Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1522738
MD5:	fcf03d6280f63f40a60e98d06605ab9d
SHA1:	420755bdc0da94be9a8213df4db439fac11475a8
SHA256:	bf18826310f2337edd96b0d183c47bb82b8f5da9a64ee7dd0a5d077385c8c38e
Tags:	AZORultexeuser-jstrosch
Infos:

Detection

Azorult

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Azorult

Yara detected Azorult Info Stealer

AI detected suspicious sample

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality to read the PEB

Found potential string decryption / allocating functions

One or more processes crash

PE file does not import any functions

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

file.exe (PID: 2920 cmdline: "C:\Users\user\Desktop\file.exe" MD5: FCF03D6280F63F40A60E98D06605AB9D)

WerFault.exe (PID: 2220 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2920 -s 224 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Azorult	AZORult is a credential and payment card information stealer. Among other things, version 2 added support for .bit-domains. It has been observed in conjunction with Chthonic as well as being dropped by Ramnit.	The Gorgon Group	http://www.vkremez.com/2017/07/lets-learn-reversing-credential-and.html https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/ https://asec.ahnlab.com/en/26517/ https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/ https://blog.checkpoint.com/2022/05/10/a-german-car-attack-on-german-vehicle-businesses/	https://malpedia.caad.fkie.fraunhofer.de/details/win.azorult

Malware Configuration

⊘No configs have been found

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
file.exe	JoeSecurity_Azorult	Yara detected Azorult Info Stealer	Joe Security
file.exe	JoeSecurity_Azorult_1	Yara detected Azorult	Joe Security
file.exe	Windows_Trojan_Azorult_38fce9ea	unknown	unknown	0x19fd0:$a1: /c %WINDIR%\system32\timeout.exe 3 & del " 0xe164:$a2: %APPDATA%\.purple\accounts.xml 0xe8ac:$a3: %TEMP%\curbuf.dat 0x199b0:$a4: PasswordsList.txt 0x14d28:$a5: Software\Valve\Steam
file.exe	Azorult_1	Azorult Payload	kevoreilly	0x17f53:$code1: C7 07 3C 00 00 00 8D 45 80 89 47 04 C7 47 08 20 00 00 00 8D 85 80 FE FF FF 89 47 10 C7 47 14 00 01 00 00 8D 85 00 FE FF FF 89 47 1C C7 47 20 80 00 00 00 8D 85 80 FD FF FF 89 47 24 C7 47 28 80 ... 0x12c7c:$string1: SELECT DATETIME( ((visits.visit_time/1000000)-11644473600),"unixepoch")

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 2920	JoeSecurity_Azorult	Yara detected Azorult Info Stealer	Joe Security
Process Memory Space: file.exe PID: 2920	JoeSecurity_Azorult_1	Yara detected Azorult	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.file.exe.710000.0.unpack	JoeSecurity_Azorult	Yara detected Azorult Info Stealer	Joe Security
0.0.file.exe.710000.0.unpack	JoeSecurity_Azorult_1	Yara detected Azorult	Joe Security
0.0.file.exe.710000.0.unpack	Windows_Trojan_Azorult_38fce9ea	unknown	unknown	0x19fd0:$a1: /c %WINDIR%\system32\timeout.exe 3 & del " 0xe164:$a2: %APPDATA%\.purple\accounts.xml 0xe8ac:$a3: %TEMP%\curbuf.dat 0x199b0:$a4: PasswordsList.txt 0x14d28:$a5: Software\Valve\Steam
0.0.file.exe.710000.0.unpack	Azorult_1	Azorult Payload	kevoreilly	0x17f53:$code1: C7 07 3C 00 00 00 8D 45 80 89 47 04 C7 47 08 20 00 00 00 8D 85 80 FE FF FF 89 47 10 C7 47 14 00 01 00 00 8D 85 00 FE FF FF 89 47 1C C7 47 20 80 00 00 00 8D 85 80 FD FF FF 89 47 24 C7 47 28 80 ... 0x12c7c:$string1: SELECT DATETIME( ((visits.visit_time/1000000)-11644473600),"unixepoch")
0.2.file.exe.710000.0.unpack	JoeSecurity_Azorult	Yara detected Azorult Info Stealer	Joe Security
0.2.file.exe.710000.0.unpack	JoeSecurity_Azorult_1	Yara detected Azorult	Joe Security
0.2.file.exe.710000.0.unpack	Windows_Trojan_Azorult_38fce9ea	unknown	unknown	0x19fd0:$a1: /c %WINDIR%\system32\timeout.exe 3 & del " 0xe164:$a2: %APPDATA%\.purple\accounts.xml 0xe8ac:$a3: %TEMP%\curbuf.dat 0x199b0:$a4: PasswordsList.txt 0x14d28:$a5: Software\Valve\Steam
0.2.file.exe.710000.0.unpack	Azorult_1	Azorult Payload	kevoreilly	0x17f53:$code1: C7 07 3C 00 00 00 8D 45 80 89 47 04 C7 47 08 20 00 00 00 8D 85 80 FE FF FF 89 47 10 C7 47 14 00 01 00 00 8D 85 00 FE FF FF 89 47 1C C7 47 20 80 00 00 00 8D 85 80 FD FF FF 89 47 24 C7 47 28 80 ... 0x12c7c:$string1: SELECT DATETIME( ((visits.visit_time/1000000)-11644473600),"unixepoch")
Click to see the 3 entries

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 84%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.3% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: file.exe	String found in binary or memory: http://ip-api.com/json
Source: Amcache.hve.3.dr	String found in binary or memory: http://upx.sf.net
Source: file.exe	String found in binary or memory: https://dotbit.me/a/

System Summary

Malicious sample detected (through community Yara rule)

Source: file.exe, type: SAMPLE	Matched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
Source: file.exe, type: SAMPLE	Matched rule: Azorult Payload Author: kevoreilly
Source: 0.0.file.exe.710000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
Source: 0.0.file.exe.710000.0.unpack, type: UNPACKEDPE	Matched rule: Azorult Payload Author: kevoreilly
Source: 0.2.file.exe.710000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
Source: 0.2.file.exe.710000.0.unpack, type: UNPACKEDPE	Matched rule: Azorult Payload Author: kevoreilly

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00716EFC appears 68 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00714590 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 007147F4 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00713C0C appears 32 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 007140E4 appears 32 times

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2920 -s 224

Source: file.exe

Static PE information: No import functions for PE file found

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: file.exe, type: SAMPLE	Matched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
Source: file.exe, type: SAMPLE	Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 0.0.file.exe.710000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
Source: 0.0.file.exe.710000.0.unpack, type: UNPACKEDPE	Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 0.2.file.exe.710000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
Source: 0.2.file.exe.710000.0.unpack, type: UNPACKEDPE	Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload

Source: classification engine

Classification label: mal92.spyw.winEXE@2/5@0/0

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2920

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\fa82bc48-a540-4797-90cc-4790347bb01e

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

ReversingLabs: Detection: 84%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2920 -s 224

Source: C:\Users\user\Desktop\file.exe

Section loaded: apphelp.dll

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0071C020 push 0071B44Ch; ret	0_2_0071C044
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00728024 push 00727450h; ret	0_2_00728048
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00724810 push 00723C3Ch; ret	0_2_00724834
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0071581C push 00714C6Dh; ret	0_2_00715865
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00721950 push 00720D7Ch; ret	0_2_00721974
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0071D930 push 0071CD5Ch; ret	0_2_0071D954
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0071D92C push 0071CD5Ch; ret	0_2_0071D954
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00723104 push 00722530h; ret	0_2_00723128
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0071F1F8 push 0071E624h; ret	0_2_0071F21C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0071B1D4 push 0071A604h; ret	0_2_0071B1FC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007159D8 push 00714E04h; ret	0_2_007159FC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0071B1D8 push 0071A604h; ret	0_2_0071B1FC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007161C4 push 00715626h; ret	0_2_0071621E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007259B0 push 00724DDCh; ret	0_2_007259D4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007161BC push 00715626h; ret	0_2_0071621E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007159A0 push 00714DCCh; ret	0_2_007159C4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0072799C push 00726DC8h; ret	0_2_007279C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0071B278 push 0071A6A8h; ret	0_2_0071B2A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0071B27C push 0071A6A8h; ret	0_2_0071B2A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00727A7C push 00726EA8h; ret	0_2_00727AA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0071CA57 push 0071BE84h; ret	0_2_0071CA7C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0071CA58 push 0071BE84h; ret	0_2_0071CA7C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00716230 push 0071565Ch; ret	0_2_00716254
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0071F230 push 0071E68Fh; ret	0_2_0071F287
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00716229 push 0071565Ch; ret	0_2_00716254
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00726214 push 00725640h; ret	0_2_00726238
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00719A00 push 007194D4h; ret	0_2_0071A0CC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00719A08 push 007194D4h; ret	0_2_0071A0CC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0071EA0C push 0071DE38h; ret	0_2_0071EA30
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00715B64 push 00714F90h; ret	0_2_00715B88
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00716B18 push 00715F44h; ret	0_2_00716B3C

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: Amcache.hve.3.dr	Binary or memory string: VMware
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.3.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.3.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.3.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.3.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.3.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.3.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.3.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.3.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.3.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.3.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.3.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.3.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.3.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007186F0 mov eax, dword ptr fs:[00000030h]

0_2_007186F0

Source: Amcache.hve.3.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Azorult

Source: Yara match	File source: file.exe, type: SAMPLE
Source: Yara match	File source: 0.0.file.exe.710000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.710000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: Process Memory Space: file.exe PID: 2920, type: MEMORYSTR

Yara detected Azorult Info Stealer

Source: Yara match	File source: file.exe, type: SAMPLE
Source: Yara match	File source: 0.0.file.exe.710000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.710000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: Process Memory Space: file.exe PID: 2920, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: file.exe	String found in binary or memory: \electrum.dat
Source: file.exe	String found in binary or memory: ta%\Electrum\wallets\
Source: file.exe	String found in binary or memory: TA%\Jaxx\Local Storage\
Source: file.exe	String found in binary or memory: TA%\Exodus\
Source: file.exe	String found in binary or memory: TA%\Jaxx\Local Storage\
Source: file.exe	String found in binary or memory: TA%\Ethereum\keystore\
Source: file.exe	String found in binary or memory: TA%\Exodus\
Source: file.exe	String found in binary or memory: TA%\Ethereum\keystore\
Source: file.exe	String found in binary or memory: TA%\Ethereum\keystore\
Source: file.exe	String found in binary or memory: ppdata%\Electrum-LTC\wallets\

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	1 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label
file.exe	84%	ReversingLabs	Win32.Infostealer.CoinStealer
file.exe	100%	Avira	TR/Patched.Ren.Gen
file.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://upx.sf.net	0%	URL Reputation	safe
http://ip-api.com/json	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.3.dr	false	URL Reputation: safe	unknown
http://ip-api.com/json	file.exe	false	URL Reputation: safe	unknown
https://dotbit.me/a/	file.exe	false		unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1522738
Start date and time:	2024-09-30 16:17:41 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal92.spyw.winEXE@2/5@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 30
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.22
Excluded domains from analysis (whitelisted): client.wns.windows.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target file.exe, PID 2920 because there are no executed function
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
10:18:55	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_b7ec1b37f5bdf9de2faad2aaaca2b15765533cd8_02bbd8d5_5f6ab712-a5ae-4c3e-8d69-92f3de4241c6\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.6242818047794745
Encrypted:	false
SSDEEP:	192:qgqvWQuav9QP/0NXfcE3jEzuiFnZ24IO8ThB:yEk6kNXffjEzuiFnY4IO8r
MD5:	316F4FE2A70A366E97467EB3F839E852
SHA1:	61C528818ADF9C10F195B5E75817DB8E5F91DA38
SHA-256:	A4DE82424BA8B0C6F1ECE9735FC539C454C4FCE7A51869EADC97B25DCC94BD12
SHA-512:	47D119A038C3DEFF7D69CE996B5417A84D9AFC80AA64F55997AF449BCD0B3F0215287B6A6A22A5D2C3E4C1F3E4DDCECA725204F06B4C8E61C65C1B1C41CCF038
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.1.7.9.5.3.3.0.7.3.0.4.6.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.2.1.7.9.5.3.3.3.6.9.9.1.3.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.f.6.a.b.7.1.2.-.a.5.a.e.-.4.c.3.e.-.8.d.6.9.-.9.2.f.3.d.e.4.2.4.1.c.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.d.e.4.f.2.1.a.-.5.8.b.a.-.4.0.9.0.-.a.d.b.2.-.4.b.7.5.f.8.b.8.9.f.e.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.b.6.8.-.0.0.0.1.-.0.0.1.4.-.6.6.e.9.-.3.3.a.d.4.3.1.3.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.e.4.9.2.d.7.6.8.e.7.9.7.3.1.6.2.4.b.c.d.f.2.e.7.6.1.5.f.9.1.8.0.0.0.0.f.f.f.f.!.0.0.0.0.4.2.0.7.5.5.b.d.c.0.d.a.9.4.b.e.9.a.8.2.1.3.d.f.4.d.b.4.3.9.f.a.c.1.1.4.7.5.a.8.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.1.9.9.2././.0.6.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB203.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Mon Sep 30 14:18:53 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	19428
Entropy (8bit):	2.0147615125548044
Encrypted:	false
SSDEEP:	96:5r8By8DVvVvFFti7nhHG4lZDFI6WInWIOKGZsl8O7:K79tO8pJslJ7
MD5:	BD82D86C191B335B62E1970AED655A91
SHA1:	EF0FD351DBC0D4DAD8FF58C7065C9A312CBA4F60
SHA-256:	EF3DEF8E370188289DCA940A59925D746BFF6944E260BBFC78F778521FFD1A77
SHA-512:	CD77C7B2595450893A3BE54DA8580D10474578C9692D7EAF4A2E1A42D46630AC5077B88B01A10C51369D95A5F222E386917D540097CAED23F7A41A538A2E440F
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......M..f............4...............<.......T...............T.......8...........T...........H....B......................................................................................................eJ......L.......GenuineIntel............T.......h...L..f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB232.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8264
Entropy (8bit):	3.6900660199956583
Encrypted:	false
SSDEEP:	192:R6l7wVeJDCN6jm56YEIjSU9iZmgmfBNJPWOEpx+89bmOsfgim:R6lXJM6S56YE8SU9imgmfrJPWOkmNfU
MD5:	E4930FB74780D47D2E1BFF49B261C813
SHA1:	991B63EA88786E808C0E3924E0D0B37E6A96F57B
SHA-256:	75D9DF2E99EBE7660BF5AFA19D22A13EF1EA6A0736DA6F940EB1707F4353BEBA
SHA-512:	B9D4026FC5D934F953645A17FBEEC1F169104016965505F672EC61B83D7EFC16BAA0241B4B31E1DAA7B48E49E822FF6FF4A5D6120987859C8E675F734441DFF4
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.9.2.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB262.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4555
Entropy (8bit):	4.429437549882719
Encrypted:	false
SSDEEP:	48:cvIwWl8zs5Jg77aI91/SWpW8VYsYm8M4J+KFO+q82oNKFpd:uIjfLI7n77VEJ02NKFpd
MD5:	64D41A18D6AE90BCCA4FF3C9D4674019
SHA1:	24BA99CF833144A65D9A00509EB6AD2959C04F34
SHA-256:	F588B9C8367CCF8DA5C393688763FB12145164EA466B4ECB984C7C7565B244FE
SHA-512:	BF520A6AA49B1C26DADDDDE34A6861952EC10FDCC842C5FC2F0306A5425A07BC243E70E7369CAE751686DF8B08EE5F7CE38886B2F237287D9C7C8E4FD6E0CE69
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="523041" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.421311151117267
Encrypted:	false
SSDEEP:	6144:BSvfpi6ceLP/9skLmb0OTLWSPHaJG8nAgeMZMMhA2fX4WABlEnN20uhiTw:YvloTLW+EZMM6DFy403w
MD5:	CB8C5875BE6EC7E3AE62ED2132095D06
SHA1:	ACDD35B5BF4F4761085FE44A891203F10AC72EC2
SHA-256:	1FBB8D27C82D6BCC7D3DD6869B4125B56CCD4D50FFD246CABD2F0B10F0A90745
SHA-512:	CCBA092045D151F0CF8C39E66CDE5AB59FB831BE32459979CC99F1A920BE86FA60CC2ED913D75DBBACBCC43B7EAE2EAFC37BC034CA63537D6AD500C601E98D17
Malicious:	false
Reputation:	low
Preview:	regf?...?....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..e.C...............................................................................................................................................................................................................................................................................................................................................k.r.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.871157788525567
TrID:	Win32 Executable (generic) a (10002005/4) 99.81% Windows Screen Saver (13104/52) 0.13% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	file.exe
File size:	131'072 bytes
MD5:	fcf03d6280f63f40a60e98d06605ab9d
SHA1:	420755bdc0da94be9a8213df4db439fac11475a8
SHA256:	bf18826310f2337edd96b0d183c47bb82b8f5da9a64ee7dd0a5d077385c8c38e
SHA512:	82646967165dc19a09440aa76c0eb2b562e336977d75ccf6f9dbf0f7ecc83c34445a21957c6ad8b590aea9252ec60ce74aa676ab94ba09da37ff7b1e7292103b
SSDEEP:	3072:PaUnVBiag8BuInCuXHDwpDEsu7jByqC4hmRA+Sxg/:C0iaghIBHDwpDSBn7+S
TLSH:	F7D32A3AF7809732D02A08BCCD5A917A503B35303D3C2596B6D90BCCA5B96C66F2D387
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x72a1f8
Entrypoint Section:	CODE
Digitally signed:	false
Imagebase:	0x710000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
test eax, ebp

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1d000	0x79e	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1e000	0x1a58	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
CODE	0x1000	0x19224	0x19400	a5edb40c1d96a16a0ed64f6ba8009957	False	0.49132696472772275	data	6.17582866396262	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA	0x1b000	0x494	0x600	4a1e4b0c49c5fea81d27b9b7c29bae2e	False	0.427734375	data	3.899277125016968	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS	0x1c000	0xb5d	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x1d000	0x79e	0x800	0dcd5d3b995388711ea7420e302ea477	False	0.31591796875	Matlab v4 mat-file (little endian) s\, text, rows 43, columns 4294967295, imaginary	3.0423285420689927	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x1e000	0x1a58	0x1c00	9e6315184acd1b70da2ff0981006a0cc	False	0.09946986607142858	data	1.1048646891314555	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

Network Behavior

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 30, 2024 16:19:13.253596067 CEST	53	57216	1.1.1.1	192.168.2.5

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: file.exePID: 2920, Parent PID: 1028

General

Target ID:	0
Start time:	10:18:52
Start date:	30/09/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x710000
File size:	131'072 bytes
MD5 hash:	FCF03D6280F63F40A60E98D06605AB9D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 2220, Parent PID: 2920

General

Target ID:	3
Start time:	10:18:52
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 2920 -s 224
Imagebase:	0xe30000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: file.exePID: 2920, Parent PID: 1028COMMON

Non-executed Functions

Function 007186F0 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3479928360.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.3479914014.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479948472.000000000072B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479963671.000000000072D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479978858.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2a2d129c8543363c052d008b34330d58e57021dec0e7df0c1a6226ed5b22a4b
Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
Opcode Fuzzy Hash: c2a2d129c8543363c052d008b34330d58e57021dec0e7df0c1a6226ed5b22a4b
Instruction Fuzzy Hash:

Function 0071B808 Relevance: 15.3, Strings: 12, Instructions: 313COMMON

Download Yara Rule

Strings

%\Ethereum\keystore\, xrefs: 0071BCCB
PasswordsList.txt, xrefs: 0071BA84
um\wallets\, xrefs: 0071B902
Coins\Jaxx\Local Storage\, xrefs: 0071BC75
%\Jaxx\Local Storage\, xrefs: 0071BCA0
trum-LTC\wallets\, xrefs: 0071BC4A
on,*.seco, xrefs: 0071BBF4
.wallet.aes,mbhd.checkpoints,mbhd.spvchain,mbhd.yaml, xrefs: 0071BA34
%APPDATA%\Exodus\, xrefs: 0071B8F2
Coins\Electrum, xrefs: 0071B98A
Electrum-LTC, xrefs: 0071BAF2
Coins\Exodus, xrefs: 0071BA9C

Memory Dump Source

Source File: 00000000.00000002.3479928360.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.3479914014.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479948472.000000000072B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479963671.000000000072D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479978858.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID: %APPDATA%\Exodus\$%\Ethereum\keystore\$%\Jaxx\Local Storage\$.wallet.aes,mbhd.checkpoints,mbhd.spvchain,mbhd.yaml$Coins\Electrum$Coins\Exodus$Coins\Jaxx\Local Storage\$Electrum-LTC$PasswordsList.txt$on,*.seco$trum-LTC\wallets\$um\wallets\
API String ID: 0-1819263949
Opcode ID: 6e607ffdb23863d28ead6df4723b73d6c09a3b687221e8485a38d242c5df639c
Instruction ID: c86ee16a0f000d034d80b6c0bbe178c807fccde50e094fba977fc930eb214143
Opcode Fuzzy Hash: 6e607ffdb23863d28ead6df4723b73d6c09a3b687221e8485a38d242c5df639c
Instruction Fuzzy Hash: 59F14538A00259CFCB20EF58D895E9DB7B2FB49300F548695E8146B365DB38BD9ACF44

Function 0071A25C Relevance: 12.7, Strings: 10, Instructions: 234COMMON

Download Yara Rule

Strings

Storage\, xrefs: 0071A329
%\Electrum\wallets\, xrefs: 0071A3C0
TA%\Ethereum\keystore\, xrefs: 0071A490
ins\MultiBitHD, xrefs: 0071A45C
odus\, xrefs: 0071A372
mbhd.wallet.aes,mbhd.checkpoints,mbhd.spvchain,mbhd.yaml, xrefs: 0071A38C
%APPDATA%\Jaxx\Local Storage\, xrefs: 0071A2CE, 0071A347
Ethereum, xrefs: 0071A442
ins\Exodus, xrefs: 0071A40E
ts\, xrefs: 0071A3F4

Memory Dump Source

Source File: 00000000.00000002.3479928360.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.3479914014.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479948472.000000000072B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479963671.000000000072D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479978858.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID: Storage\$%APPDATA%\Jaxx\Local Storage\$%\Electrum\wallets\$Ethereum$TA%\Ethereum\keystore\$ins\Exodus$ins\MultiBitHD$mbhd.wallet.aes,mbhd.checkpoints,mbhd.spvchain,mbhd.yaml$odus\$ts\
API String ID: 0-4215018947
Opcode ID: a71f945931d033076a96129f1515efa35a83afa45252762e891eb1811caed541
Instruction ID: 65f9a638fa76f2620835ed182bbc863be2cb6e68d04940a6295f0d4bd57d3a5b
Opcode Fuzzy Hash: a71f945931d033076a96129f1515efa35a83afa45252762e891eb1811caed541
Instruction Fuzzy Hash: B99106B0600615DFC721EB6CDC8AB9937F9AF59700F108565F404DB2A2DB3CAD85CB5A

Function 0071A268 Relevance: 12.7, Strings: 10, Instructions: 228COMMON

Download Yara Rule

Strings

Storage\, xrefs: 0071A329
%\Electrum\wallets\, xrefs: 0071A3C0
TA%\Ethereum\keystore\, xrefs: 0071A490
ins\MultiBitHD, xrefs: 0071A45C
odus\, xrefs: 0071A372
mbhd.wallet.aes,mbhd.checkpoints,mbhd.spvchain,mbhd.yaml, xrefs: 0071A38C
%APPDATA%\Jaxx\Local Storage\, xrefs: 0071A2CE, 0071A347
Ethereum, xrefs: 0071A442
ins\Exodus, xrefs: 0071A40E
ts\, xrefs: 0071A3F4

Memory Dump Source

Source File: 00000000.00000002.3479928360.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.3479914014.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479948472.000000000072B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479963671.000000000072D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479978858.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID: Storage\$%APPDATA%\Jaxx\Local Storage\$%\Electrum\wallets\$Ethereum$TA%\Ethereum\keystore\$ins\Exodus$ins\MultiBitHD$mbhd.wallet.aes,mbhd.checkpoints,mbhd.spvchain,mbhd.yaml$odus\$ts\
API String ID: 0-4215018947
Opcode ID: 734679d4fd8e36945040d4816f35cfbae1d9c00b8479084167c5989d72996469
Instruction ID: a5991e2ea7914a4f551ce8d58c0900cf2bf05b714dcbf73948eff85e956c47bb
Opcode Fuzzy Hash: 734679d4fd8e36945040d4816f35cfbae1d9c00b8479084167c5989d72996469
Instruction Fuzzy Hash: A89106B0600615DFC725EB6CDC8AB9933F9AF59700F108565F404DB2A1EB3CAD85CB5A

Function 0071F554 Relevance: 10.3, Strings: 8, Instructions: 297COMMON

Download Yara Rule

Strings

data%\Electrum\wallets\, xrefs: 0071F894
tocol>, xrefs: 0071F593
ins\Electrum, xrefs: 0071F574
s,mbhd.checkpoints,mbhd.spvchain,mbhd.yaml, xrefs: 0071F68C
DATA%\.purple\accounts.xml, xrefs: 0071F5EA
exit, xrefs: 0071F66E
al Storage\, xrefs: 0071F8C6
UTC*, xrefs: 0071F69D

Memory Dump Source

Source File: 00000000.00000002.3479928360.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.3479914014.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479948472.000000000072B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479963671.000000000072D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479978858.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID: DATA%\.purple\accounts.xml$UTC*$al Storage\$data%\Electrum\wallets\$exit$ins\Electrum$s,mbhd.checkpoints,mbhd.spvchain,mbhd.yaml$tocol>
API String ID: 0-4109314875
Opcode ID: 4a72194fdfa3b2e9d3b9c666080698cdc6a721b76cbc1074f63bc257667127ac
Instruction ID: ffc6198b7e07c125523aad6972271f5282301c16513f9b42b3dba0d5e20dc749
Opcode Fuzzy Hash: 4a72194fdfa3b2e9d3b9c666080698cdc6a721b76cbc1074f63bc257667127ac
Instruction Fuzzy Hash: 5DB1E575A00109DFDB10EBACDC86ADEB7F9AF49700F504561F814E72A1DB39AE868B50

Function 00721ED0 Relevance: 10.2, Strings: 8, Instructions: 234COMMON

Download Yara Rule

Strings

ins\Jaxx\Local Storage\, xrefs: 00721FFB
data%\Electrum\wallets\, xrefs: 00722112
,mbhd.spvchain,mbhd.yaml, xrefs: 00722104
ins\Electrum, xrefs: 0072203E, 0072206F, 00722093, 007220B7
ltiBitHD, xrefs: 0072202B
exit, xrefs: 00721FDD
ins, xrefs: 007220E2
UTC*, xrefs: 0072200C

Memory Dump Source

Source File: 00000000.00000002.3479928360.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.3479914014.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479948472.000000000072B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479963671.000000000072D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479978858.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID: ,mbhd.spvchain,mbhd.yaml$UTC*$data%\Electrum\wallets\$exit$ins$ins\Electrum$ins\Jaxx\Local Storage\$ltiBitHD
API String ID: 0-134230748
Opcode ID: aa5f2340544c4bd006ef1c21781b9f6da95f07bcf756f15992ce52adca07ac08
Instruction ID: e55b7bbaa400ccc038883a1d68a23e58fbb33db9b12302a23e7d251b687fdbd0
Opcode Fuzzy Hash: aa5f2340544c4bd006ef1c21781b9f6da95f07bcf756f15992ce52adca07ac08
Instruction Fuzzy Hash: 95810871A00119EFCB00EB98DC86EDEB7F8FF59300F508461F514E72A1DB38AA568B60

Function 0071B2F0 Relevance: 10.2, Strings: 8, Instructions: 221COMMON

Download Yara Rule

Strings

data%\Electrum\wallets\, xrefs: 0071B51A
ins\Electrum, xrefs: 0071B464, 0071B48B, 0071B4BE
ltiBitHD, xrefs: 0071B451
exit, xrefs: 0071B403
al Storage\, xrefs: 0071B538
json,*.seco, xrefs: 0071B421
mbhd.checkpoints,mbhd.spvchain,mbhd.yaml, xrefs: 0071B3BC
UTC*, xrefs: 0071B432

Memory Dump Source

Source File: 00000000.00000002.3479928360.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.3479914014.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479948472.000000000072B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479963671.000000000072D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479978858.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID: UTC*$al Storage\$data%\Electrum\wallets\$exit$ins\Electrum$json,*.seco$ltiBitHD$mbhd.checkpoints,mbhd.spvchain,mbhd.yaml
API String ID: 0-2381275743
Opcode ID: 0376d8dde2bbc28d66b0755c1fc8ad842716c9cf47ccecce4c41fd87f5ae756d
Instruction ID: 9fed666dcb4cfd162d65f11f26d6e4c8bfe1155f5d7795ce4405cd7fe0d53e53
Opcode Fuzzy Hash: 0376d8dde2bbc28d66b0755c1fc8ad842716c9cf47ccecce4c41fd87f5ae756d
Instruction Fuzzy Hash: C881A675A00109DFCB00EB9CDC86EDEB7F8AF49310F508165F514E72A1DB38AE868B55

Function 0071F9A8 Relevance: 9.1, Strings: 7, Instructions: 371COMMON

Download Yara Rule

Strings

data%\Electrum\wallets\, xrefs: 0071FDC3
ins\Electrum, xrefs: 0071FB58, 0071FB73, 0071FBC0, 0071FC0A, 0071FC26, 0071FC78, 0071FC94
ltiBitHD, xrefs: 0071FB45
exit, xrefs: 0071FABC
al Storage\, xrefs: 0071FDF5
let.aes,mbhd.checkpoints,mbhd.spvchain,mbhd.yaml, xrefs: 0071FB05
UTC*, xrefs: 0071FAEB, 0071FB16

Memory Dump Source

Source File: 00000000.00000002.3479928360.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.3479914014.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479948472.000000000072B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479963671.000000000072D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479978858.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID: UTC*$al Storage\$data%\Electrum\wallets\$exit$ins\Electrum$let.aes,mbhd.checkpoints,mbhd.spvchain,mbhd.yaml$ltiBitHD
API String ID: 0-2897062502
Opcode ID: dcff6dbeda6a567a35cef899cb56ff580d4010e8b865d22ca00773835da90c26
Instruction ID: ad6bf2f9749b8996497e71a7aab56a6202ab80092676b00be91c8a88e180ae8c
Opcode Fuzzy Hash: dcff6dbeda6a567a35cef899cb56ff580d4010e8b865d22ca00773835da90c26
Instruction Fuzzy Hash: A6E1C775A00109DFCB10EBA8DC86ADEB7F9BF49300F508171F514E72A1DB39AE968B51

Function 0071FF00 Relevance: 9.1, Strings: 7, Instructions: 318COMMON

Download Yara Rule

Strings

data%\Electrum\wallets\, xrefs: 00720283
ins\Electrum, xrefs: 00720072, 0072009E, 007200E8, 00720104, 00720156, 00720172
exit, xrefs: 00720014
al Storage\, xrefs: 007202B5
TC\wallets\, xrefs: 00720032
mbhd.checkpoints,mbhd.spvchain,mbhd.yaml, xrefs: 0071FFC4
UTC*, xrefs: 00720043

Memory Dump Source

Source File: 00000000.00000002.3479928360.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.3479914014.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479948472.000000000072B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479963671.000000000072D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479978858.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID: TC\wallets\$UTC*$al Storage\$data%\Electrum\wallets\$exit$ins\Electrum$mbhd.checkpoints,mbhd.spvchain,mbhd.yaml
API String ID: 0-2435788680
Opcode ID: 4a432d900b96fb8120c57b8bffc03b6c2259594c12c190cc215b7d172ac8cd11
Instruction ID: f013460f315d7b43ceb4d9e02934f9357bc437cc2db2595ccbbd234bad902b32
Opcode Fuzzy Hash: 4a432d900b96fb8120c57b8bffc03b6c2259594c12c190cc215b7d172ac8cd11
Instruction Fuzzy Hash: ADC1E775A0011DDFCB10EBA8DC86ADEB7F9BF49300F508161F414E72A1DB39AE968B50

Function 0071D624 Relevance: 9.0, Strings: 7, Instructions: 224COMMON

Download Yara Rule

Strings

\keystore\, xrefs: 0071D75D
ckpoints,mbhd.spvchain,mbhd.yaml, xrefs: 0071D696
MultiBitHD, xrefs: 0071D749
ectrum-LTC\wallets\, xrefs: 0071D715
</n>, xrefs: 0071D879
ppdata%\Electrum\wallets\, xrefs: 0071D659
ectrum, xrefs: 0071D682

Memory Dump Source

Source File: 00000000.00000002.3479928360.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.3479914014.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479948472.000000000072B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479963671.000000000072D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479978858.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID: </n>$MultiBitHD$\keystore\$ckpoints,mbhd.spvchain,mbhd.yaml$ectrum$ectrum-LTC\wallets\$ppdata%\Electrum\wallets\
API String ID: 0-1457266973
Opcode ID: bde0b800e80c051613755d89657252b0bbf55e8a6886e93ba8be6647d3e9992f
Instruction ID: b4305a1ed6e9992a6f9410ec775b2262129d9390fab29783c9658bbf45988818
Opcode Fuzzy Hash: bde0b800e80c051613755d89657252b0bbf55e8a6886e93ba8be6647d3e9992f
Instruction Fuzzy Hash: 35918A75A0020DDBCB10EB98D8859DEB7B9FF49310F608165E410AB395DB39BD868B90

Function 0071AAE8 Relevance: 7.8, Strings: 6, Instructions: 335COMMON

Download Yara Rule

Strings

allet.aes,mbhd.checkpoints,mbhd.spvchain,mbhd.yaml, xrefs: 0071ABA5, 0071ABFE
eco, xrefs: 0071ABC8
rage\, xrefs: 0071AD23, 0071ADCC
s\Ethereum, xrefs: 0071AC98
DATA%\Ethereum\keystore\, xrefs: 0071AE63, 0071AECD, 0071AEE5
Coins\MultiBitHD, xrefs: 0071ACB6

Memory Dump Source

Source File: 00000000.00000002.3479928360.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.3479914014.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479948472.000000000072B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479963671.000000000072D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479978858.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID: Coins\MultiBitHD$DATA%\Ethereum\keystore\$allet.aes,mbhd.checkpoints,mbhd.spvchain,mbhd.yaml$eco$rage\$s\Ethereum
API String ID: 0-3044315891
Opcode ID: 45bb0ea7ae44b44115a7df4452b4e36856596969ceaf7859f2f521e2d2ebe6e8
Instruction ID: a06025dba29eaf46f7909a4d92f84c02cfd06d2263bbb793f78bd44a292bd855
Opcode Fuzzy Hash: 45bb0ea7ae44b44115a7df4452b4e36856596969ceaf7859f2f521e2d2ebe6e8
Instruction Fuzzy Hash: 32D11975A00209EFDB11EB98D885ADEB7F9FF49300F5041A5E504E72A1DB38AE85CF51

Function 0071AAF0 Relevance: 7.8, Strings: 6, Instructions: 333COMMON

Download Yara Rule

Strings

allet.aes,mbhd.checkpoints,mbhd.spvchain,mbhd.yaml, xrefs: 0071ABA5, 0071ABFE
eco, xrefs: 0071ABC8
rage\, xrefs: 0071AD23, 0071ADCC
s\Ethereum, xrefs: 0071AC98
DATA%\Ethereum\keystore\, xrefs: 0071AE63, 0071AECD, 0071AEE5
Coins\MultiBitHD, xrefs: 0071ACB6

Memory Dump Source

Source File: 00000000.00000002.3479928360.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.3479914014.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479948472.000000000072B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479963671.000000000072D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479978858.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID: Coins\MultiBitHD$DATA%\Ethereum\keystore\$allet.aes,mbhd.checkpoints,mbhd.spvchain,mbhd.yaml$eco$rage\$s\Ethereum
API String ID: 0-3044315891
Opcode ID: 4531bc4f08df85c15779a2c7324e425fa4bfcb13fde8e4e93058696cdc44db98
Instruction ID: eb8dceeef7d2453351153dc65e405e2ca1ae46c1766b1a2c3cd060e5e7651e86
Opcode Fuzzy Hash: 4531bc4f08df85c15779a2c7324e425fa4bfcb13fde8e4e93058696cdc44db98
Instruction Fuzzy Hash: 70D11775A00209EFCB11EB98D885ADEB7F9FF49300F5041A5E504E72A1DB38AE85CF51

Function 00721988 Relevance: 7.7, Strings: 6, Instructions: 194COMMON

Download Yara Rule

Strings

data%\Electrum\wallets\, xrefs: 00721B52
,mbhd.spvchain,mbhd.yaml, xrefs: 00721B44
ins\Electrum, xrefs: 00721ADE, 00721B02
exit, xrefs: 00721A94
sList.txt, xrefs: 00721AB2
UTC*, xrefs: 00721AC3

Memory Dump Source

Source File: 00000000.00000002.3479928360.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.3479914014.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479948472.000000000072B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479963671.000000000072D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479978858.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID: ,mbhd.spvchain,mbhd.yaml$UTC*$data%\Electrum\wallets\$exit$ins\Electrum$sList.txt
API String ID: 0-2323501612
Opcode ID: 1999741bbe827fd3395e1506158d338f5b6ddca122604c79b0a00f8a596a9c42
Instruction ID: 07a3ad40d4300f9eef220487871b9353d5e810e8c40ec79096e27e2800444db3
Opcode Fuzzy Hash: 1999741bbe827fd3395e1506158d338f5b6ddca122604c79b0a00f8a596a9c42
Instruction Fuzzy Hash: F061EA75A00119DFCB10EB98EC86ADEB7F8FF49310F514461F514E72A1DB38AA568B60

Function 00721C34 Relevance: 7.7, Strings: 6, Instructions: 191COMMON

Download Yara Rule

Strings

data%\Electrum\wallets\, xrefs: 00721DFE
,mbhd.spvchain,mbhd.yaml, xrefs: 00721DF0
ins\Electrum, xrefs: 00721D8A, 00721DAE
exit, xrefs: 00721D40
Exodus, xrefs: 00721D5E
UTC*, xrefs: 00721D6F

Memory Dump Source

Source File: 00000000.00000002.3479928360.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.3479914014.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479948472.000000000072B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479963671.000000000072D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479978858.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID: ,mbhd.spvchain,mbhd.yaml$Exodus$UTC*$data%\Electrum\wallets\$exit$ins\Electrum
API String ID: 0-690556046
Opcode ID: 5873eb55c2e2e872ceab74e2eab54535c35fd10706b756ce95416634a567dc37
Instruction ID: 1d7257047c1bcff6a95f1405b1c721e778302bad21375bc4e32d6c3b609f8bc6
Opcode Fuzzy Hash: 5873eb55c2e2e872ceab74e2eab54535c35fd10706b756ce95416634a567dc37
Instruction Fuzzy Hash: 4C610A75A00119DFDB00EB98EC86ADEB7F8FF59710F518461F414E72A1DB38AE468B60

Function 0071AF94 Relevance: 7.7, Strings: 6, Instructions: 155COMMON

Download Yara Rule

Strings

PATH, xrefs: 0071B123
fda\, xrefs: 0071AFA6
ppdata%\Electrum-LTC\wallets\, xrefs: 0071AFDE
ta%\Electrum\wallets\, xrefs: 0071B08C
hd.checkpoints,mbhd.spvchain,mbhd.yaml, xrefs: 0071B079
PPDATA%\Ethereum\keystore\, xrefs: 0071B018

Memory Dump Source

Source File: 00000000.00000002.3479928360.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.3479914014.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479948472.000000000072B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479963671.000000000072D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479978858.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID: PATH$PPDATA%\Ethereum\keystore\$fda\$hd.checkpoints,mbhd.spvchain,mbhd.yaml$ppdata%\Electrum-LTC\wallets\$ta%\Electrum\wallets\
API String ID: 0-289230334
Opcode ID: 92cfacadfb0497472008180ad6ccc0fd7f4fdfd5523936e36d305f61d3e64743
Instruction ID: 75ebf8551eb977cce3f5f4326380fbbac5ce59212f9e7dfd472885e60c917b48
Opcode Fuzzy Hash: 92cfacadfb0497472008180ad6ccc0fd7f4fdfd5523936e36d305f61d3e64743
Instruction Fuzzy Hash: 1A51EE7561120CEFCB00EB98D885DDEB7B9FF49310F508162F400A72A5DB78AE99CB55

Function 0071CE08 Relevance: 6.7, Strings: 5, Instructions: 430COMMON

Download Yara Rule

Strings

Jaxx\Local Storage\, xrefs: 0071D2D7
t.txt, xrefs: 0071CE75
d.spvchain,mbhd.yaml, xrefs: 0071CEA7, 0071CF5C, 0071CFD0
s\Electrum-LTC, xrefs: 0071CEF8, 0071D3FA
eystore\, xrefs: 0071CE4F

Memory Dump Source

Source File: 00000000.00000002.3479928360.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.3479914014.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479948472.000000000072B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479963671.000000000072D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479978858.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID: Jaxx\Local Storage\$d.spvchain,mbhd.yaml$eystore\$s\Electrum-LTC$t.txt
API String ID: 0-3607622169
Opcode ID: 9356433cf268f4d39cc4ae2a2ea6352c0f8df85a333eae87e40847b34882fcbc
Instruction ID: 4df6dd4fe2ffac7d3fe0e0d4abc47e15811a8f19f07f43f916259adbc44546b8
Opcode Fuzzy Hash: 9356433cf268f4d39cc4ae2a2ea6352c0f8df85a333eae87e40847b34882fcbc
Instruction Fuzzy Hash: 08021875A4015DEBDB11EB98CC81EDEB3B9EF48300F5080A5E548A72A5DB78AEC5CF50

Function 0072313C Relevance: 6.5, Strings: 5, Instructions: 222COMMON

Download Yara Rule

Strings

data%\Electrum\wallets\, xrefs: 0072336B
,mbhd.spvchain,mbhd.yaml, xrefs: 0072335D
ins\Electrum, xrefs: 007232A6, 007232C2, 007232DE
exit, xrefs: 00723248
UTC*, xrefs: 0072326F

Memory Dump Source

Source File: 00000000.00000002.3479928360.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.3479914014.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479948472.000000000072B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479963671.000000000072D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479978858.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID: ,mbhd.spvchain,mbhd.yaml$UTC*$data%\Electrum\wallets\$exit$ins\Electrum
API String ID: 0-1978866652
Opcode ID: b1d7b3f8a5da9693828ff077676246cf63916bea90a5198def4265da0d788dc0
Instruction ID: f109a66acff788062fe421b31fee4cdb5ca69a64170ff4c0680c5294a9d824f6
Opcode Fuzzy Hash: b1d7b3f8a5da9693828ff077676246cf63916bea90a5198def4265da0d788dc0
Instruction Fuzzy Hash: 0181E975A00119EFDB00EB98EC86ADEB7F9EF49710F508421F514F72A1DB38AA568B50

Function 00723574 Relevance: 6.5, Strings: 5, Instructions: 222COMMON

Download Yara Rule

Strings

data%\Electrum\wallets\, xrefs: 007237A3
,mbhd.spvchain,mbhd.yaml, xrefs: 00723795
ins\Electrum, xrefs: 007236DE, 007236FA, 00723716
exit, xrefs: 00723680
UTC*, xrefs: 007236A7

Memory Dump Source

Source File: 00000000.00000002.3479928360.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.3479914014.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479948472.000000000072B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479963671.000000000072D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479978858.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID: ,mbhd.spvchain,mbhd.yaml$UTC*$data%\Electrum\wallets\$exit$ins\Electrum
API String ID: 0-1978866652
Opcode ID: 4b73bdaec99fbd168e17efccccca8668c3d052e65660b274ecdcb70e1f41b310
Instruction ID: cee621c0dd3ff109b2633983ed1edda67f3fe5581ab13acba59b7cfe48946584
Opcode Fuzzy Hash: 4b73bdaec99fbd168e17efccccca8668c3d052e65660b274ecdcb70e1f41b310
Instruction Fuzzy Hash: 6681FB71A00119EFDB00EBE8DC869DEB7F9EF49300F508461F514E72A1DB38AA568B50

Function 00726A3C Relevance: 6.4, Strings: 5, Instructions: 116COMMON

Download Yara Rule

Strings

\wallet.dat, xrefs: 00726ACA, 00726B11
trum.dat, xrefs: 00726B2F
DATA%\, xrefs: 00726A88
ctrum.dat, xrefs: 00726B52
.wallet, xrefs: 00726AA4

Memory Dump Source

Source File: 00000000.00000002.3479928360.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.3479914014.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479948472.000000000072B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479963671.000000000072D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479978858.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID: .wallet$DATA%\$\wallet.dat$ctrum.dat$trum.dat
API String ID: 0-3830553732
Opcode ID: d980aec7b0a03860465097cd3ae5d5107f4e10b07f7d3e09bbcb48c4d60bb40d
Instruction ID: cd68541f55466c713f2642ab596887d44f8b514f25ccde9184952dd88a22b334
Opcode Fuzzy Hash: d980aec7b0a03860465097cd3ae5d5107f4e10b07f7d3e09bbcb48c4d60bb40d
Instruction Fuzzy Hash: 6B410D74A1011CDBCF01EBE8E886ECDB7B9EF49700F508136F500BB295D678A94A9B55

Function 00726A44 Relevance: 6.4, Strings: 5, Instructions: 114COMMON

Download Yara Rule

Strings

\wallet.dat, xrefs: 00726ACA, 00726B11
trum.dat, xrefs: 00726B2F
DATA%\, xrefs: 00726A88
ctrum.dat, xrefs: 00726B52
.wallet, xrefs: 00726AA4

Memory Dump Source

Source File: 00000000.00000002.3479928360.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.3479914014.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479948472.000000000072B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479963671.000000000072D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479978858.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID: .wallet$DATA%\$\wallet.dat$ctrum.dat$trum.dat
API String ID: 0-3830553732
Opcode ID: 2e4dc49cab49a537e2df4e759f966711864a2333f51b134e7de13c2114a0ac05
Instruction ID: a138484d63333a982ca48acd351935311f26204494c2513cc095cfc366dd98da
Opcode Fuzzy Hash: 2e4dc49cab49a537e2df4e759f966711864a2333f51b134e7de13c2114a0ac05
Instruction Fuzzy Hash: F0411B74A1011CDBCF00EBE8E886ECDB7B9EF49700F508136F500B7295DB78A94A8B55

Function 0071CABA Relevance: 5.2, Strings: 4, Instructions: 184COMMON

Download Yara Rule

Strings

s\MultiBitHD, xrefs: 0071CAEA
hd.wallet.aes,mbhd.checkpoints,mbhd.spvchain,mbhd.yaml, xrefs: 0071CB37
TA%\Exodus\, xrefs: 0071CB6B
al Storage\, xrefs: 0071CB4F

Memory Dump Source

Source File: 00000000.00000002.3479928360.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.3479914014.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479948472.000000000072B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479963671.000000000072D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479978858.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID: TA%\Exodus\$al Storage\$hd.wallet.aes,mbhd.checkpoints,mbhd.spvchain,mbhd.yaml$s\MultiBitHD
API String ID: 0-3699915224
Opcode ID: 62e0272f5f876a28340e439fdea8b8e6aaa01a403c39651f9aa25b48455577ea
Instruction ID: fd415803c8d4c3d2740daa117481da932d9eb6137b6182f8a8630a1b35825baa
Opcode Fuzzy Hash: 62e0272f5f876a28340e439fdea8b8e6aaa01a403c39651f9aa25b48455577ea
Instruction Fuzzy Hash: D561DBB5A40209DFDB10EFA8CC85EDEB7B9BF48700F504565E904E7291E738ED858BA4

Function 0071CABC Relevance: 5.2, Strings: 4, Instructions: 183COMMON

Download Yara Rule

Strings

s\MultiBitHD, xrefs: 0071CAEA
hd.wallet.aes,mbhd.checkpoints,mbhd.spvchain,mbhd.yaml, xrefs: 0071CB37
TA%\Exodus\, xrefs: 0071CB6B
al Storage\, xrefs: 0071CB4F

Memory Dump Source

Source File: 00000000.00000002.3479928360.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.3479914014.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479948472.000000000072B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479963671.000000000072D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479978858.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID: TA%\Exodus\$al Storage\$hd.wallet.aes,mbhd.checkpoints,mbhd.spvchain,mbhd.yaml$s\MultiBitHD
API String ID: 0-3699915224
Opcode ID: 610a593135404ba5af211002659c3153a17410b9efee0089040be2ab2a5da6f0
Instruction ID: 99d3e9d3805ba9f5235edff57a455a943da03875b5e80f2363127f9e40408153
Opcode Fuzzy Hash: 610a593135404ba5af211002659c3153a17410b9efee0089040be2ab2a5da6f0
Instruction Fuzzy Hash: 0C61ECB5A40209DFDB10EFA8CC85EDEB7B9BF48700F504565E904E7291E738ED858BA4

Function 0071A828 Relevance: 5.2, Strings: 4, Instructions: 177COMMON

Download Yara Rule

Strings

Coins, xrefs: 0071A926
DATA%\Jaxx\Local Storage\, xrefs: 0071A847
ins\Ethereum, xrefs: 0071A84D
.seco, xrefs: 0071A94F

Memory Dump Source

Source File: 00000000.00000002.3479928360.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.3479914014.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479948472.000000000072B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479963671.000000000072D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479978858.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID: .seco$Coins$DATA%\Jaxx\Local Storage\$ins\Ethereum
API String ID: 0-1625577034
Opcode ID: 6ed4c799c54a57a29a14737595b1cfbd898c4cf70045a1530effe916b5dc2030
Instruction ID: b9460524c9d6c59b618cb55f5b012f1a66b1abf6d58e56935d924021e7d8931d
Opcode Fuzzy Hash: 6ed4c799c54a57a29a14737595b1cfbd898c4cf70045a1530effe916b5dc2030
Instruction Fuzzy Hash: 4361FA75A0010DDFCB00EB9CD895ADEB3B5EF88300F608165E910A72D5DB79EE9A8B51

Function 0071C058 Relevance: 5.2, Strings: 4, Instructions: 161COMMON

Download Yara Rule

Strings

\Local Storage\, xrefs: 0071C15A
torage\, xrefs: 0071C169
%\Electrum-LTC\wallets\, xrefs: 0071C0BD
in,mbhd.yaml, xrefs: 0071C145

Memory Dump Source

Source File: 00000000.00000002.3479928360.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.3479914014.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479948472.000000000072B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479963671.000000000072D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479978858.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID: %\Electrum-LTC\wallets\$\Local Storage\$in,mbhd.yaml$torage\
API String ID: 0-3118673763
Opcode ID: eaf9120c493ea99052ca7bd34383c6ba3a330bcf82d25a6f87945bab5a843c68
Instruction ID: ccfe07244cb7b384a7a469f4aafbc5ca743c6d1d751c05652895ffab33c9ff6d
Opcode Fuzzy Hash: eaf9120c493ea99052ca7bd34383c6ba3a330bcf82d25a6f87945bab5a843c68
Instruction Fuzzy Hash: 3A515F74A44248AFDB01DBACCC81BDEB7F8EF49300F5140A6F510E7291DB78AA45CB65

Function 0071CE01 Relevance: 5.2, Strings: 4, Instructions: 152COMMON

Download Yara Rule

Strings

t.txt, xrefs: 0071CE75
d.spvchain,mbhd.yaml, xrefs: 0071CEA7, 0071CF5C
s\Electrum-LTC, xrefs: 0071CEF8, 0071D3FA
eystore\, xrefs: 0071CE4F

Memory Dump Source

Source File: 00000000.00000002.3479928360.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.3479914014.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479948472.000000000072B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479963671.000000000072D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479978858.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID: d.spvchain,mbhd.yaml$eystore\$s\Electrum-LTC$t.txt
API String ID: 0-1904069603
Opcode ID: 525d33380a5b65fd9562302a0286466969b885d7c556c5dcd3a8506e632f04e7
Instruction ID: f2bf34abdaf5d904fad3069983f4266a5ed47965683a7a4f098c9cbd578558d2
Opcode Fuzzy Hash: 525d33380a5b65fd9562302a0286466969b885d7c556c5dcd3a8506e632f04e7
Instruction Fuzzy Hash: 40512C74600149DFDB11EB98DC81ADAB3F9FB49300F5080A2E914E72A1DB78EE89CF50

Function 0071C07C Relevance: 5.1, Strings: 4, Instructions: 144COMMON

Download Yara Rule

Strings

\Local Storage\, xrefs: 0071C15A
torage\, xrefs: 0071C169
%\Electrum-LTC\wallets\, xrefs: 0071C0BD
in,mbhd.yaml, xrefs: 0071C145

Memory Dump Source

Source File: 00000000.00000002.3479928360.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.3479914014.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479948472.000000000072B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479963671.000000000072D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479978858.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID: %\Electrum-LTC\wallets\$\Local Storage\$in,mbhd.yaml$torage\
API String ID: 0-3118673763
Opcode ID: 7a0632cb3a6baa776019c600cb9a4e8a52406ae4fdb57cceb19197da54869e2f
Instruction ID: f5ae1165c07b557cd4fe7a0f37b7d4d4fe88dbd2a17112df447aacce4a1bfbdc
Opcode Fuzzy Hash: 7a0632cb3a6baa776019c600cb9a4e8a52406ae4fdb57cceb19197da54869e2f
Instruction Fuzzy Hash: 67510975A40209AFDB11DBACDC81BEEB7F8EB48300F504065F914E7291DB78EE458B69

Function 0071F54D Relevance: 5.1, Strings: 4, Instructions: 113COMMON

Download Yara Rule

Strings

tocol>, xrefs: 0071F593
ins\Electrum, xrefs: 0071F574
DATA%\.purple\accounts.xml, xrefs: 0071F5EA
mbhd.checkpoints,mbhd.spvchain,mbhd.yaml, xrefs: 0071F61E

Memory Dump Source

Source File: 00000000.00000002.3479928360.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.3479914014.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479948472.000000000072B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479963671.000000000072D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479978858.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID: DATA%\.purple\accounts.xml$ins\Electrum$mbhd.checkpoints,mbhd.spvchain,mbhd.yaml$tocol>
API String ID: 0-2942295163
Opcode ID: aae3af4dfd6985d4375a90b8e14ba1fb40ea47475fc912c4ec96161ed906e7de
Instruction ID: 80b444a53499dee784e499bae4cc8867942d2f7ecdcee2c26b0b9fb9e09a155c
Opcode Fuzzy Hash: aae3af4dfd6985d4375a90b8e14ba1fb40ea47475fc912c4ec96161ed906e7de
Instruction Fuzzy Hash: 2F413C30A0010CDFDB00EB98DC46ADEB7B9EF49700F518431F814A76E5DB38AE9A8A50

Function 00717E28 Relevance: 5.1, Strings: 4, Instructions: 107COMMON

Download Yara Rule

Strings

eco, xrefs: 00717E6D, 00717E98
PPDATA%\Jaxx\Local Storage\, xrefs: 00717E83, 00717EAE
bhd.spvchain,mbhd.yaml, xrefs: 00717EFF
wordsList.txt, xrefs: 00717F19

Memory Dump Source

Source File: 00000000.00000002.3479928360.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.3479914014.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479948472.000000000072B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479963671.000000000072D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479978858.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID: PPDATA%\Jaxx\Local Storage\$bhd.spvchain,mbhd.yaml$eco$wordsList.txt
API String ID: 0-3548171622
Opcode ID: 4a8171a6575cc5a4c997b204da59f834ca37514da0b0cf06cb80e6631647df48
Instruction ID: 93fb2000529905fad29f21b159cfd10d2cf683ab59946be4a8f03ad353b58c78
Opcode Fuzzy Hash: 4a8171a6575cc5a4c997b204da59f834ca37514da0b0cf06cb80e6631647df48
Instruction Fuzzy Hash: 8331E375A04208EFDB10DBA8DC92FAEB7F8EB49710F504065F614E72A0DB34AE45CB65

Function 00717510 Relevance: 5.1, Strings: 4, Instructions: 56COMMON

Download Yara Rule

Strings

seKey, xrefs: 00717550
PPDATA%\Jaxx\Local Storage\, xrefs: 0071753B
wordsList.txt, xrefs: 00717580
egOpenKeyExW, xrefs: 00717577

Memory Dump Source

Source File: 00000000.00000002.3479928360.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.3479914014.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479948472.000000000072B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479963671.000000000072D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479978858.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID: PPDATA%\Jaxx\Local Storage\$egOpenKeyExW$seKey$wordsList.txt
API String ID: 0-3490427872
Opcode ID: 1b07d0babfa285a713f1dab987cf574027772886e20d2653806d018c23c60002
Instruction ID: c3ef3b065815916ec39c56a69ebbea59e9f188e648150f175da6dd553463fae3
Opcode Fuzzy Hash: 1b07d0babfa285a713f1dab987cf574027772886e20d2653806d018c23c60002
Instruction Fuzzy Hash: 37110C71A44308AFD710DB9CDC92F89B7F8EB49714F2081A4F518E72D0D7756A508B54

Function 0071750C Relevance: 5.0, Strings: 4, Instructions: 47COMMON

Download Yara Rule

Strings

seKey, xrefs: 00717550
PPDATA%\Jaxx\Local Storage\, xrefs: 0071753B
wordsList.txt, xrefs: 00717580
egOpenKeyExW, xrefs: 00717577

Memory Dump Source

Source File: 00000000.00000002.3479928360.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.3479914014.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479948472.000000000072B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479963671.000000000072D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3479978858.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID: PPDATA%\Jaxx\Local Storage\$egOpenKeyExW$seKey$wordsList.txt
API String ID: 0-3490427872
Opcode ID: 90ebcd33a91d7c4f3a1f56f093e93d76b4bf3b62df1a542858866db0a1e3aefd
Instruction ID: 6fd32f4ec9b39a7e2ba6eb4d9cae57ca6dde4afaa87c4d80cb3d2fcccdfb0cf4
Opcode Fuzzy Hash: 90ebcd33a91d7c4f3a1f56f093e93d76b4bf3b62df1a542858866db0a1e3aefd
Instruction Fuzzy Hash: 40011AB1A44304AFD760CFACDC92F8AB7F8EB49710F1081A4F524E72E0D778AA048B14

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_b7ec1b37f5bdf9de2faad2aaaca2b15765533cd8_02bbd8d5_5f6ab712-a5ae-4c3e-8d69-92f3de4241c6\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB203.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB232.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB262.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Network Behavior

UDP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Windows Analysis Report
file.exe