Edit tour

Windows Analysis Report
loader.exe

Overview

General Information

Sample name:	loader.exe
Analysis ID:	1525820
MD5:	b750903ba5abb6ee7528aad139ec6404
SHA1:	9a6107f86b044d6783a202c3f16310d2ca60f149
SHA256:	11f98be1f2418783aec952a9814bbe8c26010554c2662671ab4b18f7e425b4b6
Tags:	exeuser-aachum
Infos:

Detection

RedLine

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected RedLine Stealer

.NET source code contains very large array initializations

AI detected suspicious sample

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Detected potential crypto function

Enables debug privileges

Enables security privileges

Found evasive API chain (may stop execution after checking a module file name)

Found potential string decryption / allocating functions

Installs a raw input device (often for capturing keystrokes)

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

loader.exe (PID: 4928 cmdline: "C:\Users\user\Desktop\loader.exe" MD5: B750903BA5ABB6EE7528AAD139EC6404)

conhost.exe (PID: 824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
loader.exe	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 0B 88 44 24 2B 88 44 24 2F B0 86 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: loader.exe PID: 4928	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.loader.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 0B 88 44 24 2B 88 44 24 2F B0 86 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
0.0.loader.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 0B 88 44 24 2B 88 44 24 2F B0 86 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: loader.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: loader.exe

ReversingLabs: Detection: 68%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: loader.exe

Joe Sandbox ML: detected

Source: loader.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:

Binary string: _.pdb source: loader.exe, 00000000.00000003.1486292327.000000000081B000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000002.1506599549.0000000002370000.00000004.08000000.00040000.00000000.sdmp, loader.exe, 00000000.00000002.1506666108.00000000023E6000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000002.1509937450.0000000003991000.00000004.00000800.00020000.00000000.sdmp

Source: loader.exe, 00000000.00000002.1507826756.0000000002991000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: loader.exe, 00000000.00000002.1507826756.0000000002991000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\ equals www.youtube.com (Youtube)
Source: loader.exe, 00000000.00000002.1507826756.0000000002991000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb`, equals www.youtube.com (Youtube)
Source: loader.exe, 00000000.00000002.1507826756.0000000002991000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q#www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: loader.exe, 00000000.00000002.1507826756.0000000002991000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q3IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\ equals www.youtube.com (Youtube)

Source: loader.exe, 00000000.00000002.1507826756.0000000002991000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.s
Source: loader.exe, 00000000.00000002.1507826756.0000000002991000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/ip
Source: loader.exe, 00000000.00000002.1507826756.0000000002AB6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v9/users/

Source: loader.exe, 00000000.00000002.1507826756.0000000002C05000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: GetRawInputData

memstr_b8ae76c6-a

System Summary

Malicious sample detected (through community Yara rule)

Source: loader.exe, type: SAMPLE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.loader.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.0.loader.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen

.NET source code contains very large array initializations

Source: 0.3.loader.exe.81b900.0.raw.unpack, R3D7rEdzqGVdFfcfcJ6.cs	Large array initialization: R3D7rEdzqGVdFfcfcJ6: array initializer size 6160
Source: 0.2.loader.exe.2730000.5.raw.unpack, R3D7rEdzqGVdFfcfcJ6.cs	Large array initialization: R3D7rEdzqGVdFfcfcJ6: array initializer size 6160
Source: 0.2.loader.exe.2370ee8.2.raw.unpack, R3D7rEdzqGVdFfcfcJ6.cs	Large array initialization: R3D7rEdzqGVdFfcfcJ6: array initializer size 6160
Source: 0.2.loader.exe.3996458.6.raw.unpack, R3D7rEdzqGVdFfcfcJ6.cs	Large array initialization: R3D7rEdzqGVdFfcfcJ6: array initializer size 6160
Source: 0.2.loader.exe.39d2d90.8.raw.unpack, R3D7rEdzqGVdFfcfcJ6.cs	Large array initialization: R3D7rEdzqGVdFfcfcJ6: array initializer size 6160
Source: 0.2.loader.exe.2427ee6.3.raw.unpack, R3D7rEdzqGVdFfcfcJ6.cs	Large array initialization: R3D7rEdzqGVdFfcfcJ6: array initializer size 6160

Source: C:\Users\user\Desktop\loader.exe	Code function: 0_2_00408C60	0_2_00408C60
Source: C:\Users\user\Desktop\loader.exe	Code function: 0_2_0040DC11	0_2_0040DC11
Source: C:\Users\user\Desktop\loader.exe	Code function: 0_2_00407C3F	0_2_00407C3F
Source: C:\Users\user\Desktop\loader.exe	Code function: 0_2_00418CCC	0_2_00418CCC
Source: C:\Users\user\Desktop\loader.exe	Code function: 0_2_00406CA0	0_2_00406CA0
Source: C:\Users\user\Desktop\loader.exe	Code function: 0_2_004028B0	0_2_004028B0
Source: C:\Users\user\Desktop\loader.exe	Code function: 0_2_0041A4BE	0_2_0041A4BE
Source: C:\Users\user\Desktop\loader.exe	Code function: 0_2_00418244	0_2_00418244
Source: C:\Users\user\Desktop\loader.exe	Code function: 0_2_00401650	0_2_00401650
Source: C:\Users\user\Desktop\loader.exe	Code function: 0_2_00402F20	0_2_00402F20
Source: C:\Users\user\Desktop\loader.exe	Code function: 0_2_004193C4	0_2_004193C4
Source: C:\Users\user\Desktop\loader.exe	Code function: 0_2_00418788	0_2_00418788
Source: C:\Users\user\Desktop\loader.exe	Code function: 0_2_00402F89	0_2_00402F89
Source: C:\Users\user\Desktop\loader.exe	Code function: 0_2_00402B90	0_2_00402B90
Source: C:\Users\user\Desktop\loader.exe	Code function: 0_2_004073A0	0_2_004073A0
Source: C:\Users\user\Desktop\loader.exe	Code function: 0_2_022EE17C	0_2_022EE17C
Source: C:\Users\user\Desktop\loader.exe	Code function: 0_2_027B01D8	0_2_027B01D8
Source: C:\Users\user\Desktop\loader.exe	Code function: 0_2_027B01C8	0_2_027B01C8
Source: C:\Users\user\Desktop\loader.exe	Code function: 0_2_0291D3B0	0_2_0291D3B0
Source: C:\Users\user\Desktop\loader.exe	Code function: 0_2_0291CE88	0_2_0291CE88
Source: C:\Users\user\Desktop\loader.exe	Code function: 0_2_069E04D0	0_2_069E04D0
Source: C:\Users\user\Desktop\loader.exe	Code function: 0_2_069E6C23	0_2_069E6C23

Source: C:\Users\user\Desktop\loader.exe

Process token adjusted: Security

Jump to behavior

Source: C:\Users\user\Desktop\loader.exe

Code function: String function: 0040E1D8 appears 43 times

Source: loader.exe, 00000000.00000003.1486292327.000000000081B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSunroom.exe" vs loader.exe
Source: loader.exe, 00000000.00000003.1486292327.000000000081B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_.dll4 vs loader.exe
Source: loader.exe, 00000000.00000002.1506599549.0000000002370000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSunroom.exe" vs loader.exe
Source: loader.exe, 00000000.00000002.1506599549.0000000002370000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilename_.dll4 vs loader.exe
Source: loader.exe, 00000000.00000003.1486292327.00000000008AA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSunroom.exe" vs loader.exe
Source: loader.exe, 00000000.00000002.1506666108.00000000023E6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSunroom.exe" vs loader.exe
Source: loader.exe, 00000000.00000002.1506666108.00000000023E6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_.dll4 vs loader.exe
Source: loader.exe, 00000000.00000003.1485913497.000000000089C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs loader.exe
Source: loader.exe, 00000000.00000002.1505310948.000000000045C000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSunroom.exe" vs loader.exe
Source: loader.exe, 00000000.00000002.1507423486.0000000002730000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSunroom.exe" vs loader.exe
Source: loader.exe, 00000000.00000003.1485860221.000000000088D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs loader.exe
Source: loader.exe, 00000000.00000002.1509937450.0000000003991000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSunroom.exe" vs loader.exe
Source: loader.exe, 00000000.00000002.1509937450.0000000003991000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_.dll4 vs loader.exe
Source: loader.exe	Binary or memory string: OriginalFilenameSunroom.exe" vs loader.exe

Source: loader.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: loader.exe, type: SAMPLE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.loader.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.0.loader.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073

Source: loader.exe

Static PE information: Section: .rsrc ZLIB complexity 0.9936445223112128

Source: 0.3.loader.exe.81b900.0.raw.unpack, rcfyuyTzwAVvRrBPRJL.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.3.loader.exe.81b900.0.raw.unpack, R3D7rEdzqGVdFfcfcJ6.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.loader.exe.2730000.5.raw.unpack, rcfyuyTzwAVvRrBPRJL.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.loader.exe.2730000.5.raw.unpack, R3D7rEdzqGVdFfcfcJ6.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.loader.exe.2370ee8.2.raw.unpack, rcfyuyTzwAVvRrBPRJL.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.loader.exe.2370ee8.2.raw.unpack, R3D7rEdzqGVdFfcfcJ6.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.loader.exe.3996458.6.raw.unpack, rcfyuyTzwAVvRrBPRJL.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.loader.exe.3996458.6.raw.unpack, R3D7rEdzqGVdFfcfcJ6.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.loader.exe.39d2d90.8.raw.unpack, rcfyuyTzwAVvRrBPRJL.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.loader.exe.39d2d90.8.raw.unpack, R3D7rEdzqGVdFfcfcJ6.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.loader.exe.2427ee6.3.raw.unpack, rcfyuyTzwAVvRrBPRJL.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.3.loader.exe.81b900.0.raw.unpack, R3D7rEdzqGVdFfcfcJ6.cs	Base64 encoded string: 'NQQ5Cy4TBwAnFDw2FjQBJSEwSjsYXUY4Iz4LGiIvJCshJz9nOysfTBk4HxkgATkJIT4OOyUkDTsNCUNE'
Source: 0.2.loader.exe.2730000.5.raw.unpack, R3D7rEdzqGVdFfcfcJ6.cs	Base64 encoded string: 'NQQ5Cy4TBwAnFDw2FjQBJSEwSjsYXUY4Iz4LGiIvJCshJz9nOysfTBk4HxkgATkJIT4OOyUkDTsNCUNE'
Source: 0.2.loader.exe.2370ee8.2.raw.unpack, R3D7rEdzqGVdFfcfcJ6.cs	Base64 encoded string: 'NQQ5Cy4TBwAnFDw2FjQBJSEwSjsYXUY4Iz4LGiIvJCshJz9nOysfTBk4HxkgATkJIT4OOyUkDTsNCUNE'
Source: 0.2.loader.exe.3996458.6.raw.unpack, R3D7rEdzqGVdFfcfcJ6.cs	Base64 encoded string: 'NQQ5Cy4TBwAnFDw2FjQBJSEwSjsYXUY4Iz4LGiIvJCshJz9nOysfTBk4HxkgATkJIT4OOyUkDTsNCUNE'
Source: 0.2.loader.exe.39d2d90.8.raw.unpack, R3D7rEdzqGVdFfcfcJ6.cs	Base64 encoded string: 'NQQ5Cy4TBwAnFDw2FjQBJSEwSjsYXUY4Iz4LGiIvJCshJz9nOysfTBk4HxkgATkJIT4OOyUkDTsNCUNE'
Source: 0.2.loader.exe.2427ee6.3.raw.unpack, R3D7rEdzqGVdFfcfcJ6.cs	Base64 encoded string: 'NQQ5Cy4TBwAnFDw2FjQBJSEwSjsYXUY4Iz4LGiIvJCshJz9nOysfTBk4HxkgATkJIT4OOyUkDTsNCUNE'

Source: classification engine

Classification label: mal88.troj.evad.winEXE@2/1@0/0

Source: C:\Users\user\Desktop\loader.exe

Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,

0_2_004019F0

Source: C:\Users\user\Desktop\loader.exe

0_2_004019F0

Source: C:\Users\user\Desktop\loader.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\loader.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\loader.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:824:120:WilError_03

Source: C:\Users\user\Desktop\loader.exe

Command line argument: 08A

0_2_00413780

Source: loader.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\loader.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: loader.exe

ReversingLabs: Detection: 68%

Source: unknown	Process created: C:\Users\user\Desktop\loader.exe "C:\Users\user\Desktop\loader.exe"
Source: C:\Users\user\Desktop\loader.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Users\user\Desktop\loader.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: textshaping.dll	Jump to behavior

Source: C:\Users\user\Desktop\loader.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: loader.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Source: C:\Users\user\Desktop\loader.exe

0_2_004019F0

Source: loader.exe

Static PE information: real checksum: 0x23bfb should be: 0x5e6f5

Source: C:\Users\user\Desktop\loader.exe	Code function: 0_2_0040E21D push ecx; ret	0_2_0040E230
Source: C:\Users\user\Desktop\loader.exe	Code function: 0_2_027B9A60 push esp; iretd	0_2_027B9A61
Source: C:\Users\user\Desktop\loader.exe	Code function: 0_2_069E900D push FFFFFF8Bh; iretd	0_2_069E900F

Source: 0.3.loader.exe.81b900.0.raw.unpack, pV6W58JtYEixu9F3IDb.cs	High entropy of concatenated method names: 'QnAOzlNEKs', 'G7Hn8sA5yr', 'mdCJcYCmWJ', 'lxKJgTVIr9', 'TmeJQCwAIf', 'wNsJvuMlem', 'JdjJ0yfWaK', 'HTWOMU5HZG', 'ChUn3VFYXt', 'Y1rn7CeXec'
Source: 0.3.loader.exe.81b900.0.raw.unpack, sjGxSN2D3DSb9ZRckQw.cs	High entropy of concatenated method names: 'ShowMessage', 'Yfp26y1pZ3', 'U5q2ZcjaFm', 'Ae12PWjUH0', 'gpT2KgrniZ', 'sXL2M1QRIf', 'Vhq2j06REx', 'zIu2zqwkQv', 'qQR83p3aHE', 'wZ48Wmh9Kf'
Source: 0.3.loader.exe.81b900.0.raw.unpack, uvKl4jd2pdrDKv5i801.cs	High entropy of concatenated method names: 'mGgd7gOw5e', 'ISwd55nMya', 'VnrdT5iOGo', 'ctGd1h4D41', 'LQtdxnO6bt', 'jGAdpMLYLa', 'vpndCOuAlZ', 'N3kdX97FHp', 'iJSdOgxSZL', 'J7jdnZEpUl'
Source: 0.3.loader.exe.81b900.0.raw.unpack, qYt2UGWxomMCcArni6L.cs	High entropy of concatenated method names: 'ABHWU0Q5M7', 'subWt2bppy', 'G8pWckTVZR', 'D5GWge2ebs', 'CMTWCfyMjj', 'CfTWXYoR3u', 'V63WOENucu', 'y8RWng56rs', 'dUWWb7psyB', 'tJjWN5IVnM'
Source: 0.3.loader.exe.81b900.0.raw.unpack, ImLCtHJpB7Y34H2qdnG.cs	High entropy of concatenated method names: 'QnAOzlNEKs', 'ChUn3VFYXt', 'HTWOMU5HZG', 'bRUnWXH8lY', 'olQnLg4V9M', 'ojUni3EWO6', 'F5gnJo62vD', 'YS1nql2bUi', 'YBiJXVq2wc', 'w39ndGQkM9'
Source: 0.2.loader.exe.2730000.5.raw.unpack, pV6W58JtYEixu9F3IDb.cs	High entropy of concatenated method names: 'QnAOzlNEKs', 'G7Hn8sA5yr', 'mdCJcYCmWJ', 'lxKJgTVIr9', 'TmeJQCwAIf', 'wNsJvuMlem', 'JdjJ0yfWaK', 'HTWOMU5HZG', 'ChUn3VFYXt', 'Y1rn7CeXec'
Source: 0.2.loader.exe.2730000.5.raw.unpack, sjGxSN2D3DSb9ZRckQw.cs	High entropy of concatenated method names: 'ShowMessage', 'Yfp26y1pZ3', 'U5q2ZcjaFm', 'Ae12PWjUH0', 'gpT2KgrniZ', 'sXL2M1QRIf', 'Vhq2j06REx', 'zIu2zqwkQv', 'qQR83p3aHE', 'wZ48Wmh9Kf'
Source: 0.2.loader.exe.2730000.5.raw.unpack, uvKl4jd2pdrDKv5i801.cs	High entropy of concatenated method names: 'mGgd7gOw5e', 'ISwd55nMya', 'VnrdT5iOGo', 'ctGd1h4D41', 'LQtdxnO6bt', 'jGAdpMLYLa', 'vpndCOuAlZ', 'N3kdX97FHp', 'iJSdOgxSZL', 'J7jdnZEpUl'
Source: 0.2.loader.exe.2730000.5.raw.unpack, qYt2UGWxomMCcArni6L.cs	High entropy of concatenated method names: 'ABHWU0Q5M7', 'subWt2bppy', 'G8pWckTVZR', 'D5GWge2ebs', 'CMTWCfyMjj', 'CfTWXYoR3u', 'V63WOENucu', 'y8RWng56rs', 'dUWWb7psyB', 'tJjWN5IVnM'
Source: 0.2.loader.exe.2730000.5.raw.unpack, ImLCtHJpB7Y34H2qdnG.cs	High entropy of concatenated method names: 'QnAOzlNEKs', 'ChUn3VFYXt', 'HTWOMU5HZG', 'bRUnWXH8lY', 'olQnLg4V9M', 'ojUni3EWO6', 'F5gnJo62vD', 'YS1nql2bUi', 'YBiJXVq2wc', 'w39ndGQkM9'
Source: 0.2.loader.exe.2370ee8.2.raw.unpack, pV6W58JtYEixu9F3IDb.cs	High entropy of concatenated method names: 'QnAOzlNEKs', 'G7Hn8sA5yr', 'mdCJcYCmWJ', 'lxKJgTVIr9', 'TmeJQCwAIf', 'wNsJvuMlem', 'JdjJ0yfWaK', 'HTWOMU5HZG', 'ChUn3VFYXt', 'Y1rn7CeXec'
Source: 0.2.loader.exe.2370ee8.2.raw.unpack, sjGxSN2D3DSb9ZRckQw.cs	High entropy of concatenated method names: 'ShowMessage', 'Yfp26y1pZ3', 'U5q2ZcjaFm', 'Ae12PWjUH0', 'gpT2KgrniZ', 'sXL2M1QRIf', 'Vhq2j06REx', 'zIu2zqwkQv', 'qQR83p3aHE', 'wZ48Wmh9Kf'
Source: 0.2.loader.exe.2370ee8.2.raw.unpack, uvKl4jd2pdrDKv5i801.cs	High entropy of concatenated method names: 'mGgd7gOw5e', 'ISwd55nMya', 'VnrdT5iOGo', 'ctGd1h4D41', 'LQtdxnO6bt', 'jGAdpMLYLa', 'vpndCOuAlZ', 'N3kdX97FHp', 'iJSdOgxSZL', 'J7jdnZEpUl'
Source: 0.2.loader.exe.2370ee8.2.raw.unpack, qYt2UGWxomMCcArni6L.cs	High entropy of concatenated method names: 'ABHWU0Q5M7', 'subWt2bppy', 'G8pWckTVZR', 'D5GWge2ebs', 'CMTWCfyMjj', 'CfTWXYoR3u', 'V63WOENucu', 'y8RWng56rs', 'dUWWb7psyB', 'tJjWN5IVnM'
Source: 0.2.loader.exe.2370ee8.2.raw.unpack, ImLCtHJpB7Y34H2qdnG.cs	High entropy of concatenated method names: 'QnAOzlNEKs', 'ChUn3VFYXt', 'HTWOMU5HZG', 'bRUnWXH8lY', 'olQnLg4V9M', 'ojUni3EWO6', 'F5gnJo62vD', 'YS1nql2bUi', 'YBiJXVq2wc', 'w39ndGQkM9'
Source: 0.2.loader.exe.3996458.6.raw.unpack, pV6W58JtYEixu9F3IDb.cs	High entropy of concatenated method names: 'QnAOzlNEKs', 'G7Hn8sA5yr', 'mdCJcYCmWJ', 'lxKJgTVIr9', 'TmeJQCwAIf', 'wNsJvuMlem', 'JdjJ0yfWaK', 'HTWOMU5HZG', 'ChUn3VFYXt', 'Y1rn7CeXec'
Source: 0.2.loader.exe.3996458.6.raw.unpack, sjGxSN2D3DSb9ZRckQw.cs	High entropy of concatenated method names: 'ShowMessage', 'Yfp26y1pZ3', 'U5q2ZcjaFm', 'Ae12PWjUH0', 'gpT2KgrniZ', 'sXL2M1QRIf', 'Vhq2j06REx', 'zIu2zqwkQv', 'qQR83p3aHE', 'wZ48Wmh9Kf'
Source: 0.2.loader.exe.3996458.6.raw.unpack, uvKl4jd2pdrDKv5i801.cs	High entropy of concatenated method names: 'mGgd7gOw5e', 'ISwd55nMya', 'VnrdT5iOGo', 'ctGd1h4D41', 'LQtdxnO6bt', 'jGAdpMLYLa', 'vpndCOuAlZ', 'N3kdX97FHp', 'iJSdOgxSZL', 'J7jdnZEpUl'
Source: 0.2.loader.exe.3996458.6.raw.unpack, qYt2UGWxomMCcArni6L.cs	High entropy of concatenated method names: 'ABHWU0Q5M7', 'subWt2bppy', 'G8pWckTVZR', 'D5GWge2ebs', 'CMTWCfyMjj', 'CfTWXYoR3u', 'V63WOENucu', 'y8RWng56rs', 'dUWWb7psyB', 'tJjWN5IVnM'
Source: 0.2.loader.exe.3996458.6.raw.unpack, ImLCtHJpB7Y34H2qdnG.cs	High entropy of concatenated method names: 'QnAOzlNEKs', 'ChUn3VFYXt', 'HTWOMU5HZG', 'bRUnWXH8lY', 'olQnLg4V9M', 'ojUni3EWO6', 'F5gnJo62vD', 'YS1nql2bUi', 'YBiJXVq2wc', 'w39ndGQkM9'
Source: 0.2.loader.exe.39d2d90.8.raw.unpack, pV6W58JtYEixu9F3IDb.cs	High entropy of concatenated method names: 'QnAOzlNEKs', 'G7Hn8sA5yr', 'mdCJcYCmWJ', 'lxKJgTVIr9', 'TmeJQCwAIf', 'wNsJvuMlem', 'JdjJ0yfWaK', 'HTWOMU5HZG', 'ChUn3VFYXt', 'Y1rn7CeXec'
Source: 0.2.loader.exe.39d2d90.8.raw.unpack, sjGxSN2D3DSb9ZRckQw.cs	High entropy of concatenated method names: 'ShowMessage', 'Yfp26y1pZ3', 'U5q2ZcjaFm', 'Ae12PWjUH0', 'gpT2KgrniZ', 'sXL2M1QRIf', 'Vhq2j06REx', 'zIu2zqwkQv', 'qQR83p3aHE', 'wZ48Wmh9Kf'
Source: 0.2.loader.exe.39d2d90.8.raw.unpack, uvKl4jd2pdrDKv5i801.cs	High entropy of concatenated method names: 'mGgd7gOw5e', 'ISwd55nMya', 'VnrdT5iOGo', 'ctGd1h4D41', 'LQtdxnO6bt', 'jGAdpMLYLa', 'vpndCOuAlZ', 'N3kdX97FHp', 'iJSdOgxSZL', 'J7jdnZEpUl'
Source: 0.2.loader.exe.39d2d90.8.raw.unpack, qYt2UGWxomMCcArni6L.cs	High entropy of concatenated method names: 'ABHWU0Q5M7', 'subWt2bppy', 'G8pWckTVZR', 'D5GWge2ebs', 'CMTWCfyMjj', 'CfTWXYoR3u', 'V63WOENucu', 'y8RWng56rs', 'dUWWb7psyB', 'tJjWN5IVnM'
Source: 0.2.loader.exe.39d2d90.8.raw.unpack, ImLCtHJpB7Y34H2qdnG.cs	High entropy of concatenated method names: 'QnAOzlNEKs', 'ChUn3VFYXt', 'HTWOMU5HZG', 'bRUnWXH8lY', 'olQnLg4V9M', 'ojUni3EWO6', 'F5gnJo62vD', 'YS1nql2bUi', 'YBiJXVq2wc', 'w39ndGQkM9'
Source: 0.2.loader.exe.2427ee6.3.raw.unpack, pV6W58JtYEixu9F3IDb.cs	High entropy of concatenated method names: 'QnAOzlNEKs', 'G7Hn8sA5yr', 'mdCJcYCmWJ', 'lxKJgTVIr9', 'TmeJQCwAIf', 'wNsJvuMlem', 'JdjJ0yfWaK', 'HTWOMU5HZG', 'ChUn3VFYXt', 'Y1rn7CeXec'
Source: 0.2.loader.exe.2427ee6.3.raw.unpack, sjGxSN2D3DSb9ZRckQw.cs	High entropy of concatenated method names: 'ShowMessage', 'Yfp26y1pZ3', 'U5q2ZcjaFm', 'Ae12PWjUH0', 'gpT2KgrniZ', 'sXL2M1QRIf', 'Vhq2j06REx', 'zIu2zqwkQv', 'qQR83p3aHE', 'wZ48Wmh9Kf'
Source: 0.2.loader.exe.2427ee6.3.raw.unpack, uvKl4jd2pdrDKv5i801.cs	High entropy of concatenated method names: 'mGgd7gOw5e', 'ISwd55nMya', 'VnrdT5iOGo', 'ctGd1h4D41', 'LQtdxnO6bt', 'jGAdpMLYLa', 'vpndCOuAlZ', 'N3kdX97FHp', 'iJSdOgxSZL', 'J7jdnZEpUl'
Source: 0.2.loader.exe.2427ee6.3.raw.unpack, qYt2UGWxomMCcArni6L.cs	High entropy of concatenated method names: 'ABHWU0Q5M7', 'subWt2bppy', 'G8pWckTVZR', 'D5GWge2ebs', 'CMTWCfyMjj', 'CfTWXYoR3u', 'V63WOENucu', 'y8RWng56rs', 'dUWWb7psyB', 'tJjWN5IVnM'
Source: 0.2.loader.exe.2427ee6.3.raw.unpack, ImLCtHJpB7Y34H2qdnG.cs	High entropy of concatenated method names: 'QnAOzlNEKs', 'ChUn3VFYXt', 'HTWOMU5HZG', 'bRUnWXH8lY', 'olQnLg4V9M', 'ojUni3EWO6', 'F5gnJo62vD', 'YS1nql2bUi', 'YBiJXVq2wc', 'w39ndGQkM9'

Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: loader.exe, 00000000.00000002.1507826756.0000000002AB6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \QEMU-GA.EXE`,
Source: loader.exe, 00000000.00000002.1507826756.0000000002AB6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \QEMU-GA.EXE
Source: loader.exe, 00000000.00000002.1507826756.0000000002AB6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \QEMU-GA.EXE@\

Source: C:\Users\user\Desktop\loader.exe	Memory allocated: 22A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Memory allocated: 2990000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Memory allocated: 2690000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\loader.exe

0_2_004019F0

Source: C:\Users\user\Desktop\loader.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\loader.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

graph_0-54305

Source: C:\Users\user\Desktop\loader.exe TID: 6668

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\loader.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: loader.exe, 00000000.00000002.1507826756.0000000002AB6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \qemu-ga.exe
Source: loader.exe, 00000000.00000002.1507826756.0000000002AB6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \qemu-ga.exe`,
Source: loader.exe, 00000000.00000002.1507826756.0000000002AB6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \qemu-ga.exe@\

Source: C:\Users\user\Desktop\loader.exe

API call chain: ExitProcess graph end node

graph_0-54540

Source: C:\Users\user\Desktop\loader.exe

Code function: 0_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_0040CE09

Source: C:\Users\user\Desktop\loader.exe

0_2_004019F0

Source: C:\Users\user\Desktop\loader.exe

0_2_004019F0

Source: C:\Users\user\Desktop\loader.exe

Code function: 0_2_0040ADB0 GetProcessHeap,HeapFree,

0_2_0040ADB0

Source: C:\Users\user\Desktop\loader.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\loader.exe	Code function: 0_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0040CE09
Source: C:\Users\user\Desktop\loader.exe	Code function: 0_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0040E61C
Source: C:\Users\user\Desktop\loader.exe	Code function: 0_2_004123F1 SetUnhandledExceptionFilter,	0_2_004123F1

Source: C:\Users\user\Desktop\loader.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: loader.exe, 00000000.00000002.1507826756.0000000002C05000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: GetProgmanWindow
Source: loader.exe, 00000000.00000002.1507826756.0000000002C05000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SetProgmanWindow

Source: C:\Users\user\Desktop\loader.exe

Code function: GetLocaleInfoA,

0_2_00417A20

Source: C:\Users\user\Desktop\loader.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\loader.exe

Code function: 0_2_00412A15 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_00412A15

Source: C:\Users\user\Desktop\loader.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match

File source: Process Memory Space: loader.exe PID: 4928, type: MEMORYSTR

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match

File source: Process Memory Space: loader.exe PID: 4928, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	2 Process Injection	1 Masquerading	11 Input Capture	1 System Time Discovery	Remote Services	11 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	131 Security Software Discovery	Remote Desktop Protocol	11 Archive Collected Data	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Process Injection	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Deobfuscate/Decode Files or Information	LSA Secrets	23 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	21 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
loader.exe	68%	ReversingLabs	Win32.Spyware.RedLine
loader.exe	100%	Avira	TR/Spy.RedLine.urvkn
loader.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
https://api.ip.sb/ip	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.ip.sb/ip	loader.exe, 00000000.00000002.1507826756.0000000002991000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ip.s	loader.exe, 00000000.00000002.1507826756.0000000002991000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://discord.com/api/v9/users/	loader.exe, 00000000.00000002.1507826756.0000000002AB6000.00000004.00000800.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1525820
Start date and time:	2024-10-04 15:15:03 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	loader.exe
Detection:	MAL
Classification:	mal88.troj.evad.winEXE@2/1@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 36 Number of non-executed functions: 31
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: loader.exe

Process:	C:\Users\user\Desktop\loader.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1119
Entropy (8bit):	5.345080863654519
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0Hj
MD5:	88593431AEF401417595E7A00FE86E5F
SHA1:	1714B8F6F6DCAAB3F3853EDABA7687F16DD331F4
SHA-256:	ED5E60336FB00579E0867B9615CBD0C560BB667FE3CEE0674F690766579F1032
SHA-512:	1D442441F96E69D8A6D5FB7E8CF01F13AF88CA2C2D0960120151B15505DD1CADC607EF9983373BA8E422C65FADAB04A615968F335A875B5C075BB9A6D0F346C9
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	7.7058622467844184
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	loader.exe
File size:	363'008 bytes
MD5:	b750903ba5abb6ee7528aad139ec6404
SHA1:	9a6107f86b044d6783a202c3f16310d2ca60f149
SHA256:	11f98be1f2418783aec952a9814bbe8c26010554c2662671ab4b18f7e425b4b6
SHA512:	1dccfd19559ce3e96c96b85befccd5237baf057bc7e64e1eefc29f01bd4832fe36c602c74eec430d05be9d2a6dc443441a455af748340c7499944df15d128015
SSDEEP:	6144:aDKW1Lgbdl0TBBvjc/uw7pv5tBsT8/z5vAULpkrVsDv1PPFMmDLze8UD5:ch1Lk70TnvjcWSJ5tGwr5vAULir6r1Hs
TLSH:	CD74E12175C1C2B3C4BA113444EACBBA5A3A30714776D5D7BBED2BB65F212E0A3351CA
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......h..-,q.~,q.~,q.~2#.~?q.~...~+q.~,q.~\q.~2#n~.q.~2#i~.q.~2#{~-q.~Rich,q.~........................PE..L...t..P..........#........

File Icon


Icon Hash:	f8da8e868e8e9200

Static PE Info

General

Entrypoint:	0x40cd2f
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x5000A574 [Fri Jul 13 22:47:16 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	bf5a4aa99e5b160f8521cadd6bfe73b8

Entrypoint Preview

Instruction
call 00007F91DD1B0886h
jmp 00007F91DD1AAA49h
mov edi, edi
push ebp
mov ebp, esp
sub esp, 20h
mov eax, dword ptr [ebp+08h]
push esi
push edi
push 00000008h
pop ecx
mov esi, 0041F058h
lea edi, dword ptr [ebp-20h]
rep movsd
mov dword ptr [ebp-08h], eax
mov eax, dword ptr [ebp+0Ch]
pop edi
mov dword ptr [ebp-04h], eax
pop esi
test eax, eax
je 00007F91DD1AABAEh
test byte ptr [eax], 00000008h
je 00007F91DD1AABA9h
mov dword ptr [ebp-0Ch], 01994000h
lea eax, dword ptr [ebp-0Ch]
push eax
push dword ptr [ebp-10h]
push dword ptr [ebp-1Ch]
push dword ptr [ebp-20h]
call dword ptr [0041B000h]
leave
retn 0008h
ret
mov eax, 00413563h
mov dword ptr [004228E4h], eax
mov dword ptr [004228E8h], 00412C4Ah
mov dword ptr [004228ECh], 00412BFEh
mov dword ptr [004228F0h], 00412C37h
mov dword ptr [004228F4h], 00412BA0h
mov dword ptr [004228F8h], eax
mov dword ptr [004228FCh], 004134DBh
mov dword ptr [00422900h], 00412BBCh
mov dword ptr [00422904h], 00412B1Eh
mov dword ptr [00422908h], 00412AABh
ret
mov edi, edi
push ebp
mov ebp, esp
call 00007F91DD1AAB3Bh
call 00007F91DD1B13C0h
cmp dword ptr [ebp+00h], 00000000h

Rich Headers

Programming Language:

[ASM] VS2008 build 21022
[IMP] VS2005 build 50727
[C++] VS2008 build 21022
[ C ] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x215b4	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x26000	0x368d4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1b1c0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x20da0	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1b000	0x184	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x19718	0x19800	ecbabfdf66cefaa7393d1b46f933edc4	False	0.5789483762254902	data	6.748549779726586	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x1b000	0x6db4	0x6e00	5826801f33fc1b607aa8e942aa92e9fa	False	0.5467329545454546	data	6.442956247632331	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x22000	0x30c0	0x1600	2fe51a72ede820cd7cf55a77ba59b1f4	False	0.3126775568181818	data	3.2625868398009703	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x26000	0x368d4	0x36a00	05c6368bb687350e8592913e7db6b4b4	False	0.9936445223112128	data	7.9945096700687674	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x261b4	0xf279	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9934109838416059
RT_RCDATA	0x35430	0x26f6f	data	1.0003508793914748
RT_RCDATA	0x5c3a0	0x20	Non-ISO extended-ASCII text, with no line terminators, with escape sequences	1.34375
RT_GROUP_ICON	0x5c3c0	0x14	data	1.05
RT_VERSION	0x5c3d4	0x312	data	0.45165394402035625
RT_MANIFEST	0x5c6e8	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
KERNEL32.dll	RaiseException, GetLastError, MultiByteToWideChar, lstrlenA, InterlockedDecrement, GetProcAddress, LoadLibraryA, FreeResource, SizeofResource, LockResource, LoadResource, FindResourceA, GetModuleHandleA, Module32Next, CloseHandle, Module32First, CreateToolhelp32Snapshot, GetCurrentProcessId, SetEndOfFile, GetStringTypeW, GetStringTypeA, LCMapStringW, LCMapStringA, GetLocaleInfoA, HeapFree, GetProcessHeap, HeapAlloc, GetCommandLineA, HeapCreate, VirtualFree, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, VirtualAlloc, HeapReAlloc, HeapSize, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetModuleHandleW, Sleep, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, ReadFile, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, FlushFileBuffers, SetFilePointer, SetHandleCount, GetFileType, GetStartupInfoA, RtlUnwind, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetTickCount, GetSystemTimeAsFileTime, InitializeCriticalSectionAndSpinCount, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, CompareStringA, CompareStringW, SetEnvironmentVariableA, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, SetStdHandle, CreateFileA
ole32.dll	OleInitialize
OLEAUT32.dll	SafeArrayCreate, SafeArrayAccessData, SafeArrayUnaccessData, SafeArrayDestroy, SafeArrayCreateVector, VariantClear, VariantInit, SysFreeString, SysAllocString

Target ID:	0
Start time:	09:16:17
Start date:	04/10/2024
Path:	C:\Users\user\Desktop\loader.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\loader.exe"
Imagebase:	0x400000
File size:	363'008 bytes
MD5 hash:	B750903BA5ABB6EE7528AAD139EC6404
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	09:16:17
Start date:	04/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	12.6%
Dynamic/Decrypted Code Coverage:	74.2%
Signature Coverage:	5.6%
Total number of Nodes:	858
Total number of Limit Nodes:	66

Executed Functions

Function 004019F0 Relevance: 146.0, APIs: 34, Strings: 49, Instructions: 747
comprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 004019FD
_getenv.LIBCMT ref: 00401ABA
GetCurrentProcessId.KERNEL32 ref: 00401ACD
CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00401AD6
Module32First.KERNEL32 ref: 00401C48
CloseHandle.KERNEL32(00000000,?,?,00000008,00000000), ref: 00401C9D
Module32Next.KERNEL32(00000000,?), ref: 00401D02
Module32Next.KERNEL32(00000000,?), ref: 00401DB6
CloseHandle.KERNELBASE(00000000), ref: 00401DC4
GetModuleHandleA.KERNEL32(00000000), ref: 00401DCB
FindResourceA.KERNEL32(00000000,00000000,00000008), ref: 00401E90
LoadResource.KERNEL32(00000000,00000000), ref: 00401E9E
LockResource.KERNEL32(00000000), ref: 00401EA7
SizeofResource.KERNEL32(00000000,00000000), ref: 00401EB3
_malloc.LIBCMT ref: 00401EBA
_memset.LIBCMT ref: 00401EDD
SizeofResource.KERNEL32(00000000,?), ref: 00401F02

Strings

U, xrefs: 004020F5
h, xrefs: 00401A6F
., xrefs: 0040201F
[, xrefs: 00401B37
x, xrefs: 00402088
v, xrefs: 0040212C
', xrefs: 00402006
x, xrefs: 0040214A
), xrefs: 0040202E
x, xrefs: 00401B78
6, xrefs: 004020C5
v, xrefs: 0040206A
_._, xrefs: 00402257
!, xrefs: 00401B1E
D, xrefs: 00401DFB
:, xrefs: 00401B28
", xrefs: 00401B0F
4, xrefs: 00402074
V, xrefs: 00402038
*, xrefs: 004020E1
W, xrefs: 00402033
o, xrefs: 00401B8D
{, xrefs: 0040205B
!, xrefs: 004020CF
v, xrefs: 00401B5A
%, xrefs: 004020FA
{, xrefs: 00401E3C
x, xrefs: 00401E69
8, xrefs: 00401BA9
*, xrefs: 00401A1F
5, xrefs: 00402109
W, xrefs: 004020E6
E, xrefs: 00401E0F
4, xrefs: 00402136
!, xrefs: 0040201A
o, xrefs: 00402097
___, xrefs: 0040227D
0, xrefs: 00401BBD
4, xrefs: 00401B64
', xrefs: 00401AF6
v, xrefs: 00401E4B
[, xrefs: 00402047
W, xrefs: 00401B14
o, xrefs: 00402159
W, xrefs: 00401B23
., xrefs: 00401B0A
{, xrefs: 00401B4B
V, xrefs: 00401E19
{, xrefs: 0040211D

Memory Dump Source

Source File: 00000000.00000002.1505223066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1505186132.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505248370.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505271444.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505291294.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505310948.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505310948.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_loader.jbxd

Similarity

API ID: Resource$HandleModule32$CloseNextSizeof$CreateCurrentFindFirstInitializeLoadLockModuleProcessSnapshotToolhelp32_getenv_malloc_memset
String ID: !$!$!$"$%$'$'$)$*$*$.$.$0$4$4$4$5$6$8$:$D$E$U$V$V$W$W$W$W$[$[$_._$___$h$o$o$o$v$v$v$v$x$x$x$x${${${${
API String ID: 1430744539-2962942730
Opcode ID: 224088bd6fdf40f00aacdd5f7db7c03047c3cc993abb63ba2c7175de51848a6e
Instruction ID: 7b7814addfdf4b3cbdaef5ede101091f5fb3e94df766619d88950efa0d528cfd
Opcode Fuzzy Hash: 224088bd6fdf40f00aacdd5f7db7c03047c3cc993abb63ba2c7175de51848a6e
Instruction Fuzzy Hash: B3628C2100C7C19EC321DB388888A5FBFE55FA6328F484A5DF1E55B2E2C7799509C76B

Function 069E04D0 Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1510866762.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_69e0000_loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 048dabc711bfacf2bdfccc9ba1538021bcdccf0a3cb8097c044955a77ab97971
Instruction ID: b2cf4d11d85b41c7a0bfd7b79e302a536a34e2069ce2601484e3b91ea04ab987
Opcode Fuzzy Hash: 048dabc711bfacf2bdfccc9ba1538021bcdccf0a3cb8097c044955a77ab97971
Instruction Fuzzy Hash: 54A102B4D00218CFEB54DFA9C8487ADBBF6BF89300F209569D409A7291DB799A85CF50

Function 004018F0 Relevance: 6.3, APIs: 5, Instructions: 77
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(?), ref: 00401906
MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000001), ref: 0040192F
GetLastError.KERNEL32 ref: 00401940
MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401958
MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401980

Memory Dump Source

Source File: 00000000.00000002.1505223066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1505186132.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505248370.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505271444.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505291294.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505310948.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505310948.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_loader.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLastlstrlen
String ID:
API String ID: 3322701435-0
Opcode ID: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
Instruction ID: 001f8acd6346668203df0e37acbb0982e2c141f20d3592a2a78c171e7710dcce
Opcode Fuzzy Hash: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
Instruction Fuzzy Hash: 4011C4756003247BD3309B15CC88F677F6CEB86BA9F008169FD85AB291C635AC04C6F8

Function 022ED5F0 Relevance: 6.1, APIs: 4, Instructions: 133
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 022ED67E
GetCurrentThread.KERNEL32 ref: 022ED6BB
GetCurrentProcess.KERNEL32 ref: 022ED6F8
GetCurrentThreadId.KERNEL32 ref: 022ED751

Memory Dump Source

Source File: 00000000.00000002.1506386516.00000000022E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22e0000_loader.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: bafd65c14440de1b572f00573a6037224863b9fac02cd8b3cd9e85ddc2daeeb7
Instruction ID: edd99ca86f753a94c855f51e4537012c3766990a76ef975c8684b79bb605f9e0
Opcode Fuzzy Hash: bafd65c14440de1b572f00573a6037224863b9fac02cd8b3cd9e85ddc2daeeb7
Instruction Fuzzy Hash: 5D5154B0D0034A8FDB14DFAAD649BEEBBF1EB88314F208459E419A72A0DB745845CF65

Function 022ED600 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 022ED67E
GetCurrentThread.KERNEL32 ref: 022ED6BB
GetCurrentProcess.KERNEL32 ref: 022ED6F8
GetCurrentThreadId.KERNEL32 ref: 022ED751

Memory Dump Source

Source File: 00000000.00000002.1506386516.00000000022E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22e0000_loader.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 01cf2fd6b8355ecff6640c30261f3fa60f7ed46a9f4296b6cc1c765725f7dc47
Instruction ID: 9a64659e4a019e6975c901a21d08ab376b3bd3cadd8cb17184f63e3c2073493e
Opcode Fuzzy Hash: 01cf2fd6b8355ecff6640c30261f3fa60f7ed46a9f4296b6cc1c765725f7dc47
Instruction Fuzzy Hash: 4F5175B0D0030A8FDB14DFAAD648BDEBBF1EB88314F208459E419A73A0DB345845CF69

Function 0040AF66 Relevance: 6.0, APIs: 4, Instructions: 34
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_malloc.LIBCMT ref: 0040AF80

Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4

std::bad_alloc::bad_alloc.LIBCMT ref: 0040AFA3

Part of subcall function 0040AEFC: std::exception::exception.LIBCMT ref: 0040AF08

std::bad_exception::bad_exception.LIBCMT ref: 0040AFB7
__CxxThrowException@8.LIBCMT ref: 0040AFC5

Memory Dump Source

Source File: 00000000.00000002.1505223066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1505186132.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505248370.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505271444.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505291294.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505310948.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505310948.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_loader.jbxd

Similarity

API ID: AllocateException@8HeapThrow_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
String ID:
API String ID: 1411284514-0
Opcode ID: 248d97f5b0d58b32bb2c6dfd0cee56c1e8c558e55d5e2921fa5105a46d33be9f
Instruction ID: 8b9ae61c6da4be1dff3a05d3864a1109474d1d20ea1a05e38be312cad591667e
Opcode Fuzzy Hash: 248d97f5b0d58b32bb2c6dfd0cee56c1e8c558e55d5e2921fa5105a46d33be9f
Instruction Fuzzy Hash: 67F0BE21A0030662CA15BB61EC06D8E3B688F4031CB6000BFE811761D2CFBCEA55859E

Function 027B1D30 Relevance: 1.7, APIs: 1, Instructions: 237
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 027B1FA2

Memory Dump Source

Source File: 00000000.00000002.1507485968.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27b0000_loader.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: e3e193a90f4b2d8886b05d845024b72f137f0b54798179b07c897378d772690a
Instruction ID: c289683cf454d85b3c1164ada5010651443cd0f64e096c4f6e9a3472faeee00e
Opcode Fuzzy Hash: e3e193a90f4b2d8886b05d845024b72f137f0b54798179b07c897378d772690a
Instruction Fuzzy Hash: 56916E7180D3C89FCB03CFA5C8A0ADDBFB1AF4A214F1981DAE884AB163D7355915CB51

Function 022EB358 Relevance: 1.7, APIs: 1, Instructions: 206
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 022EB5BE

Memory Dump Source

Source File: 00000000.00000002.1506386516.00000000022E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22e0000_loader.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 958d327a1eb28822ed5530c86aeeb3387083d3887045dfb28e627842b228688d
Instruction ID: 2d2e71b30191603065ad7438052a424d7c7c1c71a4e8a58620e51dc649625290
Opcode Fuzzy Hash: 958d327a1eb28822ed5530c86aeeb3387083d3887045dfb28e627842b228688d
Instruction Fuzzy Hash: 78814770A10B058FDB24DF69D45179ABBF1FF88304F408A2DD48AD7A54D774E85ACB90

Function 027B1E85 Relevance: 1.6, APIs: 1, Instructions: 117
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 027B1FA2

Memory Dump Source

Source File: 00000000.00000002.1507485968.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27b0000_loader.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 90157a513a54b890a6a18cf94688f47b30288420f5720ad581a5b8335288212a
Instruction ID: 9b4a402d8467c873f352345830d330d4c07f6fb657999356a5d193bc0ecc7d45
Opcode Fuzzy Hash: 90157a513a54b890a6a18cf94688f47b30288420f5720ad581a5b8335288212a
Instruction Fuzzy Hash: 7451CCB1D013499FDB15CFAAC994ADEBBB5FF89310F64812AE819AB210D7709845CF90

Function 027B1E90 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 027B1FA2

Memory Dump Source

Source File: 00000000.00000002.1507485968.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27b0000_loader.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 6a53fc2074891adfee438a82624533225fa62c87685403608434ab5d5dbdfdef
Instruction ID: 89031e3bc3aea2a9cccf58a94e21b9bd8d9b5fafbabfd181c8e5f19ec21709f9
Opcode Fuzzy Hash: 6a53fc2074891adfee438a82624533225fa62c87685403608434ab5d5dbdfdef
Instruction Fuzzy Hash: 1941DDB1D003089FDB15CF9AC894ADEBBB5FF88314F64812AE819AB210D774A841CF90

Function 027B1424 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 027B4521

Memory Dump Source

Source File: 00000000.00000002.1507485968.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27b0000_loader.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 12d0b08aca764ea682134c8520f5827706ebbb7f117f11c53f8b95be6e1fb579
Instruction ID: 477469ec3567e6599841fd5a229e96ca4cf5e1012a3a39d6a2b21b0849498835
Opcode Fuzzy Hash: 12d0b08aca764ea682134c8520f5827706ebbb7f117f11c53f8b95be6e1fb579
Instruction Fuzzy Hash: 164149B9A003099FCB15CF89C458BAABBF5FF88314F24C499D519AB321D734A845CFA4

Function 022E5E75 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 022E5F31

Memory Dump Source

Source File: 00000000.00000002.1506386516.00000000022E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22e0000_loader.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 2cece6db1e7bf3ec95048d922c7b80590060855f880374579619b375f79b4f1a
Instruction ID: d5c0369fc6bc1f0b4192709cd4eb372963d959a84b6fe6bbae90008ae20c69b2
Opcode Fuzzy Hash: 2cece6db1e7bf3ec95048d922c7b80590060855f880374579619b375f79b4f1a
Instruction Fuzzy Hash: FC41F0B0C10719CBEB24CFA9C844BDEBBB5BF49304F60816AE409AB254DB756946CF51

Function 022E4998 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 022E5F31

Memory Dump Source

Source File: 00000000.00000002.1506386516.00000000022E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22e0000_loader.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: cbc179c8504a28b8cf295620f614ee9c90c0b713ec7f845872b39d174b2a48bb
Instruction ID: e122e220d171c7ff43c2135ab02614973fe5bd986d17740018811d136c7532cd
Opcode Fuzzy Hash: cbc179c8504a28b8cf295620f614ee9c90c0b713ec7f845872b39d174b2a48bb
Instruction Fuzzy Hash: F14102B0C10719CBEB24DFA9C844B9EBBF1BF49304F60816AE409AB254DB756946CF91

Function 02913204 Relevance: 1.6, APIs: 1, Instructions: 84
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendMessageW.USER32(?,?,?,?), ref: 0291DF45

Memory Dump Source

Source File: 00000000.00000002.1507647653.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2910000_loader.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 3d61801dac8e316ddecf8f792c28f18812db48dadd19d21fa80ff142e0e9d0ea
Instruction ID: 9300958dbb359e5cda4b936f21b1fb15524e5d3e988f14b6a82726be83e20464
Opcode Fuzzy Hash: 3d61801dac8e316ddecf8f792c28f18812db48dadd19d21fa80ff142e0e9d0ea
Instruction Fuzzy Hash: 53316DB1A00348DFDB24DFAAD484B9EBFF8EB89310F108459E419A7350C775A944CFA5

Function 022ED840 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 022ED8CF

Memory Dump Source

Source File: 00000000.00000002.1506386516.00000000022E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22e0000_loader.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 18478543d1142c3865f2f954a21698e9488a06dd1b309b07606adc68ece6a5b6
Instruction ID: d386f20663552d372b94ceb2fc686ca44c88244118e9135338ba169782767bf8
Opcode Fuzzy Hash: 18478543d1142c3865f2f954a21698e9488a06dd1b309b07606adc68ece6a5b6
Instruction Fuzzy Hash: 8F2103B5D00248AFDB10CFAAD984AEEBBF8EF48310F14805AE955A3350D374A951CFA0

Function 0291E948 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

GetClassInfoW.USER32(?,00000000), ref: 0291E9CC

Memory Dump Source

Source File: 00000000.00000002.1507647653.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2910000_loader.jbxd

Similarity

API ID: ClassInfo
String ID:
API String ID: 3534257612-0
Opcode ID: f49ce18228aee565f8c5771f44540ea34716c50a0477b7af69080ca53a1c5b06
Instruction ID: 3ecd7384c01cc3f713f99c03629cc7a45df52b2d8fbe739482f03457083e722f
Opcode Fuzzy Hash: f49ce18228aee565f8c5771f44540ea34716c50a0477b7af69080ca53a1c5b06
Instruction Fuzzy Hash: 272114B6D016499FDB10DF9AD884BDEFBF8BF48214F14802AE859A3240D338A904CB64

Function 022ED848 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 022ED8CF

Memory Dump Source

Source File: 00000000.00000002.1506386516.00000000022E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22e0000_loader.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 3dc5ad37360f314ac8094d548ae3a2e2a049ff02218826e3e4d437d9bd2d231f
Instruction ID: 9b1d5bcac58bcb7eecb69f06017949c13e31fc7f48058f6a8d7acbf396edeadd
Opcode Fuzzy Hash: 3dc5ad37360f314ac8094d548ae3a2e2a049ff02218826e3e4d437d9bd2d231f
Instruction Fuzzy Hash: 7021E4B5D002499FDB10CFAAD984ADEBBF8EB48310F54801AE915A3350D374A941CFA0

Function 0291E950 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetClassInfoW.USER32(?,00000000), ref: 0291E9CC

Memory Dump Source

Source File: 00000000.00000002.1507647653.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2910000_loader.jbxd

Similarity

API ID: ClassInfo
String ID:
API String ID: 3534257612-0
Opcode ID: e008f7c0a42fe8510a15bbef9097ce677bb05f794e01aa527d87fa48dcb781fe
Instruction ID: 19c8cb8c70e51cbaaa895905e015ca74d6462a3a7bd387860289e1e0ef7f8069
Opcode Fuzzy Hash: e008f7c0a42fe8510a15bbef9097ce677bb05f794e01aa527d87fa48dcb781fe
Instruction Fuzzy Hash: 322113B5D017098FDB10DF9AD984BDEFBF8FB48324F14842AE859A3240D378A904CB65

Function 0291B061 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(?,00000000), ref: 0291B0D2

Memory Dump Source

Source File: 00000000.00000002.1507647653.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2910000_loader.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: d1bfe9120e559d2be6071778e068b1b325e02d325062d03456f06445e8d102a4
Instruction ID: d9c778aa6545a9a75c553ea9dfa6529615fb87a43e2f5b9ae8859623b92d67c2
Opcode Fuzzy Hash: d1bfe9120e559d2be6071778e068b1b325e02d325062d03456f06445e8d102a4
Instruction Fuzzy Hash: CB2136B6D002498FDB24CF9AD545BEEFBF5EB88324F14C02AD468A3240C739A545CFA1

Function 0291B068 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(?,00000000), ref: 0291B0D2

Memory Dump Source

Source File: 00000000.00000002.1507647653.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2910000_loader.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: 452fbcd480e30c1647e4d16a91bbdf17b837ccb50954ddfda4de53c253ee6faa
Instruction ID: efd9f8aeec69390b03153c1c0a8d2d1f23a23a28ce4d7bfefd60402f49b1b24e
Opcode Fuzzy Hash: 452fbcd480e30c1647e4d16a91bbdf17b837ccb50954ddfda4de53c253ee6faa
Instruction Fuzzy Hash: 831114B6D002498FDB14CF9AC944BDEFBF5EB88324F10C02AD868A3240D739A545CFA1

Function 069E74A8 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetConsoleWindow.KERNELBASE ref: 069E750F

Memory Dump Source

Source File: 00000000.00000002.1510866762.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_69e0000_loader.jbxd

Similarity

API ID: ConsoleWindow
String ID:
API String ID: 2863861424-0
Opcode ID: b821106b530e060e5c9930cdf1ee7d6be9d672c422140decc8e5f43aecc1d9a4
Instruction ID: a6223cff369e0b169852b0ce486280746e9e40d972e3cd73453b0c19a256d7d4
Opcode Fuzzy Hash: b821106b530e060e5c9930cdf1ee7d6be9d672c422140decc8e5f43aecc1d9a4
Instruction Fuzzy Hash: FA113A71D003498FDB24DFAAD8457DEBBF5EF48324F248819D419A7640CB399941CF91

Function 0291C6D8 Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000018,00000001,?), ref: 0291C73D

Memory Dump Source

Source File: 00000000.00000002.1507647653.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2910000_loader.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 2d2e8e6a810f2a15aacb1a2f87021fb9029fcf0dee9ab16c1a897ccdd3672a34
Instruction ID: bc25f4fe9fa84aada306f3c1a9e5bb79c3831b1145532d5da071340dd45bf3ae
Opcode Fuzzy Hash: 2d2e8e6a810f2a15aacb1a2f87021fb9029fcf0dee9ab16c1a897ccdd3672a34
Instruction Fuzzy Hash: 9811F5B5800349DFDB10DF9AD945BDEBBF8EB48324F10845AD554A7210C375A945CFA1

Function 069E74B0 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetConsoleWindow.KERNELBASE ref: 069E750F

Memory Dump Source

Source File: 00000000.00000002.1510866762.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_69e0000_loader.jbxd

Similarity

API ID: ConsoleWindow
String ID:
API String ID: 2863861424-0
Opcode ID: 1b97f314d6b1aec5bbe7d7cd4e3a1b7892247b991af94773370d2d7049175812
Instruction ID: 730c86a9ec5e054e228f70d7af84f25be1dac5faa93ddd4b81323445eb92924b
Opcode Fuzzy Hash: 1b97f314d6b1aec5bbe7d7cd4e3a1b7892247b991af94773370d2d7049175812
Instruction Fuzzy Hash: FA111871D003498FDB24DFAAC8457DEFBF4EB48324F248419D419A7240DB79A945CF95

Function 022EB558 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 022EB5BE

Memory Dump Source

Source File: 00000000.00000002.1506386516.00000000022E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22e0000_loader.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 152bac51475700ab55183e92b0fe773ab557e4111eb63a85d48499ecdc7c026d
Instruction ID: a0015783fecaca1e3bf4eef1b5f902a1d548118aa00ccda23307952a4a006b5d
Opcode Fuzzy Hash: 152bac51475700ab55183e92b0fe773ab557e4111eb63a85d48499ecdc7c026d
Instruction Fuzzy Hash: BE1102B5C003498FDB10DF9AD444BDEFBF4AB88314F14841AD429A7210D375A545CFA1

Function 02918C00 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000018,00000001,?), ref: 0291C73D

Memory Dump Source

Source File: 00000000.00000002.1507647653.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2910000_loader.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 45158aa26e2c27673739ead920951ac28c91857b749f7d6caedcc4ef42078b00
Instruction ID: f44e023533825cecadd649205b3a9b246e34ed2dad32a40acf1e553476835730
Opcode Fuzzy Hash: 45158aa26e2c27673739ead920951ac28c91857b749f7d6caedcc4ef42078b00
Instruction Fuzzy Hash: FD1103B590034DDFDB20DF9AD985BDEBBF8EB48324F10845AE518A7200C375A944CFA5

Function 00401870 Relevance: 1.5, APIs: 1, Instructions: 33memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040AF66: _malloc.LIBCMT ref: 0040AF80

SysAllocString.OLEAUT32 ref: 00401898

Memory Dump Source

Source File: 00000000.00000002.1505223066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1505186132.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505248370.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505271444.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505291294.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505310948.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505310948.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_loader.jbxd

Similarity

API ID: AllocString_malloc
String ID:
API String ID: 959018026-0
Opcode ID: 2b2277ba2f7599175ad158743716730806d9da3e8ba5769d67c84622d6ab0768
Instruction ID: c2922591c351a4c461934d9b8210169c8be4224f150a02a6988c85a72df9e820
Opcode Fuzzy Hash: 2b2277ba2f7599175ad158743716730806d9da3e8ba5769d67c84622d6ab0768
Instruction Fuzzy Hash: BEF02073501322A7E3316B658841B47B6E8DF80B28F00823FFD44BB391D3B9C85082EA

Function 027B2109 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 027B2135

Memory Dump Source

Source File: 00000000.00000002.1507485968.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27b0000_loader.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 47a005429a82f7024daa8ae832215990efe3ab6e7b5fad74b5e1e1488238310c
Instruction ID: 77b2e46c03316883ea0cf4c627ca18be25f436ebb42bfe13492221cf352d70dc
Opcode Fuzzy Hash: 47a005429a82f7024daa8ae832215990efe3ab6e7b5fad74b5e1e1488238310c
Instruction Fuzzy Hash: F2F0E2B59002099FDB10DF89D485BDEBBF4EF88324F20845AE969A7251C378A945CFA1

Function 0040D534 Relevance: 1.5, APIs: 1, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 0040D549

Memory Dump Source

Source File: 00000000.00000002.1505223066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1505186132.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505248370.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505271444.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505291294.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505310948.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505310948.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_loader.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: b92e553731a4154449cde6b8e59536b0b0aa674871376bfeaf174e1f515a675d
Instruction ID: a29dbb507fbbbc11cf477c5ad410ace9233c9b691e3651c0b65acef059567112
Opcode Fuzzy Hash: b92e553731a4154449cde6b8e59536b0b0aa674871376bfeaf174e1f515a675d
Instruction Fuzzy Hash: E8D05E36A54348AADB11AFB47C08B623BDCE388396F404576F80DC6290F678D641C548

Function 0076D4E8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1505590280.000000000076D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0076D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76d000_loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d33f230e359f10db701d2dc3bd9a7b0d040adafe70a80124e7d33f3fc0affa3
Instruction ID: e2125cef7dd6abd3b81158f5dcc78ae9f517bf18f63179d5feb2f784ac595c67
Opcode Fuzzy Hash: 6d33f230e359f10db701d2dc3bd9a7b0d040adafe70a80124e7d33f3fc0affa3
Instruction Fuzzy Hash: 132106B1A14200DFDB25DF10D9C0B16BF65FB98318F248569DC0B0B647C33ADD66CAA2

Function 0077D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1505665026.000000000077D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0077D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77d000_loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ef7ab996fab075c6c98602037d8c21005bbe6bc9caf93032a175ffae1ebba81
Instruction ID: ec2964a4b7cf1eb359d7a4231fab4feed30862e5dd10dea5e673d368114fa806
Opcode Fuzzy Hash: 4ef7ab996fab075c6c98602037d8c21005bbe6bc9caf93032a175ffae1ebba81
Instruction Fuzzy Hash: CE21C1716042049FDF25DF10D980B15BBB5FF84324F24C5A9D84D4B242C33ADC47CA61

Function 0077D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1505665026.000000000077D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0077D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77d000_loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d06d4fd9397f4f9f359577b4bdc3a35eaa842d2090cd7324fa320b7b8c69288a
Instruction ID: 8fe8d95a44e4a4da4b0f037c9bc4f2997f4128f4ba42b4b704a0d4627b07d75f
Opcode Fuzzy Hash: d06d4fd9397f4f9f359577b4bdc3a35eaa842d2090cd7324fa320b7b8c69288a
Instruction Fuzzy Hash: 0F21CF756042049FDF24DF14D984B26BBB5EB88314F24C569D84D4B286C33ADC47CA62

Function 0076D4E3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1505590280.000000000076D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0076D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76d000_loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f63b2946cef6f228bea6bf308b0c32d66e3d437da7a1df527002fe7e9624e2f1
Instruction ID: c040383d711aa549c8186ad2e3d534f68aaff787b757a008e3c6fa40c67a68af
Opcode Fuzzy Hash: f63b2946cef6f228bea6bf308b0c32d66e3d437da7a1df527002fe7e9624e2f1
Instruction Fuzzy Hash: C311B176A04280CFCB15CF10D9C4B16BF72FB98324F2485A9DC0A4B657C33AD866CBA1

Function 0077D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1505665026.000000000077D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0077D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77d000_loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04350605a9db7d138f2fbe48ca01c73726ab69fdae8acd1ee8d1c9fc5ffa3134
Instruction ID: 7186bf6fe5f9469e4339349d5879813dcfb46b967d8be26463dd3721dcc5cf76
Opcode Fuzzy Hash: 04350605a9db7d138f2fbe48ca01c73726ab69fdae8acd1ee8d1c9fc5ffa3134
Instruction Fuzzy Hash: 1E118E75504284DFCB15CF14D5C4B15BBB2FB44314F24C6A9D84D4B656C33AD85ACB61

Function 0077D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1505665026.000000000077D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0077D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77d000_loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04350605a9db7d138f2fbe48ca01c73726ab69fdae8acd1ee8d1c9fc5ffa3134
Instruction ID: 7c919ebc49b885a445e5bf069c898ef8f0e898de04e3d5da52ae5eece6615219
Opcode Fuzzy Hash: 04350605a9db7d138f2fbe48ca01c73726ab69fdae8acd1ee8d1c9fc5ffa3134
Instruction Fuzzy Hash: 00118B75504280DFCB15DF14D6C4B15BBB2FF84324F28C6ADD8494B696C33AD84ACB61

Function 0076D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1505590280.000000000076D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0076D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76d000_loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a07728bf40f06818d61a5313922ecf025a7d287d91180f3721fb11cd7c9b61ba
Instruction ID: 122ffc7cb5263b3a66c9b9847a9d07ec1c5bf27ef6a6fc796eeafec20c089980
Opcode Fuzzy Hash: a07728bf40f06818d61a5313922ecf025a7d287d91180f3721fb11cd7c9b61ba
Instruction Fuzzy Hash: A701F271A183449EE7304A21CC84B66BF98DF81325F18C06AEC4A0B282C27C9C46CAB2

Function 0076D01C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1505590280.000000000076D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0076D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76d000_loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bbbad51dd8cb9594fd7acf7ee02a7ec2517f6498879357ebc3195731bbd8483
Instruction ID: 2ab9fa0cb89ff850b75ba99ee89f82ebfc813a88dca5d2b7b7d5cb1c6b8f2c74
Opcode Fuzzy Hash: 2bbbad51dd8cb9594fd7acf7ee02a7ec2517f6498879357ebc3195731bbd8483
Instruction Fuzzy Hash: 0EF0F071604344AEEB208E16CC84B63FFD8EB81334F18C15AED490F286C279AC44CBB1

Non-executed Functions

Function 0040CE09 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 004136F4
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00413709
UnhandledExceptionFilter.KERNEL32(0041FB80), ref: 00413714
GetCurrentProcess.KERNEL32(C0000409), ref: 00413730
TerminateProcess.KERNEL32(00000000), ref: 00413737

Memory Dump Source

Source File: 00000000.00000002.1505223066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1505186132.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505248370.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505271444.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505291294.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505310948.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505310948.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_loader.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 8d1f5aed7c5dfd20079dd4d946f02ab3c4db913f1b194ab0176bc05653236347
Instruction ID: 93bf0ba95bc2a0faef8203f21c221f33afe887fd41373e09ae0fa508b254143b
Opcode Fuzzy Hash: 8d1f5aed7c5dfd20079dd4d946f02ab3c4db913f1b194ab0176bc05653236347
Instruction Fuzzy Hash: A521C3B4601204EFD720DF65E94A6457FB4FB08356F80407AE50887772E7B86682CF4D

Function 00408C60 Relevance: 4.1, Strings: 3, Instructions: 377COMMON

Download Yara Rule

Strings

@, xrefs: 00409092
PA, xrefs: 00408E3D
@, xrefs: 00408D03

Memory Dump Source

Source File: 00000000.00000002.1505223066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1505186132.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505248370.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505271444.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505291294.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505310948.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505310948.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_loader.jbxd

Similarity

API ID:
String ID: @$@$PA
API String ID: 0-3039612711
Opcode ID: 524773d1bc2011db47f0014430bcd25baf081f96639b8f8b2c6f9a821cea509b
Instruction ID: 284407f43597d2b1529aa5dbb826e4f49811f0ea4eaa41d9cabafce47d44ff82
Opcode Fuzzy Hash: 524773d1bc2011db47f0014430bcd25baf081f96639b8f8b2c6f9a821cea509b
Instruction Fuzzy Hash: 64E159316083418FC724DF28C58066BB7E1AFD9314F14493EE8C5A7391EB79D949CB8A

Function 0040ADB0 Relevance: 2.5, APIs: 2, Instructions: 23memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0040ADD0
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0040ADE1

Memory Dump Source

Source File: 00000000.00000002.1505223066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1505186132.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505248370.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505271444.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505291294.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505310948.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505310948.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_loader.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 97be969a41baf58eb72298c462d2c401217e5b830f10c891868ac5f2a1a85b43
Instruction ID: 72dd180cd7110ee49b406fd12918c6a771032a3efea8c67e715e4993f3fed615
Opcode Fuzzy Hash: 97be969a41baf58eb72298c462d2c401217e5b830f10c891868ac5f2a1a85b43
Instruction Fuzzy Hash: 54E09A312003009FC320AB61DC08FA337AAEF88311F04C829E55A936A0DB78EC42CB58

Function 004123F1 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000123AF), ref: 004123F6

Memory Dump Source

Source File: 00000000.00000002.1505223066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1505186132.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505248370.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505271444.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505291294.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505310948.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505310948.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_loader.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 4924e8eeaf860e2c76ee0bfea96ab0c911441afc8f12962253436aa9ca0899ee
Instruction ID: 17be93bd3878235df00445469c4c747c8dbd7a907b9f456768254b9c32cbcc1b
Opcode Fuzzy Hash: 4924e8eeaf860e2c76ee0bfea96ab0c911441afc8f12962253436aa9ca0899ee
Instruction Fuzzy Hash: CA900270661144D7865017705D0968669949B4C6427618471653DD4098DBAA40505569

Function 00407C3F Relevance: .8, Instructions: 783COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1505223066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1505186132.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505248370.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505271444.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505291294.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505310948.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505310948.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8976f0a61fc1960936828f21bd26f3318fd330ab7a4f50ce487ee3b945538f04
Instruction ID: d5e3495c9826dce769b252ea72d1bcaf7b5d46a24141b332915225fd3cdae7ad
Opcode Fuzzy Hash: 8976f0a61fc1960936828f21bd26f3318fd330ab7a4f50ce487ee3b945538f04
Instruction Fuzzy Hash: 9852A471A047129FC708CF29C99066AB7E1FF88304F044A3EE896E7B81D739E955CB95

Function 0291CE88 Relevance: .7, Instructions: 653COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1507647653.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2910000_loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38776f4f640d1c4cdfdccd3ed4ed7c2166a1eaa8f865203e2d05c9c81e6398fc
Instruction ID: f028f75df1cc95a162c610ae342cf76e37780dd17b825fa07af38f814f924ced
Opcode Fuzzy Hash: 38776f4f640d1c4cdfdccd3ed4ed7c2166a1eaa8f865203e2d05c9c81e6398fc
Instruction Fuzzy Hash: 1A426D70E00218CFDB68DF69C89479EBBF6AF88300F148569D40AAB395DB349D45CFA5

Function 004073A0 Relevance: .6, Instructions: 633COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1505223066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1505186132.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505248370.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505271444.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505291294.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505310948.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505310948.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20055dc05f39624d89f9d13173d00032c9ddb5f23ed3028259e70998ae7a08b4
Instruction ID: 17d22deff8d32e931318445bbea846c6b698fa6fcc44f6923348d96d7e24b863
Opcode Fuzzy Hash: 20055dc05f39624d89f9d13173d00032c9ddb5f23ed3028259e70998ae7a08b4
Instruction Fuzzy Hash: 0A329E70A087029FD318CF29C98472AB7E1BF84304F148A3EE89567781D779E955CBDA

Function 069E6C23 Relevance: .5, Instructions: 494COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1510866762.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_69e0000_loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f3ebbf78d0ed5c7f2dffe9a19763a9a2c8d8fc3f1107b5f2545f76520b2e43b
Instruction ID: 0fbf0b7f23dc57619c969a8e3dda3caf26ac4b08a4bdd4852e0d641ca8d42784
Opcode Fuzzy Hash: 6f3ebbf78d0ed5c7f2dffe9a19763a9a2c8d8fc3f1107b5f2545f76520b2e43b
Instruction Fuzzy Hash: 1022B971E002298FDB68CFA9CD90BEDBBB2AF88300F5481A9D509E7355DA745E85CF50

Function 00406CA0 Relevance: .4, Instructions: 401COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1505223066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1505186132.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505248370.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505271444.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505291294.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505310948.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505310948.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 020392db844ceed98276714fd2150c2ad4a639f6bad3fb02a1d0621011a6745a
Instruction ID: cc67e10771130af0a5279b37c8f7fa75a2653c997645fd1ae8a0b8309c7f2627
Opcode Fuzzy Hash: 020392db844ceed98276714fd2150c2ad4a639f6bad3fb02a1d0621011a6745a
Instruction Fuzzy Hash: 48E1D6306083514FC708CF28C99456ABBE2EFC5304F198A7EE8D68B386D779D94ACB55

Function 027B01D8 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1507485968.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27b0000_loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8951b8aa3e76bc2ccc1a61df66fafc4f02023fd2eaa253d4af1a46ea822a515f
Instruction ID: d5ee736d3b97185eed0b9733252a85ce13eb03007136eb5fdb63e2d742098c8b
Opcode Fuzzy Hash: 8951b8aa3e76bc2ccc1a61df66fafc4f02023fd2eaa253d4af1a46ea822a515f
Instruction Fuzzy Hash: D812A7B2C917458AE710CF25EDCC1893BA1BB45318FD04A1AD2611F2E9E7B4166EEF4C

Function 0291D3B0 Relevance: .3, Instructions: 279COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1507647653.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2910000_loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6005a7600f756fd5097fa1b2bc790d925d7ac9508256c478d4bf622a44b9522b
Instruction ID: ad61e9a3884c9866a05bd75b14cdf33d77014c47f40f0df4d57c64148ae1fc16
Opcode Fuzzy Hash: 6005a7600f756fd5097fa1b2bc790d925d7ac9508256c478d4bf622a44b9522b
Instruction Fuzzy Hash: BDC15C71E00258DFDF25DF66C88079DBBB2AF89304F14C5AAD449AB255DB30E985CFA0

Function 022EE17C Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1506386516.00000000022E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22e0000_loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a70635f3d8a19360c48ccfe038ea28ddf0685be6efdfcc9f791645a4982515dd
Instruction ID: aa6d15dfa87bea9f1a4536bf5cd0f30cd2e41c45f6cdc5f344de3b6202b552a2
Opcode Fuzzy Hash: a70635f3d8a19360c48ccfe038ea28ddf0685be6efdfcc9f791645a4982515dd
Instruction Fuzzy Hash: 1AA1AC32E1030A8FCF19DFE4C98459EB7B2FF85300B55456AE806AB269DB71E945DF40

Function 027B01C8 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1507485968.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27b0000_loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f82bc77872a8856b0f74054ee5ace475da95ba4bcb0b60e8b0a2ea81399fba0
Instruction ID: dd757ab304c152d8e1c4e5f412a3f6914107993b1130fead4053fd3c617872cd
Opcode Fuzzy Hash: 2f82bc77872a8856b0f74054ee5ace475da95ba4bcb0b60e8b0a2ea81399fba0
Instruction Fuzzy Hash: 86C10BB2C917458BD714CF25ECCC1897BB1BB85314F904B1AD1612B2D8EBB4166EEF48

Function 00402B90 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1505223066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1505186132.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505248370.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505271444.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505291294.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505310948.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505310948.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 519d71d31dfe2b71d65c539f7253ce4d0ce1a0c509a5eaaf561cac07154b4855
Instruction ID: 74c1b90a01db230de662c72faab58802bb742d928f34651097fec506a9751401
Opcode Fuzzy Hash: 519d71d31dfe2b71d65c539f7253ce4d0ce1a0c509a5eaaf561cac07154b4855
Instruction Fuzzy Hash: 15717072A9155347E39CCF5CECD17763713DBC5351F49C23ACA025B6EAC938A922C688

Function 004028B0 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1505223066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1505186132.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505248370.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505271444.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505291294.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505310948.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505310948.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56d4400f77c04dc4446d24fbb084ed78fa0beaad766ef6ff58d44a670f1be69a
Instruction ID: e93c334361593eb17f37b37ed9e80cdb2c00b1b1e1af3e0e9a736190e966ddef
Opcode Fuzzy Hash: 56d4400f77c04dc4446d24fbb084ed78fa0beaad766ef6ff58d44a670f1be69a
Instruction Fuzzy Hash: 4A615E3266055747E391DF6DEEC47663762EBC9351F18C630CA008B6A6CB39B92297CC

Function 00401650 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1505223066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1505186132.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505248370.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505271444.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505291294.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505310948.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505310948.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f84f8abda09efbfc4fc50908dec446613bf2f52d635c093d4d9c5e236f650133
Instruction ID: 39afabd8a370e1aacf823bb5b0eb141e0e266d105c364ee31248ba7b153c19f0
Opcode Fuzzy Hash: f84f8abda09efbfc4fc50908dec446613bf2f52d635c093d4d9c5e236f650133
Instruction Fuzzy Hash: 2851F94400D7E18EC716873A44E0AA7BFD10FAB115F4E9ACDA5E90B2E3C159C288DB77

Function 00402F20 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1505223066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1505186132.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505248370.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505271444.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505291294.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505310948.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505310948.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5804b07f674ae3d268ec1438c7da71b35f3107e62f64f1f633515dfb68ee091a
Instruction ID: cff114a85fcb8f5deb46d81d22c4208fa3965af46b01a687ebeadebabb5a60ab
Opcode Fuzzy Hash: 5804b07f674ae3d268ec1438c7da71b35f3107e62f64f1f633515dfb68ee091a
Instruction Fuzzy Hash: 9A31D8302052028BE738CE19C954BEBB3B5AFC0349F44883ED986A73C4DABDD945D795

Function 00402F89 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1505223066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1505186132.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505248370.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505271444.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505291294.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505310948.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505310948.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9961543af999a1320c5b9d9b8c59a9b64f893fc8dbb42675723320a25693eab2
Instruction ID: 40597224e526abc728bb10992f322fa75c91b34d76fbbe6bc80328d1c420bfc2
Opcode Fuzzy Hash: 9961543af999a1320c5b9d9b8c59a9b64f893fc8dbb42675723320a25693eab2
Instruction Fuzzy Hash: F321923170520247EB68C929C9547ABB3A5ABC0389F48853EC986A73C8DAB9E941D785

Function 004057B0 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 205COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 004057DE

Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4

_malloc.LIBCMT ref: 00405842
_malloc.LIBCMT ref: 00405906
_malloc.LIBCMT ref: 00405930

Strings

1.2.3, xrefs: 004058EC, 00405937

Memory Dump Source

Source File: 00000000.00000002.1505223066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1505186132.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505248370.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505271444.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505291294.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505310948.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505310948.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_loader.jbxd

Similarity

API ID: _malloc$AllocateHeap
String ID: 1.2.3
API String ID: 680241177-2310465506
Opcode ID: 64d57b24c90c17737e8f9baa349f19b9f9970d6aaf881d525023fd74c78c4ea3
Instruction ID: 6f54ea0e5a0cddcbb7a6eab5c61130b8c10e9e343dc86a4c4a61a5a67c51a18e
Opcode Fuzzy Hash: 64d57b24c90c17737e8f9baa349f19b9f9970d6aaf881d525023fd74c78c4ea3
Instruction Fuzzy Hash: 8B61F7B1944B408FD720AF2A888066BBBE0FB45314F548D3FE5D5A3781D739D8498F5A

Function 0040BCC2 Relevance: 10.7, APIs: 7, Instructions: 189COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040BD24
_memcpy_s.LIBCMT ref: 0040BD99
__fileno.LIBCMT ref: 0040BDF9
__read.LIBCMT ref: 0040BE00
__filbuf.LIBCMT ref: 0040BE24
_memset.LIBCMT ref: 0040BE6A
_memset.LIBCMT ref: 0040BE95

Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1

Memory Dump Source

Source File: 00000000.00000002.1505223066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1505186132.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505248370.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505271444.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505291294.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505310948.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505310948.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_loader.jbxd

Similarity

API ID: _memset$__filbuf__fileno__getptd_noexit__read_memcpy_s
String ID:
API String ID: 3886058894-0
Opcode ID: c4afc057559a022db8f819d9985b866907c7fad8716f86744927840939a860f5
Instruction ID: 0234425abcb0213f77efd30778ac7634d7a408156a07f93f58cd91f86a00e979
Opcode Fuzzy Hash: c4afc057559a022db8f819d9985b866907c7fad8716f86744927840939a860f5
Instruction Fuzzy Hash: 1E519031A00605ABCB209F69C844A9FBB75EF41324F24863BF825B22D1D7799E51CBDD

Function 0040C73D Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 0040C6C8
__fileno.LIBCMT ref: 0040C6D6
__fileno.LIBCMT ref: 0040C6E2
__fileno.LIBCMT ref: 0040C6EE
__fileno.LIBCMT ref: 0040C6FE

Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1

Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F

Strings

'B, xrefs: 0040C70F

Memory Dump Source

Source File: 00000000.00000002.1505223066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1505186132.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505248370.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505271444.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505291294.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505310948.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505310948.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_loader.jbxd

Similarity

API ID: __fileno$__decode_pointer__getptd_noexit__lock_file
String ID: 'B
API String ID: 2805327698-2787509829
Opcode ID: 2b0b2601706cdb465d4c9eff24f73974ea9fb0f2dbbf8fc2cbf9e4943b65d960
Instruction ID: db056c5abb1484b678344f3d998e50672bc49cccd6cfe868de5707b4f3f6250f
Opcode Fuzzy Hash: 2b0b2601706cdb465d4c9eff24f73974ea9fb0f2dbbf8fc2cbf9e4943b65d960
Instruction Fuzzy Hash: 1A01253231451096C261ABBE5CC246E76A0DE81734726877FF024BB1D2DB3C99429E9D

Function 00414738 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00414744

Part of subcall function 00410735: __getptd_noexit.LIBCMT ref: 00410738
Part of subcall function 00410735: __amsg_exit.LIBCMT ref: 00410745

__getptd.LIBCMT ref: 0041475B
__amsg_exit.LIBCMT ref: 00414769
__lock.LIBCMT ref: 00414779

Strings

@.B, xrefs: 00414786

Memory Dump Source

Source File: 00000000.00000002.1505223066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1505186132.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505248370.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505271444.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505291294.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505310948.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505310948.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_loader.jbxd

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID: @.B
API String ID: 3521780317-470711618
Opcode ID: f43c5434038c0e2b3130a40ea1e7b9b854db78837d0c16722a3a572f716d4dbb
Instruction ID: 91aff3cf2d6bbea4e2ea5d49e8e08bf0f41c3eb50374f8394f27d7b6c467aa53
Opcode Fuzzy Hash: f43c5434038c0e2b3130a40ea1e7b9b854db78837d0c16722a3a572f716d4dbb
Instruction Fuzzy Hash: 60F09631A407009BE720BB66850678D73A06F81719F91456FE4646B2D1CB7C6981CA5D

Function 00413FCC Relevance: 7.5, APIs: 5, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00413FD8

Part of subcall function 00410735: __getptd_noexit.LIBCMT ref: 00410738
Part of subcall function 00410735: __amsg_exit.LIBCMT ref: 00410745

__amsg_exit.LIBCMT ref: 00413FF8
__lock.LIBCMT ref: 00414008
InterlockedDecrement.KERNEL32(?), ref: 00414025
InterlockedIncrement.KERNEL32(023B1650), ref: 00414050

Memory Dump Source

Source File: 00000000.00000002.1505223066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1505186132.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505248370.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505271444.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505291294.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505310948.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505310948.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_loader.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: 75ed1ba79165a940210d4fbe753a496d3ed1b888d754918a7527295a16311c61
Instruction ID: 77fb08d543caf33888dccec20a3998fa005b1348dfeb798e4aa279577202aa48
Opcode Fuzzy Hash: 75ed1ba79165a940210d4fbe753a496d3ed1b888d754918a7527295a16311c61
Instruction Fuzzy Hash: 9301A531A01621ABD724AF67990579E7B60AF48764F50442BE814B72D0C77C6DC2CBDD

Function 0040FA58 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 0040FA7A
__calloc_crt.LIBCMT ref: 0040FA93

Strings

`$B, xrefs: 0040FACC
P$B, xrefs: 0040FAAA

Memory Dump Source

Source File: 00000000.00000002.1505223066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1505186132.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505248370.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505271444.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505291294.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505310948.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505310948.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_loader.jbxd

Similarity

API ID: __calloc_crt
String ID: P$B$`$B
API String ID: 3494438863-235554963
Opcode ID: fdf4f6b62053dea64867d0c1085960dee66dbdb5e7cbac4bce55836661d1e8cf
Instruction ID: 4bdca0f49684ef71ac3198dcc3f656e5d5ce7fed137673697bf40858e87bd1f9
Opcode Fuzzy Hash: fdf4f6b62053dea64867d0c1085960dee66dbdb5e7cbac4bce55836661d1e8cf
Instruction Fuzzy Hash: 6011A3327446115BE7348B1DBD50F662391EB84728BA4423BE619EA7E0E77CD8864A4C

Function 00413610 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32,0040CDF5), ref: 00413615
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00413625

Strings

KERNEL32, xrefs: 00413610
IsProcessorFeaturePresent, xrefs: 0041361F

Memory Dump Source

Source File: 00000000.00000002.1505223066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1505186132.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505248370.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505271444.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505291294.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505310948.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505310948.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_loader.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: 118b5162a474c003ae69c9300a13838c9d8123de4a3b48a289e819fb4020d245
Instruction ID: 3bb3582238f4ecb0ba7b9e8fe578e45fdcf0af3c55e5dfe2a5e3893bc0ad87fb
Opcode Fuzzy Hash: 118b5162a474c003ae69c9300a13838c9d8123de4a3b48a289e819fb4020d245
Instruction Fuzzy Hash: 96F06230600A09E2DB105FA1ED1E2EFBB74BB80746F5101A19196B0194DF38D0B6825A

Function 004146FA Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

___addlocaleref.LIBCMT ref: 0041470C

Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(00000001), ref: 004145E4
Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 004145F1
Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 004145FE
Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 0041460B
Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 00414618
Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 00414634
Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 00414644
Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 0041465A

___removelocaleref.LIBCMT ref: 00414717

Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 0041467B
Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 00414688
Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 00414695
Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 004146A2
Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 004146AF
Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 004146CB
Part of subcall function 00414661: InterlockedDecrement.KERNEL32(00000000), ref: 004146DB
Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 004146F1

___freetlocinfo.LIBCMT ref: 0041472B

Part of subcall function 00414489: ___free_lconv_mon.LIBCMT ref: 004144CF
Part of subcall function 00414489: ___free_lconv_num.LIBCMT ref: 004144F0
Part of subcall function 00414489: ___free_lc_time.LIBCMT ref: 00414575

Strings

@.B, xrefs: 00414722

Memory Dump Source

Source File: 00000000.00000002.1505223066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1505186132.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505248370.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505271444.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505291294.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505310948.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505310948.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_loader.jbxd

Similarity

API ID: Interlocked$DecrementIncrement$___addlocaleref___free_lc_time___free_lconv_mon___free_lconv_num___freetlocinfo___removelocaleref
String ID: @.B
API String ID: 467427115-470711618
Opcode ID: 3857329619949c293296419ec2be8f51648e9d3bf58d3a63f1cc8ec60b1035b6
Instruction ID: 8e9b8205a585dc9325c25650a27042e0212317e7447dcce9b0fe23aa5a8dd77f
Opcode Fuzzy Hash: 3857329619949c293296419ec2be8f51648e9d3bf58d3a63f1cc8ec60b1035b6
Instruction Fuzzy Hash: BDE0863250192255CE35261D76806EF93A98FD3725B3A017FF864AF7D8EB2C4CC0809D

Function 0040C748 Relevance: 6.1, APIs: 4, Instructions: 148COMMONLIBRARYCODE

Download Yara Rule

APIs

__fileno.LIBCMT ref: 0040C77C
__locking.LIBCMT ref: 0040C791

Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1

Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F

Memory Dump Source

Source File: 00000000.00000002.1505223066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1505186132.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505248370.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505271444.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505291294.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505310948.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505310948.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_loader.jbxd

Similarity

API ID: __decode_pointer__fileno__getptd_noexit__locking
String ID:
API String ID: 2395185920-0
Opcode ID: a22d1fa1ad15e425548c743ff76317c9d1fdeb5a65110bd21edd49740b19d0ba
Instruction ID: 30055f4621fb528cea72007990449f1feb1a7f288d573051c200dc5e1a244c20
Opcode Fuzzy Hash: a22d1fa1ad15e425548c743ff76317c9d1fdeb5a65110bd21edd49740b19d0ba
Instruction Fuzzy Hash: CC51CF72E00209EBDB10AF69C9C0B59BBA1AF01355F14C27AD915B73D1D378AE41DB8D

Function 00405D00 Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00405D54
_memset.LIBCMT ref: 00405D6F
_fseek.LIBCMT ref: 00405DDD

Memory Dump Source

Source File: 00000000.00000002.1505223066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1505186132.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505248370.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505271444.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505291294.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505310948.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505310948.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_loader.jbxd

Similarity

API ID: _fseek_malloc_memset
String ID:
API String ID: 208892515-0
Opcode ID: 689e5a2a8d0df6628a55ca55f65915ee6a0b33bdec45a2b9390eeacb6c5b01b1
Instruction ID: b5a371ba5f9a3ad1fa090fb1a89082137fe8d6c03bc5c52cd66242ccf2a60741
Opcode Fuzzy Hash: 689e5a2a8d0df6628a55ca55f65915ee6a0b33bdec45a2b9390eeacb6c5b01b1
Instruction Fuzzy Hash: 3541A572600F018AD630972EE804B2772E5DF90364F140A3FE9E6E27D5E738E9458F89

Function 0040BAAA Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

__flush.LIBCMT ref: 0040BB6E
__fileno.LIBCMT ref: 0040BB8E
__locking.LIBCMT ref: 0040BB95
__flsbuf.LIBCMT ref: 0040BBC0

Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1

Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F

Memory Dump Source

Source File: 00000000.00000002.1505223066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1505186132.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505248370.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505271444.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505291294.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505310948.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505310948.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_loader.jbxd

Similarity

API ID: __decode_pointer__fileno__flsbuf__flush__getptd_noexit__locking
String ID:
API String ID: 3240763771-0
Opcode ID: ce0de872f2bf1c80b5409081606229fa9c8f65028ffa0700073288fbc1af180c
Instruction ID: 72eaa501f89e5d914343e0f007c81726c853b1270fdaa85e4c7363b387074608
Opcode Fuzzy Hash: ce0de872f2bf1c80b5409081606229fa9c8f65028ffa0700073288fbc1af180c
Instruction Fuzzy Hash: B441A331A006059BDF249F6A88855AFB7B5EF80320F24853EE465B76C4D778EE41CB8C

Function 0041529F Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004152D3
__isleadbyte_l.LIBCMT ref: 00415307
MultiByteToWideChar.KERNEL32(00000080,00000009,?,?,?,00000000,?,?,?,?), ref: 00415338
MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,?,?,?,?), ref: 004153A6

Memory Dump Source

Source File: 00000000.00000002.1505223066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1505186132.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505248370.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505271444.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505291294.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505310948.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505310948.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_loader.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 2839bf6a935194de417e4e3b9e78947074703b487fc663d1488f120054b34ef5
Instruction ID: 094900ada7e667e90e346a2540d450e67f5821ec0926a3c2ae07879bc245b0d1
Opcode Fuzzy Hash: 2839bf6a935194de417e4e3b9e78947074703b487fc663d1488f120054b34ef5
Instruction Fuzzy Hash: 1831A032A00649EFDB20DFA4C8809EE7BB5EF41350B1885AAE8659B291D374DD80DF59

Function 004134DB Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00413501

Part of subcall function 00413326: __fltout2.LIBCMT ref: 00413352

__cftog_l.LIBCMT ref: 00413527
__cftoe_l.LIBCMT ref: 00413559

Memory Dump Source

Source File: 00000000.00000002.1505223066.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1505186132.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505248370.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505271444.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505291294.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505310948.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1505310948.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_loader.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction ID: bfd0e68975b3765f24e543ba70b005e9871d43ed2f52156b65e62ceec70126f9
Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction Fuzzy Hash: DA117E7200014EBBCF125E85CC418EE3F27BF18755B58841AFE2858130D73BCAB2AB89

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report loader.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\loader.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

Windows Analysis Report
loader.exe

Function 004019F0 Relevance: 146.0, APIs: 34, Strings: 49, Instructions: 747
comprocessCOMMON

Function 004018F0 Relevance: 6.3, APIs: 5, Instructions: 77
stringCOMMON

Function 022ED5F0 Relevance: 6.1, APIs: 4, Instructions: 133
threadCOMMON

Function 022ED600 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Function 0040AF66 Relevance: 6.0, APIs: 4, Instructions: 34
COMMON

Function 027B1D30 Relevance: 1.7, APIs: 1, Instructions: 237
COMMON

Function 022EB358 Relevance: 1.7, APIs: 1, Instructions: 206
COMMON

Function 027B1E85 Relevance: 1.6, APIs: 1, Instructions: 117
COMMON

Function 027B1E90 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Function 027B1424 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Function 022E5E75 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Function 022E4998 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 02913204 Relevance: 1.6, APIs: 1, Instructions: 84
windowCOMMON

Function 022ED840 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON