Windows
Analysis Report
9JQ3JboYdz.exe
Overview
General Information
Sample name: | 9JQ3JboYdz.exe (renamed because original name is a hash value) |
Original sample name: | fb714d59bcb67c0910c8f4ee0c5f0e62.exe |
Analysis ID: | 1520443 |
MD5: | fb714d59bcb67c0910c8f4ee0c5f0e62 |
SHA1: | f22ffe25d693ccf771b5ae60b373f4c74551b317 |
SHA256: | 25ad9ca13dc1ee44d8c3a3d0fba9365d9e9fd65db1411a0f720dd036d11911f3 |
Tags: | exeuser-abuse_ch |
Infos: | |
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- 9JQ3JboYdz.exe (PID: 4364 cmdline: "C:\Users\user\Desktop\9JQ3JboYdz.exe" MD5: FB714D59BCB67C0910C8F4EE0C5F0E62)
  - cmd.exe (PID: 4568 cmdline: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\user\Desktop\9JQ3JboYdz.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    - conhost.exe (PID: 6264 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    - PING.EXE (PID: 2792 cmdline: ping 127.0.0.1 -n 1 MD5: B3624DD758CCECF93A1226CEF252CA12)
- svchost.exe (PID: 6208 cmdline: C:\Windows\SysWOW64\svchost.exe -k "SySe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
- svchost.exe (PID: 7084 cmdline: C:\Windows\SysWOW64\svchost.exe -k "SySe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
  - SySe.exe (PID: 1612 cmdline: C:\Windows\system32\SySe.exe "c:\program files (x86)\4293750.dll",MainThread MD5: 889B99C52A60DD49227C5E485A016679)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Running RAT | NJCCIC characterizes RunningRAT as a remote access trojan (RAT) that operates using two DLL files. When the trojan is loaded onto a system, it executes the first DLL. This is used to disable anti-malware solutions, unpack and execute the main RAT DLL, and gain persistence. The trojan installs a Windows batch file dx.bat that attempts to kill the daumcleaner.exe task, a Korean security program. The file then attempts to remove itself. Once the second DLL is loaded into memory, the first DLL overwrites the IP address for the control server to change the address the trojan communicates with. The second DLL gathers information about the victim's system, including its operating system and driver and processor information. The RAT can log user keystrokes, copy the clipboard, delete files, compress files, clear event logs, shut down the machine, and more. The second DLL also uses several anti-debugging techniques. | No Attribution | | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_RunningRAT | Yara detected RunningRAT | Joe Security | |
GoldDragon_RunningRAT | Detects Running RAT from Gold Dragon report | Florian Roth | |
MALWARE_Win_RunningRAT | Detects RunningRAT | ditekSHen | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
MALWARE_Win_RunningRAT | Detects RunningRAT | ditekSHen | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_RunningRAT | Yara detected RunningRAT | Joe Security | |
JoeSecurity_RunningRAT | Yara detected RunningRAT | Joe Security | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
MALWARE_Win_RunningRAT | Detects RunningRAT | ditekSHen | |
MALWARE_Win_RunningRAT | Detects RunningRAT | ditekSHen | |
MALWARE_Win_RunningRAT | Detects RunningRAT | ditekSHen | |
MALWARE_Win_RunningRAT | Detects RunningRAT | ditekSHen | |
JoeSecurity_RunningRAT | Yara detected RunningRAT | Joe Security | |
System Summary |
---|
Source: | Author: vburov: |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-09-27T11:11:24.709461+0200 | 2814897 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49711 | 124.221.255.145 | 8506 | TCP |
AV Detection |
---|
Source: | Avira: |
Source: | Avira: |
Source: | ReversingLabs: |
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
Source: | Binary string: | ||
Source: | Binary string: |
Networking |
---|
Source: | Suricata IDS: |
Source: | Process created: |
Source: | TCP traffic: |
Source: | ASN Name: |
Source: | UDP traffic detected without corresponding DNS query: |
Source: | Code function: | 3_2_1000152B |
Source: | DNS traffic detected: |
E-Banking Fraud |
---|
Source: | Code function: | 3_2_10002BC3 |
System Summary |
---|
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: |
Source: | Code function: | 7_2_00B640B1 | |
Source: | Code function: | 7_2_00B65CF1 | |
Source: | Code function: | 7_2_00B64136 | |
Source: | Code function: | 7_2_00B65911 | |
Source: | Code function: | 7_2_00B65D6A |
Source: | Code function: | 3_2_10001F48 |
Source: | Code function: | 3_2_10001FBD |
Source: | Code function: | 3_2_100025A2 |
Source: | File created: | Jump to behavior |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Static PE information: |
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: |
Source: | Classification label: |
Source: | Code function: | 7_2_00B63C66 |
Source: | Code function: | 3_2_10001B5B |
Source: | Code function: | 0_2_00401794 |
Source: | Code function: | 7_2_00B6205A |
Source: | Code function: | 3_2_10001A43 |
Source: | File created: | Jump to behavior |
Source: | Mutant created: | ||
Source: | Mutant created: |
Source: | Command line argument: | 7_2_00B64136 | |
Source: | Command line argument: | 7_2_00B64136 |
Source: | Static PE information: |
Source: | File read: | Jump to behavior |
Source: | Key opened: | Jump to behavior |
Source: | ReversingLabs: |
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior |
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Source: | Binary string: | ||
Source: | Binary string: |
Source: | Static PE information: |
Source: | Code function: | 0_2_00401B6B |
Source: | Static PE information: |
Source: | Code function: | 3_2_10004C86 | |
Source: | Code function: | 3_2_10004CCE | |
Source: | Code function: | 7_2_00B66896 | |
Source: | Code function: | 7_2_00B66840 |
Persistence and Installation Behavior |
---|
Source: | Executable created and started: | Jump to behavior |
Source: | File created: | Jump to dropped file | ||
Source: | File created: | Jump to dropped file |
Source: | File created: | Jump to dropped file |
Source: | File created: | Jump to dropped file |
Source: | Registry key created: | Jump to behavior |
Source: | Code function: | 3_2_10001A43 |
Hooking and other Techniques for Hiding and Protection |
---|
Source: | Process created: | |||
Source: | Process created: | Jump to behavior |
Source: | Code function: | 0_2_00402400 |
Source: | Code function: | 3_2_1000265E |
Source: | Code function: | 3_2_10003E6B |
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior |
Malware Analysis System Evasion |
---|
Source: | Evasive API call chain: | graph_0-373 |
Source: | Process created: | |||
Source: | Process created: | Jump to behavior |
Source: | Window / User API: | Jump to behavior | ||
Source: | Window / User API: | Jump to behavior | ||
Source: | Window / User API: | Jump to behavior |
Source: | Decision node followed by non-executed suspicious API: | graph_3-1603 |
Source: | Dropped PE file which has not been started: | Jump to dropped file |
Source: | Thread sleep count: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep count: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep count: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep count: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior |
Source: | Last function: | ||
Source: | Last function: | ||
Source: | Last function: | ||
Source: | Last function: | ||
Source: | Last function: |
Source: | Code function: | 3_2_1000358C |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | API call chain: | graph_7-2033 |
Source: | Process information queried: | Jump to behavior |
Source: | Code function: | 7_2_00B65E4F |
Source: | Code function: | 7_2_00B625B2 |
Source: | Code function: | 0_2_00401B6B |
Source: | Code function: | 7_2_00B63F6B |
Source: | Code function: | 3_2_10003D5D |
Source: | Code function: | 7_2_00B661C0 | |
Source: | Code function: | 7_2_00B66510 |
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior |
Source: | Code function: | 3_2_1000304F |
Source: | Code function: | 3_2_1000336E |
Source: | Binary or memory string: |
Stealing of Sensitive Information |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Remote Access Functionality |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | 1 Valid Accounts | 11 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Obfuscated Files or Information | OS Credential Dumping | 1 System Time Discovery | Remote Services | Data from Local System | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | 1 Valid Accounts | 1 Valid Accounts | 1 Timestomp | LSASS Memory | 1 File and Directory Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | 12 Service Execution | 22 Windows Service | 1 Access Token Manipulation | 1 DLL Side-Loading | Security Account Manager | 4 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 22 Windows Service | 1 File Deletion | NTDS | 31 Security Software Discovery | Distributed Component Object Model | Input Capture | 1 Application Layer Protocol | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 12 Process Injection | 131 Masquerading | LSA Secrets | 1 Virtualization/Sandbox Evasion | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Valid Accounts | Cached Domain Credentials | 12 Process Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Virtualization/Sandbox Evasion | DCSync | 11 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Access Token Manipulation | Proc Filesystem | 1 Remote System Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 12 Process Injection | /etc/passwd and /etc/shadow | 1 System Network Configuration Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 1 Indicator Removal | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
95% | ReversingLabs | Win32.Backdoor.Venik | ||
100% | Avira | TR/AD.Farfli.qqkhu |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
100% | Avira | BDS/Backdoor.Gen7 | ||
100% | Joe Sandbox ML | |||
0% | ReversingLabs |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
www.sf2110.com | 124.221.255.145 | true | true | unknown |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
124.221.255.145 | www.sf2110.com | China | 45361 | JCN-AS-KRUlsanJung-AngBroadcastingNetworkKR | true |
IP |
---|
127.0.0.1 |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1520443 |
Start date and time: | 2024-09-27 11:10:35 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 7m 7s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of new started processes analysed: | 12 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | 9JQ3JboYdz.exe (renamed because original name is a hash value) |
Original Sample Name: | fb714d59bcb67c0910c8f4ee0c5f0e62.exe |
Detection: | MAL |
Classification: | mal100.bank.troj.evad.winEXE@10/2@1/2 |
EGA Information: | |
HCA Information: | |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
- Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Not all processes were analyzed, report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- VT rate limit hit for: 9JQ3JboYdz.exe
Time | Type | Description |
---|---|---|
05:12:04 | API Interceptor | |
05:12:12 | API Interceptor |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
JCN-AS-KRUlsanJung-AngBroadcastingNetworkKR | Get hash | malicious | Unknown | Browse | |
Get hash | malicious | Unknown | Browse | |
Get hash | malicious | Unknown | Browse | |
Get hash | malicious | Unknown | Browse | |
Get hash | malicious | Unknown | Browse | |
Get hash | malicious | Unknown | Browse | |
Get hash | malicious | Unknown | Browse | |
Get hash | malicious | Unknown | Browse | |
Get hash | malicious | Unknown | Browse | |
Get hash | malicious | Unknown | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
C:\Windows\SysWOW64\SySe.exe | Get hash | malicious | RunningRAT | Browse | ||
Get hash | malicious | RunningRAT | Browse | |||
Get hash | malicious | RunningRAT | Browse | |||
Get hash | malicious | RunningRAT | Browse | |||
Get hash | malicious | RunningRAT | Browse | |||
Get hash | malicious | Gh0stCringe, RunningRAT | Browse | |||
Get hash | malicious | Gh0stCringe, GhostRat, Mimikatz, RunningRAT, XRed | Browse | |||
Get hash | malicious | Gh0stCringe, GhostRat, Mimikatz, RunningRAT | Browse | |||
Get hash | malicious | Gh0stCringe, GhostRat, Mimikatz, RunningRAT | Browse | |||
Get hash | malicious | Gh0stCringe, GhostRat, Mimikatz, RunningRAT | Browse |
Process: | C:\Users\user\Desktop\9JQ3JboYdz.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 26112 |
Entropy (8bit): | 6.0728598875843725 |
Encrypted: | false |
SSDEEP: | 384:8T9IWqIwt10zr6lXYhCRdkyurLmC2S1xJrQcWrH/RUAMO0MY0holUxHdlkq4tKDV:8ht+Izr6pqRrLuS1vzWpaGZHdqYDG |
MD5: | CB0426D467A62C8DC63180E84FE2FDD2 |
SHA1: | 15BF72ABB1C002DD3B67200BAC22310AAFAB6D9C |
SHA-256: | 73B2AC758264A2822AE0C61A414648F37FA1FEC0C2EF125C51D7B1AD975220C8 |
SHA-512: | 24199C817521D24441B86957D9860407D47DBD3B6D0FFEDF602A9D6D1039ACE784AB01E4491785861929D7BC4BF633B90FD06C77B7201E238C4368C1307AB980 |
Malicious: | true |
Yara Hits: | |
Antivirus: | |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 61440 |
Entropy (8bit): | 6.199746098562656 |
Encrypted: | false |
SSDEEP: | 1536:H9ykYCTdiHQKrFXmw2RQln5IUmDjoX6+:HlMHprF2nRQln5I |
MD5: | 889B99C52A60DD49227C5E485A016679 |
SHA1: | 8FA889E456AA646A4D0A4349977430CE5FA5E2D7 |
SHA-256: | 6CBE0E1F046B13B29BFA26F8B368281D2DDA7EB9B718651D5856F22CC3E02910 |
SHA-512: | 08933106EAF338DD119C45CBF1F83E723AFF77CC0F8D3FC84E36253B1EB31557A54211D1D5D1CB58958188E32064D451F6C66A24B3963CCCD3DE07299AB90641 |
Malicious: | false |
Antivirus: | |
Joe Sandbox View: | |
Reputation: | moderate, very likely benign file |
Preview: |
File type: | |
Entropy (8bit): | 5.246733903202193 |
TrID: | |
File name: | 9JQ3JboYdz.exe |
File size: | 49'152 bytes |
MD5: | fb714d59bcb67c0910c8f4ee0c5f0e62 |
SHA1: | f22ffe25d693ccf771b5ae60b373f4c74551b317 |
SHA256: | 25ad9ca13dc1ee44d8c3a3d0fba9365d9e9fd65db1411a0f720dd036d11911f3 |
SHA512: | 24dac934a89ab30379331251749947af7817ed4c661a5b247a12177d1c3c04593da274eeea9ebfb7c6f7329916f03eb2c6c0a2d18b99358d8d14b6de48a33393 |
SSDEEP: | 768:zynb12Aw5J6HC4kq5Jp9bjAzhyY55J+NStcEeUlyqgZl4p67GhPC:Ub1MsHz3JDwhyWr+N95OTga69 |
TLSH: | 6E236D01730470A6D75693726AFB922F84593EB20BB824CBF7D44D0E19F49D5B93A42B |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........9..tW..tW..tW..h[..tW..{...tW.DhY..tW..k]..tW..kS..tW..RS..tW..tV.[tW..R\..tW..rQ..tW.Rich.tW.........PE..L....w.T........... |
Icon Hash: | 71b018dccec77331 |
Entrypoint: | 0x4028d2 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
DLL Characteristics: | |
Time Stamp: | 0x54FD77CC [Mon Mar 9 10:37:00 2015 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | 24ffff844f7eed74e1f1064cc9840ba9 |
Instruction |
---|
push ebp |
mov ebp, esp |
push FFFFFFFFh |
push 0040A070h |
push 004028CCh |
mov eax, dword ptr fs:[00000000h] |
push eax |
mov dword ptr fs:[00000000h], esp |
sub esp, 68h |
push ebx |
push esi |
push edi |
mov dword ptr [ebp-18h], esp |
xor ebx, ebx |
mov dword ptr [ebp-04h], ebx |
push 00000002h |
call dword ptr [004031FCh] |
pop ecx |
or dword ptr [0040A298h], FFFFFFFFh |
or dword ptr [0040A29Ch], FFFFFFFFh |
call dword ptr [00403200h] |
mov ecx, dword ptr [0040A28Ch] |
mov dword ptr [eax], ecx |
call dword ptr [00403204h] |
mov ecx, dword ptr [0040A288h] |
mov dword ptr [eax], ecx |
mov eax, dword ptr [00403208h] |
mov eax, dword ptr [eax] |
mov dword ptr [0040A294h], eax |
call 00007F589CBCA83Bh |
cmp dword ptr [00409D60h], ebx |
jne 00007F589CBCA72Eh |
push 00402A54h |
call dword ptr [0040320Ch] |
pop ecx |
call 00007F589CBCA80Dh |
push 00403294h |
push 00403290h |
call 00007F589CBCA7F8h |
mov eax, dword ptr [0040A284h] |
mov dword ptr [ebp-6Ch], eax |
lea eax, dword ptr [ebp-6Ch] |
push eax |
push dword ptr [0040A280h] |
lea eax, dword ptr [ebp-64h] |
push eax |
lea eax, dword ptr [ebp-70h] |
push eax |
lea eax, dword ptr [ebp-60h] |
push eax |
call dword ptr [00403214h] |
push 0040328Ch |
push 00403280h |
call 00007F589CBCA7C5h |
Programming Language: | |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa2a0 | 0x64 | .data |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb000 | 0xa98 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x3000 | 0x280 | .data |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x1b83 | 0x2000 | af004437d972dc872368f31fffd6aaa6 | False | 0.4327392578125 | data | 5.330045711780258 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.data | 0x3000 | 0x78b6 | 0x8000 | 925d51730b9cce1ad4e9c44bb9cd6285 | False | 0.495697021484375 | data | 5.749651963507455 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0xb000 | 0xa98 | 0x1000 | c41cc8dcf2debdfbcfbd52158b76ca73 | False | 0.26123046875 | data | 2.5169812284194717 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_ICON | 0xb160 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | Chinese | China | 0.33064516129032256 |
RT_ICON | 0xb448 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | Chinese | China | 0.4391891891891892 |
RT_DIALOG | 0xb598 | 0x1c6 | data | Chinese | China | 0.5682819383259912 |
RT_GROUP_ICON | 0xb570 | 0x22 | data | Chinese | China | 1.0 |
RT_VERSION | 0xb760 | 0x338 | data | French | France | 0.45024271844660196 |
DLL | Import |
---|---|
MFC42.DLL | |
MSVCRT.dll | _controlfp, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _XcptFilter, _exit, _onexit, __dllonexit, _except_handler3, memset, __p__pgmptr, sprintf, memcpy, _access, __CxxFrameHandler, strstr, _setmbcp, _mkdir |
KERNEL32.dll | CloseHandle, CreateFileA, FreeLibrary, GetTickCount, GetFileAttributesA, ExpandEnvironmentStringsA, GetLastError, GetProcAddress, LoadLibraryA, lstrcpyA, GetCommandLineA, Sleep, lstrcmpiA, SetThreadPriority, GetCurrentThread, SetPriorityClass, GetCurrentProcess, GetModuleHandleA, GetStartupInfoA, WriteFile |
USER32.dll | SendMessageA, IsIconic, GetClientRect, EnableWindow, LoadIconA, GetSystemMetrics, wsprintfA, DrawIcon |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
Chinese | China | |
French | France |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-09-27T11:11:24.709461+0200 | 2814897 | ETPRO MALWARE W32.YoungLotus Checkin | 1 | 192.168.2.6 | 49711 | 124.221.255.145 | 8506 | TCP |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Sep 27, 2024 11:11:33.295403957 CEST | 49711 | 8506 | 192.168.2.6 | 124.221.255.145 |
Sep 27, 2024 11:11:33.300436974 CEST | 8506 | 49711 | 124.221.255.145 | 192.168.2.6 |
Sep 27, 2024 11:11:33.300549984 CEST | 49711 | 8506 | 192.168.2.6 | 124.221.255.145 |
Sep 27, 2024 11:11:34.042504072 CEST | 49711 | 8506 | 192.168.2.6 | 124.221.255.145 |
Sep 27, 2024 11:11:34.047379971 CEST | 8506 | 49711 | 124.221.255.145 | 192.168.2.6 |
Sep 27, 2024 11:11:48.026493073 CEST | 8506 | 49711 | 124.221.255.145 | 192.168.2.6 |
Sep 27, 2024 11:11:48.068775892 CEST | 49711 | 8506 | 192.168.2.6 | 124.221.255.145 |
Sep 27, 2024 11:12:48.895733118 CEST | 8506 | 49711 | 124.221.255.145 | 192.168.2.6 |
Sep 27, 2024 11:12:48.959527016 CEST | 49711 | 8506 | 192.168.2.6 | 124.221.255.145 |
Sep 27, 2024 11:13:49.696609974 CEST | 8506 | 49711 | 124.221.255.145 | 192.168.2.6 |
Sep 27, 2024 11:13:49.772106886 CEST | 49711 | 8506 | 192.168.2.6 | 124.221.255.145 |
Sep 27, 2024 11:14:50.545175076 CEST | 8506 | 49711 | 124.221.255.145 | 192.168.2.6 |
Sep 27, 2024 11:14:50.663079977 CEST | 49711 | 8506 | 192.168.2.6 | 124.221.255.145 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Sep 27, 2024 11:11:32.741568089 CEST | 62537 | 53 | 192.168.2.6 | 1.1.1.1 |
Sep 27, 2024 11:11:33.288966894 CEST | 53 | 62537 | 1.1.1.1 | 192.168.2.6 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Sep 27, 2024 11:11:32.741568089 CEST | 192.168.2.6 | 1.1.1.1 | 0xa90b | Standard query (0) | www.sf2110.com | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Sep 27, 2024 11:11:33.288966894 CEST | 1.1.1.1 | 192.168.2.6 | 0xa90b | No error (0) | www.sf2110.com | | 124.221.255.145 | A (IP address) | IN (0x0001) | false |
Target ID: | 0 |
Start time: | 05:11:27 |
Start date: | 27/09/2024 |
Path: | C:\Users\user\Desktop\9JQ3JboYdz.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 49'152 bytes |
MD5 hash: | FB714D59BCB67C0910C8F4EE0C5F0E62 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | low |
Has exited: | true |
Target ID: | 1 |
Start time: | 05:11:27 |
Start date: | 27/09/2024 |
Path: | C:\Windows\SysWOW64\svchost.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x860000 |
File size: | 46'504 bytes |
MD5 hash: | 1ED18311E3DA35942DB37D15FA40CC5B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 3 |
Start time: | 05:11:28 |
Start date: | 27/09/2024 |
Path: | C:\Windows\SysWOW64\svchost.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x860000 |
File size: | 46'504 bytes |
MD5 hash: | 1ED18311E3DA35942DB37D15FA40CC5B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | false |
Target ID: | 4 |
Start time: | 05:11:30 |
Start date: | 27/09/2024 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x1c0000 |
File size: | 236'544 bytes |
MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 5 |
Start time: | 05:11:30 |
Start date: | 27/09/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff66e660000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 6 |
Start time: | 05:11:30 |
Start date: | 27/09/2024 |
Path: | C:\Windows\SysWOW64\PING.EXE |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xa30000 |
File size: | 18'944 bytes |
MD5 hash: | B3624DD758CCECF93A1226CEF252CA12 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 7 |
Start time: | 05:11:32 |
Start date: | 27/09/2024 |
Path: | C:\Windows\SysWOW64\SySe.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xb60000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Antivirus matches: | |
Reputation: | high |
Has exited: | false |
Execution Graph
Execution Coverage: | 28.6% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 7.3% |
Total number of Nodes: | 179 |
Total number of Limit Nodes: | 4 |
Graph
Callgraph
Function | Relevance | APIs | Strings | Instructions | Tags | Control-flow Graph |
---|---|---|---|---|---|---|
00401794 | 24.6 | 10 | 4 | 67 | library, loader, process, COMMON | shown |
00401B6B | 24.5 | 9 | 5 | 48 | library, thread, loader, COMMON | shown |
00401134 | 115.8 | 42 | 24 | 337 | sleep, library, loader, COMMON | shown |
004028D2 | 16.6 | 11 | | 111 | COMMON | shown |
00401000 | 4.5 | 3 | | 35 | file, COMMON | shown |
00402A60 | 1.5 | 1 | | 6 | COMMON | shown |
00402400 | 1.5 | 1 | | 11 | window, COMMON | |
0040187B | 24.6 | 8 | 6 | 63 | library, loader, COMMON | shown |
00401C18 | 21.1 | 8 | 4 | 95 | library, loader, string, COMMON | shown |
004016EB | 7.6 | 5 | | 51 | COMMON | shown |
00401FC6 | 6.1 | 4 | | 73 | COMMON | shown |
Execution Graph
Execution Coverage: | 9.9% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 15.8% |
Total number of Nodes: | 641 |
Total number of Limit Nodes: | 4 |
Graph
Function | Relevance | APIs | Strings | Instructions | Tags | Control-flow Graph |
---|---|---|---|---|---|---|
10003E6B | 248.8 | 71 | 71 | 296 | library, loader, COMMON | shown |
1000336E | 52.6 | 25 | 5 | 150 | string, sleep, registry, COMMON | shown |
10001FBD | 28.1 | 12 | 4 | 98 | library, process, loader, COMMON | shown |
1000318A | 1.5 | 1 | | 20 | COMMON | shown |
1000304F | 24.6 | 7 | 7 | 85 | string, time, COMMON | shown |
10001B5B | 22.9 | 11 | 2 | 176 | service, COMMON | shown |
10001A43 | 17.6 | 9 | 1 | 53 | service, sleep, COMMON | |
10002BC3 | 15.8 | 6 | 3 | 77 | string, process, COMMON | |
10001F48 | 12.3 | 6 | 1 | 47 | service, string, COMMON | |
10003D5D | 7.6 | 5 | | 51 | memory, COMMON | |
1000152B | 4.6 | 3 | | 72 | network, COMMON | |
100025A2 | 3.5 | 1 | 1 | 17 | shutdown, COMMON | |
10004822 | 35.2 | 13 | 7 | 183 | library, loader, string, COMMON | shown |
100027BC | 35.2 | 16 | 4 | 180 | string, process, COMMON | shown |
10004529 | 35.1 | 12 | 8 | 115 | library, loader, file, COMMON | shown |
10004666 | 35.1 | 11 | 9 | 84 | library, loader, COMMON | shown |
10002D9E | 31.6 | 14 | 4 | 136 | synchronization, sleep, string, COMMON | shown |
10004A93 | 28.1 | 9 | 7 | 144 | library, loader, COMMON | shown |
100031D2 | 26.4 | 8 | 7 | 120 | library, loader, COMMON | shown |
10004369 | 24.6 | 7 | 7 | 75 | library, loader, COMMON | shown |
100036BA | 22.9 | 9 | 4 | 108 | string, COMMON | |
10001E37 | 19.3 | 7 | 4 | 90 | string, COMMON | |
10002F7B | 19.3 | 7 | 4 | 69 | sleep, process, COMMON | |
1000473F | 19.3 | 7 | 4 | 60 | library, loader, string, COMMON | |
100029B6 | 17.6 | 7 | 3 | 98 | file, string, COMMON | |
10003B9E | 14.1 | 6 | 2 | 106 | library, loader, COMMON | |
10002C96 | 14.1 | 6 | 2 | 72 | string, process, COMMON | |
10004467 | 14.1 | 4 | 4 | 61 | library, loader, COMMON | |
100020C8 | 12.3 | 6 | 1 | 36 | file, COMMON | |
1000366A | 12.3 | 4 | 3 | 35 | library, loader, COMMON | |
100021FF | 12.2 | 5 | 3 | 161 | memory, sleep, COMMON | |
100012D4 | 10.6 | 5 | 1 | 54 | network, COMMON | |
100013B6 | 10.5 | 5 | 1 | 38 | synchronization, network, COMMON, LIBRARYCODE | |
1000273D | 10.5 | 4 | 2 | 33 | process, COMMON | |
1000260E | 10.5 | 5 | 1 | 26 | sleep, memory, COMMON | |
10001863 | 9.1 | 6 | | 100 | COMMON | |
100026DF | 9.0 | 2 | 4 | 30 | string, COMMON | |
1000389D | 8.9 | 7 | | 117 | memory, COMMON | |
1000389C | 8.9 | 7 | | 115 | memory, COMMON | |
100011FB | 7.6 | 5 | | 66 | memory, COMMON | |
10001155 | 7.6 | 5 | | 65 | memory, COMMON | |
1000219E | 7.0 | 3 | 1 | 33 | thread, COMMON, LIBRARYCODE | |
10003629 | 6.0 | 2 | 2 | 21 | string, COMMON | |
1000315D | 5.3 | 2 | 1 | 21 | synchronization, COMMON | |
100035EA | 5.3 | 2 | 1 | 21 | string, network, COMMON | |
100039BA | 5.1 | 4 | | 68 | memory, COMMON | |
Execution Graph
Execution Coverage: | 12.4% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 19.6% |
Total number of Nodes: | 678 |
Total number of Limit Nodes: | 13 |
Graph
Function | Relevance | APIs | Strings | Instructions | Tags | Control-flow Graph |
---|---|---|---|---|---|---|
00B65911 | 49.3 | 22 | 6 | 258 | native, COMMON | shown |
00B64136 | 35.2 | 16 | 4 | 193 | memory, library, native, COMMON | shown |
00B65D6A | 10.6 | 7 | | 87 | native, COMMON | shown |
00B65CF1 | 4.6 | 3 | | 53 | native, COMMON | shown |
00B640B1 | 1.5 | 1 | | 27 | native, COMMON | shown |
00B65E4F | 1.5 | 1 | | 12 | library, COMMON | shown |
00B65F25 | 10.6 | 7 | | 138 | sleep, COMMON | shown |
00B65C6C | 8.8 | 4 | 1 | 48 | registry, window, COMMON | shown |
00B63E5B | 6.1 | 4 | | 108 | memory, COMMON | shown |
00B65EF0 | 1.5 | 1 | | 11 | COMMON | shown |
00B625B2 | 4.7 | 3 | | 187 | thread, COMMON | |
00B63F6B | 3.0 | 2 | | 39 | COMMON | |
00B6205A | 1.5 | 1 | | 33 | com, COMMON | |
00B66510 | 1.5 | 1 | | 4 | COMMON | |
00B62100 | 26.4 | 2 | 13 | 165 | window, thread, COMMON | |
00B63B09 | 26.4 | 14 | 1 | 107 | process, synchronization, COMMON | |
00B638F0 | 14.1 | 7 | 1 | 116 | file, COMMON | |
00B633F9 | 12.1 | 8 | | 129 | COMMON | |
00B62B5A | 12.1 | 8 | | 100 | synchronization, COMMON | |
00B63D62 | 12.1 | 8 | | 98 | library, loader, memory, COMMON | |
00B63A51 | 9.1 | 6 | | 68 | file, COMMON | |
00B624E0 | 7.0 | 2 | 2 | 21 | library, loader, COMMON | |
00B63FE7 | 6.1 | 4 | | 55 | com, COMMON | |
00B65E80 | 6.0 | 4 | | 25 | COMMON | |
00B64751 | 5.4 | 2 | 1 | 118 | synchronization, COMMON | |
00B66B60 | 5.1 | 4 | | 74 | memory, COMMON | |
00B648B7 | 5.1 | 4 | | 73 | memory, COMMON | |
00B62E62 | 5.0 | 4 | | 36 | memory, COMMON | |