Edit tour

Windows Analysis Report
Gxm6KI51wl.exe

Overview

General Information

Sample name:	Gxm6KI51wl.exe renamed because original name is a hash value
Original sample name:	1a1debc631daab24c955c28aa18e909b.exe
Analysis ID:	1501289
MD5:	1a1debc631daab24c955c28aa18e909b
SHA1:	55e9a22c7d5d1eceffdc9657e78da59ec471f90e
SHA256:	e09370c9adc09c15eb8d05301bd3c74ef76e98b8a2fa2089df9c4ec5d7b4e047
Tags:	exeRedLineStealer
Infos:

Detection

PureLog Stealer, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected PureLog Stealer

Yara detected zgRAT

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

.NET source code contains very large array initializations

AI detected suspicious sample

Allocates memory in foreign processes

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Reads the System eventlog

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables security privileges

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

Gxm6KI51wl.exe (PID: 4908 cmdline: "C:\Users\user\Desktop\Gxm6KI51wl.exe" MD5: 1A1DEBC631DAAB24C955C28AA18E909B)

conhost.exe (PID: 2688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MSBuild.exe (PID: 2684 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

⊘No configs have been found

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.1241589726.0000000000802000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.1250040094.000000006D86B000.00000004.00000001.01000000.00000006.sdmp	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
00000000.00000002.1250040094.000000006D86B000.00000004.00000001.01000000.00000006.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.1250040094.000000006D86B000.00000004.00000001.01000000.00000006.sdmp	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x4ed39:$s1: file:/// 0x4ec95:$s2: {11111-22222-10009-11112} 0x4ecc9:$s3: {11111-22222-50001-00000} 0x4c36c:$s4: get_Module 0x484b3:$s5: Reverse 0x489bb:$s6: BlockCopy 0x484bf:$s7: ReadByte 0x4ed4b:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Gxm6KI51wl.exe.6d86b000.2.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.2.Gxm6KI51wl.exe.6d86b000.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Gxm6KI51wl.exe.6d86b000.2.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x4cf39:$s1: file:/// 0x4ce95:$s2: {11111-22222-10009-11112} 0x4cec9:$s3: {11111-22222-50001-00000} 0x4a56c:$s4: get_Module 0x466b3:$s5: Reverse 0x46bbb:$s6: BlockCopy 0x466bf:$s7: ReadByte 0x4cf4b:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
3.2.MSBuild.exe.800000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
3.2.MSBuild.exe.800000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.MSBuild.exe.800000.0.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x4ed39:$s1: file:/// 0x4ec95:$s2: {11111-22222-10009-11112} 0x4ecc9:$s3: {11111-22222-50001-00000} 0x4c36c:$s4: get_Module 0x484b3:$s5: Reverse 0x489bb:$s6: BlockCopy 0x484bf:$s7: ReadByte 0x4ed4b:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.Gxm6KI51wl.exe.6d86b000.2.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.2.Gxm6KI51wl.exe.6d86b000.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Gxm6KI51wl.exe.6d86b000.2.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x4ed39:$s1: file:/// 0x4ec95:$s2: {11111-22222-10009-11112} 0x4ecc9:$s3: {11111-22222-50001-00000} 0x4c36c:$s4: get_Module 0x484b3:$s5: Reverse 0x489bb:$s6: BlockCopy 0x484bf:$s7: ReadByte 0x4ed4b:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.Gxm6KI51wl.exe.6d840000.1.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.2.Gxm6KI51wl.exe.6d840000.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Gxm6KI51wl.exe.6d840000.1.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x77f39:$s1: file:/// 0x77e95:$s2: {11111-22222-10009-11112} 0x77ec9:$s3: {11111-22222-50001-00000} 0x7556c:$s4: get_Module 0x716b3:$s5: Reverse 0x71bbb:$s6: BlockCopy 0x716bf:$s7: ReadByte 0x77f4b:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
Click to see the 7 entries

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\d3d9x.dll

ReversingLabs: Detection: 60%

Multi AV Scanner detection for submitted file

Source: Gxm6KI51wl.exe

ReversingLabs: Detection: 66%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\d3d9x.dll

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Gxm6KI51wl.exe

Joe Sandbox ML: detected

Source: Gxm6KI51wl.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Gxm6KI51wl.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Gxm6KI51wl.exe

Code function: 0_2_6D85C4A8 FindFirstFileExW,

0_2_6D85C4A8

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: time.windows.com

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716

Spam, unwanted Advertisements and Ransom Demands

Reads the System eventlog

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.Gxm6KI51wl.exe.6d86b000.2.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 3.2.MSBuild.exe.800000.0.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.Gxm6KI51wl.exe.6d86b000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.Gxm6KI51wl.exe.6d840000.1.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 00000000.00000002.1250040094.000000006D86B000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: Detects zgRAT Author: ditekSHen

.NET source code contains very large array initializations

Source: 0.2.Gxm6KI51wl.exe.6d86b000.2.raw.unpack, Strings.cs

Large array initialization: Strings: array initializer size 6160

Source: C:\Users\user\Desktop\Gxm6KI51wl.exe

Code function: 0_2_6D848DA0 GetModuleHandleW,NtQueryInformationProcess,

0_2_6D848DA0

Source: C:\Users\user\Desktop\Gxm6KI51wl.exe	Code function: 0_2_6D848DA0	0_2_6D848DA0
Source: C:\Users\user\Desktop\Gxm6KI51wl.exe	Code function: 0_2_6D8411D0	0_2_6D8411D0
Source: C:\Users\user\Desktop\Gxm6KI51wl.exe	Code function: 0_2_6D8485C0	0_2_6D8485C0
Source: C:\Users\user\Desktop\Gxm6KI51wl.exe	Code function: 0_2_6D862A45	0_2_6D862A45
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_00F85FB9	3_2_00F85FB9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_00F8EB98	3_2_00F8EB98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_00F8EB88	3_2_00F8EB88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_00F8CC54	3_2_00F8CC54

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Process token adjusted: Security

Jump to behavior

Source: Gxm6KI51wl.exe, 00000000.00000000.1232983026.00000000002C2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameIrisKevin186Wendy.mscL vs Gxm6KI51wl.exe
Source: Gxm6KI51wl.exe, 00000000.00000002.1247140436.0000000000A4E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Gxm6KI51wl.exe
Source: Gxm6KI51wl.exe, 00000000.00000002.1250040094.000000006D86B000.00000004.00000001.01000000.00000006.sdmp	Binary or memory string: OriginalFilenameCricketer.exe" vs Gxm6KI51wl.exe
Source: Gxm6KI51wl.exe	Binary or memory string: OriginalFilenameIrisKevin186Wendy.mscL vs Gxm6KI51wl.exe

Source: Gxm6KI51wl.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.Gxm6KI51wl.exe.6d86b000.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 3.2.MSBuild.exe.800000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.Gxm6KI51wl.exe.6d86b000.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.Gxm6KI51wl.exe.6d840000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 00000000.00000002.1250040094.000000006D86B000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT

Source: Gxm6KI51wl.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.Gxm6KI51wl.exe.6d86b000.2.raw.unpack, Strings.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Gxm6KI51wl.exe.6d86b000.2.raw.unpack, daD.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Gxm6KI51wl.exe.6d86b000.2.raw.unpack, daD.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Gxm6KI51wl.exe.6d86b000.2.raw.unpack, y7p.cs	Cryptographic APIs: 'CreateDecryptor'

Source: 0.2.Gxm6KI51wl.exe.6d86b000.2.raw.unpack, Strings.cs

Base64 encoded string: 'GwIERx07GzAFKSEpHCoDKR03NR8GKgM2LF8hPh1cNgkcKAM5BSwHPgcoOgkaOCVHGiciBSldQh0dO0NO'

Source: classification engine

Classification label: mal100.troj.evad.winEXE@4/3@1/0

Source: C:\Users\user\Desktop\Gxm6KI51wl.exe

File created: C:\Users\user\AppData\Roaming\d3d9x.dll

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2688:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Mutant created: NULL

Source: Gxm6KI51wl.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Gxm6KI51wl.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\Gxm6KI51wl.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Gxm6KI51wl.exe

ReversingLabs: Detection: 66%

Source: unknown	Process created: C:\Users\user\Desktop\Gxm6KI51wl.exe "C:\Users\user\Desktop\Gxm6KI51wl.exe"
Source: C:\Users\user\Desktop\Gxm6KI51wl.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Gxm6KI51wl.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\Gxm6KI51wl.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Gxm6KI51wl.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gxm6KI51wl.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gxm6KI51wl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gxm6KI51wl.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gxm6KI51wl.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gxm6KI51wl.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gxm6KI51wl.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gxm6KI51wl.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gxm6KI51wl.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: textshaping.dll	Jump to behavior

Source: Gxm6KI51wl.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Gxm6KI51wl.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.Gxm6KI51wl.exe.6d86b000.2.raw.unpack, y7p.cs

.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

.NET source code contains potential unpacker

Source: 0.2.Gxm6KI51wl.exe.6d86b000.2.raw.unpack, FPZ.cs

.Net Code: NTS

Source: d3d9x.dll.0.dr

Static PE information: section name: .Jpc

Source: C:\Users\user\Desktop\Gxm6KI51wl.exe

Code function: 0_2_6D863174 push ecx; ret

0_2_6D863187

Source: Gxm6KI51wl.exe	Static PE information: section name: .text entropy: 7.165136221561172
Source: d3d9x.dll.0.dr	Static PE information: section name: .text entropy: 6.871072071474358

Source: C:\Users\user\Desktop\Gxm6KI51wl.exe

File created: C:\Users\user\AppData\Roaming\d3d9x.dll

Jump to dropped file

Source: C:\Users\user\Desktop\Gxm6KI51wl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Gxm6KI51wl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Gxm6KI51wl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Gxm6KI51wl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Gxm6KI51wl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Gxm6KI51wl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Gxm6KI51wl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Gxm6KI51wl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Gxm6KI51wl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Gxm6KI51wl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Gxm6KI51wl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Gxm6KI51wl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Gxm6KI51wl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Gxm6KI51wl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\Gxm6KI51wl.exe	Memory allocated: E80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Gxm6KI51wl.exe	Memory allocated: 26B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Gxm6KI51wl.exe	Memory allocated: 25E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Gxm6KI51wl.exe	Memory allocated: 4D60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Gxm6KI51wl.exe	Memory allocated: 5D60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Gxm6KI51wl.exe	Memory allocated: 5E90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Gxm6KI51wl.exe	Memory allocated: 6E90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: F80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2800000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 25C0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Gxm6KI51wl.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\Gxm6KI51wl.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\d3d9x.dll

Jump to dropped file

Source: C:\Users\user\Desktop\Gxm6KI51wl.exe

API coverage: 9.1 %

Source: C:\Users\user\Desktop\Gxm6KI51wl.exe TID: 6532	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5376	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\Gxm6KI51wl.exe

Code function: 0_2_6D85C4A8 FindFirstFileExW,

0_2_6D85C4A8

Source: C:\Users\user\Desktop\Gxm6KI51wl.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\Gxm6KI51wl.exe

Code function: 0_2_6D85BDF7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_6D85BDF7

Source: C:\Users\user\Desktop\Gxm6KI51wl.exe	Code function: 0_2_6D857981 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_6D857981
Source: C:\Users\user\Desktop\Gxm6KI51wl.exe	Code function: 0_2_6D85BDF7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6D85BDF7
Source: C:\Users\user\Desktop\Gxm6KI51wl.exe	Code function: 0_2_6D857E5A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6D857E5A

Source: C:\Users\user\Desktop\Gxm6KI51wl.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\Gxm6KI51wl.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 800000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Gxm6KI51wl.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 800000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Gxm6KI51wl.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 800000	Jump to behavior
Source: C:\Users\user\Desktop\Gxm6KI51wl.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 802000	Jump to behavior
Source: C:\Users\user\Desktop\Gxm6KI51wl.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 85E000	Jump to behavior
Source: C:\Users\user\Desktop\Gxm6KI51wl.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 87E000	Jump to behavior
Source: C:\Users\user\Desktop\Gxm6KI51wl.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 6AF008	Jump to behavior

Source: C:\Users\user\Desktop\Gxm6KI51wl.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Gxm6KI51wl.exe

Code function: 0_2_6D858018 cpuid

0_2_6D858018

Source: C:\Users\user\Desktop\Gxm6KI51wl.exe	Queries volume information: C:\Users\user\Desktop\Gxm6KI51wl.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Gxm6KI51wl.exe

Code function: 0_2_6D857AA3 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_6D857AA3

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.Gxm6KI51wl.exe.6d86b000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.MSBuild.exe.800000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Gxm6KI51wl.exe.6d86b000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Gxm6KI51wl.exe.6d840000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1241589726.0000000000802000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1250040094.000000006D86B000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY

Yara detected zgRAT

Source: Yara match	File source: 0.2.Gxm6KI51wl.exe.6d86b000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.MSBuild.exe.800000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Gxm6KI51wl.exe.6d86b000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Gxm6KI51wl.exe.6d840000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1250040094.000000006D86B000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.Gxm6KI51wl.exe.6d86b000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.MSBuild.exe.800000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Gxm6KI51wl.exe.6d86b000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Gxm6KI51wl.exe.6d840000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1241589726.0000000000802000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1250040094.000000006D86B000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY

Yara detected zgRAT

Source: Yara match	File source: 0.2.Gxm6KI51wl.exe.6d86b000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.MSBuild.exe.800000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Gxm6KI51wl.exe.6d86b000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Gxm6KI51wl.exe.6d840000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1250040094.000000006D86B000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	311 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	12 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	311 Process Injection	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	23 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	21 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	22 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Gxm6KI51wl.exe	67%	ReversingLabs	ByteCode-MSIL.Trojan.LummaStealer
Gxm6KI51wl.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\d3d9x.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\d3d9x.dll	61%	ReversingLabs	Win32.Trojan.Midie

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bg.microsoft.map.fastly.net	199.232.214.172	true	false		unknown
time.windows.com	unknown	unknown	false		unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1501289
Start date and time:	2024-08-29 17:06:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 26s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Gxm6KI51wl.exe renamed because original name is a hash value
Original Sample Name:	1a1debc631daab24c955c28aa18e909b.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@4/3@1/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 89% Number of executed functions: 21 Number of non-executed functions: 20
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe, UsoClient.exe
Excluded IPs from analysis (whitelisted): 51.124.78.146, 184.28.90.27, 199.232.214.172, 40.126.31.71, 40.126.31.73, 20.190.159.23, 20.190.159.71, 20.190.159.0, 20.190.159.64, 20.190.159.75, 20.190.159.73, 13.95.65.251, 13.85.23.86, 4.231.128.59, 52.165.164.15, 20.242.39.171, 52.183.220.149, 40.68.123.157
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, twc.trafficmanager.net, settings-prod-scus-2.southcentralus.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, atm-settingsfe-prod-geo2.trafficmanager.net, login.live.com, e16604.g.akamaiedge.net, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, settings-prod-weu-1.westeurope.cloudapp.azure.com, prdv4a.aadg.msidentity.com, fs.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, www.tm.v4.a.prd.aadg.akadns.net, settings-win.data.microsoft.com, ctldl.windowsupdate.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, settings-prod-neu-3.northeurope.cloudapp.azure.com, www.tm.lg.prod.aadmsa.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: Gxm6KI51wl.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bg.microsoft.map.fastly.net	http://www.water-filter.com	Get hash	malicious	HTMLPhisher	Browse	199.232.210.172
	http://general72.s3-website.us-east-2.amazonaws.com	Get hash	malicious	Unknown	Browse	199.232.214.172
	http://premium.davidabostic.com	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://elc-path.com/pdfglobal2/docs89q9eqwwe/login.php#wa=wsignin1.0&rpsnv=13&ct=1539585327&rver=7.0.6737.0&wp=MBI_SSL&wreply=https%3a%2f%2foutlook.live.com%2fowa%2f%3fnlp%3d1%26RpsCsrfState%3d715d44a2-2f11-4282-f625-a066679e96e2&id=292841&CBCXT=out&lw=1&fl=dob%2cflname%2cwld&cobrandid=90015	Get hash	malicious	HTMLPhisher	Browse	199.232.210.172
	https://gocloud.co.ke/ShareDocu.php/?email=cmFjaGVsakBjb21wbHl3b3Jrcy5jb20=	Get hash	malicious	Captcha Phish, HTMLPhisher	Browse	199.232.214.172
	unitedserviceorganizationsstaff-5.8.9154-windows-installer.msi	Get hash	malicious	ScreenConnect Tool	Browse	199.232.214.172
	https://mpcpallc.weebly.com/	Get hash	malicious	Unknown	Browse	199.232.214.172
	http://control.frilix.com/grace/fxc/aW5mby5jcmVkaXRldXJlbkBicmVkYS5ubA==	Get hash	malicious	HTMLPhisher	Browse	199.232.210.172
	https://set.page/cdtautomotive/	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://sgsconsulting.com/	Get hash	malicious	Unknown	Browse	199.232.210.172

Process:	C:\Users\user\Desktop\Gxm6KI51wl.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	42
Entropy (8bit):	4.0050635535766075
Encrypted:	false
SSDEEP:	3:QHXMKa/xwwUy:Q3La/xwQ
MD5:	84CFDB4B995B1DBF543B26B86C863ADC
SHA1:	D2F47764908BF30036CF8248B9FF5541E2711FA2
SHA-256:	D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
SHA-512:	485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1119
Entropy (8bit):	5.345080863654519
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0Hj
MD5:	88593431AEF401417595E7A00FE86E5F
SHA1:	1714B8F6F6DCAAB3F3853EDABA7687F16DD331F4
SHA-256:	ED5E60336FB00579E0867B9615CBD0C560BB667FE3CEE0674F690766579F1032
SHA-512:	1D442441F96E69D8A6D5FB7E8CF01F13AF88CA2C2D0960120151B15505DD1CADC607EF9983373BA8E422C65FADAB04A615968F335A875B5C075BB9A6D0F346C9
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Roaming\d3d9x.dll

Download File

Process:	C:\Users\user\Desktop\Gxm6KI51wl.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	710656
Entropy (8bit):	6.583072660656992
Encrypted:	false
SSDEEP:	12288:LItXaj3jmzqKl/sBFOh2XQifmjlK1L6cfHm8Qqz0w9H4ioVy1ymytypyeyryXyCm:Zjir/6FOh2XQifmjlK1L6cfHm8Qqz0we
MD5:	87F783D7BB2592054664BA866379E207
SHA1:	08EBD308E6B5384C0A8C96A748C9438CAEF0EC06
SHA-256:	8E788B428F5997721540AAE2FD0491FAE2F189F6F10A3CB0F7F3342C41E79304
SHA-512:	FC0C6284550C5181E2618BA4E82E8057FACD269BA2E73BF43201FD94675384897DB0016EEFB7D3FCBF8C527A514A27C8FD52AB03B390F2FF5280A6BA4CDA67FB
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 61%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f...........!...&.$..."......^y.......@............................................@.........................@...x.......<.......................................................................@............@..L............................text....#.......$.................. ..`.rdata..Bh...@...j...(..............@..@.data...d...........................@....Jpc.........P.......$.............. ..`.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.1587006887290725
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Gxm6KI51wl.exe
File size:	720'896 bytes
MD5:	1a1debc631daab24c955c28aa18e909b
SHA1:	55e9a22c7d5d1eceffdc9657e78da59ec471f90e
SHA256:	e09370c9adc09c15eb8d05301bd3c74ef76e98b8a2fa2089df9c4ec5d7b4e047
SHA512:	ad13d127931ab0a75d6d6732b52df590b548adf45cd2886ee9cb49fe82a0570c474bd6efa80ae3be8364939df964bc127bdc4cb655313ff8be788d6d2a430c56
SSDEEP:	12288:kOxjCHqsMHuZud8HWtEfGI48z2/Ne7FJTPibnlqap5meCVY4B7gxuLHYuaMPtggw:5Ie81eI48647PT
TLSH:	61E492DD325072DFC85BC8728AA81D64FB6074BB971F5203A0671AED9A4E997CF140F2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f................................. ... ....@.. .......................`............@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4b139e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66CCB3BB [Mon Aug 26 16:56:27 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb134c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb2000	0x6d8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xb4000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xaf3a4	0xaf400	4c9453a3faa2713eb33a08cf2a62ef63	False	0.705741240192582	data	7.165136221561172	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xb2000	0x6d8	0x800	0974655a9b5ccc8255df2c008d7bde96	False	0.36181640625	data	3.7232127339524883	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xb4000	0xc	0x200	987bec5518cef9b50a068eab2f87a73a	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xb20a0	0x44c	data			0.3981818181818182
RT_MANIFEST	0xb24ec	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 29, 2024 17:06:55.177093983 CEST	49671	443	192.168.2.7	204.79.197.203
Aug 29, 2024 17:06:55.489334106 CEST	49671	443	192.168.2.7	204.79.197.203
Aug 29, 2024 17:06:56.098843098 CEST	49671	443	192.168.2.7	204.79.197.203
Aug 29, 2024 17:06:57.114434958 CEST	49674	443	192.168.2.7	104.98.116.138
Aug 29, 2024 17:06:57.114434004 CEST	49675	443	192.168.2.7	104.98.116.138
Aug 29, 2024 17:06:57.255024910 CEST	49672	443	192.168.2.7	104.98.116.138
Aug 29, 2024 17:06:57.301841021 CEST	49671	443	192.168.2.7	204.79.197.203
Aug 29, 2024 17:06:59.708086967 CEST	49671	443	192.168.2.7	204.79.197.203
Aug 29, 2024 17:07:03.724240065 CEST	49677	443	192.168.2.7	20.50.201.200
Aug 29, 2024 17:07:04.098731995 CEST	49677	443	192.168.2.7	20.50.201.200
Aug 29, 2024 17:07:04.520602942 CEST	49671	443	192.168.2.7	204.79.197.203
Aug 29, 2024 17:07:04.848722935 CEST	49677	443	192.168.2.7	20.50.201.200
Aug 29, 2024 17:07:06.348726034 CEST	49677	443	192.168.2.7	20.50.201.200
Aug 29, 2024 17:07:06.723714113 CEST	49674	443	192.168.2.7	104.98.116.138
Aug 29, 2024 17:07:06.723731041 CEST	49675	443	192.168.2.7	104.98.116.138
Aug 29, 2024 17:07:06.864379883 CEST	49672	443	192.168.2.7	104.98.116.138
Aug 29, 2024 17:07:09.319602966 CEST	443	49698	104.98.116.138	192.168.2.7
Aug 29, 2024 17:07:09.319713116 CEST	49698	443	192.168.2.7	104.98.116.138
Aug 29, 2024 17:07:09.333182096 CEST	49677	443	192.168.2.7	20.50.201.200
Aug 29, 2024 17:07:14.130019903 CEST	49671	443	192.168.2.7	204.79.197.203
Aug 29, 2024 17:07:15.286293030 CEST	49677	443	192.168.2.7	20.50.201.200
Aug 29, 2024 17:07:17.917107105 CEST	49698	443	192.168.2.7	104.98.116.138
Aug 29, 2024 17:07:17.918224096 CEST	49716	443	192.168.2.7	104.98.116.138
Aug 29, 2024 17:07:17.918251991 CEST	443	49716	104.98.116.138	192.168.2.7
Aug 29, 2024 17:07:17.918309927 CEST	49716	443	192.168.2.7	104.98.116.138
Aug 29, 2024 17:07:17.923335075 CEST	49716	443	192.168.2.7	104.98.116.138
Aug 29, 2024 17:07:17.923355103 CEST	443	49716	104.98.116.138	192.168.2.7
Aug 29, 2024 17:07:17.927005053 CEST	443	49698	104.98.116.138	192.168.2.7
Aug 29, 2024 17:07:27.192569971 CEST	49677	443	192.168.2.7	20.50.201.200
Aug 29, 2024 17:08:00.728403091 CEST	443	49716	104.98.116.138	192.168.2.7
Aug 29, 2024 17:08:00.728487015 CEST	49716	443	192.168.2.7	104.98.116.138

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 29, 2024 17:07:08.456845999 CEST	62067	53	192.168.2.7	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 29, 2024 17:07:08.456845999 CEST	192.168.2.7	1.1.1.1	0x4965	Standard query (0)	time.windows.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Aug 29, 2024 17:07:06.627248049 CEST	1.1.1.1	192.168.2.7	0x1a48	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Aug 29, 2024 17:07:06.627248049 CEST	1.1.1.1	192.168.2.7	0x1a48	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Aug 29, 2024 17:07:08.464217901 CEST	1.1.1.1	192.168.2.7	0x4965	No error (0)	time.windows.com	twc.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Aug 29, 2024 17:07:56.337891102 CEST	1.1.1.1	192.168.2.7	0xffff	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Aug 29, 2024 17:07:56.337891102 CEST	1.1.1.1	192.168.2.7	0xffff	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	11:06:59
Start date:	29/08/2024
Path:	C:\Users\user\Desktop\Gxm6KI51wl.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Gxm6KI51wl.exe"
Imagebase:	0x2c0000
File size:	720'896 bytes
MD5 hash:	1A1DEBC631DAAB24C955C28AA18E909B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: 00000000.00000002.1250040094.000000006D86B000.00000004.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1250040094.000000006D86B000.00000004.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: MALWARE_Win_zgRAT, Description: Detects zgRAT, Source: 00000000.00000002.1250040094.000000006D86B000.00000004.00000001.01000000.00000006.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	11:06:59
Start date:	29/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	11:07:00
Start date:	29/08/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Imagebase:	0x3d0000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000003.00000002.1241589726.0000000000802000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	45%
Total number of Nodes:	60
Total number of Limit Nodes:	3

Executed Functions

Function 6D8411D0 Relevance: 75.3, APIs: 17, Strings: 22, Instructions: 7018filememoryCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 6D8470C5
GetModuleHandleA.KERNEL32 ref: 6D847182
K32GetModuleInformation.KERNEL32 ref: 6D847307
GetModuleFileNameA.KERNEL32 ref: 6D84732F
CreateFileA.KERNELBASE ref: 6D847385
CreateFileMappingA.KERNEL32 ref: 6D84755A
CloseHandle.KERNEL32 ref: 6D847689
MapViewOfFile.KERNELBASE ref: 6D84771C
VirtualProtect.KERNELBASE ref: 6D847AB8
VirtualProtect.KERNELBASE ref: 6D847B5D
CloseHandle.KERNEL32 ref: 6D847D47
GetModuleHandleA.KERNEL32 ref: 6D848466
CreateFileMappingA.KERNEL32 ref: 6D8484D4
CloseHandle.KERNEL32 ref: 6D8484FC
CloseHandle.KERNEL32 ref: 6D84858F

Strings

w9vY, xrefs: 6D8471FD
5}, xrefs: 6D846106
O \, xrefs: 6D844D9A
/c~<, xrefs: 6D8461A4
c00, xrefs: 6D8411F8
h#s=, xrefs: 6D8478C4
)/rF, xrefs: 6D847216
z8a, xrefs: 6D846B9D
.;yp, xrefs: 6D8467A4
0r0, xrefs: 6D844FA6
pA[, xrefs: 6D8457BB
a1-t, xrefs: 6D8468BB
,N}", xrefs: 6D847006
x3^w, xrefs: 6D845F8C
a1-t, xrefs: 6D84686A
x3^w, xrefs: 6D845FF7
YhH, xrefs: 6D8433B8
@, xrefs: 6D847AAC
5}, xrefs: 6D84608B
,N}", xrefs: 6D84704F
$<tE, xrefs: 6D847C31
TCX), xrefs: 6D8454CD

Memory Dump Source

Source File: 00000000.00000002.1249955717.000000006D841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D840000, based on PE: true

Associated: 00000000.00000002.1249928556.000000006D840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250012730.000000006D864000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250040094.000000006D86B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250193109.000000006D8E5000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250226545.000000006D8EF000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d840000_Gxm6KI51wl.jbxd

Yara matches

Similarity

API ID: Handle$File$CloseModule$Create$MappingProtectVirtual$CurrentInformationNameProcessView
String ID: $<tE$)/rF$,N}"$,N}"$.;yp$/c~<$0r0$5}$5}$@$TCX)$a1-t$a1-t$c00$h#s=$w9vY$x3^w$x3^w$z8a$O \$YhH$pA[
API String ID: 1213677244-3495332049
Opcode ID: f3574032e9f9eaf810e92c518d9b4a642dd97943a26bde7249a7e6dd6eba56a8
Instruction ID: 4253f4fcfc4fc3e09e8184851d0e41fb567ddabea9b413cef1158b9f18517d39
Opcode Fuzzy Hash: f3574032e9f9eaf810e92c518d9b4a642dd97943a26bde7249a7e6dd6eba56a8
Instruction Fuzzy Hash: 8CC34232E6421D8FDF15CE3CC9D97DDB7F2BB8A320F01CA4598199B295D63689898F40

Function 6D848DA0 Relevance: 7.5, APIs: 2, Strings: 2, Instructions: 482
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32 ref: 6D849077
NtQueryInformationProcess.NTDLL ref: 6D8490FA

Strings

NtQueryInformationProcess, xrefs: 6D84907F
ntdll.dll, xrefs: 6D84906B

Memory Dump Source

Source File: 00000000.00000002.1249955717.000000006D841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D840000, based on PE: true

Associated: 00000000.00000002.1249928556.000000006D840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250012730.000000006D864000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250040094.000000006D86B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250193109.000000006D8E5000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250226545.000000006D8EF000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d840000_Gxm6KI51wl.jbxd

Yara matches

Similarity

API ID: HandleInformationModuleProcessQuery
String ID: NtQueryInformationProcess$ntdll.dll
API String ID: 2776635927-2906145389
Opcode ID: 6d72c4d7698f800ebcf1a93fa012e21f3bfe9f4ad64f9bc0dbbf1f8aee478a2d
Instruction ID: 67cdb367cb512b48c16aff14070b6e901d061490ee867a81cadfccdde4ba64c5
Opcode Fuzzy Hash: 6d72c4d7698f800ebcf1a93fa012e21f3bfe9f4ad64f9bc0dbbf1f8aee478a2d
Instruction Fuzzy Hash: 41F10572A552098FCF04DE7CD6987DE7BF2BB8A320F11D919E515DB394C63A8809CB81

Non-executed Functions

Function 6D857E5A Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,00000000), ref: 6D857E66
IsDebuggerPresent.KERNEL32 ref: 6D857F32
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6D857F4B
UnhandledExceptionFilter.KERNEL32(?), ref: 6D857F55

Memory Dump Source

Source File: 00000000.00000002.1249955717.000000006D841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D840000, based on PE: true

Associated: 00000000.00000002.1249928556.000000006D840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250012730.000000006D864000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250040094.000000006D86B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250193109.000000006D8E5000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250226545.000000006D8EF000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d840000_Gxm6KI51wl.jbxd

Yara matches

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 77fa969f91616a75a3301a468fd8eafbf0d1ca52c796035346d505000b5b444d
Instruction ID: 377bb94b56ce268a4cf5585964b21b45825c7b0ab1cde31d66ca6413695ad87f
Opcode Fuzzy Hash: 77fa969f91616a75a3301a468fd8eafbf0d1ca52c796035346d505000b5b444d
Instruction Fuzzy Hash: 9331F875D052299BDF51DFA4D9497CDBBB8EF08304F1095AAE50CAB240EB709A84CF85

Function 6D857981 Relevance: 6.0, APIs: 4, Instructions: 12COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,6D857AA1,6D864934), ref: 6D857986
UnhandledExceptionFilter.KERNEL32(?), ref: 6D85798F
GetCurrentProcess.KERNEL32(C0000409), ref: 6D85799A
TerminateProcess.KERNEL32(00000000), ref: 6D8579A1

Memory Dump Source

Source File: 00000000.00000002.1249955717.000000006D841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D840000, based on PE: true

Associated: 00000000.00000002.1249928556.000000006D840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250012730.000000006D864000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250040094.000000006D86B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250193109.000000006D8E5000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250226545.000000006D8EF000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d840000_Gxm6KI51wl.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID:
API String ID: 3231755760-0
Opcode ID: ecccddbc71b0952095a687e615e3c48562d2f90404c97a7fe24df0e74b150e10
Instruction ID: 88da1caff558d3586100d3c58724a8c91d36b4aeb333b31b6b4665024d6584b2
Opcode Fuzzy Hash: ecccddbc71b0952095a687e615e3c48562d2f90404c97a7fe24df0e74b150e10
Instruction Fuzzy Hash: F3D0C932008194ABCE852BE8DA1CBAD3B38EB8E626F011000F71981001CB314454CB92

Function 6D85BDF7 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6D85BEEF
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6D85BEF9
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 6D85BF06

Memory Dump Source

Source File: 00000000.00000002.1249955717.000000006D841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D840000, based on PE: true

Associated: 00000000.00000002.1249928556.000000006D840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250012730.000000006D864000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250040094.000000006D86B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250193109.000000006D8E5000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250226545.000000006D8EF000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d840000_Gxm6KI51wl.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 8676fc82905c9a1b810d628a398100968f6ffdacef88656b1d3d358bc7a90ea1
Instruction ID: 8192a7e2a4f305a49916f05c6929ea0b3914a08db4c1399cbdabca6287782b49
Opcode Fuzzy Hash: 8676fc82905c9a1b810d628a398100968f6ffdacef88656b1d3d358bc7a90ea1
Instruction Fuzzy Hash: 8131D2B4905229ABCB61DF68DD8879DBBB8FF08310F5085EAE51CA7250E7309B918F45

Function 6D8485C0 Relevance: 3.0, Strings: 2, Instructions: 544COMMON

Download Yara Rule

Strings

UmL!, xrefs: 6D848CC5
hck, xrefs: 6D8488F9

Memory Dump Source

Source File: 00000000.00000002.1249955717.000000006D841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D840000, based on PE: true

Associated: 00000000.00000002.1249928556.000000006D840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250012730.000000006D864000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250040094.000000006D86B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250193109.000000006D8E5000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250226545.000000006D8EF000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d840000_Gxm6KI51wl.jbxd

Yara matches

Similarity

API ID:
String ID: UmL!$hck
API String ID: 0-940997351
Opcode ID: 99e7b329b91ca936d68fcb9f096d3005f54e7d5fe34f2649242ac8c576c78949
Instruction ID: 6eecd9dbb2ac895550a19803f1c38fa98f74a159ca046c3377c59daccd7a5b40
Opcode Fuzzy Hash: 99e7b329b91ca936d68fcb9f096d3005f54e7d5fe34f2649242ac8c576c78949
Instruction Fuzzy Hash: 5A225675A5520D8FCB05CEACC599BADBBF2BB4A318F10C91AE818EB345C7359805CF81

Function 6D862A45 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,6D862A40,?,?,00000008,?,?,6D862643,00000000), ref: 6D862C72

Memory Dump Source

Source File: 00000000.00000002.1249955717.000000006D841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D840000, based on PE: true

Associated: 00000000.00000002.1249928556.000000006D840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250012730.000000006D864000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250040094.000000006D86B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250193109.000000006D8E5000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250226545.000000006D8EF000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d840000_Gxm6KI51wl.jbxd

Yara matches

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 5f0f958e1448195127db6fe5a71d38a17b91542f145b15ced8ff2c7529c82d27
Instruction ID: 7b21c82f125b2012f2bb41ba9eb7363acc31eb9b0fa235f6cf9cec56507c30be
Opcode Fuzzy Hash: 5f0f958e1448195127db6fe5a71d38a17b91542f145b15ced8ff2c7529c82d27
Instruction Fuzzy Hash: D0B15C31620649DFD725CF28C48AB647BE0FF45365F258A98F8A9CF2A1C339D991CB50

Function 6D858018 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6D85802E

Memory Dump Source

Source File: 00000000.00000002.1249955717.000000006D841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D840000, based on PE: true

Associated: 00000000.00000002.1249928556.000000006D840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250012730.000000006D864000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250040094.000000006D86B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250193109.000000006D8E5000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250226545.000000006D8EF000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d840000_Gxm6KI51wl.jbxd

Yara matches

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: bb8e42bb0c569133f0646261280989ac6a1154a795c1201a71fc3999fab15797
Instruction ID: 02cd47598271cdb21112c38af7bc828234b1a4eae02b764edeb9c22a811313cc
Opcode Fuzzy Hash: bb8e42bb0c569133f0646261280989ac6a1154a795c1201a71fc3999fab15797
Instruction Fuzzy Hash: 4B516EB1A2121A9FDF45CF99C4897AABBF4FB8D314F108AAAD415EB250D374D910CF90

Function 6D85C4A8 Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1249955717.000000006D841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D840000, based on PE: true

Associated: 00000000.00000002.1249928556.000000006D840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250012730.000000006D864000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250040094.000000006D86B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250193109.000000006D8E5000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250226545.000000006D8EF000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d840000_Gxm6KI51wl.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0753689597fd77c90b55eb7682ab5b95e1e519cce12fdb3b559f2eaa8e93857
Instruction ID: a584ad554904be19be1e698b7c0b2e4030f3baacb60b8e36c92f7810692bef07
Opcode Fuzzy Hash: c0753689597fd77c90b55eb7682ab5b95e1e519cce12fdb3b559f2eaa8e93857
Instruction Fuzzy Hash: 4A41A1B5808219AFDB50DFA9CC8CEBABBB9EB45304F1446D9E419E3201DB359E94CF50

Function 6D85988A Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 6D8599A9
___TypeMatch.LIBVCRUNTIME ref: 6D859AB7
CatchIt.LIBVCRUNTIME ref: 6D859B08
_UnwindNestedFrames.LIBCMT ref: 6D859C09
CallUnexpected.LIBVCRUNTIME ref: 6D859C24

Strings

csm, xrefs: 6D859934
csm, xrefs: 6D8599E0
csm, xrefs: 6D8598C7

Memory Dump Source

Source File: 00000000.00000002.1249955717.000000006D841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D840000, based on PE: true

Associated: 00000000.00000002.1249928556.000000006D840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250012730.000000006D864000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250040094.000000006D86B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250193109.000000006D8E5000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250226545.000000006D8EF000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d840000_Gxm6KI51wl.jbxd

Yara matches

Similarity

API ID: CallCatchFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 4119006552-393685449
Opcode ID: 9077f829502bca238bbbcea08ea7c814c476a605dde04bd2d516c472ae8ba532
Instruction ID: 88ddd61622e01d7b18f0142bcce23db6a244aa9295c1546282d8406fee7fac13
Opcode Fuzzy Hash: 9077f829502bca238bbbcea08ea7c814c476a605dde04bd2d516c472ae8ba532
Instruction Fuzzy Hash: F0B16BB1C0421AEFDF45EF94C9889AEBBB5FF05314F12495AE9146B201D331EA71CB92

Function 6D858930 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 6D858967
___except_validate_context_record.LIBVCRUNTIME ref: 6D85896F
_ValidateLocalCookies.LIBCMT ref: 6D8589F8
__IsNonwritableInCurrentImage.LIBCMT ref: 6D858A23
_ValidateLocalCookies.LIBCMT ref: 6D858A78

Strings

csm, xrefs: 6D858A0D

Memory Dump Source

Source File: 00000000.00000002.1249955717.000000006D841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D840000, based on PE: true

Associated: 00000000.00000002.1249928556.000000006D840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250012730.000000006D864000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250040094.000000006D86B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250193109.000000006D8E5000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250226545.000000006D8EF000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d840000_Gxm6KI51wl.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: ca53d4e6df3123c6709ff26fcf5e19ddd00b40801325204936d2c9d9d823e735
Instruction ID: e347b37825988a6b6d284dedfc820ad3075bc0da2a9496825c8dde5bc5bbe926
Opcode Fuzzy Hash: ca53d4e6df3123c6709ff26fcf5e19ddd00b40801325204936d2c9d9d823e735
Instruction Fuzzy Hash: E841C234A14259DBCF41CF6DC888ABE7FB5AF46328F108896E9145B351D7329921CF91

Function 6D85D7FA Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,6D85D909,00000000,6D85B110,00000000,00000000,00000001,?,6D85DA82,00000022,FlsSetValue,6D865CD8,6D865CE0,00000000), ref: 6D85D8BB

Strings

ext-ms-, xrefs: 6D85D865
api-ms-, xrefs: 6D85D851

Memory Dump Source

Source File: 00000000.00000002.1249955717.000000006D841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D840000, based on PE: true

Associated: 00000000.00000002.1249928556.000000006D840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250012730.000000006D864000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250040094.000000006D86B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250193109.000000006D8E5000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250226545.000000006D8EF000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d840000_Gxm6KI51wl.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 06e2ed7caa21ca99a50c7cbf7629950dfb33efd5607af7d6536ba2d36a98f465
Instruction ID: 4b16a9071153aeb9a0e84bc03977586809a028d04e06906ee7fa3442969b39d0
Opcode Fuzzy Hash: 06e2ed7caa21ca99a50c7cbf7629950dfb33efd5607af7d6536ba2d36a98f465
Instruction Fuzzy Hash: 48210B31D05226ABCB515A29CC4CB6A37B9EBC7770F1A0DA0FD15A7280D730E920CAD1

Function 6D858EDC Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,6D858ED3,6D858C30), ref: 6D858EEA
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6D858EF8
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6D858F11
SetLastError.KERNEL32(00000000,6D858ED3,6D858C30), ref: 6D858F63

Memory Dump Source

Source File: 00000000.00000002.1249955717.000000006D841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D840000, based on PE: true

Associated: 00000000.00000002.1249928556.000000006D840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250012730.000000006D864000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250040094.000000006D86B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250193109.000000006D8E5000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250226545.000000006D8EF000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d840000_Gxm6KI51wl.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 8918315997076fc2d671cd7c4dfa408a2efce9e29026af9deb73a174da331af4
Instruction ID: b2058f3c7aa6bce835dd7628afcafdba5d28cf3dbe156848bdcae4e6ef730cd2
Opcode Fuzzy Hash: 8918315997076fc2d671cd7c4dfa408a2efce9e29026af9deb73a174da331af4
Instruction Fuzzy Hash: 4D012D7611D2269E9A8025BE6C4C72E26F5D74A37A3210B3BF134550E0EF114C308684

Function 6D85CA2E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\Gxm6KI51wl.exe, xrefs: 6D85CA4A

Memory Dump Source

Source File: 00000000.00000002.1249955717.000000006D841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D840000, based on PE: true

Associated: 00000000.00000002.1249928556.000000006D840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250012730.000000006D864000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250040094.000000006D86B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250193109.000000006D8E5000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250226545.000000006D8EF000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d840000_Gxm6KI51wl.jbxd

Yara matches

Similarity

API ID:
String ID: C:\Users\user\Desktop\Gxm6KI51wl.exe
API String ID: 0-1939077431
Opcode ID: 7ab875e7ecbbd31dcffcc576a0753df4f47e084661b37fd2aff4e51226299951
Instruction ID: 70a7e411ba978295e75580d7068d61acf99a104335ae407e042d63dd92a8ec97
Opcode Fuzzy Hash: 7ab875e7ecbbd31dcffcc576a0753df4f47e084661b37fd2aff4e51226299951
Instruction Fuzzy Hash: 7921C2B1208206AFDB92DF69885896B7BBCFF053687018D14FA15D7102D732DC20CF91

Function 6D85AA3E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,BCBE4344,00000000,?,00000000,6D863342,000000FF,?,6D85A9D8,?,?,6D85A9AC,?), ref: 6D85AA73
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6D85AA85
FreeLibrary.KERNEL32(00000000,?,00000000,6D863342,000000FF,?,6D85A9D8,?,?,6D85A9AC,?), ref: 6D85AAA7

Strings

mscoree.dll, xrefs: 6D85AA6C
CorExitProcess, xrefs: 6D85AA7D

Memory Dump Source

Source File: 00000000.00000002.1249955717.000000006D841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D840000, based on PE: true

Associated: 00000000.00000002.1249928556.000000006D840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250012730.000000006D864000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250040094.000000006D86B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250193109.000000006D8E5000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250226545.000000006D8EF000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d840000_Gxm6KI51wl.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 7a27718751f66994ed9e972289bbdc825e1315ce46716dca72b1a8e378e9c20f
Instruction ID: 3ff0a6d943be79ca81af67b257d1e7964bb357f3944d57e41e4952876e02ad24
Opcode Fuzzy Hash: 7a27718751f66994ed9e972289bbdc825e1315ce46716dca72b1a8e378e9c20f
Instruction Fuzzy Hash: F101A7715046AAEFDB028B44CD0CFBE7BF9FB49721F004925F811A2291DB359900CAA0

Function 6D859C2F Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?), ref: 6D859C54
CatchIt.LIBVCRUNTIME ref: 6D859D3A

Strings

RCC, xrefs: 6D859C6E
MOC, xrefs: 6D859C66

Memory Dump Source

Source File: 00000000.00000002.1249955717.000000006D841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D840000, based on PE: true

Associated: 00000000.00000002.1249928556.000000006D840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250012730.000000006D864000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250040094.000000006D86B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250193109.000000006D8E5000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250226545.000000006D8EF000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d840000_Gxm6KI51wl.jbxd

Yara matches

Similarity

API ID: CatchEncodePointer
String ID: MOC$RCC
API String ID: 1435073870-2084237596
Opcode ID: 649b7a9750521bc1b8b4c4c9897449cbb2f47a2fb6058efb02a9dc0a0c9d8388
Instruction ID: d29376d0f8eb47a70e372b375a5cdfbd6e3a0cfffcf9350756d678be27dfc86d
Opcode Fuzzy Hash: 649b7a9750521bc1b8b4c4c9897449cbb2f47a2fb6058efb02a9dc0a0c9d8388
Instruction Fuzzy Hash: BA41AFB190020AEFCF45DF98CC84AEE7BB5FF08304F158599FA18AB220D3759960DB50

Function 6D8594B2 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,6D859463,00000000,?,6D8E44D0,?,?,?,6D859606,00000004,InitializeCriticalSectionEx,6D8653E8,InitializeCriticalSectionEx), ref: 6D8594BF
GetLastError.KERNEL32(?,6D859463,00000000,?,6D8E44D0,?,?,?,6D859606,00000004,InitializeCriticalSectionEx,6D8653E8,InitializeCriticalSectionEx,00000000,?,6D858FD2), ref: 6D8594C9
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 6D8594F1

Strings

api-ms-, xrefs: 6D8594D6

Memory Dump Source

Source File: 00000000.00000002.1249955717.000000006D841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D840000, based on PE: true

Associated: 00000000.00000002.1249928556.000000006D840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250012730.000000006D864000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250040094.000000006D86B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250193109.000000006D8E5000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250226545.000000006D8EF000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d840000_Gxm6KI51wl.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: ffb06edf3e266ee8dd1c926a95a4616ca5c58fd868da63054f8ad643a4aaf8ec
Instruction ID: 9d5a23c9d1add0353a71b4fe709f6ec75984efd2fde957527ba3546c25223c2a
Opcode Fuzzy Hash: ffb06edf3e266ee8dd1c926a95a4616ca5c58fd868da63054f8ad643a4aaf8ec
Instruction Fuzzy Hash: B3E04871248247FBEF802A64DC4DF7D3FA99B45F61F114820F90CE81D1EB629864D9C5

Function 6D85FBC2 Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(BCBE4344,00000000,00000000,?), ref: 6D85FC25

Part of subcall function 6D85D5FC: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6D85F660,?,00000000,-00000008), ref: 6D85D65D

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 6D85FE77
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6D85FEBD
GetLastError.KERNEL32 ref: 6D85FF60

Memory Dump Source

Source File: 00000000.00000002.1249955717.000000006D841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D840000, based on PE: true

Associated: 00000000.00000002.1249928556.000000006D840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250012730.000000006D864000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250040094.000000006D86B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250193109.000000006D8E5000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250226545.000000006D8EF000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d840000_Gxm6KI51wl.jbxd

Yara matches

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: f1281f76a18c0711b02822b760a8f91b713b8c04b6b8ba25b7e239c3ec3a83a0
Instruction ID: f8d88f4d22c30901a144bbda26f9af7b1c0c586c92078e4a4366fa5103bf5707
Opcode Fuzzy Hash: f1281f76a18c0711b02822b760a8f91b713b8c04b6b8ba25b7e239c3ec3a83a0
Instruction Fuzzy Hash: 64D19A75D04259AFCF01CFA8D888AADBBB5FF1A314F14492AE916EB341DB30A951CF50

Function 6D859633 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 6D8596FA
___AdjustPointer.LIBCMT ref: 6D85971D
___AdjustPointer.LIBCMT ref: 6D8597B9

Memory Dump Source

Source File: 00000000.00000002.1249955717.000000006D841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D840000, based on PE: true

Associated: 00000000.00000002.1249928556.000000006D840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250012730.000000006D864000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250040094.000000006D86B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250193109.000000006D8E5000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250226545.000000006D8EF000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d840000_Gxm6KI51wl.jbxd

Yara matches

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 92c0361b6072211ab99df49e14407b454272f53522200cfb61b0c85fc8f8dc50
Instruction ID: 999edcb102fdbe9dc19f0932f210e06afe0f02b87924eb51a24814907a51969a
Opcode Fuzzy Hash: 92c0361b6072211ab99df49e14407b454272f53522200cfb61b0c85fc8f8dc50
Instruction Fuzzy Hash: F751F0F5608607AFDB85AF58C888BBA73B8FF05714F114D2AE91947290E731E860CB90

Function 6D85C248 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 6D85D5FC: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6D85F660,?,00000000,-00000008), ref: 6D85D65D

GetLastError.KERNEL32 ref: 6D85C2AC
__dosmaperr.LIBCMT ref: 6D85C2B3
GetLastError.KERNEL32(?,?,?,?), ref: 6D85C2ED
__dosmaperr.LIBCMT ref: 6D85C2F4

Memory Dump Source

Source File: 00000000.00000002.1249955717.000000006D841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D840000, based on PE: true

Associated: 00000000.00000002.1249928556.000000006D840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250012730.000000006D864000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250040094.000000006D86B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250193109.000000006D8E5000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250226545.000000006D8EF000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d840000_Gxm6KI51wl.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: a2fe546e33c23aad499325b82eca2e73f5307373b22c5a897e23afe4594ae17a
Instruction ID: b9182ba73055ebbdc697a6e381dfc2a9f2996d0ea19c67999771fa72de48c8cd
Opcode Fuzzy Hash: a2fe546e33c23aad499325b82eca2e73f5307373b22c5a897e23afe4594ae17a
Instruction Fuzzy Hash: A321D73260821AAFDB909FA9C88896AB7BDFF453687058D28F919D7101D730EC60CF90

Function 6D85D69F Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 6D85D6A7

Part of subcall function 6D85D5FC: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6D85F660,?,00000000,-00000008), ref: 6D85D65D

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6D85D6DF
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6D85D6FF

Memory Dump Source

Source File: 00000000.00000002.1249955717.000000006D841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D840000, based on PE: true

Associated: 00000000.00000002.1249928556.000000006D840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250012730.000000006D864000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250040094.000000006D86B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250193109.000000006D8E5000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250226545.000000006D8EF000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d840000_Gxm6KI51wl.jbxd

Yara matches

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 0744af90c7704bd10091f570eaeea811fabfdbdeeaa56966e1d37a7103ceaf26
Instruction ID: a2d01769e16c7ddc2cfda236e41ff75cc3940af611340fdf102f97b5baf0c216
Opcode Fuzzy Hash: 0744af90c7704bd10091f570eaeea811fabfdbdeeaa56966e1d37a7103ceaf26
Instruction Fuzzy Hash: BA11C4F691951ABFAB41177D4CCCC7F2AACEEEA6A97110824FD01D5101FF60CD2286B1

Function 6D861536 Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,6D860CF6,00000000,00000001,00000000,?,?,6D85FFB4,?,00000000,00000000), ref: 6D86154D
GetLastError.KERNEL32(?,6D860CF6,00000000,00000001,00000000,?,?,6D85FFB4,?,00000000,00000000,?,?,?,6D860557,00000000), ref: 6D861559

Part of subcall function 6D86151F: CloseHandle.KERNEL32(FFFFFFFE,6D861569,?,6D860CF6,00000000,00000001,00000000,?,?,6D85FFB4,?,00000000,00000000,?,?), ref: 6D86152F

___initconout.LIBCMT ref: 6D861569

Part of subcall function 6D8614E1: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6D861510,6D860CE3,?,?,6D85FFB4,?,00000000,00000000,?), ref: 6D8614F4

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,6D860CF6,00000000,00000001,00000000,?,?,6D85FFB4,?,00000000,00000000,?), ref: 6D86157E

Memory Dump Source

Source File: 00000000.00000002.1249955717.000000006D841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D840000, based on PE: true

Associated: 00000000.00000002.1249928556.000000006D840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250012730.000000006D864000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250040094.000000006D86B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250193109.000000006D8E5000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1250226545.000000006D8EF000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d840000_Gxm6KI51wl.jbxd

Yara matches

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: f9efdd93d4f1f0469fbfba188caf844b59d574dc51c38cb6f25b86eb05840760
Instruction ID: 1aa8b116234c0008f8da5e98fa0fcbe58f62f36ccf458f5305e982ecf27bc992
Opcode Fuzzy Hash: f9efdd93d4f1f0469fbfba188caf844b59d574dc51c38cb6f25b86eb05840760
Instruction Fuzzy Hash: E2F0F8360041A5BBCF921FD9DC0CA9D7E76EB8D7B0B014420FB1D85121D7328920DBE1

Analysis Process: MSBuild.exePID: 2684, Parent PID: 4908COMMON

Execution Graph

Execution Coverage:	11.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	203
Total number of Limit Nodes:	10

Executed Functions

Function 00F89E10 Relevance: 1.7, APIs: 1, Instructions: 200
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00F8A066

Memory Dump Source

Source File: 00000003.00000002.1242790840.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f80000_MSBuild.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 20fbf67e1e807377e6fa1df6fdc8c254b33476979afb36d027dd48b04e3aa7f4
Instruction ID: d15fb0ae4a374bea0b2b686c7c2a70556236d82f79778cc1e933181ae1f4fb6c
Opcode Fuzzy Hash: 20fbf67e1e807377e6fa1df6fdc8c254b33476979afb36d027dd48b04e3aa7f4
Instruction Fuzzy Hash: 18818970A00B058FE724EF2AD4457AABBF1FF88314F04892DD086D7A50D7B5E849CB91

Function 04DD08CC Relevance: 1.6, APIs: 1, Instructions: 119
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04DD09EA

Memory Dump Source

Source File: 00000003.00000002.1243394692.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4dd0000_MSBuild.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 75b4faeba1d3ebf037ee602d8f33059af08bbb0cf11bb7584416d0fa17797d9f
Instruction ID: 64ce77c67a348367499189a3389d034e5d1a88c5cf92478817f95e67ad9886e4
Opcode Fuzzy Hash: 75b4faeba1d3ebf037ee602d8f33059af08bbb0cf11bb7584416d0fa17797d9f
Instruction Fuzzy Hash: AA51C1B1D003099FDB15CF9AC884ADEBBB5BF88314F24812AE519AB210D775A945CF90

Function 04DD08D8 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04DD09EA

Memory Dump Source

Source File: 00000003.00000002.1243394692.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4dd0000_MSBuild.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: adf25d4e3c5e298aafd5a05ad4b185c01524d456af7415917976279995a79e2c
Instruction ID: 012be8b4a29eadf93bbcd181b956c9d3ba0af37d37a09e26d941a4444efcfcdc
Opcode Fuzzy Hash: adf25d4e3c5e298aafd5a05ad4b185c01524d456af7415917976279995a79e2c
Instruction Fuzzy Hash: C241A2B1D00309DFDB15CF9AC884ADEBBF5BF88314F24812AE919AB210D775A945CF90

Function 00F8A280 Relevance: 1.6, APIs: 1, Instructions: 99
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00F8A0E1,00000800,00000000,00000000), ref: 00F8A2F2

Memory Dump Source

Source File: 00000003.00000002.1242790840.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f80000_MSBuild.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 1ce8269c75b5ec471911345015f54a871f53cf134f7b5cd9ecef4e6ee9ad4f68
Instruction ID: ce28dd9eb02d564fee185dcdc5bf537bba4e3442efca2261fb156353345594af
Opcode Fuzzy Hash: 1ce8269c75b5ec471911345015f54a871f53cf134f7b5cd9ecef4e6ee9ad4f68
Instruction Fuzzy Hash: F94145B2C05348CFEB20EF99D444BDEBBF0EB59324F20815AD429A7251C37A5845CF62

Function 04DD2EA0 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 04DD2F61

Memory Dump Source

Source File: 00000003.00000002.1243394692.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4dd0000_MSBuild.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: e2aadf067f2c28578356d6197757a816b71896fc5314682ecbfef0b49834eed2
Instruction ID: 85e788784da469ab52c4aaac7e30467eb7e1437583437db9bac12ba309f67439
Opcode Fuzzy Hash: e2aadf067f2c28578356d6197757a816b71896fc5314682ecbfef0b49834eed2
Instruction Fuzzy Hash: 254118B89003099FDB14DF96C449AAAFBF5FB88314F24C499E519AB321D775A841CFA0

Function 00F8B980 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00F8C2A6,?,?,?,?,?), ref: 00F8C367

Memory Dump Source

Source File: 00000003.00000002.1242790840.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f80000_MSBuild.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: ce550ebd711ea726e2e74f85a6f720c3fcd8083eb6fade5b12978a504e8e0f17
Instruction ID: 12c539ccd1c419dac3f07c4ae90aa920558ab67f116fad6d84a534b03350db3c
Opcode Fuzzy Hash: ce550ebd711ea726e2e74f85a6f720c3fcd8083eb6fade5b12978a504e8e0f17
Instruction Fuzzy Hash: D02103B5D003089FDB10DFAAD884ADEBBF8EB48320F20801AE914A3350C775A951DFA4

Function 00F8C2D8 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00F8C2A6,?,?,?,?,?), ref: 00F8C367

Memory Dump Source

Source File: 00000003.00000002.1242790840.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f80000_MSBuild.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e0e0ce48f8a5845e00a4af6ffafc9615e521602e148bb8e922a86ad8d977420d
Instruction ID: 37b55ef1f6903b6b75b78175265f72012737fdb58a516937d50dabbc13b4a2f4
Opcode Fuzzy Hash: e0e0ce48f8a5845e00a4af6ffafc9615e521602e148bb8e922a86ad8d977420d
Instruction Fuzzy Hash: 832105B5D003489FDB10DFAAD884ADEBFF4EB48320F14801AE958A3350D7749941DFA0

Function 00F89850 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00F8A0E1,00000800,00000000,00000000), ref: 00F8A2F2

Memory Dump Source

Source File: 00000003.00000002.1242790840.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f80000_MSBuild.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 759817bc36595685dbc8b84506c1cca1ced1de26d93a9dc14d17b5714d40ff36
Instruction ID: a0409973ba4c7152729d9830ce330b80409d648f15a236f49fb253af8399dbcf
Opcode Fuzzy Hash: 759817bc36595685dbc8b84506c1cca1ced1de26d93a9dc14d17b5714d40ff36
Instruction Fuzzy Hash: 061114B6D003499FDB20DF9AC444BDEFBF4EB48320F10842AE919A7200C779A945CFA5

Function 00F8A000 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00F8A066

Memory Dump Source

Source File: 00000003.00000002.1242790840.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f80000_MSBuild.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: e514be6edaf4ee860da93b712dd11dd7b7f287622e397893573c2886b654521f
Instruction ID: f5b9bbc31a25c0116e47e5b6d77590f29a200cfd47e29e41b96d844f6751b4ef
Opcode Fuzzy Hash: e514be6edaf4ee860da93b712dd11dd7b7f287622e397893573c2886b654521f
Instruction Fuzzy Hash: AC11D2B5C003498FDB20DF9AC444ADEFBF4EB48324F10841AD529B7210D379A949CFA1

Function 04DD0B19 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 04DD0B7D

Memory Dump Source

Source File: 00000003.00000002.1243394692.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4dd0000_MSBuild.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: c27984881c41bbf7876ee30afca117443e97e33d1e209a9ae07867c962aaa363
Instruction ID: af3d791b9796a4c1de526fbb69b2c2279cc9bf8d8828bf14fe94c2d7a43bd0a0
Opcode Fuzzy Hash: c27984881c41bbf7876ee30afca117443e97e33d1e209a9ae07867c962aaa363
Instruction Fuzzy Hash: DF1115B58003498FDB20DF9AD485BDEFBF4EB88324F20841AD959A7340C379A945CFA1

Function 04DD0B20 Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 04DD0B7D

Memory Dump Source

Source File: 00000003.00000002.1243394692.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4dd0000_MSBuild.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 830dd724be2468928cc0d7b1b90de60f0ac3ac0dbb09db4c61c93c8f98ad1d24
Instruction ID: b0d28c23a531572ee14fbf470c6218ab6b8b4f296ea0abf5da5c315a7208c758
Opcode Fuzzy Hash: 830dd724be2468928cc0d7b1b90de60f0ac3ac0dbb09db4c61c93c8f98ad1d24
Instruction Fuzzy Hash: BA11E2B58003499FDB20DF9AD585BDEFBF8EB88324F20841AD959A7340C375A944CFA5

Function 00B4D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1242554087.0000000000B4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b4d000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cc93dff36d6b68ab0b69e78432f5e195d6a49f2420c03816e48a67f45515b3c
Instruction ID: 2d819fd01341e34ceffcca3fb80bdd44630fe10d383b7790cb53997394cdd511
Opcode Fuzzy Hash: 0cc93dff36d6b68ab0b69e78432f5e195d6a49f2420c03816e48a67f45515b3c
Instruction Fuzzy Hash: 37212575604204DFDB15DF14D9C0B16BBA5FB98324F20C6ADE8090F356C33AE956EBA2

Function 00B4D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1242554087.0000000000B4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b4d000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f399a58db75b0253982dcb91e92c941da549b01c23670cf3bfaf0bec064026e1
Instruction ID: 4ce47a957714d1121e94918e73ecff7a0e12e94569a88a11fbe32de6bf00cd04
Opcode Fuzzy Hash: f399a58db75b0253982dcb91e92c941da549b01c23670cf3bfaf0bec064026e1
Instruction Fuzzy Hash: 5E212871604240DFDB15DF14D9C0B26BFA5FBA4318F20C5A9E8090B256C736D956EBA2

Function 00B5D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1242582108.0000000000B5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b5d000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f191a632418e02b440a1183d34cfea7bce248787787a02a9d8efb73e6b15998
Instruction ID: a2c118000b663a37e2fc6543dc712dfcd59484c6f2f1b644c76921395ac2943f
Opcode Fuzzy Hash: 5f191a632418e02b440a1183d34cfea7bce248787787a02a9d8efb73e6b15998
Instruction Fuzzy Hash: 2D21D3716043009FDB25DF10D9C0B15BBA5FB84315F20C6EDDC494B292C377D84ACA61

Function 00B5D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1242582108.0000000000B5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b5d000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5384e09063aa15b1d78e07062c81fa653753df7efb91df101a332630c3bfd62
Instruction ID: f2ddfca519b6493c7b74ebf041a79f4c9187301debec53f8b86911a4995cddbd
Opcode Fuzzy Hash: f5384e09063aa15b1d78e07062c81fa653753df7efb91df101a332630c3bfd62
Instruction Fuzzy Hash: 05210371604200DFDB24DF10D9D4B16BBA1EB84315F28C6EDDC094B296C336D80BCA62

Function 00B5D005 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1242582108.0000000000B5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b5d000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9c5ca5e0868b265c9a4ce90f0990f34a43e14e43aef3160da183ee46bae6c88
Instruction ID: e78b6ba9d875bb659af9eccacc3574f6f95486aabe81b9d18ad85a648b0c5c2b
Opcode Fuzzy Hash: d9c5ca5e0868b265c9a4ce90f0990f34a43e14e43aef3160da183ee46bae6c88
Instruction Fuzzy Hash: 122187755093C08FDB16CF24D594715BF71EB45314F28C6DAD8498B697C33A980BCB62

Function 00B4D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1242554087.0000000000B4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b4d000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
Instruction ID: be6bd3c8d9dd62cf325f0c4dc3cf817488457f46f7f71b71bccc194b6387aa2b
Opcode Fuzzy Hash: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
Instruction Fuzzy Hash: D111DF76504240CFCB05CF10D5C0B16BFB2FB94324F24C2A9D8490B356C33AE956DBA1

Function 00B4D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1242554087.0000000000B4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b4d000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
Instruction ID: cfbd7adf2ea99597be9d75f809ecc1161da0a88970c1d2072c12d2eb7e6f2c63
Opcode Fuzzy Hash: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
Instruction Fuzzy Hash: E8110376504280CFCB05CF14D5C0B16BFB2FB94324F24C6E9D8490B256C336D956DBA1

Function 00B5D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1242582108.0000000000B5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b5d000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
Instruction ID: c58f015953d03c79a9429f5eb1a2199f340468aecaabeeda658b497f2e7c7aab
Opcode Fuzzy Hash: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
Instruction Fuzzy Hash: C6117975604280DFCB15DF14D5C4B15BBA2FB84325F24C6EDDC494B696C33AD84ACB61

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Gxm6KI51wl.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Gxm6KI51wl.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.log

C:\Users\user\AppData\Roaming\d3d9x.dll

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Windows Analysis Report
Gxm6KI51wl.exe

Function 6D848DA0 Relevance: 7.5, APIs: 2, Strings: 2, Instructions: 482
nativeCOMMON

Function 00F89E10 Relevance: 1.7, APIs: 1, Instructions: 200
COMMON

Function 04DD08CC Relevance: 1.6, APIs: 1, Instructions: 119
COMMON

Function 04DD08D8 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Function 00F8A280 Relevance: 1.6, APIs: 1, Instructions: 99
libraryCOMMON

Function 04DD2EA0 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Function 00F8B980 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 00F8C2D8 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON