Edit tour

Windows Analysis Report
xin.exe

Overview

General Information

Sample name:	xin.exe
Analysis ID:	1524235
MD5:	6cd2bc8e57214a9143084b8cad228c75
SHA1:	b71d3c77d96604c904702b45904b72b889808125
SHA256:	fd1da56c56e1143d0b08fe9e139075d8c2d9d5ba70117c9ef6a2f9e715198e37
Tags:	exeuser-aachum
Infos:

Detection

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

.NET source code contains very large array initializations

.NET source code references suspicious native API functions

AI detected suspicious sample

Allocates memory in foreign processes

Contains functionality to inject code into remote processes

Injects a PE file into a foreign processes

Machine Learning detection for sample

Reads the System eventlog

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables security privileges

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

xin.exe (PID: 7568 cmdline: "C:\Users\user\Desktop\xin.exe" MD5: 6CD2BC8E57214A9143084B8CAD228C75)

conhost.exe (PID: 7576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 7728 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: xin.exe

ReversingLabs: Detection: 55%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.7% probability

Machine Learning detection for sample

Source: xin.exe

Joe Sandbox ML: detected

Source: xin.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: xin.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: xin.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: xin.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: xin.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: xin.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: xin.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: xin.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: xin.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: xin.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: xin.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: xin.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: xin.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: xin.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: xin.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: xin.exe	String found in binary or memory: http://www.digicert.com/CPS0

Spam, unwanted Advertisements and Ransom Demands

Reads the System eventlog

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System

Jump to behavior

System Summary

.NET source code contains very large array initializations

Source: xin.exe, MoveAngles.cs	Large array initialization: MoveAngles: array initializer size 450048
Source: 0.2.xin.exe.3e35570.0.raw.unpack, Strings.cs	Large array initialization: Strings: array initializer size 6160

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0515D608		3_2_0515D608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0515DF11		3_2_0515DF11

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process token adjusted: Security

Jump to behavior

Source: xin.exe

Static PE information: invalid certificate

Source: xin.exe, 00000000.00000002.1439477835.0000000003E35000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameHederal.exe" vs xin.exe
Source: xin.exe, 00000000.00000002.1437001628.0000000000F1E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs xin.exe

Source: xin.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: xin.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.xin.exe.3e35570.0.raw.unpack, PBE.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.xin.exe.3e35570.0.raw.unpack, PBE.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.xin.exe.3e35570.0.raw.unpack, Strings.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.xin.exe.3e35570.0.raw.unpack, TripleDes.cs	Cryptographic APIs: 'CreateDecryptor'

Source: 0.2.xin.exe.3e35570.0.raw.unpack, Strings.cs

Base64 encoded string: 'Gg0hLjoEMyo4eS8eAzEzEzwmGi0UCz8aLiolAC9GBSc6DD9CGiU+GCQuWCshIVgjO1ozGTgmDi8hNVlU'

Source: classification engine

Classification label: mal84.evad.winEXE@4/2@0/0

Source: C:\Users\user\Desktop\xin.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\xin.exe.log

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7576:120:WilError_03

Source: xin.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: xin.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\xin.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: xin.exe

ReversingLabs: Detection: 55%

Source: unknown	Process created: C:\Users\user\Desktop\xin.exe "C:\Users\user\Desktop\xin.exe"
Source: C:\Users\user\Desktop\xin.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\xin.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\xin.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior

Source: C:\Users\user\Desktop\xin.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\xin.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\xin.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\xin.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\xin.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\xin.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\xin.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: textshaping.dll	Jump to behavior

Source: xin.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: xin.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: xin.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: xin.exe

Static PE information: real checksum: 0x78249 should be: 0x760f2

Source: C:\Users\user\Desktop\xin.exe	Code function: 0_2_02E32C09 pushad ; retn 0071h		0_2_02E32C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0515BE49 push C00508E7h; iretd		3_2_0515BE55

Source: xin.exe

Static PE information: section name: .text entropy: 7.996829369194556

Source: 0.2.xin.exe.3e35570.0.raw.unpack, AesFastEngine.cs	High entropy of concatenated method names: 'Shift', 'FFmulX', 'Inv_Mcol', 'SubWord', 'GenerateWorkingKey', 'Init', 'GetBlockSize', 'ProcessBlock', 'Reset', 'UnPackBlock'
Source: 0.2.xin.exe.3e35570.0.raw.unpack, UserExt.cs	High entropy of concatenated method names: '_003CDomainExists_003Eb__2', 'GAInXb1qTgvQOvf8KJ4', 'LKEH8R1pMCS1a4IQ0dd', 'SZ2y2I1ZfeGKq7mXdOB', 'avIhFc1kGEBjtqdoevi', 'DomainExists', 'PreCheck', 'f1ZkOtF1Uy5DHm2EtRf', 'p7Ig5vF5JcTglN3OtHO', 'DrJymHFnAUFto8kDf38'
Source: 0.2.xin.exe.3e35570.0.raw.unpack, Tables8kGcmMultiplier.cs	High entropy of concatenated method names: 'Init', 'MultiplyH', 'LpmMGPiUXOMjht9aASa', 'iw0rwDiaiaHjyQ9ZQ4Z', 'Y3BN5DiLo28roh6cXwo', 'do8s0SiZnxJK7WVjmhK', 'ahvks6ikhVTptv8Rexb', 'v0n1agiCGjEiyswvwuC', 'bLZCF7irKcG06cvTDCw', 'X5QcSiiqGxGThEJmNu4'
Source: 0.2.xin.exe.3e35570.0.raw.unpack, StringDecrypt.cs	High entropy of concatenated method names: 'Xor', 'FromBase64', 'BytesToStringConverted', 'Read', 'FHwCvVP4DxkintHJqdc', 'jEpDBlPRXXbQ59tSVh4', 'Wmp4ewPJ4SdFRPF9r9j', 'eNDMMoPSgrtheMynHN6', 'g6LDtRPEIy6t9hG9Usx', 'mW5XHrPOA6iqsYhCrGG'
Source: 0.2.xin.exe.3e35570.0.raw.unpack, Form1.cs	High entropy of concatenated method names: '_003CReadLine_003Eb__2_0', 'TEy5og170yM3gmDDaXM', 'zBrNyX1orS97yY5fGW5', 'b2ca251JSMtOgW2sWLx', 'GcrWd31S29oktkDp7fL', 'Form1_Load', 'ReadLine', 'Dispose', 'InitializeComponent', 'UdEF99FtYYTbhTTheLB'
Source: 0.2.xin.exe.3e35570.0.raw.unpack, FieldRoot13.cs	High entropy of concatenated method names: '_003C_002Ecctor_003Eb__0', '_003C_002Ecctor_003Eb__1', 'ixF2do12oqmIg7jAddT', 'nEK3b51ckeHKSCYHf5f', 'whrBfI1vxQPCqg8x8gO', '_003CField23_003Eb__0', 'SrPOGf1P10iyfvNL3Jq', 'VeO4Rg1xHxheqhKdHsU', '_003CGetText_003Eb__0', 'oneMeR1K2QrZCsDY9JZ'
Source: 0.2.xin.exe.3e35570.0.raw.unpack, AesGcm256.cs	High entropy of concatenated method names: 'Decrypt', 'Decrypt', 'cum62dPtu91Y0FF2taj', 'SyIwA6PWTEGq89mnepj', 'TYxaZwPGtaou3lId2SK', 'MdBBThPlxa65Ng1RpqU', 'yJuTwhPCAkEMPVlDm8Q', 'vIaUJlPrq2B97QmoBBv', 'yKNZHIPUQiAJYK4IeHb', 'FQcN2HPaPD5kHcM6e4A'
Source: 0.2.xin.exe.3e35570.0.raw.unpack, PBKDF2.cs	High entropy of concatenated method names: 'GetBytes', 'Func', 'GetBytesFromInt', 'PAVIqwn0R7u5ClGPIj6', 'zYeEVfnHDgHkc2OaTWe', 'EQOiHVnwhCrt0O8Iy3l', 'adRXIinTyMXbKxUaoNB', 'GwEcTWny8rBW2ViwGOP', 's7FuGcnNGag66dj6t0J', 'I23sHNnYAffnE56Ms0r'
Source: 0.2.xin.exe.3e35570.0.raw.unpack, Asn1Der.cs	High entropy of concatenated method names: 'Parse', 'rKQdSQnUcWUwfLyRpLt', 'fmtcTSnaET38j2W0UXY', 'NRWJtSnLonJWn3EBcyZ', 'nHwS4JnZBsL51bnXuSA', 'iaJ39qnkq9y2HYjsr1C', 'LDVPYenq21VeH9373Bs', 'dLo8CXnC5K8Zw3VSpju', 'iXNEBknryPsl0gmccG1'
Source: 0.2.xin.exe.3e35570.0.raw.unpack, FieldRoot25.cs	High entropy of concatenated method names: 'Field2', 'Field3', 'sPBGU3v0GHQxbPZbG6p', 'EbGcMbvHihImJQVNVkn', 'Qq9qSFvyP604TgYldu9', 'mJvwUqvNr6o3TR0R8oY', 'FJJc4LvYnQdCL88ZPP9', 'IZdvDQv9qjMTBOaYP2e', 'ToKrjovD4V3GhgIXOcE', 'yh31Tov3nqFVEfBCKL0'
Source: 0.2.xin.exe.3e35570.0.raw.unpack, FieldRoot20.cs	High entropy of concatenated method names: 'Field1', 'Field5', 'Field2', 'Field3', 'Field4', 'Key4Database', 'Key3Database', 'aRyZexcVQZI3JbYoBK3', 'y03y7ecWFKREB905SPO', 'mYuOjscGoBE9TWhPw5S'
Source: 0.2.xin.exe.3e35570.0.raw.unpack, BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO.cs	High entropy of concatenated method names: 'Dispose', 'Ot7kSbnFcl5ebkWV7OD', 'oR3ub1nhZwcoK97Sdrb', 'SRXiUGnilrDy1g5hMRG', 'm4MHqqnPDfkeMPgcqAv', 'uJ9JTrn2mQy08CKH1sA', 'zn8H3rnM3UHBDjFYPrU', 'd2ykmAnxgCYA9wo4QUu', 'a8A3SIndc80ZVGH7sYB'
Source: 0.2.xin.exe.3e35570.0.raw.unpack, FieldRootReaderSql.cs	High entropy of concatenated method names: '_003C_002Ector_003Eb__9_0', 'dMyv5O1arIGQRsu18mx', 'q2cbFd1r5AUWvLmMX5w', 'kKnHi61UZ5nW5Jgk9LE', 'GatherValue', 'ReadMasterOfContext', 'ReadContextTable', 'GetOffset', 'ReadContextValue', 'ConvertToULong'
Source: 0.2.xin.exe.3e35570.0.raw.unpack, Extembus.cs	High entropy of concatenated method names: 'ExpandEnvironmentVariable', 'RF', 'RFAT', 't64agdMJweLt6NEKvTw', 'qUsqHlMS7whMl7n9e8P', 'mFSuRYM7N1BoHpEuET4', 't4jHngMoZx3pAHYKwTf', 'xnPBWMMu19OuGDuTdbs', 'QprdIwMm1irLO61gVIO', 'AUHwO4MskFeGERBK8xr'
Source: 0.2.xin.exe.3e35570.0.raw.unpack, GcmBlockCipher.cs	High entropy of concatenated method names: 'GetBlockSize', 'Init', 'GetMac', 'GetOutputSize', 'GetUpdateOutputSize', 'ProcessByte', 'ProcessBytes', 'Process', 'DoFinal', 'Reset'
Source: 0.2.xin.exe.3e35570.0.raw.unpack, Strings.cs	High entropy of concatenated method names: 'Init', 'Decrypt', 'Get', 'jUiOmTdGb0DiEdHq2J8', 'A1c5lXdtZc3wYJmhX5R', 'iXxrn3dlc0ZRLVjZjX3', 'IHcZoFdVEqHS1ZtYBji', 'Si3OOudWk86RdLVhaV7', 'Qn8ayydC6R6itq10A4i', 'yIcnOSdr342yV4MPlpZ'
Source: 0.2.xin.exe.3e35570.0.raw.unpack, ComInvoker.cs	High entropy of concatenated method names: 'Failed', 'g3yWUc1mxK92aLsy0K8', 'VCjRhh1sVymJrS0V7AN', 'RunRecoveryCRXElevated', 'EncryptData', 'DecryptData', 'DecryptData', 'ByteArrayToBSTR', 'BSTRToByteArray', 'SysAllocStringByteLen'
Source: 0.2.xin.exe.3e35570.0.raw.unpack, SystemInfoHelper.cs	High entropy of concatenated method names: '_003CCloseBrowser_003Eb__1', 'JvPPjn59wLg68wJxUIl', 'P6ckLo5NNqfOI9gqmL3', 'gvCIKi5Yvafq7Nj9tjp', '_003CCloseBrowser_003Eb__1_0', '_003CFindProc_003Eb__9_0', '_003CListOfPrograms_003Eb__10_0', '_003CAvailableLanguages_003Eb__11_0', 'RlRtaO584BFatgNEbc3', 'egOQii5BgYehFDVI8C1'
Source: 0.2.xin.exe.3e35570.0.raw.unpack, FieldRoot27.cs	High entropy of concatenated method names: '_003CField4_003Eb__0', 'WNASsS6BKWnk0ElrakQ', 'U4QtWC6zyA0CJbE6gcs', 'LIJvaE6bdL39J80O3Tu', 'ns9VeG683qLiiBtSAeh', 'Field2', 'Field3', 'Field4', 'G5M06t229LsMWPZXrJY', 'YAZLU52MMHD89GQwyuc'
Source: 0.2.xin.exe.3e35570.0.raw.unpack, FieldRoot23.cs	High entropy of concatenated method names: 'Field2', 'Field3', 'IdY8AIvpUskxRW3xf8l', 'lSrghJvEMqIQ3BbYDo0', 'tdpZksvOiSOiB5QF2Xl', 'q891niv4WTkN6YldDF5', 'o5OGoKvR7Le93njGkS4', 'JsZJY4vkUt4ESh6KOWM', 'c4aCjRvqrmj8uGXS9Ja'
Source: 0.2.xin.exe.3e35570.0.raw.unpack, DeviceMonitor.cs	High entropy of concatenated method names: 'CaptureScreen', 'CaptureWindow', 'MonitorSize', 'GetImageBase', 'ConvertToBytes', 'dPL4rex2KOUa09N230h', 'OCGhmNxMPCmWsnFuBRX', 'AGh8VHxFFBZhHfGVpH6', 'JF6WGwxhMHC2J46Fej5', 'mAj84YxivgH6X2XpW4R'
Source: 0.2.xin.exe.3e35570.0.raw.unpack, Auhi.cs	High entropy of concatenated method names: 'I\u04341', 'I\u04342', 'I\u04343', 'I\u04344', 'fu81OQc0OZNbGrjnpSD', 'CXxCWJcw2vwreErUldI', 'niP0NCcTejbSCxyQLTs', 'UtTfVBcH83pLiLPTqUW', 'aqXwiXcyal7J2LsIsJr', 'jA5NoCcNWbAhLNBlY3l'
Source: 0.2.xin.exe.3e35570.0.raw.unpack, API.cs	High entropy of concatenated method names: 'Func', 'm1', 'm2', 'm3', 'm4', 'm7', 'm8', 'm9', 'm10', 'm11'
Source: 0.2.xin.exe.3e35570.0.raw.unpack, WinApiFile.cs	High entropy of concatenated method names: 'Open', 'Open', 'Open', 'Close', 'MoveFilePointer', 'MoveFilePointer', 'Read', 'Dispose', 'Dispose', 'ThrowLastWin32Err'
Source: 0.2.xin.exe.3e35570.0.raw.unpack, FileHelper.cs	High entropy of concatenated method names: 'Search', 'ChromeGetName', 'ChrRm', 'ChrLm', 'Y5wFwgdxvVxewA9i9UN', 'HDRIEFddsFCrMnxLMMm', 'JsygwidiPaagmIVwHhh', 'wpfux4dPfXiEPxuybYN', 'o8SYcTdQBHdFtCybK70', 'c5jKKqdnUyv2hAESfAF'
Source: 0.2.xin.exe.3e35570.0.raw.unpack, ContextSwitcher.cs	High entropy of concatenated method names: 'EnableAllTokenPrivileges', 'EnableAllTokenPrivileges', 'EnableTokenPrivileges', 'EnableTokenPrivileges', 'GetSystemProcessHandle', 'Lgp3M310uqcfcmQhlGQ', 'YSZC6Z1wE84x1mDL0Mx', 'GlZwYn1TG8k2Mdt6Vbn', 'CompareIgnoreCase', 'GetTokenPrivileges'
Source: 0.2.xin.exe.3e35570.0.raw.unpack, FieldRootRoot.cs	High entropy of concatenated method names: 'Field1', 'GR17OtvKdbtcEmLoCKr', 'FWL4NEvgXRcZHw7mkrU', 'WcPLyNvefxorrEpUU1D', 'hcLvsfvV1lEX2dkL3Ei', 'cYwVBlvW983O0vHRrIZ', 'HlaTlSvGcLrq0brJ03S', 'wVjCqOvtROeva0BLBnc', 'U43NwAv1W6L7eA1v9C7', 'SKg1VJv5u9SWpVkraBk'
Source: 0.2.xin.exe.3e35570.0.raw.unpack, FieldRoot19.cs	High entropy of concatenated method names: 'Field1', 'Field2', 'Field3', 'b1VMnpbjUuu288qkNK', 'cNpy0a8M8qjL7sGhVN', 'DwTZDKB0WwTa5wSgAZ', 'umFMDCzleup0Jxm0SV', 'x0V5VNcj3q9HcunemBu', 'NWYh75ccX5wlKPgwUv6', 'arTOYgcvm5IZFXK5IlF'
Source: 0.2.xin.exe.3e35570.0.raw.unpack, CryptoHelper.cs	High entropy of concatenated method names: 'GetDecoded', 'DecryptBlob', 'Encrypt', 'cryptUnprotectData', 'GetMd5Hash', 'GetHexString', 'kSkNVQhkNKIUdsZ6Ts6', 'wwW9PBhq1jxHJI9Mb92', 'dPDDINhpg5OLCEkUQKV', 'ksW4YXhEHHiBpl4nTTk'
Source: 0.2.xin.exe.3e35570.0.raw.unpack, EnvCheck.cs	High entropy of concatenated method names: 'IsTimeFastForwarded', 'IsFirstEventLogLessThanDayOld', 'H1u14txBnNG9n7ZcLUw', 'KQZ32gxzD2V2fGyQbkX', 'vr1njIdjA6JHlu1NImF', 'QUN3YqdcnQ5tG07WXey', 'X5VC4QdvXV7yN2xudWY', 'hxBXT7d2A61ba4TVCcp', 'W9UDhBdM3AbfCpy4UPO', 'ddEd7ldFXgK8H1nuNEs'
Source: 0.2.xin.exe.3e35570.0.raw.unpack, BerkeleyDB.cs	High entropy of concatenated method names: 'Extract', 'Hs6mhFh6JM0B0iMl9X5', 'hBEQ41h1NNCFrb3qddY', 'yuJ9Ieh5EZbSL1C33Zr', 'KUmGXRhKaELRUGJAF2i', 'ae3qTShgHxCY166nuNg', 'xCAIFbheCoSNxLLYxaL', 'JtwR3ihVFkCS5cYFIa1', 'FUqbFBhWWTsTT3le8xo', 'yqJV9hhGrKEpDD9GRuc'
Source: 0.2.xin.exe.3e35570.0.raw.unpack, StringExt.cs	High entropy of concatenated method names: 'ChangeType', 'StripQuotes', 'HexToBytes', 'hgEjetFiO4AqwDI0VZw', 'aIf5fTFFaIaB1wvM4y2', 'JhoZBEFhxKGNOaDYwnk', 'LTaxu9FPRJHIFdX0o98', 'oEUb0lFxa6cnao1y1bg', 'SBtsKEFdpuosxR6Xsii'
Source: 0.2.xin.exe.3e35570.0.raw.unpack, TripleDes.cs	High entropy of concatenated method names: 'ComputeVoid', 'Compute', 'DecryptStringDesCbc', 'DecryptByteDesCbc', 'becuyGPAKITmgVVvOYT', 'y4YMaxPfuZxhY94kcej', 'gjsuVePw3EYP0eAJE0U', 'LqAQ32PT67mYas8OyTN', 'sxX8AvP0QBWk07yQp8c', 'qwJivkPHuwmZum3mKo4'

Source: C:\Users\user\Desktop\xin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\xin.exe	Memory allocated: 1490000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\xin.exe	Memory allocated: 2E30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\xin.exe	Memory allocated: 4E30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: FD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 2AD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 4AD0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\xin.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\xin.exe TID: 7708	Thread sleep count: 294 > 30	Jump to behavior
Source: C:\Users\user\Desktop\xin.exe TID: 7708	Thread sleep count: 197 > 30	Jump to behavior
Source: C:\Users\user\Desktop\xin.exe TID: 7656	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7748	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\xin.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\xin.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: xin.exe, Program.cs	Reference to suspicious API methods: GetProcAddress(LoadLibraryA("kernel32.dll"), "VirtualProtectEx")
Source: xin.exe, Program.cs	Reference to suspicious API methods: GetProcAddress(LoadLibraryA("kernel32.dll"), "VirtualProtectEx")
Source: xin.exe, Program.cs	Reference to suspicious API methods: GetProcAddress(LoadLibraryA("kernel32.dll"), "VirtualProtectEx")
Source: 0.2.xin.exe.3e35570.0.raw.unpack, ContextSwitcher.cs	Reference to suspicious API methods: NativeMethods.OpenProcess(processAccessMask, bInheritHandle: false, process.Id)

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\xin.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\xin.exe

Code function: 0_2_02E32125 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,CreateProcessA,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_02E32125

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\xin.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\xin.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\xin.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\xin.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 450000	Jump to behavior
Source: C:\Users\user\Desktop\xin.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 472000	Jump to behavior
Source: C:\Users\user\Desktop\xin.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 9D3008	Jump to behavior

Source: C:\Users\user\Desktop\xin.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Jump to behavior

Source: C:\Users\user\Desktop\xin.exe	Queries volume information: C:\Users\user\Desktop\xin.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	411 Process Injection	1 Masquerading	OS Credential Dumping	31 Virtualization/Sandbox Evasion	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	12 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Software Packing	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	411 Process Injection	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Obfuscated Files or Information	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
xin.exe	55%	ReversingLabs	ByteCode-MSIL.Trojan.RedlineStealer
xin.exe	100%	Joe Sandbox ML

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1524235
Start date and time:	2024-10-02 17:18:21 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	xin.exe
Detection:	MAL
Classification:	mal84.evad.winEXE@4/2@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 31 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: xin.exe

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1119
Entropy (8bit):	5.345080863654519
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0Hj
MD5:	88593431AEF401417595E7A00FE86E5F
SHA1:	1714B8F6F6DCAAB3F3853EDABA7687F16DD331F4
SHA-256:	ED5E60336FB00579E0867B9615CBD0C560BB667FE3CEE0674F690766579F1032
SHA-512:	1D442441F96E69D8A6D5FB7E8CF01F13AF88CA2C2D0960120151B15505DD1CADC607EF9983373BA8E422C65FADAB04A615968F335A875B5C075BB9A6D0F346C9
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\xin.exe.log

Download File

Process:	C:\Users\user\Desktop\xin.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	425
Entropy (8bit):	5.353683843266035
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
MD5:	859802284B12C59DDBB85B0AC64C08F0
SHA1:	4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
SHA-256:	FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
SHA-512:	8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

Static File Info

General

File type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.992368290949023
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	xin.exe
File size:	470'904 bytes
MD5:	6cd2bc8e57214a9143084b8cad228c75
SHA1:	b71d3c77d96604c904702b45904b72b889808125
SHA256:	fd1da56c56e1143d0b08fe9e139075d8c2d9d5ba70117c9ef6a2f9e715198e37
SHA512:	1caa477c8535b145f00b6e05fa523692aae65ba7d5fe5c646a53024312cf922562ffef7394ce385876d2a297f71bc022a8135aaa0d2e949d0e5e2c1622752db6
SSDEEP:	6144:FRc5LRY9bXsJtSWtTcfgzwOl1YzzDeqiGOXs1fknwgBxwtZ4Z/AHqF8sfmqilXXn:Di2CrfNcaYrwOcVxwtydF0X4xidZ
TLSH:	67A42353494869F9F27E4A7632B0C869EF21E3532495F704A31FD60796A33D0372A6F4
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f................................. ... ....@.. .......................`......I.....`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x471cee
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66FCD984 [Wed Oct 2 05:26:28 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	22/09/2022 01:00:00 20/10/2023 00:59:59
Subject Chain	CN=Spotify AB, O=Spotify AB, L=Stockholm, C=SE, SERIALNUMBER=5567037485, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=SE
Version:	3
Thumbprint MD5:	EF8873EED657F2DFE432077ADBAB8AFB
Thumbprint SHA-1:	3F76C6CC576963831FF44303BFCB98113C51C95E
Thumbprint SHA-256:	890C79F427B0C07DEF096FF66A402E9337F0F2D80DACA1256A7F572F7720DBAA
Serial:	04C530703A210EC1D6F83CB4FE1118C5

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x71c98	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x72000	0x242	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x70600	0x2978
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x74000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x71b60	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x6fcf4	0x6fe00	ed0aea1baa5e24643eb7cf509f3e40ef	False	0.9948891410614525	data	7.996829369194556	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x72000	0x242	0x400	b52e89138cd238a327e786702e47c81a	False	0.3017578125	data	3.519498852464578	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x74000	0xc	0x200	4a72eef8b41e304299dc764c7e1d1082	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x72058	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Target ID:	0
Start time:	11:19:22
Start date:	02/10/2024
Path:	C:\Users\user\Desktop\xin.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\xin.exe"
Imagebase:	0xaa0000
File size:	470'904 bytes
MD5 hash:	6CD2BC8E57214A9143084B8CAD228C75
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	11:19:22
Start date:	02/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	11:19:24
Start date:	02/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x7c0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	19.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	30%
Total number of Nodes:	20
Total number of Limit Nodes:	0

Executed Functions

Function 02E32125 Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 282
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000000,00000000,00000000,00000000,00000004,00000000,00000000,02E32097,02E32087), ref: 02E32294
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 02E322A7
Wow64GetThreadContext.KERNEL32(000003A4,00000000), ref: 02E322C5
ReadProcessMemory.KERNELBASE(000003A8,?,02E320DB,00000004,00000000), ref: 02E322E9
VirtualAllocEx.KERNELBASE(000003A8,?,?,00003000,00000040), ref: 02E32314
WriteProcessMemory.KERNELBASE(000003A8,00000000,?,?,00000000,?), ref: 02E3236C
WriteProcessMemory.KERNELBASE(000003A8,00400000,?,?,00000000,?,00000028), ref: 02E323B7
WriteProcessMemory.KERNELBASE(000003A8,?,?,00000004,00000000), ref: 02E323F5
Wow64SetThreadContext.KERNEL32(000003A4,02DF0000), ref: 02E32431
ResumeThread.KERNELBASE(000003A4), ref: 02E32440

Strings

TerminateProcess, xrefs: 02E32323
ResumeThread, xrefs: 02E32261
VirtualAlloc, xrefs: 02E321EC
CreateProcessA, xrefs: 02E321D9
aryA, xrefs: 02E3216B
SetThreadContext, xrefs: 02E3224B
GetP, xrefs: 02E321A7
ReadProcessMemory, xrefs: 02E32212
VirtualAllocEx, xrefs: 02E32225
ress, xrefs: 02E321AF
WriteProcessMemory, xrefs: 02E32238
GetThreadContext, xrefs: 02E321FF
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, xrefs: 02E32293
Load, xrefs: 02E32163

Memory Dump Source

Source File: 00000000.00000002.1438320076.0000000002E31000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e31000_xin.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$CreateProcessA$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
API String ID: 2687962208-1257834847
Opcode ID: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction ID: 24094bb1c95811ecc82e57a2620303fa5def09e70e034d0ca77f847ca85b1c34
Opcode Fuzzy Hash: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction Fuzzy Hash: 37B1E67264024AAFDB60CF68CC80BDA77A5FF88714F158124EA0CAB341D774FA41CB94

Function 014D14E1 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 014D1568

Strings

>Y]@, xrefs: 014D1507

Memory Dump Source

Source File: 00000000.00000002.1438095957.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14d0000_xin.jbxd

Similarity

API ID: ProtectVirtual
String ID: >Y]@
API String ID: 544645111-722741048
Opcode ID: d3595b677c4efca7f9678f1b4dfc100c847583dd51e6034b6e5b4520eebefc3d
Instruction ID: 9e9a0f13a4cbe5de503949309482ecc52237b2542f14d75c62f1446bae248135
Opcode Fuzzy Hash: d3595b677c4efca7f9678f1b4dfc100c847583dd51e6034b6e5b4520eebefc3d
Instruction Fuzzy Hash: 2021FEB5C00249DFDB10DFAAD881AEEBBF0FF48310F54842AE959A7250C7799901CFA1

Function 014D14E8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 014D1568

Strings

>Y]@, xrefs: 014D1507

Memory Dump Source

Source File: 00000000.00000002.1438095957.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14d0000_xin.jbxd

Similarity

API ID: ProtectVirtual
String ID: >Y]@
API String ID: 544645111-722741048
Opcode ID: 9874edce13e0514cc0f476c5eb8da7c5e278f1ee01235b8d066cb5b25043ef3b
Instruction ID: 46013786c6f2d9b9af81f9e7d4b2cc4889fa53dbad9765b3181d7ead6135a209
Opcode Fuzzy Hash: 9874edce13e0514cc0f476c5eb8da7c5e278f1ee01235b8d066cb5b25043ef3b
Instruction Fuzzy Hash: 2B21E3B5900249DFDB10DFAAD881ADEFBF4FF48310F54842AE959A7250C779A904CFA1

Function 012DD01D Relevance: .0, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1437776787.00000000012DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12dd000_xin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 710016e9a5054149fd0e3672609aaa4a17e716e0285451a2fe8faa4e19af704f
Instruction ID: 71837d7bb8698c6ac4aede7d0fbc7f9e5ee1e0707000be6726dbd99f19da86c6
Opcode Fuzzy Hash: 710016e9a5054149fd0e3672609aaa4a17e716e0285451a2fe8faa4e19af704f
Instruction Fuzzy Hash: 1901F731414B489BF7105E59CC80B67BF98DF813A1F08C01AEE484A2C2C6799801C6B2

Function 012DD006 Relevance: .0, Instructions: 43
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1437776787.00000000012DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12dd000_xin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41f7dff293231c8331c8c77dc6e38b3cf2abf73a316c3062e84003515e49ce1c
Instruction ID: f387f81e74590dae03707381ebbc0dbf7d5b6313f7ca813045a97aad52e270a6
Opcode Fuzzy Hash: 41f7dff293231c8331c8c77dc6e38b3cf2abf73a316c3062e84003515e49ce1c
Instruction Fuzzy Hash: F6015E7240E7C49FE7128B258994B52BFA4DF42225F19C1DBD9888F2E3C2699844C772

Analysis Process: RegAsm.exePID: 7728, Parent PID: 7568COMMON

Execution Graph

Execution Coverage:	8.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	155
Total number of Limit Nodes:	15

Executed Functions

Function 0515D608 Relevance: .7, Instructions: 651COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1444371421.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5150000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47b4160cd8fcff235597f66202fbd7e1478310c75141c4a178cbe0538cec0d89
Instruction ID: 769ee72a2b02bc1b3275f2614214c74d2972d8766cf65b87f8fac440592d129e
Opcode Fuzzy Hash: 47b4160cd8fcff235597f66202fbd7e1478310c75141c4a178cbe0538cec0d89
Instruction Fuzzy Hash: C3428F30E00218CFDB54DFA9C8547AEBBB6FF88310F1481A9D819AB345DB749E85CB95

Function 0515DF11 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1444371421.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5150000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85f8fe1502956faf8ceac3b8f7350882b9168cee8bac39cffb61d580c4258a68
Instruction ID: c7ed5438d2669f528578ade5c4b15fe12390febe96356077c0dd0d5494272b37
Opcode Fuzzy Hash: 85f8fe1502956faf8ceac3b8f7350882b9168cee8bac39cffb61d580c4258a68
Instruction Fuzzy Hash: 7BC17F31E00214DFDF15DFA5C880B9DBBB6BF88320F14C2A9D859AB255DB749A85CF50

Function 00FFBF80 Relevance: 1.7, APIs: 1, Instructions: 199
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00FFC1E6

Memory Dump Source

Source File: 00000003.00000002.1442719425.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_ff0000_RegAsm.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 3b1aecdb3220c1bfde7dbbf91da4f4fb1b0075fb59c2188aa578af5b7c83c87f
Instruction ID: 9b8c2e98ceecd54c372b3137d90e662d8d2afe42f7e1884377f744fe21e58c68
Opcode Fuzzy Hash: 3b1aecdb3220c1bfde7dbbf91da4f4fb1b0075fb59c2188aa578af5b7c83c87f
Instruction Fuzzy Hash: 838165B0A00B098FD724DF29D54576ABBF1BF88310F00892DD186D7A60DB79E946DB90

Function 00FF6CE4 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00FF6DA1

Memory Dump Source

Source File: 00000003.00000002.1442719425.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_ff0000_RegAsm.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 6ffe395a9879675494c996975b0664d7df8a7e6c8f6666d2e2ad8447e2135c7d
Instruction ID: df9de30efa9ba1067d40ac72d154506b9912743648794e1a12a0e60c923cc9e1
Opcode Fuzzy Hash: 6ffe395a9879675494c996975b0664d7df8a7e6c8f6666d2e2ad8447e2135c7d
Instruction Fuzzy Hash: D841CFB1C00719CFEB24CFA9C84479EFBB2BF49304F20846AD408AB265DB756946CF50

Function 00FF54A8 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00FF6DA1

Memory Dump Source

Source File: 00000003.00000002.1442719425.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_ff0000_RegAsm.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: dcf6ac5e6a203f25e9cef0d9332982883b40079bc262a89cb9ab7cc84252e008
Instruction ID: 49915e415891b0c7b17641c9341ae4dcf2ce126ad97d19d1a3f7caab406a1454
Opcode Fuzzy Hash: dcf6ac5e6a203f25e9cef0d9332982883b40079bc262a89cb9ab7cc84252e008
Instruction Fuzzy Hash: 3B41CFB1C0071DCBEB24CFA9C844B9EFBB5BF49704F20806AD508AB255DB756945CF94

Function 05153D64 Relevance: 1.6, APIs: 1, Instructions: 83
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendMessageW.USER32(?,?,?,?), ref: 0515EAA5

Memory Dump Source

Source File: 00000003.00000002.1444371421.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5150000_RegAsm.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: aba56344187d81d7fd2f13899cfd43b7a854144499c2e6344f9e8ff5ec7a406a
Instruction ID: d07dfbd82dad4847ec44e76e0c714d1e9a14ca2a07d0dd5a54cf977783954790
Opcode Fuzzy Hash: aba56344187d81d7fd2f13899cfd43b7a854144499c2e6344f9e8ff5ec7a406a
Instruction Fuzzy Hash: 1C317CB1904349DFDB10DFAAD884B9EBBF8FF48320F148859E419A7350D774A984CBA5

Function 00FFDB20 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00FFE426,?,?,?,?,?), ref: 00FFE4E7

Memory Dump Source

Source File: 00000003.00000002.1442719425.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_ff0000_RegAsm.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 9ce79a6e18fd8cd75f5ea40217a97982499543f834d6335b7d7c015980d631f2
Instruction ID: 2e757c3e75c70c14b4f2c45db44306eb2ff8751490566180aeb2829d9f94668a
Opcode Fuzzy Hash: 9ce79a6e18fd8cd75f5ea40217a97982499543f834d6335b7d7c015980d631f2
Instruction Fuzzy Hash: 0821E3B590424DDFDB10CF9AD984AEEBBF4EB48320F14845AE954A3360D378A954CFA4

Function 0515F4C0 Relevance: 1.6, APIs: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassInfoW.USER32(?,00000000), ref: 0515F53C

Memory Dump Source

Source File: 00000003.00000002.1444371421.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5150000_RegAsm.jbxd

Similarity

API ID: ClassInfo
String ID:
API String ID: 3534257612-0
Opcode ID: 5a972a83a12d39da3f3c209bc978e954d337b8bcb2632f04782755a09ed8fd93
Instruction ID: 3a8b8a18b2e7ae68828174079c36432f35090102aad5ccdbb3d807ce20ff065c
Opcode Fuzzy Hash: 5a972a83a12d39da3f3c209bc978e954d337b8bcb2632f04782755a09ed8fd93
Instruction Fuzzy Hash: 5421F0B2901649DFDB10CF9AD884B9EFBF4BB48220F14842AE859A3340D378A945CB64

Function 0515F4B8 Relevance: 1.6, APIs: 1, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassInfoW.USER32(?,00000000), ref: 0515F53C

Memory Dump Source

Source File: 00000003.00000002.1444371421.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5150000_RegAsm.jbxd

Similarity

API ID: ClassInfo
String ID:
API String ID: 3534257612-0
Opcode ID: 1a699c0f687a0409ae8fde62e84370583731cbaea2cafc62386e0901697d0137
Instruction ID: 9d81db1f99bd33a819d09f237c241a186c27f1fa40a5e2d6eef4635fde6c5972
Opcode Fuzzy Hash: 1a699c0f687a0409ae8fde62e84370583731cbaea2cafc62386e0901697d0137
Instruction Fuzzy Hash: 692125B5D01609CFDB10CF9AD984B9EBBB4BB48220F14842AE859A3240D3389945CB64

Function 0515BBC0 Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowTextW.USER32(?,00000000), ref: 0515BC32

Memory Dump Source

Source File: 00000003.00000002.1444371421.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5150000_RegAsm.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: 4ed054b045d93233babe57a148fc3402d390225243abde95bdcbe7580a939152
Instruction ID: f1eaaf8614fc1877bbe5ef9467e4d3b512996f4f788f2166ff56183d5addb485
Opcode Fuzzy Hash: 4ed054b045d93233babe57a148fc3402d390225243abde95bdcbe7580a939152
Instruction Fuzzy Hash: 741147B6804249CFDB14CF9AD544BDEFBF4EB48320F14842AD869A3340D738A545CFA5

Function 00FF5344 Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeSecurity.COMBASE(00000000,-00000001,00000006,00000000,00000000,?,?,?,?), ref: 00FF565F

Memory Dump Source

Source File: 00000003.00000002.1442719425.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_ff0000_RegAsm.jbxd

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: 63798d0726dd345c1e7064f8d23ca4d67ed2538d48519842e02b6b1f874ae4e2
Instruction ID: bc8e88c7d66abef463b919a7ea074898fa9df752cb87cb117c450fa83d3c39d3
Opcode Fuzzy Hash: 63798d0726dd345c1e7064f8d23ca4d67ed2538d48519842e02b6b1f874ae4e2
Instruction Fuzzy Hash: 9D212272800649EFCB10CF8AD844AEEBBF4EF48310F148419EA18A7220C375A950CFA0

Function 0515BBC8 Relevance: 1.6, APIs: 1, Instructions: 53
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowTextW.USER32(?,00000000), ref: 0515BC32

Memory Dump Source

Source File: 00000003.00000002.1444371421.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5150000_RegAsm.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: 382d67e21672457b81a2632bbe252315db13deac07aff1d05c629dbea4175a5c
Instruction ID: 5b4cbc97052b863bcc93c2e1f3e19f1878887618a26f60c565e205ee5ac29b3a
Opcode Fuzzy Hash: 382d67e21672457b81a2632bbe252315db13deac07aff1d05c629dbea4175a5c
Instruction Fuzzy Hash: D51114B6804649CFDB14CF9AC544BDEFBF4EB48320F14842AD869A3240D778A545CFA5

Function 00FF55E0 Relevance: 1.6, APIs: 1, Instructions: 53
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeSecurity.COMBASE(00000000,-00000001,00000006,00000000,00000000,?,?,?,?), ref: 00FF565F

Memory Dump Source

Source File: 00000003.00000002.1442719425.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_ff0000_RegAsm.jbxd

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: 82233e3ec970a01d400680464e1310b04f43f9082d69fcc5fef13542576a23de
Instruction ID: 70989186a54f160adfbc408f3bd86bced5a9329c5bc09b49bfd9ca00f302f02f
Opcode Fuzzy Hash: 82233e3ec970a01d400680464e1310b04f43f9082d69fcc5fef13542576a23de
Instruction Fuzzy Hash: 6E2103B6800649DFCB11CF99D944BEEBBF4FF48314F24841AEA68A7220C335A554DFA1

Function 05159794 Relevance: 1.5, APIs: 1, Instructions: 47
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,00000018,00000001,?), ref: 0515D29D

Memory Dump Source

Source File: 00000003.00000002.1444371421.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5150000_RegAsm.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 0e93adc787857257eb1bc7fecfa26ffd6ac54f3454201d60c9a326afdd7c1876
Instruction ID: 1384532b831ba2d564f9297a6bf9a2517d7bc266630032e7c0755ddcbbdbbd2b
Opcode Fuzzy Hash: 0e93adc787857257eb1bc7fecfa26ffd6ac54f3454201d60c9a326afdd7c1876
Instruction Fuzzy Hash: 6111F5B5804749DFDB10CF9AD984BDEBBF4EB48320F10841AE958A7340D374A984CFA5

Function 0515D238 Relevance: 1.5, APIs: 1, Instructions: 47
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,00000018,00000001,?), ref: 0515D29D

Memory Dump Source

Source File: 00000003.00000002.1444371421.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5150000_RegAsm.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 3a4d9389394a40d46c831bd8f045e2d6e10d03a41fe34575c9b7dee7e671d2d4
Instruction ID: 117e3df64c7f7f6f99a86bb31f6396b7eb70a8887aa7b12e88cee0e111243fa9
Opcode Fuzzy Hash: 3a4d9389394a40d46c831bd8f045e2d6e10d03a41fe34575c9b7dee7e671d2d4
Instruction Fuzzy Hash: F31113B5804348DFDB10CF9AD985BDEBBF4EB48324F14881AE854A7200C378A544CFA1

Function 00FFC180 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00FFC1E6

Memory Dump Source

Source File: 00000003.00000002.1442719425.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_ff0000_RegAsm.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 0e69d8bd746bdab69cac802b92805819644387353bdce54a33571c82d3aa52b6
Instruction ID: 2c999cf103bb797fd0f0ce8bb21587abc211773fd5c6a151dae5df4ab6951167
Opcode Fuzzy Hash: 0e69d8bd746bdab69cac802b92805819644387353bdce54a33571c82d3aa52b6
Instruction Fuzzy Hash: 5A110FB6C006498FDB10CF9AD944ADEFBF4AF88320F14842AD518B7211C378A545CFA1

Function 05156FD0 Relevance: 1.3, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 05157030

Memory Dump Source

Source File: 00000003.00000002.1444371421.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5150000_RegAsm.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 95b898f4282a580efbcfc6e8dbbe9f034c4d988cbab1accedfd1d9e58f043320
Instruction ID: bc2a693cf668efa553379fabceff2323dfa98221f621b57a0266062634704702
Opcode Fuzzy Hash: 95b898f4282a580efbcfc6e8dbbe9f034c4d988cbab1accedfd1d9e58f043320
Instruction Fuzzy Hash: 5C1125B6800249CFDB10CF9AD545BDEBBF4EB48320F14841AD968B7340D778A944CFA5

Function 05156FD8 Relevance: 1.3, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 05157030

Memory Dump Source

Source File: 00000003.00000002.1444371421.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5150000_RegAsm.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: d8b3073a4751d5b97600f318aae078177a09ce6956671b8be81e354a30053849
Instruction ID: 622fd3da5678b1d25fa98f38bfa0d5780c436fcea064dc78429ee7e6644fcc9e
Opcode Fuzzy Hash: d8b3073a4751d5b97600f318aae078177a09ce6956671b8be81e354a30053849
Instruction Fuzzy Hash: 981145B5800349CFDB20CF9AD545BDEBBF4EB48320F24842AD968A7340D378A544CFA5

Function 00C8D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1441701607.0000000000C8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c8d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89f285299a905bbeb2d2c393738927f6c913ea45082c4e8afd5c74b5ca73f427
Instruction ID: 5132f7cc0614aa58996a3bb734f0530645958ab2a58e38b804902494592858d4
Opcode Fuzzy Hash: 89f285299a905bbeb2d2c393738927f6c913ea45082c4e8afd5c74b5ca73f427
Instruction Fuzzy Hash: B02125B1500240DFDB05EF10D9C0F26BF65FB8431CF24C56AE80A4B286C336D956CBA6

Function 00C8D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1441701607.0000000000C8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c8d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75b9da6758deff6da7bcf9126936bc247c9f664bfcd14e402d81713f54e79fc2
Instruction ID: 30a9f28595aa1ede6892751bbe80cf74dd43521be31a44808cc947fefbf5087a
Opcode Fuzzy Hash: 75b9da6758deff6da7bcf9126936bc247c9f664bfcd14e402d81713f54e79fc2
Instruction Fuzzy Hash: A121F571504344EFDB05EF10D9C0B26BB65FBD4328F24C569E90A4B296C336E856CBA6

Function 00CAD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1441806091.0000000000CAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cad000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da3d22ab727a42a555fc3282cb4638a991635f8e5332d209429324b415e629ad
Instruction ID: 783b81f87851def5a56ffa8614bff590cd08860bc781b27facb30aecc18c2bdb
Opcode Fuzzy Hash: da3d22ab727a42a555fc3282cb4638a991635f8e5332d209429324b415e629ad
Instruction Fuzzy Hash: 8721F271604345DFDB14DF20D9C0B26BB65EB85318F24C5A9D80B4B686C736D847CA62

Function 00CAD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1441806091.0000000000CAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cad000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2858cbab8860d84b8d6dc2c482e9e096e33081ae9807ea461a39bc7c9e34853
Instruction ID: 56927f135c21cd2fce61adaad5cb861fe9442067b594f8763734aedc43afd2ba
Opcode Fuzzy Hash: a2858cbab8860d84b8d6dc2c482e9e096e33081ae9807ea461a39bc7c9e34853
Instruction Fuzzy Hash: 8B210471504345EFDB05DF10D9C4B2ABBA5FB85318F24C6ADE80B4B692C736DC46CA61

Function 00CAD005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1441806091.0000000000CAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cad000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d4145234f28dc009532db47aae292444c425c728d20ffa67c5730407a73568c
Instruction ID: f6d4c97a1324c56869b02bda50106789c301b002451e78a81c212374a82ba336
Opcode Fuzzy Hash: 4d4145234f28dc009532db47aae292444c425c728d20ffa67c5730407a73568c
Instruction Fuzzy Hash: 432153755093C08FCB12CF24D994715BF71EB46318F28C5DAD84A8F6A7C33A994ACB62

Function 00C8D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1441701607.0000000000C8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c8d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c18b29bf45e1f8211f0d9b8393173274bc5291f3679a0d43233693b02d382c4
Instruction ID: e50447e6ce5808775503f302d2ee5d6744530b562ab2de235b5b3a33389ea626
Opcode Fuzzy Hash: 0c18b29bf45e1f8211f0d9b8393173274bc5291f3679a0d43233693b02d382c4
Instruction Fuzzy Hash: 941126B2404280CFCF01DF10D9C0B16BF71FB84318F28C6AAD8090B656C336D956CBA1

Function 00C8D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1441701607.0000000000C8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c8d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c18b29bf45e1f8211f0d9b8393173274bc5291f3679a0d43233693b02d382c4
Instruction ID: 7cd2fb31b88deac2b44468123aa0c102f1bdbd019f5a0b5f32695afb5e017242
Opcode Fuzzy Hash: 0c18b29bf45e1f8211f0d9b8393173274bc5291f3679a0d43233693b02d382c4
Instruction Fuzzy Hash: 11110372404280DFCB01DF00D9C0B16BF71FB94328F28C6A9D80A0B656C33AE95ACBA1

Function 00CAD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1441806091.0000000000CAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cad000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7fc8320e9ffd4f8ec94d9e167b65ccdea872c3a8bd4eb18a3b2cc6050ea0561
Instruction ID: b3c4c897ed427b11120f30594a0a83ced7148ff429b92371f7b5ec782c8f140a
Opcode Fuzzy Hash: d7fc8320e9ffd4f8ec94d9e167b65ccdea872c3a8bd4eb18a3b2cc6050ea0561
Instruction Fuzzy Hash: A511DD75504284DFCB01CF10C5C4B15FBA1FB85318F28C6AED84A4BAA6C33AD84ACB61

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report xin.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\xin.exe.log

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: xin.exePID: 7568, Parent PID: 3504

General

Chronological Activities

Analysis Process: conhost.exePID: 7576, Parent PID: 7568

General

Windows Analysis Report
xin.exe

Function 02E32125 Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 282
threadinjectionmemoryCOMMON

Function 014D14E1 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 58
COMMON

Function 014D14E8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 56
COMMON

Function 012DD01D Relevance: .0, Instructions: 45
COMMON

Function 012DD006 Relevance: .0, Instructions: 43
COMMON

Function 00FFBF80 Relevance: 1.7, APIs: 1, Instructions: 199
COMMON

Function 00FF6CE4 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Function 00FF54A8 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 05153D64 Relevance: 1.6, APIs: 1, Instructions: 83
windowCOMMON

Function 00FFDB20 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 0515F4C0 Relevance: 1.6, APIs: 1, Instructions: 61
COMMON

Function 0515F4B8 Relevance: 1.6, APIs: 1, Instructions: 60
COMMON

Function 0515BBC0 Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Function 00FF5344 Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Function 0515BBC8 Relevance: 1.6, APIs: 1, Instructions: 53
COMMON

Function 00FF55E0 Relevance: 1.6, APIs: 1, Instructions: 53
COMMON

Function 05159794 Relevance: 1.5, APIs: 1, Instructions: 47
windowCOMMON

Function 0515D238 Relevance: 1.5, APIs: 1, Instructions: 47
windowCOMMON

Function 00FFC180 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON