Windows
Analysis Report
file.exe
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- file.exe (PID: 6600 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 54E50CC52A1D35CDD951D475E0FB7AA9)
- BitLockerToGo.exe (PID: 2716 cmdline: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. | No Attribution | | |
{"C2 url": ["vozmeatillu.shop", "ghostreedmnu.shop", "offensivedzvju.shop", "fragnantbui.shop", "gutterydhowi.shop", "drawzhotdog.shop", "reinforcenh.shop", "pianoswimen.shop", "stogeneratmns.shop"], "Build id": "tLYMe5--2"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security | |
JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security | |
Msfpayloads_msf_9 | Metasploit Payloads - file msf.war - contents | Florian Roth | |
JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security | |
JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security | |
JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security | |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-09-28T20:30:12.194811+0200 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49730 | 172.67.132.32 | 443 | TCP |
2024-09-28T20:30:13.401073+0200 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 172.67.132.32 | 443 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-09-28T20:30:12.194811+0200 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.4 | 49730 | 172.67.132.32 | 443 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-09-28T20:30:13.401073+0200 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 172.67.132.32 | 443 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-09-28T20:30:12.005161+0200 | 2056165 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49730 | 172.67.132.32 | 443 | TCP |
2024-09-28T20:30:12.891286+0200 | 2056165 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49731 | 172.67.132.32 | 443 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-09-28T20:30:11.421106+0200 | 2056164 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 58380 | 1.1.1.1 | 53 | UDP |
AV Detection |
---|
Source: | Malware Configuration Extractor: |
Source: | ReversingLabs: |
Source: | Integrated Neural Analysis Model: |
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: |
Source: | Static PE information: |
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: |
Source: | Static PE information: |
Source: | Binary string: | ||
Source: | Binary string: |
Source: | Code function: | 1_2_0040D060 | |
Source: | Code function: | 1_2_0040D060 | |
Source: | Code function: | 1_2_0040F4B0 | |
Source: | Code function: | 1_2_0040F4B0 | |
Source: | Code function: | 1_2_0040EC00 | |
Source: | Code function: | 1_2_00407000 | |
Source: | Code function: | 1_2_004490D0 | |
Source: | Code function: | 1_2_00432080 | |
Source: | Code function: | 1_2_0040915E | |
Source: | Code function: | 1_2_0042C170 | |
Source: | Code function: | 1_2_0042C170 | |
Source: | Code function: | 1_2_00431110 | |
Source: | Code function: | 1_2_00429251 | |
Source: | Code function: | 1_2_004452C0 | |
Source: | Code function: | 1_2_004452C0 | |
Source: | Code function: | 1_2_004452C0 | |
Source: | Code function: | 1_2_004452C0 | |
Source: | Code function: | 1_2_00433FB3 | |
Source: | Code function: | 1_2_00433FB3 | |
Source: | Code function: | 1_2_004012BF | |
Source: | Code function: | 1_2_0042E3C2 | |
Source: | Code function: | 1_2_0044B3C0 | |
Source: | Code function: | 1_2_0044B3C0 | |
Source: | Code function: | 1_2_004443D4 | |
Source: | Code function: | 1_2_0041445A | |
Source: | Code function: | 1_2_0044440C | |
Source: | Code function: | 1_2_00442420 | |
Source: | Code function: | 1_2_0044B550 | |
Source: | Code function: | 1_2_0044B550 | |
Source: | Code function: | 1_2_004335DA | |
Source: | Code function: | 1_2_0042F64F | |
Source: | Code function: | 1_2_0044B6D0 | |
Source: | Code function: | 1_2_0044B6D0 | |
Source: | Code function: | 1_2_00430740 | |
Source: | Code function: | 1_2_00444740 | |
Source: | Code function: | 1_2_00428710 | |
Source: | Code function: | 1_2_0041A780 | |
Source: | Code function: | 1_2_00420780 | |
Source: | Code function: | 1_2_00420832 | |
Source: | Code function: | 1_2_00449950 | |
Source: | Code function: | 1_2_0044A996 | |
Source: | Code function: | 1_2_00427ADF | |
Source: | Code function: | 1_2_00432AB3 | |
Source: | Code function: | 1_2_00432AB3 | |
Source: | Code function: | 1_2_00413B52 | |
Source: | Code function: | 1_2_0040FB7C | |
Source: | Code function: | 1_2_00404B00 | |
Source: | Code function: | 1_2_0043BBD0 | |
Source: | Code function: | 1_2_00444B80 | |
Source: | Code function: | 1_2_00405B90 | |
Source: | Code function: | 1_2_00410BAE | |
Source: | Code function: | 1_2_00430C40 | |
Source: | Code function: | 1_2_0043FC70 | |
Source: | Code function: | 1_2_00445CE0 | |
Source: | Code function: | 1_2_00426C80 | |
Source: | Code function: | 1_2_00426C80 | |
Source: | Code function: | 1_2_00413D32 | |
Source: | Code function: | 1_2_0044BDC0 | |
Source: | Code function: | 1_2_00428DF0 | |
Source: | Code function: | 1_2_0041DE74 | |
Source: | Code function: | 1_2_0041DE06 | |
Source: | Code function: | 1_2_0041DE06 | |
Source: | Code function: | 1_2_00448ED0 | |
Source: | Code function: | 1_2_00426EF0 | |
Source: | Code function: | 1_2_00445F60 | |
Source: | Code function: | 1_2_00433FB3 | |
Source: | Code function: | 1_2_00433FB3 |
Networking |
---|
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: |
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: |
Source: | IP Address: |
Source: | ASN Name: |
Source: | JA3 fingerprint: |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: |
Source: | DNS traffic detected: | ||
Source: | DNS traffic detected: |
Source: | HTTP traffic detected: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: |
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: |
Source: | Code function: | 1_2_00438F30 |
Source: | Code function: | 1_2_00438F30 |
Source: | Code function: | 1_2_0043A2E5 |
System Summary |
---|
Source: | Matched rule: |
Source: | Code function: | 1_2_004403D0 | |
Source: | Code function: | 1_2_00447A52 | |
Source: | Code function: | 1_2_00401000 | |
Source: | Code function: | 1_2_00437020 | |
Source: | Code function: | 1_2_0040915E | |
Source: | Code function: | 1_2_0044A130 | |
Source: | Code function: | 1_2_0044A19B | |
Source: | Code function: | 1_2_00429251 | |
Source: | Code function: | 1_2_004052C0 | |
Source: | Code function: | 1_2_004452C0 | |
Source: | Code function: | 1_2_00449FC0 | |
Source: | Code function: | 1_2_0040B2E0 | |
Source: | Code function: | 1_2_0042D2E2 | |
Source: | Code function: | 1_2_0040A2F0 | |
Source: | Code function: | 1_2_0040E290 | |
Source: | Code function: | 1_2_004012BF | |
Source: | Code function: | 1_2_00407340 | |
Source: | Code function: | 1_2_0040136B | |
Source: | Code function: | 1_2_0044A320 | |
Source: | Code function: | 1_2_0041445A | |
Source: | Code function: | 1_2_0043F4C0 | |
Source: | Code function: | 1_2_00449480 | |
Source: | Code function: | 1_2_0042D578 | |
Source: | Code function: | 1_2_004155DC | |
Source: | Code function: | 1_2_004405A4 | |
Source: | Code function: | 1_2_004405A4 | |
Source: | Code function: | 1_2_0040166E | |
Source: | Code function: | 1_2_00423672 | |
Source: | Code function: | 1_2_004036F0 | |
Source: | Code function: | 1_2_0042B810 | |
Source: | Code function: | 1_2_00449950 | |
Source: | Code function: | 1_2_0044A9A2 | |
Source: | Code function: | 1_2_00438A50 | |
Source: | Code function: | 1_2_00427ADF | |
Source: | Code function: | 1_2_0044BAF0 | |
Source: | Code function: | 1_2_00413B52 | |
Source: | Code function: | 1_2_0042DB06 | |
Source: | Code function: | 1_2_00433B19 | |
Source: | Code function: | 1_2_00410BAE | |
Source: | Code function: | 1_2_00407D40 | |
Source: | Code function: | 1_2_00409D09 | |
Source: | Code function: | 1_2_0040BDF0 | |
Source: | Code function: | 1_2_00436DB0 | |
Source: | Code function: | 1_2_0040AE50 | |
Source: | Code function: | 1_2_0041DE06 | |
Source: | Code function: | 1_2_00449FC0 | |
Source: | Code function: | 1_2_00410FD0 |
Source: | Binary or memory string: |
Source: | Static PE information: |
Source: | Matched rule: |
Source: | Classification label: |
Source: | Code function: | 1_2_00437420 |
Source: | Static PE information: |
Source: | Key opened: | Jump to behavior |
Source: | ReversingLabs: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | File read: | Jump to behavior |
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | Jump to behavior |
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior |
Source: | Static PE information: |
Source: | Static file information: |
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Binary string: | ||
Source: | Binary string: |
Source: | Static PE information: |
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior |
Source: | Thread sleep time: | Jump to behavior |
Source: | WMI Queries: |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | API call chain: | graph_1-20360 |
Source: | Process queried: | Jump to behavior |
Source: | Code function: | 1_2_004478C0 |
HIPS / PFW / Operating System Protection Evasion |
---|
Source: | Memory allocated: | Jump to behavior |
Source: | Memory written: | Jump to behavior |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | Memory written: | Jump to behavior | ||
Source: | Memory written: | Jump to behavior | ||
Source: | Memory written: | Jump to behavior | ||
Source: | Memory written: | Jump to behavior | ||
Source: | Memory written: | Jump to behavior | ||
Source: | Memory written: | Jump to behavior |
Source: | Process created: | Jump to behavior |
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Stealing of Sensitive Information |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Remote Access Functionality |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 DLL Side-Loading | 311 Process Injection | 2 Virtualization/Sandbox Evasion | OS Credential Dumping | 11 Security Software Discovery | Remote Services | 1 Screen Capture | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 311 Process Injection | LSASS Memory | 2 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 1 Archive Collected Data | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | 1 PowerShell | Logon Script (Windows) | Logon Script (Windows) | 11 Deobfuscate/Decode Files or Information | Security Account Manager | 22 System Information Discovery | SMB/Windows Admin Shares | 2 Clipboard Data | 113 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 2 Obfuscated Files or Information | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
26% | ReversingLabs | Win32.Trojan.Generic |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
gutterydhowi.shop | 172.67.132.32 | true | true | unknown | |
pianoswimen.shop | unknown | unknown | true | unknown |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
true | unknown | ||
true | unknown | ||
true | unknown | ||
true | unknown | ||
true | unknown | ||
true | unknown | ||
true | unknown | ||
true | unknown | ||
true | unknown | ||
true | unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | unknown | |||
false | unknown | |||
false | unknown | |||
false | unknown | |||
false | unknown | |||
false | unknown | |||
false | unknown | |||
false | unknown | |||
false | unknown | |||
false | unknown |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
172.67.132.32 | gutterydhowi.shop | United States | 13335 | CLOUDFLARENETUS | true |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1521515 |
Start date and time: | 2024-09-28 20:29:06 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 3m 46s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 5 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | file.exe |
Detection: | MAL |
Classification: | mal100.troj.evad.winEXE@3/0@2/1 |
EGA Information: | |
HCA Information: | |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target file.exe, PID 6600 because there are no executed function
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- VT rate limit hit for: file.exe
Time | Type | Description |
---|---|---|
14:30:10 | API Interceptor |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
172.67.132.32 | Get hash | malicious | FormBook | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
gutterydhowi.shop | Get hash | malicious | LummaC | Browse |
Get hash | malicious | LummaC | Browse |
Get hash | malicious | LummaC | Browse |
Get hash | malicious | LummaC | Browse |
Get hash | malicious | LummaC | Browse |
Get hash | malicious | LummaC | Browse |
Get hash | malicious | LummaC | Browse |
Get hash | malicious | LummaC | Browse |
Get hash | malicious | LummaC, Amadey, CryptOne, LummaC Stealer, PureLog Stealer, RedLine, Socks5Systemz | Browse |
Get hash | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
CLOUDFLARENETUS | Get hash | malicious | PayPal Phisher | Browse |
Get hash | malicious | LummaC, Stealc, Vidar | Browse |
Get hash | malicious | Vidar | Browse |
Get hash | malicious | LummaC, Clipboard Hijacker, Cryptbot, LummaC Stealer, Neoreklami, Socks5Systemz | Browse |
Get hash | malicious | LummaC | Browse |
Get hash | malicious | LummaC | Browse |
Get hash | malicious | HTMLPhisher | Browse |
Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
Get hash | malicious | LummaC | Browse |
Get hash | malicious | LummaC | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
a0e9f5d64349fb13191bc781f81f42e1 | Get hash | malicious | LummaC, Stealc, Vidar | Browse |
Get hash | malicious | LummaC, Clipboard Hijacker, Cryptbot, LummaC Stealer, Neoreklami, Socks5Systemz | Browse |
Get hash | malicious | LummaC | Browse |
Get hash | malicious | LummaC | Browse |
Get hash | malicious | LummaC | Browse |
Get hash | malicious | LummaC | Browse |
Get hash | malicious | Unknown | Browse |
Get hash | malicious | LummaC | Browse |
Get hash | malicious | LummaC | Browse |
Get hash | malicious | LummaC, Go Injector, LummaC Stealer | Browse |
File type: | |
Entropy (8bit): | 5.81406347451965 |
TrID: | |
File name: | file.exe |
File size: | 12'859'392 bytes |
MD5: | 54e50cc52a1d35cdd951d475e0fb7aa9 |
SHA1: | b5f83428a5b8c07dbd239beed5605282f73e5dbd |
SHA256: | d3bdd83b9fe90afaead22c1e6bfc2051e6cfa6e885986cc4c87708415d0484f8 |
SHA512: | b3744afebaed35b0c5da88a7ab79c5ffa7accec3d3e2f5265e188766be622731f520f34d0f0879639f409adbbe84d6310f604d168d6b5af2f0b14c35ab58ee9e |
SSDEEP: | 98304:uTquv2ul6fIjXwFbO6XsYOechIZnebzL2Ud+R:0STb/OegmX |
TLSH: | 66D62840FA8B48F6DE43847690AB726F13349D018B39CB9BEB147F69E8772911C37649 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........................\S..L.......8.......`....@.......................................@................................ |
Icon Hash: | 2d2e3797b32b2b99 |
Entrypoint: | 0x4738d0 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x0 [Thu Jan 1 00:00:00 1970 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 1 |
File Version Major: | 6 |
File Version Minor: | 1 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 1 |
Import Hash: | 1aae8bf580c846f39c71c05898e57e88 |
Instruction |
---|
jmp 00007FBCC8C716D0h |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
sub esp, 28h |
mov dword ptr [esp+1Ch], ebx |
mov dword ptr [esp+10h], ebp |
mov dword ptr [esp+14h], esi |
mov dword ptr [esp+18h], edi |
mov dword ptr [esp], eax |
mov dword ptr [esp+04h], ecx |
call 00007FBCC8C4CDF6h |
mov eax, dword ptr [esp+08h] |
mov edi, dword ptr [esp+18h] |
mov esi, dword ptr [esp+14h] |
mov ebp, dword ptr [esp+10h] |
mov ebx, dword ptr [esp+1Ch] |
add esp, 28h |
retn 0004h |
ret |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
sub esp, 08h |
mov ecx, dword ptr [esp+0Ch] |
mov edx, dword ptr [ecx] |
mov eax, esp |
mov dword ptr [edx+04h], eax |
sub eax, 00010000h |
mov dword ptr [edx], eax |
add eax, 00000BA0h |
mov dword ptr [edx+08h], eax |
mov dword ptr [edx+0Ch], eax |
lea edi, dword ptr [ecx+34h] |
mov dword ptr [edx+18h], ecx |
mov dword ptr [edi], edx |
mov dword ptr [esp+04h], edi |
call 00007FBCC8C73B34h |
cld |
call 00007FBCC8C72BBEh |
call 00007FBCC8C717F9h |
add esp, 08h |
ret |
jmp 00007FBCC8C739E0h |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
mov ebx, dword ptr [esp+04h] |
mov ebp, esp |
mov dword ptr fs:[00000034h], 00000000h |
mov ecx, dword ptr [ebx+04h] |
cmp ecx, 00000000h |
je 00007FBCC8C739E1h |
mov eax, ecx |
shl eax, 02h |
sub esp, eax |
mov edi, esp |
mov esi, dword ptr [ebx+08h] |
cld |
rep movsd |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc23000 | 0x44c | .idata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc6f000 | 0x1f54 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc24000 | 0x49778 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0xb97520 | 0xb4 | .data |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x535b88 | 0x535c00 | 820d7e43a48e1902e82cf6256d3cab04 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x537000 | 0x65ea44 | 0x65ec00 | 78fd4b9fd1ac3fc10f80fb57ad96a886 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0xb96000 | 0x8ca00 | 0x62c00 | 02a12f2e9333e830f7cab85db93ae977 | False | 0.3113726265822785 | data | 5.639409639051764 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.idata | 0xc23000 | 0x44c | 0x600 | 6144f23690c86a380ed0e0d9b64a332c | False | 0.3567708333333333 | OpenPGP Public Key | 3.859585944521697 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.reloc | 0xc24000 | 0x49778 | 0x49800 | 3998a519133b90d03927a767bdf3aa69 | False | 0.5691133875425171 | data | 6.672005572396596 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
.symtab | 0xc6e000 | 0x4 | 0x200 | 07b5472d347d42780469fb2654b7fc54 | False | 0.02734375 | data | 0.020393135236084953 | IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
.rsrc | 0xc6f000 | 0x1f54 | 0x2000 | 7f6e034c89ac12cac140ecbca0eb41b9 | False | 0.3316650390625 | data | 4.680708178865982 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_ICON | 0xc6f1d4 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | United States | 0.5675675675675675 |
RT_ICON | 0xc6f2fc | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | English | United States | 0.4486994219653179 |
RT_ICON | 0xc6f864 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | English | United States | 0.4637096774193548 |
RT_ICON | 0xc6fb4c | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | English | United States | 0.3935018050541516 |
RT_GROUP_ICON | 0xc703f4 | 0x3e | data | English | United States | 0.8387096774193549 |
RT_VERSION | 0xc70434 | 0x4f4 | data | English | United States | 0.27208201892744477 |
RT_MANIFEST | 0xc70928 | 0x62c | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.4240506329113924 |
DLL | Import |
---|---|
kernel32.dll | WriteFile, WriteConsoleW, WerSetFlags, WerGetFlags, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, TlsAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetUnhandledExceptionFilter, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, ResumeThread, RaiseFailFastException, PostQueuedCompletionStatus, LoadLibraryW, LoadLibraryExW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetErrorMode, GetEnvironmentStringsW, GetCurrentThreadId, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateThread, CreateIoCompletionPort, CreateEventA, CloseHandle, AddVectoredExceptionHandler |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-09-28T20:30:11.421106+0200 | 2056164 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gutterydhowi .shop) | 1 | 192.168.2.4 | 58380 | 1.1.1.1 | 53 | UDP |
2024-09-28T20:30:12.005161+0200 | 2056165 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (gutterydhowi .shop in TLS SNI) | 1 | 192.168.2.4 | 49730 | 172.67.132.32 | 443 | TCP |
2024-09-28T20:30:12.194811+0200 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49730 | 172.67.132.32 | 443 | TCP |
2024-09-28T20:30:12.194811+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49730 | 172.67.132.32 | 443 | TCP |
2024-09-28T20:30:12.891286+0200 | 2056165 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (gutterydhowi .shop in TLS SNI) | 1 | 192.168.2.4 | 49731 | 172.67.132.32 | 443 | TCP |
2024-09-28T20:30:13.401073+0200 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.4 | 49731 | 172.67.132.32 | 443 | TCP |
2024-09-28T20:30:13.401073+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49731 | 172.67.132.32 | 443 | TCP |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Sep 28, 2024 20:30:11.453541040 CEST | 49730 | 443 | 192.168.2.4 | 172.67.132.32 |
Sep 28, 2024 20:30:11.453584909 CEST | 443 | 49730 | 172.67.132.32 | 192.168.2.4 |
Sep 28, 2024 20:30:11.453672886 CEST | 49730 | 443 | 192.168.2.4 | 172.67.132.32 |
Sep 28, 2024 20:30:11.456805944 CEST | 49730 | 443 | 192.168.2.4 | 172.67.132.32 |
Sep 28, 2024 20:30:11.456825972 CEST | 443 | 49730 | 172.67.132.32 | 192.168.2.4 |
Sep 28, 2024 20:30:12.004889011 CEST | 443 | 49730 | 172.67.132.32 | 192.168.2.4 |
Sep 28, 2024 20:30:12.005161047 CEST | 49730 | 443 | 192.168.2.4 | 172.67.132.32 |
Sep 28, 2024 20:30:12.009429932 CEST | 49730 | 443 | 192.168.2.4 | 172.67.132.32 |
Sep 28, 2024 20:30:12.009445906 CEST | 443 | 49730 | 172.67.132.32 | 192.168.2.4 |
Sep 28, 2024 20:30:12.009934902 CEST | 443 | 49730 | 172.67.132.32 | 192.168.2.4 |
Sep 28, 2024 20:30:12.059969902 CEST | 49730 | 443 | 192.168.2.4 | 172.67.132.32 |
Sep 28, 2024 20:30:12.067627907 CEST | 49730 | 443 | 192.168.2.4 | 172.67.132.32 |
Sep 28, 2024 20:30:12.067687988 CEST | 49730 | 443 | 192.168.2.4 | 172.67.132.32 |
Sep 28, 2024 20:30:12.067800999 CEST | 443 | 49730 | 172.67.132.32 | 192.168.2.4 |
Sep 28, 2024 20:30:12.194825888 CEST | 443 | 49730 | 172.67.132.32 | 192.168.2.4 |
Sep 28, 2024 20:30:12.194864988 CEST | 443 | 49730 | 172.67.132.32 | 192.168.2.4 |
Sep 28, 2024 20:30:12.194919109 CEST | 49730 | 443 | 192.168.2.4 | 172.67.132.32 |
Sep 28, 2024 20:30:12.194936037 CEST | 443 | 49730 | 172.67.132.32 | 192.168.2.4 |
Sep 28, 2024 20:30:12.202212095 CEST | 443 | 49730 | 172.67.132.32 | 192.168.2.4 |
Sep 28, 2024 20:30:12.202275038 CEST | 49730 | 443 | 192.168.2.4 | 172.67.132.32 |
Sep 28, 2024 20:30:12.202282906 CEST | 443 | 49730 | 172.67.132.32 | 192.168.2.4 |
Sep 28, 2024 20:30:12.202394009 CEST | 443 | 49730 | 172.67.132.32 | 192.168.2.4 |
Sep 28, 2024 20:30:12.202454090 CEST | 49730 | 443 | 192.168.2.4 | 172.67.132.32 |
Sep 28, 2024 20:30:12.203418016 CEST | 49730 | 443 | 192.168.2.4 | 172.67.132.32 |
Sep 28, 2024 20:30:12.203435898 CEST | 443 | 49730 | 172.67.132.32 | 192.168.2.4 |
Sep 28, 2024 20:30:12.312257051 CEST | 49731 | 443 | 192.168.2.4 | 172.67.132.32 |
Sep 28, 2024 20:30:12.312308073 CEST | 443 | 49731 | 172.67.132.32 | 192.168.2.4 |
Sep 28, 2024 20:30:12.312386990 CEST | 49731 | 443 | 192.168.2.4 | 172.67.132.32 |
Sep 28, 2024 20:30:12.312819004 CEST | 49731 | 443 | 192.168.2.4 | 172.67.132.32 |
Sep 28, 2024 20:30:12.312836885 CEST | 443 | 49731 | 172.67.132.32 | 192.168.2.4 |
Sep 28, 2024 20:30:12.891145945 CEST | 443 | 49731 | 172.67.132.32 | 192.168.2.4 |
Sep 28, 2024 20:30:12.891285896 CEST | 49731 | 443 | 192.168.2.4 | 172.67.132.32 |
Sep 28, 2024 20:30:12.900542021 CEST | 49731 | 443 | 192.168.2.4 | 172.67.132.32 |
Sep 28, 2024 20:30:12.900561094 CEST | 443 | 49731 | 172.67.132.32 | 192.168.2.4 |
Sep 28, 2024 20:30:12.901016951 CEST | 443 | 49731 | 172.67.132.32 | 192.168.2.4 |
Sep 28, 2024 20:30:12.904277086 CEST | 49731 | 443 | 192.168.2.4 | 172.67.132.32 |
Sep 28, 2024 20:30:12.904297113 CEST | 49731 | 443 | 192.168.2.4 | 172.67.132.32 |
Sep 28, 2024 20:30:12.904380083 CEST | 443 | 49731 | 172.67.132.32 | 192.168.2.4 |
Sep 28, 2024 20:30:13.401125908 CEST | 443 | 49731 | 172.67.132.32 | 192.168.2.4 |
Sep 28, 2024 20:30:13.401361942 CEST | 443 | 49731 | 172.67.132.32 | 192.168.2.4 |
Sep 28, 2024 20:30:13.401443958 CEST | 49731 | 443 | 192.168.2.4 | 172.67.132.32 |
Sep 28, 2024 20:30:13.401554108 CEST | 49731 | 443 | 192.168.2.4 | 172.67.132.32 |
Sep 28, 2024 20:30:13.401597023 CEST | 443 | 49731 | 172.67.132.32 | 192.168.2.4 |
Sep 28, 2024 20:30:13.401627064 CEST | 49731 | 443 | 192.168.2.4 | 172.67.132.32 |
Sep 28, 2024 20:30:13.401642084 CEST | 443 | 49731 | 172.67.132.32 | 192.168.2.4 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Sep 28, 2024 20:30:11.391705990 CEST | 65091 | 53 | 192.168.2.4 | 1.1.1.1 |
Sep 28, 2024 20:30:11.419092894 CEST | 53 | 65091 | 1.1.1.1 | 192.168.2.4 |
Sep 28, 2024 20:30:11.421106100 CEST | 58380 | 53 | 192.168.2.4 | 1.1.1.1 |
Sep 28, 2024 20:30:11.446846008 CEST | 53 | 58380 | 1.1.1.1 | 192.168.2.4 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Sep 28, 2024 20:30:11.391705990 CEST | 192.168.2.4 | 1.1.1.1 | 0xe7f | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Sep 28, 2024 20:30:11.421106100 CEST | 192.168.2.4 | 1.1.1.1 | 0xdfab | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Sep 28, 2024 20:30:11.419092894 CEST | 1.1.1.1 | 192.168.2.4 | 0xe7f | Name error (3) | | none | none | A (IP address) | IN (0x0001) | false |
Sep 28, 2024 20:30:11.446846008 CEST | 1.1.1.1 | 192.168.2.4 | 0xdfab | No error (0) | | | 172.67.132.32 | A (IP address) | IN (0x0001) | false |
Sep 28, 2024 20:30:11.446846008 CEST | 1.1.1.1 | 192.168.2.4 | 0xdfab | No error (0) | | | 104.21.4.136 | A (IP address) | IN (0x0001) | false |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.4 | 49730 | 172.67.132.32 | 443 | 2716 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-09-28 18:30:12 UTC | 264 | OUT | |
2024-09-28 18:30:12 UTC | 8 | OUT | |
2024-09-28 18:30:12 UTC | 549 | IN | |
2024-09-28 18:30:12 UTC | 820 | IN | |
2024-09-28 18:30:12 UTC | 1369 | IN | |
2024-09-28 18:30:12 UTC | 1369 | IN | |
2024-09-28 18:30:12 UTC | 847 | IN | |
2024-09-28 18:30:12 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
1 | 192.168.2.4 | 49731 | 172.67.132.32 | 443 | 2716 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-09-28 18:30:12 UTC | 354 | OUT | |
2024-09-28 18:30:12 UTC | 75 | OUT | |
2024-09-28 18:30:13 UTC | 774 | IN | |
2024-09-28 18:30:13 UTC | 15 | IN | |
2024-09-28 18:30:13 UTC | 5 | IN |
Target ID: | 0 |
Start time: | 14:29:58 |
Start date: | 28/09/2024 |
Path: | C:\Users\user\Desktop\file.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xe90000 |
File size: | 12'859'392 bytes |
MD5 hash: | 54E50CC52A1D35CDD951D475E0FB7AA9 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | low |
Has exited: | true |
Target ID: | 1 |
Start time: | 14:30:07 |
Start date: | 28/09/2024 |
Path: | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xaa0000 |
File size: | 231'736 bytes |
MD5 hash: | A64BEAB5D4516BECA4C40B25DC0C1CD8 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | moderate |
Has exited: | true |
Execution Graph
Execution Coverage: | 1.8% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 56.4% |
Total number of Nodes: | 94 |
Total number of Limit Nodes: | 19 |
Graph
Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
0040EC00 | 28.5 | 1 | 15 | 491 | library, COMMON |
0040D060 | 10.7 | 4 | 2 | 166 | thread, COMMON |
0040F4B0 | 5.4 | | 4 | 401 | COMMON |
004478C0 | 3.5 | 1 | 1 | 14 | library, COMMON |
00447A52 | 3.2 | | 2 | 665 | COMMON |
00446B78 | 1.6 | 1 | | 79 | library, COMMON |
00444490 | 1.6 | 1 | | 52 | memory, COMMON |
004402D8 | 1.5 | 1 | | 48 | memory, COMMON |
00411DA5 | 1.5 | 1 | | 12 | COMMON |
00444476 | 1.5 | 1 | | 7 | memory, COMMON |
00411D80 | 1.3 | 1 | | 13 | COMMON |
00429251 | 42.3 | | 33 | 1008 | COMMON |
0041DE06 | 41.3 | | 32 | 1283 | COMMON |
00438F30 | 33.4 | 6 | 13 | 119 | clipboard, COMMON |
00423672 | 14.2 | | 11 | 458 | COMMON |
0042B810 | 13.0 | | 10 | 486 | COMMON |
00427ADF | 10.9 | | 8 | 908 | COMMON |
0042D2E2 | 10.8 | | 8 | 754 | COMMON |
00420832 | 10.7 | | 8 | 723 | COMMON |
00420780 | 10.7 | | 8 | 720 | COMMON |
0042D578 | 10.7 | | 8 | 679 | COMMON |
00401000 | 10.6 | | 7 | 1879 | COMMON |
00433FB3 | 9.2 | 2 | 3 | 470 | library, COMMON |
0040FB7C | 9.0 | | 7 | 257 | COMMON |
00437420 | 8.8 | | 7 | 89 | COMMON |
0040166E | 7.9 | | 6 | 402 | COMMON |
0040136B | 7.8 | | 6 | 320 | COMMON |
00428DF0 | 7.7 | | 6 | 159 | COMMON |
004012BF | 7.1 | | 5 | 853 | COMMON |
00410BAE | 5.3 | | 4 | 330 | COMMON |
004490D0 | 4.0 | | 3 | 288 | COMMON |
00413B52 | 3.3 | | 2 | 765 | COMMON |
0041445A | 3.2 | | 2 | 675 | COMMON |
00413D32 | 3.0 | | 2 | 476 | COMMON |
0042F64F | 3.0 | | 2 | 468 | COMMON |
00426EF0 | 2.9 | | 2 | 413 | COMMON |
004036F0 | 2.9 | | 2 | 411 | COMMON |
00449950 | 2.9 | | 2 | 378 | COMMON |
0042C170 | 2.9 | | 2 | 374 | COMMON |
004335DA | 2.9 | | 2 | 367 | COMMON |
00448ED0 | 2.7 | | 2 | 186 | COMMON |
0044B6D0 | 2.6 | | 2 | 98 | COMMON |
004452C0 | 1.8 | | 1 | 569 | COMMON |
004052C0 | 1.8 | | 1 | 551 | COMMON |
0042E3C2 | 1.7 | | 1 | 497 | COMMON |
00426C80 | 1.7 | 1 | | 245 | com, COMMON |
00430C40 | 1.7 | | 1 | 423 | COMMON |
0044BDC0 | 1.5 | | 1 | 283 | COMMON |
0041DE74 | 1.5 | | 1 | 276 | COMMON |
0044BAF0 | 1.5 | | 1 | 270 | COMMON |
00438A50 | 1.5 | | 1 | 257 | COMMON |
00431110 | 1.5 | | 1 | 236 | COMMON |
00436DB0 | 1.5 | | 1 | 226 | COMMON |
004405A4 | 1.5 | | 1 | 206 | COMMON |
0044B3C0 | 1.4 | | 1 | 131 | COMMON |
0044B550 | 1.4 | | 1 | 128 | COMMON |
00433B19 | 1.4 | | 1 | 117 | COMMON |
0044440C | 1.3 | | 1 | 43 | COMMON |
004443D4 | 1.3 | | 1 | 20 | COMMON |
0040BDF0 | 0.9 | | | 857 | COMMON |
0040915E | 0.8 | | | 806 | COMMON |
0040B2E0 | 0.7 | | | 670 | COMMON |
00407340 | 0.7 | | | 657 | COMMON |
00449FC0 | 0.6 | | | 628 | COMMON |
00407D40 | 0.6 | | | 592 | COMMON |
0044A130 | 0.5 | | | 529 | COMMON |
0044A19B | 0.5 | | | 495 | COMMON |
004155DC | 0.4 | | | 416 | COMMON |
0044A320 | 0.4 | | | 414 | COMMON |
0040A2F0 | 0.4 | | | 399 | COMMON |
00437020 | 0.4 | | | 359 | COMMON |
00449480 | 0.3 | | | 331 | COMMON |
0040AE50 | 0.3 | | | 305 | COMMON |
00409D09 | 0.3 | | | 264 | COMMON |
0044A9A2 | 0.2 | | | 238 | COMMON |
0042DB06 | 0.2 | | | 220 | COMMON |
00445CE0 | 0.2 | | | 212 | COMMON |
0040E290 | 0.2 | | | 197 | COMMON |
0043F4C0 | 0.2 | | | 189 | COMMON |
00444B80 | 0.2 | | | 167 | COMMON |
00405B90 | 0.2 | | | 163 | COMMON |
00410FD0 | 0.1 | | | 122 | COMMON |
0043FC70 | 0.1 | | | 101 | COMMON |
00444740 | 0.1 | | | 97 | COMMON |
00404B00 | 0.1 | | | 95 | COMMON |
0043BBD0 | 0.1 | | | 64 | COMMON |
00430740 | 0.1 | | | 63 | COMMON |
00445F60 | 0.1 | | | 52 | COMMON |
00407000 | 0.0 | | | 46 | COMMON |
0041A780 | 0.0 | | | 38 | COMMON |
00442420 | 0.0 | | | 21 | COMMON |
0044A996 | 0.0 | | | 6 | COMMON |
004386C1 | 87.6 | 1 | 49 | 147 | memory, COMMON |
004379CF | 87.6 | 1 | 49 | 147 | memory, COMMON |
00435931 | 82.4 | 1 | 46 | 158 | memory, COMMON |