Edit tour

Windows Analysis Report
SharkHCShark.exe

Overview

General Information

Sample name:	SharkHCShark.exe
Analysis ID:	1500381
MD5:	1714616095f0d3f62aac384222620ad5
SHA1:	31412d21c22f20efa0f5f57b45842d1df6db0c11
SHA256:	4788d6606f23c828bbaaad8f8d3418fa86d704fc35aabebd48db7de370fb0f3b
Tags:	exe
Infos:

Detection

PureLog Stealer, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected PureLog Stealer

Yara detected zgRAT

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

.NET source code contains very large array initializations

AI detected suspicious sample

Allocates memory in foreign processes

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

Reads the System eventlog

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables security privileges

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

SharkHCShark.exe (PID: 4904 cmdline: "C:\Users\user\Desktop\SharkHCShark.exe" MD5: 1714616095F0D3F62AAC384222620AD5)

conhost.exe (PID: 3224 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MSBuild.exe (PID: 5256 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

⊘No configs have been found

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.2125917148.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.2137887935.000000006D41A000.00000004.00000001.01000000.00000006.sdmp	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
00000000.00000002.2137887935.000000006D41A000.00000004.00000001.01000000.00000006.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.2137887935.000000006D41A000.00000004.00000001.01000000.00000006.sdmp	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x4ed2d:$s1: file:/// 0x4ec89:$s2: {11111-22222-10009-11112} 0x4ecbd:$s3: {11111-22222-50001-00000} 0x4c1ff:$s4: get_Module 0x4837e:$s5: Reverse 0x48849:$s6: BlockCopy 0x48346:$s7: ReadByte 0x4ed3f:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.MSBuild.exe.400000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
3.2.MSBuild.exe.400000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.MSBuild.exe.400000.0.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x4ed2d:$s1: file:/// 0x4ec89:$s2: {11111-22222-10009-11112} 0x4ecbd:$s3: {11111-22222-50001-00000} 0x4c1ff:$s4: get_Module 0x4837e:$s5: Reverse 0x48849:$s6: BlockCopy 0x48346:$s7: ReadByte 0x4ed3f:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.SharkHCShark.exe.6d41a000.2.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.2.SharkHCShark.exe.6d41a000.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.SharkHCShark.exe.6d41a000.2.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x4ed2d:$s1: file:/// 0x4ec89:$s2: {11111-22222-10009-11112} 0x4ecbd:$s3: {11111-22222-50001-00000} 0x4c1ff:$s4: get_Module 0x4837e:$s5: Reverse 0x48849:$s6: BlockCopy 0x48346:$s7: ReadByte 0x4ed3f:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.SharkHCShark.exe.6d41a000.2.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.2.SharkHCShark.exe.6d41a000.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.SharkHCShark.exe.6d41a000.2.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x4cf2d:$s1: file:/// 0x4ce89:$s2: {11111-22222-10009-11112} 0x4cebd:$s3: {11111-22222-50001-00000} 0x4a3ff:$s4: get_Module 0x4657e:$s5: Reverse 0x46a49:$s6: BlockCopy 0x46546:$s7: ReadByte 0x4cf3f:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.SharkHCShark.exe.6d3f0000.1.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.2.SharkHCShark.exe.6d3f0000.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.SharkHCShark.exe.6d3f0000.1.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x7732d:$s1: file:/// 0x77289:$s2: {11111-22222-10009-11112} 0x772bd:$s3: {11111-22222-50001-00000} 0x747ff:$s4: get_Module 0x7097e:$s5: Reverse 0x70e49:$s6: BlockCopy 0x70946:$s7: ReadByte 0x7733f:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
Click to see the 7 entries

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SharkHCShark.exe

Virustotal: Detection: 45%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\d3d9x.dll

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: SharkHCShark.exe

Joe Sandbox ML: detected

Source: SharkHCShark.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 40.126.31.71:443 -> 192.168.2.6:49722 version: TLS 1.2

Source: SharkHCShark.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\SharkHCShark.exe

Code function: 0_2_6D40B868 FindFirstFileExW,

0_2_6D40B868

Source: Joe Sandbox View

JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.71
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.71
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.71
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.71
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.71
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.71
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.71
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.71
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.71
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.71
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.71
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.71
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.126.137
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.126.137

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705

Source: unknown

HTTPS traffic detected: 40.126.31.71:443 -> 192.168.2.6:49722 version: TLS 1.2

Spam, unwanted Advertisements and Ransom Demands

Reads the System eventlog

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.SharkHCShark.exe.6d41a000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.SharkHCShark.exe.6d41a000.2.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.SharkHCShark.exe.6d3f0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 00000000.00000002.2137887935.000000006D41A000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: Detects zgRAT Author: ditekSHen

.NET source code contains very large array initializations

Source: 0.2.SharkHCShark.exe.6d41a000.2.raw.unpack, Strings.cs

Large array initialization: Strings: array initializer size 6160

PE file contains section with special chars

Source: d3d9x.dll.0.dr

Static PE information: section name: ."D9

Source: C:\Users\user\Desktop\SharkHCShark.exe

Code function: 0_2_6D3F7FD0 GetModuleHandleW,NtQueryInformationProcess,

0_2_6D3F7FD0

Source: C:\Users\user\Desktop\SharkHCShark.exe	Code function: 0_2_6D3F1410	0_2_6D3F1410
Source: C:\Users\user\Desktop\SharkHCShark.exe	Code function: 0_2_6D3F1010	0_2_6D3F1010
Source: C:\Users\user\Desktop\SharkHCShark.exe	Code function: 0_2_6D411E05	0_2_6D411E05
Source: C:\Users\user\Desktop\SharkHCShark.exe	Code function: 0_2_6D3F82E0	0_2_6D3F82E0
Source: C:\Users\user\Desktop\SharkHCShark.exe	Code function: 0_2_6D3F76E0	0_2_6D3F76E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_02A92069	3_2_02A92069
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_02BBEF38	3_2_02BBEF38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_02BBEF28	3_2_02BBEF28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_02BBCF54	3_2_02BBCF54

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Process token adjusted: Security

Jump to behavior

Source: SharkHCShark.exe, 00000000.00000000.2116964133.0000000000ECC000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameIrisDiana776George.mscL vs SharkHCShark.exe
Source: SharkHCShark.exe, 00000000.00000002.2131097114.000000000160E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs SharkHCShark.exe
Source: SharkHCShark.exe, 00000000.00000002.2137887935.000000006D41A000.00000004.00000001.01000000.00000006.sdmp	Binary or memory string: OriginalFilenameCoverlid.exe" vs SharkHCShark.exe
Source: SharkHCShark.exe	Binary or memory string: OriginalFilenameIrisDiana776George.mscL vs SharkHCShark.exe

Source: SharkHCShark.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.SharkHCShark.exe.6d41a000.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.SharkHCShark.exe.6d41a000.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.SharkHCShark.exe.6d3f0000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 00000000.00000002.2137887935.000000006D41A000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT

Source: 0.2.SharkHCShark.exe.6d41a000.2.raw.unpack, Strings.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.SharkHCShark.exe.6d41a000.2.raw.unpack, BjJ.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SharkHCShark.exe.6d41a000.2.raw.unpack, DiQ.cs	Cryptographic APIs: 'CreateDecryptor'

Source: 0.2.SharkHCShark.exe.6d41a000.2.raw.unpack, Strings.cs

Base64 encoded string: 'GS8nOSoENDQhFRISOAEyPDcLJig1PRkUJz4BVj4TOBknNToIDApYSxkFIBs9MTwPNRIjHjldHCQ9M1xE'

Source: classification engine

Classification label: mal100.troj.evad.winEXE@4/3@0/0

Source: C:\Users\user\Desktop\SharkHCShark.exe

File created: C:\Users\user\AppData\Roaming\d3d9x.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3224:120:WilError_03

Source: SharkHCShark.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: SharkHCShark.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\SharkHCShark.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SharkHCShark.exe

Virustotal: Detection: 45%

Source: unknown	Process created: C:\Users\user\Desktop\SharkHCShark.exe "C:\Users\user\Desktop\SharkHCShark.exe"
Source: C:\Users\user\Desktop\SharkHCShark.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SharkHCShark.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\SharkHCShark.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SharkHCShark.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharkHCShark.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharkHCShark.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharkHCShark.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharkHCShark.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharkHCShark.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharkHCShark.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharkHCShark.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharkHCShark.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: textshaping.dll	Jump to behavior

Source: SharkHCShark.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SharkHCShark.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.SharkHCShark.exe.6d41a000.2.raw.unpack, DiQ.cs

.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

.NET source code contains potential unpacker

Source: 0.2.SharkHCShark.exe.6d41a000.2.raw.unpack, jFP.cs	.Net Code: D4w
Source: 0.2.SharkHCShark.exe.6d41a000.2.raw.unpack, jFP.cs	.Net Code: eBW

Source: d3d9x.dll.0.dr

Static PE information: section name: ."D9

Source: C:\Users\user\Desktop\SharkHCShark.exe

Code function: 0_2_6D412534 push ecx; ret

0_2_6D412547

Source: SharkHCShark.exe	Static PE information: section name: .text entropy: 7.109273724380006
Source: d3d9x.dll.0.dr	Static PE information: section name: .text entropy: 6.834247127694947

Source: 0.2.SharkHCShark.exe.6d41a000.2.raw.unpack, jFP.cs

High entropy of concatenated method names: 'PEZ', 'FEA', 'zER', 'JEQ', 'eEy', 'JE0', 'qEJ', 'BFf', 'JEb', 'CEX'

Source: C:\Users\user\Desktop\SharkHCShark.exe

File created: C:\Users\user\AppData\Roaming\d3d9x.dll

Jump to dropped file

Source: C:\Users\user\Desktop\SharkHCShark.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SharkHCShark.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SharkHCShark.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SharkHCShark.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SharkHCShark.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SharkHCShark.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SharkHCShark.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SharkHCShark.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SharkHCShark.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SharkHCShark.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SharkHCShark.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SharkHCShark.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SharkHCShark.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SharkHCShark.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\SharkHCShark.exe	Memory allocated: 1850000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SharkHCShark.exe	Memory allocated: 32B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SharkHCShark.exe	Memory allocated: 1850000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SharkHCShark.exe	Memory allocated: 57F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SharkHCShark.exe	Memory allocated: 67F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SharkHCShark.exe	Memory allocated: 6920000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SharkHCShark.exe	Memory allocated: 7920000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2A50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2CE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2AF0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\SharkHCShark.exe

Code function: 0_2_6D3FA674 rdtsc

0_2_6D3FA674

Source: C:\Users\user\Desktop\SharkHCShark.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\SharkHCShark.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\d3d9x.dll

Jump to dropped file

Source: C:\Users\user\Desktop\SharkHCShark.exe

API coverage: 9.9 %

Source: C:\Users\user\Desktop\SharkHCShark.exe TID: 992	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1836	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\SharkHCShark.exe

Code function: 0_2_6D40B868 FindFirstFileExW,

0_2_6D40B868

Source: C:\Users\user\Desktop\SharkHCShark.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\SharkHCShark.exe

Code function: 0_2_6D3FA674 rdtsc

0_2_6D3FA674

Source: C:\Users\user\Desktop\SharkHCShark.exe

Code function: 0_2_6D40B1B7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_6D40B1B7

Source: C:\Users\user\Desktop\SharkHCShark.exe	Code function: 0_2_6D406D41 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_6D406D41
Source: C:\Users\user\Desktop\SharkHCShark.exe	Code function: 0_2_6D40B1B7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6D40B1B7
Source: C:\Users\user\Desktop\SharkHCShark.exe	Code function: 0_2_6D40721A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6D40721A

Source: C:\Users\user\Desktop\SharkHCShark.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\SharkHCShark.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\SharkHCShark.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\SharkHCShark.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\SharkHCShark.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\SharkHCShark.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 45E000	Jump to behavior
Source: C:\Users\user\Desktop\SharkHCShark.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 474000	Jump to behavior
Source: C:\Users\user\Desktop\SharkHCShark.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: B5B008	Jump to behavior

Source: C:\Users\user\Desktop\SharkHCShark.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

Jump to behavior

Source: C:\Users\user\Desktop\SharkHCShark.exe

Code function: 0_2_6D4073D8 cpuid

0_2_6D4073D8

Source: C:\Users\user\Desktop\SharkHCShark.exe	Queries volume information: C:\Users\user\Desktop\SharkHCShark.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\SharkHCShark.exe

Code function: 0_2_6D406E63 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_6D406E63

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match	File source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SharkHCShark.exe.6d41a000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SharkHCShark.exe.6d41a000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SharkHCShark.exe.6d3f0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2125917148.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2137887935.000000006D41A000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY

Yara detected zgRAT

Source: Yara match	File source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SharkHCShark.exe.6d41a000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SharkHCShark.exe.6d41a000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SharkHCShark.exe.6d3f0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2137887935.000000006D41A000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SharkHCShark.exe.6d41a000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SharkHCShark.exe.6d41a000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SharkHCShark.exe.6d3f0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2125917148.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2137887935.000000006D41A000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY

Yara detected zgRAT

Source: Yara match	File source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SharkHCShark.exe.6d41a000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SharkHCShark.exe.6d41a000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SharkHCShark.exe.6d3f0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2137887935.000000006D41A000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	311 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	12 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	2 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	311 Process Injection	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	23 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	21 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SharkHCShark.exe	45%	Virustotal		Browse
SharkHCShark.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\d3d9x.dll	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bg.microsoft.map.fastly.net	199.232.210.172	true	false		unknown
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false		unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1500381
Start date and time:	2024-08-28 11:16:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SharkHCShark.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@4/3@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 82% Number of executed functions: 49 Number of non-executed functions: 23
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 40.113.103.199, 184.28.90.27, 52.165.165.26, 192.229.221.95, 13.85.23.206, 199.232.210.172, 2.23.209.174, 2.23.209.180, 2.23.209.173, 2.23.209.175, 2.23.209.182, 2.23.209.177, 2.23.209.176, 2.23.209.181, 2.23.209.178, 20.166.126.56
Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, www-www.bing.com.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, wns.notify.trafficmanager.net, fe3.delivery.mp.microsoft.com, e86303.dscx.akamaiedge.net, ocsp.digicert.com, www.bing.com.edgekey.net, e16604.g.akamaiedge.net, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
Not all processes where analyzed, report is missing behavior information

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bg.microsoft.map.fastly.net	UploadCustomersTemplate(2).xlsm	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://en.aiacademy.tw	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://emea.dcv.ms/haHCQHi4RD	Get hash	malicious	HTMLPhisher	Browse	199.232.214.172
	https://aka.ms/LearnAboutSenderIdentification	Get hash	malicious	HTMLPhisher	Browse	199.232.214.172
	http://tekrollindustrial.com.br/wp-includes/kr.html#kh.jang@hyundaimovex.com	Get hash	malicious	HTMLPhisher	Browse	199.232.210.172
	https://my-apps-885d2a67.azurewebsites.net	Get hash	malicious	HTMLPhisher	Browse	199.232.214.172
	LX4CUQO8qI.dll	Get hash	malicious	CobaltStrike	Browse	199.232.210.172
	ibero.bat	Get hash	malicious	SilverRat	Browse	199.232.210.172
	https://www.wpspublish.com/customer/account/createPassword/?id=28732&token=k5FPAv4ZQlJ0DbFv9HIliRQV9FN7ztvs	Get hash	malicious	Unknown	Browse	199.232.210.172
	http://wpspublish.com	Get hash	malicious	Unknown	Browse	199.232.214.172
fp2e7a.wpc.phicdn.net	https://en.aiacademy.tw	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://dropbox-files-online.tiiny.site/?token=69090208-80b8-4346-ad00-dfe054582d02=&ci=example@domain.com	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95
	https://emea.dcv.ms/haHCQHi4RD	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95
	https://aka.ms/LearnAboutSenderIdentification	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95
	http://tekrollindustrial.com.br/wp-includes/kr.html#kh.jang@hyundaimovex.com	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95
	https://my-apps-885d2a67.azurewebsites.net	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95
	https://www.wpspublish.com/customer/account/createPassword/?id=28732&token=k5FPAv4ZQlJ0DbFv9HIliRQV9FN7ztvs	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://bonanzapipeandsteel.marslccs.info/	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95
	IrisLily673Xander.msc.exe	Get hash	malicious	Unknown	Browse	192.229.221.95
	http://wpspublish.com	Get hash	malicious	Unknown	Browse	192.229.221.95

ASNs

⊘No context

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	UploadCustomersTemplate(2).xlsm	Get hash	malicious	Unknown	Browse	40.126.31.71
	https://en.aiacademy.tw	Get hash	malicious	Unknown	Browse	40.126.31.71
	file.exe	Get hash	malicious	Unknown	Browse	40.126.31.71
	https://dropbox-files-online.tiiny.site/?token=69090208-80b8-4346-ad00-dfe054582d02=&ci=example@domain.com	Get hash	malicious	HTMLPhisher	Browse	40.126.31.71
	https://emea.dcv.ms/haHCQHi4RD	Get hash	malicious	HTMLPhisher	Browse	40.126.31.71
	https://aka.ms/LearnAboutSenderIdentification	Get hash	malicious	HTMLPhisher	Browse	40.126.31.71
	file.exe	Get hash	malicious	Unknown	Browse	40.126.31.71
	http://tekrollindustrial.com.br/wp-includes/kr.html#kh.jang@hyundaimovex.com	Get hash	malicious	HTMLPhisher	Browse	40.126.31.71
	file.exe	Get hash	malicious	Unknown	Browse	40.126.31.71
	https://my-apps-885d2a67.azurewebsites.net	Get hash	malicious	HTMLPhisher	Browse	40.126.31.71

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1119
Entropy (8bit):	5.345080863654519
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0Hj
MD5:	88593431AEF401417595E7A00FE86E5F
SHA1:	1714B8F6F6DCAAB3F3853EDABA7687F16DD331F4
SHA-256:	ED5E60336FB00579E0867B9615CBD0C560BB667FE3CEE0674F690766579F1032
SHA-512:	1D442441F96E69D8A6D5FB7E8CF01F13AF88CA2C2D0960120151B15505DD1CADC607EF9983373BA8E422C65FADAB04A615968F335A875B5C075BB9A6D0F346C9
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SharkHCShark.exe.log

Download File

Process:	C:\Users\user\Desktop\SharkHCShark.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	42
Entropy (8bit):	4.0050635535766075
Encrypted:	false
SSDEEP:	3:QHXMKa/xwwUy:Q3La/xwQ
MD5:	84CFDB4B995B1DBF543B26B86C863ADC
SHA1:	D2F47764908BF30036CF8248B9FF5541E2711FA2
SHA-256:	D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
SHA-512:	485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..

C:\Users\user\AppData\Roaming\d3d9x.dll

Download File

Process:	C:\Users\user\Desktop\SharkHCShark.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	671232
Entropy (8bit):	6.633422160662858
Encrypted:	false
SSDEEP:	12288:UepXIlZt+s6qg/FVbVejhhQR8jNUXPeqH3XKxceRjmuou7So3scqbQJyzywyIyrH:VpMC67QR8jNUXPeqH3XKxceRjmuou7SR
MD5:	5EA2EABB109B3734949E5EEA224D93FE
SHA1:	2530257875E917CA87DADACE1B2C82C7876DB3F5
SHA-256:	42F1743D0CBC771D2E74A0C0F6DFAA75DC0734AF80F6A7F8FB09304D8FF486CE
SHA-512:	D8CBCC93A8DF6C8A4738F79BD2A2AA5882F1F59384A2FE13951256A2D6A5C4C29E01B8F9DA042DFDF0CEDAA4028CBD4247F059DEFB7994340D5BF8C17ACC643A
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....n.f...........!...&.............m.......0...............................p............@.........................@...x.......<............................P..........................................@............0..L............................text............................... ..`.rdata..Bh...0...j..................@..@.data...\...........................@...."D9............................... ..`.reloc.......P.......$..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.1026902111809305
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	SharkHCShark.exe
File size:	692'736 bytes
MD5:	1714616095f0d3f62aac384222620ad5
SHA1:	31412d21c22f20efa0f5f57b45842d1df6db0c11
SHA256:	4788d6606f23c828bbaaad8f8d3418fa86d704fc35aabebd48db7de370fb0f3b
SHA512:	cebc07a2990261d28286f93c856c1e81282e9e99d19905181acde53a7add4add980180296647784309b9947d52c06a69b916955c2382cc6aacf5a425d345861e
SSDEEP:	12288:n6CpQpr4Aqyt0MbXYgDq+qh58WcYrFmYqMdCN1VXmdWnSRv/MEkqI9zDVATDNTkT:nHpCr4Ryt9S+qRcS
TLSH:	CEE481DD365072DFC85BC8728AA81D64FB6078BB471F9203A0671AED9A4D897CF140F2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....n.f............................N.... ........@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4aa44e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66CD6EDD [Tue Aug 27 06:14:53 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xaa400	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xac000	0x6e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xae000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xa8454	0xa8600	79652f311e8eb2c78bcf248c50897df9	False	0.6921674902561247	data	7.109273724380006	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xac000	0x6e0	0x800	0f305f75fae84c0c92204b16651bd7e6	False	0.36328125	data	3.730028585773052	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xae000	0xc	0x200	337dca95d200f00340d74d9aa51162ce	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xac0a0	0x454	data			0.39620938628158847
RT_MANIFEST	0xac4f4	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 28, 2024 11:16:57.383944035 CEST	49674	443	192.168.2.6	173.222.162.64
Aug 28, 2024 11:16:57.383997917 CEST	49673	443	192.168.2.6	173.222.162.64
Aug 28, 2024 11:16:57.712035894 CEST	49672	443	192.168.2.6	173.222.162.64
Aug 28, 2024 11:17:06.993275881 CEST	49674	443	192.168.2.6	173.222.162.64
Aug 28, 2024 11:17:06.993275881 CEST	49673	443	192.168.2.6	173.222.162.64
Aug 28, 2024 11:17:07.321420908 CEST	49672	443	192.168.2.6	173.222.162.64
Aug 28, 2024 11:17:08.992367983 CEST	443	49705	173.222.162.64	192.168.2.6
Aug 28, 2024 11:17:08.992465973 CEST	49705	443	192.168.2.6	173.222.162.64
Aug 28, 2024 11:17:24.950434923 CEST	49722	443	192.168.2.6	40.126.31.71
Aug 28, 2024 11:17:24.950479984 CEST	443	49722	40.126.31.71	192.168.2.6
Aug 28, 2024 11:17:24.950592041 CEST	49722	443	192.168.2.6	40.126.31.71
Aug 28, 2024 11:17:24.950730085 CEST	49722	443	192.168.2.6	40.126.31.71
Aug 28, 2024 11:17:24.950741053 CEST	443	49722	40.126.31.71	192.168.2.6
Aug 28, 2024 11:17:25.724553108 CEST	443	49722	40.126.31.71	192.168.2.6
Aug 28, 2024 11:17:25.724646091 CEST	49722	443	192.168.2.6	40.126.31.71
Aug 28, 2024 11:17:25.738322973 CEST	49722	443	192.168.2.6	40.126.31.71
Aug 28, 2024 11:17:25.738334894 CEST	443	49722	40.126.31.71	192.168.2.6
Aug 28, 2024 11:17:25.738610983 CEST	443	49722	40.126.31.71	192.168.2.6
Aug 28, 2024 11:17:25.739062071 CEST	49722	443	192.168.2.6	40.126.31.71
Aug 28, 2024 11:17:25.739110947 CEST	49722	443	192.168.2.6	40.126.31.71
Aug 28, 2024 11:17:25.739125013 CEST	443	49722	40.126.31.71	192.168.2.6
Aug 28, 2024 11:17:26.125813961 CEST	443	49722	40.126.31.71	192.168.2.6
Aug 28, 2024 11:17:26.125837088 CEST	443	49722	40.126.31.71	192.168.2.6
Aug 28, 2024 11:17:26.125878096 CEST	443	49722	40.126.31.71	192.168.2.6
Aug 28, 2024 11:17:26.125894070 CEST	49722	443	192.168.2.6	40.126.31.71
Aug 28, 2024 11:17:26.125912905 CEST	443	49722	40.126.31.71	192.168.2.6
Aug 28, 2024 11:17:26.125937939 CEST	49722	443	192.168.2.6	40.126.31.71
Aug 28, 2024 11:17:26.125976086 CEST	443	49722	40.126.31.71	192.168.2.6
Aug 28, 2024 11:17:26.126033068 CEST	49722	443	192.168.2.6	40.126.31.71
Aug 28, 2024 11:17:26.126338959 CEST	49722	443	192.168.2.6	40.126.31.71
Aug 28, 2024 11:17:26.126363993 CEST	443	49722	40.126.31.71	192.168.2.6
Aug 28, 2024 11:17:26.126389980 CEST	49722	443	192.168.2.6	40.126.31.71
Aug 28, 2024 11:17:26.126396894 CEST	443	49722	40.126.31.71	192.168.2.6
Aug 28, 2024 11:18:37.197204113 CEST	49704	80	192.168.2.6	2.19.126.137
Aug 28, 2024 11:18:37.202689886 CEST	80	49704	2.19.126.137	192.168.2.6
Aug 28, 2024 11:18:37.202738047 CEST	49704	80	192.168.2.6	2.19.126.137

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Aug 28, 2024 11:17:18.081985950 CEST	1.1.1.1	192.168.2.6	0x5b50	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Aug 28, 2024 11:17:18.081985950 CEST	1.1.1.1	192.168.2.6	0x5b50	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Aug 28, 2024 11:17:19.342850924 CEST	1.1.1.1	192.168.2.6	0x21d0	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Aug 28, 2024 11:17:19.342850924 CEST	1.1.1.1	192.168.2.6	0x21d0	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Aug 28, 2024 11:18:19.058285952 CEST	1.1.1.1	192.168.2.6	0x923e	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Aug 28, 2024 11:18:19.058285952 CEST	1.1.1.1	192.168.2.6	0x923e	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	05:16:59
Start date:	28/08/2024
Path:	C:\Users\user\Desktop\SharkHCShark.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SharkHCShark.exe"
Imagebase:	0xe20000
File size:	692'736 bytes
MD5 hash:	1714616095F0D3F62AAC384222620AD5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: 00000000.00000002.2137887935.000000006D41A000.00000004.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2137887935.000000006D41A000.00000004.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: MALWARE_Win_zgRAT, Description: Detects zgRAT, Source: 00000000.00000002.2137887935.000000006D41A000.00000004.00000001.01000000.00000006.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	05:16:59
Start date:	28/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	05:17:00
Start date:	28/08/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Imagebase:	0x8e0000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000003.00000002.2125917148.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	41.5%
Total number of Nodes:	65
Total number of Limit Nodes:	5

Executed Functions

Function 6D3F1410 Relevance: 62.0, APIs: 18, Strings: 14, Instructions: 5974filememoryCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 6D3F63E6
GetModuleHandleA.KERNEL32 ref: 6D3F6437
K32GetModuleInformation.KERNEL32 ref: 6D3F659C
GetModuleFileNameA.KERNEL32 ref: 6D3F65C5
CreateFileA.KERNELBASE ref: 6D3F6606
CreateFileMappingA.KERNEL32 ref: 6D3F6840
CloseHandle.KERNEL32 ref: 6D3F688D
MapViewOfFile.KERNELBASE ref: 6D3F68DE
VirtualProtect.KERNELBASE ref: 6D3F6C29
VirtualProtect.KERNELBASE ref: 6D3F6CCE
FindCloseChangeNotification.KERNELBASE ref: 6D3F6FFE
CloseHandle.KERNEL32 ref: 6D3F701E
CloseHandle.KERNEL32 ref: 6D3F702F
K32GetModuleInformation.KERNEL32 ref: 6D3F746B
GetModuleFileNameA.KERNEL32 ref: 6D3F7494
CreateFileA.KERNEL32 ref: 6D3F74D5
VirtualProtect.KERNEL32 ref: 6D3F75AA
VirtualProtect.KERNEL32 ref: 6D3F764F

Strings

Rm?, xrefs: 6D3F48D2
[H=P, xrefs: 6D3F5C3A
\,r, xrefs: 6D3F5677
1:2$, xrefs: 6D3F53F3
n?\, xrefs: 6D3F3DA1
%|m, xrefs: 6D3F5728
Rm?, xrefs: 6D3F1438
h[Rn, xrefs: 6D3F444C
)M4, xrefs: 6D3F5EAD
WiC#, xrefs: 6D3F5037
@, xrefs: 6D3F759E
\,r, xrefs: 6D3F56C8
%|m, xrefs: 6D3F5788
1:2$, xrefs: 6D3F5393

Memory Dump Source

Source File: 00000000.00000002.2137809306.000000006D3F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D3F0000, based on PE: true

Associated: 00000000.00000002.2137794265.000000006D3F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2137865059.000000006D413000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2137887935.000000006D41A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2138029437.000000006D48B000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2138060617.000000006D495000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d3f0000_SharkHCShark.jbxd

Yara matches

Similarity

API ID: File$Module$CloseHandleProtectVirtual$Create$InformationName$ChangeCurrentFindMappingNotificationProcessView
String ID: %|m$%|m$)M4$1:2$$1:2$$@$Rm?$Rm?$WiC#$[H=P$\,r$\,r$h[Rn$n?\
API String ID: 3371177692-160575036
Opcode ID: 275158fb2ba4492c987598f72b19f4c35f8d1f2f9398185fb4f92e338592391f
Instruction ID: 159f0d510962772aec25526de83e7a739812a2a9e889caf2302bd109122cdccd
Opcode Fuzzy Hash: 275158fb2ba4492c987598f72b19f4c35f8d1f2f9398185fb4f92e338592391f
Instruction Fuzzy Hash: DEB3F171A5421ACFCB15CE3CC9867E9B7F2BB43312F109689D518DB3A4C6369D8A8F11

Function 6D3F7FD0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 201
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?), ref: 6D3F8109

Strings

NtQueryInformationProcess, xrefs: 6D3F8111
ntdll.dll, xrefs: 6D3F80FD

Memory Dump Source

Source File: 00000000.00000002.2137809306.000000006D3F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D3F0000, based on PE: true

Associated: 00000000.00000002.2137794265.000000006D3F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2137865059.000000006D413000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2137887935.000000006D41A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2138029437.000000006D48B000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2138060617.000000006D495000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d3f0000_SharkHCShark.jbxd

Yara matches

Similarity

API ID: HandleModule
String ID: NtQueryInformationProcess$ntdll.dll
API String ID: 4139908857-2906145389
Opcode ID: 24b808152e2a485d3b9ddf58b11710418aec045d9a7269dfd693e78cca36e72e
Instruction ID: fd208501c36ff7c32303152d441cf73fe41abf24043ab27018c5bf72b1c32e43
Opcode Fuzzy Hash: 24b808152e2a485d3b9ddf58b11710418aec045d9a7269dfd693e78cca36e72e
Instruction Fuzzy Hash: CE815AB1A1420AAFCF08CFADD5856DEBBF5BF49340F00811AE511EB354D6399905CFA2

Function 6D3FAF08 Relevance: 235.4, APIs: 1, Strings: 131, Instructions: 4380
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE ref: 6D48BED3

Strings

vn, xrefs: 6D3F9552
W:, xrefs: 6D3F9390
#%, xrefs: 6D3F94B2
Ki, xrefs: 6D3FEBD7
/~, xrefs: 6D3FB01F
-M, xrefs: 6D3FAD72
#, xrefs: 6D3FCDFD
Zc, xrefs: 6D3FD431
C;, xrefs: 6D40168B
Ra, xrefs: 6D3F900F
l, xrefs: 6D48BDEE
?8, xrefs: 6D3FEAC4
`, xrefs: 6D3FBBAB
2p, xrefs: 6D3F9145
dm, xrefs: 6D3F8A5D
V, xrefs: 6D403D25
yl, xrefs: 6D3F95BD
<e, xrefs: 6D48BC28
-:p, xrefs: 6D48E211
p5, xrefs: 6D3FFD74
++, xrefs: 6D3FD04E
m-, xrefs: 6D3FB95D
k<, xrefs: 6D3FC713
Y, xrefs: 6D3FD53E
<^, xrefs: 6D48BC5A
-L2Rh-, xrefs: 6D3F933D
~7, xrefs: 6D3FDE97
of, xrefs: 6D3F8AEE
R, xrefs: 6D3FBF16
ZD, xrefs: 6D3FA764
K, xrefs: 6D3FAAD2
+, xrefs: 6D48F2C5
4, xrefs: 6D3FDD46
z", xrefs: 6D48F1A1
, xrefs: 6D48B531
;, xrefs: 6D403266
#d, xrefs: 6D3F8FD8
[9, xrefs: 6D3FB39B
X>, xrefs: 6D3F94FF
72, xrefs: 6D48CBBF
!+, xrefs: 6D48B327
ia, xrefs: 6D48BF1E
32, xrefs: 6D3FCF4B
:G, xrefs: 6D3FDCEC
.N, xrefs: 6D3FE2C7
8-, xrefs: 6D3FA947
8E, xrefs: 6D3F98C1
F), xrefs: 6D401364
/S, xrefs: 6D3FC83A
w`, xrefs: 6D48C0B5
+, xrefs: 6D401620
O<, xrefs: 6D3FF48D
@, xrefs: 6D3F9991
><, xrefs: 6D400AB6
mC, xrefs: 6D3F995E
{0, xrefs: 6D3FE317
z6, xrefs: 6D3F9741
02, xrefs: 6D3FDEE5
cR, xrefs: 6D3F901A
3^, xrefs: 6D3FE27D
:1, xrefs: 6D3FF1AA
F, xrefs: 6D48DFA9
yi, xrefs: 6D3FC1AF
(M, xrefs: 6D3FAA4B
]H, xrefs: 6D3FD68F
6, xrefs: 6D49400A
I>, xrefs: 6D3FAF12
],, xrefs: 6D3FBE51
F4, xrefs: 6D3FD670
#", xrefs: 6D48C632
i&, xrefs: 6D4918CB
Rk, xrefs: 6D3FEE4F
T, xrefs: 6D3FC69A
XW, xrefs: 6D3FC5BE
/|, xrefs: 6D3F9C07
k;, xrefs: 6D48F6EB
4B, xrefs: 6D3FA998
', xrefs: 6D48B350
]-, xrefs: 6D490F12
a, xrefs: 6D3FFD34
d^, xrefs: 6D48E53C
u, xrefs: 6D404849
Ew, xrefs: 6D3F9A88
2, xrefs: 6D3FAC0C
/M6t, xrefs: 6D48BD20
H;, xrefs: 6D3F99E6
U, xrefs: 6D3FDB1D
QK, xrefs: 6D3FA395
*~, xrefs: 6D3FCA2E
dU, xrefs: 6D3F8923
", xrefs: 6D3FE01C
j1, xrefs: 6D3FBC29
ym, xrefs: 6D3FA640
\X, xrefs: 6D3FADBF
R#, xrefs: 6D3FD22C
tz, xrefs: 6D3FA38A
YP, xrefs: 6D3FF17D
@ , xrefs: 6D3F9DBA
{, xrefs: 6D3FA1AB
@f, xrefs: 6D3FED4C
s, xrefs: 6D3FD47F
e>, xrefs: 6D3F9567
5%, xrefs: 6D3F9999
F[, xrefs: 6D400182
f, xrefs: 6D3F8B87
(D, xrefs: 6D3FEDFD
p5, xrefs: 6D3FA95F
}(, xrefs: 6D48F043
83, xrefs: 6D3FA9CB
98, xrefs: 6D3F8E13
), xrefs: 6D3FC760
s!, xrefs: 6D400C6F
7C, xrefs: 6D3FFC18
M, xrefs: 6D48E0DA
4, xrefs: 6D3FA717
5, xrefs: 6D48C9BB
>h, xrefs: 6D3FC77D
P, xrefs: 6D3FD411
"J, xrefs: 6D48CE64
,I, xrefs: 6D3FC64C
y], xrefs: 6D3FF42F
"&, xrefs: 6D49209A
m, xrefs: 6D3F99B3
^, xrefs: 6D3FD034
[I, xrefs: 6D48E030
{l, xrefs: 6D3FEA89
^', xrefs: 6D3F8B54
fP, xrefs: 6D3F9E66
0V, xrefs: 6D3FAD59
DJ, xrefs: 6D3FF390
Pb, xrefs: 6D3FBFCC

Memory Dump Source

Source File: 00000000.00000002.2137809306.000000006D3F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D3F0000, based on PE: true

Associated: 00000000.00000002.2137794265.000000006D3F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2137865059.000000006D413000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2137887935.000000006D41A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2138029437.000000006D48B000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2138060617.000000006D495000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d3f0000_SharkHCShark.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: "$-:p$-L2Rh-$-M$/M6t$6$;$@$l$f$ #$ P$!+$"&$"J$#"$#%$#d$'$(D$(M$*~$+$++$,I$.N$/S$/|$/~$02$0V$2p$32$3^$4$4B$5%$72$7C$8-$83$8E$98$:1$:G$<^$<e$><$>h$?8$@ $@f$C;$DJ$Ew$F)$F4$F[$H;$I>$Ki$O<$Pb$QK$R#$Ra$Rk$V$W:$X>$XW$Y$YP$ZD$Zc$[9$[I$\X$],$]-$]H$^'$cR$dU$d^$dm$e>$fP$i&$ia$j1$k;$k<$m-$mC$of$p5$p5$s!$tz$u$vn$w`$y]$yi$yl$ym$z"$z6${0${l$}($~7$$)$+$2$4$5$F$K$M$R$T$U$^$`$a$m$s${
API String ID: 4275171209-1831446191
Opcode ID: cd9bee08899013b8229ba67924423f8697ba602e7b9a72d647b3c62d42730f32
Instruction ID: b094692a8899b6cfc291701311dcbfa45156019c15a2e7915049dd812128800e
Opcode Fuzzy Hash: cd9bee08899013b8229ba67924423f8697ba602e7b9a72d647b3c62d42730f32
Instruction Fuzzy Hash: 326373319A811BCBC7228E7D8588FA97BB4BB03340F54C292D518FB619C625DF47CB96

Non-executed Functions

Function 6D3FA674 Relevance: 161.9, Strings: 126, Instructions: 4394COMMON

Download Yara Rule

Strings

vn, xrefs: 6D3F9552
W:, xrefs: 6D3F9390
#%, xrefs: 6D3F94B2
Ki, xrefs: 6D3FEBD7
/~, xrefs: 6D3FB01F
-M, xrefs: 6D3FAD72
#, xrefs: 6D3FCDFD
Zc, xrefs: 6D3FD431
C;, xrefs: 6D40168B
Ra, xrefs: 6D3F900F
l, xrefs: 6D48BDEE
?8, xrefs: 6D3FEAC4
`, xrefs: 6D3FBBAB
2p, xrefs: 6D3F9145
dm, xrefs: 6D3F8A5D
V, xrefs: 6D403D25
yl, xrefs: 6D3F95BD
<e, xrefs: 6D48BC28
-:p, xrefs: 6D48E211
p5, xrefs: 6D3FFD74
++, xrefs: 6D3FD04E
m-, xrefs: 6D3FB95D
k<, xrefs: 6D3FC713
Y, xrefs: 6D3FD53E
<^, xrefs: 6D48BC5A
-L2Rh-, xrefs: 6D3F933D
~7, xrefs: 6D3FDE97
of, xrefs: 6D3F8AEE
R, xrefs: 6D3FBF16
ZD, xrefs: 6D3FA764
K, xrefs: 6D3FAAD2
+, xrefs: 6D48F2C5
4, xrefs: 6D3FDD46
z", xrefs: 6D48F1A1
, xrefs: 6D48B531
;, xrefs: 6D403266
#d, xrefs: 6D3F8FD8
[9, xrefs: 6D3FB39B
X>, xrefs: 6D3F94FF
72, xrefs: 6D48CBBF
!+, xrefs: 6D48B327
32, xrefs: 6D3FCF4B
:G, xrefs: 6D3FDCEC
.N, xrefs: 6D3FE2C7
8-, xrefs: 6D3FA947
8E, xrefs: 6D3F98C1
F), xrefs: 6D401364
/S, xrefs: 6D3FC83A
w`, xrefs: 6D48C0B5
+, xrefs: 6D401620
O<, xrefs: 6D3FF48D
><, xrefs: 6D400AB6
mC, xrefs: 6D3F995E
{0, xrefs: 6D3FE317
z6, xrefs: 6D3F9741
02, xrefs: 6D3FDEE5
cR, xrefs: 6D3F901A
3^, xrefs: 6D3FE27D
:1, xrefs: 6D3FF1AA
F, xrefs: 6D48DFA9
yi, xrefs: 6D3FC1AF
(M, xrefs: 6D3FAA4B
]H, xrefs: 6D3FD68F
6, xrefs: 6D49400A
],, xrefs: 6D3FBE51
F4, xrefs: 6D3FD670
#", xrefs: 6D48C632
i&, xrefs: 6D4918CB
Rk, xrefs: 6D3FEE4F
T, xrefs: 6D3FC69A
XW, xrefs: 6D3FC5BE
/|, xrefs: 6D3F9C07
k;, xrefs: 6D48F6EB
4B, xrefs: 6D3FA998
', xrefs: 6D48B350
]-, xrefs: 6D490F12
a, xrefs: 6D3FFD34
d^, xrefs: 6D48E53C
u, xrefs: 6D404849
Ew, xrefs: 6D3F9A88
/M6t, xrefs: 6D48BD20
H;, xrefs: 6D3F99E6
U, xrefs: 6D3FDB1D
QK, xrefs: 6D3FA395
*~, xrefs: 6D3FCA2E
dU, xrefs: 6D3F8923
", xrefs: 6D3FE01C
j1, xrefs: 6D3FBC29
ym, xrefs: 6D3FA640
\X, xrefs: 6D3FADBF
R#, xrefs: 6D3FD22C
tz, xrefs: 6D3FA38A
YP, xrefs: 6D3FF17D
@ , xrefs: 6D3F9DBA
{, xrefs: 6D3FA1AB
@f, xrefs: 6D3FED4C
s, xrefs: 6D3FD47F
e>, xrefs: 6D3F9567
F[, xrefs: 6D400182
f, xrefs: 6D3F8B87
(D, xrefs: 6D3FEDFD
p5, xrefs: 6D3FA95F
}(, xrefs: 6D48F043
83, xrefs: 6D3FA9CB
98, xrefs: 6D3F8E13
), xrefs: 6D3FC760
s!, xrefs: 6D400C6F
7C, xrefs: 6D3FFC18
M, xrefs: 6D48E0DA
4, xrefs: 6D3FA717
5, xrefs: 6D48C9BB
>h, xrefs: 6D3FC77D
P, xrefs: 6D3FD411
"J, xrefs: 6D48CE64
,I, xrefs: 6D3FC64C
y], xrefs: 6D3FF42F
"&, xrefs: 6D49209A
m, xrefs: 6D3F99B3
^, xrefs: 6D3FD034
[I, xrefs: 6D48E030
{l, xrefs: 6D3FEA89
^', xrefs: 6D3F8B54
fP, xrefs: 6D3F9E66
0V, xrefs: 6D3FAD59
DJ, xrefs: 6D3FF390
Pb, xrefs: 6D3FBFCC

Memory Dump Source

Source File: 00000000.00000002.2137809306.000000006D3F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D3F0000, based on PE: true

Associated: 00000000.00000002.2137794265.000000006D3F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2137865059.000000006D413000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2137887935.000000006D41A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2138029437.000000006D48B000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2138060617.000000006D495000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d3f0000_SharkHCShark.jbxd

Yara matches

Similarity

API ID:
String ID: "$-:p$-L2Rh-$-M$/M6t$6$;$l$f$ #$ P$!+$"&$"J$#"$#%$#d$'$(D$(M$*~$+$++$,I$.N$/S$/|$/~$02$0V$2p$32$3^$4$4B$72$7C$8-$83$8E$98$:1$:G$<^$<e$><$>h$?8$@ $@f$C;$DJ$Ew$F)$F4$F[$H;$Ki$O<$Pb$QK$R#$Ra$Rk$V$W:$X>$XW$Y$YP$ZD$Zc$[9$[I$\X$],$]-$]H$^'$cR$dU$d^$dm$e>$fP$i&$j1$k;$k<$m-$mC$of$p5$p5$s!$tz$u$vn$w`$y]$yi$yl$ym$z"$z6${0${l$}($~7$$)$+$4$5$F$K$M$R$T$U$^$`$a$m$s${
API String ID: 0-3895616205
Opcode ID: e5bae1ddb960f12188c21fb7ffa3a1b3e84f863d2834dedc96f15548fa25d30f
Instruction ID: e4a632f0386bc2a856b2ac29ef5d9ed81ff3ab0ade856953613ec2ab0a6b4b4e
Opcode Fuzzy Hash: e5bae1ddb960f12188c21fb7ffa3a1b3e84f863d2834dedc96f15548fa25d30f
Instruction Fuzzy Hash: D56373319A811ACBC7228E7D8988FE87B75BB03340F54C292D518FB619C625DF47CB96

Function 6D40721A Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,00000000), ref: 6D407226
IsDebuggerPresent.KERNEL32 ref: 6D4072F2
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6D40730B
UnhandledExceptionFilter.KERNEL32(?), ref: 6D407315

Memory Dump Source

Source File: 00000000.00000002.2137809306.000000006D3F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D3F0000, based on PE: true

Associated: 00000000.00000002.2137794265.000000006D3F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2137865059.000000006D413000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2137887935.000000006D41A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2138029437.000000006D48B000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2138060617.000000006D495000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d3f0000_SharkHCShark.jbxd

Yara matches

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: c4d6a58ebcf65a6632fa41dafb235e11617e39fccf99bfca59f222b8f98c3eb0
Instruction ID: d7eabfd642394e03dd3aa43789bcb16632e3bc9f547c781f3bbdc1e9b66c64be
Opcode Fuzzy Hash: c4d6a58ebcf65a6632fa41dafb235e11617e39fccf99bfca59f222b8f98c3eb0
Instruction Fuzzy Hash: E731F675D052199BDF20EFA4D949BCDBBF8AF08304F1041AAE50CAB240EB709E85CF45

Function 6D406D41 Relevance: 6.0, APIs: 4, Instructions: 12COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,6D406E61,6D413934), ref: 6D406D46
UnhandledExceptionFilter.KERNEL32(?), ref: 6D406D4F
GetCurrentProcess.KERNEL32(C0000409), ref: 6D406D5A
TerminateProcess.KERNEL32(00000000), ref: 6D406D61

Memory Dump Source

Source File: 00000000.00000002.2137809306.000000006D3F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D3F0000, based on PE: true

Associated: 00000000.00000002.2137794265.000000006D3F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2137865059.000000006D413000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2137887935.000000006D41A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2138029437.000000006D48B000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2138060617.000000006D495000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d3f0000_SharkHCShark.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID:
API String ID: 3231755760-0
Opcode ID: 0b7b5b65ae8c1f4e615ac25aac0002094007a4a75348284af07746160580bde9
Instruction ID: 25c1cc35e2ed829417d167ce77ea8fb466b3b13961c71c16d73c6b0d3fae8430
Opcode Fuzzy Hash: 0b7b5b65ae8c1f4e615ac25aac0002094007a4a75348284af07746160580bde9
Instruction Fuzzy Hash: 70D0CA3210020ABBCE003BE0CC0EBA93FB8AB0B256F000000F72A82008CB3189448B61

Function 6D40B1B7 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6D40B2AF
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6D40B2B9
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 6D40B2C6

Memory Dump Source

Source File: 00000000.00000002.2137809306.000000006D3F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D3F0000, based on PE: true

Associated: 00000000.00000002.2137794265.000000006D3F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2137865059.000000006D413000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2137887935.000000006D41A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2138029437.000000006D48B000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2138060617.000000006D495000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d3f0000_SharkHCShark.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 0ef718b75305449e6902cb1da1ec4da895df048be8350c34c011089ac7c3ca76
Instruction ID: b1931599ef9d1b846e78f1021fa6bd614430f29f1b42d5771776f6029d533c79
Opcode Fuzzy Hash: 0ef718b75305449e6902cb1da1ec4da895df048be8350c34c011089ac7c3ca76
Instruction Fuzzy Hash: B2319374D012299BCB21DF64D988B9DBBB8BF08314F6041EAE51CA7250E7709F858F49

Function 6D3F76E0 Relevance: 3.1, Strings: 2, Instructions: 622COMMON

Download Yara Rule

Strings

IrQ, xrefs: 6D3F7F92
IrQ, xrefs: 6D3F7B32

Memory Dump Source

Source File: 00000000.00000002.2137809306.000000006D3F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D3F0000, based on PE: true

Associated: 00000000.00000002.2137794265.000000006D3F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2137865059.000000006D413000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2137887935.000000006D41A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2138029437.000000006D48B000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2138060617.000000006D495000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d3f0000_SharkHCShark.jbxd

Yara matches

Similarity

API ID:
String ID: IrQ$IrQ
API String ID: 0-3487509776
Opcode ID: c059a8b875c7391225f82b9625e9eb91a9a6fea4ad1fb238ddf46940ec41396d
Instruction ID: 1059a24c24461b16819b522c0e21cba84c7d821e8279fef601da0dd2025baf7e
Opcode Fuzzy Hash: c059a8b875c7391225f82b9625e9eb91a9a6fea4ad1fb238ddf46940ec41396d
Instruction Fuzzy Hash: 8132DDB6E5030A8FDB05CEACC591BED7BF6FB46311F108919E528DB394D23A9906CB50

Function 6D411E05 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,6D411E00,?,?,00000008,?,?,6D411A03,00000000), ref: 6D412032

Memory Dump Source

Source File: 00000000.00000002.2137809306.000000006D3F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D3F0000, based on PE: true

Associated: 00000000.00000002.2137794265.000000006D3F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2137865059.000000006D413000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2137887935.000000006D41A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2138029437.000000006D48B000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2138060617.000000006D495000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d3f0000_SharkHCShark.jbxd

Yara matches

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 331d50ccf44aa534050ca8fc342260057c45c9eacd1877e594aaa2a86fa4b0a3
Instruction ID: b2917231004e2d99e6d34c3112f9a387b125a838b78d1d41c2919c7a380cce73
Opcode Fuzzy Hash: 331d50ccf44aa534050ca8fc342260057c45c9eacd1877e594aaa2a86fa4b0a3
Instruction Fuzzy Hash: 67B1283122460A9FD715CF28C886B757BE0FF46364F258658E9A9CF2A1C735ED92CB40

Function 6D4073D8 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6D4073EE

Memory Dump Source

Source File: 00000000.00000002.2137809306.000000006D3F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D3F0000, based on PE: true

Associated: 00000000.00000002.2137794265.000000006D3F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2137865059.000000006D413000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2137887935.000000006D41A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2138029437.000000006D48B000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2138060617.000000006D495000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d3f0000_SharkHCShark.jbxd

Yara matches

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: bf8c7dfb98accff4e740f2e000e38180167058ea22c33278281f722d42de823e
Instruction ID: 43eaeb2d52cf03f1908f3cdcd3527f5b7d4ee2f9457dad8b144510ecb672b949
Opcode Fuzzy Hash: bf8c7dfb98accff4e740f2e000e38180167058ea22c33278281f722d42de823e
Instruction Fuzzy Hash: 44518AB1E196169BEB05CFA4C581BAABBF0FB4A351F24807AC416EB780D379DD00CB51

Function 6D40B868 Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2137809306.000000006D3F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D3F0000, based on PE: true

Associated: 00000000.00000002.2137794265.000000006D3F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2137865059.000000006D413000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2137887935.000000006D41A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2138029437.000000006D48B000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2138060617.000000006D495000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d3f0000_SharkHCShark.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3c39d19c32a54ac2810f6f757fbc0f7f09505887cc306d65b232c382b103a9f
Instruction ID: 915b0450bb4576b5d453a5bce471049bdabdecc0b8e405cac64749cc458305ff
Opcode Fuzzy Hash: c3c39d19c32a54ac2810f6f757fbc0f7f09505887cc306d65b232c382b103a9f
Instruction Fuzzy Hash: AC4190B5808219AFDB10DF79CC88EAABBB8EF45304F1442EDE459A3210DB359E848F54

Function 6D3F1010 Relevance: 1.6, Strings: 1, Instructions: 322COMMON

Download Yara Rule

Strings

a>E}, xrefs: 6D3F11E5

Memory Dump Source

Source File: 00000000.00000002.2137809306.000000006D3F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D3F0000, based on PE: true

Associated: 00000000.00000002.2137794265.000000006D3F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2137865059.000000006D413000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2137887935.000000006D41A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2138029437.000000006D48B000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2138060617.000000006D495000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d3f0000_SharkHCShark.jbxd

Yara matches

Similarity

API ID:
String ID: a>E}
API String ID: 0-798044449
Opcode ID: 3491f2356789f26b0c837018130fda807e778ec270d4b4120135ac2ae1ea256a
Instruction ID: c7a31003f453674e84ddf77a352dcd9a598bc5aa725a0359c092cab59cbc4039
Opcode Fuzzy Hash: 3491f2356789f26b0c837018130fda807e778ec270d4b4120135ac2ae1ea256a
Instruction Fuzzy Hash: DDB127B2A0424A8FCF04CEBCD8817DEB7F6BB8A352F149119C511EB345C33A9806CB65

Function 6D3F82E0 Relevance: .3, Instructions: 346COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2137809306.000000006D3F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D3F0000, based on PE: true

Associated: 00000000.00000002.2137794265.000000006D3F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2137865059.000000006D413000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2137887935.000000006D41A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2138029437.000000006D48B000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2138060617.000000006D495000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d3f0000_SharkHCShark.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36c34ba34dd5435ab276e82175ebbb1b6c0758d205ecb3163ca4c37e13cd667c
Instruction ID: 6b29bfb1c95ab6cbe6b1c3c4c5deef3465ec0f7b9e1b80ff4f230c21b95a1b1b
Opcode Fuzzy Hash: 36c34ba34dd5435ab276e82175ebbb1b6c0758d205ecb3163ca4c37e13cd667c
Instruction Fuzzy Hash: F5C11BB6A102098FCF0DCE7DC9967DE77F2AB4A331F109219D521E73D4C63A990A8B10

Function 6D408C4A Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 6D408D69
___TypeMatch.LIBVCRUNTIME ref: 6D408E77
CatchIt.LIBVCRUNTIME ref: 6D408EC8
_UnwindNestedFrames.LIBCMT ref: 6D408FC9
CallUnexpected.LIBVCRUNTIME ref: 6D408FE4

Strings

csm, xrefs: 6D408DA0
csm, xrefs: 6D408CF4
csm, xrefs: 6D408C87

Memory Dump Source

Source File: 00000000.00000002.2137809306.000000006D3F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D3F0000, based on PE: true

Associated: 00000000.00000002.2137794265.000000006D3F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2137865059.000000006D413000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2137887935.000000006D41A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2138029437.000000006D48B000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2138060617.000000006D495000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d3f0000_SharkHCShark.jbxd

Yara matches

Similarity

API ID: CallCatchFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 4119006552-393685449
Opcode ID: e16a664a41db68ec50206e3f8e3b3bd00b2d0f085221b4933cae3e56665d4463
Instruction ID: bb666887ece26e1c69a6389f6923ad227c2be668c4ee4b46dc3202dd1f2f67b7
Opcode Fuzzy Hash: e16a664a41db68ec50206e3f8e3b3bd00b2d0f085221b4933cae3e56665d4463
Instruction Fuzzy Hash: 6AB1467180420AEFCF05EFA4CA80DAEBBB6BF08314B25467AE9146B215D731DE51CBD1

Function 6D407CF0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 6D407D27
___except_validate_context_record.LIBVCRUNTIME ref: 6D407D2F
_ValidateLocalCookies.LIBCMT ref: 6D407DB8
__IsNonwritableInCurrentImage.LIBCMT ref: 6D407DE3
_ValidateLocalCookies.LIBCMT ref: 6D407E38

Strings

csm, xrefs: 6D407DCD

Memory Dump Source

Source File: 00000000.00000002.2137809306.000000006D3F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D3F0000, based on PE: true

Associated: 00000000.00000002.2137794265.000000006D3F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2137865059.000000006D413000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2137887935.000000006D41A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2138029437.000000006D48B000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2138060617.000000006D495000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d3f0000_SharkHCShark.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 67ff2ba41987b9a675a6290ad30c4a9dd0af7b2e806c4958e5567d99ebbf9207
Instruction ID: e976278a74dc2316edf2317333bb2e9ebb31f1212cd3b4f3c53feccc74ed8a01
Opcode Fuzzy Hash: 67ff2ba41987b9a675a6290ad30c4a9dd0af7b2e806c4958e5567d99ebbf9207
Instruction Fuzzy Hash: 0C416034E08599ABCF00DF68C884EAE7BB5AF45318F208169E9155B352D731DD45CBD1

Function 6D40CBBA Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,6D40CCC9,00000000,6D40A4D0,00000000,00000000,00000001,?,6D40CE42,00000022,FlsSetValue,6D414CD8,6D414CE0,00000000), ref: 6D40CC7B

Strings

ext-ms-, xrefs: 6D40CC25
api-ms-, xrefs: 6D40CC11

Memory Dump Source

Source File: 00000000.00000002.2137809306.000000006D3F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D3F0000, based on PE: true

Associated: 00000000.00000002.2137794265.000000006D3F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2137865059.000000006D413000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2137887935.000000006D41A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2138029437.000000006D48B000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2138060617.000000006D495000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d3f0000_SharkHCShark.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 2699334d1383bab39a898be6f6424132910fa75249fcc3bdef9d3c42e6da4437
Instruction ID: 63a1af6ab4644ac9dabdb2ad5ebb7c572be0e60a6efbdc0a4bdfbad66e609248
Opcode Fuzzy Hash: 2699334d1383bab39a898be6f6424132910fa75249fcc3bdef9d3c42e6da4437
Instruction Fuzzy Hash: 5D21D831909112EBDB11AB24DD85F6B3BB99F837A4B224135E925A73C4D730ED05CAE0

Function 6D40829C Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,6D408293,6D407FF0), ref: 6D4082AA
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6D4082B8
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6D4082D1
SetLastError.KERNEL32(00000000,6D408293,6D407FF0), ref: 6D408323

Memory Dump Source

Source File: 00000000.00000002.2137809306.000000006D3F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D3F0000, based on PE: true

Associated: 00000000.00000002.2137794265.000000006D3F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2137865059.000000006D413000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2137887935.000000006D41A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2138029437.000000006D48B000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2138060617.000000006D495000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d3f0000_SharkHCShark.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 8cfa0a72c9d9827a694f87546e6dfd4a321fb942523f33f2fa61e9d77d42eb53
Instruction ID: 2fb6b8135d2ca6322e4ed3d52699de61a1c30c2ee3484bf607d6da2e34ebd9a4
Opcode Fuzzy Hash: 8cfa0a72c9d9827a694f87546e6dfd4a321fb942523f33f2fa61e9d77d42eb53
Instruction Fuzzy Hash: 9201D83210DB225FEA0137756E85E2F2EBCEB437B9330023DE221926D0EF62CC419280

Function 6D40BDEE Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\SharkHCShark.exe, xrefs: 6D40BE0A

Memory Dump Source

Source File: 00000000.00000002.2137809306.000000006D3F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D3F0000, based on PE: true

Associated: 00000000.00000002.2137794265.000000006D3F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2137865059.000000006D413000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2137887935.000000006D41A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2138029437.000000006D48B000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2138060617.000000006D495000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d3f0000_SharkHCShark.jbxd

Yara matches

Similarity

API ID:
String ID: C:\Users\user\Desktop\SharkHCShark.exe
API String ID: 0-3793623226
Opcode ID: b8a0eeb4b2b9ab50f9b09297feb8093313d32794c042c151a3d167149adc1ffd
Instruction ID: 02b2f4846c4fa3de1b8024dfb35c5dd03bcc19da5e7d497a2d536c33091a8499
Opcode Fuzzy Hash: b8a0eeb4b2b9ab50f9b09297feb8093313d32794c042c151a3d167149adc1ffd
Instruction Fuzzy Hash: A9216D71608206AFDB11DF75CC80D6B7BADEF013687218939EB2897240E734ED4187EA

Function 6D409DFE Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,A1372F1C,00000000,?,00000000,6D412702,000000FF,?,6D409D98,?,?,6D409D6C,?), ref: 6D409E33
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6D409E45
FreeLibrary.KERNEL32(00000000,?,00000000,6D412702,000000FF,?,6D409D98,?,?,6D409D6C,?), ref: 6D409E67

Strings

mscoree.dll, xrefs: 6D409E2C
CorExitProcess, xrefs: 6D409E3D

Memory Dump Source

Source File: 00000000.00000002.2137809306.000000006D3F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D3F0000, based on PE: true

Associated: 00000000.00000002.2137794265.000000006D3F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2137865059.000000006D413000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2137887935.000000006D41A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2138029437.000000006D48B000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2138060617.000000006D495000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d3f0000_SharkHCShark.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: c88333145f0585015d583f01d8c1951d9ecce154ff13680e6dea89a66fa3a457
Instruction ID: 0126aadfee2ffb3de07979957942bf33a894218312071721975a0e7ac3ee35e0
Opcode Fuzzy Hash: c88333145f0585015d583f01d8c1951d9ecce154ff13680e6dea89a66fa3a457
Instruction Fuzzy Hash: CB01623590466ABBDF01AF50CC09FBFBBF9FB05B55F004529E921A2284DB75DE04CA94

Function 6D408FEF Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?), ref: 6D409014
CatchIt.LIBVCRUNTIME ref: 6D4090FA

Strings

MOC, xrefs: 6D409026
RCC, xrefs: 6D40902E

Memory Dump Source

Source File: 00000000.00000002.2137809306.000000006D3F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D3F0000, based on PE: true

Associated: 00000000.00000002.2137794265.000000006D3F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2137865059.000000006D413000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2137887935.000000006D41A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2138029437.000000006D48B000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2138060617.000000006D495000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d3f0000_SharkHCShark.jbxd

Yara matches

Similarity

API ID: CatchEncodePointer
String ID: MOC$RCC
API String ID: 1435073870-2084237596
Opcode ID: cc929c80a3c362961632a1255f6bd08f0822931968f98a840564854ff83fdad1
Instruction ID: b9e22a833ae5170021e8b1df24bb13fcafe19520d05237cbd36abcc350e61d7e
Opcode Fuzzy Hash: cc929c80a3c362961632a1255f6bd08f0822931968f98a840564854ff83fdad1
Instruction Fuzzy Hash: 22415875A0020AEFDF01DF94CD85EAE7BB5FF49304F298069FA186A211D3769950DB90

Function 6D408872 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,6D408823,00000000,?,00000001,?,?,?,6D408912,00000001,FlsFree,6D4143B0,FlsFree), ref: 6D40887F
GetLastError.KERNEL32(?,6D408823,00000000,?,00000001,?,?,?,6D408912,00000001,FlsFree,6D4143B0,FlsFree,00000000,?,6D408371), ref: 6D408889
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 6D4088B1

Strings

api-ms-, xrefs: 6D408896

Memory Dump Source

Source File: 00000000.00000002.2137809306.000000006D3F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D3F0000, based on PE: true

Associated: 00000000.00000002.2137794265.000000006D3F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2137865059.000000006D413000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2137887935.000000006D41A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2138029437.000000006D48B000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2138060617.000000006D495000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d3f0000_SharkHCShark.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: fbf5662dcaf9ee144e10073c07db8e8f8e598801b75c5aa574882eb02731ffbf
Instruction ID: 99aab60784752fc4ef68b8591bae5c29ec61127a0419686ea6f9d002c64d6940
Opcode Fuzzy Hash: fbf5662dcaf9ee144e10073c07db8e8f8e598801b75c5aa574882eb02731ffbf
Instruction Fuzzy Hash: 38E04F3168420ABBFF503F60DD0AF793FA99B81B64F200070FA4DE81E5E761DD549989

Function 6D40EF82 Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(A1372F1C,00000000,00000000,?), ref: 6D40EFE5

Part of subcall function 6D40C9BC: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6D40EA20,?,00000000,-00000008), ref: 6D40CA1D

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 6D40F237
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6D40F27D
GetLastError.KERNEL32 ref: 6D40F320

Memory Dump Source

Source File: 00000000.00000002.2137809306.000000006D3F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D3F0000, based on PE: true

Associated: 00000000.00000002.2137794265.000000006D3F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2137865059.000000006D413000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2137887935.000000006D41A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2138029437.000000006D48B000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2138060617.000000006D495000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d3f0000_SharkHCShark.jbxd

Yara matches

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 103f10efdddeef65fcf47faed8f665204065e7d159a6e2f5f074f509e2300011
Instruction ID: 975dbd75ef28c0d8d553bb72850460711c5b054acf2a5963bdc78e4031434411
Opcode Fuzzy Hash: 103f10efdddeef65fcf47faed8f665204065e7d159a6e2f5f074f509e2300011
Instruction Fuzzy Hash: CBD16975D052499FCB05CFE8C880AADBBB9FF49314F24457AE926AB341D730AD42CB54

Function 6D4089F3 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 6D408ABA
___AdjustPointer.LIBCMT ref: 6D408ADD
___AdjustPointer.LIBCMT ref: 6D408B79

Memory Dump Source

Source File: 00000000.00000002.2137809306.000000006D3F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D3F0000, based on PE: true

Associated: 00000000.00000002.2137794265.000000006D3F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2137865059.000000006D413000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2137887935.000000006D41A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2138029437.000000006D48B000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2138060617.000000006D495000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d3f0000_SharkHCShark.jbxd

Yara matches

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 6e251e1ac6811c89d952155af7b391ffaddd4a95e989c2828812dd29785b47a0
Instruction ID: 18b7c4d239cf3e1f0cae494894128c303359476f973c1d77c4a0952d5c5e41d7
Opcode Fuzzy Hash: 6e251e1ac6811c89d952155af7b391ffaddd4a95e989c2828812dd29785b47a0
Instruction Fuzzy Hash: E5519AB2A09602EFEB15AF14CA80F6A77B5EF04314F21453DE91557691EB31EC81CAD0

Function 6D40B608 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 6D40C9BC: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6D40EA20,?,00000000,-00000008), ref: 6D40CA1D

GetLastError.KERNEL32 ref: 6D40B66C
__dosmaperr.LIBCMT ref: 6D40B673
GetLastError.KERNEL32(?,?,?,?), ref: 6D40B6AD
__dosmaperr.LIBCMT ref: 6D40B6B4

Memory Dump Source

Source File: 00000000.00000002.2137809306.000000006D3F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D3F0000, based on PE: true

Associated: 00000000.00000002.2137794265.000000006D3F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2137865059.000000006D413000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2137887935.000000006D41A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2138029437.000000006D48B000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2138060617.000000006D495000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d3f0000_SharkHCShark.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 75a53a6284475318ad0ade6f0f5ceea1a4e7824d55a2a01e871374380024be9b
Instruction ID: 71cde75577a8bcee7a4a71fa4197c8ef91ffb1c85efb5705965948df56aefe43
Opcode Fuzzy Hash: 75a53a6284475318ad0ade6f0f5ceea1a4e7824d55a2a01e871374380024be9b
Instruction Fuzzy Hash: BB21C231618206AF9B12DF65C880D7AB7BDFF00368715893CE91997250DB30ED018BE9

Function 6D40CA5F Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 6D40CA67

Part of subcall function 6D40C9BC: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6D40EA20,?,00000000,-00000008), ref: 6D40CA1D

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6D40CA9F
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6D40CABF

Memory Dump Source

Source File: 00000000.00000002.2137809306.000000006D3F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D3F0000, based on PE: true

Associated: 00000000.00000002.2137794265.000000006D3F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2137865059.000000006D413000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2137887935.000000006D41A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2138029437.000000006D48B000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2138060617.000000006D495000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d3f0000_SharkHCShark.jbxd

Yara matches

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 486b2af92f7f1577a079df081219af99fada2cb870403fe3a12a9e0fdf1dfb22
Instruction ID: cc477d07b96314fbe5b679231f5eed273e3069eab54f44abf636350cf09bb979
Opcode Fuzzy Hash: 486b2af92f7f1577a079df081219af99fada2cb870403fe3a12a9e0fdf1dfb22
Instruction Fuzzy Hash: A411A1B2519526BFAA01E7B54C89E7F2D7CDE962A87110439FA01E1200EF74CD0289F0

Function 6D4108F6 Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,6D4100B6,00000000,00000001,00000000,?,?,6D40F374,?,00000000,00000000), ref: 6D41090D
GetLastError.KERNEL32(?,6D4100B6,00000000,00000001,00000000,?,?,6D40F374,?,00000000,00000000,?,?,?,6D40F917,00000000), ref: 6D410919

Part of subcall function 6D4108DF: CloseHandle.KERNEL32(FFFFFFFE,6D410929,?,6D4100B6,00000000,00000001,00000000,?,?,6D40F374,?,00000000,00000000,?,?), ref: 6D4108EF

___initconout.LIBCMT ref: 6D410929

Part of subcall function 6D4108A1: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6D4108D0,6D4100A3,?,?,6D40F374,?,00000000,00000000,?), ref: 6D4108B4

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,6D4100B6,00000000,00000001,00000000,?,?,6D40F374,?,00000000,00000000,?), ref: 6D41093E

Memory Dump Source

Source File: 00000000.00000002.2137809306.000000006D3F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D3F0000, based on PE: true

Associated: 00000000.00000002.2137794265.000000006D3F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2137865059.000000006D413000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2137887935.000000006D41A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2138029437.000000006D48B000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2138060617.000000006D495000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d3f0000_SharkHCShark.jbxd

Yara matches

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 0a4e7c8afbef178c7d39d00c7a7ce2bdcbedbcee52c6e607ae09d08c697f52a6
Instruction ID: 990f2468256dfa0df3b93d43dae4c7eff48c068eb670829d17e6abdf7109f8a2
Opcode Fuzzy Hash: 0a4e7c8afbef178c7d39d00c7a7ce2bdcbedbcee52c6e607ae09d08c697f52a6
Instruction Fuzzy Hash: 95F0F836448119BBCF226F92DC09FAA7F76EF0A7B5B054054FA1C95220C732CC209BD1

Analysis Process: MSBuild.exePID: 5256, Parent PID: 4904COMMON

Execution Graph

Execution Coverage:	9.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	49
Total number of Limit Nodes:	3

Executed Functions

Function 02A92069 Relevance: .5, Instructions: 470
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.2127300694.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2a90000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23a92e39c32b5280c2895d804f9d213909ca6205b979ce1f798ee216426e798c
Instruction ID: 078edebf67f5d44bc3db9b07b1b1fac5b154178fbac9aa11fb7d3cad12243efd
Opcode Fuzzy Hash: 23a92e39c32b5280c2895d804f9d213909ca6205b979ce1f798ee216426e798c
Instruction Fuzzy Hash: B5123934A00254DFDB15DB69C894BA9BBF2AF88310F1585D9D90AAB361CE31ED81CF50

Function 02A91878 Relevance: 1.8, Strings: 1, Instructions: 529
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

2, xrefs: 02A91C5C

Memory Dump Source

Source File: 00000003.00000002.2127300694.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2a90000_MSBuild.jbxd

Similarity

API ID:
String ID: 2
API String ID: 0-450215437
Opcode ID: b1379cb865e37a035e6d37128f86fc3e99aa6d86a4b821c20f8c3bbc6a00dbde
Instruction ID: 596c6aff093ae3d3935c53d8eb7caa88430ce32af3a2d5989e18d3d35a81621c
Opcode Fuzzy Hash: b1379cb865e37a035e6d37128f86fc3e99aa6d86a4b821c20f8c3bbc6a00dbde
Instruction Fuzzy Hash: CA32F474A04219CFCB18DF6AD594B6DBBF2BB88300F6085A9D50A9B355DF70AC81CF51

Function 02BBA188 Relevance: 1.7, APIs: 1, Instructions: 196
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02BBA3DE

Memory Dump Source

Source File: 00000003.00000002.2127504908.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2bb0000_MSBuild.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: c5b71edd6505ba001bd4dadfb040e3e217d5d26437934b468db7cf7358fc766a
Instruction ID: 32151a96d6064d2f06a296cf006ab4b5ef05bfe13bc8c6e909c0b27c812f5637
Opcode Fuzzy Hash: c5b71edd6505ba001bd4dadfb040e3e217d5d26437934b468db7cf7358fc766a
Instruction Fuzzy Hash: BF713370A00B058FDB25DF6AD5407AABBF5FF88204F108A6DD48AD7A50DBB5E845CB90

Function 02BB3690 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02BB4FF1

Memory Dump Source

Source File: 00000003.00000002.2127504908.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2bb0000_MSBuild.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: d5ad2ae3ee4bb0a3f744399dacce249e4bdf4bfd82cb32bbacbd3c9b03d18be5
Instruction ID: 4107f7b239bf9b5d2dc9a7e5a8b457cf31a66bb54821f32f836164c613581a7f
Opcode Fuzzy Hash: d5ad2ae3ee4bb0a3f744399dacce249e4bdf4bfd82cb32bbacbd3c9b03d18be5
Instruction Fuzzy Hash: 9941F1B0C0471DCBEB25CFA9C944BDEBBB5BF48304F6084AAD509AB251DBB16945CF90

Function 02BB4F34 Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02BB4FF1

Memory Dump Source

Source File: 00000003.00000002.2127504908.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2bb0000_MSBuild.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 4fa208ceaf1d584a612977aa342c33ba624c0d740d719f8a93c3a3ab1133b0f0
Instruction ID: 4f9933b39ade9f4c3e7957b4893a491367e018a5c671f63ea74ee685185fff76
Opcode Fuzzy Hash: 4fa208ceaf1d584a612977aa342c33ba624c0d740d719f8a93c3a3ab1133b0f0
Instruction Fuzzy Hash: A64102B0C00318CFEB25CFA9C984BDDBBB5BF48304F6084AAD408AB251DBB56945CF90

Function 02BBC729 Relevance: 1.6, APIs: 1, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02BBC6EF

Memory Dump Source

Source File: 00000003.00000002.2127504908.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2bb0000_MSBuild.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b6e613da4beb9c3f3b93f17f2f544e7a7c89bf078f56e23e5ee11518745dc563
Instruction ID: 3ff35a0309ef924910d739dd1d6ba22a5aa86281e3b3d5cbd7661afbc33625c0
Opcode Fuzzy Hash: b6e613da4beb9c3f3b93f17f2f544e7a7c89bf078f56e23e5ee11518745dc563
Instruction Fuzzy Hash: 97313E74A943408FF704EFA0E98A7693B69F784360F11892AE941CB3C8DF745890CF11

Function 02BBC660 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02BBC6EF

Memory Dump Source

Source File: 00000003.00000002.2127504908.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2bb0000_MSBuild.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 4dbdd4860490f51807743bc07fbabeaa67ee11a3e5f5d7ef989fe9fdd931cee3
Instruction ID: 3877aeda23cc9ba36e334991686f7914c88f7aacb1522508cda125772429264e
Opcode Fuzzy Hash: 4dbdd4860490f51807743bc07fbabeaa67ee11a3e5f5d7ef989fe9fdd931cee3
Instruction Fuzzy Hash: 7221E3B5D002499FDB10CFAAD984AEEBFF5FB48320F24845AE914A3350D374A954CF64

Function 02BBC668 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02BBC6EF

Memory Dump Source

Source File: 00000003.00000002.2127504908.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2bb0000_MSBuild.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 261c2ed75ca7f4e02ccb234d88ff09fbe02d8a83089c7eb936a0131faacf192c
Instruction ID: 4068e976e82c76ed34e342bc64e746e39d3e40dfb1e7fc2ee917e336de3c646c
Opcode Fuzzy Hash: 261c2ed75ca7f4e02ccb234d88ff09fbe02d8a83089c7eb936a0131faacf192c
Instruction Fuzzy Hash: C521C4B59002499FDB10CFAAD984ADEBFF4FF48320F14845AE914A3350D374A954CF65

Function 02BB9E70 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02BBA459,00000800,00000000,00000000), ref: 02BBA66A

Memory Dump Source

Source File: 00000003.00000002.2127504908.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2bb0000_MSBuild.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: b04ff69c855b81e93322f83f6fbc005cf8303aaa97d37b66efe4f509a72175c3
Instruction ID: aa685a90d00cbfe401d4ac6b6f450edd24fd2aad47e930638771b958227a2378
Opcode Fuzzy Hash: b04ff69c855b81e93322f83f6fbc005cf8303aaa97d37b66efe4f509a72175c3
Instruction Fuzzy Hash: E31103B6D042099FDB10CFAAC544AEEFBF8EF48710F11846AE919A7300C7B5A544CFA4

Function 02BBA5F9 Relevance: 1.6, APIs: 1, Instructions: 52
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02BBA459,00000800,00000000,00000000), ref: 02BBA66A

Memory Dump Source

Source File: 00000003.00000002.2127504908.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2bb0000_MSBuild.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: fe404c7e81cf5bc1b6e3da3e6430b9f281a9844d978cd071047fc30683b4bf81
Instruction ID: 271e45d464cf94943ca151eef384984a746fd09b15b7045fba09af497d15937b
Opcode Fuzzy Hash: fe404c7e81cf5bc1b6e3da3e6430b9f281a9844d978cd071047fc30683b4bf81
Instruction Fuzzy Hash: F41123B6C002098FDB11CFAAC944BEEFBF4AF48710F14845AE919A7300C3B8A545CFA4

Function 02BBA378 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02BBA3DE

Memory Dump Source

Source File: 00000003.00000002.2127504908.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2bb0000_MSBuild.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: b96279984c15cf290a6cb55c554a929b5bffe3e3adc7fd6453476b38d78aad4f
Instruction ID: 18d88a0a8e85de468f80dcecfc7f4e38c5043e2f3065b11cdc6cc5d23d2290df
Opcode Fuzzy Hash: b96279984c15cf290a6cb55c554a929b5bffe3e3adc7fd6453476b38d78aad4f
Instruction Fuzzy Hash: 8311DFB6C007498FDB10CF9AC544ADEFBF4EF88224F10845AD829A7610D3B9A545CFA5

Function 08B90895 Relevance: .8, Instructions: 758
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.2128483833.0000000008B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8b90000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baa34108e5869acd68698aa9a0179bd722a4c03cb95fe568f0848782239114f9
Instruction ID: 479cc638c5bfb359bfbdd82f87f82fc7959cc8eef40d37b483562ec587eef0c1
Opcode Fuzzy Hash: baa34108e5869acd68698aa9a0179bd722a4c03cb95fe568f0848782239114f9
Instruction Fuzzy Hash: 74C19931701A048FEB26EB76C450BAEB7F6EF89701F1444ADD2869B790CB75E902CB51

Function 02A925A9 Relevance: .3, Instructions: 313COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2127300694.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2a90000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75b5206236c12e3e007649c959436714d7b8dcaaf86493f11077759903b70fb8
Instruction ID: 1b21acbe24df26706227d12f84e86cf4d1e3f74b0e0b317bc6b1ce5ebd4575f6
Opcode Fuzzy Hash: 75b5206236c12e3e007649c959436714d7b8dcaaf86493f11077759903b70fb8
Instruction Fuzzy Hash: D4D11675A00254CFCB15DF69C898B99BBF2BF89314F1584E9D90A9B362DB31EC81CB50

Function 08B90448 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2128483833.0000000008B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8b90000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f5b969faef193390277459f137b278fe342044c02450331b312666acefb3e00
Instruction ID: 8c8726a5857e067e1fa15d3ebd71ed7a90d0de8131bd31eec991504f9bc16054
Opcode Fuzzy Hash: 3f5b969faef193390277459f137b278fe342044c02450331b312666acefb3e00
Instruction Fuzzy Hash: DBB19A70B016049FDB15EBA8C594BAEBBF6EF89701F2440A9E545EB3A1CB74DD02CB50

Function 02A9CB08 Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2127300694.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2a90000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f0b714a3397dee64fac3786b1cb2cd5a498d749cd06c247c0382d4c0a1f8772
Instruction ID: d5b202906de41b3d6bf44f226150daf4e74143b840c43297b2239ed660468bd9
Opcode Fuzzy Hash: 1f0b714a3397dee64fac3786b1cb2cd5a498d749cd06c247c0382d4c0a1f8772
Instruction Fuzzy Hash: 9B918F30A04604DBDF29ABB6D5A47BD76F3EFC9340FA4046ED506AB290CE31AC41CB12

Function 02A92AEA Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2127300694.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2a90000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15439efe710d9c88b07ab031d26205808506367a29e841c3b1106898eb61b94f
Instruction ID: d8ec07d199d1bdab38599675b4edfcb56a308fdee9a703186830f79bcc8d078f
Opcode Fuzzy Hash: 15439efe710d9c88b07ab031d26205808506367a29e841c3b1106898eb61b94f
Instruction Fuzzy Hash: 45517B34A04155EFDB09EF2AD984B6A77F2FB88300F214569C8069F395CF74AC41CBA1

Function 02A90973 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2127300694.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2a90000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88d4a1fba58b94ab16715dc95a5f904309a9dd92c449278b24f1c2c85e206f68
Instruction ID: 5ab6d97ebeedc6a44a7cfc76ee428208918b9ba231a16d7d0512c29752fefc25
Opcode Fuzzy Hash: 88d4a1fba58b94ab16715dc95a5f904309a9dd92c449278b24f1c2c85e206f68
Instruction Fuzzy Hash: 6A210871E0D289DFEF46DBB799511E87FF2AF92284B1484DAC485DB202EE315A06CB01

Function 02A928B3 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2127300694.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2a90000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3764f25835a720f2dff7accc1fe7375bdb2eb03400217a702b674b9f3a97b073
Instruction ID: 6dd883665aaac88d3614bfc9c1ca0f3fad9b0fdbccd39852e7cb3be21e2b74d0
Opcode Fuzzy Hash: 3764f25835a720f2dff7accc1fe7375bdb2eb03400217a702b674b9f3a97b073
Instruction Fuzzy Hash: C43125353041409FC758DB39D4A8F69BBF2EF8A610B1540E9E50ACF3B2CA61EC05CB51

Function 02A91868 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2127300694.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2a90000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e62eab6149850fc45fa702305a6cdaa6b3f9c54f54edcb84288d55b18098532
Instruction ID: fb020361a7d8bc446ad759937fc3df486142dba0257aee6b847512757ae4bcf3
Opcode Fuzzy Hash: 6e62eab6149850fc45fa702305a6cdaa6b3f9c54f54edcb84288d55b18098532
Instruction Fuzzy Hash: E931217890419AEBDF25CB2AD4957FDBFF2AB84300F148996D059EB281CB315C81CF90

Function 029CD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2127139301.00000000029CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 029CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29cd000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b24803cba38a90b832fa2de3a785ac82a539b19edee9488330e0e0fc58632a76
Instruction ID: d48224c656306327907d2e443cca91151ae1fd4a066792f752d20b8f9ad6afbb
Opcode Fuzzy Hash: b24803cba38a90b832fa2de3a785ac82a539b19edee9488330e0e0fc58632a76
Instruction Fuzzy Hash: 2821CF75604244EFDB14DF18D980B26BBA5EB88324F30C96DD90A4B296C77AD446CA72

Function 029CD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2127139301.00000000029CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 029CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29cd000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61e425e326fa6eaaf9ed312e44c266c07f2000ec9c5befbf97b7e470558f0379
Instruction ID: 5bc7c0644c1f68c80001d3fdb08b9f1c4a0d381a56c65dc5fd9cdc956b4c63d6
Opcode Fuzzy Hash: 61e425e326fa6eaaf9ed312e44c266c07f2000ec9c5befbf97b7e470558f0379
Instruction Fuzzy Hash: 0C21F2B5504204EFDB05DF14D9C0B26BBA5FB88314F30C97DE90A4B29AC776D446CA72

Function 02A90861 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2127300694.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2a90000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 733d30611d2281f81823857f44b1e8fb931e4bdea8fd685893992b3e54138de6
Instruction ID: bc1810998c0f2220a4df1185e883ae39d823bad6d64285c42c4a652704c97ba3
Opcode Fuzzy Hash: 733d30611d2281f81823857f44b1e8fb931e4bdea8fd685893992b3e54138de6
Instruction Fuzzy Hash: 7221A534A0D289DFDB46DBBB98962ED7FF2AF96244B24C0E6C485D7112DE315916CB00

Function 029CD006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2127139301.00000000029CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 029CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29cd000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef69c83c15b6aabee0e6b0f7e5f948875e63371aa01b129d92ec61735862219a
Instruction ID: 0bcd74803340350705c285e94b2267701f7a8ac6f61ffc4b88d5d9275032a49e
Opcode Fuzzy Hash: ef69c83c15b6aabee0e6b0f7e5f948875e63371aa01b129d92ec61735862219a
Instruction Fuzzy Hash: 4D2150755093C09FDB12CF24D594715BF71EB46214F28C5EED8498B6A7C33A940ACB62

Function 02A909E0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2127300694.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2a90000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c3be91d57320564704e4b69b16b344999168bbb8ad9e02e988ea428b0bdef74
Instruction ID: f33a82a7b912d869849fd0eaf055efbcef405d977b9d38f6178330507755cd62
Opcode Fuzzy Hash: 2c3be91d57320564704e4b69b16b344999168bbb8ad9e02e988ea428b0bdef74
Instruction Fuzzy Hash: 0301B1B180D2C89FEB039BB188612A83FF19DA714031900C7C484DF253D8240907D722

Function 029CD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2127139301.00000000029CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 029CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29cd000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction ID: a21075de8916b35c2c27fc03be5f008178a28eaa14a1f9b9cda53cfc187af79c
Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction Fuzzy Hash: 73119D76504284DFDB15CF10D9C4B15FBB1FB84318F24C6AED8494B6AAC33AD44ACB62

Function 08B907D3 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2128483833.0000000008B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8b90000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b28e2c96de876b37761dcd5ce6038a0262dafdfd92dd60797153f584a4537f71
Instruction ID: 6259f1aa9b26c728220ee7105325d487bed213164847d29fb60cc358069d158e
Opcode Fuzzy Hash: b28e2c96de876b37761dcd5ce6038a0262dafdfd92dd60797153f584a4537f71
Instruction Fuzzy Hash: 9B0192326097849FC7139764D854A9A3FB5AF83315B0A85FBD098CF2A3D735881ACB51

Function 02A908E8 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2127300694.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2a90000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd8fed48820dc381911d6d798718a28386c74b32b1ed95a56fe981280673eb24
Instruction ID: eb5836ab3a8f07d20eaca60e85aed8347818224180b6523e725e14faf55e3b57
Opcode Fuzzy Hash: dd8fed48820dc381911d6d798718a28386c74b32b1ed95a56fe981280673eb24
Instruction Fuzzy Hash: 67018430E0818ADFEF49DB7B98511AD7FF1AF95340B24C4A9C446D7225EE305A02CB11

Function 02A9E7C0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2127300694.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2a90000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ddc5b9ea96c8c1726b4840dbb52a73eff49625b02bd150aa6f18bd2cd51602f
Instruction ID: 7dfe280ac8817a4a849cd12f38f11bbd4e9f4c0376a34edb60eadb39aad8a25f
Opcode Fuzzy Hash: 3ddc5b9ea96c8c1726b4840dbb52a73eff49625b02bd150aa6f18bd2cd51602f
Instruction Fuzzy Hash: E9F0F031B44104D78E14E3ABEA8057E73DBCBC2621798C87BE30EC7702CE22A8018763

Function 02A908F8 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2127300694.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2a90000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cef4aade30ec7f8168bee5c9edbf527a0a767cec035ae231ac1e6b2337024687
Instruction ID: 263b6728b7e7d0f98f68f81b6ccfeb5177ea4400bcc71936004a339c9c3bd3c0
Opcode Fuzzy Hash: cef4aade30ec7f8168bee5c9edbf527a0a767cec035ae231ac1e6b2337024687
Instruction Fuzzy Hash: 9F014F31E08109DFEF48EB6B984526D7AF6ABA4340F20C4A9C446D7214EE305A01CB00

Function 02A9779F Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2127300694.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2a90000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b869e1fb4cda64c6fcca8d77d36981fc94cf0e4e20dfc3dbbbad0bd4befaff8e
Instruction ID: 10a4f24e7448a1ddbb7d7cf11a4f6371c0fc19a15b921cceaded4c44315363d0
Opcode Fuzzy Hash: b869e1fb4cda64c6fcca8d77d36981fc94cf0e4e20dfc3dbbbad0bd4befaff8e
Instruction Fuzzy Hash: 21115E74A01214CFDB94DF68C994A99BBF1FF89301F5181E9E60AAB361DB31AD81CF01

Function 02A93EDC Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2127300694.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2a90000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9945b5534266e125e8cce5f4079d33cf116850579b4e5f3f23481d10d87ae52a
Instruction ID: a3cc4eddd352996463aa355d02ef63fa3d20ce50d88bf305ed7e12c0129d902b
Opcode Fuzzy Hash: 9945b5534266e125e8cce5f4079d33cf116850579b4e5f3f23481d10d87ae52a
Instruction Fuzzy Hash: DD010874A45218CFDB54CF29C948BA8B7F1FF89301F1084DAD149AB261CB359E85CF40

Function 02A942E9 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2127300694.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2a90000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcb3c84557fe47db91f395879e0734c69d99caaba540d9e96bfeca20fa116628
Instruction ID: 06ebc8ef378f680b113409e27506f73c90f77d0adcd16615f8ef0ff775d9adfc
Opcode Fuzzy Hash: dcb3c84557fe47db91f395879e0734c69d99caaba540d9e96bfeca20fa116628
Instruction Fuzzy Hash: 5501C970A05614DFEF54CB6AC945B68B7F1EF49304F05C4E6D009AB2A2DB369D86CF01

Function 02A94D4D Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2127300694.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2a90000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b856495b7c0a971105c7b449a61fdf5e38030c3f111d59894006d7debee0466d
Instruction ID: 5d1803fc8a7597d6173bf00170afffcf9956efeb63fbba16f5cc2a1df270d91e
Opcode Fuzzy Hash: b856495b7c0a971105c7b449a61fdf5e38030c3f111d59894006d7debee0466d
Instruction Fuzzy Hash: D80146B4A08209CFCB14CF68D8805A8FBB1FB88214F108AE6D91997281DB309924CF10

Function 02A93337 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2127300694.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2a90000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32044f512d287b64b4ba2bafb349e62eb212f2b9634067b280c2c20c6a7ffac7
Instruction ID: a4f35da4019a8f4dbc1dd1a4eec644ca7c4e85d1b9bb9ea2c5228a3e9484a06e
Opcode Fuzzy Hash: 32044f512d287b64b4ba2bafb349e62eb212f2b9634067b280c2c20c6a7ffac7
Instruction Fuzzy Hash: 99F0E575A48258CFCF04CFA5D9844ACB7F1FB403257100AD5D0269B295CF72D815CF01

Function 02A908A0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2127300694.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2a90000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e401741a6e30f30dad595bd58bb8140a0dd19988ebeaa6db492b455be0d98c70
Instruction ID: ba7a10337fd24b198e13acced1477f6137a7482106044621731fd322e051fdd2
Opcode Fuzzy Hash: e401741a6e30f30dad595bd58bb8140a0dd19988ebeaa6db492b455be0d98c70
Instruction Fuzzy Hash: EBE06D725082409EC749AB21D0966F67FB99B8A314F1584AED0964AA02DB31945FEA40

Function 08B90780 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2128483833.0000000008B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8b90000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2389a54d653a368dd21b812da1b169e9c576f4b2220d1c523dc81a454d6b0f74
Instruction ID: 65ebeaec1386200cd21f4742888619bc360fc4c4cd3f9b2ac0dbf4639afc103c
Opcode Fuzzy Hash: 2389a54d653a368dd21b812da1b169e9c576f4b2220d1c523dc81a454d6b0f74
Instruction Fuzzy Hash: 56E030B0D0071A9FDB50EF6E8845B6BBFF4AF48610F108879D459E3200E77485018B90

Function 02A909A0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2127300694.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2a90000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b0a739ac89aeed43cf3589dc4fa55a1dc1f89cb28d279128b722efbe60dea04
Instruction ID: 42aae3c65d26080e65882cb599fcf6916e8793c94cb30f53325675f0e566c225
Opcode Fuzzy Hash: 3b0a739ac89aeed43cf3589dc4fa55a1dc1f89cb28d279128b722efbe60dea04
Instruction Fuzzy Hash: 3EE0E67194810DFF9B00EFA6D60056D7BFAEFD5344B10459AD406E7240DE716E109B56

Function 08B90830 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2128483833.0000000008B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8b90000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02f6b6c74f3eb711dd9e84876fd20317475faaa768c7a22d9fd646f91373869f
Instruction ID: 75e47c3bdc135fb63593dd8350c9e52007d0810599da7983dfddb0ab22dab857
Opcode Fuzzy Hash: 02f6b6c74f3eb711dd9e84876fd20317475faaa768c7a22d9fd646f91373869f
Instruction Fuzzy Hash: 38D02E32B08A10938A28210AA0446BFB6EEDBC4B6330200BEE08EC3200EE31480382D0

Function 02A93F67 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2127300694.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2a90000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 315c424f63a00671fad437f61412ddde9198e55f3b075296882cc458543632c4
Instruction ID: 8ba3dc0a9824b6fb90423325f6776ddcf20f3178932a441c94f8f8362e6124ff
Opcode Fuzzy Hash: 315c424f63a00671fad437f61412ddde9198e55f3b075296882cc458543632c4
Instruction Fuzzy Hash: 3AE0C234A0A620CFEF419F69D54DB64BAF0FB05309F4488E6C046E7154CB7AC942CF41

Function 02A95C90 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2127300694.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2a90000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe0960c1498ed968f757ef2faec3624e4eb7a36533c894aedd2c304c8cfd291e
Instruction ID: a0277f9a90f522927f1fc309131a386b4b0f4e3057d00264ed3675b826acf3c4
Opcode Fuzzy Hash: fe0960c1498ed968f757ef2faec3624e4eb7a36533c894aedd2c304c8cfd291e
Instruction Fuzzy Hash: 86E00234E46215CFDB54DF68C998AA8BBF1BF88201F1584D5E91AA7361DB309D40CF10

Function 02A95D1A Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2127300694.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2a90000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89583b4f46801d4ddafa33627e190ce1bfd1f3c37518d69cbfd9f854cdfcbc21
Instruction ID: 281b1a73c20103dc3d2c533203134925c455419be54c4bbbfe27b946f125e3d3
Opcode Fuzzy Hash: 89583b4f46801d4ddafa33627e190ce1bfd1f3c37518d69cbfd9f854cdfcbc21
Instruction Fuzzy Hash: 48D0C934E07211CFDB00CB25C94A9697BF0AF88241F5544E8A80AA7231DA30DC40CE50

Function 02A92F10 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2127300694.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2a90000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80ffbfd49b0cd0ac7ba635233c1f7229d12daab68d83d428791edf866e46c1ad
Instruction ID: ac94215c7fab5b3641a118aa841103caebf7a1b5ae64f9a12e53dc267e4765d1
Opcode Fuzzy Hash: 80ffbfd49b0cd0ac7ba635233c1f7229d12daab68d83d428791edf866e46c1ad
Instruction Fuzzy Hash: B1D0221080E2C24EC7060778404A9C13FA46F0F03071D56DCC0D20F883D601C4AB8A02

Function 02A9EA10 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2127300694.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2a90000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ab4bbdd17a120ddc1ef3c4cf224515beb75f8373d4b4482147fda78e6e90976
Instruction ID: 20159973dc6c4478fa717a34ac84a2881d4813b9dc5cbab7339b5de6a68ee492
Opcode Fuzzy Hash: 8ab4bbdd17a120ddc1ef3c4cf224515beb75f8373d4b4482147fda78e6e90976
Instruction Fuzzy Hash: 0DB01231250208CFC300DB6CE444C0033FCAF4DA1431000D0F10C8B331C721FC008A40

Function 02A9E7A0 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2127300694.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2a90000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba36aef03bc27f84ab667d144efac4fccdcd93af6e34ac239b6cc8976010b3de
Instruction ID: a086de6630c9c25d0d1ef151d61145ab0e9105ca671659dc64f504c3d7f1862d
Opcode Fuzzy Hash: ba36aef03bc27f84ab667d144efac4fccdcd93af6e34ac239b6cc8976010b3de
Instruction Fuzzy Hash: DBB092301402088FC300DA58D445C5077A8AB08A0430500D0E2088B232D622F8008A40

Function 02A92F33 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2127300694.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2a90000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c6a7776ecdc66ff2badcffdaf35b8b1322b3b9dcc2f8f5c8c2b1fa1d7393b36
Instruction ID: 66b4ff20401152a37dd7cd20f697c78aad120993c9283fcd37d3bc67bd9b1e54
Opcode Fuzzy Hash: 3c6a7776ecdc66ff2badcffdaf35b8b1322b3b9dcc2f8f5c8c2b1fa1d7393b36
Instruction Fuzzy Hash: 3BB09270409900CACB08AF12D0481A8F7E2EAC8222B248829D08641054EB300460DA41

Function 02A90890 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2127300694.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2a90000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a39d4b6164bdeaee762f78de648d5851e979775bacb75db9e9692325c888bdfd
Instruction ID: b590cc7d45d66e6b43dcf05e006479d0ecdc2c3f807ad64c74c763b16a717708
Opcode Fuzzy Hash: a39d4b6164bdeaee762f78de648d5851e979775bacb75db9e9692325c888bdfd
Instruction Fuzzy Hash: 6490223208C20C8B0200238030080A0330C80800223C00000A00C020000E80302000C0

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SharkHCShark.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SharkHCShark.exe.log

C:\Users\user\AppData\Roaming\d3d9x.dll

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

DNS Answers

Statistics

CPU Usage

Windows Analysis Report
SharkHCShark.exe

Function 6D3F7FD0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 201
COMMON

Function 6D3FAF08 Relevance: 235.4, APIs: 1, Strings: 131, Instructions: 4380
memoryCOMMON

Function 02A92069 Relevance: .5, Instructions: 470
COMMON

Function 02A91878 Relevance: 1.8, Strings: 1, Instructions: 529
COMMON

Function 02BBA188 Relevance: 1.7, APIs: 1, Instructions: 196
COMMON

Function 02BB3690 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 02BB4F34 Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Function 02BBC729 Relevance: 1.6, APIs: 1, Instructions: 82
COMMON

Function 02BBC660 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Function 02BBC668 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Function 02BB9E70 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON