Edit tour
Windows
Analysis Report
server.exe
Overview
General Information
| Sample Name: | server.exe |
| Analysis ID: | 827054 |
| MD5: | 768928d17e8d3489407b540dbad4a770 |
| SHA1: | 8ce488487dc133ef92dec536608b0c1056a3e16a |
| SHA256: | 5d0be9aaad980137d68677d7ef3758d9ce7a4e2d170df0abee803f64b14dcd67 |
| Tags: | agenziaentrateexegoziisfbITAmefmiseursnif |
| Infos: |  |
 | |
Detection
Ursnif
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Yara detected Ursnif
Detected unpacking (changes PE section rights)
Snort IDS alert for network traffic
Writes or reads registry keys via WMI
Found API chain indicative of debugger detection
Machine Learning detection for sample
Found evasive API chain (may stop execution after checking system information)
Writes registry values via WMI
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Creates a DirectInput object (often for capturing keystrokes)
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Found evasive API chain checking for process token information
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses Microsoft's Enhanced Cryptographic Provider
Classification
- System is w10x64
server.exe (PID: 3536 cmdline: C:\Users\u ser\Deskto p\server.e xe MD5: 768928D17E8D3489407B540DBAD4A770)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Gozi, Ursnif | 2000 Ursnif aka Snifula2006 Gozi v1.0, Gozi CRM, CRM, Papras2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)-> 2010 Gozi Prinimalka -> Vawtrak/NeverquestIn 2006, Gozi v1.0 ('Gozi CRM' aka 'CRM') aka Papras was first observed.It was offered as a CaaS, known as 76Service. This first version of Gozi was developed by Nikita Kurmin, and he borrowed code from Ursnif aka Snifula, a spyware developed by Alexey Ivanov around 2000, and some other kits. Gozi v1.0 thus had a formgrabber module and often is classified as Ursnif aka Snifula.In September 2010, the source code of a particular Gozi CRM dll version was leaked, which led to Vawtrak/Neverquest (in combination with Pony) via Gozi Prinimalka (a slightly modified Gozi v1.0) and Gozi v2.0 (aka 'Gozi ISFB' aka 'ISFB' aka Pandemyia). This version came with a webinject module. | No Attribution |
{"RSA Public Key": "ScCitKVnthsrIejolA7zuBWvwII2di/DH3GlyTtkQAl5+NYn11P8hoApgIAx8QgiEaRicK3ETZq3j2ua44XjJevEH0XzzTqZAT3wkYswDxrBkgZMCwo6YXkhXitvoh3eARDtRDEkQsoLHZ9GnSskgPPZhcXZcW5DEVGUxmtbXgDaTXEEASp94TxsSTq8LcHFcoUD/3qCUIKISKD7sIV0hgpJQ8kx5Fr/zREoX54YDyuxKi/xJ3SBIavWF9UPU+YwvxpBDYMFrMsKJrjGUlpoQZehisJjttb1cTtggelEGnFr5O2GXefQUuwrSizDeVnMRSAHdds+AiqlPxEl1nFzSfnHhHtw7Ql8JtPTws7Z1Ho=", "c2_domain": ["checklist.skype.com", "5.44.43.17", "31.41.44.108", "62.173.138.213", "109.248.11.174"], "botnet": "7714", "server": "50", "serpent_key": "lk8hY4nisKQzZKXE", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown |
| |
| JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | ||
| Windows_Trojan_Gozi_fd494041 | unknown | unknown |
| |
| Windows_Trojan_Gozi_261f5ac5 | unknown | unknown |
| |
| JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | ||
| Click to see the 27 entries | ||||
⊘No Sigma rule has matched
| Timestamp: | 192.168.2.45.44.43.1749695802033203 03/15/23-14:40:37.858863 |
| SID: | 2033203 |
| Source Port: | 49695 |
| Destination Port: | 80 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Virustotal: | Perma Link | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Avira: | ||
| Source: | Malware Configuration Extractor: | ||
| Source: | Code function: | 0_2_02CE1508 | |
Compliance | |
|---|
| Source: | Unpacked PE file: | ||
| Source: | Static PE information: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Binary string: | ||
Networking | |
|---|
| Source: | Snort IDS: | ||
| Source: | ASN Name: | ||
| Source: | HTTP traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | DNS traffic detected: | ||
| Source: | HTTP traffic detected: | ||
Key, Mouse, Clipboard, Microphone and Screen Capturing | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | Binary or memory string: | ||
E-Banking Fraud | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | Code function: | 0_2_02CE1508 | |
System Summary | |
|---|
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Registry write: | ||
| Source: | WMI Registry write: | ||
| Source: | WMI Registry write: | ||
| Source: | Static PE information: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Code function: | 0_2_02CE16DF | |
| Source: | Code function: | 0_2_02CE1D8A | |
| Source: | Code function: | 0_2_02CE832C | |
| Source: | Code function: | 0_2_0040110B | |
| Source: | Code function: | 0_2_00401459 | |
| Source: | Code function: | 0_2_004019F1 | |
| Source: | Code function: | 0_2_02CE421F | |
| Source: | Code function: | 0_2_02CE8551 | |
| Source: | Virustotal: | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Classification label: | ||
| Source: | Code function: | 0_2_02CE30D5 | |
| Source: | File read: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
Data Obfuscation | |
|---|
| Source: | Unpacked PE file: | ||
| Source: | Unpacked PE file: | ||
| Source: | Code function: | 0_2_02CE832B | |
| Source: | Code function: | 0_2_02CE7F39 | |
| Source: | Code function: | 0_2_02E50FA0 | |
| Source: | Code function: | 0_2_02E56228 | |
| Source: | Code function: | 0_2_00401000 | |
Hooking and other Techniques for Hiding and Protection | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | Evasive API call chain: | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Check user administrative privileges: | ||
| Source: | API call chain: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
Anti Debugging | |
|---|
| Source: | Debugger detection routine: | ||
| Source: | Code function: | 0_2_00401000 | |
| Source: | Code function: | 0_2_02E4E470 | |
| Source: | Code function: | 0_2_004019F1 | |
| Source: | Code function: | 0_2_02CE3BD3 | |
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Code function: | 0_2_004015B0 | |
| Source: | Code function: | 0_2_00401D68 | |
| Source: | Code function: | 0_2_02CE3BD3 | |
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | 2 Windows Management Instrumentation | Path Interception | Path Interception | 11 Virtualization/Sandbox Evasion | 1 Input Capture | 1 System Time Discovery | Remote Services | 1 Input Capture | Exfiltration Over Other Network Medium | 2 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | 1 Data Encrypted for Impact |
| Default Accounts | 12 Native API | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Obfuscated Files or Information | LSASS Memory | 11 Security Software Discovery | Remote Desktop Protocol | 11 Archive Collected Data | Exfiltration Over Bluetooth | 1 Ingress Tool Transfer | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 21 Software Packing | Security Account Manager | 11 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 2 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Binary Padding | NTDS | 1 Process Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 12 Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud | |
| Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | 1 Account Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
| Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | 1 System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
| External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | 1 Remote System Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
| Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 124 System Information Discovery | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 55% | Virustotal | Browse | ||
| 100% | Joe Sandbox ML |
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link | Download |
|---|---|---|---|---|---|
| 100% | Avira | HEUR/AGEN.1245293 | Download File | ||
| 100% | Avira | TR/Crypt.XPACK.Gen7 | Download File |
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 1% | Virustotal | Browse | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| checklist.skype.com | unknown | unknown | false | high |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| true |
| unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| low | ||
| false | high |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 5.44.43.17 | unknown | Russian Federation | 202423 | MGNHOST-ASRU | true | |
| 31.41.44.108 | unknown | Russian Federation | 56577 | ASRELINKRU | false |
| Joe Sandbox Version: | 37.0.0 Beryl |
| Analysis ID: | 827054 |
| Start date and time: | 2023-03-15 14:38:10 +01:00 |
| Joe Sandbox Product: | CloudBasic |
| Overall analysis duration: | 0h 6m 12s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
| Number of analysed new started processes analysed: | 7 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample file name: | server.exe |
| Detection: | MAL |
| Classification: | mal100.troj.evad.winEXE@1/0@1/2 |
| EGA Information: |
|
| HDC Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe, WmiPrvSE.exe
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
⊘No simulations
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 5.44.43.17 | Get hash | malicious | Ursnif | Browse |
⊘No context
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| ASRELINKRU | Get hash | malicious | Ursnif | Browse |
| |
| Get hash | malicious | Ursnif | Browse |
| ||
| Get hash | malicious | Ursnif | Browse |
| ||
| Get hash | malicious | Ursnif | Browse |
| ||
| Get hash | malicious | Ursnif | Browse |
| ||
| Get hash | malicious | Ursnif | Browse |
| ||
| Get hash | malicious | Ursnif | Browse |
| ||
| Get hash | malicious | Ursnif | Browse |
| ||
| Get hash | malicious | Ursnif | Browse |
| ||
| Get hash | malicious | Ursnif | Browse |
| ||
| Get hash | malicious | Ursnif | Browse |
| ||
| Get hash | malicious | Ursnif | Browse |
| ||
| Get hash | malicious | Ursnif | Browse |
| ||
| Get hash | malicious | Ursnif | Browse |
| ||
| Get hash | malicious | Ursnif | Browse |
| ||
| Get hash | malicious | Ursnif | Browse |
| ||
| Get hash | malicious | Ursnif | Browse |
| ||
| Get hash | malicious | Ursnif | Browse |
| ||
| Get hash | malicious | Ursnif | Browse |
| ||
| Get hash | malicious | Ursnif | Browse |
| ||
| MGNHOST-ASRU | Get hash | malicious | Ursnif | Browse |
| |
| Get hash | malicious | Ursnif | Browse |
| ||
| Get hash | malicious | Ursnif | Browse |
| ||
| Get hash | malicious | Ursnif, zgRAT | Browse |
| ||
| Get hash | malicious | DanaBot | Browse |
| ||
| Get hash | malicious | Ursnif | Browse |
| ||
| Get hash | malicious | Ursnif | Browse |
| ||
| Get hash | malicious | Ursnif | Browse |
| ||
| Get hash | malicious | Ursnif | Browse |
| ||
| Get hash | malicious | Ursnif | Browse |
| ||
| Get hash | malicious | Ursnif | Browse |
| ||
| Get hash | malicious | Ursnif | Browse |
| ||
| Get hash | malicious | Ursnif | Browse |
| ||
| Get hash | malicious | Ursnif CryptOne | Browse |
| ||
| Get hash | malicious | Ursnif CryptOne | Browse |
| ||
| Get hash | malicious | Ursnif CryptOne | Browse |
| ||
| Get hash | malicious | Ursnif CryptOne | Browse |
| ||
| Get hash | malicious | Ursnif CryptOne | Browse |
| ||
| Get hash | malicious | Ursnif | Browse |
| ||
| Get hash | malicious | Ursnif | Browse |
|
⊘No context
⊘No context
⊘No created / dropped files found
| File type: | |
| Entropy (8bit): | 6.191671893434653 |
| TrID: |
|
| File name: | server.exe |
| File size: | 316928 |
| MD5: | 768928d17e8d3489407b540dbad4a770 |
| SHA1: | 8ce488487dc133ef92dec536608b0c1056a3e16a |
| SHA256: | 5d0be9aaad980137d68677d7ef3758d9ce7a4e2d170df0abee803f64b14dcd67 |
| SHA512: | 0827c24c00d00ce10e5f6732d29efed6a051eafcc9aeb6a7c69d5b89615f7eb49b5333b6d5614613b0e64f792b3ff6d850108eb736eb1169eccbda09be3ac869 |
| SSDEEP: | 3072:3SVRi5/ELPnpP0SbcTS7ipobb2m+9vAh2QlNlfkkVjJ:Cri5ELBcV3qbAIn5NJ |
| TLSH: | CC642A1393E1BD85E96A8B729E1ED6F8761EF690CE0D776922289F1F04B1076C263710 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........:..@[..@[..@[..^.>.`[..^./.T[..^.9.#[..g...I[..@[..3[..^.0.A[..^...A[..^.+.A[..Rich@[..........PE..L.....^b................... |
 | |
| Icon Hash: | a4a4a08484b4a4e0 |
| Entrypoint: | 0x404f66 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
| DLL Characteristics: | TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x625E87B1 [Tue Apr 19 09:58:09 2022 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 5 |
| OS Version Minor: | 0 |
| File Version Major: | 5 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 5 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 25b97b20ea5f74ae1a1939bb76680477 |
| Instruction |
|---|
| call 00007FBBDCB55A6Bh |
| jmp 00007FBBDCB5393Eh |
| mov edi, edi |
| push ecx |
| mov dword ptr [ecx], 0040125Ch |
| call 00007FBBDCB55AEEh |
| pop ecx |
| ret |
| mov edi, edi |
| push ebp |
| mov ebp, esp |
| push esi |
| mov esi, ecx |
| call 00007FBBDCB53AA8h |
| test byte ptr [ebp+08h], 00000001h |
| je 00007FBBDCB53AC9h |
| push esi |
| call 00007FBBDCB53D75h |
| pop ecx |
| mov eax, esi |
| pop esi |
| pop ebp |
| retn 0004h |
| mov edi, edi |
| push ebp |
| mov ebp, esp |
| mov ecx, dword ptr [ebp+08h] |
| push ebx |
| xor ebx, ebx |
| push esi |
| push edi |
| cmp ecx, ebx |
| je 00007FBBDCB53AC9h |
| mov edi, dword ptr [ebp+0Ch] |
| cmp edi, ebx |
| jnbe 00007FBBDCB53ADDh |
| call 00007FBBDCB55D4Eh |
| push 00000016h |
| pop esi |
| mov dword ptr [eax], esi |
| push ebx |
| push ebx |
| push ebx |
| push ebx |
| push ebx |
| call 00007FBBDCB55CD7h |
| add esp, 14h |
| mov eax, esi |
| jmp 00007FBBDCB53AF2h |
| mov esi, dword ptr [ebp+10h] |
| cmp esi, ebx |
| jne 00007FBBDCB53AC6h |
| mov byte ptr [ecx], bl |
| jmp 00007FBBDCB53A9Ch |
| mov edx, ecx |
| mov al, byte ptr [esi] |
| mov byte ptr [edx], al |
| inc edx |
| inc esi |
| cmp al, bl |
| je 00007FBBDCB53AC5h |
| dec edi |
| jne 00007FBBDCB53AB5h |
| cmp edi, ebx |
| jne 00007FBBDCB53AD2h |
| mov byte ptr [ecx], bl |
| call 00007FBBDCB55D13h |
| push 00000022h |
| pop ecx |
| mov dword ptr [eax], ecx |
| mov esi, ecx |
| jmp 00007FBBDCB53A83h |
| xor eax, eax |
| pop edi |
| pop esi |
| pop ebx |
| pop ebp |
| ret |
| push 0000000Ch |
| push 0040EEC0h |
| call 00007FBBDCB54DF4h |
| and dword ptr [ebp-1Ch], 00000000h |
| mov esi, dword ptr [ebp+08h] |
| cmp esi, dword ptr [02AE8870h] |
| jnbe 00007FBBDCB53AE4h |
| push 00000004h |
| call 00007FBBDCB55E70h |
| pop ecx |
| and dword ptr [ebp+00h], 00000000h |
| Programming Language: |
|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0xf14c | 0x64 | .text |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x26e9000 | 0x1f6e8 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2709000 | 0xa40 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x11c0 | 0x1c | .text |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2d98 | 0x40 | .text |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x184 | .text |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0xea34 | 0xec00 | False | 0.5837526483050848 | data | 6.736125354250025 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .data | 0x10000 | 0x26d89c8 | 0x17400 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x26e9000 | 0x1f6e8 | 0x1f800 | False | 0.4157831101190476 | data | 4.733170034701941 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x2709000 | 0x78fc | 0x7a00 | False | 0.0759157274590164 | data | 0.9356665533967813 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country |
|---|---|---|---|---|---|
| AFX_DIALOG_LAYOUT | 0x2704e08 | 0x2 | data | ||
| AFX_DIALOG_LAYOUT | 0x2704df0 | 0xe | data | ||
| AFX_DIALOG_LAYOUT | 0x2704e00 | 0x2 | data | ||
| JOSEFUZITILEP | 0x27034a8 | 0x18d4 | ASCII text, with very long lines (6356), with no line terminators | Serbian | Italy |
| MOXUCAKOSAMIZIJAYIG | 0x2702cd0 | 0x7d1 | ASCII text, with very long lines (2001), with no line terminators | Serbian | Italy |
| RT_CURSOR | 0x2704e10 | 0x330 | Device independent bitmap graphic, 48 x 96 x 1, image size 0 | ||
| RT_CURSOR | 0x2705140 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 0 | ||
| RT_CURSOR | 0x2705298 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | ||
| RT_CURSOR | 0x2706140 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | ||
| RT_CURSOR | 0x27069e8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | ||
| RT_CURSOR | 0x2706f80 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 0 | ||
| RT_CURSOR | 0x27070b0 | 0xb0 | Device independent bitmap graphic, 16 x 32 x 1, image size 0 | ||
| RT_ICON | 0x26e9c60 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Serbian | Italy |
| RT_ICON | 0x26eab08 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Serbian | Italy |
| RT_ICON | 0x26eb3b0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Serbian | Italy |
| RT_ICON | 0x26eba78 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Serbian | Italy |
| RT_ICON | 0x26ebfe0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Serbian | Italy |
| RT_ICON | 0x26ee588 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Serbian | Italy |
| RT_ICON | 0x26ef630 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Serbian | Italy |
| RT_ICON | 0x26efb00 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Serbian | Italy |
| RT_ICON | 0x26f09a8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Serbian | Italy |
| RT_ICON | 0x26f1250 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Serbian | Italy |
| RT_ICON | 0x26f1918 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Serbian | Italy |
| RT_ICON | 0x26f1e80 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Serbian | Italy |
| RT_ICON | 0x26f4428 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | Serbian | Italy |
| RT_ICON | 0x26f54d0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | Serbian | Italy |
| RT_ICON | 0x26f5e58 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Serbian | Italy |
| RT_ICON | 0x26f6338 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Serbian | Italy |
| RT_ICON | 0x26f71e0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Serbian | Italy |
| RT_ICON | 0x26f7a88 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Serbian | Italy |
| RT_ICON | 0x26f7ff0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Serbian | Italy |
| RT_ICON | 0x26fa598 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Serbian | Italy |
| RT_ICON | 0x26fb640 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Serbian | Italy |
| RT_ICON | 0x26fbfc8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Serbian | Italy |
| RT_ICON | 0x26fc498 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Serbian | Italy |
| RT_ICON | 0x26fd340 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Serbian | Italy |
| RT_ICON | 0x26fdbe8 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Serbian | Italy |
| RT_ICON | 0x26fe2b0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Serbian | Italy |
| RT_ICON | 0x26fe818 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Serbian | Italy |
| RT_ICON | 0x2700dc0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Serbian | Italy |
| RT_ICON | 0x2701e68 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Serbian | Italy |
| RT_ICON | 0x27027f0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Serbian | Italy |
| RT_STRING | 0x2707380 | 0x2be | data | ||
| RT_STRING | 0x2707640 | 0x492 | data | ||
| RT_STRING | 0x2707ad8 | 0x5c6 | data | ||
| RT_STRING | 0x27080a0 | 0x118 | data | ||
| RT_STRING | 0x27081b8 | 0x52a | data | ||
| RT_ACCELERATOR | 0x2704d80 | 0x48 | data | Serbian | Italy |
| RT_ACCELERATOR | 0x2704dc8 | 0x18 | data | Serbian | Italy |
| RT_GROUP_CURSOR | 0x2705270 | 0x22 | data | ||
| RT_GROUP_CURSOR | 0x2706f50 | 0x30 | data | ||
| RT_GROUP_CURSOR | 0x2707160 | 0x22 | data | ||
| RT_GROUP_ICON | 0x26fc430 | 0x68 | data | Serbian | Italy |
| RT_GROUP_ICON | 0x26efa98 | 0x68 | data | Serbian | Italy |
| RT_GROUP_ICON | 0x26f62c0 | 0x76 | data | Serbian | Italy |
| RT_GROUP_ICON | 0x2702c58 | 0x76 | data | Serbian | Italy |
| RT_VERSION | 0x2707188 | 0x1f8 | data | ||
| None | 0x2704de0 | 0xa | data |
| DLL | Import |
|---|---|
| KERNEL32.dll | CreateHardLinkA, CallNamedPipeW, GetCommConfig, GetConsoleAliasesA, GetWindowsDirectoryA, FindResourceExA, GlobalAlloc, LoadLibraryW, CreateEventA, GetConsoleAliasExesLengthW, GetStringTypeExW, GetExitCodeProcess, lstrcpynW, EnumSystemCodePagesA, GetFileAttributesW, LocalReAlloc, WriteConsoleW, GetBinaryTypeA, MultiByteToWideChar, SetLastError, FindCloseChangeNotification, VirtualAlloc, GetFileType, WriteProfileSectionW, FreeEnvironmentStringsW, GetPrivateProfileSectionA, GetStringTypeW, EnumDateFormatsW, FindAtomW, DeleteTimerQueueTimer, GlobalAddAtomW, OpenFileMappingA, LCMapStringW, OpenJobObjectA, GetProcAddress, GetStartupInfoW, HeapAlloc, GetLastError, HeapFree, GetModuleHandleW, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, GetCurrentThreadId, InterlockedDecrement, Sleep, HeapSize, ExitProcess, SetUnhandledExceptionFilter, WriteFile, GetStdHandle, GetModuleFileNameA, GetModuleFileNameW, GetEnvironmentStringsW, GetCommandLineW, SetHandleCount, GetStartupInfoA, DeleteCriticalSection, HeapCreate, VirtualFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, IsDebuggerPresent, LeaveCriticalSection, EnterCriticalSection, HeapReAlloc, RaiseException, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, LoadLibraryA, InitializeCriticalSectionAndSpinCount, RtlUnwind, GetModuleHandleA, LCMapStringA, WideCharToMultiByte, GetStringTypeA, GetLocaleInfoA |
| USER32.dll | NotifyWinEvent, LoadMenuW, GetMenuInfo, ValidateRect, ArrangeIconicWindows |
| GDI32.dll | GetGlyphIndicesA |
| ADVAPI32.dll | MapGenericMask |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| Serbian | Italy |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|---|---|---|
| 192.168.2.45.44.43.1749695802033203 03/15/23-14:40:37.858863 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49695 | 80 | 192.168.2.4 | 5.44.43.17 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Mar 15, 2023 14:40:37.787641048 CET | 49695 | 80 | 192.168.2.4 | 5.44.43.17 |
| Mar 15, 2023 14:40:37.841355085 CET | 80 | 49695 | 5.44.43.17 | 192.168.2.4 |
| Mar 15, 2023 14:40:37.841609001 CET | 49695 | 80 | 192.168.2.4 | 5.44.43.17 |
| Mar 15, 2023 14:40:37.858863115 CET | 49695 | 80 | 192.168.2.4 | 5.44.43.17 |
| Mar 15, 2023 14:40:37.912709951 CET | 80 | 49695 | 5.44.43.17 | 192.168.2.4 |
| Mar 15, 2023 14:40:37.913563967 CET | 80 | 49695 | 5.44.43.17 | 192.168.2.4 |
| Mar 15, 2023 14:40:37.913654089 CET | 49695 | 80 | 192.168.2.4 | 5.44.43.17 |
| Mar 15, 2023 14:40:37.926760912 CET | 49695 | 80 | 192.168.2.4 | 5.44.43.17 |
| Mar 15, 2023 14:40:37.980429888 CET | 80 | 49695 | 5.44.43.17 | 192.168.2.4 |
| Mar 15, 2023 14:40:57.963377953 CET | 49696 | 80 | 192.168.2.4 | 31.41.44.108 |
| Mar 15, 2023 14:41:00.968698025 CET | 49696 | 80 | 192.168.2.4 | 31.41.44.108 |
| Mar 15, 2023 14:41:06.971541882 CET | 49696 | 80 | 192.168.2.4 | 31.41.44.108 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Mar 15, 2023 14:39:17.005433083 CET | 56572 | 53 | 192.168.2.4 | 8.8.8.8 |
| Mar 15, 2023 14:39:17.028251886 CET | 53 | 56572 | 8.8.8.8 | 192.168.2.4 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Mar 15, 2023 14:39:17.005433083 CET | 192.168.2.4 | 8.8.8.8 | 0xa670 | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Mar 15, 2023 14:39:17.028251886 CET | 8.8.8.8 | 192.168.2.4 | 0xa670 | Name error (3) | none | none | A (IP address) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
|---|---|---|---|---|---|
| 0 | 192.168.2.4 | 49695 | 5.44.43.17 | 80 | C:\Users\user\Desktop\server.exe |
| Timestamp | kBytes transferred | Direction | Data |
|---|---|---|---|
| Mar 15, 2023 14:40:37.858863115 CET | 93 | OUT |
| Target ID: | 0 |
| Start time: | 14:39:04 |
| Start date: | 15/03/2023 |
| Path: | C:\Users\user\Desktop\server.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 316928 bytes |
| MD5 hash: | 768928D17E8D3489407B540DBAD4A770 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | low |
Function 004019F1 Relevance: 27.2, APIs: 18, Instructions: 160threadsleepnativeCOMMON
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 85% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02CE1508 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 163encryptionCOMMON
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 50% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02CE3BD3 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 103memoryCOMMON
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 96% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| C-Code - Quality: 69% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02CE421F Relevance: 10.6, APIs: 7, Instructions: 81nativeCOMMON
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 38% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0040110B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70nativeCOMMON
Download Yara Rule
| C-Code - Quality: 72% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 100% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00401459 Relevance: 1.5, APIs: 1, Instructions: 34nativeCOMMON
Download Yara Rule
| C-Code - Quality: 68% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02CE3CE0 Relevance: 45.7, APIs: 25, Strings: 1, Instructions: 222memorystringCOMMON
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 69% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02CE7B83 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 126networkstringCOMMON
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 92% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02CE6815 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 151timememoryCOMMON
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 83% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02CE7FC5 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 209libraryCOMMON
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 51% |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02CE415A Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 72filetimeCOMMON
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 74% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| C-Code - Quality: 93% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02CE5E40 Relevance: 10.6, APIs: 7, Instructions: 75COMMON
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02CE6675 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68stringCOMMON
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 64% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02CE51D8 Relevance: 9.0, APIs: 6, Instructions: 45networkCOMMON
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02CE5364 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 29sleepmemoryCOMMON
Download Yara Rule
| C-Code - Quality: 50% |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02CE2523 Relevance: 7.7, APIs: 5, Instructions: 161memoryCOMMON
Download Yara Rule
| C-Code - Quality: 59% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02CE7040 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 145stringCOMMON
Download Yara Rule
| C-Code - Quality: 22% |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00401DE1 Relevance: 7.5, APIs: 5, Instructions: 19memoryCOMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02CE5251 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 94memoryCOMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02CE4358 Relevance: 6.1, APIs: 4, Instructions: 104memoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 65% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004014CF Relevance: 4.6, APIs: 3, Instructions: 68memoryCOMMON
Download Yara Rule
| C-Code - Quality: 87% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02CE12C6 Relevance: 4.6, APIs: 3, Instructions: 58COMMON
Download Yara Rule
| C-Code - Quality: 47% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02CE61DA Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 5memoryCOMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02CE790B Relevance: 3.1, APIs: 2, Instructions: 112COMMON
Download Yara Rule
| C-Code - Quality: 75% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 100% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02CE33F1 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 43memoryCOMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02E4EB93 Relevance: 3.0, APIs: 2, Instructions: 41processCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02CE472F Relevance: 3.0, APIs: 2, Instructions: 40COMMON
Download Yara Rule
| C-Code - Quality: 37% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02CE5006 Relevance: 3.0, APIs: 2, Instructions: 26memoryCOMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02CE2839 Relevance: 1.5, APIs: 1, Instructions: 49COMMON
Download Yara Rule
| C-Code - Quality: 34% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00401D3C Relevance: 1.5, APIs: 1, Instructions: 8COMMON
Download Yara Rule
| C-Code - Quality: 37% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004012E6 Relevance: 1.5, APIs: 1, Instructions: 5memoryCOMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00401BA9 Relevance: 1.5, APIs: 1, Instructions: 5memoryCOMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004012FB Relevance: 1.3, APIs: 1, Instructions: 70COMMON
Download Yara Rule
| C-Code - Quality: 86% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02E4E852 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02CE5063 Relevance: 1.3, APIs: 1, Instructions: 36stringCOMMON
Download Yara Rule
| C-Code - Quality: 75% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02CE1D8A Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 258memoryCOMMONCrypto
Download Yara Rule
| C-Code - Quality: 93% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02CE30D5 Relevance: 6.0, APIs: 4, Instructions: 41processCOMMON
Download Yara Rule
| C-Code - Quality: 68% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00401D68 Relevance: 6.0, APIs: 4, Instructions: 40COMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02CE16DF Relevance: 1.9, APIs: 1, Instructions: 611COMMONCrypto
Download Yara Rule
| C-Code - Quality: 49% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02CE8551 Relevance: 1.7, APIs: 1, Instructions: 195nativeCOMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02CE832C Relevance: .1, Instructions: 77COMMONCrypto
Download Yara Rule
| C-Code - Quality: 71% |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02E4E470 Relevance: .1, Instructions: 61COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02CE2B91 Relevance: 45.8, APIs: 25, Strings: 1, Instructions: 278memorystringCOMMON
Download Yara Rule
| C-Code - Quality: 76% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02CE37DF Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 109librarymemoryloaderCOMMON
Download Yara Rule
| C-Code - Quality: 73% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02CE3FA5 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 92networksynchronizationCOMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 43% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 100% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 100% |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02CE3A63 Relevance: 9.1, APIs: 6, Instructions: 126memoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02CE4C94 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 167stringCOMMON
Download Yara Rule
| C-Code - Quality: 88% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 39% |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02CE607C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 28sleepmemoryCOMMON
Download Yara Rule
| C-Code - Quality: 37% |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02CE35D2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 82memoryCOMMON
Download Yara Rule
| C-Code - Quality: 85% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 46% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02CE597D Relevance: 6.2, APIs: 4, Instructions: 154memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02CE4781 Relevance: 6.1, APIs: 4, Instructions: 136COMMON
Download Yara Rule
| C-Code - Quality: 85% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 87% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02CE69E6 Relevance: 6.1, APIs: 4, Instructions: 87sleepCOMMON
Download Yara Rule
| C-Code - Quality: 39% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 78% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 68% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 64% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02CE7843 Relevance: 6.0, APIs: 4, Instructions: 40COMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02CE3230 Relevance: 6.0, APIs: 4, Instructions: 29memoryCOMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02CE5157 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50memorytimeCOMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02CE2058 Relevance: 5.1, APIs: 4, Instructions: 70stringCOMMON
Download Yara Rule
| C-Code - Quality: 58% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02CE5DE4 Relevance: 5.0, APIs: 4, Instructions: 39stringCOMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02CE7563 Relevance: 5.0, APIs: 4, Instructions: 27stringCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |