Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample Name:	file.exe
Analysis ID:	885493
MD5:	da7adaa57242edd6c3d836b3731c5c76
SHA1:	3cfb7ba031108a6dd3d840711ba31c5859af494d
SHA256:	3d9d9746dab8d68d2149a28c8790910c9f0593a75bc42d61652b09ae97a3d691
Tags:	exe
Infos:

Detection

PrivateLoader

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected PrivateLoader

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Tries to detect virtualization through RDTSC time measurements

May check the online IP address of the machine

PE file contains section with special chars

Creates a DirectInput object (often for capturing keystrokes)

Uses 32bit PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Drops PE files

Uses a known web browser user agent for HTTP communication

May sleep (evasive loops) to hinder dynamic analysis

Detected TCP or UDP traffic on non-standard ports

PE file contains sections with non-standard names

Sample execution stops while process was sleeping (likely an evasion)

PE / OLE file has an invalid certificate

JA3 SSL client fingerprint seen in connection with other malware

Found dropped PE file which has not been started or loaded

PE file contains executable resources (Code or Archives)

IP address seen in connection with other malware

Entry point lies outside standard sections

Classification

Process Tree

System is w10x64

file.exe (PID: 5092 cmdline: C:\Users\user\Desktop\file.exe MD5: DA7ADAA57242EDD6C3D836B3731C5C76)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
PrivateLoader	According to sekoia, PrivateLoader is a modular malware whose main capability is to download and execute one or several payloads. The loader implements anti-analysis techniques, fingerprints the compromised host and reports statistics to its C2 server.	No Attribution	https://any.run/cybersecurity-blog/privateloader-analyzing-the-encryption-and-decryption-of-a-modern-loader/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.sekoia.io/traffers-a-deep-dive-into-the-information-stealer-ecosystem https://de.darktrace.com/blog/privateloader-network-based-indicators-of-compromise https://intel471.com/blog/privateloader-malware	https://malpedia.caad.fkie.fraunhofer.de/details/win.privateloader

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.797616715.00000000040E0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PrivateLoader	Yara detected PrivateLoader	Joe Security
00000000.00000002.795172104.0000000000F01000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_PrivateLoader	Yara detected PrivateLoader	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.file.exe.4150d78.2.raw.unpack	JoeSecurity_PrivateLoader	Yara detected PrivateLoader	Joe Security
0.2.file.exe.f00000.0.unpack	JoeSecurity_PrivateLoader	Yara detected PrivateLoader	Joe Security

HTTP traffic detected: GET /widget/demo/102.129.143.77 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Host: ipinfo.io

Source: global traffic

TCP traffic: 192.168.2.4:49694 -> 194.169.175.123:50500

Source: Joe Sandbox View

JA3 fingerprint: ce5f3254611a8c095a3d821d44539877

Source: Joe Sandbox View	IP Address: 34.117.59.81 34.117.59.81
Source: Joe Sandbox View	IP Address: 34.117.59.81 34.117.59.81

Source: unknown	Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49695

Source: unknown	TCP traffic detected without corresponding DNS query: 194.169.175.123
Source: unknown	TCP traffic detected without corresponding DNS query: 194.169.175.123
Source: unknown	TCP traffic detected without corresponding DNS query: 194.169.175.123
Source: unknown	TCP traffic detected without corresponding DNS query: 194.169.175.123
Source: unknown	TCP traffic detected without corresponding DNS query: 194.169.175.123
Source: unknown	TCP traffic detected without corresponding DNS query: 194.169.175.123
Source: unknown	TCP traffic detected without corresponding DNS query: 194.169.175.123
Source: unknown	TCP traffic detected without corresponding DNS query: 194.169.175.123
Source: unknown	TCP traffic detected without corresponding DNS query: 194.169.175.123
Source: unknown	TCP traffic detected without corresponding DNS query: 194.169.175.123

Source: file.exe, 00000000.00000002.797757865.00000000041E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.798123882.0000000004320000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.797616715.00000000040E0000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.0.dr, freebl3.dll.0.dr, nss3.dll.0.dr, mozglue.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: file.exe, 00000000.00000002.797757865.00000000041E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.798123882.0000000004320000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.797616715.00000000040E0000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.0.dr, freebl3.dll.0.dr, nss3.dll.0.dr, mozglue.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: file.exe, 00000000.00000002.797293499.00000000023A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: file.exe	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: file.exe, 00000000.00000002.797757865.00000000041E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.798123882.0000000004320000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.797616715.00000000040E0000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.0.dr, freebl3.dll.0.dr, nss3.dll.0.dr, mozglue.dll.0.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: file.exe, 00000000.00000002.797757865.00000000041E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.798123882.0000000004320000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.797616715.00000000040E0000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.0.dr, freebl3.dll.0.dr, nss3.dll.0.dr, mozglue.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: file.exe, 00000000.00000002.797757865.00000000041E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.798123882.0000000004320000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.797616715.00000000040E0000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.0.dr, freebl3.dll.0.dr, nss3.dll.0.dr, mozglue.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: file.exe, 00000000.00000002.797757865.00000000041E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.798123882.0000000004320000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.797616715.00000000040E0000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.0.dr, freebl3.dll.0.dr, nss3.dll.0.dr, mozglue.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: file.exe, 00000000.00000002.797757865.00000000041E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.798123882.0000000004320000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.797616715.00000000040E0000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.0.dr, freebl3.dll.0.dr, nss3.dll.0.dr, mozglue.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: file.exe	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: file.exe, 00000000.00000002.797757865.00000000041E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.798123882.0000000004320000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.797616715.00000000040E0000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.0.dr, freebl3.dll.0.dr, nss3.dll.0.dr, mozglue.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: file.exe, 00000000.00000002.797757865.00000000041E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.798123882.0000000004320000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.797616715.00000000040E0000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.0.dr, freebl3.dll.0.dr, nss3.dll.0.dr, mozglue.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: file.exe	String found in binary or memory: http://ocsp.sectigo.com0
Source: file.exe, 00000000.00000002.797757865.00000000041E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.798123882.0000000004320000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.797616715.00000000040E0000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.0.dr, freebl3.dll.0.dr, nss3.dll.0.dr, mozglue.dll.0.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: file.exe, 00000000.00000002.797757865.00000000041E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.798123882.0000000004320000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.797616715.00000000040E0000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.0.dr, freebl3.dll.0.dr, nss3.dll.0.dr, mozglue.dll.0.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: file.exe, 00000000.00000002.797757865.00000000041E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.798123882.0000000004320000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.797616715.00000000040E0000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.0.dr, freebl3.dll.0.dr, nss3.dll.0.dr, mozglue.dll.0.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: file.exe, 00000000.00000002.797757865.00000000041E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.798123882.0000000004320000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.797616715.00000000040E0000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.0.dr, freebl3.dll.0.dr, nss3.dll.0.dr, mozglue.dll.0.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: mozglue.dll.0.dr	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: file.exe, 00000000.00000002.797757865.00000000041E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.798123882.0000000004320000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.797616715.00000000040E0000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.0.dr, freebl3.dll.0.dr, nss3.dll.0.dr, mozglue.dll.0.dr	String found in binary or memory: http://www.mozilla.com0
Source: file.exe, 00000000.00000002.795374968.0000000001081000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll
Source: file.exe, 00000000.00000002.795374968.0000000001081000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.winimage.com/zLibDllt
Source: file.exe, 00000000.00000002.797293499.0000000002338000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.797293499.0000000002388000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.797293499.00000000023A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/
Source: file.exe, 00000000.00000002.795374968.0000000001081000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://ipinfo.io/Content-Type:
Source: file.exe, 00000000.00000002.797293499.0000000002388000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/Mozilla/5.0
Source: file.exe, 00000000.00000002.797293499.0000000002338000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/N
Source: file.exe, 00000000.00000002.797293499.0000000002338000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/widget/demo/102.129.143.77
Source: file.exe, 00000000.00000002.797293499.000000000237D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/widget/demo/102.129.143.77l
Source: file.exe	String found in binary or memory: https://sectigo.com/CPS0
Source: file.exe, 00000000.00000002.797293499.0000000002338000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORT
Source: file.exe, 00000000.00000002.797757865.00000000041E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.798123882.0000000004320000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.797616715.00000000040E0000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.0.dr, freebl3.dll.0.dr, nss3.dll.0.dr, mozglue.dll.0.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: file.exe, 00000000.00000002.795374968.0000000001081000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address

Source: unknown

DNS traffic detected: queries for: ipinfo.io

Source: global traffic

Source: unknown

HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.4:49695 version: TLS 1.2

Source: file.exe, 00000000.00000002.797293499.0000000002338000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name: .vmp!+~&
Source: file.exe	Static PE information: section name: .vmp!+~&
Source: file.exe	Static PE information: section name: .vmp!+~&

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe, 00000000.00000002.797757865.00000000041E3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamenss3.dll8 vs file.exe
Source: file.exe, 00000000.00000002.798123882.0000000004320000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesoftokn3.dll8 vs file.exe
Source: file.exe, 00000000.00000002.797616715.00000000040E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemsvcp140.dll^ vs file.exe
Source: file.exe, 00000000.00000002.797616715.00000000040E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dll^ vs file.exe
Source: file.exe, 00000000.00000002.797616715.00000000040E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamefreebl3.dll8 vs file.exe
Source: file.exe, 00000000.00000002.797616715.00000000040E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemozglue.dll8 vs file.exe

Source: file.exe

Static PE information: invalid certificate

Source: file.exe

Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: file.exe

Virustotal: Detection: 24%

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\LocalSimblphXP_35PHcV

Jump to behavior

Source: classification engine

Classification label: mal72.troj.evad.winEXE@1/6@1/2

Source: C:\Users\user\Desktop\file.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: file.exe, 00000000.00000002.795401757.00000000010AB000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE %Q.%s SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: file.exe, 00000000.00000002.798123882.0000000004320000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.0.dr	Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: file.exe, 00000000.00000002.797757865.00000000041E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.795401757.00000000010AB000.00000004.00000001.01000000.00000003.sdmp, nss3.dll.0.dr	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: file.exe, 00000000.00000002.798123882.0000000004320000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.0.dr	Binary or memory string: SELECT ALL %s FROM %s WHERE id=$ID;
Source: file.exe, 00000000.00000002.798123882.0000000004320000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.0.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: file.exe, 00000000.00000002.797757865.00000000041E3000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: file.exe, 00000000.00000002.797757865.00000000041E3000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: file.exe, 00000000.00000002.797757865.00000000041E3000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: file.exe, 00000000.00000002.798123882.0000000004320000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.0.dr	Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: file.exe, 00000000.00000002.798123882.0000000004320000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.0.dr	Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: file.exe, 00000000.00000002.798123882.0000000004320000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.0.dr	Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: file.exe, 00000000.00000002.798123882.0000000004320000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.0.dr	Binary or memory string: SELECT ALL id FROM %s;
Source: file.exe, 00000000.00000002.798123882.0000000004320000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.0.dr	Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: file.exe, 00000000.00000002.798123882.0000000004320000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.0.dr	Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: file.exe, 00000000.00000002.797757865.00000000041E3000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: file.exe, 00000000.00000002.797757865.00000000041E3000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: file.exe, 00000000.00000002.797757865.00000000041E3000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: file.exe, 00000000.00000002.797757865.00000000041E3000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr	Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index / path TEXT, / Path to page from root / pageno INTEGER, / Page number / pagetype TEXT, / 'internal', 'leaf' or 'overflow' / ncell INTEGER, / Cells on page (0 for overflow) / payload INTEGER, / Bytes of payload on this page / unused INTEGER, / Bytes of unused space on this page / mx_payload INTEGER, / Largest payload size of all cells / pgoffset INTEGER, / Offset of page in file / pgsize INTEGER, / Size of the page / schema TEXT HIDDEN / Database schema being analyzed */);
Source: file.exe, 00000000.00000002.797757865.00000000041E3000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: file.exe, 00000000.00000002.798123882.0000000004320000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.0.dr	Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: file.exe, 00000000.00000002.797757865.00000000041E3000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);docid INTEGER PRIMARY KEY%z, 'c%d%q'%z, langidCREATE TABLE %Q.'%q_content'(%s)CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);m
Source: file.exe, 00000000.00000002.797757865.00000000041E3000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr	Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index / path TEXT, / Path to page from root / pageno INTEGER, / Page number / pagetype TEXT, / 'internal', 'leaf' or 'overflow' / ncell INTEGER, / Cells on page (0 for overflow) / payload INTEGER, / Bytes of payload on this page / unused INTEGER, / Bytes of unused space on this page / mx_payload INTEGER, / Largest payload size of all cells / pgoffset INTEGER, / Offset of page in file / pgsize INTEGER, / Size of the page / schema TEXT HIDDEN / Database schema being analyzed */);/overflow%s%.3x+%.6x%s%.3x/internalleafcorruptedno such schema: %sSELECT 'sqlite_master' AS name, 1 AS rootpage, 'table' AS type UNION ALL SELECT name, rootpage, type FROM "%w".%s WHERE rootpage!=0 ORDER BY namedbstat2018-01-22 18:45:57 0c55d179733b46d8d0ba4d88e01a25e10677046ee3da1d5b1581e86726f2171d:

Source: file.exe

Static file information: File size 7864024 > 1048576

Source: file.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: file.exe

Static PE information: Raw size of .vmp!+~& is bigger than: 0x100000 < 0x760400

Source:	Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: file.exe, 00000000.00000002.798123882.0000000004320000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.0.dr
Source:	Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: file.exe, 00000000.00000002.797616715.00000000040E0000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.0.dr
Source:	Binary string: vcruntime140.i386.pdb source: file.exe, 00000000.00000002.797616715.00000000040E0000.00000004.00000020.00020000.00000000.sdmp, vcruntime140.dll.0.dr
Source:	Binary string: vcruntime140.i386.pdbGCTL source: file.exe, 00000000.00000002.797616715.00000000040E0000.00000004.00000020.00020000.00000000.sdmp, vcruntime140.dll.0.dr
Source:	Binary string: msvcp140.i386.pdbGCTL source: file.exe, 00000000.00000002.797616715.00000000040E0000.00000004.00000020.00020000.00000000.sdmp, msvcp140.dll.0.dr
Source:	Binary string: z:\task_1542148442\build\src\obj-thunderbird\mozglue\build\mozglue.pdb source: file.exe, 00000000.00000002.797616715.00000000040E0000.00000004.00000020.00020000.00000000.sdmp, mozglue.dll.0.dr
Source:	Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: file.exe, 00000000.00000002.798123882.0000000004320000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.0.dr
Source:	Binary string: z:\task_1542148442\build\src\obj-thunderbird\mozglue\build\mozglue.pdb22! source: file.exe, 00000000.00000002.797616715.00000000040E0000.00000004.00000020.00020000.00000000.sdmp, mozglue.dll.0.dr
Source:	Binary string: msvcp140.i386.pdb source: file.exe, 00000000.00000002.797616715.00000000040E0000.00000004.00000020.00020000.00000000.sdmp, msvcp140.dll.0.dr
Source:	Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss3.pdb source: file.exe, 00000000.00000002.797757865.00000000041E3000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr
Source:	Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: file.exe, 00000000.00000002.797616715.00000000040E0000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.0.dr

Source: file.exe	Static PE information: section name: .vmp!+~&
Source: file.exe	Static PE information: section name: .vmp!+~&
Source: file.exe	Static PE information: section name: .vmp!+~&
Source: msvcp140.dll.0.dr	Static PE information: section name: .didat
Source: mozglue.dll.0.dr	Static PE information: section name: .didat

Source: initial sample

Static PE information: section where entry point is pointing to: .vmp!+~&

Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\LocalSimbaphXP_35PHcV\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\LocalSimbaphXP_35PHcV\nss3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\LocalSimbaphXP_35PHcV\softokn3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\LocalSimbaphXP_35PHcV\mozglue.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\LocalSimbaphXP_35PHcV\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\LocalSimbaphXP_35PHcV\vcruntime140.dll	Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 5092 base: 2230005 value: E9 FB BF B0 75	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 5092 base: 77D3C000 value: E9 0A 40 4F 8A	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 5092 base: 2240008 value: E9 AB E0 B3 75	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 5092 base: 77D7E0B0 value: E9 60 1F 4C 8A	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 5092 base: 3DE0005 value: E9 CB 5A 7F 73	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 5092 base: 775D5AD0 value: E9 3A A5 80 8C	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 5092 base: 3DF0005 value: E9 5B B0 80 73	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 5092 base: 775FB060 value: E9 AA 4F 7F 8C	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 5092 base: 3F10005 value: E9 DB F8 C1 70	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 5092 base: 74B2F8E0 value: E9 2A 07 3E 8F	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 5092 base: 3F20005 value: E9 FB 42 C3 70	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 5092 base: 74B54300 value: E9 0A BD 3C 8F	Jump to behavior

Malware Analysis System Evasion

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000015769DB second address: 00000000013387E2 instructions: 0x00000000 rdtsc 0x00000002 inc cl 0x00000004 adc al, 5Eh 0x00000006 cmc 0x00000007 xor bl, cl 0x00000009 mov edx, dword ptr [esp+ecx] 0x0000000c movzx ax, dl 0x00000010 lea ebp, dword ptr [ebp-00000004h] 0x00000016 nop 0x00000018 mov dword ptr [ebp+00h], edx 0x0000001c lea edi, dword ptr [edi-00000004h] 0x00000022 mov eax, dword ptr [edi] 0x00000024 test si, 101Dh 0x00000029 cmp ebx, 01BB0A57h 0x0000002f xor eax, ebx 0x00000031 test esi, ecx 0x00000033 add eax, 7C8B5468h 0x00000038 not eax 0x0000003a dec eax 0x0000003b jmp 00007F5AE078E127h 0x00000040 ror eax, 1 0x00000042 clc 0x00000043 cmp cl, FFFFFFAAh 0x00000046 test eax, 02C60026h 0x0000004b xor ebx, eax 0x0000004d test cl, 0000007Eh 0x00000050 add esi, eax 0x00000052 jmp 00007F5AE04B9A50h 0x00000057 jmp 00007F5AE071FCA3h 0x0000005c lea eax, dword ptr [esp+60h] 0x00000060 cmp ebp, eax 0x00000062 jmp 00007F5AE07F71E7h 0x00000067 ja 00007F5AE06C5722h 0x0000006d jmp esi 0x0000006f sub edi, 00000001h 0x00000075 movzx ecx, byte ptr [edi] 0x00000078 sub ax, di 0x0000007b xor cl, bl 0x0000007d btr edx, 08h 0x00000081 xor cl, 00000032h 0x00000084 not dh 0x00000086 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 000000000182D6DE second address: 000000000182D6E9 instructions: 0x00000000 rdtsc 0x00000002 add ch, 0000006Bh 0x00000005 popfd 0x00000006 pop esi 0x00000007 pop ecx 0x00000008 movzx eax, di 0x0000000b rdtsc

Source: C:\Users\user\Desktop\file.exe

Window / User API: threadDelayed 868

Jump to behavior

Source: C:\Users\user\Desktop\file.exe TID: 8	Thread sleep count: 39 > 30	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 8	Thread sleep count: 39 > 30	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1312	Thread sleep count: 868 > 30	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1312	Thread sleep time: -86800s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\file.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\LocalSimbaphXP_35PHcV\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\LocalSimbaphXP_35PHcV\nss3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\LocalSimbaphXP_35PHcV\softokn3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\LocalSimbaphXP_35PHcV\mozglue.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\LocalSimbaphXP_35PHcV\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\LocalSimbaphXP_35PHcV\vcruntime140.dll	Jump to dropped file

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: file.exe, 00000000.00000002.797293499.0000000002338000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.797293499.0000000002397000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.797293499.0000000002397000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-USnn

Stealing of Sensitive Information

Yara detected PrivateLoader

Source: Yara match	File source: 0.2.file.exe.4150d78.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.f00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.797616715.00000000040E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.795172104.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY

Remote Access Functionality

Yara detected PrivateLoader

Source: Yara match	File source: 0.2.file.exe.4150d78.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.f00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.797616715.00000000040E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.795172104.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	1 Virtualization/Sandbox Evasion	1 Credential API Hooking	11 Security Software Discovery	Remote Services	1 Credential API Hooking	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	1 Input Capture	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Input Capture	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Ingress Tool Transfer	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	2 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	13 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	11 System Information Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
file.exe	24%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Temp\LocalSimbaphXP_35PHcV\freebl3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\LocalSimbaphXP_35PHcV\freebl3.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\LocalSimbaphXP_35PHcV\mozglue.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\LocalSimbaphXP_35PHcV\mozglue.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\LocalSimbaphXP_35PHcV\msvcp140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\LocalSimbaphXP_35PHcV\msvcp140.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\LocalSimbaphXP_35PHcV\nss3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\LocalSimbaphXP_35PHcV\nss3.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\LocalSimbaphXP_35PHcV\softokn3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\LocalSimbaphXP_35PHcV\vcruntime140.dll	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://www.mozilla.com0	0%	URL Reputation	safe

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ipinfo.io	34.117.59.81	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://ipinfo.io/widget/demo/102.129.143.77	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	file.exe	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.winimage.com/zLibDllt	file.exe, 00000000.00000002.795374968.0000000001081000.00000002.00000001.01000000.00000003.sdmp	false		high
http://www.mozilla.com/en-US/blocklist/	mozglue.dll.0.dr	false		high
https://sectigo.com/CPS0	file.exe	false	URL Reputation: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	file.exe, 00000000.00000002.797757865.00000000041E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.798123882.0000000004320000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.797616715.00000000040E0000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.0.dr, freebl3.dll.0.dr, nss3.dll.0.dr, mozglue.dll.0.dr	false		high
http://ocsp.sectigo.com0	file.exe	false	URL Reputation: safe	unknown
https://ipinfo.io/	file.exe, 00000000.00000002.797293499.0000000002338000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.797293499.0000000002388000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.797293499.00000000023A6000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.maxmind.com/en/locate-my-ip-address	file.exe, 00000000.00000002.795374968.0000000001081000.00000002.00000001.01000000.00000003.sdmp	false		high
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	file.exe	false	URL Reputation: safe URL Reputation: safe	unknown
http://ocsp.thawte.com0	file.exe, 00000000.00000002.797757865.00000000041E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.798123882.0000000004320000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.797616715.00000000040E0000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.0.dr, freebl3.dll.0.dr, nss3.dll.0.dr, mozglue.dll.0.dr	false	URL Reputation: safe	unknown
http://www.mozilla.com0	file.exe, 00000000.00000002.797757865.00000000041E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.798123882.0000000004320000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.797616715.00000000040E0000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.0.dr, freebl3.dll.0.dr, nss3.dll.0.dr, mozglue.dll.0.dr	false	URL Reputation: safe	unknown
http://www.winimage.com/zLibDll	file.exe, 00000000.00000002.795374968.0000000001081000.00000002.00000001.01000000.00000003.sdmp	false		high
https://ipinfo.io/widget/demo/102.129.143.77l	file.exe, 00000000.00000002.797293499.000000000237D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t.me/RiseProSUPPORT	file.exe, 00000000.00000002.797293499.0000000002338000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ipinfo.io/N	file.exe, 00000000.00000002.797293499.0000000002338000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ipinfo.io/Mozilla/5.0	file.exe, 00000000.00000002.797293499.0000000002388000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ipinfo.io/Content-Type:	file.exe, 00000000.00000002.795374968.0000000001081000.00000002.00000001.01000000.00000003.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
34.117.59.81	ipinfo.io	United States		139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
194.169.175.123	unknown	Germany		43659	CLOUDCOMPUTINGDE	false

General Information

Joe Sandbox Version:	37.1.0 Beryl
Analysis ID:	885493
Start date and time:	2023-06-11 03:22:08 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@1/6@1/2
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): audiodg.exe, WMIADAP.exe
Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
34.117.59.81	sample.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	04451999.exe.lnk	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	o5QR1PuuAx.exe	Get hash	malicious	Orcus	Browse	ipinfo.io/ip
	SecuriteInfo.com.Win64.PWSX-gen.23885.14599.exe	Get hash	malicious	Bandit Stealer	Browse	ipinfo.io/country
	RcNRT1gqfb.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/country
	0Y3hOsXLQ0.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/country
	Info_9_may_3263893.js	Get hash	malicious	NetSupport RAT	Browse	ipinfo.io/ip
	Notice_3_may_7692707.js	Get hash	malicious	Unknown	Browse	ipinfo.io/ip
	Notice_3_may_2248985.js	Get hash	malicious	NetSupport RAT	Browse	ipinfo.io/ip
	Notice_3_may_9755407.js	Get hash	malicious	NetSupport RAT	Browse	ipinfo.io/ip
	Notice_3_may.js	Get hash	malicious	NetSupport RAT	Browse	ipinfo.io/ip
	https://fossiil.com/tkw6f	Get hash	malicious	Phisher	Browse	ipinfo.io/ip
	Notice_3_may_1533151.js	Get hash	malicious	NetSupport RAT	Browse	ipinfo.io/ip
	https://panaka.net/x1/	Get hash	malicious	Unknown	Browse	ipinfo.io/ip
	Notice_3_may_4766220.js	Get hash	malicious	Unknown	Browse	ipinfo.io/ip
	https://datauncovered.com/snq3b	Get hash	malicious	NetSupport RAT, Phisher	Browse	ipinfo.io/ip
	Notice_25_apr_5809264.js	Get hash	malicious	Unknown	Browse	ipinfo.io/ip
	Notice_26_apr_7305393.js	Get hash	malicious	NetSupport RAT	Browse	ipinfo.io/ip
	https://brightideasfortheweb.com/lsi4b	Get hash	malicious	NetSupport RAT, Phisher	Browse	ipinfo.io/ip
	Notice_25_apr_6088558.js	Get hash	malicious	NetSupport RAT	Browse	ipinfo.io/ip

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ipinfo.io	ATT68376.HTM	Get hash	malicious	HTMLPhisher	Browse	34.117.59.81
	fU8ln1UegE.exe	Get hash	malicious	DCRat	Browse	34.117.59.81
	file.exe	Get hash	malicious	PrivateLoader	Browse	34.117.59.81
	file.exe	Get hash	malicious	PrivateLoader, Vidar	Browse	34.117.59.81
	PAYMENT SLIP.html	Get hash	malicious	HTMLPhisher	Browse	34.117.59.81
	file.exe	Get hash	malicious	PrivateLoader	Browse	34.117.59.81
	j1xb9O5lE3.exe	Get hash	malicious	DCRat	Browse	34.117.59.81
	nopagadafacturaSii.msi	Get hash	malicious	Unknown	Browse	34.117.59.81
	Sii_NopagadaFacMarzo.msi	Get hash	malicious	Unknown	Browse	34.117.59.81
	sample.exe	Get hash	malicious	Unknown	Browse	34.117.59.81
	Factmarzosiinopagada.msi	Get hash	malicious	Unknown	Browse	34.117.59.81
	facturanopagamarzoSii.msi	Get hash	malicious	Unknown	Browse	34.117.59.81
	file.exe	Get hash	malicious	Vector Stealer	Browse	34.117.59.81
	https://dev-verficamospyitu.pantheonsite.io/	Get hash	malicious	Unknown	Browse	34.117.59.81
	#Ud83c#Udfb5 vm_Sound attached.htm	Get hash	malicious	Unknown	Browse	34.117.59.81
	file.exe	Get hash	malicious	PrivateLoader	Browse	34.117.59.81
	Roblox_Game_Manager.exe	Get hash	malicious	DCRat	Browse	34.117.59.81
	SiiMarzo.msi	Get hash	malicious	Unknown	Browse	34.117.59.81
	ID-FACT.1685085247.zip	Get hash	malicious	Unknown	Browse	34.117.59.81
	FACT64747.msi	Get hash	malicious	Unknown	Browse	34.117.59.81

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	http://armycac.com	Get hash	malicious	Unknown	Browse	34.117.157.22
	https://gmlnk.com/api/v1/track/link/click/5e5d7c3c713292b8c35ef86a/1683146707297/?link=http://tvyordb.pocketlet.com/47251/@.com/@.com	Get hash	malicious	Unknown	Browse	34.117.179.238
	http://dev.hilotech.ca	Get hash	malicious	Unknown	Browse	34.117.60.46
	ATT68376.HTM	Get hash	malicious	HTMLPhisher	Browse	34.117.59.81
	fU8ln1UegE.exe	Get hash	malicious	DCRat	Browse	34.117.59.81
	https://gmlnk.com/api/v1/track/link/click/5e5d7c3c713292b8c35ef86a/1683146707297/?link=http://peoti.021cityliving.co.za/?7128186=kris.ong@faro.com	Get hash	malicious	Unknown	Browse	34.117.179.238
	file.exe	Get hash	malicious	PrivateLoader	Browse	34.117.59.81
	file.exe	Get hash	malicious	PrivateLoader, Vidar	Browse	34.117.59.81
	PAYMENT SLIP.html	Get hash	malicious	HTMLPhisher	Browse	34.117.59.81
	file.exe	Get hash	malicious	PrivateLoader	Browse	34.117.59.81
	ZparFzqF3A.exe	Get hash	malicious	FormBook, GuLoader	Browse	34.117.168.233
	File.exe	Get hash	malicious	Amadey, Fabookie, Nymaim, PrivateLoader, RedLine, SmokeLoader, SystemBC	Browse	34.117.59.81
	nopagadafacturaSii.msi	Get hash	malicious	Unknown	Browse	34.117.59.81
	https://mikkymax.com	Get hash	malicious	Unknown	Browse	34.117.157.22
	U_prilogu_je_predracun.exe	Get hash	malicious	FormBook	Browse	34.117.168.233
	http://reg.ru	Get hash	malicious	Unknown	Browse	34.117.157.22
	NEW_ORDER89028902.exe	Get hash	malicious	FormBook, GuLoader	Browse	34.117.168.233
	winrar-64-6.21-installer_AmGAP-1.exe	Get hash	malicious	Unknown	Browse	34.117.223.223
	winrar-64-6.21-installer_AmGAP-1.exe	Get hash	malicious	RedAlert	Browse	34.117.223.223
	marzofacnopagada.zip	Get hash	malicious	Unknown	Browse	34.117.59.81

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ce5f3254611a8c095a3d821d44539877	file.exe	Get hash	malicious	Fabookie	Browse	34.117.59.81
	rhipolito-da03669nit.vbs	Get hash	malicious	Unknown	Browse	34.117.59.81
	TRX23732373.js	Get hash	malicious	Unknown	Browse	34.117.59.81
	TRX23732373.js	Get hash	malicious	Unknown	Browse	34.117.59.81
	file.exe	Get hash	malicious	PrivateLoader	Browse	34.117.59.81
	Kq026ekoTY.exe	Get hash	malicious	SmokeLoader	Browse	34.117.59.81
	file.exe	Get hash	malicious	PrivateLoader, Vidar	Browse	34.117.59.81
	341760070.js	Get hash	malicious	Unknown	Browse	34.117.59.81
	PURCHASE_ORDER.docx.doc	Get hash	malicious	Unknown	Browse	34.117.59.81
	file.exe	Get hash	malicious	PrivateLoader	Browse	34.117.59.81
	file.exe	Get hash	malicious	Fabookie	Browse	34.117.59.81
	fetxySvFfs.exe	Get hash	malicious	BluStealer, ThunderFox Stealer, a310Logger	Browse	34.117.59.81
	148428995.js	Get hash	malicious	Unknown	Browse	34.117.59.81
	yCPXLYK1n3.exe	Get hash	malicious	BluStealer, ThunderFox Stealer, a310Logger	Browse	34.117.59.81
	weeklyi43804380.js	Get hash	malicious	Unknown	Browse	34.117.59.81
	weeklyi43804380.js	Get hash	malicious	Unknown	Browse	34.117.59.81
	pdf598598.js	Get hash	malicious	Unknown	Browse	34.117.59.81
	TRX326326.js	Get hash	malicious	Unknown	Browse	34.117.59.81
	Calculation-of-costs-647746213.js	Get hash	malicious	Unknown	Browse	34.117.59.81
	lhanish-ic17726eun.vbs	Get hash	malicious	Unknown	Browse	34.117.59.81

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\LocalSimbaphXP_35PHcV\freebl3.dll	file.exe	Get hash	malicious	PrivateLoader	Browse
	file.exe	Get hash	malicious	PrivateLoader, Vidar	Browse
	file.exe	Get hash	malicious	PrivateLoader	Browse
	file.exe	Get hash	malicious	Clipboard Hijacker, PrivateLoader	Browse
	file.exe	Get hash	malicious	PrivateLoader	Browse
	file.exe	Get hash	malicious	PrivateLoader	Browse
	file.exe	Get hash	malicious	PrivateLoader	Browse
	file.exe	Get hash	malicious	PrivateLoader	Browse
	file.exe	Get hash	malicious	PrivateLoader	Browse
	file.exe	Get hash	malicious	Clipboard Hijacker, PrivateLoader	Browse
	file.exe	Get hash	malicious	Clipboard Hijacker, PrivateLoader	Browse
	file.exe	Get hash	malicious	Clipboard Hijacker, PrivateLoader	Browse
	file.exe	Get hash	malicious	Clipboard Hijacker, PrivateLoader	Browse
	file.exe	Get hash	malicious	PrivateLoader	Browse
	file.exe	Get hash	malicious	PrivateLoader	Browse
	file.exe	Get hash	malicious	Clipboard Hijacker, PrivateLoader	Browse
	file.exe	Get hash	malicious	Laplas Clipper, PrivateLoader	Browse
	file.exe	Get hash	malicious	Laplas Clipper, PrivateLoader	Browse
	file.exe	Get hash	malicious	PrivateLoader	Browse
	file.exe	Get hash	malicious	PrivateLoader	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\LocalSimbaphXP_35PHcV\freebl3.dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	334288
Entropy (8bit):	6.807000203861606
Encrypted:	false
SSDEEP:	6144:C8YBC2NpfYjGg7t5xb7WOBOLFwh8yGHrIrvqqDL6XPowD:CbG7F35BVh8yIZqn65D
MD5:	EF2834AC4EE7D6724F255BEAF527E635
SHA1:	5BE8C1E73A21B49F353C2ECFA4108E43A883CB7B
SHA-256:	A770ECBA3B08BBABD0A567FC978E50615F8B346709F8EB3CFACF3FAAB24090BA
SHA-512:	C6EA0E4347CBD7EF5E80AE8C0AFDCA20EA23AC2BDD963361DFAF562A9AED58DCBC43F89DD826692A064D76C3F4B3E92361AF7B79A6D16A75D9951591AE3544D2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Reputation:	high, very likely benign file
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........./...AV..AV..AV...V..AV].@W..AV.1.V..AV].BW..AV].DW..AV].EW..AV..@W..AVO.@W..AV..@V.AVO.BW..AVO.EW..AVO.AW..AVO.V..AVO.CW..AVRich..AV........................PE..L....b.[.........."!.........f......)........................................p.......s....@.........................p...P............@..x....................P......0...T...............................@...............8............................text...t........................... ..`.rdata..............................@..@.data...,H..........................@....rsrc...x....@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\LocalSimbaphXP_35PHcV\mozglue.dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	137168
Entropy (8bit):	6.78390291752429
Encrypted:	false
SSDEEP:	3072:7Gyzk/x2Wp53pUzPoNpj/kVghp1qt/dXDyp4D2JJJvPhrSeTuk:6yQ2Wp53iO/kVghp12/dXDyyD2JJJvPR
MD5:	8F73C08A9660691143661BF7332C3C27
SHA1:	37FA65DD737C50FDA710FDBDE89E51374D0C204A
SHA-256:	3FE6B1C54B8CF28F571E0C5D6636B4069A8AB00B4F11DD842CFEC00691D0C9CD
SHA-512:	0042ECF9B3571BB5EBA2DE893E8B2371DF18F7C5A589F52EE66E4BFBAA15A5B8B7CC6A155792AAA8988528C27196896D5E82E1751C998BACEA0D92395F66AD89
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	high, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........U..;..;..;.....;.W....;...8..;...?..;...:..;...>..;...:...;..:.w.;...?..;...>..;...;..;......;...9..;.Rich.;.........................PE..L...._.[.........."!.....z...................................................@.......3....@A........................@...t.......,.... ..x....................0..h.......T...................T.......h...@...................l........................text....x.......z.................. ..`.rdata..^e.......f...~..............@..@.data...............................@....didat..8...........................@....rsrc...x.... ......................@..@.reloc..h....0......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\LocalSimbaphXP_35PHcV\msvcp140.dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	462120
Entropy (8bit):	6.6647691095514485
Encrypted:	false
SSDEEP:	12288:E3QUergtVD7jfIobCFvUkBShUgiW6QR7t5s03Ooc8dHkC2esII:NUXzD3IoCFvUy03Ooc8dHkC2eJI
MD5:	F027303816D6D2AFEAB12183C67B1348
SHA1:	735E1625B17E4122608EB3AFF3702B97E08F1E51
SHA-256:	75DDC9778C23EE95B6C57DB6B689F11C07D164D5A4C158D4C0ACB87A520B8004
SHA-512:	F55F6DF42F266CC5F5F23690A5942068248D50D1C302708BF34D1F9D8831C7BFA174489DE029DADA30707DF4544275B14FBB3DDA09A0A022EB343E2618401797
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........>.$._.w._.w._.w..2w._.w.'Nw._.w._.w._.w.9.v._.w.9.v._.w.9.v._.w.9.v._.w.9.v._.w.9.v._.w.9"w._.w.9.v._.wRich._.w........................PE..L.....Z.........."!.....T..........@........p...............................0......a&....@A...................................,.......................(?......`@...w..8............................-..@...................`...@....................text...2R.......T.................. ..`.data...T(...p.......X..............@....idata...............p..............@..@.didat..4...........................@....rsrc...............................@..@.reloc..`@.......B..................@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\LocalSimbaphXP_35PHcV\nss3.dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1246160
Entropy (8bit):	6.765536416094505
Encrypted:	false
SSDEEP:	24576:Sb5zzlswYNYLVJAwfpeYQ1Dw/fEE8DhSJVIVfRyAkgO6S/V/jbHpls4MSRSMxkoo:4zW5ygDwnEZIYkjgWjblMSRSMqH
MD5:	BFAC4E3C5908856BA17D41EDCD455A51
SHA1:	8EEC7E888767AA9E4CCA8FF246EB2AACB9170428
SHA-256:	E2935B5B28550D47DC971F456D6961F20D1633B4892998750140E0EAA9AE9D78
SHA-512:	2565BAB776C4D732FFB1F9B415992A4C65B81BCD644A9A1DF1333A269E322925FC1DF4F76913463296EFD7C88EF194C3056DE2F1CA1357D7B5FE5FF0DA877A66
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	high, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......#.4.g.Z.g.Z.g.Z.n...s.Z..[.e.Z..B..c.Z..Y.j.Z.._.m.Z..^.l.Z.E.[.o.Z..[.d.Z.g.[..Z..^.m.Z..Z.f.Z....f.Z..X.f.Z.Richg.Z.................PE..L....b.[.........."!................w........................................@............@..................................=..T.......p........................}..p...T..............................@............................................text............................... ..`.rdata...R.......T..................@..@.data...tG...`..."...B..............@....rsrc...p............d..............@..@.reloc...}.......~...h..............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\LocalSimbaphXP_35PHcV\softokn3.dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	144848
Entropy (8bit):	6.539750563864442
Encrypted:	false
SSDEEP:	3072:UAf6suip+d7FEk/oJz69sFaXeu9CoT2nIVFetBWsqeFwdMIo:p6PbsF4CoT2OeU4SMB
MD5:	A2EE53DE9167BF0D6C019303B7CA84E5
SHA1:	2A3C737FA1157E8483815E98B666408A18C0DB42
SHA-256:	43536ADEF2DDCC811C28D35FA6CE3031029A2424AD393989DB36169FF2995083
SHA-512:	45B56432244F86321FA88FBCCA6A0D2A2F7F4E0648C1D7D7B1866ADC9DAA5EDDD9F6BB73662149F279C9AB60930DAD1113C8337CB5E6EC9EED5048322F65F7D8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l$...JO..JO..JO.u.O..JO?oKN..JO?oIN..JO?oON..JO?oNN..JO.mKN..JO-nKN..JO..KO~.JO-nNN..JO-nJN..JO-n.O..JO-nHN..JORich..JO........PE..L....b.[.........."!.........b...............................................P............@..........................................0..x....................@..`.......T...........................(...@...............l............................text.............................. ..`.rdata...D.......F..................@..@.data........ ......................@....rsrc...x....0......................@..@.reloc..`....@......................@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\LocalSimbaphXP_35PHcV\vcruntime140.dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	87352
Entropy (8bit):	6.882331969273483
Encrypted:	false
SSDEEP:	1536:fGcAKWRMbpuRQci+7uXTKLWe+27JofZo0ENm2eK7oJnoUSgpAY8ODcDcm7cIsXh0:fG3KiRQcJ7uj8f7Jofm0ENm2eK7mnoUS
MD5:	AC139E08070885A2F021E30FAB609EEE
SHA1:	3D3C2877CF3C4AA1A1F62708494375404D02CF22
SHA-256:	EEA2DF0C3D2BF84EE8BC811439A81578F6521C8B28B6CC815C93FB870AC7A0D7
SHA-512:	072DC8A2297EEA0778F72F70AB5C8DC0400CECBE399115A4CEE0CB7381D494565019D756F602D80077C22AB635B324EC10C644BF3C219A68D9C75840A8B5309F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... .id..:d..:d..:..=:f..:m.A:o..:d..:L..:w..;k..:w..;w..:w..;`..:w..;...:w..;e..:w.-:e..:w..;e..:Richd..:........PE..L.....Z.........."!......... ..............................................P............@A................................. .......0..................8?...@..H...p ..8............................ ..@............ ...............................text............................... ..`.data...............................@....idata....... ......................@..@.rsrc........0......................@..@.reloc..H....@......................@..B........................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.9673301520478725
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	7864024
MD5:	da7adaa57242edd6c3d836b3731c5c76
SHA1:	3cfb7ba031108a6dd3d840711ba31c5859af494d
SHA256:	3d9d9746dab8d68d2149a28c8790910c9f0593a75bc42d61652b09ae97a3d691
SHA512:	9522e2d8ebfb1747b753646def331f8b28b86804fe17f097b7cd0f98f1e754da6ed4961c71c3bfe1d51349aee08c012eb5478611191de466d4c86aa8bb2f3aad
SSDEEP:	196608:xkAVh0QLZY36FsVa2yJB59CyaWXoxBiV4DzCzTm0cySYxNHVA:xkAN1K7Va26Tkw4xBiCCf++HC
TLSH:	ED86236323250141E1DACD3EC633FCC634F22BBE9F40987E16E9A5C62A759E5DA43643
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d..............."......4.....h.z...........@...................................x...@................................

File Icon


Icon Hash:	0c1c0ce4a4ac78e4

Static PE Info

General

Entrypoint:	0xbae568
Entrypoint Section:	.vmp!+~&
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6482E8A3 [Fri Jun 9 08:53:55 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	00143c7843a6bccd9702bb42aef6cd34

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=HDD Western Digital My Book 16TB (WDBBGB0160HBK-EESN)
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	6/8/2023 1:27:09 PM 6/9/2033 1:27:09 PM
Subject Chain	CN=HDD Western Digital My Book 16TB (WDBBGB0160HBK-EESN)
Version:	3
Thumbprint MD5:	92C2CBD5AA483BD02E39DE1FBFD2CF90
Thumbprint SHA-1:	FD61242B40D5CA53220446F47A4DA3E493F98DAC
Thumbprint SHA-256:	6421AC8B68D8FCFE488DB738E7A6AD62F8DD9A7A7ECDC7E05CD4A603EE970F45
Serial:	600479562A475A9544F26D0DCE72E3AE

Entrypoint Preview

Instruction
push 2DF93442h
mov dword ptr [esp+00h], 289635DAh
not dword ptr [esp+00h]
call 00007F5AE0ABCF21h
rol edx, 03h
clc
cmp edi, ebx
sub edx, 2987521Bh
clc
jmp 00007F5AE0A80F8Ch
dec edx
test si, 3E01h
not edx
xor ebx, edx
add ebp, edx
jmp 00007F5AE0A36147h
add cl, al
mov word ptr [ebp+04h], cx
xchg ah, al
lahf
movsx eax, ax
pushfd
test bx, 68DFh
rcl ax, cl
pop dword ptr [ebp+00h]
lea edi, dword ptr [edi-00000004h]
sar ax, FF85h
shl ah, FFFFFFB1h
mov eax, dword ptr [edi]
cmp al, dl
xor eax, ebx
dec eax
stc
jmp 00007F5AE111BCDBh
jmp edi
mov cx, word ptr [edi]
mov ax, word ptr [edi+02h]
sub edi, 00000002h
add cx, ax
jmp 00007F5AE0B1E320h
inc edx
stc
cmc
ror edx, 02h
clc
add edx, 3EBF5A88h
jmp 00007F5AE0C052DAh
jmp esi
test esi, eax
bswap eax
cmp ax, ax
jmp 00007F5AE10F9938h
jmp esi
mov ecx, dword ptr [esi]
bts eax, ecx
add esi, 00000004h
bsf ax, di
xor ah, FFFFFFA3h
add ah, al
xor ecx, ebx
rol ecx, 1
setnp ah
dec ecx
ror ax, cl
movsx ax, dl

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x801770	0x104	.vmp!+~&
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe7c000	0x1ce61	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x77e600	0x18d8	.vmp!+~&
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xe7b000	0x600	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x728c34	0x18	.vmp!+~&
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xe7a210	0x40	.vmp!+~&
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x719000	0x564	.vmp!+~&
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x17f2fd	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x181000	0x296d6	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1ab000	0xa760	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.vmp!+~&	0x1b6000	0x5624bc	0x0	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.vmp!+~&	0x719000	0x6f0	0x800	False	0.58154296875	data	4.526615592136478	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.vmp!+~&	0x71a000	0x7602d0	0x760400	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc	0xe7b000	0x600	0x600	False	0.53515625	data	4.357104909822443	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xe7c000	0x1ce61	0x1d000	False	0.6327283135775862	data	7.283420783456975	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0xe7c160	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536
RT_ICON	0xe8c988	0xbdf9	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_GROUP_ICON	0xe98784	0x22	data
RT_VERSION	0xe987a8	0x2b8	COM executable for DOS	English	United States
RT_MANIFEST	0xe98a60	0x401	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	FreeResource, CreateToolhelp32Snapshot, CreateEventW, MultiByteToWideChar, Sleep, GetTempPathA, GetModuleHandleExA, GetTimeZoneInformation, CopyFileA, GetLastError, GetFileAttributesA, TzSpecificLocalTimeToSystemTime, CreateFileA, SetEvent, LoadLibraryA, GetVersionExA, LockResource, DeleteFileA, Process32Next, CloseHandle, GetSystemInfo, CreateThread, GetWindowsDirectoryA, LoadResource, SetFileAttributesA, GetLocalTime, GetProcAddress, LocalFree, RemoveDirectoryA, ExitProcess, GetCurrentProcessId, GlobalMemoryStatusEx, FreeLibrary, WideCharToMultiByte, CreateDirectoryA, GetSystemTime, CreateFileMappingW, MapViewOfFile, GetPrivateProfileStringA, IsWow64Process, GetComputerNameA, SetUnhandledExceptionFilter, lstrcatA, lstrcpyA, HeapFree, HeapAlloc, lstrcpynA, GetProcessHeap, ReadFile, SetFilePointer, CreateFileW, GetLocaleInfoA, AreFileApisANSI, TryEnterCriticalSection, HeapCreate, FindClose, GetFullPathNameW, GetDiskFreeSpaceW, OutputDebugStringA, LockFile, LeaveCriticalSection, InitializeCriticalSection, GetFullPathNameA, SetEndOfFile, UnlockFileEx, GetTempPathW, CreateMutexW, GetFileAttributesW, UnmapViewOfFile, HeapValidate, HeapSize, FormatMessageW, GetDiskFreeSpaceA, GetFileAttributesExW, OutputDebugStringW, FlushViewOfFile, WaitForSingleObjectEx, DeleteFileW, HeapReAlloc, LoadLibraryW, HeapCompact, HeapDestroy, UnlockFile, LockFileEx, GetFileSize, DeleteCriticalSection, SystemTimeToFileTime, GetSystemTimeAsFileTime, FormatMessageA, QueryPerformanceCounter, GetTickCount, FlushFileBuffers, WriteConsoleW, SetEnvironmentVariableW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, GetACP, IsValidCodePage, SetStdHandle, GetModuleHandleA, GetCurrentThreadId, LocalAlloc, WaitForSingleObject, GetVolumeInformationA, lstrlenA, FindResourceA, FindNextFileA, GetUserDefaultLocaleName, TerminateProcess, WriteFile, GetCurrentProcess, FindFirstFileA, Process32First, EnumSystemLocalesW, GetModuleFileNameA, GetUserDefaultLCID, IsValidLocale, GetLocaleInfoW, LCMapStringW, CompareStringW, GetFileSizeEx, GetConsoleOutputCP, ReadConsoleW, GetConsoleMode, GetStdHandle, GetModuleFileNameW, GetPrivateProfileSectionNamesA, SizeofResource, EnterCriticalSection, FreeLibraryAndExitThread, ExitThread, GetModuleHandleExW, GetFileType, SetFilePointerEx, LoadLibraryExW, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, SetLastError, RaiseException, RtlUnwind, FindFirstFileW, FindFirstFileExW, FindNextFileW, GetFinalPathNameByHandleW, GetModuleHandleW, GetFileInformationByHandleEx, GetLocaleInfoEx, InitializeSRWLock, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, TryAcquireSRWLockExclusive, LCMapStringEx, InitializeCriticalSectionEx, EncodePointer, DecodePointer, CompareStringEx, GetCPInfo, GetStringTypeW, InitializeCriticalSectionAndSpinCount, ResetEvent, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, GetStartupInfoW, InitializeSListHead
USER32.dll	ReleaseDC, GetDesktopWindow, GetKeyboardLayoutList, wsprintfA, GetSystemMetrics, GetDC, GetWindowRect, EnumDisplayDevicesA, CharNextA
GDI32.dll	CreateCompatibleBitmap, SelectObject, CreateCompatibleDC, DeleteObject, BitBlt
ADVAPI32.dll	SystemFunction036, RegOpenKeyExA, GetUserNameA, CredFree, RegCloseKey, GetCurrentHwProfileA, RegQueryValueExA, CredEnumerateA, RegEnumKeyExA
SHELL32.dll	ShellExecuteA, SHGetFolderPathA
WS2_32.dll	closesocket, getaddrinfo, WSACleanup, send, socket, connect, WSAStartup, freeaddrinfo, setsockopt, WSAGetLastError, shutdown, recv
CRYPT32.dll	CryptUnprotectData, CryptStringToBinaryA
gdiplus.dll	GdiplusShutdown, GdiplusStartup, GdipSaveImageToFile, GdipGetImageEncodersSize, GdipFree, GdipDisposeImage, GdipCreateBitmapFromHBITMAP, GdipAlloc, GdipCloneImage, GdipGetImageEncoders
SETUPAPI.dll	SetupDiGetDeviceInterfaceDetailA, SetupDiGetClassDevsA, SetupDiEnumDeviceInterfaces, SetupDiEnumDeviceInfo
KERNEL32.dll	GetSystemTimeAsFileTime, GetModuleHandleA, CreateEventA, GetModuleFileNameW, TerminateProcess, GetCurrentProcess, CreateToolhelp32Snapshot, Thread32First, GetCurrentProcessId, GetCurrentThreadId, OpenThread, Thread32Next, CloseHandle, SuspendThread, ResumeThread, WriteProcessMemory, GetSystemInfo, VirtualAlloc, VirtualProtect, VirtualFree, GetProcessAffinityMask, SetProcessAffinityMask, GetCurrentThread, SetThreadAffinityMask, Sleep, LoadLibraryA, FreeLibrary, GetTickCount, SystemTimeToFileTime, FileTimeToSystemTime, GlobalFree, LocalAlloc, LocalFree, GetProcAddress, ExitProcess, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, DeleteCriticalSection, GetModuleHandleW, LoadResource, MultiByteToWideChar, FindResourceExW, FindResourceExA, WideCharToMultiByte, GetThreadLocale, GetUserDefaultLCID, GetSystemDefaultLCID, EnumResourceNamesA, EnumResourceNamesW, EnumResourceLanguagesA, EnumResourceLanguagesW, EnumResourceTypesA, EnumResourceTypesW, CreateFileW, LoadLibraryW, GetLastError, FlushFileBuffers, WriteConsoleW, SetStdHandle, IsProcessorFeaturePresent, DecodePointer, GetCommandLineA, RaiseException, HeapFree, GetCPInfo, InterlockedIncrement, InterlockedDecrement, GetACP, GetOEMCP, IsValidCodePage, EncodePointer, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapAlloc, LCMapStringW, GetStringTypeW, SetHandleCount, GetStdHandle, InitializeCriticalSectionAndSpinCount, GetFileType, GetStartupInfoW, GetModuleFileNameA, FreeEnvironmentStringsW, GetEnvironmentStringsW, HeapCreate, HeapDestroy, QueryPerformanceCounter, HeapSize, WriteFile, RtlUnwind, SetFilePointer, GetConsoleCP, GetConsoleMode, HeapReAlloc, VirtualQuery
USER32.dll	CharUpperBuffW
KERNEL32.dll	LocalAlloc, LocalFree, GetModuleFileNameW, ExitProcess, LoadLibraryA, GetModuleHandleA, GetProcAddress

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Download Network PCAP: filtered – full

Network Port Distribution

Total Packets: 21
• 50500 undefined
• 443 (HTTPS)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 11, 2023 03:23:00.465500116 CEST	49694	50500	192.168.2.4	194.169.175.123
Jun 11, 2023 03:23:00.492361069 CEST	50500	49694	194.169.175.123	192.168.2.4
Jun 11, 2023 03:23:00.492544889 CEST	49694	50500	192.168.2.4	194.169.175.123
Jun 11, 2023 03:23:00.520092964 CEST	50500	49694	194.169.175.123	192.168.2.4
Jun 11, 2023 03:23:00.573349953 CEST	49694	50500	192.168.2.4	194.169.175.123
Jun 11, 2023 03:23:00.733788967 CEST	49694	50500	192.168.2.4	194.169.175.123
Jun 11, 2023 03:23:00.760757923 CEST	50500	49694	194.169.175.123	192.168.2.4
Jun 11, 2023 03:23:00.807832956 CEST	49694	50500	192.168.2.4	194.169.175.123
Jun 11, 2023 03:23:01.139144897 CEST	49695	443	192.168.2.4	34.117.59.81
Jun 11, 2023 03:23:01.139240026 CEST	443	49695	34.117.59.81	192.168.2.4
Jun 11, 2023 03:23:01.139369011 CEST	49695	443	192.168.2.4	34.117.59.81
Jun 11, 2023 03:23:01.143112898 CEST	49695	443	192.168.2.4	34.117.59.81
Jun 11, 2023 03:23:01.143155098 CEST	443	49695	34.117.59.81	192.168.2.4
Jun 11, 2023 03:23:01.205610991 CEST	443	49695	34.117.59.81	192.168.2.4
Jun 11, 2023 03:23:01.205878973 CEST	49695	443	192.168.2.4	34.117.59.81
Jun 11, 2023 03:23:01.227166891 CEST	49695	443	192.168.2.4	34.117.59.81
Jun 11, 2023 03:23:01.227221012 CEST	443	49695	34.117.59.81	192.168.2.4
Jun 11, 2023 03:23:01.227648020 CEST	443	49695	34.117.59.81	192.168.2.4
Jun 11, 2023 03:23:01.276845932 CEST	49695	443	192.168.2.4	34.117.59.81
Jun 11, 2023 03:23:01.453165054 CEST	49695	443	192.168.2.4	34.117.59.81
Jun 11, 2023 03:23:01.496301889 CEST	443	49695	34.117.59.81	192.168.2.4
Jun 11, 2023 03:23:01.587950945 CEST	443	49695	34.117.59.81	192.168.2.4
Jun 11, 2023 03:23:01.588109016 CEST	443	49695	34.117.59.81	192.168.2.4
Jun 11, 2023 03:23:01.588417053 CEST	49695	443	192.168.2.4	34.117.59.81
Jun 11, 2023 03:23:01.591439009 CEST	49695	443	192.168.2.4	34.117.59.81
Jun 11, 2023 03:23:01.591509104 CEST	443	49695	34.117.59.81	192.168.2.4
Jun 11, 2023 03:23:01.591547012 CEST	49695	443	192.168.2.4	34.117.59.81
Jun 11, 2023 03:23:01.591562033 CEST	443	49695	34.117.59.81	192.168.2.4
Jun 11, 2023 03:23:01.592303991 CEST	49694	50500	192.168.2.4	194.169.175.123
Jun 11, 2023 03:23:01.674948931 CEST	50500	49694	194.169.175.123	192.168.2.4
Jun 11, 2023 03:23:03.934226990 CEST	49694	50500	192.168.2.4	194.169.175.123
Jun 11, 2023 03:23:04.003173113 CEST	50500	49694	194.169.175.123	192.168.2.4
Jun 11, 2023 03:23:35.941334963 CEST	49694	50500	192.168.2.4	194.169.175.123
Jun 11, 2023 03:23:36.018965960 CEST	50500	49694	194.169.175.123	192.168.2.4
Jun 11, 2023 03:24:07.365874052 CEST	49694	50500	192.168.2.4	194.169.175.123
Jun 11, 2023 03:24:07.456659079 CEST	50500	49694	194.169.175.123	192.168.2.4
Jun 11, 2023 03:24:38.868856907 CEST	49694	50500	192.168.2.4	194.169.175.123
Jun 11, 2023 03:24:38.956785917 CEST	50500	49694	194.169.175.123	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 11, 2023 03:23:01.106024027 CEST	58565	53	192.168.2.4	8.8.8.8
Jun 11, 2023 03:23:01.125612020 CEST	53	58565	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jun 11, 2023 03:23:01.106024027 CEST	192.168.2.4	8.8.8.8	0x4715	Standard query (0)	ipinfo.io	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jun 11, 2023 03:23:01.125612020 CEST	8.8.8.8	192.168.2.4	0x4715	No error (0)	ipinfo.io		34.117.59.81	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

https:

ipinfo.io

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49695	34.117.59.81	443	C:\Users\user\Desktop\file.exe

Timestamp	kBytes transferred	Direction	Data
2023-06-11 01:23:01 UTC	0	OUT	GET /widget/demo/102.129.143.77 HTTP/1.1 Connection: Keep-Alive Referer: https://ipinfo.io/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Host: ipinfo.io
2023-06-11 01:23:01 UTC	0	IN	HTTP/1.1 200 OK access-control-allow-origin: * x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block x-content-type-options: nosniff referrer-policy: strict-origin-when-cross-origin content-type: application/json; charset=utf-8 content-length: 1006 date: Sun, 11 Jun 2023 01:23:01 GMT x-envoy-upstream-service-time: 2 strict-transport-security: max-age=2592000; includeSubDomains vary: Accept-Encoding Via: 1.1 google Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2023-06-11 01:23:01 UTC	0	IN	Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 31 30 32 2e 31 32 39 2e 31 34 33 2e 37 37 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 31 30 32 2e 31 32 39 2e 31 34 33 2e 37 37 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 5a c3 bc 72 69 63 68 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 5a 75 72 69 63 68 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 43 48 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 34 37 2e 33 37 32 31 2c 38 2e 35 34 31 37 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 32 31 32 32 33 38 20 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 0a 20 20 20 20 22 70 6f 73 74 61 6c 22 3a 20 22 38 30 30 31 22 2c 0a 20 20 20 20 22 74 69 6d 65 7a 6f 6e 65 22 3a 20 22 45 75 72 6f 70 65 2f 5a Data Ascii: { "input": "102.129.143.77", "data": { "ip": "102.129.143.77", "city": "Zrich", "region": "Zurich", "country": "CH", "loc": "47.3721,8.5417", "org": "AS212238 Datacamp Limited", "postal": "8001", "timezone": "Europe/Z
2023-06-11 01:23:01 UTC	1	IN	Data Raw: 72 65 73 73 22 3a 20 22 33 30 30 20 41 63 61 63 69 61 20 52 6f 61 64 2c 20 44 61 72 72 65 6e 77 6f 6f 64 2c 20 52 61 6e 64 62 75 72 67 2c 20 47 61 75 74 65 6e 67 20 32 31 39 34 2c 20 53 6f 75 74 68 20 41 66 72 69 63 61 2c 20 52 61 6e 64 62 75 72 67 2c 20 4f 74 68 65 72 22 2c 0a 20 20 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 5a 41 22 2c 0a 20 20 20 20 20 20 22 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 40 69 70 78 6f 2e 63 6f 6d 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 56 69 6e 63 65 6e 74 61 73 20 47 72 69 6e 69 75 73 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 31 30 32 2e 31 32 39 2e 31 32 38 2e 30 2f 31 37 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 74 65 6c 3a 2b 32 37 2d 31 30 2d 35 39 35 2d 31 32 37 Data Ascii: ress": "300 Acacia Road, Darrenwood, Randburg, Gauteng 2194, South Africa, Randburg, Other", "country": "ZA", "email": "abuse@ipxo.com", "name": "Vincentas Grinius", "network": "102.129.128.0/17", "phone": "tel:+27-10-595-127

Statistics

CPU Usage

• file.exe

Click to jump to process

Memory Usage

• file.exe

Click to jump to process

High Level Behavior Distribution

• File
• Network

Click to dive into process behavior distribution

System Behavior

Analysis Process: file.exePID: 5092, Parent PID: 3528

Function Logs

General

Target ID:	0
Start time:	03:22:58
Start date:	11/06/2023
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\file.exe
Imagebase:	0xf00000
File size:	7864024 bytes
MD5 hash:	DA7ADAA57242EDD6C3D836B3731C5C76
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PrivateLoader, Description: Yara detected PrivateLoader, Source: 00000000.00000002.797616715.00000000040E0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PrivateLoader, Description: Yara detected PrivateLoader, Source: 00000000.00000002.795172104.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

File Activities

File Created

File Written

File Attributes Queried

Device IO

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Mutex Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Process Activities

Process Queried

Show Windows behavior

Thread Activities

Thread Created

Thread Execution Resumed

Thread Execution Suspended

Thread Delayed

Thread Information Set

Show Windows behavior

Memory Activities

Memory Written

Memory Allocated

Memory Protection Changed

Memory Usage Statistics

Show Windows behavior

System Activities

System Information Queried

Show Windows behavior

Network Activities

Socket bound

Socket connected

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Source: C:\Users\user\Desktop\file.exe	DNS query: name: ipinfo.io
Source: C:\Users\user\Desktop\file.exe	DNS query: name: ipinfo.io

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\LocalSimbaphXP_35PHcV\freebl3.dll

C:\Users\user\AppData\Local\Temp\LocalSimbaphXP_35PHcV\mozglue.dll

C:\Users\user\AppData\Local\Temp\LocalSimbaphXP_35PHcV\msvcp140.dll

C:\Users\user\AppData\Local\Temp\LocalSimbaphXP_35PHcV\nss3.dll

C:\Users\user\AppData\Local\Temp\LocalSimbaphXP_35PHcV\softokn3.dll

C:\Users\user\AppData\Local\Temp\LocalSimbaphXP_35PHcV\vcruntime140.dll

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Windows Analysis Report
file.exe