that has been encoded with base64 twice, Source: 00000000.00000002.256621171.00000000040F5000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.256621171.00000000040F5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.256621171.00000000040F5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000000.00000002.256621171.00000000040F5000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Target ID:	1
Start time:	00:16:11
Start date:	23/01/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6da640000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	2
Start time:	00:16:11
Start date:	23/01/2023
Path:	C:\Users\user\Desktop\sotema_7.txt.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\sotema_7.txt.exe
Imagebase:	0x850000
File size:	389120 bytes
MD5 hash:	B0486BFC2E579B49B0CACEE12C52469C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000002.00000002.514028611.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.514028611.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000002.00000002.514028611.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Function 011CD5E8 Relevance: 1.1, Instructions: 1107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f63b9538aa02e9e13d7cde6542c4d1211a4c5e9921c5d2c8b4cd5847eedc79ec
Instruction ID: e4b65e9bb0300e70deae2f266f3558907a8f6579baeb59fa9866eb1b00e217f6
Opcode Fuzzy Hash: f63b9538aa02e9e13d7cde6542c4d1211a4c5e9921c5d2c8b4cd5847eedc79ec
Instruction Fuzzy Hash: CFA21B34B002158FDB18DF68D995B6DBBB2BF88710F1084A9E90AAB391DF349D46CF51

Uniqueness

Uniqueness Score: -1.00%

Function 011C6A30 Relevance: 2.0, Instructions: 1973COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be7eb89813a04a4ccda2b2dd1494a1ea34eb623051110859b5dca60de84ef7fc
Instruction ID: 19cebbc5755789d972395418dec7c44c9f9b11d9e065013fe19774ad27e3f558
Opcode Fuzzy Hash: be7eb89813a04a4ccda2b2dd1494a1ea34eb623051110859b5dca60de84ef7fc
Instruction Fuzzy Hash: 2E13FE34901205EFCF2AAF60D550AA9B732FF99706B9084BEDC1176B64CB3B9952DF01

Uniqueness

Uniqueness Score: -1.00%

Function 011C6A29 Relevance: 2.0, Instructions: 1968COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 126d9aa9a034d7bc323eb876757b14149cdc7b239d534ab0f171e5e4208fa011
Instruction ID: 179d86cbffb6f0f2edeb3d880339b8f26c3483624f3dec196242a3c4c85d7d7e
Opcode Fuzzy Hash: 126d9aa9a034d7bc323eb876757b14149cdc7b239d534ab0f171e5e4208fa011
Instruction Fuzzy Hash: 2313FE34901205EFCF2AAF60D550AA9B732FF99706B9084BEDC1176B64CB3B9952DF01

Uniqueness

Uniqueness Score: -1.00%

Function 011C0520 Relevance: .4, Instructions: 444COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5a9b57f71486a7627ae1913b097054cfdb3ebdb2d69a47c32c5ce7f916db484
Instruction ID: f4928e93ae2f0932b628da1520a6a27cc2309c7960931b4a7fda5c08c27c2bbc
Opcode Fuzzy Hash: c5a9b57f71486a7627ae1913b097054cfdb3ebdb2d69a47c32c5ce7f916db484
Instruction Fuzzy Hash: B0021836600215DFCB5A9FA4C904E997BB2FF5C710F4681E9E2099B272DB32D9A4DF40

Uniqueness

Uniqueness Score: -1.00%

Function 011CC460 Relevance: .3, Instructions: 346COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e317ad97c408d26d302ea22e4bce65697b06fd21b72d0c19015e3bfde29d6e48
Instruction ID: 643ad1356349c930fc83051d807e67fd1552dfc5cef893cd92e18fa458a15c6c
Opcode Fuzzy Hash: e317ad97c408d26d302ea22e4bce65697b06fd21b72d0c19015e3bfde29d6e48
Instruction Fuzzy Hash: 3DE15134600609DFCB18DF69D594A9EBBB2FF88710F148468E51AAB355DB34EC46CF90

Uniqueness

Uniqueness Score: -1.00%

Function 011CE051 Relevance: .3, Instructions: 297COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1069449535064384df6261f02153acace9b8765a6bdbf5283aa2c9767f2118c
Instruction ID: d91a435513d424522ec4d2c895ee58d58169e97145f792e738d0561995e698fe
Opcode Fuzzy Hash: c1069449535064384df6261f02153acace9b8765a6bdbf5283aa2c9767f2118c
Instruction Fuzzy Hash: ABD13C34A01219CFDB29DF64D854BAD7BB2BF88701F1484A9E50AAB391DF359D82CF50

Uniqueness

Uniqueness Score: -1.00%

Function 011CB9A0 Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bf3d646c935f6db2971857ce7ed7a38554f14faa0b41e1243fd1be8dbf222d8
Instruction ID: 9f53c0876d532e5343f0a7c22bc9e689a7c88e4fab5c82b5f80142516241ebd7
Opcode Fuzzy Hash: 5bf3d646c935f6db2971857ce7ed7a38554f14faa0b41e1243fd1be8dbf222d8
Instruction Fuzzy Hash: 35716E35E0030A8FDB18DFA9C45569EBBF2BF89740F248529E40AEB354DB749C46CB51

Uniqueness

Uniqueness Score: -1.00%

Function 011CC451 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acaaac9c5ad143b6e9d73c272aeffc2839c7da5d95f1d942256ee3bcdfb953ae
Instruction ID: 7eb4f6b0273801ca35cd2436d8bcce3d0a16fff4b6adf5795b48be5cd17eec56
Opcode Fuzzy Hash: acaaac9c5ad143b6e9d73c272aeffc2839c7da5d95f1d942256ee3bcdfb953ae
Instruction Fuzzy Hash: 36811F34A00209DFCB18DF64D594A9DBBB2FF48710B158569F81AAB365DB34EC46CF90

Uniqueness

Uniqueness Score: -1.00%

Function 011C22DB Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81e5e523102c4f0ade37e0aa29d6e3ca389875fc07c2369400545e89abdf310d
Instruction ID: 59bfa8fd17c9080d7ba3c40a0245a9e2ce75dc2a47ebae46ff764366c74efe26
Opcode Fuzzy Hash: 81e5e523102c4f0ade37e0aa29d6e3ca389875fc07c2369400545e89abdf310d
Instruction Fuzzy Hash: D751C131720604CFC718ABB8D45866EBBB2FF89320F65465DE4529B3E4DF34A84ACB51

Uniqueness

Uniqueness Score: -1.00%

Function 011CB788 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6185a85ea48c8cbfe9c1d309f1301cf4658af3f940e2a94ac7490534928dd320
Instruction ID: a9f90adb711004d5fa184a266f98b20976fb910d197a94ef3e8a87a86222ca67
Opcode Fuzzy Hash: 6185a85ea48c8cbfe9c1d309f1301cf4658af3f940e2a94ac7490534928dd320
Instruction Fuzzy Hash: AD511A34A05219DFDB19DFA4E895AEDBBB6FF88750F108029F902A7360DB349941CF64

Uniqueness

Uniqueness Score: -1.00%

Function 011C8CF3 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b69ebf02436210cec6db34916df8e9f016b0e489aa94ade20e2c620a00d27f1
Instruction ID: 7c1483d7c3a588e5003c14908d4f13f564de9d3622039323cc0a9722f8ed4e28
Opcode Fuzzy Hash: 0b69ebf02436210cec6db34916df8e9f016b0e489aa94ade20e2c620a00d27f1
Instruction Fuzzy Hash: B35184307002095BDF18EB64D860B7EB6B7BBC8604F64401CD11AAB3C5CF76AE059BE5

Uniqueness

Uniqueness Score: -1.00%

Function 011C8CF8 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4c9d5dbaf900ff8ef769743ca9d22f89381bc8cecc8c0e7d3348b70e25027d2
Instruction ID: 8932803bb1cdab16a2dfd37a8c836d2f6061d335d19ee5a7371b4bb8b2558cd9
Opcode Fuzzy Hash: d4c9d5dbaf900ff8ef769743ca9d22f89381bc8cecc8c0e7d3348b70e25027d2
Instruction Fuzzy Hash: 6051833070020A5BDF18EB64D860B7EA6A7BBC8604F64401CD11AAB3C5CF76AE059BE5

Uniqueness

Uniqueness Score: -1.00%

Function 011CC821 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2216764eb60a0d23b3d89b467173dda94545bd1ba595d3ffdc2f6e11f4c5ab3
Instruction ID: 9a256f88e6579b10180daeaf03c9a378f0c444afc52bf23234037edae219c187
Opcode Fuzzy Hash: d2216764eb60a0d23b3d89b467173dda94545bd1ba595d3ffdc2f6e11f4c5ab3
Instruction Fuzzy Hash: 7D510B34A00209DFDB18DF94D594A9DBBB2FF98710F158468E915AB355CB35EC82CF90

Uniqueness

Uniqueness Score: -1.00%

Function 011C3E4B Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4eb1f73eacf50cc39fc3bb118e15f5a56068a49753df8e1ca07414c657d532b3
Instruction ID: 672ee45212f25fc6358a8e53ca9a91bc7ed505f9c8ad8e3f68247f831197ba09
Opcode Fuzzy Hash: 4eb1f73eacf50cc39fc3bb118e15f5a56068a49753df8e1ca07414c657d532b3
Instruction Fuzzy Hash: EB31BE343002455BD70DB768E864B3E62ABEBD5A60B244828E807D3398CF796D5253B2

Uniqueness

Uniqueness Score: -1.00%

Function 011CB98F Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d680c2c490e1f6df8c613d1b55725ed1de1dfa0796deb25a19a08d1f6f8ce6ac
Instruction ID: b8689bdc5e0aebbbef2f037d35243cdc5c393cf926864bb7975764f2ed96157a
Opcode Fuzzy Hash: d680c2c490e1f6df8c613d1b55725ed1de1dfa0796deb25a19a08d1f6f8ce6ac
Instruction Fuzzy Hash: 48414C75E00719CFDB19CFA9C8416CEBBF6BF89740F24851AE805BB214DB70A946CB51

Uniqueness

Uniqueness Score: -1.00%

Function 011CBC80 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b755a09d0497eff4ceb6f0af9d5428777f804c2f1642e4c8927cb91487214166
Instruction ID: 9a88fb172dd20920ecc6ef1d52475281baa4dec78b6c610264d63bfc27beac09
Opcode Fuzzy Hash: b755a09d0497eff4ceb6f0af9d5428777f804c2f1642e4c8927cb91487214166
Instruction Fuzzy Hash: EF31EF35B052048FD7189B28D86577EBBB6EF85710F2480ADD80ADB381DF35CC4687A1

Uniqueness

Uniqueness Score: -1.00%

Function 011C3E50 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96c86284419eba526da6ef3d550e189d10243f850ada63398223ca2999752047
Instruction ID: f32d4b7333d5886f0b3cbb8155ec978e8c37effd37f4026dcb77ee1206306bce
Opcode Fuzzy Hash: 96c86284419eba526da6ef3d550e189d10243f850ada63398223ca2999752047
Instruction Fuzzy Hash: 9831AF343002455BD70DB768A864B3E62AFEBD5A64F244828E807D7398CF796D5353B2

Uniqueness

Uniqueness Score: -1.00%

Function 011CD55F Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cf35cc12f306eb2ef0b6fb96456e7c3499a8f05ea9b827eeb3b05292d8b365f
Instruction ID: 414e1058813b653d6008b868e515923cb66785f7d976fedefd195be989252cc5
Opcode Fuzzy Hash: 5cf35cc12f306eb2ef0b6fb96456e7c3499a8f05ea9b827eeb3b05292d8b365f
Instruction Fuzzy Hash: F7314471A002158FDF09DFA8E885BAA7FB0EF65714F1480AEE9458B361DB30D801CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 011C6178 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dee04ee274bd1e1effcd887e122dd51325f94f79677cef629473677ff51ba8df
Instruction ID: 8f75ec356c801e48e197421e357f09cc71040c4be171d3f56188e6da290e42f9
Opcode Fuzzy Hash: dee04ee274bd1e1effcd887e122dd51325f94f79677cef629473677ff51ba8df
Instruction Fuzzy Hash: 33311A347112088FDB18DF68C4A9A6E7BF2EF88711F14406CE906AB3A0DF759C42DB60

Uniqueness

Uniqueness Score: -1.00%

Function 011C63E0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d1628f0382a33b1a8d4ec741ca044fdfe7fb3f68e10c05700cc8cb51ea5550e
Instruction ID: cdaceba56b183e898fe67e1cd9e15300f4979ca0b413df397c8e03e5acae4150
Opcode Fuzzy Hash: 5d1628f0382a33b1a8d4ec741ca044fdfe7fb3f68e10c05700cc8cb51ea5550e
Instruction Fuzzy Hash: 8D2105347163458FC308A779A42512E7FE7AFC5210B148C39E90ADB381EE388C0687B2

Uniqueness

Uniqueness Score: -1.00%

Function 011C9213 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bead7ba2dd099f957aa0de774544dce296728fe54febb2ba477068d1f31d110d
Instruction ID: cb795aaf203012820c974ae415179010e2609faecb03c443351dd76c51dfe6af
Opcode Fuzzy Hash: bead7ba2dd099f957aa0de774544dce296728fe54febb2ba477068d1f31d110d
Instruction Fuzzy Hash: 88318B32D10706DACB10AFB9C8403D9B771FF99320F25871AE559B7240EB71BAA4CB90

Uniqueness

Uniqueness Score: -1.00%

Function 011C9218 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a9e6a06dd96bbc3a2d87bc6f4ea8dfaa0f0a0c06f3ba41f910389479e83d0df
Instruction ID: e2a9dab7ea74557031265ea9c00317d7d2fb1482f287031517405f817549a5de
Opcode Fuzzy Hash: 8a9e6a06dd96bbc3a2d87bc6f4ea8dfaa0f0a0c06f3ba41f910389479e83d0df
Instruction Fuzzy Hash: 43319C32D10706DACB10AFB9C8003D9B771FF99320F25871AE549B7240EB71BAA4CB90

Uniqueness

Uniqueness Score: -1.00%

Function 011CB210 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23cb7a1a508b26f0a25ebb48faff5ba10218a0e8f283a5ca0819f22e12be731f
Instruction ID: 7b9ca7b0c17ecc4293613b302137eebde29d21d17d49467104fdc07b7f276c10
Opcode Fuzzy Hash: 23cb7a1a508b26f0a25ebb48faff5ba10218a0e8f283a5ca0819f22e12be731f
Instruction Fuzzy Hash: 4C210A3121A3809FC7115774D85576E7FB6EF86315F04086AE882CB392DE79980AC721

Uniqueness

Uniqueness Score: -1.00%

Function 011CD5C0 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 526ff0b3c6b909cf2217c79971d255fc5aaba448b809ca70f84ca7101925e037
Instruction ID: 1353cf24556e7857c57957e0408a0730505c582fb67fcd935de43313fc6981bd
Opcode Fuzzy Hash: 526ff0b3c6b909cf2217c79971d255fc5aaba448b809ca70f84ca7101925e037
Instruction Fuzzy Hash: 4131D071A00215DFDF09DFA8D895AAE7BB5EFA4714F148479EA058B361DB30D841CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 011C6169 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6f84bdefbb3c9fc8d4ef11dce16b031c9203bd8b3bcf435c8aa1831197989d2
Instruction ID: 5f29395180670d035b8cb2f134fae50c6bea8e58c99c901a36ad136dbb764876
Opcode Fuzzy Hash: c6f84bdefbb3c9fc8d4ef11dce16b031c9203bd8b3bcf435c8aa1831197989d2
Instruction Fuzzy Hash: 83313C357012088FD708DF69C4A9AAE7BF2EF98B10F14406CE502AB361CB769D41DB60

Uniqueness

Uniqueness Score: -1.00%

Function 011C3A3B Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a6b2054230bbc9af0baeb33e2bbfdeccf9b2c77d879345d2d554d33208ca3b3
Instruction ID: 888a0728c6fdb0ddcab229ef80196ec20f2788e9308ed519bdd9b5a8ce7ef807
Opcode Fuzzy Hash: 6a6b2054230bbc9af0baeb33e2bbfdeccf9b2c77d879345d2d554d33208ca3b3
Instruction Fuzzy Hash: B5311339910209EFCB01AFA4E899A9DBFB6FF4C311F048855FA01A3264CB765E55DF20

Uniqueness

Uniqueness Score: -1.00%

Function 011C3A40 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6836015ed22a3b948e284033eacaf7e89de198c1cc7d934345b01c8731760f8
Instruction ID: 8a449fa42300fb1f594b5edaa077fc6a0c7bbfc385876dee51795fb4fba42198
Opcode Fuzzy Hash: a6836015ed22a3b948e284033eacaf7e89de198c1cc7d934345b01c8731760f8
Instruction Fuzzy Hash: 2D311339910209EFCB01AFA4E899A9DBFB6FF48311F048855FA01A3264CB765E55DF20

Uniqueness

Uniqueness Score: -1.00%

Function 011C6900 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c41ed8b92215e6083b32c052f7dca08ddf41aaf7dfd2cad68e1d1c8cf968b642
Instruction ID: fefc7b4827ebfe49aa99a57591013126896e337b51f62a1a11a51973f098ea59
Opcode Fuzzy Hash: c41ed8b92215e6083b32c052f7dca08ddf41aaf7dfd2cad68e1d1c8cf968b642
Instruction Fuzzy Hash: 5B31B130E1070A8BCB14AFB8D4502AEF7B1FF85310B118629D959B3340EF35A996CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 011C68F9 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07fbf4af3231a914597e75371152a993feb9c3bcca3ffcbe19b94d040c934552
Instruction ID: a76367d09901990952fd9640a2c18a52297312940d8cdfa73b0c2fe5a7158858
Opcode Fuzzy Hash: 07fbf4af3231a914597e75371152a993feb9c3bcca3ffcbe19b94d040c934552
Instruction Fuzzy Hash: AE31DF31E1070A8BCB14AFB8D4502EEF7B1FF95714B118629D859B7340EF35A996CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 011CCB50 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eae02861d7ccb8c0c442f8b29718a38023e53f0b54d192d450c7a535983a43a6
Instruction ID: 623b101f0fe633489c4da3b5dbc73d95419adf69fb4bf81ccc702c914cf22a36
Opcode Fuzzy Hash: eae02861d7ccb8c0c442f8b29718a38023e53f0b54d192d450c7a535983a43a6
Instruction Fuzzy Hash: B021D1397122019BE7185B7CD06972E3EE6EBC4261F144438E90EDB384DF78DC4687A1

Uniqueness

Uniqueness Score: -1.00%

Function 0116D210 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.515218351.000000000116D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0116D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_116d000_sotema_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b2c4032136d99a1d0e923cef68ac26e72a6718c210e02b1b00d5cb498186bd2
Instruction ID: 1ca33004e2ca19c84c3e083ddde688ad7a13d4930533b726bf74fcbbeb61221a
Opcode Fuzzy Hash: 7b2c4032136d99a1d0e923cef68ac26e72a6718c210e02b1b00d5cb498186bd2
Instruction Fuzzy Hash: EA21D872604240DFDF09DF94E9C4B26BF69FB88720F24856DE9451B246C337D466CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0116D124 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.515218351.000000000116D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0116D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_116d000_sotema_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0089cfc16014f643581a73740dba2cc7ea3cf683e52efa9e737ac9f3c861fb4
Instruction ID: 0f1890b0eb68c1c8d6476b3a0bd8846762c398f681deaf7e156ba6c2b3deeb80
Opcode Fuzzy Hash: c0089cfc16014f643581a73740dba2cc7ea3cf683e52efa9e737ac9f3c861fb4
Instruction Fuzzy Hash: 3F2128B2604244DFDF09DF98E8C0B26BF69FB88324F248569E8850B246C377D465C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 011C99C8 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ca0daeb6db946eb1e4f84d68d19a4d8fac20674a6589a94f8bce2128c1fc70f
Instruction ID: 085a2841833c10e834e1f2430b270fb918b759f1cbba57996527c55ead70234e
Opcode Fuzzy Hash: 6ca0daeb6db946eb1e4f84d68d19a4d8fac20674a6589a94f8bce2128c1fc70f
Instruction Fuzzy Hash: D62190307272958BDB2D5B39A02A33D3EA5AB51B69B05402DFC47C6681DF6EC843CB71

Uniqueness

Uniqueness Score: -1.00%

Function 011C30D3 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09c3c4011968186bd4c414bb6e0ef9b153058a429550c0f51bedf5ff695ce925
Instruction ID: 0a5f64848e33937837936797f9cac4f683529386a69181ae15ec7422a4174e48
Opcode Fuzzy Hash: 09c3c4011968186bd4c414bb6e0ef9b153058a429550c0f51bedf5ff695ce925
Instruction Fuzzy Hash: D9313835900209EFCB05BFA0E95DEAD7FBAFB48301F048854FA04A6264CB325E15DF20

Uniqueness

Uniqueness Score: -1.00%

Function 011C30D8 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f486a9c4dedb890a4ac2245d9a4689af2d101dd8cb850fd8b1c8b85f6854f160
Instruction ID: 577417745bd3b15dfc456b5c0ed290eb8ad2f17c7602ff631bf2099b78dc43a9
Opcode Fuzzy Hash: f486a9c4dedb890a4ac2245d9a4689af2d101dd8cb850fd8b1c8b85f6854f160
Instruction Fuzzy Hash: A7314A35900209EFCB05BFA0E95DEAD7FBAFB48301F048854FA0496264CB325E15DF20

Uniqueness

Uniqueness Score: -1.00%

Function 011C5F92 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2773508a6287b5ae562d412dc570fb6abbc9ed4682a988a05d17f2db693b9b79
Instruction ID: 8727c8011e3727072a93e78cda1289fa708f4999fff79c419b18fe1f51126fc3
Opcode Fuzzy Hash: 2773508a6287b5ae562d412dc570fb6abbc9ed4682a988a05d17f2db693b9b79
Instruction Fuzzy Hash: 472180342047828FC725DF28C0805AF7FE1AF98610B148A19E8868B755DF38E84ADB65

Uniqueness

Uniqueness Score: -1.00%

Function 011C99C3 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a4c3c61b463d3cd162f2fb409bfe07bb040f6505dbefb675072ea7b79cc676d
Instruction ID: dc435fe000564219fe6c364872176273294e62006d4bfa372214d30c98a50507
Opcode Fuzzy Hash: 4a4c3c61b463d3cd162f2fb409bfe07bb040f6505dbefb675072ea7b79cc676d
Instruction Fuzzy Hash: F4217C306272998BDB2E6B39A01A23D3EA4AB61A69705405DFC4786641DF6DC803CB71

Uniqueness

Uniqueness Score: -1.00%

Function 011CCA80 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acc097292863b9fe201d40530e50a71d9e3e6ea5b89091495584e160df3ea610
Instruction ID: 902b2ce9496b9ebbff5cdadc066b984db72887f804d9ac33dab1b72de25708ab
Opcode Fuzzy Hash: acc097292863b9fe201d40530e50a71d9e3e6ea5b89091495584e160df3ea610
Instruction Fuzzy Hash: BB11E1353102019BC708EF28E9847AD7BAAEF94744F54882DE64A8B291DB75DD0AC7E0

Uniqueness

Uniqueness Score: -1.00%

Function 011C2531 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42843e31df528ed71eb9dc10aee4fd38d6ec63e682538fea8c481caf58a5e1c0
Instruction ID: 570af817bf506f29fbbb6c0c0f69adf0de156eb89297c187449e1acb6b95b746
Opcode Fuzzy Hash: 42843e31df528ed71eb9dc10aee4fd38d6ec63e682538fea8c481caf58a5e1c0
Instruction Fuzzy Hash: C8218134211600CFC354AB28E69896E7BB3FFC9315B644859E84B8B750DF36FC068BA1

Uniqueness

Uniqueness Score: -1.00%

Function 011C64EC Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d71cb4d158cd9eb432622f7f3d1761ddb50b7144dc0ce5794e0d53589828996b
Instruction ID: 41ebfb99b44f81571acbe7d76c306543757bcce2edbb0ac7c06f72d57bfb1a90
Opcode Fuzzy Hash: d71cb4d158cd9eb432622f7f3d1761ddb50b7144dc0ce5794e0d53589828996b
Instruction Fuzzy Hash: BD119B3540D7C58FC729DB38D8510997FB5FE32620709488FD0899B753CB29910ACBB6

Uniqueness

Uniqueness Score: -1.00%

Function 011C2540 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dfe95b8aef0fbe23af95c055957b63520feb059b61e1f7091c9f1047f4bf9c3
Instruction ID: 1c76d263f809be3289303ceb278724520ebdb7ac7636a1d4f12f4fef77d40280
Opcode Fuzzy Hash: 3dfe95b8aef0fbe23af95c055957b63520feb059b61e1f7091c9f1047f4bf9c3
Instruction Fuzzy Hash: 3F115E34211600CFC354AB28E59892EBBB7FFD92157944819E94B8B750CF36FC068BA1

Uniqueness

Uniqueness Score: -1.00%

Function 011CCA90 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fb09a258df3ec2f93ad17a3c819b8b75e06f87e892a1daaa36b65acb32c93b8
Instruction ID: 91adde45c755342f6bd5d679228fe9ae2cf2a1e04f4aae66735b888450bb3fe4
Opcode Fuzzy Hash: 7fb09a258df3ec2f93ad17a3c819b8b75e06f87e892a1daaa36b65acb32c93b8
Instruction Fuzzy Hash: B71173303102019BD708EE29E4947AE7B9AEB94750F90882DE50A8B291DF75DD4687E5

Uniqueness

Uniqueness Score: -1.00%

Function 0116D20B Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.515218351.000000000116D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0116D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_116d000_sotema_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f87ba3aa2c64edba505929a8d0f86639ffc52edd14bb0fad99d14871d38c3be
Instruction ID: 44bec7bcaaa8bbb6b4d2e7f54abc91f6810a956c6a6e7de301c981c95f0c3463
Opcode Fuzzy Hash: 5f87ba3aa2c64edba505929a8d0f86639ffc52edd14bb0fad99d14871d38c3be
Instruction Fuzzy Hash: FB219D76504280DFDF06CF94E9C4B16BF71FB88324F2486A9D9440B65AC33AD466CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 011C8AA0 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c7320ee4684eef566711290a0a1b141bf6dbaff4516e6e9efb9825ff3451e8e
Instruction ID: 8a75d2574f4444bfcf36bf4a3d9c8fb2e09f76c9f7f6be6c1e4b371031bfe93f
Opcode Fuzzy Hash: 9c7320ee4684eef566711290a0a1b141bf6dbaff4516e6e9efb9825ff3451e8e
Instruction Fuzzy Hash: 2D11E530B012049FD715AB78982576E3FF6AF85700F1080A5E90ADB3D5DF34CD0687A1

Uniqueness

Uniqueness Score: -1.00%

Function 0116D11F Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.515218351.000000000116D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0116D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_116d000_sotema_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5289b4a0742b719c39296e888207fcd63aeccd178d6e4a91aef647a94db2ca4b
Instruction ID: 4735017702606c17457c5bf927ae2e00fdd3175dee088de85eb5a8342e9ba1cf
Opcode Fuzzy Hash: 5289b4a0742b719c39296e888207fcd63aeccd178d6e4a91aef647a94db2ca4b
Instruction Fuzzy Hash: 3711B176504284CFDF16CF54D9C4B16BF71FB84324F2486A9D8440B616C33AD466CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 011CB270 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d791fa207e4b0577a11c88aaa1a60216f81b8fafe19e64a0b211d7332991a4e3
Instruction ID: a2179c62306c377cc50c8e14b03690950ba7ccff0425cfccd70acf9d236a26fa
Opcode Fuzzy Hash: d791fa207e4b0577a11c88aaa1a60216f81b8fafe19e64a0b211d7332991a4e3
Instruction Fuzzy Hash: 9C01A1303123409FCB545B74E48872EFBABFBC8265F54482DE9468B381CFB5A8078B60

Uniqueness

Uniqueness Score: -1.00%

Function 011C0439 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97c000c04278d7fd91e26b305d98caa6d8e5945a5401705a7778e7e3c0d1a850
Instruction ID: d2764babbc98bb3be3938adaab45e38166970e487b0b743e40628395b56139cc
Opcode Fuzzy Hash: 97c000c04278d7fd91e26b305d98caa6d8e5945a5401705a7778e7e3c0d1a850
Instruction Fuzzy Hash: 1A01B574B042199FCB14DBA8D864AAEBFFAFBD8310F10802AD50AE3355DA755D0287B1

Uniqueness

Uniqueness Score: -1.00%

Function 011C5F00 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af369680739a9a3ca0168b68df776b44b673193e8eef09477c21a08cad648fdf
Instruction ID: a167434c84de5c2422057a822eb1f1a3e33928ac94684136b97d431cd5c82558
Opcode Fuzzy Hash: af369680739a9a3ca0168b68df776b44b673193e8eef09477c21a08cad648fdf
Instruction Fuzzy Hash: 81F0443531A2112BE328227C1C25BAE3EA79BC7670F24423AF529DB3C1DE295C028321

Uniqueness

Uniqueness Score: -1.00%

Function 011C1A37 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a94e646e448451dd85939e20feda19604ac0f8143007ceaadf93b4cf677bc559
Instruction ID: e55c434b6588774d916fb993f818577ffa8a8b4e162a2c1c56eeb55f37dc2fe8
Opcode Fuzzy Hash: a94e646e448451dd85939e20feda19604ac0f8143007ceaadf93b4cf677bc559
Instruction Fuzzy Hash: 9E019275E002158FCB44EF68E8556AEBBF5EB89210B144429E909E3300DB354D068BE5

Uniqueness

Uniqueness Score: -1.00%

Function 011C0448 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 696c694a746fe7498bdc7d889a355b013a49b05da23390b0eb940610a59efedd
Instruction ID: ea4e7a1a96e01f05c196ac94824786b1852f2968bf1ce349ea14b42379c3fb99
Opcode Fuzzy Hash: 696c694a746fe7498bdc7d889a355b013a49b05da23390b0eb940610a59efedd
Instruction Fuzzy Hash: FA018F34B002199BCB18ABA9D864B6EBBBBFBC8310F204029D50AE3344CA755D0247F1

Uniqueness

Uniqueness Score: -1.00%

Function 011C1A40 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42c4d69212eb84ca62a0f4acc4c71be14ca9d1145a5520e43bb11da2a1303c9f
Instruction ID: 32ffd3af5a88f7149f0fe0f762ecbb6dbb6b396cfc5ad642ee7b7749d572ac0e
Opcode Fuzzy Hash: 42c4d69212eb84ca62a0f4acc4c71be14ca9d1145a5520e43bb11da2a1303c9f
Instruction Fuzzy Hash: 1F01A275F002159FCB04EFA8E8545AEBBF9EBC9220B104469E909E3344EF754E068BF5

Uniqueness

Uniqueness Score: -1.00%

Function 011CA9E3 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37d01fd085ce194bb8a3d7155d2c71dad2c69d4c232cdca69507d54420eb68a6
Instruction ID: 9a0e47e97a86c8d8e9a53be040c7a4b76985919cfa588f273174dc879c5a6e1c
Opcode Fuzzy Hash: 37d01fd085ce194bb8a3d7155d2c71dad2c69d4c232cdca69507d54420eb68a6
Instruction Fuzzy Hash: 22017C35200605CFC714DF1DE584A8ABBA5EF84710B558469E5058B721EBB4F8018BA0

Uniqueness

Uniqueness Score: -1.00%

Function 011CA9F0 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8e309160a48d9a5be60a020ecc880bd8c6bd21de0b26c032f3e4ce28cf8406c
Instruction ID: 41da62936b94cb7be9a06271600c4102317ac7e965e279b706a3fc3fcb0d1d04
Opcode Fuzzy Hash: e8e309160a48d9a5be60a020ecc880bd8c6bd21de0b26c032f3e4ce28cf8406c
Instruction Fuzzy Hash: 32014B35200605CFC754DF19E544D9ABBA6EF88710751C46AE5458B721DBB0F9028BA0

Uniqueness

Uniqueness Score: -1.00%

Function 011CBC71 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 582d0fdbf39d3c04bbe098e71a22520f2855f3aae3ef85b54efe852242de87e8
Instruction ID: 4af62059357d01617c3ae709e7d9a5d306994ffd8f05c0674a3fdba3eacbb02e
Opcode Fuzzy Hash: 582d0fdbf39d3c04bbe098e71a22520f2855f3aae3ef85b54efe852242de87e8
Instruction Fuzzy Hash: 71F0BE327042088FD7189B29E89ABABFBA9EFD4620F24803ED50687351DB719C45CA90

Uniqueness

Uniqueness Score: -1.00%

Function 011C9D57 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8667e185279ea64b762a3f54ed8dfbd0355570efde5ef325c8e90e2bf4d291c
Instruction ID: 6fb1c0c1cc3090e84f8945a6450bbe2c50e0c530f981344155182fb02e3080f1
Opcode Fuzzy Hash: e8667e185279ea64b762a3f54ed8dfbd0355570efde5ef325c8e90e2bf4d291c
Instruction Fuzzy Hash: 0EF01471A01619DFCB54EF69D40959EBFF1BF88714B004A2AE849E3240D7745A0A8BA0

Uniqueness

Uniqueness Score: -1.00%

Function 011CB95D Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d86d0bad3fdcdf346d0b7c3b6ad5193aaeee9481e8f5f7785c135e57cadc7a24
Instruction ID: 6ce5ad00ba975fc39ab1cb02d527494df63065784b0ac88370d81fb598efe0e6
Opcode Fuzzy Hash: d86d0bad3fdcdf346d0b7c3b6ad5193aaeee9481e8f5f7785c135e57cadc7a24
Instruction Fuzzy Hash: F501F674A05219EBDF04CF90D985FEDBB72BF48700F104009E841BA2A0DB355940DB60

Uniqueness

Uniqueness Score: -1.00%

Function 011C9D60 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 401300a1f5fea9676e66abdb5c22f10121289a30c753bcf41cc7b094b628b8e6
Instruction ID: c62025063ff960a0cfadd3b6a0b2dfd5e1d29ac4c0145eebd3ecf22afb1d4061
Opcode Fuzzy Hash: 401300a1f5fea9676e66abdb5c22f10121289a30c753bcf41cc7b094b628b8e6
Instruction Fuzzy Hash: C8F0F971A01619CFCB54EF69D40559EBFF5FF88720B00462AE949E3310DB746A058FA5

Uniqueness

Uniqueness Score: -1.00%

Function 011C5EFB Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64d1ea23b81f5840f302c85a7113611477686b6e8f810218ad1ad3caeeeb00f6
Instruction ID: 6b78537f7046ec22bcc7bffb586163e499cdcd9451a81653f903d7f1dc1183b8
Opcode Fuzzy Hash: 64d1ea23b81f5840f302c85a7113611477686b6e8f810218ad1ad3caeeeb00f6
Instruction Fuzzy Hash: 3DE0D83631832133E528145E6C41FAB694F97C6A70E744328B13DA73C0CD5168014168

Uniqueness

Uniqueness Score: -1.00%

Function 011CCB41 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87cd6bf93358b4ec7ad62d234f55a66f2e3265cea758709a8b27809853296b5b
Instruction ID: 9958cc043ed8d65f570ba523ff5bc4c9867cd3dbe2245fa8945938bf481a86e9
Opcode Fuzzy Hash: 87cd6bf93358b4ec7ad62d234f55a66f2e3265cea758709a8b27809853296b5b
Instruction Fuzzy Hash: EBE02B322102419BD3189A9DE880B9ABFBDFBC5764F084829E60C87350CF76A806C3E1

Uniqueness

Uniqueness Score: -1.00%

Function 011CDA18 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93c5ac9a8a2d77b0e954ad33d1330f6f71a5c955d174b4f4bcd1c5770ffbb73a
Instruction ID: cd6d94d203c4907bdef359e40caf28dc194262618933f8bc01974bd085f6e60c
Opcode Fuzzy Hash: 93c5ac9a8a2d77b0e954ad33d1330f6f71a5c955d174b4f4bcd1c5770ffbb73a
Instruction Fuzzy Hash: FAF0E9719141599BDF24CE68EC807DABBB4EB94350F0086BBD515E22C0DF705A54CB60

Uniqueness

Uniqueness Score: -1.00%

Function 011C9CF3 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f6f6036cc67ba2c736bf22ca9c31f789cf1fbf982e7a1e67b03160aca6c7568
Instruction ID: d25bc4c50c53dc411e21a3c4a7c8153cc203895936f73de742b2e6c55068dce9
Opcode Fuzzy Hash: 7f6f6036cc67ba2c736bf22ca9c31f789cf1fbf982e7a1e67b03160aca6c7568
Instruction Fuzzy Hash: FCE0223620120167C704266AFC84A6EFE6EEBCA220F40403AFA08C3300EEB68C0656B1

Uniqueness

Uniqueness Score: -1.00%

Function 011C63D1 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6732b7fa9d9a0f97b9bef7584cca43179c10ce35619d1b955e582a68fa607db
Instruction ID: 18546a346a15337e5163d1af380a40ba08b3a38b64ecf0d18ad953630d25fe07
Opcode Fuzzy Hash: d6732b7fa9d9a0f97b9bef7584cca43179c10ce35619d1b955e582a68fa607db
Instruction Fuzzy Hash: FDE06F3230131893C31801AAA8106B9FB5ADBE1620B0C0439EA04CB300FE28C80282A0

Uniqueness

Uniqueness Score: -1.00%

Function 011C9D00 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8d9b9094724aff63fd63c9f2b4eaf393e959c8414bce631c45b409851da514f
Instruction ID: 1f6cd4cbbd7630dd617fe781315335f416dd1e7094370565054f3e469b024499
Opcode Fuzzy Hash: f8d9b9094724aff63fd63c9f2b4eaf393e959c8414bce631c45b409851da514f
Instruction Fuzzy Hash: C6E0203531121067C304376AFC4485FFE6ED7CA220B40443AF90DC3300DEB64C0646B1

Uniqueness

Uniqueness Score: -1.00%

Function 011C4F53 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb8b256bd966b0a83af86073110add6106e7fd67e3e0efb914dddea6a43e2c1f
Instruction ID: d232a6dc62ee1d94bb5d97b1a1834ff3a5f41553edcb2b619e4f4c168fc7237e
Opcode Fuzzy Hash: bb8b256bd966b0a83af86073110add6106e7fd67e3e0efb914dddea6a43e2c1f
Instruction Fuzzy Hash: A7E01A35612300CB83295A25F84545ABBB6FBC96A6364447EFC0683710DEB6E843CB60

Uniqueness

Uniqueness Score: -1.00%

Function 011C8A90 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a34713ed09b0343bfd51834678835fedc6205085a25074af7412f17ea987712a
Instruction ID: 51a33506f28a1af29f4aa6a9969248315a6c20129e4efb9b6b9f391b08f88a53
Opcode Fuzzy Hash: a34713ed09b0343bfd51834678835fedc6205085a25074af7412f17ea987712a
Instruction Fuzzy Hash: 51E086316001149FC714DB6CD985B997BB8FF04614F640068EA05D7251DF21DC39CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 011C8C70 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4383273e25c29210d8a021656b2320b1df68617f98fa0a340159a946a8fe65af
Instruction ID: 9e8acda928fa1d0cf4a1b77366c726645940aa0ebfa13d7197f3bde65e0504c1
Opcode Fuzzy Hash: 4383273e25c29210d8a021656b2320b1df68617f98fa0a340159a946a8fe65af
Instruction Fuzzy Hash: D9E0C233100224A7EB04CB98D891BDFBB78DF41260F24011ED116E7600EE701E2082E4

Uniqueness

Uniqueness Score: -1.00%

Function 011C4F58 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6da320b2ae6227949e26ef083c6acde0718391f337ac1ac19965f9ce12cc4d3f
Instruction ID: 6a51aed67047bcd45a78496d558c6cea25be0600557cf2326b993e5746c0a5c5
Opcode Fuzzy Hash: 6da320b2ae6227949e26ef083c6acde0718391f337ac1ac19965f9ce12cc4d3f
Instruction Fuzzy Hash: 55E0BF35712704CBC3295B25F8454567BB6FBC9666364447EFC0683710DE76E843CB50

Uniqueness

Uniqueness Score: -1.00%

Function 011C04D9 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea2e5221877cdcd5aa8f6d193bcd8152d7bb7c09e41e2a082a5a036c294c7fd5
Instruction ID: f11f88a82703250f52ae8b351548019242f439192a9b31131a2cc13295172651
Opcode Fuzzy Hash: ea2e5221877cdcd5aa8f6d193bcd8152d7bb7c09e41e2a082a5a036c294c7fd5
Instruction Fuzzy Hash: 03E04F7091124CEFCB58EFA8D5416EC77B4FB55244F204AAAD408E7345EB311F449B40

Uniqueness

Uniqueness Score: -1.00%

Function 011C04E8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55420305b8717d0b1ed230f38c9a3babe9b9e0e27d83b9c7b77ad79b622aef86
Instruction ID: 0c42b9010bfa66cfe0b1b758fc7f045df5fbe27dbe52da7c1fc87f3a8c9817da
Opcode Fuzzy Hash: 55420305b8717d0b1ed230f38c9a3babe9b9e0e27d83b9c7b77ad79b622aef86
Instruction Fuzzy Hash: 9DD05E70A0024CEFCB48FFA8D94055DB7B9FB44204B2049A9E408E3344EF322F04EB94

Uniqueness

Uniqueness Score: -1.00%

Function 011C8C80 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e72a4c1dbab69b2608fdae9bca8b0f28bcf2bf32a52841a2d796266b2ac3a14
Instruction ID: 01c0bc78a49a24587257790c2f0d7045f2ed90944a053893528b42e1e040d801
Opcode Fuzzy Hash: 6e72a4c1dbab69b2608fdae9bca8b0f28bcf2bf32a52841a2d796266b2ac3a14
Instruction Fuzzy Hash: 69D01233604328AB5B04DAE9A4509DFBFBDDA85170F01416ED519EB740ED751E4042E9

Uniqueness

Uniqueness Score: -1.00%

Function 011C2EB3 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fdf4eabf362371fc945376a055b377041f20358c5ef1b39314c9629914fe319
Instruction ID: 7f501228fa52ac494ed00a8f700aadb90b1684c519a50cabef0a4b4fa5859ebb
Opcode Fuzzy Hash: 4fdf4eabf362371fc945376a055b377041f20358c5ef1b39314c9629914fe319
Instruction Fuzzy Hash: 7AD05E3931422497D6097A4CF46474FB66AEB8A308F988014A109C734DDFA64C0657E2

Uniqueness

Uniqueness Score: -1.00%

Function 011C9CB1 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9894b1e2811fd352754f78b46dff58c8e289bfec537635de254717b38340f2ee
Instruction ID: 9fc336864c6243d41b2844816932e1f3316f36708939f75e23bc5252b2922f4e
Opcode Fuzzy Hash: 9894b1e2811fd352754f78b46dff58c8e289bfec537635de254717b38340f2ee
Instruction Fuzzy Hash: ECE017B4A012948BEB18EF29E09476FBBA2AB89304F5481589005CB349DBB5CE819B50

Uniqueness

Uniqueness Score: -1.00%

Function 011C2CD3 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59705b2764531d1ca2a683d63e46953f28391f8837c90fb1affd2b8c1e1cc42a
Instruction ID: 2c73fbc97f78d7f7de563350385c7e0d96db44f64936a4efc2773899d1383b60
Opcode Fuzzy Hash: 59705b2764531d1ca2a683d63e46953f28391f8837c90fb1affd2b8c1e1cc42a
Instruction Fuzzy Hash: 08A0128910020642E006359CD06230DC0159FC1104FC0C40001489A344DD1D44013373

Uniqueness

Uniqueness Score: -1.00%

Function 011C8C59 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a98dd21c82b528e8f86dec3cdddcee5f52262d368a93037ac312552617b4a23e
Instruction ID: 6ac79b3a56c4161fa934bc21daaec2151c652947f325baeca5e3baeba51a3e63
Opcode Fuzzy Hash: a98dd21c82b528e8f86dec3cdddcee5f52262d368a93037ac312552617b4a23e
Instruction Fuzzy Hash: D3A0012961122287EE089B64E9EA57DBB26BB813553684459A912C7240DE288D26F660

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 011CCCF0 Relevance: .4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.515377444.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_11c0000_sotema_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79e33815ff7d9aeae38291315e6ba21b7ad5e8bea658e77b295bdedfece3880a
Instruction ID: aaebbb883fff2ba70a1f3fd25c86de7280161fb9d80522d2a33d79afef24c10c
Opcode Fuzzy Hash: 79e33815ff7d9aeae38291315e6ba21b7ad5e8bea658e77b295bdedfece3880a
Instruction Fuzzy Hash: 39D19035B002058FDB18DB79D854A6E7BF6AF99710F148469E90ADB391DF34DC02CBA1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report sotema_7.txt.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: RedLine

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\sotema_7.txt.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

TCP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Windows Analysis Report
sotema_7.txt.exe