Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1500933
MD5:	b7a66864aedc3fa7a4686498eaf2b251
SHA1:	045154b73c8c25e29c5db10d297d44e5371af940
SHA256:	d51fbbda89b717b798dc784dbe3eb4aa151e9ef095c054e19368698fe923317e
Tags:	exe
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (creates a PE file in dynamic memory)

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Detected potential crypto function

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries keyboard layouts

Queries the installation date of Windows

Sample file is different than original file name gathered from version info

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 6728 cmdline: "C:\Users\user\Desktop\file.exe" MD5: B7A66864AEDC3FA7A4686498EAF2B251)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: file.exe

Virustotal: Detection: 8%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Compliance

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.3820000.2.unpack

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49715 version: TLS 1.2

Source:	Binary string: ntdll.pdb source: file.exe, 00000000.00000002.2348716551.000000000462A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: file.exe, 00000000.00000002.2348716551.000000000462A000.00000004.00000020.00020000.00000000.sdmp

Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: global traffic

HTTP traffic detected: POST /shopexd.asp?bz6lc4t394br=eFhwIFemrMF%2FVQdnWgR2UbCKGWfZtBWZRJvXMMLoeVpaAXHaE0GBuUMO5s2rsXKU HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Content-Length: 96Host: jirafasaltas.fun

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: jirafasaltas.fun

Source: unknown

Source: file.exe, 00000000.00000003.2329160540.0000000000D03000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2342581353.0000000000D12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jirafasaltas.fun/:
Source: file.exe, 00000000.00000002.2343551941.0000000002AD7000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.2328751588.0000000000D24000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2342581353.0000000000D24000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2343551941.0000000002AE3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://jirafasaltas.fun/shopexd.asp?bz6lc4t394br=eFhwIFemrMF%2FVQdnWgR2UbCKGWfZtBWZRJvXMMLoeVpaAXHa
Source: file.exe, 00000000.00000002.2342409553.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jirafasaltas.fun:443/shopexd.asp?bz6lc4t394br=eFhwIFemrMF%2FVQdnWgR2UbCKGWfZtBWZRJvXMMLoeVpa

Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49715 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_033F1135	0_2_033F1135
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_033F517A	0_2_033F517A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_033F776A	0_2_033F776A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_033F5766	0_2_033F5766
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_033F4FDF	0_2_033F4FDF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_033F1E12	0_2_033F1E12
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_033F1CB0	0_2_033F1CB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0340448A	0_2_0340448A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_033F20EA	0_2_033F20EA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0348C6AA	0_2_0348C6AA

Source: file.exe

Static PE information: Number of sections : 11 > 10

Source: file.exe, 00000000.00000000.2149262379.00000000009E3000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename1StepDVDCopy.exeB vs file.exe
Source: file.exe, 00000000.00000002.2348716551.00000000047A2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs file.exe
Source: file.exe, 00000000.00000002.2343092662.00000000028A5000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCOMCTL32.DLL.MUIj% vs file.exe
Source: file.exe	Binary or memory string: OriginalFilename1StepDVDCopy.exeB vs file.exe

Source: classification engine

Classification label: mal60.evad.winEXE@1/0@1/1

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

Virustotal: Detection: 8%

Source: file.exe	String found in binary or memory: NATS-SEFI-ADD
Source: file.exe	String found in binary or memory: NATS-DANO-ADD
Source: file.exe	String found in binary or memory: JIS_C6229-1984-b-add
Source: file.exe	String found in binary or memory: jp-ocr-b-add
Source: file.exe	String found in binary or memory: JIS_C6229-1984-hand-add
Source: file.exe	String found in binary or memory: jp-ocr-hand-add
Source: file.exe	String found in binary or memory: ISO_6937-2-add

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dpapi.dll	Jump to behavior

Source: file.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: file.exe

Static file information: File size 8751104 > 1048576

Source: file.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x4c4000
Source: file.exe	Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x2a0400

Source:	Binary string: ntdll.pdb source: file.exe, 00000000.00000002.2348716551.000000000462A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: file.exe, 00000000.00000002.2348716551.000000000462A000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.3820000.2.unpack

Source: file.exe

Static PE information: section name: .didata

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_033F4DC8 push esp; retf		0_2_033F4DC9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_033F6640 push eax; ret		0_2_033F6649

Source: C:\Users\user\Desktop\file.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX			Jump to behavior

Source: C:\Users\user\Desktop\file.exe TID: 64	Thread sleep time: -40880s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 2548	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809			Jump to behavior

Source: file.exe, 00000000.00000003.2328751588.0000000000D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2342581353.0000000000D44000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2342409553.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Software Packing	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	22 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	13 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	8%	ReversingLabs	Win64.Dropper.Generic
file.exe	8%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
jirafasaltas.fun	3%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://jirafasaltas.fun:443/shopexd.asp?bz6lc4t394br=eFhwIFemrMF%2FVQdnWgR2UbCKGWfZtBWZRJvXMMLoeVpa	0%	Avira URL Cloud	safe
https://jirafasaltas.fun/:	0%	Avira URL Cloud	safe
https://jirafasaltas.fun/shopexd.asp?bz6lc4t394br=eFhwIFemrMF%2FVQdnWgR2UbCKGWfZtBWZRJvXMMLoeVpaAXHaE0GBuUMO5s2rsXKU	0%	Avira URL Cloud	safe
https://jirafasaltas.fun/shopexd.asp?bz6lc4t394br=eFhwIFemrMF%2FVQdnWgR2UbCKGWfZtBWZRJvXMMLoeVpaAXHa	0%	Avira URL Cloud	safe
https://jirafasaltas.fun:443/shopexd.asp?bz6lc4t394br=eFhwIFemrMF%2FVQdnWgR2UbCKGWfZtBWZRJvXMMLoeVpa	1%	Virustotal		Browse
https://jirafasaltas.fun/shopexd.asp?bz6lc4t394br=eFhwIFemrMF%2FVQdnWgR2UbCKGWfZtBWZRJvXMMLoeVpaAXHaE0GBuUMO5s2rsXKU	0%	Virustotal		Browse
https://jirafasaltas.fun/shopexd.asp?bz6lc4t394br=eFhwIFemrMF%2FVQdnWgR2UbCKGWfZtBWZRJvXMMLoeVpaAXHa	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
jirafasaltas.fun	188.114.96.3	true	false	3%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://jirafasaltas.fun/shopexd.asp?bz6lc4t394br=eFhwIFemrMF%2FVQdnWgR2UbCKGWfZtBWZRJvXMMLoeVpaAXHaE0GBuUMO5s2rsXKU	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://jirafasaltas.fun/shopexd.asp?bz6lc4t394br=eFhwIFemrMF%2FVQdnWgR2UbCKGWfZtBWZRJvXMMLoeVpaAXHa	file.exe, 00000000.00000002.2343551941.0000000002AD7000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.2328751588.0000000000D24000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2342581353.0000000000D24000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2343551941.0000000002AE3000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://jirafasaltas.fun:443/shopexd.asp?bz6lc4t394br=eFhwIFemrMF%2FVQdnWgR2UbCKGWfZtBWZRJvXMMLoeVpa	file.exe, 00000000.00000002.2342409553.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://jirafasaltas.fun/:	file.exe, 00000000.00000003.2329160540.0000000000D03000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2342581353.0000000000D12000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.96.3	jirafasaltas.fun	European Union		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1500933
Start date and time:	2024-08-29 06:23:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 54s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal60.evad.winEXE@1/0@1/1
EGA Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target file.exe, PID 6728 because there are no executed function
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
00:24:18	API Interceptor	11x Sleep call for process: file.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.96.3	PO_GM_list_28082024202003180817418280824_purchase_doc_00000(991KB).bat	Get hash	malicious	FormBook, GuLoader, Remcos	Browse	www.katasoo.com/7qad/
	709876765465.exe	Get hash	malicious	DBatLoader, FormBook	Browse	www.coinwab.com/kqqj/
	http://allegro-8888.com/	Get hash	malicious	Unknown	Browse	allegro-8888.com/xml/index.html
	PO_112234525626823775.js	Get hash	malicious	Lokibot	Browse	werdotx.shop/Devil/PWS/fre.php
	nOyswc9ly2.dll	Get hash	malicious	Unknown	Browse	web.ad87h92j.com/4/t.bmp
	pXm5oVO3Go.exe	Get hash	malicious	Nitol	Browse	web.ad87h92j.com/4/t.bmp
	QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/0U9QqTZ6/download
	FedEx Shipping Document.scr.exe	Get hash	malicious	Azorult	Browse	l0h5.shop/CM341/index.php
	Quote 1T PN40 082624.exe	Get hash	malicious	FormBook	Browse	www.lampgm.pro/em9t/
	weave.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	671893cm.n9shka.top/eternalpipeLowProcessDbDatalifewpPublicCdn.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
jirafasaltas.fun	file.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	file.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	PQ2AUndsdb.exe	Get hash	malicious	Amadey, AsyncRAT, Cryptbot, PureLog Stealer, RedLine, SmokeLoader, Stealc	Browse	188.114.97.3
	SecuriteInfo.com.Win64.DropperX-gen.21682.4890.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	SecuriteInfo.com.Win64.CrypterX-gen.4166.17445.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	SecuriteInfo.com.Win64.DropperX-gen.4383.5748.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	SecuriteInfo.com.Win64.CrypterX-gen.4166.17445.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	SecuriteInfo.com.Win64.MalwareX-gen.19968.21519.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	SecuriteInfo.com.Win64.MalwareX-gen.19968.21519.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, PureLog Stealer, RedLine, SmokeLoader, Stealc	Browse	188.114.97.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	SecuriteInfo.com.BackDoor.SpyBotNET.62.13095.12836.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	Payment Advice.exe	Get hash	malicious	FormBook	Browse	172.67.210.102
	SecuriteInfo.com.W32.MSIL_Kryptik.KTU.gen.Eldorado.3036.13101.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	Spec sheet.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	vYhaKbJF08.exe	Get hash	malicious	LummaC	Browse	104.21.16.74
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	172.67.146.35
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	vYhaKbJF08.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	188.114.96.3
	PDF To Excel Converter.exe	Get hash	malicious	LummaC, MicroClip	Browse	188.114.96.3
	z1209627360293827.exe	Get hash	malicious	DBatLoader, FormBook	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	188.114.96.3
	August Shipment - Inv No. 041.xls	Get hash	malicious	Unknown	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	188.114.96.3
	Setup.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	Setup.exe	Get hash	malicious	LummaC	Browse	188.114.96.3

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.574678275475394
TrID:	Win64 Executable GUI (202006/5) 92.64% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% VXD Driver (31/22) 0.01%
File name:	file.exe
File size:	8'751'104 bytes
MD5:	b7a66864aedc3fa7a4686498eaf2b251
SHA1:	045154b73c8c25e29c5db10d297d44e5371af940
SHA256:	d51fbbda89b717b798dc784dbe3eb4aa151e9ef095c054e19368698fe923317e
SHA512:	f1ffab89f395247c69121fe3a700798c8cd5a9af94f33674995642471160f428c2931fa86c6686558ba75e0d6a20131854b987790160cae19a533a7f40862957
SSDEEP:	98304:qAlUumHHsfNHU/J1vD3NSPUv3KWQSy+Bk:Dquh+RlfKkhBk
TLSH:	EB968DFB22E6462DC12D923BC093CF01C437B9794737C6D702915A38DA6AAC15E7EA35
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win64..$7.......................................................................................................................................

File Icon


Icon Hash:	0f71e969e9f96117

Static PE Info

General

Entrypoint:	0x8c4e30
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:
Time Stamp:	0x66CF1D1A [Wed Aug 28 12:50:34 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	937ab3e955faac33827861f288cec9e5

Entrypoint Preview

Instruction
push ebp
dec eax
sub esp, 20h
dec eax
mov ebp, esp
nop
dec eax
lea ecx, dword ptr [FFFEE388h]
call 00007FCE84AC5540h
dec eax
mov eax, dword ptr [00063B94h]
dec eax
mov ecx, dword ptr [eax]
call 00007FCE84D5FBF1h
dec eax
mov eax, dword ptr [00063B85h]
dec eax
mov ecx, dword ptr [eax]
mov dl, 01h
call 00007FCE84D628A0h
dec eax
mov eax, dword ptr [00063B74h]
dec eax
mov ecx, dword ptr [eax]
dec eax
mov edx, dword ptr [FFFEDCDAh]
dec esp
mov eax, dword ptr [0006387Bh]
call 00007FCE84D5FBF3h
dec eax
mov eax, dword ptr [00063B57h]
dec eax
mov ecx, dword ptr [eax]
call 00007FCE84D5FE04h
call 00007FCE84ABD49Fh
jmp 00007FCE84F72D4Ah
nop
nop
call 00007FCE84ABD696h
nop
dec eax
lea esp, dword ptr [ebp+20h]
pop ebp
ret
dec eax
nop
dec eax
lea eax, dword ptr [00000000h+eax]
dec eax
sub esp, 28h
call 00007FCE84ABCC2Ch
dec eax
add esp, 28h
ret
int3
int3
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x544000	0x9c	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x536000	0x4c44	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5ca000	0x2a0400	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x588000	0x410dc	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x547000	0x4083c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x546000	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x537398	0x1208	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x53b000	0x8d6a	.didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4c3ec0	0x4c4000	eb6f3eec577ce0124d0cb6c66b3e6b81	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x4c5000	0x642c8	0x64400	487de922e1e42c249aa1bbd78953f0b0	False	0.2396377221009975	data	4.708144578377961	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0x52a000	0xb75c	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x536000	0x4c44	0x4e00	29fbdd4e74c9683ef29e7a67a8b2df87	False	0.23913261217948717	data	4.289813206389611	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata	0x53b000	0x8d6a	0x8e00	2845d3f12a4110b85b14963d477f5351	False	0.17058208626760563	data	3.981325083586943	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0x544000	0x9c	0x200	7fa7ebcc509ab4bfbae6047d77b9249e	False	0.26171875	data	1.8963699670102752	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0x545000	0x1e4	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x546000	0x6d	0x200	13c41f6a7226e3b091416c6c3aca58ee	False	0.1953125	data	1.3902637598484393	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x547000	0x4083c	0x40a00	dbf93e541c6d8fdf42f95373c32760e7	False	0.4654481987427466	data	6.447929463732892	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.pdata	0x588000	0x410dc	0x41200	d26c09bdff615edc673d4a34c3090b93	False	0.49405065379078694	data	6.382261050809335	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x5ca000	0x2a0400	0x2a0400	8b007c0da5ccf8180a13a8503df917ec	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x5cbd0c	0x134	data	English	United States	0.38636363636363635
RT_CURSOR	0x5cbe40	0x134	data	English	United States	0.4642857142857143
RT_CURSOR	0x5cbf74	0x134	data	English	United States	0.4805194805194805
RT_CURSOR	0x5cc0a8	0x134	data	English	United States	0.38311688311688313
RT_CURSOR	0x5cc1dc	0x134	data	English	United States	0.36038961038961037
RT_CURSOR	0x5cc310	0x134	data	English	United States	0.4090909090909091
RT_CURSOR	0x5cc444	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	English	United States	0.4967532467532468
RT_CURSOR	0x5cc578	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"	English	United States	0.38636363636363635
RT_BITMAP	0x5cc6ac	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.43103448275862066
RT_BITMAP	0x5cc87c	0x1e4	Device independent bitmap graphic, 36 x 19 x 4, image size 380	English	United States	0.46487603305785125
RT_BITMAP	0x5cca60	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.43103448275862066
RT_BITMAP	0x5ccc30	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39870689655172414
RT_BITMAP	0x5cce00	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.4245689655172414
RT_BITMAP	0x5ccfd0	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5021551724137931
RT_BITMAP	0x5cd1a0	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5064655172413793
RT_BITMAP	0x5cd370	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39655172413793105
RT_BITMAP	0x5cd540	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5344827586206896
RT_BITMAP	0x5cd710	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39655172413793105
RT_BITMAP	0x5cd8e0	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States	0.5208333333333334
RT_BITMAP	0x5cd9a0	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.42857142857142855
RT_BITMAP	0x5cda80	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.4955357142857143
RT_BITMAP	0x5cdb60	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.38392857142857145
RT_BITMAP	0x5cdc40	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States	0.4947916666666667
RT_BITMAP	0x5cdd00	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States	0.484375
RT_BITMAP	0x5cddc0	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.42410714285714285
RT_BITMAP	0x5cdea0	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States	0.5104166666666666
RT_BITMAP	0x5cdf60	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.5
RT_BITMAP	0x5ce040	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128	English	United States	0.4870689655172414
RT_BITMAP	0x5ce128	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States	0.4895833333333333
RT_BITMAP	0x5ce1e8	0x188	Device independent bitmap graphic, 24 x 24 x 4, image size 288	English	United States	0.34438775510204084
RT_BITMAP	0x5ce370	0x188	Device independent bitmap graphic, 24 x 24 x 4, image size 288, 16 important colors	English	United States	0.45918367346938777
RT_BITMAP	0x5ce4f8	0x188	Device independent bitmap graphic, 24 x 24 x 4, image size 288, 16 important colors	English	United States	0.30357142857142855
RT_BITMAP	0x5ce680	0x188	Device independent bitmap graphic, 24 x 24 x 4, image size 288, 16 important colors	English	United States	0.3392857142857143
RT_BITMAP	0x5ce808	0x668	Device independent bitmap graphic, 24 x 24 x 8, image size 576, 256 important colors	English	United States	0.3829268292682927
RT_BITMAP	0x5cee70	0x668	Device independent bitmap graphic, 24 x 24 x 8, image size 576, 256 important colors	English	United States	0.39146341463414636
RT_BITMAP	0x5cf4d8	0x668	Device independent bitmap graphic, 24 x 24 x 8, image size 576, 256 important colors	English	United States	0.3853658536585366
RT_BITMAP	0x5cfb40	0x188	Device independent bitmap graphic, 24 x 24 x 4, image size 288, 16 important colors	English	United States	0.42857142857142855
RT_BITMAP	0x5cfcc8	0x668	Device independent bitmap graphic, 24 x 24 x 8, image size 576, 256 important colors	English	United States	0.39207317073170733
RT_BITMAP	0x5d0330	0x110	Device independent bitmap graphic, 24 x 14 x 4, image size 168	English	United States	0.40808823529411764
RT_BITMAP	0x5d0440	0x110	Device independent bitmap graphic, 24 x 14 x 4, image size 168	English	United States	0.4117647058823529
RT_BITMAP	0x5d0550	0x70	Device independent bitmap graphic, 16 x 16 x 1, image size 64	English	United States	0.3125
RT_BITMAP	0x5d05c0	0x70	Device independent bitmap graphic, 16 x 16 x 1, image size 64	English	United States	0.41964285714285715
RT_BITMAP	0x5d0630	0x70	Device independent bitmap graphic, 16 x 16 x 1, image size 64	English	United States	0.3482142857142857
RT_BITMAP	0x5d06a0	0x70	Device independent bitmap graphic, 16 x 16 x 1, image size 64	English	United States	0.38392857142857145
RT_BITMAP	0x5d0710	0x70	Device independent bitmap graphic, 16 x 16 x 1, image size 64	English	United States	0.3392857142857143
RT_BITMAP	0x5d0780	0x70	Device independent bitmap graphic, 16 x 16 x 1, image size 64	English	United States	0.32142857142857145
RT_BITMAP	0x5d07f0	0x70	Device independent bitmap graphic, 16 x 16 x 1, image size 64	English	United States	0.36607142857142855
RT_BITMAP	0x5d0860	0x70	Device independent bitmap graphic, 16 x 16 x 1, image size 64	English	United States	0.33035714285714285
RT_BITMAP	0x5d08d0	0x70	Device independent bitmap graphic, 16 x 16 x 1, image size 64	English	United States	0.41964285714285715
RT_BITMAP	0x5d0940	0x70	Device independent bitmap graphic, 16 x 16 x 1, image size 64	English	United States	0.30357142857142855
RT_BITMAP	0x5d09b0	0x70	Device independent bitmap graphic, 16 x 16 x 1, image size 64	English	United States	0.33035714285714285
RT_BITMAP	0x5d0a20	0x70	Device independent bitmap graphic, 16 x 16 x 1, image size 64	English	United States	0.41964285714285715
RT_BITMAP	0x5d0a90	0x188	Device independent bitmap graphic, 24 x 24 x 4, image size 288, 16 important colors	English	United States	0.4107142857142857
RT_BITMAP	0x5d0c18	0x188	Device independent bitmap graphic, 24 x 24 x 4, image size 288, 16 important colors	English	United States	0.3239795918367347
RT_BITMAP	0x5d0da0	0x188	Device independent bitmap graphic, 24 x 24 x 4, image size 288	English	United States	0.31887755102040816
RT_BITMAP	0x5d0f28	0x188	Device independent bitmap graphic, 24 x 24 x 4, image size 288, 16 important colors	English	United States	0.30612244897959184
RT_BITMAP	0x5d10b0	0x188	Device independent bitmap graphic, 24 x 24 x 4, image size 288	English	United States	0.32142857142857145
RT_BITMAP	0x5d1238	0x668	Device independent bitmap graphic, 24 x 24 x 8, image size 576, 256 important colors	English	United States	0.35548780487804876
RT_BITMAP	0x5d18a0	0x188	Device independent bitmap graphic, 24 x 24 x 4, image size 288, 16 important colors	English	United States	0.375
RT_BITMAP	0x5d1a28	0x668	Device independent bitmap graphic, 24 x 24 x 8, image size 576	English	United States	0.44939024390243903
RT_BITMAP	0x5d2090	0x188	Device independent bitmap graphic, 24 x 24 x 4, image size 288, 16 important colors	English	United States	0.3826530612244898
RT_BITMAP	0x5d2218	0x668	Device independent bitmap graphic, 24 x 24 x 8, image size 576, 256 important colors	English	United States	0.3853658536585366
RT_BITMAP	0x5d2880	0x668	Device independent bitmap graphic, 24 x 24 x 8, image size 576, 256 important colors	English	United States	0.43902439024390244
RT_BITMAP	0x5d2ee8	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.3794642857142857
RT_ICON	0x5d2fc8	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2953 x 2953 px/m			0.059328049213297054
RT_DIALOG	0x5e37f0	0x52	data			0.7682926829268293
RT_DIALOG	0x5e3844	0x52	data			0.7560975609756098
RT_STRING	0x5e3898	0x410	data			0.4028846153846154
RT_STRING	0x5e3ca8	0x3d8	data			0.4095528455284553
RT_STRING	0x5e4080	0x3a0	data			0.4040948275862069
RT_STRING	0x5e4420	0x40c	data			0.4015444015444015
RT_STRING	0x5e482c	0x3f8	data			0.42322834645669294
RT_STRING	0x5e4c24	0x374	data			0.39819004524886875
RT_STRING	0x5e4f98	0x378	data			0.33783783783783783
RT_STRING	0x5e5310	0x2e0	data			0.4470108695652174
RT_STRING	0x5e55f0	0x468	data			0.3554964539007092
RT_STRING	0x5e5a58	0x2d0	data			0.3888888888888889
RT_STRING	0x5e5d28	0x364	data			0.43663594470046085
RT_STRING	0x5e608c	0x1ac	data			0.5186915887850467
RT_STRING	0x5e6238	0xcc	data			0.6666666666666666
RT_STRING	0x5e6304	0x114	data			0.6086956521739131
RT_STRING	0x5e6418	0x2b4	data			0.4638728323699422
RT_STRING	0x5e66cc	0x408	data			0.3817829457364341
RT_STRING	0x5e6ad4	0x374	data			0.39705882352941174
RT_STRING	0x5e6e48	0x4b4	data			0.31727574750830567
RT_STRING	0x5e72fc	0x308	data			0.38788659793814434
RT_STRING	0x5e7604	0x3bc	data			0.4006276150627615
RT_STRING	0x5e79c0	0x4fc	data			0.3785266457680251
RT_STRING	0x5e7ebc	0x454	data			0.3303249097472924
RT_STRING	0x5e8310	0x380	data			0.36049107142857145
RT_STRING	0x5e8690	0x450	data			0.3903985507246377
RT_STRING	0x5e8ae0	0x17c	data			0.4631578947368421
RT_STRING	0x5e8c5c	0xcc	data			0.6225490196078431
RT_STRING	0x5e8d28	0x1d0	data			0.5344827586206896
RT_STRING	0x5e8ef8	0x3dc	data			0.3765182186234818
RT_STRING	0x5e92d4	0x38c	data			0.3535242290748899
RT_STRING	0x5e9660	0x354	data			0.3826291079812207
RT_STRING	0x5e99b4	0x2e4	data			0.40540540540540543
RT_RCDATA	0x5e9c98	0x10	data			1.5
RT_RCDATA	0x5e9ca8	0xe58	data			0.4863834422657952
RT_RCDATA	0x5eab00	0x19b77	Delphi compiled form 'TBrushDialog'			0.6545877438648122
RT_RCDATA	0x604678	0x415c8	TrueType Font data, 19 tables, 1st "GPOS", 16 names, Macintosh, $g$\252 fonts 1999\251ElektraMediumTransType 3 MAC;Elektra;001.000;18/07/06 23:22:47ElektraVer	English	United States	0.10237935156133274
RT_RCDATA	0x645c40	0x5f80	TrueType Font data, 15 tables, 1st "OS/2", 21 names, Unicode	English	United States	0.3445271596858639
RT_RCDATA	0x64bbc0	0x21b871	data	English	United States	0.8604679107666016
RT_RCDATA	0x867434	0x15f	Delphi compiled form 'Toejtrewer'			0.7293447293447294
RT_RCDATA	0x867594	0xc59	Delphi compiled form 'TPenDialog'			0.4134767478645998
RT_RCDATA	0x8681f0	0x692	Delphi compiled form 'TTeeGalleryForm'			0.4768133174791914
RT_RCDATA	0x868884	0x1661	Delphi compiled form 'TTeeGradientEditor'			0.3459591551754233
RT_GROUP_CURSOR	0x869ee8	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x869efc	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x869f10	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x869f24	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x869f38	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x869f4c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x869f60	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x869f74	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_ICON	0x869f88	0x14	data			1.15
RT_VERSION	0x869f9c	0x2e4	data			0.4418918918918919

Imports

DLL	Import
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll	RegQueryValueExW, RegOpenKeyExW, RegCloseKey
user32.dll	CharNextW, LoadStringW
kernel32.dll	Sleep, VirtualFree, VirtualAlloc, lstrlenW, VirtualQuery, QueryPerformanceCounter, GetTickCount, GetSystemInfo, GetVersion, CompareStringW, IsValidLocale, SetThreadLocale, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, GetLocaleInfoW, WideCharToMultiByte, MultiByteToWideChar, GetACP, LoadLibraryExW, GetStartupInfoW, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetCommandLineW, FreeLibrary, GetLastError, UnhandledExceptionFilter, RtlUnwindEx, RtlUnwind, RaiseException, ExitProcess, ExitThread, SwitchToThread, GetCurrentThreadId, CreateThread, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, FindFirstFileW, FindClose, WriteFile, GetStdHandle, CloseHandle
kernel32.dll	GetProcAddress, RaiseException, LoadLibraryA, GetLastError, TlsSetValue, TlsGetValue, LocalFree, LocalAlloc, GetModuleHandleW, FreeLibrary
user32.dll	SetClassLongPtrW, GetClassLongPtrW, SetWindowLongPtrW, GetWindowLongPtrW, CreateWindowExW, WindowFromPoint, WaitMessage, UpdateWindow, UnregisterClassW, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoW, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCaret, SetWindowRgn, SetWindowsHookExW, SetWindowTextW, SetWindowPos, SetWindowPlacement, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropW, SetParent, SetMenuItemInfoW, SetMenu, SetForegroundWindow, SetFocus, SetCursorPos, SetCursor, SetClipboardData, SetCapture, SetActiveWindow, SendMessageA, SendMessageW, ScrollWindow, ScreenToClient, RemovePropW, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageW, RegisterClipboardFormatW, RegisterClassW, RedrawWindow, PostQuitMessage, PostMessageW, PeekMessageA, PeekMessageW, OpenClipboard, MsgWaitForMultipleObjectsEx, MsgWaitForMultipleObjects, MessageBoxW, MessageBeep, MapWindowPoints, MapVirtualKeyW, LoadStringW, LoadKeyboardLayoutW, LoadIconW, LoadCursorW, LoadBitmapW, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsIconic, IsDialogMessageA, IsDialogMessageW, IsClipboardFormatAvailable, IsChild, InvalidateRect, IntersectRect, InsertMenuItemW, InsertMenuW, HideCaret, GetWindowThreadProcessId, GetWindowTextW, GetWindowRect, GetWindowPlacement, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetScrollBarInfo, GetPropW, GetParent, GetWindow, GetMessagePos, GetMessageExtraInfo, GetMenuStringW, GetMenuState, GetMenuItemInfoW, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameW, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextW, GetIconInfo, GetForegroundWindow, GetFocus, GetDlgCtrlID, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameW, GetClassInfoExW, GetClassInfoW, GetCapture, GetActiveWindow, FrameRect, FindWindowExW, FindWindowW, FillRect, EnumWindows, EnumThreadWindows, EnumClipboardFormats, EnumChildWindows, EndPaint, EndMenu, EnableWindow, EnableScrollBar, EnableMenuItem, EmptyClipboard, DrawTextExW, DrawTextW, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageA, DispatchMessageW, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcW, DefMDIChildProcW, DefFrameProcW, CreatePopupMenu, CreateMenu, CreateIcon, CreateAcceleratorTableW, CountClipboardFormats, CopyImage, CopyIcon, CloseClipboard, ClientToScreen, CheckMenuItem, CharUpperBuffW, CharUpperW, CharNextW, CharLowerBuffW, CharLowerW, CallWindowProcW, CallNextHookEx, BeginPaint, AdjustWindowRectEx, ActivateKeyboardLayout
gdi32.dll	WidenPath, UnrealizeObject, TextOutW, StrokePath, StrokeAndFillPath, StretchDIBits, StretchBlt, StartPage, StartDocW, SetWindowOrgEx, SetWindowExtEx, SetWinMetaFileBits, SetViewportOrgEx, SetViewportExtEx, SetTextCharacterExtra, SetTextColor, SetTextAlign, SetStretchBltMode, SetRectRgn, SetROP2, SetPixel, SetMapMode, SetGraphicsMode, SetEnhMetaFileBits, SetDIBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SetArcDirection, SetAbortProc, SelectPalette, SelectObject, SelectClipRgn, SelectClipPath, SaveDC, RoundRect, RestoreDC, Rectangle, RectVisible, RealizePalette, PtVisible, PolylineTo, Polyline, Polygon, PolyBezierTo, PolyBezier, PlayEnhMetaFile, Pie, PathToRegion, PatBlt, MoveToEx, MaskBlt, LineTo, LPtoDP, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsW, GetTextExtentPointW, GetTextExtentPoint32W, GetTextCharacterExtra, GetTextAlign, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectA, GetObjectW, GetMapMode, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileDescriptionW, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetCurrentPositionEx, GetClipRgn, GetClipBox, GetBrushOrgEx, GetBkMode, GetBkColor, GetBitmapBits, GdiFlush, FrameRgn, FillPath, ExtTextOutW, ExtSelectClipRgn, ExtFloodFill, ExtCreatePen, ExcludeClipRect, EnumFontsW, EnumFontFamiliesExW, EndPath, EndPage, EndDoc, Ellipse, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreateRoundRectRgn, CreateRectRgn, CreatePolygonRgn, CreatePenIndirect, CreatePalette, CreateICW, CreateHalftonePalette, CreateFontIndirectW, CreateEnhMetaFileW, CreateEllipticRgnIndirect, CreateDIBitmap, CreateDIBSection, CreateDCW, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileW, CloseFigure, CloseEnhMetaFile, Chord, BitBlt, BeginPath, ArcTo, Arc, AngleArc, AbortDoc
version.dll	VerQueryValueW, GetFileVersionInfoSizeW, GetFileVersionInfoW
kernel32.dll	WriteFile, WideCharToMultiByte, WaitForSingleObject, WaitForMultipleObjectsEx, VirtualQueryEx, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, VerSetConditionMask, VerifyVersionInfoW, TryEnterCriticalSection, SwitchToThread, SuspendThread, Sleep, SizeofResource, SetThreadPriority, SetThreadLocale, SetLastError, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResumeThread, ResetEvent, RemoveDirectoryW, ReadFile, RaiseException, QueryPerformanceFrequency, QueryPerformanceCounter, IsDebuggerPresent, MulDiv, LockResource, LocalFree, LoadResource, LoadLibraryW, LeaveCriticalSection, IsValidLocale, InitializeCriticalSection, HeapSize, HeapFree, HeapDestroy, HeapCreate, HeapAlloc, GlobalUnlock, GlobalSize, GlobalLock, GlobalFree, GlobalFindAtomW, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomW, GetVersionExW, GetVersion, GetTimeZoneInformation, GetTickCount, GetThreadPriority, GetThreadLocale, GetTempPathW, GetStdHandle, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLocaleInfoW, GetLocalTime, GetLastError, GetFullPathNameW, GetFileSize, GetFileAttributesW, GetExitCodeThread, GetDiskFreeSpaceW, GetDateFormatW, GetCurrentThreadId, GetCurrentThread, GetCurrentProcessId, GetCurrentProcess, GetCPInfoExW, GetCPInfo, GetACP, FreeResource, FreeLibrary, FormatMessageW, FindResourceW, FindFirstFileW, FindClose, EnumSystemLocalesW, EnumResourceNamesW, EnumCalendarInfoW, EnterCriticalSection, DeleteFileW, DeleteCriticalSection, CreateThread, CreateFileW, CreateEventW, CopyFileW, CompareStringW, CloseHandle
advapi32.dll	RegUnLoadKeyW, RegSetValueExW, RegSaveKeyW, RegRestoreKeyW, RegReplaceKeyW, RegQueryValueExW, RegQueryInfoKeyW, RegOpenKeyExW, RegLoadKeyW, RegFlushKey, RegEnumValueW, RegEnumKeyExW, RegDeleteValueW, RegDeleteKeyW, RegCreateKeyExW, RegConnectRegistryW, RegCloseKey
kernel32.dll	Sleep
oleaut32.dll	SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
oleaut32.dll	GetErrorInfo, SysFreeString
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoTaskMemAlloc, CoCreateInstance, CoUninitialize, CoInitialize, IsEqualGUID
comctl32.dll	InitializeFlatSB, FlatSB_SetScrollProp, FlatSB_SetScrollPos, FlatSB_SetScrollInfo, FlatSB_GetScrollPos, FlatSB_GetScrollInfo, _TrackMouseEvent, ImageList_GetImageInfo, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Copy, ImageList_LoadImageW, ImageList_GetIcon, ImageList_Remove, ImageList_DrawEx, ImageList_Replace, ImageList_Draw, ImageList_SetOverlayImage, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_SetImageCount, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create
user32.dll	EnumDisplayMonitors, GetMonitorInfoW, MonitorFromPoint, MonitorFromRect, MonitorFromWindow
shell32.dll	Shell_NotifyIconW
winspool.drv	OpenPrinterW, EnumPrintersW, DocumentPropertiesW, ClosePrinter
winspool.drv	GetDefaultPrinterW

Exports

Name	Ordinal	Address
TMethodImplementationIntercept	3	0x4977c0
__dbk_fcall_wrapper	2	0x4172f0
dbkFCallWrapperAddr	1	0x92ef58

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 29, 2024 06:24:21.351891994 CEST	49715	443	192.168.2.6	188.114.96.3
Aug 29, 2024 06:24:21.351926088 CEST	443	49715	188.114.96.3	192.168.2.6
Aug 29, 2024 06:24:21.352006912 CEST	49715	443	192.168.2.6	188.114.96.3
Aug 29, 2024 06:24:21.353596926 CEST	49715	443	192.168.2.6	188.114.96.3
Aug 29, 2024 06:24:21.353609085 CEST	443	49715	188.114.96.3	192.168.2.6
Aug 29, 2024 06:24:21.827838898 CEST	443	49715	188.114.96.3	192.168.2.6
Aug 29, 2024 06:24:21.827971935 CEST	49715	443	192.168.2.6	188.114.96.3
Aug 29, 2024 06:24:21.830313921 CEST	49715	443	192.168.2.6	188.114.96.3
Aug 29, 2024 06:24:21.830337048 CEST	443	49715	188.114.96.3	192.168.2.6
Aug 29, 2024 06:24:21.830656052 CEST	443	49715	188.114.96.3	192.168.2.6
Aug 29, 2024 06:24:21.875257015 CEST	49715	443	192.168.2.6	188.114.96.3
Aug 29, 2024 06:24:21.930613995 CEST	49715	443	192.168.2.6	188.114.96.3
Aug 29, 2024 06:24:21.930613995 CEST	49715	443	192.168.2.6	188.114.96.3
Aug 29, 2024 06:24:21.930803061 CEST	443	49715	188.114.96.3	192.168.2.6
Aug 29, 2024 06:24:22.274483919 CEST	443	49715	188.114.96.3	192.168.2.6
Aug 29, 2024 06:24:22.274553061 CEST	443	49715	188.114.96.3	192.168.2.6
Aug 29, 2024 06:24:22.274748087 CEST	49715	443	192.168.2.6	188.114.96.3
Aug 29, 2024 06:24:22.274780989 CEST	443	49715	188.114.96.3	192.168.2.6
Aug 29, 2024 06:24:22.274792910 CEST	49715	443	192.168.2.6	188.114.96.3
Aug 29, 2024 06:24:22.274801016 CEST	443	49715	188.114.96.3	192.168.2.6
Aug 29, 2024 06:24:22.274816990 CEST	49715	443	192.168.2.6	188.114.96.3
Aug 29, 2024 06:24:22.274821043 CEST	443	49715	188.114.96.3	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 29, 2024 06:24:21.327296972 CEST	52009	53	192.168.2.6	1.1.1.1
Aug 29, 2024 06:24:21.344835997 CEST	53	52009	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 29, 2024 06:24:21.327296972 CEST	192.168.2.6	1.1.1.1	0x157b	Standard query (0)	jirafasaltas.fun	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Aug 29, 2024 06:24:21.344835997 CEST	1.1.1.1	192.168.2.6	0x157b	No error (0)	jirafasaltas.fun		188.114.96.3	A (IP address)	IN (0x0001)	false
Aug 29, 2024 06:24:21.344835997 CEST	1.1.1.1	192.168.2.6	0x157b	No error (0)	jirafasaltas.fun		188.114.97.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

jirafasaltas.fun

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49715	188.114.96.3	443	6728	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-29 04:24:21 UTC	322	OUT	POST /shopexd.asp?bz6lc4t394br=eFhwIFemrMF%2FVQdnWgR2UbCKGWfZtBWZRJvXMMLoeVpaAXHaE0GBuUMO5s2rsXKU HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Content-Length: 96 Host: jirafasaltas.fun
2024-08-29 04:24:21 UTC	96	OUT	Data Raw: fd ff ff ff 03 00 00 00 00 00 00 00 00 00 00 00 92 00 00 fe ff ff ff 2d 00 00 00 00 00 00 00 00 00 00 00 97 00 a0 a0 a0 ff ff d9 24 39 65 31 34 36 62 65 39 2d 63 37 36 61 2d 34 37 32 30 2d 62 63 64 62 2d 35 33 30 31 31 62 38 37 62 64 30 36 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: -$9e146be9-c76a-4720-bcdb-53011b87bd06
2024-08-29 04:24:22 UTC	516	IN	HTTP/1.1 204 No Content Date: Thu, 29 Aug 2024 04:24:22 GMT Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8WmH3ya62I20C2lZLUjgcRyIs86TcThsIqkEQFzdr9iV8APu07DGs5DROTE6S86A0s0SGD4fO96hv%2B2hFe6YH%2FFNccSwF1kK%2FNKdkznOrdIK%2F4fcYGKcREWJre1Y%2FXPCILQI"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ba9c561687ac330-EWR alt-svc: h3=":443"; ma=86400

Target ID:	0
Start time:	00:24:03
Start date:	29/08/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x400000
File size:	8'751'104 bytes
MD5 hash:	B7A66864AEDC3FA7A4686498EAF2B251
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Function 033F1CB0 Relevance: 2.8, Strings: 2, Instructions: 252COMMON

Download Yara Rule

Strings

tTq=, xrefs: 033F200C
2S, xrefs: 033F1F80

Memory Dump Source

Source File: 00000000.00000002.2344666311.00000000033F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_33f0000_file.jbxd

Similarity

API ID:
String ID: tTq=$2S
API String ID: 0-543185254
Opcode ID: e339baaa02422576db15edd746f3cbc4c7fcbfe3e090ede554aa3c520f7dbfae
Instruction ID: 3652085c6c270c2e864c9cef62d2dafdc5990f8d86414d4d372b22b7d78a490d
Opcode Fuzzy Hash: e339baaa02422576db15edd746f3cbc4c7fcbfe3e090ede554aa3c520f7dbfae
Instruction Fuzzy Hash: C06136327789854F478CC93C8C5263676C7EBCA235768DB3EA5ABC72E5D924C8438609

Function 033F1E12 Relevance: 2.7, Strings: 2, Instructions: 248COMMON

Download Yara Rule

Strings

tTq=, xrefs: 033F200C
2S, xrefs: 033F1F80

Memory Dump Source

Source File: 00000000.00000002.2344666311.00000000033F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_33f0000_file.jbxd

Similarity

API ID:
String ID: tTq=$2S
API String ID: 0-543185254
Opcode ID: 41587e98690bb531271f1142d322c8ffd1b5d973879c85c1fc7cde5b8bf9e366
Instruction ID: 28c5fbcb02a0821d9226183c442195c8a92063f54d06bb13559c030e09295e03
Opcode Fuzzy Hash: 41587e98690bb531271f1142d322c8ffd1b5d973879c85c1fc7cde5b8bf9e366
Instruction Fuzzy Hash: 0F6137327789854F878CC93C8C5263636D7DBCA235768D73EA5ABC72E5D924C8038609

Function 0348C6AA Relevance: 1.4, Strings: 1, Instructions: 167COMMON

Download Yara Rule

Strings

Q2\!, xrefs: 0348C7FF

Memory Dump Source

Source File: 00000000.00000002.2344666311.00000000033F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_33f0000_file.jbxd

Similarity

API ID:
String ID: Q2\!
API String ID: 0-796754979
Opcode ID: fda47437f6fc69074cd0fc07c01b764f0c4e6b28e09a02de8376cadca83ae7d7
Instruction ID: 1ff79a9f05b153abc184747888508a71803f1535d6c7c8be5ebb9850393b042c
Opcode Fuzzy Hash: fda47437f6fc69074cd0fc07c01b764f0c4e6b28e09a02de8376cadca83ae7d7
Instruction Fuzzy Hash: 78416931F2890C8F9B5CEF7C9C856AA77E2F758315720462DE46ED7691EA30C8928741

Function 033F1135 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344666311.00000000033F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_33f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ec9987ff25aeb479eb36b507c5c683234566d5a86e04e2d98dd650034a1728d
Instruction ID: 33860df8ba22ccf4bc58e9da5834815951acd953c0717c5afb50b5891dc5f70c
Opcode Fuzzy Hash: 1ec9987ff25aeb479eb36b507c5c683234566d5a86e04e2d98dd650034a1728d
Instruction Fuzzy Hash: 1051E635B249444FC78CDB3CCC9666A76D2EB99324B98863EA457C77E4EA38C8428705

Function 033F5766 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344666311.00000000033F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_33f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 220653a4a4cadc53af8c6ce3f2ed5cfd7c41420154ef4ebc40cdd6e9d1e327c8
Instruction ID: 14decec85f3b4daa9b426b69f004b569182ac2e7c271680fa9c12c1fbbe00d06
Opcode Fuzzy Hash: 220653a4a4cadc53af8c6ce3f2ed5cfd7c41420154ef4ebc40cdd6e9d1e327c8
Instruction Fuzzy Hash: 2C51C274E2490C8FEB48EFBCD885A797BF1FB58304F54015AD419D73A0DA349981CB86

Function 033F20EA Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344666311.00000000033F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_33f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91d8fec66991a5c8e682263c7a6966a27c6db31d7d277340809bc3aa0dc81e15
Instruction ID: 3acb43b021cf886c2fbbb89215ba7ac4618d4fd2d91bfbece7812479e900444f
Opcode Fuzzy Hash: 91d8fec66991a5c8e682263c7a6966a27c6db31d7d277340809bc3aa0dc81e15
Instruction Fuzzy Hash: B0412636728A848FC74CEB3CCC9276A77D2EB99324B94467DE197C77E0DA24D8428705

Function 033F517A Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344666311.00000000033F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_33f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43cc3ec64853b02de629e73a996ee7555fd754326a9f568214bb8f52e9565089
Instruction ID: f1c47df0074bafedb10868b256b03facb4ff827f8de872407cfe1e70c1cd6cef
Opcode Fuzzy Hash: 43cc3ec64853b02de629e73a996ee7555fd754326a9f568214bb8f52e9565089
Instruction Fuzzy Hash: 6131E331629A844FD388DB3C8C957167AD2FB9A334FA4875DF17AD62E0C735C8528705

Function 033F4FDF Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344666311.00000000033F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_33f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0641690a1ae636139eb6951a2d31bd3edaeb7558592d072d685aa54fb1f8d80b
Instruction ID: 57f69d0d548626b3fd931da4ca5b3aac4144e2f648f725d2be012ba132fd7699
Opcode Fuzzy Hash: 0641690a1ae636139eb6951a2d31bd3edaeb7558592d072d685aa54fb1f8d80b
Instruction Fuzzy Hash: 8E11B131228D084F9A4CDB3C886956576D2FB993313A4D32EF43AC73F2DE2494828745

Function 033F776A Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344666311.00000000033F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_33f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e46f8872fe86965cf683b4701ffd3a3878fad5ff4cacc2713877e57eb621fb6
Instruction ID: 62dd5091ebf045b5c2e8b77a6af4e5c144646ec931d54b7b260df1ec5f40dc08
Opcode Fuzzy Hash: 5e46f8872fe86965cf683b4701ffd3a3878fad5ff4cacc2713877e57eb621fb6
Instruction Fuzzy Hash: 452137367385454B430CCA3DDCA252676C7FB88324B64CB2DE5A7CB7D5C638C8838A09

Function 0340448A Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344666311.00000000033F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_33f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93f280d876108d5ac1d030dcc799272a7c6417004d295da9cfc2e65303c059e4
Instruction ID: 26afa63451c2d47c6b11a6a8b5742d776f96237e224df8896cb48d52d3df0e17
Opcode Fuzzy Hash: 93f280d876108d5ac1d030dcc799272a7c6417004d295da9cfc2e65303c059e4
Instruction Fuzzy Hash: 02214332714A094B579CEA7C9C6223B37E2EB88320314462FF23BCB3E4ED21C9824705

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Windows Analysis Report
file.exe