Source: file.exe |
Virustotal: Detection: 8% |
Source: Submitted Sample |
Integrated Neural Analysis Model: Matched 99.8% probability |
Source: C:\Users\user\Desktop\file.exe |
Unpacked PE file: 0.2.file.exe.3820000.2.unpack |
Source: unknown |
HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49715 version: TLS 1.2 |
Source: |
Binary string: ntdll.pdb source: file.exe, 00000000.00000002.2348716551.000000000462A000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: ntdll.pdbUGP source: file.exe, 00000000.00000002.2348716551.000000000462A000.00000004.00000020.00020000.00000000.sdmp |
Source: Joe Sandbox View |
IP Address: 188.114.96.3 |
Source: Joe Sandbox View |
JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1 |
Source: global traffic |
HTTP traffic detected: POST /shopexd.asp?bz6lc4t394br=eFhwIFemrMF%2FVQdnWgR2UbCKGWfZtBWZRJvXMMLoeVpaAXHaE0GBuUMO5s2rsXKU HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Content-Length: 96
Host: jirafasaltas.fun |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: global traffic |
DNS traffic detected: DNS query: jirafasaltas.fun |
Source: unknown |
HTTP traffic detected: POST /shopexd.asp?bz6lc4t394br=eFhwIFemrMF%2FVQdnWgR2UbCKGWfZtBWZRJvXMMLoeVpaAXHaE0GBuUMO5s2rsXKU HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Content-Length: 96
Host: jirafasaltas.fun |
Source: file.exe, 00000000.00000003.2329160540.0000000000D03000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2342581353.0000000000D12000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://jirafasaltas.fun/: |
Source: file.exe, 00000000.00000002.2343551941.0000000002AD7000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.2328751588.0000000000D24000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2342581353.0000000000D24000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2343551941.0000000002AE3000.00000004.00001000.00020000.00000000.sdmp |
String found in binary or memory: https://jirafasaltas.fun/shopexd.asp?bz6lc4t394br=eFhwIFemrMF%2FVQdnWgR2UbCKGWfZtBWZRJvXMMLoeVpaAXHa |
Source: file.exe, 00000000.00000002.2342409553.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://jirafasaltas.fun:443/shopexd.asp?bz6lc4t394br=eFhwIFemrMF%2FVQdnWgR2UbCKGWfZtBWZRJvXMMLoeVpa |
Source: unknown |
Network traffic detected: HTTP traffic on port 49715 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49715 |
Source: unknown |
HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49715 version: TLS 1.2 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_033F1135 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_033F517A |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_033F776A |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_033F5766 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_033F4FDF |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_033F1E12 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_033F1CB0 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_0340448A |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_033F20EA |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_0348C6AA |
Source: file.exe |
Static PE information: Number of sections : 11 > 10 |
Source: file.exe, 00000000.00000000.2149262379.00000000009E3000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: OriginalFilename1StepDVDCopy.exeB vs file.exe |
Source: file.exe, 00000000.00000002.2348716551.00000000047A2000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenamentdll.dllj% vs file.exe |
Source: file.exe, 00000000.00000002.2343092662.00000000028A5000.00000004.00001000.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameCOMCTL32.DLL.MUIj% vs file.exe |
Source: file.exe |
Binary or memory string: OriginalFilename1StepDVDCopy.exeB vs file.exe |
Source: classification engine |
Classification label: mal60.evad.winEXE@1/0@1/1 |
Source: file.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\file.exe |
Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales |
Source: C:\Users\user\Desktop\file.exe |
Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: file.exe |
Virustotal: Detection: 8% |
Source: file.exe |
String found in binary or memory: NATS-SEFI-ADD |
Source: file.exe |
String found in binary or memory: NATS-DANO-ADD |
Source: file.exe |
String found in binary or memory: JIS_C6229-1984-b-add |
Source: file.exe |
String found in binary or memory: jp-ocr-b-add |
Source: file.exe |
String found in binary or memory: JIS_C6229-1984-hand-add |
Source: file.exe |
String found in binary or memory: jp-ocr-hand-add |
Source: file.exe |
String found in binary or memory: ISO_6937-2-add |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: apphelp.dll |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: version.dll |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: uxtheme.dll |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: wtsapi32.dll |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: winsta.dll |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: cryptsp.dll |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: winhttp.dll |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: windows.storage.dll |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: wldp.dll |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: profapi.dll |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: ondemandconnroutehelper.dll |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: mswsock.dll |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: iphlpapi.dll |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: winnsi.dll |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: dhcpcsvc6.dll |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: dhcpcsvc.dll |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: webio.dll |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: sspicli.dll |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: dnsapi.dll |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: rasadhlp.dll |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: fwpuclnt.dll |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: schannel.dll |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: mskeyprotect.dll |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: ntasn1.dll |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: ncrypt.dll |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: ncryptsslp.dll |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: msasn1.dll |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: rsaenh.dll |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: cryptbase.dll |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: gpapi.dll |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: dpapi.dll |
Source: file.exe |
Static PE information: Virtual size of .text is bigger than: 0x100000 |
Source: file.exe |
Static file information: File size 8751104 > 1048576 |
Source: file.exe |
Static PE information: Raw size of .text is bigger than: 0x100000 < 0x4c4000 |
Source: file.exe |
Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x2a0400 |
Source: |
Binary string: ntdll.pdb source: file.exe, 00000000.00000002.2348716551.000000000462A000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: ntdll.pdbUGP source: file.exe, 00000000.00000002.2348716551.000000000462A000.00000004.00000020.00020000.00000000.sdmp |
Source: C:\Users\user\Desktop\file.exe |
Unpacked PE file: 0.2.file.exe.3820000.2.unpack |
Source: file.exe |
Static PE information: section name: .didata |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_033F4DC8 push esp; retf |
0_2_033F4DC9 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_033F6640 push eax; ret |
0_2_033F6649 |
Source: C:\Users\user\Desktop\file.exe |
Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\file.exe TID: 64 |
Thread sleep time: -40880s >= -30000s |
Source: C:\Users\user\Desktop\file.exe TID: 2548 |
Thread sleep time: -30000s >= -30000s |
Source: C:\Users\user\Desktop\file.exe |
Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809 |
Source: C:\Users\user\Desktop\file.exe |
Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809 |
Source: file.exe, 00000000.00000003.2328751588.0000000000D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2342581353.0000000000D44000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2342409553.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW |
Source: C:\Users\user\Desktop\file.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate |
Source: C:\Users\user\Desktop\file.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |