Edit tour

Windows Analysis Report
wrong bank details.exe

Overview

General Information

Sample name:	wrong bank details.exe
Analysis ID:	1528126
MD5:	67a9a9b047b1e4f4d70930d8fd2142ad
SHA1:	269a60f8300a7b449c9cdc54a1470eefc0e192fb
SHA256:	a750777345fce604f483adfbe40e5f0d4c0582e5536c273675d7fd1002e84c5d
Tags:	exeMassLogger
Infos:

Detection

MassLogger RAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected MassLogger RAT

Yara detected Telegram RAT

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

AI detected suspicious sample

Contains functionality to log keystrokes (.Net Source)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

wrong bank details.exe (PID: 4992 cmdline: "C:\Users\user\Desktop\wrong bank details.exe" MD5: 67A9A9B047B1E4F4D70930D8FD2142AD)

wrong bank details.exe (PID: 6236 cmdline: "C:\Users\user\Desktop\wrong bank details.exe" MD5: 67A9A9B047B1E4F4D70930D8FD2142AD)

wrong bank details.exe (PID: 616 cmdline: "C:\Users\user\Desktop\wrong bank details.exe" MD5: 67A9A9B047B1E4F4D70930D8FD2142AD)

cleanup

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot8012948610:AAH4T2bfY_PPyXgKFGVw8rmhjBzj3nREYAE/sendMessage"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2145167177.0000000003676000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000000.00000002.2145167177.0000000003676000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2145167177.0000000003676000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.2145167177.0000000003676000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf7bf:$a1: get_encryptedPassword 0xfae7:$a2: get_encryptedUsername 0xf55a:$a3: get_timePasswordChanged 0xf67b:$a4: get_passwordField 0xf7d5:$a5: set_encryptedPassword 0x11131:$a7: get_logins 0x10de2:$a8: GetOutlookPasswords 0x10bd4:$a9: StartKeylogger 0x11081:$a10: KeyLoggerEventArgs 0x10c31:$a11: KeyLoggerEventArgsEventHandler
00000004.00000002.4550376269.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000004.00000002.4550376269.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.4550376269.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000004.00000002.4550376269.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xef7f:$a1: get_encryptedPassword 0xf2a7:$a2: get_encryptedUsername 0xed1a:$a3: get_timePasswordChanged 0xee3b:$a4: get_passwordField 0xef95:$a5: set_encryptedPassword 0x108f1:$a7: get_logins 0x105a2:$a8: GetOutlookPasswords 0x10394:$a9: StartKeylogger 0x10841:$a10: KeyLoggerEventArgs 0x103f1:$a11: KeyLoggerEventArgsEventHandler
00000004.00000002.4551831921.0000000002B74000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.4551831921.0000000002B74000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.2145167177.00000000035A9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000000.00000002.2145167177.00000000035A9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2145167177.00000000035A9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.2145167177.00000000035A9000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xfb0f:$a1: get_encryptedPassword 0x2692f:$a1: get_encryptedPassword 0xfe37:$a2: get_encryptedUsername 0x26c57:$a2: get_encryptedUsername 0xf8aa:$a3: get_timePasswordChanged 0x266ca:$a3: get_timePasswordChanged 0xf9cb:$a4: get_passwordField 0x267eb:$a4: get_passwordField 0xfb25:$a5: set_encryptedPassword 0x26945:$a5: set_encryptedPassword 0x11481:$a7: get_logins 0x282a1:$a7: get_logins 0x11132:$a8: GetOutlookPasswords 0x27f52:$a8: GetOutlookPasswords 0x10f24:$a9: StartKeylogger 0x27d44:$a9: StartKeylogger 0x113d1:$a10: KeyLoggerEventArgs 0x281f1:$a10: KeyLoggerEventArgs 0x10f81:$a11: KeyLoggerEventArgsEventHandler 0x27da1:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: wrong bank details.exe PID: 4992	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: wrong bank details.exe PID: 4992	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: wrong bank details.exe PID: 4992	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: wrong bank details.exe PID: 4992	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: wrong bank details.exe PID: 4992	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x387c8:$a1: get_encryptedPassword 0x889c0:$a1: get_encryptedPassword 0x38ae1:$a2: get_encryptedUsername 0x88cd9:$a2: get_encryptedUsername 0x38577:$a3: get_timePasswordChanged 0x8876f:$a3: get_timePasswordChanged 0x38698:$a4: get_passwordField 0x88890:$a4: get_passwordField 0x387de:$a5: set_encryptedPassword 0x889d6:$a5: set_encryptedPassword 0x3a0e1:$a7: get_logins 0x8a2d9:$a7: get_logins 0x39d92:$a8: GetOutlookPasswords 0x89f8a:$a8: GetOutlookPasswords 0x39b84:$a9: StartKeylogger 0x89d7c:$a9: StartKeylogger 0x3a031:$a10: KeyLoggerEventArgs 0x8a229:$a10: KeyLoggerEventArgs 0x39be1:$a11: KeyLoggerEventArgsEventHandler 0x89dd9:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: wrong bank details.exe PID: 616	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: wrong bank details.exe PID: 616	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: wrong bank details.exe PID: 616	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: wrong bank details.exe PID: 616	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x47375:$a1: get_encryptedPassword 0x4768e:$a2: get_encryptedUsername 0x47124:$a3: get_timePasswordChanged 0x47245:$a4: get_passwordField 0x4738b:$a5: set_encryptedPassword 0x48c8e:$a7: get_logins 0x4893f:$a8: GetOutlookPasswords 0x48731:$a9: StartKeylogger 0x48bde:$a10: KeyLoggerEventArgs 0x4878e:$a11: KeyLoggerEventArgsEventHandler
Click to see the 18 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.wrong bank details.exe.35c07b0.2.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.wrong bank details.exe.35c07b0.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.wrong bank details.exe.35c07b0.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.wrong bank details.exe.35c07b0.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd37f:$a1: get_encryptedPassword 0xd6a7:$a2: get_encryptedUsername 0xd11a:$a3: get_timePasswordChanged 0xd23b:$a4: get_passwordField 0xd395:$a5: set_encryptedPassword 0xecf1:$a7: get_logins 0xe9a2:$a8: GetOutlookPasswords 0xe794:$a9: StartKeylogger 0xec41:$a10: KeyLoggerEventArgs 0xe7f1:$a11: KeyLoggerEventArgsEventHandler
0.2.wrong bank details.exe.35c07b0.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x12329:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x11827:$a3: \Google\Chrome\User Data\Default\Login Data 0x11b35:$a4: \Orbitum\User Data\Default\Login Data 0x1292d:$a5: \Kometa\User Data\Default\Login Data
4.2.wrong bank details.exe.400000.0.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
4.2.wrong bank details.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.wrong bank details.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
4.2.wrong bank details.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf17f:$a1: get_encryptedPassword 0xf4a7:$a2: get_encryptedUsername 0xef1a:$a3: get_timePasswordChanged 0xf03b:$a4: get_passwordField 0xf195:$a5: set_encryptedPassword 0x10af1:$a7: get_logins 0x107a2:$a8: GetOutlookPasswords 0x10594:$a9: StartKeylogger 0x10a41:$a10: KeyLoggerEventArgs 0x105f1:$a11: KeyLoggerEventArgsEventHandler
4.2.wrong bank details.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x14129:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13627:$a3: \Google\Chrome\User Data\Default\Login Data 0x13935:$a4: \Orbitum\User Data\Default\Login Data 0x1472d:$a5: \Kometa\User Data\Default\Login Data
0.2.wrong bank details.exe.35a9990.3.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.wrong bank details.exe.35a9990.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.wrong bank details.exe.35a9990.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.wrong bank details.exe.35a9990.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd37f:$a1: get_encryptedPassword 0xd6a7:$a2: get_encryptedUsername 0xd11a:$a3: get_timePasswordChanged 0xd23b:$a4: get_passwordField 0xd395:$a5: set_encryptedPassword 0xecf1:$a7: get_logins 0xe9a2:$a8: GetOutlookPasswords 0xe794:$a9: StartKeylogger 0xec41:$a10: KeyLoggerEventArgs 0xe7f1:$a11: KeyLoggerEventArgsEventHandler
0.2.wrong bank details.exe.35a9990.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x12329:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x11827:$a3: \Google\Chrome\User Data\Default\Login Data 0x11b35:$a4: \Orbitum\User Data\Default\Login Data 0x1292d:$a5: \Kometa\User Data\Default\Login Data
0.2.wrong bank details.exe.35a9990.3.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.wrong bank details.exe.35a9990.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.wrong bank details.exe.35a9990.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.wrong bank details.exe.35a9990.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf17f:$a1: get_encryptedPassword 0x25f9f:$a1: get_encryptedPassword 0xf4a7:$a2: get_encryptedUsername 0x262c7:$a2: get_encryptedUsername 0xef1a:$a3: get_timePasswordChanged 0x25d3a:$a3: get_timePasswordChanged 0xf03b:$a4: get_passwordField 0x25e5b:$a4: get_passwordField 0xf195:$a5: set_encryptedPassword 0x25fb5:$a5: set_encryptedPassword 0x10af1:$a7: get_logins 0x27911:$a7: get_logins 0x107a2:$a8: GetOutlookPasswords 0x275c2:$a8: GetOutlookPasswords 0x10594:$a9: StartKeylogger 0x273b4:$a9: StartKeylogger 0x10a41:$a10: KeyLoggerEventArgs 0x27861:$a10: KeyLoggerEventArgs 0x105f1:$a11: KeyLoggerEventArgsEventHandler 0x27411:$a11: KeyLoggerEventArgsEventHandler
0.2.wrong bank details.exe.35a9990.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x14129:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2af49:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13627:$a3: \Google\Chrome\User Data\Default\Login Data 0x2a447:$a3: \Google\Chrome\User Data\Default\Login Data 0x13935:$a4: \Orbitum\User Data\Default\Login Data 0x2a755:$a4: \Orbitum\User Data\Default\Login Data 0x1472d:$a5: \Kometa\User Data\Default\Login Data 0x2b54d:$a5: \Kometa\User Data\Default\Login Data
0.2.wrong bank details.exe.35c07b0.2.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.wrong bank details.exe.35c07b0.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.wrong bank details.exe.35c07b0.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.wrong bank details.exe.35c07b0.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf17f:$a1: get_encryptedPassword 0xf4a7:$a2: get_encryptedUsername 0xef1a:$a3: get_timePasswordChanged 0xf03b:$a4: get_passwordField 0xf195:$a5: set_encryptedPassword 0x10af1:$a7: get_logins 0x107a2:$a8: GetOutlookPasswords 0x10594:$a9: StartKeylogger 0x10a41:$a10: KeyLoggerEventArgs 0x105f1:$a11: KeyLoggerEventArgsEventHandler
0.2.wrong bank details.exe.35c07b0.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x14129:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13627:$a3: \Google\Chrome\User Data\Default\Login Data 0x13935:$a4: \Orbitum\User Data\Default\Login Data 0x1472d:$a5: \Kometa\User Data\Default\Login Data
Click to see the 20 entries

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-07T15:41:25.284643+0200	2803274	2	Potentially Bad Traffic	192.168.2.6	49712	132.226.8.169	80	TCP
2024-10-07T15:41:31.628469+0200	2803274	2	Potentially Bad Traffic	192.168.2.6	49712	132.226.8.169	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: wrong bank details.exe.616.4.memstrmin

Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot8012948610:AAH4T2bfY_PPyXgKFGVw8rmhjBzj3nREYAE/sendMessage"}

Multi AV Scanner detection for submitted file

Source: wrong bank details.exe

ReversingLabs: Detection: 36%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: wrong bank details.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: wrong bank details.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49713 version: TLS 1.0

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49719 version: TLS 1.2

Source: wrong bank details.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: mGVh.pdb source: wrong bank details.exe
Source:	Binary string: mGVh.pdbSHA256 source: wrong bank details.exe

Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4x nop then jmp 00DA5782h	4_2_00DA5358
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4x nop then jmp 00DA51B9h	4_2_00DA4F08
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4x nop then jmp 00DA5782h	4_2_00DA56AF
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4x nop then jmp 04F41935h	4_2_04F415F8
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4x nop then jmp 04F4E778h	4_2_04F4E4D0
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4x nop then jmp 04F40741h	4_2_04F40498
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4x nop then jmp 04F4BF28h	4_2_04F4BC80
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4x nop then jmp 04F43EF8h	4_2_04F43C50
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4x nop then jmp 04F4DEC8h	4_2_04F4DC20
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4x nop then jmp 04F4D088h	4_2_04F4CDE0
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4x nop then jmp 04F4F028h	4_2_04F4ED80
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4x nop then jmp 04F40FF1h	4_2_04F40D48
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4x nop then jmp 04F4C7D8h	4_2_04F4C530
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4x nop then jmp 04F4A970h	4_2_04F4A6C8
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4x nop then jmp 04F4D93Ah	4_2_04F4D690
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4x nop then jmp 04F4F8D8h	4_2_04F4F630
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4x nop then jmp 04F4A0C0h	4_2_04F49E18
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4x nop then jmp 04F43AA0h	4_2_04F437F8
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4x nop then jmp 04F4B220h	4_2_04F4AF78
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4x nop then jmp 04F431F0h	4_2_04F42F48
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4x nop then jmp 04F40B99h	4_2_04F408F0
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4x nop then jmp 04F4C380h	4_2_04F4C0D8
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4x nop then jmp 04F44350h	4_2_04F440A8
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4x nop then jmp 04F4E320h	4_2_04F4E078
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4x nop then jmp 04F402E9h	4_2_04F40040
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4x nop then jmp 04F4BAD0h	4_2_04F4B828
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4x nop then jmp 04F4F480h	4_2_04F4F1D8
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4x nop then jmp 04F41449h	4_2_04F411A0
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4x nop then jmp 04F4CC30h	4_2_04F4C988
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4x nop then jmp 04F4EBD0h	4_2_04F4E928
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4x nop then jmp 04F42D98h	4_2_04F42AF0
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4x nop then jmp 04F4FD30h	4_2_04F4FA88
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4x nop then jmp 04F4A518h	4_2_04F4A270
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4x nop then jmp 04F4D4E0h	4_2_04F4D238
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4x nop then jmp 04F4B678h	4_2_04F4B3D0
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4x nop then jmp 04F43648h	4_2_04F433A0
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4x nop then jmp 04F4ADC8h	4_2_04F4AB20

Networking

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic

HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 132.226.8.169 132.226.8.169
Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Source: Joe Sandbox View	ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic

Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49712 -> 132.226.8.169:80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49713 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: wrong bank details.exe, 00000004.00000002.4551831921.0000000002B74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: wrong bank details.exe, 00000004.00000002.4551831921.0000000002B74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.orgd
Source: wrong bank details.exe, 00000004.00000002.4553998416.0000000006110000.00000004.00000020.00020000.00000000.sdmp, wrong bank details.exe, 00000004.00000002.4550726878.0000000000BB2000.00000004.00000020.00020000.00000000.sdmp, wrong bank details.exe, 00000004.00000002.4551831921.0000000002B74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://certificates.godaddy.com/repository/0
Source: wrong bank details.exe, 00000004.00000002.4553998416.0000000006110000.00000004.00000020.00020000.00000000.sdmp, wrong bank details.exe, 00000004.00000002.4550726878.0000000000BB2000.00000004.00000020.00020000.00000000.sdmp, wrong bank details.exe, 00000004.00000002.4551831921.0000000002B74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://certificates.godaddy.com/repository/gdig2.crt0
Source: wrong bank details.exe, 00000004.00000002.4553998416.0000000006110000.00000004.00000020.00020000.00000000.sdmp, wrong bank details.exe, 00000004.00000002.4550726878.0000000000BB2000.00000004.00000020.00020000.00000000.sdmp, wrong bank details.exe, 00000004.00000002.4551831921.0000000002B74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://certs.godaddy.com/repository/1301
Source: wrong bank details.exe, 00000004.00000002.4551831921.0000000002A9E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: wrong bank details.exe, 00000004.00000002.4551831921.0000000002A9E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.comd
Source: wrong bank details.exe, 00000004.00000002.4551831921.0000000002A82000.00000004.00000800.00020000.00000000.sdmp, wrong bank details.exe, 00000004.00000002.4551831921.0000000002B74000.00000004.00000800.00020000.00000000.sdmp, wrong bank details.exe, 00000004.00000002.4551831921.0000000002A9E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: wrong bank details.exe, 00000004.00000002.4551831921.0000000002A21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: wrong bank details.exe, 00000004.00000002.4551831921.0000000002B74000.00000004.00000800.00020000.00000000.sdmp, wrong bank details.exe, 00000004.00000002.4551831921.0000000002A9E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/d
Source: wrong bank details.exe, 00000000.00000002.2145167177.0000000003676000.00000004.00000800.00020000.00000000.sdmp, wrong bank details.exe, 00000000.00000002.2145167177.00000000035A9000.00000004.00000800.00020000.00000000.sdmp, wrong bank details.exe, 00000004.00000002.4550376269.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: wrong bank details.exe, 00000004.00000002.4551831921.0000000002A9E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgd
Source: wrong bank details.exe, 00000004.00000002.4553998416.0000000006110000.00000004.00000020.00020000.00000000.sdmp, wrong bank details.exe, 00000004.00000002.4550726878.0000000000BB2000.00000004.00000020.00020000.00000000.sdmp, wrong bank details.exe, 00000004.00000002.4551831921.0000000002B74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.godaddy.com/gdig2s1-19134.crl0
Source: wrong bank details.exe, 00000004.00000002.4553998416.0000000006110000.00000004.00000020.00020000.00000000.sdmp, wrong bank details.exe, 00000004.00000002.4550726878.0000000000BB2000.00000004.00000020.00020000.00000000.sdmp, wrong bank details.exe, 00000004.00000002.4551831921.0000000002B74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.godaddy.com/gdroot-g2.crl0F
Source: wrong bank details.exe, 00000004.00000002.4553998416.0000000006110000.00000004.00000020.00020000.00000000.sdmp, wrong bank details.exe, 00000004.00000002.4550726878.0000000000BB2000.00000004.00000020.00020000.00000000.sdmp, wrong bank details.exe, 00000004.00000002.4551831921.0000000002B74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.godaddy.com/gdroot.crl0F
Source: wrong bank details.exe, 00000004.00000002.4553998416.0000000006110000.00000004.00000020.00020000.00000000.sdmp, wrong bank details.exe, 00000004.00000002.4550726878.0000000000BB2000.00000004.00000020.00020000.00000000.sdmp, wrong bank details.exe, 00000004.00000002.4551831921.0000000002B74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.godaddy.com/0
Source: wrong bank details.exe, 00000004.00000002.4553998416.0000000006110000.00000004.00000020.00020000.00000000.sdmp, wrong bank details.exe, 00000004.00000002.4550726878.0000000000BB2000.00000004.00000020.00020000.00000000.sdmp, wrong bank details.exe, 00000004.00000002.4551831921.0000000002B74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.godaddy.com/02
Source: wrong bank details.exe, 00000004.00000002.4553998416.0000000006110000.00000004.00000020.00020000.00000000.sdmp, wrong bank details.exe, 00000004.00000002.4550726878.0000000000BB2000.00000004.00000020.00020000.00000000.sdmp, wrong bank details.exe, 00000004.00000002.4551831921.0000000002B74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.godaddy.com/05
Source: wrong bank details.exe, 00000004.00000002.4551831921.0000000002ABB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: wrong bank details.exe, 00000004.00000002.4551831921.0000000002ABB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.orgd
Source: wrong bank details.exe, 00000004.00000002.4551831921.0000000002A21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: wrong bank details.exe, 00000004.00000002.4551831921.0000000002B74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: wrong bank details.exe, 00000004.00000002.4551831921.0000000002B74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: wrong bank details.exe, 00000000.00000002.2145167177.0000000003676000.00000004.00000800.00020000.00000000.sdmp, wrong bank details.exe, 00000000.00000002.2145167177.00000000035A9000.00000004.00000800.00020000.00000000.sdmp, wrong bank details.exe, 00000004.00000002.4550376269.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: wrong bank details.exe, 00000004.00000002.4551831921.0000000002B74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot8012948610:AAH4T2bfY_PPyXgKFGVw8rmhjBzj3nREYAE/sendDocument?chat_id=4039
Source: wrong bank details.exe, 00000004.00000002.4553998416.0000000006110000.00000004.00000020.00020000.00000000.sdmp, wrong bank details.exe, 00000004.00000002.4550726878.0000000000BB2000.00000004.00000020.00020000.00000000.sdmp, wrong bank details.exe, 00000004.00000002.4551831921.0000000002B74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://certs.godaddy.com/repository/0
Source: wrong bank details.exe, 00000004.00000002.4551831921.0000000002A9E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: wrong bank details.exe, 00000000.00000002.2145167177.0000000003676000.00000004.00000800.00020000.00000000.sdmp, wrong bank details.exe, 00000000.00000002.2145167177.00000000035A9000.00000004.00000800.00020000.00000000.sdmp, wrong bank details.exe, 00000004.00000002.4550376269.0000000000402000.00000040.00000400.00020000.00000000.sdmp, wrong bank details.exe, 00000004.00000002.4551831921.0000000002A9E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: wrong bank details.exe, 00000004.00000002.4551831921.0000000002A9E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33d
Source: wrong bank details.exe, 00000004.00000002.4551831921.0000000002A9E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33l

Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49719 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.wrong bank details.exe.35c07b0.2.raw.unpack, UltraSpeed.cs	.Net Code: VKCodeToUnicode
Source: 0.2.wrong bank details.exe.35a9990.3.raw.unpack, UltraSpeed.cs	.Net Code: VKCodeToUnicode

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.wrong bank details.exe.35c07b0.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.wrong bank details.exe.35c07b0.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.wrong bank details.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.wrong bank details.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.wrong bank details.exe.35a9990.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.wrong bank details.exe.35a9990.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.wrong bank details.exe.35a9990.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.wrong bank details.exe.35a9990.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.wrong bank details.exe.35c07b0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.wrong bank details.exe.35c07b0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000000.00000002.2145167177.0000000003676000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000004.00000002.4550376269.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2145167177.00000000035A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: wrong bank details.exe PID: 4992, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: wrong bank details.exe PID: 616, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Source: C:\Users\user\Desktop\wrong bank details.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 0_2_023CD55C	0_2_023CD55C
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 0_2_06CA8DF0	0_2_06CA8DF0
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 0_2_06CA4720	0_2_06CA4720
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 0_2_06CA3078	0_2_06CA3078
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 0_2_06CA4F90	0_2_06CA4F90
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 0_2_06CA4F7F	0_2_06CA4F7F
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 0_2_06CA2C40	0_2_06CA2C40
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 0_2_06CA4B58	0_2_06CA4B58
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4_2_00DAC168	4_2_00DAC168
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4_2_00DA27B9	4_2_00DA27B9
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4_2_00DACAB0	4_2_00DACAB0
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4_2_00DA2DD1	4_2_00DA2DD1
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4_2_00DA7E68	4_2_00DA7E68
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4_2_00DA4F08	4_2_00DA4F08
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4_2_00DAB9E0	4_2_00DAB9E0
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4_2_00DACAAF	4_2_00DACAAF
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4_2_00DA4EF8	4_2_00DA4EF8
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4_2_00DA7E67	4_2_00DA7E67
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4_2_04F41C58	4_2_04F41C58
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4_2_04F415F8	4_2_04F415F8
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4_2_04F44500	4_2_04F44500
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4_2_04F47770	4_2_04F47770
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4_2_04F46998	4_2_04F46998
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4_2_04F4E4D0	4_2_04F4E4D0
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4_2_04F4E4C0	4_2_04F4E4C0
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4_2_04F49C90	4_2_04F49C90
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4_2_04F40498	4_2_04F40498
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4_2_04F4BC80	4_2_04F4BC80
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4_2_04F40489	4_2_04F40489
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4_2_04F4BC71	4_2_04F4BC71
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4_2_04F43C50	4_2_04F43C50
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4_2_04F43C42	4_2_04F43C42
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4_2_04F4DC20	4_2_04F4DC20
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4_2_04F4DC11	4_2_04F4DC11
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4_2_04F4CDE0	4_2_04F4CDE0
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4_2_04F415EA	4_2_04F415EA
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4_2_04F4CDD0	4_2_04F4CDD0
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4_2_04F4ED80	4_2_04F4ED80
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4_2_04F4ED70	4_2_04F4ED70
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4_2_04F40D48	4_2_04F40D48
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4_2_04F4C530	4_2_04F4C530
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4_2_04F40D39	4_2_04F40D39
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4_2_04F4C520	4_2_04F4C520
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4_2_04F4A6C8	4_2_04F4A6C8
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4_2_04F4A6B9	4_2_04F4A6B9
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4_2_04F4D690	4_2_04F4D690
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4_2_04F4D681	4_2_04F4D681
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4_2_04F4F630	4_2_04F4F630
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4_2_04F4F620	4_2_04F4F620
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4_2_04F49E18	4_2_04F49E18
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4_2_04F437F8	4_2_04F437F8
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4_2_04F437E8	4_2_04F437E8
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4_2_04F4AF78	4_2_04F4AF78
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4_2_04F4AF68	4_2_04F4AF68
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4_2_04F42F48	4_2_04F42F48
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4_2_04F42F38	4_2_04F42F38
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4_2_04F408F0	4_2_04F408F0
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4_2_04F408DF	4_2_04F408DF
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4_2_04F4C0D8	4_2_04F4C0D8
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4_2_04F4C0CA	4_2_04F4C0CA
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4_2_04F440A8	4_2_04F440A8
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4_2_04F44098	4_2_04F44098
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4_2_04F4E078	4_2_04F4E078
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4_2_04F4E068	4_2_04F4E068
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4_2_04F40040	4_2_04F40040
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4_2_04F4B828	4_2_04F4B828
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4_2_04F4001F	4_2_04F4001F
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4_2_04F4B818	4_2_04F4B818
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4_2_04F4F1D8	4_2_04F4F1D8
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4_2_04F4F1C8	4_2_04F4F1C8
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4_2_04F411A0	4_2_04F411A0
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4_2_04F4118F	4_2_04F4118F
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4_2_04F4C988	4_2_04F4C988
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4_2_04F4C97A	4_2_04F4C97A
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4_2_04F4E922	4_2_04F4E922
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4_2_04F4E928	4_2_04F4E928
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4_2_04F42AF0	4_2_04F42AF0
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4_2_04F42AE0	4_2_04F42AE0
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4_2_04F4FA88	4_2_04F4FA88
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4_2_04F4A270	4_2_04F4A270
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4_2_04F4FA78	4_2_04F4FA78
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4_2_04F4A261	4_2_04F4A261
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4_2_04F4D238	4_2_04F4D238
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4_2_04F4D22A	4_2_04F4D22A
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4_2_04F4B3D0	4_2_04F4B3D0
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4_2_04F4B3C1	4_2_04F4B3C1
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4_2_04F433A0	4_2_04F433A0
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4_2_04F43391	4_2_04F43391
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4_2_04F41B4A	4_2_04F41B4A
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4_2_04F4AB20	4_2_04F4AB20
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4_2_04F4AB10	4_2_04F4AB10

Source: wrong bank details.exe, 00000000.00000002.2146705585.0000000006C00000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs wrong bank details.exe
Source: wrong bank details.exe, 00000000.00000000.2103680319.000000000025C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamemGVh.exe8 vs wrong bank details.exe
Source: wrong bank details.exe, 00000000.00000002.2142441399.00000000007DE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs wrong bank details.exe
Source: wrong bank details.exe, 00000000.00000002.2143846738.00000000025DF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs wrong bank details.exe
Source: wrong bank details.exe, 00000000.00000002.2145167177.00000000035A9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs wrong bank details.exe
Source: wrong bank details.exe, 00000000.00000002.2145167177.00000000035A9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs wrong bank details.exe
Source: wrong bank details.exe, 00000004.00000002.4550376269.000000000041A000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs wrong bank details.exe
Source: wrong bank details.exe, 00000004.00000002.4550578170.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs wrong bank details.exe
Source: wrong bank details.exe	Binary or memory string: OriginalFilenamemGVh.exe8 vs wrong bank details.exe

Source: wrong bank details.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.wrong bank details.exe.35c07b0.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.wrong bank details.exe.35c07b0.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.wrong bank details.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.wrong bank details.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.wrong bank details.exe.35a9990.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.wrong bank details.exe.35a9990.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.wrong bank details.exe.35a9990.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.wrong bank details.exe.35a9990.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.wrong bank details.exe.35c07b0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.wrong bank details.exe.35c07b0.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.2145167177.0000000003676000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000004.00000002.4550376269.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2145167177.00000000035A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: wrong bank details.exe PID: 4992, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: wrong bank details.exe PID: 616, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: wrong bank details.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.wrong bank details.exe.35c07b0.2.raw.unpack, UltraSpeed.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.wrong bank details.exe.35c07b0.2.raw.unpack, COVIDPickers.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.wrong bank details.exe.35a9990.3.raw.unpack, UltraSpeed.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.wrong bank details.exe.35a9990.3.raw.unpack, COVIDPickers.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.wrong bank details.exe.35e2390.1.raw.unpack, bkmHwoyomka5cbrXc4.cs	Security API names: _0020.SetAccessControl
Source: 0.2.wrong bank details.exe.35e2390.1.raw.unpack, bkmHwoyomka5cbrXc4.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.wrong bank details.exe.35e2390.1.raw.unpack, bkmHwoyomka5cbrXc4.cs	Security API names: _0020.AddAccessRule
Source: 0.2.wrong bank details.exe.6c00000.4.raw.unpack, bkmHwoyomka5cbrXc4.cs	Security API names: _0020.SetAccessControl
Source: 0.2.wrong bank details.exe.6c00000.4.raw.unpack, bkmHwoyomka5cbrXc4.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.wrong bank details.exe.6c00000.4.raw.unpack, bkmHwoyomka5cbrXc4.cs	Security API names: _0020.AddAccessRule
Source: 0.2.wrong bank details.exe.6c00000.4.raw.unpack, OFYmxUvYUEi1tHs4m2.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.wrong bank details.exe.6c00000.4.raw.unpack, OFYmxUvYUEi1tHs4m2.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.wrong bank details.exe.35e2390.1.raw.unpack, OFYmxUvYUEi1tHs4m2.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.wrong bank details.exe.35e2390.1.raw.unpack, OFYmxUvYUEi1tHs4m2.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@5/1@3/3

Source: C:\Users\user\Desktop\wrong bank details.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\wrong bank details.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\wrong bank details.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\wrong bank details.exe	Mutant created: \Sessions\1\BaseNamedObjects\GALWlSTgPdbAZdxHULqK

Source: wrong bank details.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: wrong bank details.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\wrong bank details.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: wrong bank details.exe, 00000004.00000002.4551831921.0000000002B0E000.00000004.00000800.00020000.00000000.sdmp, wrong bank details.exe, 00000004.00000002.4551831921.0000000002B30000.00000004.00000800.00020000.00000000.sdmp, wrong bank details.exe, 00000004.00000002.4551831921.0000000002B3D000.00000004.00000800.00020000.00000000.sdmp, wrong bank details.exe, 00000004.00000002.4551831921.0000000002B1C000.00000004.00000800.00020000.00000000.sdmp, wrong bank details.exe, 00000004.00000002.4552916694.0000000003A4D000.00000004.00000800.00020000.00000000.sdmp, wrong bank details.exe, 00000004.00000002.4551831921.0000000002AFE000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: wrong bank details.exe

ReversingLabs: Detection: 36%

Source: unknown	Process created: C:\Users\user\Desktop\wrong bank details.exe "C:\Users\user\Desktop\wrong bank details.exe"
Source: C:\Users\user\Desktop\wrong bank details.exe	Process created: C:\Users\user\Desktop\wrong bank details.exe "C:\Users\user\Desktop\wrong bank details.exe"
Source: C:\Users\user\Desktop\wrong bank details.exe	Process created: C:\Users\user\Desktop\wrong bank details.exe "C:\Users\user\Desktop\wrong bank details.exe"
Source: C:\Users\user\Desktop\wrong bank details.exe	Process created: C:\Users\user\Desktop\wrong bank details.exe "C:\Users\user\Desktop\wrong bank details.exe"	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process created: C:\Users\user\Desktop\wrong bank details.exe "C:\Users\user\Desktop\wrong bank details.exe"	Jump to behavior

Source: C:\Users\user\Desktop\wrong bank details.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\wrong bank details.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\wrong bank details.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\wrong bank details.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: wrong bank details.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: wrong bank details.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: wrong bank details.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: mGVh.pdb source: wrong bank details.exe
Source:	Binary string: mGVh.pdbSHA256 source: wrong bank details.exe

Data Obfuscation

.NET source code contains potential unpacker

Source: wrong bank details.exe, Form1.cs	.Net Code: InitializeComponent contains xor as well as GetObject
Source: 0.2.wrong bank details.exe.6c00000.4.raw.unpack, bkmHwoyomka5cbrXc4.cs	.Net Code: AFCSnSjktJ System.Reflection.Assembly.Load(byte[])
Source: 0.2.wrong bank details.exe.25b4924.0.raw.unpack, RZ.cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.wrong bank details.exe.35e2390.1.raw.unpack, bkmHwoyomka5cbrXc4.cs	.Net Code: AFCSnSjktJ System.Reflection.Assembly.Load(byte[])
Source: 0.2.wrong bank details.exe.7310000.5.raw.unpack, RZ.cs	.Net Code: System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 0_2_023CF530 pushfd ; iretd	0_2_023CF531
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 0_2_06CA9A88 push es; ret	0_2_06CA9A94
Source: C:\Users\user\Desktop\wrong bank details.exe	Code function: 4_2_00DAF273 push ebp; retf	4_2_00DAF281

Source: wrong bank details.exe

Static PE information: section name: .text entropy: 7.983800868512996

Source: 0.2.wrong bank details.exe.6c00000.4.raw.unpack, FCqjw3DuGTe57JV7o2.cs	High entropy of concatenated method names: 'vWonCjkyZ', 'iauGJCLLa', 'gPS3ptrIL', 'o1aahSaZm', 'FgCfwSfxR', 'KwmRMtUSF', 'WKr7usgKtalTtZBv9r', 'XGsNngx173ARwHDe2C', 'GhCIL6HES', 'XvqO5quiG'
Source: 0.2.wrong bank details.exe.6c00000.4.raw.unpack, G3WmFiEX3cpCgE1upC.cs	High entropy of concatenated method names: 'eKto91fcgC', 'zqaojJreAG', 'HEQonxb1k4', 'VIpoGvKOy8', 'MO8o3tckt4', 'WdCoawOAJ3', 'IwBofk20Jf', 'RbSoRMoVrp', 'ci8hZYtwxqZ3A3FG7nZ', 'juZLUUtWvkV6nVB75S2'
Source: 0.2.wrong bank details.exe.6c00000.4.raw.unpack, iXnLdLW7CcvgHiapVT1.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'bG1OClAMZs', 'NCeOdrXaQc', 'ibGOK3CK0w', 'GhNOZJAX88', 'LfFOgeXx4J', 'ibxObWFqas', 'WxbOciFSYW'
Source: 0.2.wrong bank details.exe.6c00000.4.raw.unpack, prGmTPNv2QCHHgMW6l.cs	High entropy of concatenated method names: 'yM1hjE8hSO', 'I5RhrRyAPo', 'j0yhnFlcRf', 'w4PhGWk9rH', 'vixhitXftj', 'Y8nh3yUtuZ', 'LkZha8mdOB', 'IylhvklJYq', 'eTThfVSD6V', 'vZmhRkcmIh'
Source: 0.2.wrong bank details.exe.6c00000.4.raw.unpack, T0dkFJeDVXcxq2Gt99.cs	High entropy of concatenated method names: 'hDh4Waw6n7', 'Fjk47CydyT', 'YXv4SYDoR3', 'Mla4lifw6v', 'l6M4QMeUWS', 'zQo4pN1N3X', 'KlU4oZvI0g', 'LpKIcleGXL', 'x4qIsUcGGs', 'bHiIVFEa1F'
Source: 0.2.wrong bank details.exe.6c00000.4.raw.unpack, XbdTaBRH6qOnTxoik4.cs	High entropy of concatenated method names: 'TSOpisbLac', 'jahpavJ86y', 'D2g12ViFIS', 'StC1E7WS6K', 'zU71XpfEUv', 'vwp15XHurb', 'gRp1moohJE', 'aSs1YdrykY', 'xDA1NnfTC4', 'max1JwWxdD'
Source: 0.2.wrong bank details.exe.6c00000.4.raw.unpack, ppqoTmVfKVPplix4TV.cs	High entropy of concatenated method names: 'scYIFo6lvZ', 'oikIqPVuSw', 'iUHI2Y8psd', 'dhHIE5SRH8', 'lwSICHxcPy', 'inJIXPAvUs', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.wrong bank details.exe.6c00000.4.raw.unpack, dX3VNQZgEhPrW2sijw.cs	High entropy of concatenated method names: 'LHdx6ENZed', 'YfJxwvfpwN', 'ToString', 'rp7xl2n0cQ', 'T2FxQgoUKC', 'tDWx1kE1NX', 'Abfxp1n2SQ', 'iqoxovKpVS', 'WPbxhUWCjw', 'mKDxyUD8yG'
Source: 0.2.wrong bank details.exe.6c00000.4.raw.unpack, jnga2ebRKnaelFULRW.cs	High entropy of concatenated method names: 'L1CxsPyc3a', 's7jxeluoHx', 'xtwIPQn25B', 'TqxIWJUj3g', 'kfRx0voqRj', 'csrxL9DhJ8', 'iRXxUiZJlU', 'FEZxCHeGe4', 'DPJxdHG17I', 'YwPxKvdX77'
Source: 0.2.wrong bank details.exe.6c00000.4.raw.unpack, XK3khbUj96ZQnftMaD.cs	High entropy of concatenated method names: 'f5I8vy14aj', 'DfZ8fnDOlM', 'bg08FPhr6E', 'RP08qk9cMG', 'BtE8EI6YMC', 'HE98Xr58pM', 'MJ18mHBEPH', 'GUL8YouRuO', 'MFM8JxccBT', 'bC48053SBG'
Source: 0.2.wrong bank details.exe.6c00000.4.raw.unpack, juXfEuWPXpwx3Zh8Pp2.cs	High entropy of concatenated method names: 'h5V4jiYGRN', 'f7v4r5HP7p', 'CKg4no94bt', 'iZW4GHfutQ', 'ETX4itf216', 'lI843nCUA3', 'dml4akHTrq', 'ct04v4xg1a', 'Xsu4fIbp99', 'Rwa4Rg9JUf'
Source: 0.2.wrong bank details.exe.6c00000.4.raw.unpack, bAqFSIsBuZUb5q20YZ.cs	High entropy of concatenated method names: 'hJMIl3poHu', 'SswIQHdhTI', 'hLdI1cCW98', 'S3mIpmsBlA', 'Xu6IoBOdHQ', 'YcSIhsy1w0', 'XknIydWExA', 'ypwIMUN3QN', 'pVhI67f24s', 'kVfIwoQ6D3'
Source: 0.2.wrong bank details.exe.6c00000.4.raw.unpack, waLIt8zE22aqy7b4jc.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Mpi48uYbDJ', 'E1D4BcjFDL', 'DuF4HkfQXQ', 'yec4x78ae7', 'UJ34I2NKuP', 'oUr44TIJFd', 'zhc4OKUwV3'
Source: 0.2.wrong bank details.exe.6c00000.4.raw.unpack, r6CW5PF3YwoVTIIo2o.cs	High entropy of concatenated method names: 'FnRotmC7Nl', 'GlCoQm2jTI', 'T8SopBgp0x', 'eVjohimVP2', 'r8aoymbXhr', 'VX7pgpPeJq', 'N1xpb6DCYC', 'Y9wpcLtlbB', 'lI0ps2NxQC', 'fRSpVH375U'
Source: 0.2.wrong bank details.exe.6c00000.4.raw.unpack, JShcRmmsjlsvFAs170.cs	High entropy of concatenated method names: 'NPPhlqWFHJ', 'RlHh198bnL', 'akLho7hrnR', 'SKMoeGQ1LQ', 'AlZoz2IASc', 'lX3hPK3vXi', 'mguhWRnyVF', 'SxrhDBnati', 'VIAh79HXfU', 'sLghSixDMg'
Source: 0.2.wrong bank details.exe.6c00000.4.raw.unpack, Ytu2QfSYmXelK4IS1S.cs	High entropy of concatenated method names: 'kx0WhFYmxU', 'MUEWyi1tHs', 'vkmW6B9KDV', 'gBGWwfVbdT', 'qoiWBk446C', 'b5PWH3YwoV', 'uYvsdjjXMTZsD2QDwJ', 'doAHoXOMttJBKiZHpW', 'PqWKHcuyHxDvOPIbEn', 'LgmWW3RZf0'
Source: 0.2.wrong bank details.exe.6c00000.4.raw.unpack, VqGKaRWD0ybbyhTZIEb.cs	High entropy of concatenated method names: 'QCiOjiEQi0', 'evYOr1GbpS', 'gICOnM04g9', 'aiBKdjb5UEI2LW7XwRo', 'McrjlJbL5mgJlCxx83d', 'ncS03wbBUYiwkYmVJ2x', 'O37s8nbzcFV9WYyekOI', 'e7kv18DeQt0xuXCYVxF'
Source: 0.2.wrong bank details.exe.6c00000.4.raw.unpack, hlvhouQiIC1cE3H005.cs	High entropy of concatenated method names: 'Dispose', 't7bWVPT2YJ', 'IG3DqLII6K', 'xn5ssaJYoY', 'qWAWeqFSIB', 'wZUWzb5q20', 'ProcessDialogKey', 'LZHDPpqoTm', 'EKVDWPplix', 'rTVDDK0dkF'
Source: 0.2.wrong bank details.exe.6c00000.4.raw.unpack, OFYmxUvYUEi1tHs4m2.cs	High entropy of concatenated method names: 'dcFQCl8k0N', 'HnlQd5Sdp5', 'PgvQKeMav5', 'aodQZV17eE', 'SpEQgDggyq', 'zknQbN2ulp', 'MSlQc5Cwui', 'FRMQsIuJB8', 'ReWQViWfHf', 'u6bQelUR1O'
Source: 0.2.wrong bank details.exe.6c00000.4.raw.unpack, bkmHwoyomka5cbrXc4.cs	High entropy of concatenated method names: 'MZV7twfIZt', 'Tpd7laAamE', 'KbG7QMx4aZ', 'ytV71C4YwC', 'cYD7pVbNYn', 'udj7oNjwdq', 'z7t7hV5CKf', 'wZU7yFgTO3', 'kgQ7Ma1m3E', 'VRH763mBxC'
Source: 0.2.wrong bank details.exe.6c00000.4.raw.unpack, D6XisAfkmB9KDVQBGf.cs	High entropy of concatenated method names: 'MYy1Gjc7yV', 'cRI13mXfZG', 't6F1vumBCs', 'gWk1fbCk3B', 'pFi1B4denc', 'ROc1Hkifmy', 'kI21xXo9fn', 'rQH1IM9hg6', 'QHF14uExrQ', 'i871OgMXCL'
Source: 0.2.wrong bank details.exe.6c00000.4.raw.unpack, vgdJJ0COQaS2onvOO3.cs	High entropy of concatenated method names: 'RNvBJXZoWk', 'REBBLp6KKc', 'tdHBCu9vE1', 'icOBdokLCh', 'LkQBqcTdXb', 'AD4B2FwS3e', 'DVBBEI7JxT', 'LgxBX2FtbB', 'vJLB598TdX', 'oaOBmfvhA1'
Source: 0.2.wrong bank details.exe.35e2390.1.raw.unpack, FCqjw3DuGTe57JV7o2.cs	High entropy of concatenated method names: 'vWonCjkyZ', 'iauGJCLLa', 'gPS3ptrIL', 'o1aahSaZm', 'FgCfwSfxR', 'KwmRMtUSF', 'WKr7usgKtalTtZBv9r', 'XGsNngx173ARwHDe2C', 'GhCIL6HES', 'XvqO5quiG'
Source: 0.2.wrong bank details.exe.35e2390.1.raw.unpack, G3WmFiEX3cpCgE1upC.cs	High entropy of concatenated method names: 'eKto91fcgC', 'zqaojJreAG', 'HEQonxb1k4', 'VIpoGvKOy8', 'MO8o3tckt4', 'WdCoawOAJ3', 'IwBofk20Jf', 'RbSoRMoVrp', 'ci8hZYtwxqZ3A3FG7nZ', 'juZLUUtWvkV6nVB75S2'
Source: 0.2.wrong bank details.exe.35e2390.1.raw.unpack, iXnLdLW7CcvgHiapVT1.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'bG1OClAMZs', 'NCeOdrXaQc', 'ibGOK3CK0w', 'GhNOZJAX88', 'LfFOgeXx4J', 'ibxObWFqas', 'WxbOciFSYW'
Source: 0.2.wrong bank details.exe.35e2390.1.raw.unpack, prGmTPNv2QCHHgMW6l.cs	High entropy of concatenated method names: 'yM1hjE8hSO', 'I5RhrRyAPo', 'j0yhnFlcRf', 'w4PhGWk9rH', 'vixhitXftj', 'Y8nh3yUtuZ', 'LkZha8mdOB', 'IylhvklJYq', 'eTThfVSD6V', 'vZmhRkcmIh'
Source: 0.2.wrong bank details.exe.35e2390.1.raw.unpack, T0dkFJeDVXcxq2Gt99.cs	High entropy of concatenated method names: 'hDh4Waw6n7', 'Fjk47CydyT', 'YXv4SYDoR3', 'Mla4lifw6v', 'l6M4QMeUWS', 'zQo4pN1N3X', 'KlU4oZvI0g', 'LpKIcleGXL', 'x4qIsUcGGs', 'bHiIVFEa1F'
Source: 0.2.wrong bank details.exe.35e2390.1.raw.unpack, XbdTaBRH6qOnTxoik4.cs	High entropy of concatenated method names: 'TSOpisbLac', 'jahpavJ86y', 'D2g12ViFIS', 'StC1E7WS6K', 'zU71XpfEUv', 'vwp15XHurb', 'gRp1moohJE', 'aSs1YdrykY', 'xDA1NnfTC4', 'max1JwWxdD'
Source: 0.2.wrong bank details.exe.35e2390.1.raw.unpack, ppqoTmVfKVPplix4TV.cs	High entropy of concatenated method names: 'scYIFo6lvZ', 'oikIqPVuSw', 'iUHI2Y8psd', 'dhHIE5SRH8', 'lwSICHxcPy', 'inJIXPAvUs', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.wrong bank details.exe.35e2390.1.raw.unpack, dX3VNQZgEhPrW2sijw.cs	High entropy of concatenated method names: 'LHdx6ENZed', 'YfJxwvfpwN', 'ToString', 'rp7xl2n0cQ', 'T2FxQgoUKC', 'tDWx1kE1NX', 'Abfxp1n2SQ', 'iqoxovKpVS', 'WPbxhUWCjw', 'mKDxyUD8yG'
Source: 0.2.wrong bank details.exe.35e2390.1.raw.unpack, jnga2ebRKnaelFULRW.cs	High entropy of concatenated method names: 'L1CxsPyc3a', 's7jxeluoHx', 'xtwIPQn25B', 'TqxIWJUj3g', 'kfRx0voqRj', 'csrxL9DhJ8', 'iRXxUiZJlU', 'FEZxCHeGe4', 'DPJxdHG17I', 'YwPxKvdX77'
Source: 0.2.wrong bank details.exe.35e2390.1.raw.unpack, XK3khbUj96ZQnftMaD.cs	High entropy of concatenated method names: 'f5I8vy14aj', 'DfZ8fnDOlM', 'bg08FPhr6E', 'RP08qk9cMG', 'BtE8EI6YMC', 'HE98Xr58pM', 'MJ18mHBEPH', 'GUL8YouRuO', 'MFM8JxccBT', 'bC48053SBG'
Source: 0.2.wrong bank details.exe.35e2390.1.raw.unpack, juXfEuWPXpwx3Zh8Pp2.cs	High entropy of concatenated method names: 'h5V4jiYGRN', 'f7v4r5HP7p', 'CKg4no94bt', 'iZW4GHfutQ', 'ETX4itf216', 'lI843nCUA3', 'dml4akHTrq', 'ct04v4xg1a', 'Xsu4fIbp99', 'Rwa4Rg9JUf'
Source: 0.2.wrong bank details.exe.35e2390.1.raw.unpack, bAqFSIsBuZUb5q20YZ.cs	High entropy of concatenated method names: 'hJMIl3poHu', 'SswIQHdhTI', 'hLdI1cCW98', 'S3mIpmsBlA', 'Xu6IoBOdHQ', 'YcSIhsy1w0', 'XknIydWExA', 'ypwIMUN3QN', 'pVhI67f24s', 'kVfIwoQ6D3'
Source: 0.2.wrong bank details.exe.35e2390.1.raw.unpack, waLIt8zE22aqy7b4jc.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Mpi48uYbDJ', 'E1D4BcjFDL', 'DuF4HkfQXQ', 'yec4x78ae7', 'UJ34I2NKuP', 'oUr44TIJFd', 'zhc4OKUwV3'
Source: 0.2.wrong bank details.exe.35e2390.1.raw.unpack, r6CW5PF3YwoVTIIo2o.cs	High entropy of concatenated method names: 'FnRotmC7Nl', 'GlCoQm2jTI', 'T8SopBgp0x', 'eVjohimVP2', 'r8aoymbXhr', 'VX7pgpPeJq', 'N1xpb6DCYC', 'Y9wpcLtlbB', 'lI0ps2NxQC', 'fRSpVH375U'
Source: 0.2.wrong bank details.exe.35e2390.1.raw.unpack, JShcRmmsjlsvFAs170.cs	High entropy of concatenated method names: 'NPPhlqWFHJ', 'RlHh198bnL', 'akLho7hrnR', 'SKMoeGQ1LQ', 'AlZoz2IASc', 'lX3hPK3vXi', 'mguhWRnyVF', 'SxrhDBnati', 'VIAh79HXfU', 'sLghSixDMg'
Source: 0.2.wrong bank details.exe.35e2390.1.raw.unpack, Ytu2QfSYmXelK4IS1S.cs	High entropy of concatenated method names: 'kx0WhFYmxU', 'MUEWyi1tHs', 'vkmW6B9KDV', 'gBGWwfVbdT', 'qoiWBk446C', 'b5PWH3YwoV', 'uYvsdjjXMTZsD2QDwJ', 'doAHoXOMttJBKiZHpW', 'PqWKHcuyHxDvOPIbEn', 'LgmWW3RZf0'
Source: 0.2.wrong bank details.exe.35e2390.1.raw.unpack, VqGKaRWD0ybbyhTZIEb.cs	High entropy of concatenated method names: 'QCiOjiEQi0', 'evYOr1GbpS', 'gICOnM04g9', 'aiBKdjb5UEI2LW7XwRo', 'McrjlJbL5mgJlCxx83d', 'ncS03wbBUYiwkYmVJ2x', 'O37s8nbzcFV9WYyekOI', 'e7kv18DeQt0xuXCYVxF'
Source: 0.2.wrong bank details.exe.35e2390.1.raw.unpack, hlvhouQiIC1cE3H005.cs	High entropy of concatenated method names: 'Dispose', 't7bWVPT2YJ', 'IG3DqLII6K', 'xn5ssaJYoY', 'qWAWeqFSIB', 'wZUWzb5q20', 'ProcessDialogKey', 'LZHDPpqoTm', 'EKVDWPplix', 'rTVDDK0dkF'
Source: 0.2.wrong bank details.exe.35e2390.1.raw.unpack, OFYmxUvYUEi1tHs4m2.cs	High entropy of concatenated method names: 'dcFQCl8k0N', 'HnlQd5Sdp5', 'PgvQKeMav5', 'aodQZV17eE', 'SpEQgDggyq', 'zknQbN2ulp', 'MSlQc5Cwui', 'FRMQsIuJB8', 'ReWQViWfHf', 'u6bQelUR1O'
Source: 0.2.wrong bank details.exe.35e2390.1.raw.unpack, bkmHwoyomka5cbrXc4.cs	High entropy of concatenated method names: 'MZV7twfIZt', 'Tpd7laAamE', 'KbG7QMx4aZ', 'ytV71C4YwC', 'cYD7pVbNYn', 'udj7oNjwdq', 'z7t7hV5CKf', 'wZU7yFgTO3', 'kgQ7Ma1m3E', 'VRH763mBxC'
Source: 0.2.wrong bank details.exe.35e2390.1.raw.unpack, D6XisAfkmB9KDVQBGf.cs	High entropy of concatenated method names: 'MYy1Gjc7yV', 'cRI13mXfZG', 't6F1vumBCs', 'gWk1fbCk3B', 'pFi1B4denc', 'ROc1Hkifmy', 'kI21xXo9fn', 'rQH1IM9hg6', 'QHF14uExrQ', 'i871OgMXCL'
Source: 0.2.wrong bank details.exe.35e2390.1.raw.unpack, vgdJJ0COQaS2onvOO3.cs	High entropy of concatenated method names: 'RNvBJXZoWk', 'REBBLp6KKc', 'tdHBCu9vE1', 'icOBdokLCh', 'LkQBqcTdXb', 'AD4B2FwS3e', 'DVBBEI7JxT', 'LgxBX2FtbB', 'vJLB598TdX', 'oaOBmfvhA1'

Source: C:\Users\user\Desktop\wrong bank details.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior

Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: wrong bank details.exe PID: 4992, type: MEMORYSTR

Source: C:\Users\user\Desktop\wrong bank details.exe	Memory allocated: 2380000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Memory allocated: 2580000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Memory allocated: 4580000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Memory allocated: 7440000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Memory allocated: 6F30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Memory allocated: 8440000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Memory allocated: 9440000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Memory allocated: DA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Memory allocated: 2A20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Memory allocated: 2860000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 599653	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 599546	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 598671	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 598343	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 597796	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 597468	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 597250	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 597014	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 596906	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 596796	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 596687	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 596578	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 596468	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 596359	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 596249	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 596140	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 596030	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 595921	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 595811	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 595703	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 595593	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 595484	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 595375	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 595265	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 595156	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 595043	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 594937	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 594828	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 594718	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 594609	Jump to behavior

Source: C:\Users\user\Desktop\wrong bank details.exe	Window / User API: threadDelayed 1774			Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Window / User API: threadDelayed 8090			Jump to behavior

Source: C:\Users\user\Desktop\wrong bank details.exe TID: 3992	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480	Thread sleep time: -26747778906878833s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 2548	Thread sleep count: 1774 > 30	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 2548	Thread sleep count: 8090 > 30	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480	Thread sleep time: -599765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480	Thread sleep time: -599653s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480	Thread sleep time: -599546s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480	Thread sleep time: -599437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480	Thread sleep time: -599218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480	Thread sleep time: -599109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480	Thread sleep time: -599000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480	Thread sleep time: -598890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480	Thread sleep time: -598781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480	Thread sleep time: -598671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480	Thread sleep time: -598562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480	Thread sleep time: -598453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480	Thread sleep time: -598343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480	Thread sleep time: -598234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480	Thread sleep time: -598125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480	Thread sleep time: -598015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480	Thread sleep time: -597906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480	Thread sleep time: -597796s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480	Thread sleep time: -597687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480	Thread sleep time: -597578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480	Thread sleep time: -597468s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480	Thread sleep time: -597359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480	Thread sleep time: -597250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480	Thread sleep time: -597140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480	Thread sleep time: -597014s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480	Thread sleep time: -596906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480	Thread sleep time: -596796s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480	Thread sleep time: -596687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480	Thread sleep time: -596578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480	Thread sleep time: -596468s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480	Thread sleep time: -596359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480	Thread sleep time: -596249s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480	Thread sleep time: -596140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480	Thread sleep time: -596030s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480	Thread sleep time: -595921s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480	Thread sleep time: -595811s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480	Thread sleep time: -595703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480	Thread sleep time: -595593s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480	Thread sleep time: -595484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480	Thread sleep time: -595375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480	Thread sleep time: -595265s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480	Thread sleep time: -595156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480	Thread sleep time: -595043s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480	Thread sleep time: -594937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480	Thread sleep time: -594828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480	Thread sleep time: -594718s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe TID: 6480	Thread sleep time: -594609s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 599653	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 599546	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 598671	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 598343	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 597796	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 597468	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 597250	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 597014	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 596906	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 596796	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 596687	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 596578	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 596468	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 596359	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 596249	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 596140	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 596030	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 595921	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 595811	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 595703	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 595593	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 595484	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 595375	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 595265	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 595156	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 595043	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 594937	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 594828	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 594718	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Thread delayed: delay time: 594609	Jump to behavior

Source: wrong bank details.exe, 00000004.00000002.4550726878.0000000000B67000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\wrong bank details.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\wrong bank details.exe

Code function: 4_2_00DAC168 LdrInitializeThunk,LdrInitializeThunk,

4_2_00DAC168

Source: C:\Users\user\Desktop\wrong bank details.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\wrong bank details.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 0.2.wrong bank details.exe.35c07b0.2.raw.unpack, UltraSpeed.cs	Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: 0.2.wrong bank details.exe.35c07b0.2.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: 0.2.wrong bank details.exe.35c07b0.2.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text9 + "\\mozglue.dll"))

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\wrong bank details.exe

Memory written: C:\Users\user\Desktop\wrong bank details.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\wrong bank details.exe	Process created: C:\Users\user\Desktop\wrong bank details.exe "C:\Users\user\Desktop\wrong bank details.exe"			Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Process created: C:\Users\user\Desktop\wrong bank details.exe "C:\Users\user\Desktop\wrong bank details.exe"			Jump to behavior

Source: C:\Users\user\Desktop\wrong bank details.exe	Queries volume information: C:\Users\user\Desktop\wrong bank details.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Queries volume information: C:\Users\user\Desktop\wrong bank details.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\wrong bank details.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected MassLogger RAT

Source: Yara match	File source: 0.2.wrong bank details.exe.35c07b0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.wrong bank details.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wrong bank details.exe.35a9990.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wrong bank details.exe.35a9990.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wrong bank details.exe.35c07b0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2145167177.0000000003676000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4550376269.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2145167177.00000000035A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wrong bank details.exe PID: 4992, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wrong bank details.exe PID: 616, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.wrong bank details.exe.35c07b0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.wrong bank details.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wrong bank details.exe.35a9990.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wrong bank details.exe.35a9990.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wrong bank details.exe.35c07b0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2145167177.0000000003676000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4550376269.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4551831921.0000000002B74000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2145167177.00000000035A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wrong bank details.exe PID: 4992, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wrong bank details.exe PID: 616, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\wrong bank details.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\Desktop\wrong bank details.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\wrong bank details.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Yara match	File source: 0.2.wrong bank details.exe.35c07b0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.wrong bank details.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wrong bank details.exe.35a9990.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wrong bank details.exe.35a9990.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wrong bank details.exe.35c07b0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2145167177.0000000003676000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4550376269.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4551831921.0000000002B74000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2145167177.00000000035A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wrong bank details.exe PID: 4992, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wrong bank details.exe PID: 616, type: MEMORYSTR

Remote Access Functionality

Yara detected MassLogger RAT

Source: Yara match	File source: 0.2.wrong bank details.exe.35c07b0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.wrong bank details.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wrong bank details.exe.35a9990.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wrong bank details.exe.35a9990.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wrong bank details.exe.35c07b0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2145167177.0000000003676000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4550376269.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2145167177.00000000035A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wrong bank details.exe PID: 4992, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wrong bank details.exe PID: 616, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.wrong bank details.exe.35c07b0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.wrong bank details.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wrong bank details.exe.35a9990.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wrong bank details.exe.35a9990.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wrong bank details.exe.35c07b0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2145167177.0000000003676000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4550376269.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4551831921.0000000002B74000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2145167177.00000000035A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wrong bank details.exe PID: 4992, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wrong bank details.exe PID: 616, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	111 Process Injection	1 Masquerading	1 OS Credential Dumping	1 Query Registry	Remote Services	1 Email Collection	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	1 Input Capture	1 Security Software Discovery	Remote Desktop Protocol	1 Input Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	11 Archive Collected Data	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	31 Virtualization/Sandbox Evasion	Distributed Component Object Model	1 Data from Local System	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	13 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	13 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
wrong bank details.exe	37%	ReversingLabs	ByteCode-MSIL.Trojan.CrypterX
wrong bank details.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://checkip.dyndns.org	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/8.46.123.33	0%	URL Reputation	safe
http://checkip.dyndns.org/	0%	URL Reputation	safe
http://checkip.dyndns.org/q	0%	URL Reputation	safe
http://reallyfreegeoip.org	0%	URL Reputation	safe
https://reallyfreegeoip.org	0%	URL Reputation	safe
http://checkip.dyndns.com	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	188.114.96.3	true	true	unknown
api.telegram.org	149.154.167.220	true	true	unknown
checkip.dyndns.com	132.226.8.169	true	false	unknown
checkip.dyndns.org	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://reallyfreegeoip.org/xml/8.46.123.33	false	URL Reputation: safe	unknown
http://checkip.dyndns.org/	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.telegram.org	wrong bank details.exe, 00000004.00000002.4551831921.0000000002B74000.00000004.00000800.00020000.00000000.sdmp	true		unknown
https://api.telegram.org/bot	wrong bank details.exe, 00000004.00000002.4551831921.0000000002B74000.00000004.00000800.00020000.00000000.sdmp	true		unknown
http://certificates.godaddy.com/repository/0	wrong bank details.exe, 00000004.00000002.4553998416.0000000006110000.00000004.00000020.00020000.00000000.sdmp, wrong bank details.exe, 00000004.00000002.4550726878.0000000000BB2000.00000004.00000020.00020000.00000000.sdmp, wrong bank details.exe, 00000004.00000002.4551831921.0000000002B74000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://certs.godaddy.com/repository/1301	wrong bank details.exe, 00000004.00000002.4553998416.0000000006110000.00000004.00000020.00020000.00000000.sdmp, wrong bank details.exe, 00000004.00000002.4550726878.0000000000BB2000.00000004.00000020.00020000.00000000.sdmp, wrong bank details.exe, 00000004.00000002.4551831921.0000000002B74000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://reallyfreegeoip.orgd	wrong bank details.exe, 00000004.00000002.4551831921.0000000002ABB000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://crl.godaddy.com/gdig2s1-19134.crl0	wrong bank details.exe, 00000004.00000002.4553998416.0000000006110000.00000004.00000020.00020000.00000000.sdmp, wrong bank details.exe, 00000004.00000002.4550726878.0000000000BB2000.00000004.00000020.00020000.00000000.sdmp, wrong bank details.exe, 00000004.00000002.4551831921.0000000002B74000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://checkip.dyndns.org	wrong bank details.exe, 00000004.00000002.4551831921.0000000002A82000.00000004.00000800.00020000.00000000.sdmp, wrong bank details.exe, 00000004.00000002.4551831921.0000000002B74000.00000004.00000800.00020000.00000000.sdmp, wrong bank details.exe, 00000004.00000002.4551831921.0000000002A9E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot8012948610:AAH4T2bfY_PPyXgKFGVw8rmhjBzj3nREYAE/sendDocument?chat_id=4039	wrong bank details.exe, 00000004.00000002.4551831921.0000000002B74000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://certs.godaddy.com/repository/0	wrong bank details.exe, 00000004.00000002.4553998416.0000000006110000.00000004.00000020.00020000.00000000.sdmp, wrong bank details.exe, 00000004.00000002.4550726878.0000000000BB2000.00000004.00000020.00020000.00000000.sdmp, wrong bank details.exe, 00000004.00000002.4551831921.0000000002B74000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://reallyfreegeoip.org/xml/8.46.123.33l	wrong bank details.exe, 00000004.00000002.4551831921.0000000002A9E000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://crl.godaddy.com/gdroot-g2.crl0F	wrong bank details.exe, 00000004.00000002.4553998416.0000000006110000.00000004.00000020.00020000.00000000.sdmp, wrong bank details.exe, 00000004.00000002.4550726878.0000000000BB2000.00000004.00000020.00020000.00000000.sdmp, wrong bank details.exe, 00000004.00000002.4551831921.0000000002B74000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://checkip.dyndns.comd	wrong bank details.exe, 00000004.00000002.4551831921.0000000002A9E000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://reallyfreegeoip.org/xml/8.46.123.33d	wrong bank details.exe, 00000004.00000002.4551831921.0000000002A9E000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://checkip.dyndns.org/q	wrong bank details.exe, 00000000.00000002.2145167177.0000000003676000.00000004.00000800.00020000.00000000.sdmp, wrong bank details.exe, 00000000.00000002.2145167177.00000000035A9000.00000004.00000800.00020000.00000000.sdmp, wrong bank details.exe, 00000004.00000002.4550376269.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.godaddy.com/gdroot.crl0F	wrong bank details.exe, 00000004.00000002.4553998416.0000000006110000.00000004.00000020.00020000.00000000.sdmp, wrong bank details.exe, 00000004.00000002.4550726878.0000000000BB2000.00000004.00000020.00020000.00000000.sdmp, wrong bank details.exe, 00000004.00000002.4551831921.0000000002B74000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://reallyfreegeoip.org	wrong bank details.exe, 00000004.00000002.4551831921.0000000002ABB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.orgd	wrong bank details.exe, 00000004.00000002.4551831921.0000000002A9E000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://reallyfreegeoip.org	wrong bank details.exe, 00000004.00000002.4551831921.0000000002A9E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://api.telegram.orgd	wrong bank details.exe, 00000004.00000002.4551831921.0000000002B74000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://checkip.dyndns.com	wrong bank details.exe, 00000004.00000002.4551831921.0000000002A9E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://api.telegram.org	wrong bank details.exe, 00000004.00000002.4551831921.0000000002B74000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://certificates.godaddy.com/repository/gdig2.crt0	wrong bank details.exe, 00000004.00000002.4553998416.0000000006110000.00000004.00000020.00020000.00000000.sdmp, wrong bank details.exe, 00000004.00000002.4550726878.0000000000BB2000.00000004.00000020.00020000.00000000.sdmp, wrong bank details.exe, 00000004.00000002.4551831921.0000000002B74000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://checkip.dyndns.org/d	wrong bank details.exe, 00000004.00000002.4551831921.0000000002B74000.00000004.00000800.00020000.00000000.sdmp, wrong bank details.exe, 00000004.00000002.4551831921.0000000002A9E000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	wrong bank details.exe, 00000004.00000002.4551831921.0000000002A21000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot-/sendDocument?chat_id=	wrong bank details.exe, 00000000.00000002.2145167177.0000000003676000.00000004.00000800.00020000.00000000.sdmp, wrong bank details.exe, 00000000.00000002.2145167177.00000000035A9000.00000004.00000800.00020000.00000000.sdmp, wrong bank details.exe, 00000004.00000002.4550376269.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		unknown
https://reallyfreegeoip.org/xml/	wrong bank details.exe, 00000000.00000002.2145167177.0000000003676000.00000004.00000800.00020000.00000000.sdmp, wrong bank details.exe, 00000000.00000002.2145167177.00000000035A9000.00000004.00000800.00020000.00000000.sdmp, wrong bank details.exe, 00000004.00000002.4550376269.0000000000402000.00000040.00000400.00020000.00000000.sdmp, wrong bank details.exe, 00000004.00000002.4551831921.0000000002A9E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
132.226.8.169	checkip.dyndns.com	United States	16989	UTMEMUS	false
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	true
188.114.96.3	reallyfreegeoip.org	European Union	13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1528126
Start date and time:	2024-10-07 15:40:33 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 46s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	wrong bank details.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@5/1@3/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 69 Number of non-executed functions: 40
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: wrong bank details.exe

Simulations

Behavior and APIs

Time	Type	Description
09:41:22	API Interceptor	11241063x Sleep call for process: wrong bank details.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
132.226.8.169	PO.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	8038.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	COMPANY PROFILE_pdf.exe	Get hash	malicious	DarkTortilla, Snake Keylogger	Browse	checkip.dyndns.org/
	na.hta	Get hash	malicious	Cobalt Strike, Snake Keylogger	Browse	checkip.dyndns.org/
	Confirmation transfer AGS # 03-10-24.scr.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	MT103-93850.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	StatementXofXaccount.docx.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	TTXAPPLICATION.xls	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	KBGC_1200O000000_98756.docx.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Updated New Order.xls	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
149.154.167.220	z1PO7311145.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	PO.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	rREQUESTFORQUOTE-INQUIRY87278.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse
	SM-0230- J - TOOL 10 DEGREE FOR DWT MACHINE-MF5i.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	Yeni Sipari#U015f.pdf.exe	Get hash	malicious	AgentTesla	Browse
	COMPANY PROFILE_pdf.exe	Get hash	malicious	DarkTortilla, Snake Keylogger	Browse
	Pla#U0107anje,jpg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Quotation.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	sam.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse
188.114.96.3	RFQ 245801.exe	Get hash	malicious	FormBook	Browse	www.j88.travel/c24t/?9rm4ULV=iDjdFcjw5QZJ8NeJJL4ZS/2sliUdDJEhqWnTSCKxgeFtQoD7uajT9bZ2+m2NwmP2xDXw&D4hl2=fT-dvVK08nUDKdF
	74qgPmarBM.exe	Get hash	malicious	Pony	Browse	kuechenundmehr.com/x.htm
	PURCHASE ORDER-6350.exe	Get hash	malicious	FormBook	Browse	www.cc101.pro/ttiz/
	http://revexhibition.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	revexhibition.pages.dev/favicon.ico
	http://meta.case-page-appeal.eu/community-standard/112225492204863/	Get hash	malicious	Unknown	Browse	meta.case-page-appeal.eu/assets/k9854w4e5136q5a-f2169603.png
	http://www.tkmall-wholesale.com/	Get hash	malicious	Unknown	Browse	www.tkmall-wholesale.com/
	c1#U09a6.exe	Get hash	malicious	Unknown	Browse	winfileshare.com/ticket_line/llb.php
	QUOTATION_OCTQTRA071244PDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/eZFzMENr/download
	QUOTATION_OCTQTRA071244PDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/eZFzMENr/download
	1tstvk3Sls.exe	Get hash	malicious	RHADAMANTHYS	Browse	microsoft-rage.world/Api/v3/qjqzqiiqayjq

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	z1PO7311145.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	PO.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	rREQUESTFORQUOTE-INQUIRY87278.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	SM-0230- J - TOOL 10 DEGREE FOR DWT MACHINE-MF5i.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	172.67.177.134
	8038.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	COMPANY PROFILE_pdf.exe	Get hash	malicious	DarkTortilla, Snake Keylogger	Browse	188.114.97.3
	#Uc740#Ud589_#Uc0c1#Uc138#Uc815#Ubcf4.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	movimiento_INGDIRECT.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	Pla#U0107anje,jpg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
api.telegram.org	z1PO7311145.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	PO.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	rREQUESTFORQUOTE-INQUIRY87278.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	SM-0230- J - TOOL 10 DEGREE FOR DWT MACHINE-MF5i.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Yeni Sipari#U015f.pdf.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	COMPANY PROFILE_pdf.exe	Get hash	malicious	DarkTortilla, Snake Keylogger	Browse	149.154.167.220
	Pla#U0107anje,jpg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Quotation.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	sam.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	149.154.167.220
checkip.dyndns.com	z1PO7311145.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	PO.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	rREQUESTFORQUOTE-INQUIRY87278.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	SM-0230- J - TOOL 10 DEGREE FOR DWT MACHINE-MF5i.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73
	8038.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	COMPANY PROFILE_pdf.exe	Get hash	malicious	DarkTortilla, Snake Keylogger	Browse	132.226.8.169
	#Uc740#Ud589_#Uc0c1#Uc138#Uc815#Ubcf4.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	movimiento_INGDIRECT.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	Pla#U0107anje,jpg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	z1PO7311145.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	PO.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	rREQUESTFORQUOTE-INQUIRY87278.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	SM-0230- J - TOOL 10 DEGREE FOR DWT MACHINE-MF5i.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Yeni Sipari#U015f.pdf.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	COMPANY PROFILE_pdf.exe	Get hash	malicious	DarkTortilla, Snake Keylogger	Browse	149.154.167.220
	Pla#U0107anje,jpg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Quotation.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	sam.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	149.154.167.220
UTMEMUS	PO.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	SM-0230- J - TOOL 10 DEGREE FOR DWT MACHINE-MF5i.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73
	8038.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	COMPANY PROFILE_pdf.exe	Get hash	malicious	DarkTortilla, Snake Keylogger	Browse	132.226.8.169
	Quotation.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	2i3Lj7a8Gk.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	VX7fQ2wEzC.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	jHSDuYLeUl.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	na.hta	Get hash	malicious	Cobalt Strike, Snake Keylogger	Browse	132.226.8.169
CLOUDFLARENETUS	rInvoiceCM60916_xlx.exe	Get hash	malicious	FormBook	Browse	172.67.133.115
	z1PO7311145.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	https://www.masonpost.com:443/cgi-bin/redir?https://ctrk.klclick3.com/l/01J9K8KGETH6JCWEWSWY0Z1M23_0?upn=u001.itvpsDR1UD2k9ruxjm0OAspgqcVOQ2hpn9lpb50VxZJdbi9nOzDV7HSnhKeIcaLQsgzZhAfJ867-2F8IcC-2BBYACBF80J8eA0O7PKeZKrlC1Q54Fj-2FS5ho91OPbLHjsGsZQWTyMbbJfNaQPKh9-2FKW31wr-2BMvAwYD85cdCTmlJyLauY-3D1xqt_Zis0fkz6H88oOTECUjdmAu-2FGkDDLbhQT-2B-2B9-2BD8-2Fn-2BuGRBn47ofPUerdduk-2BghIIr31LJs6iNd0rpuOZI5rlm3TOpkCWZ1eNCAWCuASI4dMP9Tv6jbA2UWTI2YWLmFZqgYeVzSc0Fb4o9iKg-2BzjSlX63m5ZgVPzXZ0W3SrrpOTDVmr8Vwd0xwSjxu9efo9kpJLVs7HOh7Cib6eG0OHldiYrljs5jy-2BsmDgNausa6sMCHSoHHj10FI3IfGuCnAD3e6jEbbsHVD11-2FD9cWADvkKxwETdgNpgixeie55jSwivWDLRKcdIczYG3CyTpA1Y18cj-2FBGLZEHTJvF1rd5yfWClPzV1Xw6x2CQgpVVbtrTE5NXtV8WFomzmraH-2FRE0uCvY#QE5lb19IYWNrZXJAb2ZmaWNlLmNvbQ==	Get hash	malicious	Unknown	Browse	104.17.94.1
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	https://issuu.com/smart_media/docs/die_welt_wirtschaft/19	Get hash	malicious	Unknown	Browse	104.18.36.155
	Hscni Remittance_8115919700_16831215.html	Get hash	malicious	Tycoon2FA	Browse	104.17.25.14
	PO.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	Payment.vbs	Get hash	malicious	FormBook	Browse	188.114.96.3

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	z1PO7311145.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	rREQUESTFORQUOTE-INQUIRY87278.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	SM-0230- J - TOOL 10 DEGREE FOR DWT MACHINE-MF5i.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	8038.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	COMPANY PROFILE_pdf.exe	Get hash	malicious	DarkTortilla, Snake Keylogger	Browse	188.114.96.3
	#Uc740#Ud589_#Uc0c1#Uc138#Uc815#Ubcf4.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	movimiento_INGDIRECT.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	Pla#U0107anje,jpg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	Quotation.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
3b5074b1b5d032e5620f69f9f700ff0e	z1PO7311145.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Payment.vbs	Get hash	malicious	FormBook	Browse	149.154.167.220
	PAYMENT SPECIFIKACIJA 364846637-pdf.vbs	Get hash	malicious	Remcos	Browse	149.154.167.220
	https://bono-sicherheitstechniksharefile.btn-ebikes.com/	Get hash	malicious	HtmlDropper	Browse	149.154.167.220
	Portal.msi	Get hash	malicious	Unknown	Browse	149.154.167.220
	http://46.27.141.62	Get hash	malicious	Unknown	Browse	149.154.167.220
	rREQUESTFORQUOTE-INQUIRY87278.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	SecuriteInfo.com.Win64.MalwareX-gen.31726.9623.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	SecuriteInfo.com.Win64.MalwareX-gen.19388.23445.exe	Get hash	malicious	Unknown	Browse	149.154.167.220

Process:	C:\Users\user\Desktop\wrong bank details.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.765554913857324
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	wrong bank details.exe
File size:	563'200 bytes
MD5:	67a9a9b047b1e4f4d70930d8fd2142ad
SHA1:	269a60f8300a7b449c9cdc54a1470eefc0e192fb
SHA256:	a750777345fce604f483adfbe40e5f0d4c0582e5536c273675d7fd1002e84c5d
SHA512:	f63cefa6eb0b9019983e5e5cfddda955b639ae45b842a40c55e0b088500cddd0cf9d223df15fcdf4a069e1cf6244363c647f50538c947c920fea4f8314a6a5c4
SSDEEP:	12288:mnf0nZYr6+Tvy+XxpbVsh8FCvWuagIYIHNb8Pqli:mnGZY2+TvlvbVshnvWuaa
TLSH:	7CC4F162FAC99A51EC6501FB94757CCC21A15E4DCD8BF2B82ABC791DCC721C2EF88542
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g..............0.................. ........@.. ....................................@................................

File Icon


Icon Hash:	d3d0deeae2f2c6c2

Static PE Info

General

Entrypoint:	0x47a39a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6703BDB5 [Mon Oct 7 10:53:41 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7a347	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x7c000	0x10e6c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x8e000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x78d4c	0x54	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x783a0	0x78400	d04247a1ddae5f0ba24017b3525a019d	False	0.9805012344074844	data	7.983800868512996	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x7c000	0x10e6c	0x11000	c5c6dc42bb50a17ee74d536fbab54eec	False	0.07686121323529412	data	3.811066505218853	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x8e000	0xc	0x200	2317be15d3e416249279c83778dbed14	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x7c130	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 60472 x 60472 px/m	0.06794924878741275
RT_GROUP_ICON	0x8c958	0x14	data	1.0
RT_VERSION	0x8c96c	0x314	data	0.434010152284264
RT_MANIFEST	0x8cc80	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-07T15:41:25.284643+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49712	132.226.8.169	80	TCP
2024-10-07T15:41:31.628469+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49712	132.226.8.169	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 7, 2024 15:41:24.028033018 CEST	49712	80	192.168.2.6	132.226.8.169
Oct 7, 2024 15:41:24.033031940 CEST	80	49712	132.226.8.169	192.168.2.6
Oct 7, 2024 15:41:24.033099890 CEST	49712	80	192.168.2.6	132.226.8.169
Oct 7, 2024 15:41:24.033277988 CEST	49712	80	192.168.2.6	132.226.8.169
Oct 7, 2024 15:41:24.038063049 CEST	80	49712	132.226.8.169	192.168.2.6
Oct 7, 2024 15:41:24.850327969 CEST	80	49712	132.226.8.169	192.168.2.6
Oct 7, 2024 15:41:24.854067087 CEST	49712	80	192.168.2.6	132.226.8.169
Oct 7, 2024 15:41:24.859076977 CEST	80	49712	132.226.8.169	192.168.2.6
Oct 7, 2024 15:41:25.229922056 CEST	80	49712	132.226.8.169	192.168.2.6
Oct 7, 2024 15:41:25.239499092 CEST	49713	443	192.168.2.6	188.114.96.3
Oct 7, 2024 15:41:25.239551067 CEST	443	49713	188.114.96.3	192.168.2.6
Oct 7, 2024 15:41:25.239619017 CEST	49713	443	192.168.2.6	188.114.96.3
Oct 7, 2024 15:41:25.249792099 CEST	49713	443	192.168.2.6	188.114.96.3
Oct 7, 2024 15:41:25.249806881 CEST	443	49713	188.114.96.3	192.168.2.6
Oct 7, 2024 15:41:25.284642935 CEST	49712	80	192.168.2.6	132.226.8.169
Oct 7, 2024 15:41:25.711002111 CEST	443	49713	188.114.96.3	192.168.2.6
Oct 7, 2024 15:41:25.711117029 CEST	49713	443	192.168.2.6	188.114.96.3
Oct 7, 2024 15:41:25.721452951 CEST	49713	443	192.168.2.6	188.114.96.3
Oct 7, 2024 15:41:25.721474886 CEST	443	49713	188.114.96.3	192.168.2.6
Oct 7, 2024 15:41:25.722569942 CEST	443	49713	188.114.96.3	192.168.2.6
Oct 7, 2024 15:41:25.769001007 CEST	49713	443	192.168.2.6	188.114.96.3
Oct 7, 2024 15:41:25.794189930 CEST	49713	443	192.168.2.6	188.114.96.3
Oct 7, 2024 15:41:25.839411974 CEST	443	49713	188.114.96.3	192.168.2.6
Oct 7, 2024 15:41:25.904614925 CEST	443	49713	188.114.96.3	192.168.2.6
Oct 7, 2024 15:41:25.904855013 CEST	443	49713	188.114.96.3	192.168.2.6
Oct 7, 2024 15:41:25.905203104 CEST	49713	443	192.168.2.6	188.114.96.3
Oct 7, 2024 15:41:25.955060959 CEST	49713	443	192.168.2.6	188.114.96.3
Oct 7, 2024 15:41:31.313124895 CEST	49712	80	192.168.2.6	132.226.8.169
Oct 7, 2024 15:41:31.318012953 CEST	80	49712	132.226.8.169	192.168.2.6
Oct 7, 2024 15:41:31.579436064 CEST	80	49712	132.226.8.169	192.168.2.6
Oct 7, 2024 15:41:31.591154099 CEST	49719	443	192.168.2.6	149.154.167.220
Oct 7, 2024 15:41:31.591182947 CEST	443	49719	149.154.167.220	192.168.2.6
Oct 7, 2024 15:41:31.591619015 CEST	49719	443	192.168.2.6	149.154.167.220
Oct 7, 2024 15:41:31.592119932 CEST	49719	443	192.168.2.6	149.154.167.220
Oct 7, 2024 15:41:31.592139006 CEST	443	49719	149.154.167.220	192.168.2.6
Oct 7, 2024 15:41:31.628468990 CEST	49712	80	192.168.2.6	132.226.8.169
Oct 7, 2024 15:41:32.226310015 CEST	443	49719	149.154.167.220	192.168.2.6
Oct 7, 2024 15:41:32.226471901 CEST	49719	443	192.168.2.6	149.154.167.220
Oct 7, 2024 15:41:32.312577009 CEST	443	49719	149.154.167.220	192.168.2.6
Oct 7, 2024 15:41:32.328536034 CEST	49719	443	192.168.2.6	149.154.167.220
Oct 7, 2024 15:41:32.328583956 CEST	443	49719	149.154.167.220	192.168.2.6
Oct 7, 2024 15:41:32.845371962 CEST	443	49719	149.154.167.220	192.168.2.6
Oct 7, 2024 15:41:32.849853039 CEST	49719	443	192.168.2.6	149.154.167.220
Oct 7, 2024 15:41:32.849891901 CEST	443	49719	149.154.167.220	192.168.2.6
Oct 7, 2024 15:41:32.850657940 CEST	49719	443	192.168.2.6	149.154.167.220
Oct 7, 2024 15:41:32.850667000 CEST	443	49719	149.154.167.220	192.168.2.6
Oct 7, 2024 15:41:33.199695110 CEST	443	49719	149.154.167.220	192.168.2.6
Oct 7, 2024 15:41:33.253464937 CEST	49719	443	192.168.2.6	149.154.167.220
Oct 7, 2024 15:42:36.579957008 CEST	80	49712	132.226.8.169	192.168.2.6
Oct 7, 2024 15:42:36.581547976 CEST	49712	80	192.168.2.6	132.226.8.169
Oct 7, 2024 15:43:05.911454916 CEST	49712	80	192.168.2.6	132.226.8.169
Oct 7, 2024 15:43:05.911468983 CEST	49719	443	192.168.2.6	149.154.167.220
Oct 7, 2024 15:43:05.911660910 CEST	443	49719	149.154.167.220	192.168.2.6
Oct 7, 2024 15:43:05.911828995 CEST	49719	443	192.168.2.6	149.154.167.220
Oct 7, 2024 15:43:05.916390896 CEST	80	49712	132.226.8.169	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 7, 2024 15:41:24.014233112 CEST	53720	53	192.168.2.6	1.1.1.1
Oct 7, 2024 15:41:24.022492886 CEST	53	53720	1.1.1.1	192.168.2.6
Oct 7, 2024 15:41:25.231239080 CEST	64886	53	192.168.2.6	1.1.1.1
Oct 7, 2024 15:41:25.238895893 CEST	53	64886	1.1.1.1	192.168.2.6
Oct 7, 2024 15:41:31.583260059 CEST	63675	53	192.168.2.6	1.1.1.1
Oct 7, 2024 15:41:31.590466976 CEST	53	63675	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 7, 2024 15:41:24.014233112 CEST	192.168.2.6	1.1.1.1	0xf4fc	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Oct 7, 2024 15:41:25.231239080 CEST	192.168.2.6	1.1.1.1	0x4dee	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Oct 7, 2024 15:41:31.583260059 CEST	192.168.2.6	1.1.1.1	0xe733	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 7, 2024 15:41:24.022492886 CEST	1.1.1.1	192.168.2.6	0xf4fc	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 7, 2024 15:41:24.022492886 CEST	1.1.1.1	192.168.2.6	0xf4fc	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Oct 7, 2024 15:41:24.022492886 CEST	1.1.1.1	192.168.2.6	0xf4fc	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Oct 7, 2024 15:41:24.022492886 CEST	1.1.1.1	192.168.2.6	0xf4fc	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Oct 7, 2024 15:41:24.022492886 CEST	1.1.1.1	192.168.2.6	0xf4fc	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Oct 7, 2024 15:41:24.022492886 CEST	1.1.1.1	192.168.2.6	0xf4fc	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Oct 7, 2024 15:41:25.238895893 CEST	1.1.1.1	192.168.2.6	0x4dee	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Oct 7, 2024 15:41:25.238895893 CEST	1.1.1.1	192.168.2.6	0x4dee	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Oct 7, 2024 15:41:31.590466976 CEST	1.1.1.1	192.168.2.6	0xe733	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49712	132.226.8.169	80	616	C:\Users\user\Desktop\wrong bank details.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 15:41:24.033277988 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 7, 2024 15:41:24.850327969 CEST	272	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 13:41:24 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Oct 7, 2024 15:41:24.854067087 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 7, 2024 15:41:25.229922056 CEST	272	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 13:41:25 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Oct 7, 2024 15:41:31.313124895 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 7, 2024 15:41:31.579436064 CEST	272	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 13:41:31 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

HTTPS Connections

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Oct 7, 2024 15:41:32.312577009 CEST	149.154.167.220	443	192.168.2.6	49719	CN=api.telegram.org CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	Sun Mar 24 14:08:48 CET 2024 Tue May 03 09:00:00 CEST 2011 Wed Jan 01 08:00:00 CET 2014 Tue Jun 29 19:06:20 CEST 2004	Fri Apr 25 15:08:48 CEST 2025 Sat May 03 09:00:00 CEST 2031 Fri May 30 09:00:00 CEST 2031 Thu Jun 29 19:06:20 CEST 2034	771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	3b5074b1b5d032e5620f69f9f700ff0e
					CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	Tue May 03 09:00:00 CEST 2011	Sat May 03 09:00:00 CEST 2031
					CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	Wed Jan 01 08:00:00 CET 2014	Fri May 30 09:00:00 CEST 2031
					OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	Tue Jun 29 19:06:20 CEST 2004	Thu Jun 29 19:06:20 CEST 2034

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49713	188.114.96.3	443	616	C:\Users\user\Desktop\wrong bank details.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-07 13:41:25 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-07 13:41:25 UTC	678	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 13:41:25 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 64820 Last-Modified: Sun, 06 Oct 2024 19:41:05 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GWcaQPfFHs4QlLERpsTE3iuGAglvyhiKwt%2Bp%2Falonh9m3roL6HzEBlMoMf4L4xg1NfP74ktMyLPNYWPGs7ociN%2FTJNQP%2Fm4etiirgYUFktmveE1pSO4TyZa3D8z2ZpHrCKJKl8F5"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cee4f048810727d-EWR
2024-10-07 13:41:25 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-07 13:41:25 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	09:41:21
Start date:	07/10/2024
Path:	C:\Users\user\Desktop\wrong bank details.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\wrong bank details.exe"
Imagebase:	0x1e0000
File size:	563'200 bytes
MD5 hash:	67A9A9B047B1E4F4D70930D8FD2142AD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.2145167177.0000000003676000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2145167177.0000000003676000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.2145167177.0000000003676000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.2145167177.0000000003676000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.2145167177.00000000035A9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2145167177.00000000035A9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.2145167177.00000000035A9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.2145167177.00000000035A9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	09:41:22
Start date:	07/10/2024
Path:	C:\Users\user\Desktop\wrong bank details.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\wrong bank details.exe"
Imagebase:	0x1f0000
File size:	563'200 bytes
MD5 hash:	67A9A9B047B1E4F4D70930D8FD2142AD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	09:41:23
Start date:	07/10/2024
Path:	C:\Users\user\Desktop\wrong bank details.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\wrong bank details.exe"
Imagebase:	0x640000
File size:	563'200 bytes
MD5 hash:	67A9A9B047B1E4F4D70930D8FD2142AD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000004.00000002.4550376269.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.4550376269.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000004.00000002.4550376269.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000004.00000002.4550376269.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.4551831921.0000000002B74000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000004.00000002.4551831921.0000000002B74000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	10.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	206
Total number of Limit Nodes:	15

Executed Functions

Function 06CA8DF0 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2146931174.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca0000_wrong bank details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42a919445bacaef8d8b320427f36b27905d8d7ce44c35856da16acc1426f40c3
Instruction ID: ff91cbcfa64325f7cd522d4923179e73601f4f4a4b71853bf1a8bf81cbf66a0e
Opcode Fuzzy Hash: 42a919445bacaef8d8b320427f36b27905d8d7ce44c35856da16acc1426f40c3
Instruction Fuzzy Hash: 5BC1A870B017068FDBA9DB76C864BAAB7FBAF89704F24446DD1469B390CB34E901CB51

Function 06CA5C7C Relevance: 1.7, APIs: 1, Instructions: 247
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06CA5EBE

Memory Dump Source

Source File: 00000000.00000002.2146931174.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca0000_wrong bank details.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 758ff81b8aef29161c72c0dfce32a089a0792d4b8335c9c822f02dc7ef599687
Instruction ID: 5d88c521969d59fc6dcdc4091be53f9107ac8becbac31bbbe9bd0a5f58965a5c
Opcode Fuzzy Hash: 758ff81b8aef29161c72c0dfce32a089a0792d4b8335c9c822f02dc7ef599687
Instruction Fuzzy Hash: 8EA16A71D0031ACFEB60CFA8C9457DDBBB2BF48314F5485A9E848A7280DB759A85CF91

Function 06CA5C88 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06CA5EBE

Memory Dump Source

Source File: 00000000.00000002.2146931174.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca0000_wrong bank details.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: a5435a96fa8477f00555945c8ca709d2fe28e9f0b6aeb7221e35c629c28998ea
Instruction ID: ffa23f3a382f2c14d58b0144fa828d7ade2ecebc8e0b41b54c837f66aa4bb9c2
Opcode Fuzzy Hash: a5435a96fa8477f00555945c8ca709d2fe28e9f0b6aeb7221e35c629c28998ea
Instruction Fuzzy Hash: 74914971D0031ADFEB60CFA8C9457DEBBB2BF48314F548569E808A7240DB759A85CF91

Function 023CAD48 Relevance: 1.7, APIs: 1, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 023CAF9E

Memory Dump Source

Source File: 00000000.00000002.2143474048.00000000023C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23c0000_wrong bank details.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 05af8c5a7943bfbbbb608c9284ce2cd304d64e94eccc0b6fb5c30b172edb2ab8
Instruction ID: 3075a5af8104a37aef75bfe61053f2c3e420e2d277efc5f20ee213f9726f3852
Opcode Fuzzy Hash: 05af8c5a7943bfbbbb608c9284ce2cd304d64e94eccc0b6fb5c30b172edb2ab8
Instruction Fuzzy Hash: C27155B0A00B098FD724DF2AD44475ABBF1FF88714F208A2DD48AD7A40DB75E849CB91

Function 023C590C Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 023C59C9

Memory Dump Source

Source File: 00000000.00000002.2143474048.00000000023C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23c0000_wrong bank details.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: fa004633eeeea11c33e0f67fb27e5a33434bae594ac8b8b6fb6f9b1367fd40b7
Instruction ID: 3413404d23c0c262734decbfe07537e7436d68e32b452c6712deab026f0f2987
Opcode Fuzzy Hash: fa004633eeeea11c33e0f67fb27e5a33434bae594ac8b8b6fb6f9b1367fd40b7
Instruction Fuzzy Hash: F841D1B0C00719CBEB24CFAAC9847CEBBB5BF48314F60805AD449BB251DB75694ACF51

Function 023C44B0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 023C59C9

Memory Dump Source

Source File: 00000000.00000002.2143474048.00000000023C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23c0000_wrong bank details.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 336f99a10bcd619ddab09a427805326fd07b697f2ae36640c85871897cd56ff8
Instruction ID: 3a4db47523dad5a001b70f1a665954896bee934e9ce376bada9786f88016dad9
Opcode Fuzzy Hash: 336f99a10bcd619ddab09a427805326fd07b697f2ae36640c85871897cd56ff8
Instruction Fuzzy Hash: D241F270C0071DCBEB24CFAAC944B8EBBB5BF48304F60805AD409BB251DB716949CF91

Function 06CA59F8 Relevance: 1.6, APIs: 1, Instructions: 70
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06CA5A90

Memory Dump Source

Source File: 00000000.00000002.2146931174.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca0000_wrong bank details.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: e8d7a0687bc2a3707c1effd44137cd2f2d771c74a6dc349fafb621f2006583ec
Instruction ID: c1eb4e548d74b7825cb2c038ec752486ce7b92cec0a291020a1fedf30f3aec2c
Opcode Fuzzy Hash: e8d7a0687bc2a3707c1effd44137cd2f2d771c74a6dc349fafb621f2006583ec
Instruction Fuzzy Hash: 5C2168B5D0034ADFDB10CFA9C880BEEBBF1BF48310F10892AE558A7240D7789940CBA4

Function 06CA5A00 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06CA5A90

Memory Dump Source

Source File: 00000000.00000002.2146931174.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca0000_wrong bank details.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: eeffa0eebc03893573c42121bfbe700b269704c1c329d9f0b951721f6b027e28
Instruction ID: bf348ffd6c9f0db4103f2dbe13b718b034234de255adb9e7ccd44bfe3c2057b5
Opcode Fuzzy Hash: eeffa0eebc03893573c42121bfbe700b269704c1c329d9f0b951721f6b027e28
Instruction Fuzzy Hash: 9121377190030ADFDB10CFA9C881BEEBBF5BF48314F108429E918A7240D7789950CBA5

Function 023CD21C Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,023CD5F6,?,?,?,?,?), ref: 023CD6B7

Memory Dump Source

Source File: 00000000.00000002.2143474048.00000000023C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23c0000_wrong bank details.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 7a24fb63254c475b89f458d222d8fac1630f61e68600a457c04fa7f6f7456c02
Instruction ID: 23164c66e7ee3b74cb5d5a987e12c826e81973da0288c60ccc85e780d60230a5
Opcode Fuzzy Hash: 7a24fb63254c475b89f458d222d8fac1630f61e68600a457c04fa7f6f7456c02
Instruction Fuzzy Hash: F521E5B5900209DFDB10DF9AD584ADEFBF4FB48314F14801AE958A3310D374A954CFA5

Function 06CA5AE8 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06CA5B70

Memory Dump Source

Source File: 00000000.00000002.2146931174.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca0000_wrong bank details.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 29af4f0c36f955e2978c87ee03a6f31e8b2489cc1114b61afdcbc24aa8758821
Instruction ID: 5ac1f78651f34a11aebd16fd7b0adb47b608073544c130ccb0f07e3a18320804
Opcode Fuzzy Hash: 29af4f0c36f955e2978c87ee03a6f31e8b2489cc1114b61afdcbc24aa8758821
Instruction Fuzzy Hash: 282105B1C0034A9FDB10CFA9C981BAEFBF5BF48314F10882EE559A7250D7789550CB65

Function 06CA5860 Relevance: 1.6, APIs: 1, Instructions: 64
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06CA58E6

Memory Dump Source

Source File: 00000000.00000002.2146931174.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca0000_wrong bank details.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 6b1e21beb639eb8a80740702c97ee11c3377649fd2063c4cc350d60315c5a3a7
Instruction ID: 87691e9d43ff6a1e4122fb60214c3cbd9996d9ae724c2760b12c237046a40011
Opcode Fuzzy Hash: 6b1e21beb639eb8a80740702c97ee11c3377649fd2063c4cc350d60315c5a3a7
Instruction Fuzzy Hash: 0D2157B1D0030A8FDB10CFAAC5857AEBBF4AF88314F14842ED559A7240DB789544CFA5

Function 023CD629 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,023CD5F6,?,?,?,?,?), ref: 023CD6B7

Memory Dump Source

Source File: 00000000.00000002.2143474048.00000000023C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23c0000_wrong bank details.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 4acf1d67f4701262f5aa3fa3e34f1c502ea2535e28e8209f32d4ebdd4e679eb1
Instruction ID: 8048891c61a6feac14be29efc1832fc8430aefdaf14e4a1e5b6591e41f653aca
Opcode Fuzzy Hash: 4acf1d67f4701262f5aa3fa3e34f1c502ea2535e28e8209f32d4ebdd4e679eb1
Instruction Fuzzy Hash: 6F21E5B5900209DFDB10CF9AD584ADEBBF5FB48324F14801AE958A3310D374A954CF65

Function 06CA5AF0 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06CA5B70

Memory Dump Source

Source File: 00000000.00000002.2146931174.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca0000_wrong bank details.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 92bdd09b5bb3465d3142da2b9d293ab1ce849495e6546996bfe1bbb93e07501d
Instruction ID: 7f9802fa92e06e999906cf60fd13672975411f933060f5c2d855b08823f1e921
Opcode Fuzzy Hash: 92bdd09b5bb3465d3142da2b9d293ab1ce849495e6546996bfe1bbb93e07501d
Instruction Fuzzy Hash: 2D2105B18003499FDB10CFAAC885ADEBBF5FF88320F508429E558A7240C7789550CBA5

Function 06CA5868 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06CA58E6

Memory Dump Source

Source File: 00000000.00000002.2146931174.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca0000_wrong bank details.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 55c5060e8bc891c643820db1cf2133abf69d41c0d917275795dbde4f71b0db1d
Instruction ID: 82f7aca222f299b09dd9eafc03a26a859ef25cfc6c4b628216d53eeee158fbbc
Opcode Fuzzy Hash: 55c5060e8bc891c643820db1cf2133abf69d41c0d917275795dbde4f71b0db1d
Instruction Fuzzy Hash: 12213871D0030A8FDB10DFAAC4857AEBBF4EF88324F54842AD559A7240CB789944CFA5

Function 06CA5940 Relevance: 1.6, APIs: 1, Instructions: 53
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06CA59AE

Memory Dump Source

Source File: 00000000.00000002.2146931174.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca0000_wrong bank details.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 17910eec429945861ee360a74e955dc3e92870c997684720041e8af911e93384
Instruction ID: 2331e281762301cc64385f6b39ec3a4aacae680fca895c7e45ea0112f8d7faa5
Opcode Fuzzy Hash: 17910eec429945861ee360a74e955dc3e92870c997684720041e8af911e93384
Instruction Fuzzy Hash: D61156729003499FDB10CFAAC844BDEBBF5AF88324F108419E519A7250CB75A550CBA1

Function 06CA5938 Relevance: 1.6, APIs: 1, Instructions: 53
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06CA59AE

Memory Dump Source

Source File: 00000000.00000002.2146931174.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca0000_wrong bank details.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0bf5ce2491f8904fe54eaf5866c477d9a76277d0dbf1e8eea108696de9a615d8
Instruction ID: 46e90c15ad6f7792aaced56926fd52a2ab6594103bb5ecb99ff22d11785b8669
Opcode Fuzzy Hash: 0bf5ce2491f8904fe54eaf5866c477d9a76277d0dbf1e8eea108696de9a615d8
Instruction Fuzzy Hash: 6B1189B180034ACFDB10CFA9C9447DEFBF5AF88324F208819D555A7250C775A540CFA1

Function 06CA57B0 Relevance: 1.6, APIs: 1, Instructions: 50threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06CA581A

Memory Dump Source

Source File: 00000000.00000002.2146931174.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca0000_wrong bank details.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 4d4288b5a194838a58d43745cc0ec27cbecb47cc75773b3770c69d339c7b0fda
Instruction ID: d9185f0f7eddb51c1c0545d8f906dad811f312c8cea26f784871ba9f513a90bb
Opcode Fuzzy Hash: 4d4288b5a194838a58d43745cc0ec27cbecb47cc75773b3770c69d339c7b0fda
Instruction Fuzzy Hash: FA1146B5D0034ACFDB20CFAAC94579EFBF4AF88224F24881AD559A7240C774A540CBA5

Function 06CA57B8 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06CA581A

Memory Dump Source

Source File: 00000000.00000002.2146931174.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca0000_wrong bank details.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 50ad3bd806ef0c3e92d37845274881631114ff00111cbf7c4b8576158b5cd72b
Instruction ID: dfbb350371dad344695a5bab386c0680ba7632feb1e24d05828da5d55a4dc8b5
Opcode Fuzzy Hash: 50ad3bd806ef0c3e92d37845274881631114ff00111cbf7c4b8576158b5cd72b
Instruction Fuzzy Hash: 701136B1D00349CFDB20DFAAC84579EFBF4AF88724F24841AD519A7240CB79A944CBA5

Function 06CA6C58 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06CA8A35

Memory Dump Source

Source File: 00000000.00000002.2146931174.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca0000_wrong bank details.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: e266104cc423c8f51db27443d1930ecffee4b0f733baf9fff42b8d81d0523756
Instruction ID: ce4b4cc425686550bd76fc0bef9c5f849d1c6677b4688ad5be5d43f7cc89aa58
Opcode Fuzzy Hash: e266104cc423c8f51db27443d1930ecffee4b0f733baf9fff42b8d81d0523756
Instruction Fuzzy Hash: 4311F2B5800349DFDB50CF9AC948BDEBBF8EB48324F10841AE958A7640C3B5A954CFA5

Function 023CAF38 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 023CAF9E

Memory Dump Source

Source File: 00000000.00000002.2143474048.00000000023C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23c0000_wrong bank details.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 941cf5e307eb9d1882247912146f95f43bafed1f72a799d01598828f9315e1f3
Instruction ID: 4ce23df8216481c15859fad35fc1487d07c70db9b0e9b4ec8629c910d5575a58
Opcode Fuzzy Hash: 941cf5e307eb9d1882247912146f95f43bafed1f72a799d01598828f9315e1f3
Instruction Fuzzy Hash: 541113B6C003498FCB10CF9AD944BDEFBF4AF88224F20841AD858A7200C379A545CFA1

Function 06CA89D0 Relevance: 1.5, APIs: 1, Instructions: 43windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06CA8A35

Memory Dump Source

Source File: 00000000.00000002.2146931174.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca0000_wrong bank details.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: b7551507edd93e1113fb7885d4ad0fd76d55dd6fd59d47a81ac8fa227e857dee
Instruction ID: 5c9bf747bb971ac6b7d6cb447794ca5a4745a81807b00719f6acf3f92339aa8b
Opcode Fuzzy Hash: b7551507edd93e1113fb7885d4ad0fd76d55dd6fd59d47a81ac8fa227e857dee
Instruction Fuzzy Hash: 3511F2B9800349CFDB10CF99D544BDEBBF4FB48314F20881AD558A7240C378A945CFA1

Function 06CA9354 Relevance: 1.3, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,06CA9BC9,?,?), ref: 06CA9D70

Memory Dump Source

Source File: 00000000.00000002.2146931174.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca0000_wrong bank details.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: fa25ddd12997a95c724ac051e944db02faa5d4ab08429fcc28f96c7b9a902e5a
Instruction ID: ebf55ecaa49603d07e7f7276c58ba747fc9f20576f4686534cf157de8b312d36
Opcode Fuzzy Hash: fa25ddd12997a95c724ac051e944db02faa5d4ab08429fcc28f96c7b9a902e5a
Instruction Fuzzy Hash: 531132B280034A8FDB10CF9AC445B9EBBF4EB88224F208419D958A7240D378A984CBA5

Function 06CA9D10 Relevance: 1.3, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,06CA9BC9,?,?), ref: 06CA9D70

Memory Dump Source

Source File: 00000000.00000002.2146931174.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca0000_wrong bank details.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 61b990cf990bf1b3491a77157f9dbf4d5f72783012f3fba88472d321bcec88c7
Instruction ID: dbf6b261d63c5f51787a1d2b62da21032d350975086c571786a2ec18b76c2f4c
Opcode Fuzzy Hash: 61b990cf990bf1b3491a77157f9dbf4d5f72783012f3fba88472d321bcec88c7
Instruction Fuzzy Hash: 6A1122B6C0034ACFDB10CF99C5457AEBBF0AB48324F20841AD998A7740D778A684CFA5

Function 00B3D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2143107293.0000000000B3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b3d000_wrong bank details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14668d6459217f7510df31c5622b6ab226417c5f84def4aba73cd8f0fafccdc8
Instruction ID: 83808486150e53281aec8d2a9cd60e80b78d62541c5cdb8b54a669a165b92c67
Opcode Fuzzy Hash: 14668d6459217f7510df31c5622b6ab226417c5f84def4aba73cd8f0fafccdc8
Instruction Fuzzy Hash: D6210676504204EFDB05DF14E9C0B26BFA5FB94324F30C5A9D9090B356C336E856CBA1

Function 00B3D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2143107293.0000000000B3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b3d000_wrong bank details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d35ced08e02c9d56563907af0dcaddb1d49eecb667a8e9e99d50e0d328f28c70
Instruction ID: 91137f25e4d0acd786161046d9b137bdd2a4d9b647d4412fec79d24e9c4346ad
Opcode Fuzzy Hash: d35ced08e02c9d56563907af0dcaddb1d49eecb667a8e9e99d50e0d328f28c70
Instruction Fuzzy Hash: 0B212572604240EFDB05DF14E9C0B2ABFA5FB98318F30C5A9E9090B256C336D856CAA1

Function 00B4D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2143162532.0000000000B4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b4d000_wrong bank details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f36dd097dc8556f62af8dd625f4727332f7fbf8d6340cf00f769c2a47b0760d2
Instruction ID: 3dbb0500af7c71671df8f985f6fea8f3b05a347d40a944a10165042349d26bfe
Opcode Fuzzy Hash: f36dd097dc8556f62af8dd625f4727332f7fbf8d6340cf00f769c2a47b0760d2
Instruction Fuzzy Hash: 36212675604304EFDB05DF14D9C0B26BBE5FB84314F20C6ADE9094B392C7B6D946DA61

Function 00B4D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2143162532.0000000000B4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b4d000_wrong bank details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 810d6376ed37728839454622fdd178f94e4a158bd428ab1505d8296d36123cba
Instruction ID: 2484b151d8c9fea01349deaf94ea43ce9f232346cad44816df03bdb8b7b93d21
Opcode Fuzzy Hash: 810d6376ed37728839454622fdd178f94e4a158bd428ab1505d8296d36123cba
Instruction Fuzzy Hash: 79213175604300EFCB14DF24D9D0B26BBA1FB88314F20C5ADE90A4B392C37AD907DA61

Function 00B4D006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2143162532.0000000000B4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b4d000_wrong bank details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9d9616498f36ba39eb0450921001d9adc37d3d6ce19a2a124e5ae466200c656
Instruction ID: d2e4724d389998b4dbaa34733fc257156bdb60020c65aa7969cef6977f61e26d
Opcode Fuzzy Hash: c9d9616498f36ba39eb0450921001d9adc37d3d6ce19a2a124e5ae466200c656
Instruction Fuzzy Hash: 492192755083809FCB02CF14D994B11BFB1EB46314F28C5DAD8498F2A7C33AD906CB62

Function 00B3D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2143107293.0000000000B3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b3d000_wrong bank details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction ID: 23a6f07831c7d9aef017edd71bc9c9420101f24ca2f0d2cf6a93d7842e3ce566
Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction Fuzzy Hash: 4011D376504280DFCB16CF10D5C4B16BFB1FB94318F34C6A9D8490B656C33AD856CBA1

Function 00B3D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2143107293.0000000000B3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b3d000_wrong bank details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction ID: deeb829f48d1ac53d847651db1ceb6fc51d26b494312a2ef3455906a2144e3a8
Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction Fuzzy Hash: CF11B1B6504280DFCB16CF10E5C4B16BFB1FB94324F24C6A9D8490B756C33AE856CBA1

Function 00B4D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2143162532.0000000000B4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b4d000_wrong bank details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction ID: 35d468255cf25249038d6d84bc2ba755dc11add48e2f0bf02d7592ddb4ece5f2
Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction Fuzzy Hash: E911BB75504280DFCB01CF10C5C4B15BBA1FB84314F24C6A9D8494B2A6C37AD80ACB61

Function 00B3D759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2143107293.0000000000B3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b3d000_wrong bank details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ad09954d0182b4f137d877b845f942c1608a0b16d99e5cce0720334ed96dd01
Instruction ID: f4734500dc39c0aca93e76e8a6305078dab83a39d36be0b9c65aef8db41e66e2
Opcode Fuzzy Hash: 6ad09954d0182b4f137d877b845f942c1608a0b16d99e5cce0720334ed96dd01
Instruction Fuzzy Hash: B0012671504340DAE7104B26EDC4B66FFD8EF41720F38C59AED090A286CBB8DC40C6B1

Function 00B3D758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2143107293.0000000000B3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b3d000_wrong bank details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea64801b6f54559ebcf9590c01ca0ef954776dbddba4e9ca30984ac0f95aa100
Instruction ID: 4d525adb2bc4bce9ef76b7f12348d3740f2539c3dd2c220143747d8bbcaab7c3
Opcode Fuzzy Hash: ea64801b6f54559ebcf9590c01ca0ef954776dbddba4e9ca30984ac0f95aa100
Instruction Fuzzy Hash: 4EF06271405344EEE7108A16DD84B62FFE8EF51724F28C55AED084B286C779AC44CAB1

Non-executed Functions

Function 06CA4F90 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2146931174.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca0000_wrong bank details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e996eaafa93dc5a1b7dbce8bca6bd41b55c68d1b2e181a5f7479a90f2100275a
Instruction ID: a4d8f917085ba2a009c20854fe673bcc999e198a1b33686fab4d41b9a911f310
Opcode Fuzzy Hash: e996eaafa93dc5a1b7dbce8bca6bd41b55c68d1b2e181a5f7479a90f2100275a
Instruction Fuzzy Hash: 32E1F874E002598FDB14DFA9C580AAEFBB2FF89304F64C269D514AB355D770A942CFA0

Function 06CA4B58 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2146931174.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca0000_wrong bank details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0a4d0c8fd97bb62df56752302d671be6fbd3b7a76950e7575ee56c04e6da5dc
Instruction ID: 0b0f541fd99fbbe6d18d61d340fccd978499a68d42f3a162516513ebc7fb4e04
Opcode Fuzzy Hash: a0a4d0c8fd97bb62df56752302d671be6fbd3b7a76950e7575ee56c04e6da5dc
Instruction Fuzzy Hash: 48E1F774E002598FDB54DFA9C580AAEFBF2BF89304F248269D414AB355D771A942CFA0

Function 06CA4720 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2146931174.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca0000_wrong bank details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6da65de373382a8ac41432c31186aa88eee4109e4e1b50b75a08b6dcc139772
Instruction ID: 6258be9a031bbd0682bdbcdae70e9413c9d46eddba46329ed3631f87bcd158e0
Opcode Fuzzy Hash: c6da65de373382a8ac41432c31186aa88eee4109e4e1b50b75a08b6dcc139772
Instruction Fuzzy Hash: F7E1F674E002598FDB14DFA9D580AAEFBF2BF89304F24C269D415AB355D770A942CFA0

Function 06CA2C40 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2146931174.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca0000_wrong bank details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc593bf466378f742c74d86304bcf35e24b3f346beb4adbea3cc58b99d8956d2
Instruction ID: 5acd3bb5163868a104367acf8e44d4a13c1facbcbfc638f48f1eb773bac53e4f
Opcode Fuzzy Hash: cc593bf466378f742c74d86304bcf35e24b3f346beb4adbea3cc58b99d8956d2
Instruction Fuzzy Hash: 7EE1FB74E002698FDB54DFA9C590AAEFBB2FF49304F248169D414AB355D734AE42CFA0

Function 06CA3078 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2146931174.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca0000_wrong bank details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a776f9515354e3d151611759d4bc6ff11ae80c2b94608ad36f63a961e207e37
Instruction ID: f3be2e8be2bad56a0976a956b82557bd7f12fbb32d6f5b4d27aed15a336aaf2c
Opcode Fuzzy Hash: 9a776f9515354e3d151611759d4bc6ff11ae80c2b94608ad36f63a961e207e37
Instruction Fuzzy Hash: 4AE1FC74E002598FDB14DFA9C594AAEFBF2FF89304F248269D418A7355D731A942CFA0

Function 023CD55C Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2143474048.00000000023C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23c0000_wrong bank details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e7e0be6f32a71788bd386727996ed137a1c78f59f11c9c5867c184537fa9a1b
Instruction ID: ea62d8cd22e0e47948c657bbfdc5b4f78f6c697a4b737a4a537aeefbb8f733eb
Opcode Fuzzy Hash: 2e7e0be6f32a71788bd386727996ed137a1c78f59f11c9c5867c184537fa9a1b
Instruction Fuzzy Hash: E4A13832A002098FCF15DFA5C84059EBBB3FF85304B25856EE906AB265DB71ED16CF40

Function 06CA4F7F Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2146931174.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca0000_wrong bank details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bda75bba144e63b0f102f0351ba93d4d619a7d89f5e78d29a71d538ebe31f86d
Instruction ID: 548f3f9a777914bf97047b44dded684207035fbd7f7028cd8b55aded8271d8d1
Opcode Fuzzy Hash: bda75bba144e63b0f102f0351ba93d4d619a7d89f5e78d29a71d538ebe31f86d
Instruction Fuzzy Hash: C9511B74E0025A8FDB14DFA9C5809AEFBF2BF89304F24C269C458A7355D7309A42CFA1

Analysis Process: wrong bank details.exePID: 616, Parent PID: 4992COMMON

Execution Graph

Execution Coverage:	14.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	39%
Total number of Nodes:	41
Total number of Limit Nodes:	3

Executed Functions

Function 00DAC168 Relevance: 2.0, APIs: 1, Instructions: 530
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.4551367053.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_da0000_wrong bank details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c7c98c747e74e05740f7103e688483a9177656b51f74a81083188db60e19daf
Instruction ID: 4cdd383cae02cd42da1c7e48a24f8735b97944ec0cca596e6f17f62e796d7171
Opcode Fuzzy Hash: 8c7c98c747e74e05740f7103e688483a9177656b51f74a81083188db60e19daf
Instruction Fuzzy Hash: 12223874E102198FDB14DFA8C884B9DBBF2BF89310F1496A9D409AB355DB749D82CF60

Function 04F46998 Relevance: 1.0, Instructions: 974COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4553644945.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4f40000_wrong bank details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea5d1775c93767564a978f022e6284450b6624a80a7b567e54fc154201cdf804
Instruction ID: 30dd85f81ae8944396a892019c48671ccd4584be8caabd26e04ff124200e2a8a
Opcode Fuzzy Hash: ea5d1775c93767564a978f022e6284450b6624a80a7b567e54fc154201cdf804
Instruction Fuzzy Hash: 6E822B71A002199FDB14DFA9C884AAEBBF6BFC9300F158569E805DB365DB34ED42CB50

Function 04F47770 Relevance: .9, Instructions: 917COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4553644945.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4f40000_wrong bank details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7661404b74eaeeb7ab6ce58a68e6e19d4df5150d7b3a912f16167d517a62fd07
Instruction ID: 4fe3f1adb25909692836adbcbb5cc4a46ac678086ce823efd2de79ac34da9bcb
Opcode Fuzzy Hash: 7661404b74eaeeb7ab6ce58a68e6e19d4df5150d7b3a912f16167d517a62fd07
Instruction Fuzzy Hash: 36824B34A00609DFCB14EFA8C984AAEBBF2FF88354F158559E4459B6A5DB30FD42CB50

Function 04F44500 Relevance: .7, Instructions: 745
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.4553644945.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4f40000_wrong bank details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 982aef469ffa2a423a42a1685b6bbbd61bc937fb00f6c75a5f68baea1ba833e1
Instruction ID: f0627d25a9598d9aa30fe28ea23c4adb3fd89ca90910165258179e97115bb16f
Opcode Fuzzy Hash: 982aef469ffa2a423a42a1685b6bbbd61bc937fb00f6c75a5f68baea1ba833e1
Instruction Fuzzy Hash: 1E827B74E01228DFDB64DF69D894BEDBBB2BB89300F1081EA950DA7265DB345E81CF50

Function 04F415F8 Relevance: .3, Instructions: 296
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.4553644945.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4f40000_wrong bank details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ea6a715002760de41939ed6222b028fd46c39a4d098d7666875eba18d52cef5
Instruction ID: db54feae4b39b69cca6bf6174e31b8d386d24755f7eacec7a0006b34bc2a2540
Opcode Fuzzy Hash: 0ea6a715002760de41939ed6222b028fd46c39a4d098d7666875eba18d52cef5
Instruction Fuzzy Hash: 95E1B374E01218CFEB64DFA5D944B9DBBB2FF89300F2081A9D409A7395DB755A86CF20

Function 00DA4F08 Relevance: .3, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.4551367053.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_da0000_wrong bank details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5e7eb95b3781912e5f30dc0005eab1dec4edcbe2f73888a8362539db4b28f03
Instruction ID: 9bec46227c771a01b911f08783a16c3306ddd7cd8158e350422f10a8f4773fd6
Opcode Fuzzy Hash: a5e7eb95b3781912e5f30dc0005eab1dec4edcbe2f73888a8362539db4b28f03
Instruction Fuzzy Hash: 44C19174E01218CFDB54DFA9D944BADBBB2FF89300F1091AAD809A7365DB359A85CF10

Function 00DA5358 Relevance: .2, Instructions: 229
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.4551367053.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_da0000_wrong bank details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7b4b398a4d78200d2c50e27ae9cb35045296fe221b6aa1b0172e9fa9872d494
Instruction ID: 419332aacac4f2dec25530d4b0d4a216fad999aa2d517bb89211ee78def6ab56
Opcode Fuzzy Hash: b7b4b398a4d78200d2c50e27ae9cb35045296fe221b6aa1b0172e9fa9872d494
Instruction Fuzzy Hash: 0DA11670D00619CFDB14DFA9D948B9DBBB1FF89300F24926AD408A73A5DB749985CF60

Function 00DA56AF Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4551367053.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_da0000_wrong bank details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 874db8c58e9f5ccf5cb822408e1fa7a171d90bfcdec8ebb2bcc1ed6eaf9c4ebe
Instruction ID: 97f5cdb1b9711e6603ad570fcd550e0d7d17e0fdae5cc6227463fa2bf4d7f278
Opcode Fuzzy Hash: 874db8c58e9f5ccf5cb822408e1fa7a171d90bfcdec8ebb2bcc1ed6eaf9c4ebe
Instruction Fuzzy Hash: 9291F270D00619CFDB10DFA8D948B9CBBB1FF49300F24925AE449AB3A5DB759985CF24

Function 04F41C58 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4553644945.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4f40000_wrong bank details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de04d739cced60b34ed96ebe9a0dcdcc40581cb7e50c5e2e4433b8a037228229
Instruction ID: 70869abf33a96508da851dba525cc25e73386a86a86bc3a9b1276d092c70178e
Opcode Fuzzy Hash: de04d739cced60b34ed96ebe9a0dcdcc40581cb7e50c5e2e4433b8a037228229
Instruction Fuzzy Hash: 6081B374E00218CFDB58DFAAD9547ADBBF2BF89300F20816AD419AB354DB345986CF50

Function 04F415EA Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4553644945.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4f40000_wrong bank details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6acc095e4792c55b8124a4035def887270206ede37265eedb4f9317da4bd4371
Instruction ID: 8cb93dde4c9169f3e79f26d628ed2f13026b828d7a6e54f555b481ba2a362dc9
Opcode Fuzzy Hash: 6acc095e4792c55b8124a4035def887270206ede37265eedb4f9317da4bd4371
Instruction Fuzzy Hash: 0241C470D002088BEB18DFAAD94479DBBF2BF89300F14C169D418BB294EB755986CF24

Function 00DAC76C Relevance: 1.6, APIs: 1, Instructions: 62
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 00DAC8AE

Memory Dump Source

Source File: 00000004.00000002.4551367053.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_da0000_wrong bank details.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f1f92fb2074934c4f3a764e7874083fcfb81fa36a4513dab6c64918259558ada
Instruction ID: 647b82ba40f90e5ef3d196bb68e38e3a4bda4895c103af974a32992c87645435
Opcode Fuzzy Hash: f1f92fb2074934c4f3a764e7874083fcfb81fa36a4513dab6c64918259558ada
Instruction Fuzzy Hash: AB11AC74E102198FDB04DFA8D484BADB7F5FB89324F24A225E844A7251D774D842CB30

Function 04F48848 Relevance: .8, Instructions: 820
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.4553644945.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4f40000_wrong bank details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f18459a04fa0d5ec105996dbf969fbc11b3f10424816724396630aee38d6ea38
Instruction ID: b992ea8208533ae1d60a8d55e441f88f36c1447015f37d6e1d9b583dd6bd4a0c
Opcode Fuzzy Hash: f18459a04fa0d5ec105996dbf969fbc11b3f10424816724396630aee38d6ea38
Instruction Fuzzy Hash: B5722470A00219CFEB149FE4C850B9EBFB6EFC4300F1081A9D50AA73A5DE759E869F51

Function 04F465F1 Relevance: .2, Instructions: 226
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.4553644945.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4f40000_wrong bank details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eea5423d988f62740d321bfafefac4ea55b71d569c34ec96e75f9129d4f773bc
Instruction ID: 0073e2fee6733cf4bed13fc653c7824d14df01c44ccae3d95b64ca7e7679bcf7
Opcode Fuzzy Hash: eea5423d988f62740d321bfafefac4ea55b71d569c34ec96e75f9129d4f773bc
Instruction Fuzzy Hash: 86817C75F001058FEB14CFA9C884A6ABBB2BFCA314B158169D415DB365DF39F842CB90

Function 04F462A8 Relevance: .2, Instructions: 220
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.4553644945.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4f40000_wrong bank details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdfb76008b205b83dbb69a7af577b890bd1b5992b1091e7aec1c391b817d4d37
Instruction ID: 66136eb45f7d53e60a8640cd5a8b3e768db4bce041055dc9ee394a8a88b7b1c7
Opcode Fuzzy Hash: bdfb76008b205b83dbb69a7af577b890bd1b5992b1091e7aec1c391b817d4d37
Instruction Fuzzy Hash: 0071A131B042518FEB159B78D89463E7BE2BBCA740B148469E506CB399EF38DC43CB91

Function 04F42508 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4553644945.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4f40000_wrong bank details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df0015dea626814bc3de6cda0d475372d33562feddb48e3a1a9d564b32f885a6
Instruction ID: ab5b994f64563a27c040cceabbbcbd85b727e9bf595b58941dac20de6e1a7d36
Opcode Fuzzy Hash: df0015dea626814bc3de6cda0d475372d33562feddb48e3a1a9d564b32f885a6
Instruction Fuzzy Hash: 7171B231F002199BDB15EFB4C8506AEBBF2AFC8740F14456AE405AB380DF30AD46CBA5

Function 04F484F8 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4553644945.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4f40000_wrong bank details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffebd1f4ee4681aab00c3add1b3e059f5aafaaa32aa2445c537ed2025eb64adc
Instruction ID: d6fd3c20733d319221b715fd53cf07ffd808e2f32d3b51f28934157c60f5b20e
Opcode Fuzzy Hash: ffebd1f4ee4681aab00c3add1b3e059f5aafaaa32aa2445c537ed2025eb64adc
Instruction Fuzzy Hash: 8B517339B141158FC794EF39D89896A7FE9BF8979430548AAE406CB361EF31EC02CB50

Function 04F46130 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4553644945.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4f40000_wrong bank details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ea3c2cc2db9695ea0c3f1dd47f2e4f05c6a25017b3b680b3ab8c083b0e3979e
Instruction ID: 94e77a5029e2505e82aa2fda885bad49807bda165a6539fca02c0b6f033a833a
Opcode Fuzzy Hash: 6ea3c2cc2db9695ea0c3f1dd47f2e4f05c6a25017b3b680b3ab8c083b0e3979e
Instruction Fuzzy Hash: DE51C031B042559FEB158F64D844BBA7FE2FBCA304F048969E845CB385DB38E902CB91

Function 04F444F0 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4553644945.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4f40000_wrong bank details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 393cdb5500e497bdd937e9d22bcf97f8ccc07b3be7d0e6b976336075999ac6d5
Instruction ID: 1672d8015484c9dc180636b618ccf7fa49bfbe929d3c01742df7d8fbe38cbca8
Opcode Fuzzy Hash: 393cdb5500e497bdd937e9d22bcf97f8ccc07b3be7d0e6b976336075999ac6d5
Instruction Fuzzy Hash: 75819074E412699FDB64DF69DC50BEDBBB2BB89300F1080EAD909A7254EB355E81CF40

Function 04F45F08 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4553644945.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4f40000_wrong bank details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ccf94ec68b12f7d939f5bd6054fe07d82d1924e189877c012d3f7a89c729d2b
Instruction ID: 1757e36f61018d927f4e421dc8088dae36843e325851380541aba9b0fe2b3a07
Opcode Fuzzy Hash: 7ccf94ec68b12f7d939f5bd6054fe07d82d1924e189877c012d3f7a89c729d2b
Instruction Fuzzy Hash: AE41FF357006018FE729AB39D854A6A7FE2EFC5310F0545ADE54ACB7A0EF68EC068791

Function 04F424F8 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4553644945.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4f40000_wrong bank details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcaef35c009fdc333ffd9ab4819e557f1447dff2823a58f152672036a7f9aa50
Instruction ID: 5c96d7b1e6dfa2868e1e926169c2cbca03f40bba846a3d2386d3aadbba65fbbd
Opcode Fuzzy Hash: dcaef35c009fdc333ffd9ab4819e557f1447dff2823a58f152672036a7f9aa50
Instruction Fuzzy Hash: FD414F71E012599BDB14DFA5C890AEEBBF5AFC8740F25816AE405B7240EF70A946CB90

Function 04F482F8 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4553644945.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4f40000_wrong bank details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bf98e9402fcd0217bf8620515eee93dc6538939e01bb93e5af67e97237edbf0
Instruction ID: a6a29a3bcb859ed5cc9dd983ebf80c421963bbc3cba6fe314a7f7bbecb104c50
Opcode Fuzzy Hash: 6bf98e9402fcd0217bf8620515eee93dc6538939e01bb93e5af67e97237edbf0
Instruction Fuzzy Hash: 8F414879B041159FCB15AF68D888ABE3BB1BF88350F104069F906CB3A1DB71ED52CB51

Function 04F45858 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4553644945.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4f40000_wrong bank details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6a642ff1773a6b3c0c6ace61b259be80152e6da491839dc1ba66ddee3c41755
Instruction ID: 14efa65b70e21f6c487c4b9db4cd3e23057ad1c91d49d4a43ce23dd1888517f5
Opcode Fuzzy Hash: d6a642ff1773a6b3c0c6ace61b259be80152e6da491839dc1ba66ddee3c41755
Instruction Fuzzy Hash: 3F41C531A05259EFCF01AFA8D8546BE3FA2EB88310F04445AF91987355DF38DA62DB60

Function 04F48729 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4553644945.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4f40000_wrong bank details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d34556c21aed8e906c8a340ba6ad4f1dccb62649adb1d2aaa9e9da30ef4fe6c
Instruction ID: 71ac67f6525b2f1e2e38ce536b4bb51d7243cd22c033f06fb54e916f693d619d
Opcode Fuzzy Hash: 0d34556c21aed8e906c8a340ba6ad4f1dccb62649adb1d2aaa9e9da30ef4fe6c
Instruction Fuzzy Hash: 85212738B052414BDB247B3A98A427D3E87AFC8794B14807AD905CB399EE79DC43E380

Function 04F48640 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4553644945.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4f40000_wrong bank details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbaab9790095d6152ea5d91fdef159e2734c137c111213c356f3cf5af50a0e92
Instruction ID: f46116cb5707bfc4edbc83a16959abb6b3698d1158c77a60f4a77bf96472cb8a
Opcode Fuzzy Hash: fbaab9790095d6152ea5d91fdef159e2734c137c111213c356f3cf5af50a0e92
Instruction Fuzzy Hash: 1A21A639B081558BC754EE669C9467B7FEAEBC5380B14482AE911CB344EF71EC129760

Function 00C7D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4551134310.0000000000C7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c7d000_wrong bank details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04bebf822e145d99656c5f75efde48a3c8f6b748b981156b02a234582eecb0b7
Instruction ID: f677648db3779c8294debddd16a2006b5d2c0205c458fd654ddcc767bfcbb52c
Opcode Fuzzy Hash: 04bebf822e145d99656c5f75efde48a3c8f6b748b981156b02a234582eecb0b7
Instruction Fuzzy Hash: A421DEB5604244EFDB14DF14D980B26BBB5FF84314F24C56DE90E4A292C77AD846CA62

Function 00C7D005 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4551134310.0000000000C7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c7d000_wrong bank details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f11ffdd52b214c89809a91d99fb876ff83ca4121dbc0426d004375cf6f04da29
Instruction ID: 01eaddc69d9b9af212e870cd0d3fb0d0ba9ffd843605a09945e1acd30995bc63
Opcode Fuzzy Hash: f11ffdd52b214c89809a91d99fb876ff83ca4121dbc0426d004375cf6f04da29
Instruction Fuzzy Hash: 14214B7150D3C09FC703CB24D990711BF71AF46214F29C5EBD8898F2A7C23A980ACB62

Function 04F426EA Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4553644945.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4f40000_wrong bank details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b781bd37d3257f3e6c4ae4b08e5985e79b5292d2f9e16a9823c6109c3c69610
Instruction ID: ebe350033444275bfaa5d26ba7c3851c7b432fbcc389c24a253bb28a1ea441c1
Opcode Fuzzy Hash: 2b781bd37d3257f3e6c4ae4b08e5985e79b5292d2f9e16a9823c6109c3c69610
Instruction Fuzzy Hash: 1A112632B083985FDB066F7458206AE3FA3AFCA250B0448ABE505DB392DE344D0687A5

Function 04F42270 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4553644945.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4f40000_wrong bank details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bd84d85c722df93e155a0313dfb820db281b5228a9da3674738021acd27220b
Instruction ID: 223356ede368a7e9456198d564874b29c36e639ffe42706ceb7514031c1c2af1
Opcode Fuzzy Hash: 3bd84d85c722df93e155a0313dfb820db281b5228a9da3674738021acd27220b
Instruction Fuzzy Hash: AE1126B2800349DFDB10CF99D944BEEBFF4EB48320F158459EA18A7250D779A550DFA1

Function 04F41EB9 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4553644945.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4f40000_wrong bank details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 258991a72b8de3fb9839a6555ffcea0adb33e62a1e65f5e88b3419937a540027
Instruction ID: 65e862c063bcbae18f6dcdbb8616253b41c5ffa6598c11fdceddeccefcfb6f30
Opcode Fuzzy Hash: 258991a72b8de3fb9839a6555ffcea0adb33e62a1e65f5e88b3419937a540027
Instruction Fuzzy Hash: A8110039F402598FDB00DFF8D954BAEBBF5AB88311F009161E858E7355EB71A9838B50

Function 04F45EF8 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4553644945.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4f40000_wrong bank details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 218fff4c4e8437491f816cf34e4db241049634637cee5faaedcc045b8e85eb20
Instruction ID: 2fb3caa4bd8861699aa71e51d9f5e04ea576faebb8e799c9c7e726f3f66af0ab
Opcode Fuzzy Hash: 218fff4c4e8437491f816cf34e4db241049634637cee5faaedcc045b8e85eb20
Instruction Fuzzy Hash: 8C110630A00B418FD735AB2DC444B6ABFA2AFC0314F04965DD25A8B565EFB4F80A8792

Function 04F42990 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4553644945.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4f40000_wrong bank details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba52531ff2717ff0fdac81a91ec1c8e9bbb9cb310c2e8f2867ca7a080c705c6e
Instruction ID: 6be209a9616cc545730624918161a8e8ad224f2483a18066808ce1a673f64995
Opcode Fuzzy Hash: ba52531ff2717ff0fdac81a91ec1c8e9bbb9cb310c2e8f2867ca7a080c705c6e
Instruction Fuzzy Hash: 741167B6800249DFDB10CF99C944BDEBFF4EF48320F148459E518A7250D779A654DFA1

Function 04F460B0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4553644945.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4f40000_wrong bank details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51f3bd93b1f73c2d46368aeda93769a6b82b759d4503ce2b489380395b13d340
Instruction ID: 21a5d80409b051168960819df8f1a299435b8212c967da14d156c91eef824a87
Opcode Fuzzy Hash: 51f3bd93b1f73c2d46368aeda93769a6b82b759d4503ce2b489380395b13d340
Instruction Fuzzy Hash: 18018632B041286F9B059E599C10AAF3FDBDBC9B50F18802AF509D7284DE75DD1297A4

Function 04F460A0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4553644945.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4f40000_wrong bank details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eba88008631075937a73b7f84d4a455ef55cd3dd6ef4bab1ebfcb70801e1f6d1
Instruction ID: 4ca531de17a8cc82720c90b1b16451bfa42152459e1307d2b0d58c2905890c4f
Opcode Fuzzy Hash: eba88008631075937a73b7f84d4a455ef55cd3dd6ef4bab1ebfcb70801e1f6d1
Instruction Fuzzy Hash: 84012673A081586FDB028E949C40ADF3FA6DBC5740B08806AF504C7181EA358A1297A0

Function 04F468A1 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4553644945.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4f40000_wrong bank details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93fd17a53e1a55070da5ef40cf4bcc3e7cee12def28a4acdbe9e17803603e9b7
Instruction ID: 5a6c323315b0012f4ebae8c93e78ead337dca35cce6a711a94e5b8b04f25ec5e
Opcode Fuzzy Hash: 93fd17a53e1a55070da5ef40cf4bcc3e7cee12def28a4acdbe9e17803603e9b7
Instruction Fuzzy Hash: 3AD012719052598FD71AEB78ECC94643F72EA90700700969ED0055A4AFDEFC1A5F9740

Function 04F4947D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4553644945.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4f40000_wrong bank details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d382b23c85a6a59109d4470ba12842baf79699655183424e73323ff54532569
Instruction ID: 28f36ae2ceded45a74854d9a6bd567fc07cecf5f5350da9f07bd2fe6c6e247cd
Opcode Fuzzy Hash: 9d382b23c85a6a59109d4470ba12842baf79699655183424e73323ff54532569
Instruction Fuzzy Hash: 0ED0673AB401089FCB049F98E8909DDF7B6FB98621B148526E915E3264C7719925DB50

Function 04F468B0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4553644945.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4f40000_wrong bank details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c07ef10514e0f31abc3e9902eb35aa3c0e350618d81a2709b5c2381aa3f9d2b7
Instruction ID: 45f6e9fa74dfda57fd8ad90b524ec436329cd6938ac38c2b75890e9bd4c9808f
Opcode Fuzzy Hash: c07ef10514e0f31abc3e9902eb35aa3c0e350618d81a2709b5c2381aa3f9d2b7
Instruction Fuzzy Hash: 2AC012304043198ED509F779F8455253B9AE6C0700B409919A1091515DDFFC59565690

Non-executed Functions

Function 04F408F0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4553644945.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4f40000_wrong bank details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc37203a6c2977554d69062cea0acf92e4ff37accd42eb54a468a3a1abc426b7
Instruction ID: 269e6e3f4eb077837743090c823ec6a243ce7a40824fb2f1ffb1e9eb11e8d6fe
Opcode Fuzzy Hash: fc37203a6c2977554d69062cea0acf92e4ff37accd42eb54a468a3a1abc426b7
Instruction Fuzzy Hash: C8C1A174E01218CFDB54DFA9D944BADBBB2FF89300F2081A9D509AB355DB359A86CF10

Function 04F4E4D0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4553644945.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4f40000_wrong bank details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87afbb71081572874152f6ce0e3710533e95ec1988d4bd37c703cae263359212
Instruction ID: 02abb505b4c07ed9d73da263a1d547c5022149827dd74986a41326a420708f89
Opcode Fuzzy Hash: 87afbb71081572874152f6ce0e3710533e95ec1988d4bd37c703cae263359212
Instruction Fuzzy Hash: 8CC19274E01218CFEB54DFA9C984B9DBBB2FF89300F1081A9D409AB355DB359A86CF50

Function 04F4C0D8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4553644945.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4f40000_wrong bank details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a77258a3ecfe615e8f7dd3ea7c6bbd994bc2fcdd33cb2148eddf7775039ae893
Instruction ID: 661bdb8e159c3f895a6e217bdad9fe8cba4bcf175d3e6a8fb84de7a49fa24a72
Opcode Fuzzy Hash: a77258a3ecfe615e8f7dd3ea7c6bbd994bc2fcdd33cb2148eddf7775039ae893
Instruction Fuzzy Hash: 3DC1A174E01258CFDB54DFA9C984BADBBB2FF89300F1091A9D409AB355DB359A86CF10

Function 04F440A8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4553644945.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4f40000_wrong bank details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7523de9e17bf2dea2d515ba10f776d681dbbe7914594bbfebcdd24a8d6416585
Instruction ID: a6d9290ac9a776cf02bf133abf9fdf5335213daa8963e2d27e40f31b3c469c18
Opcode Fuzzy Hash: 7523de9e17bf2dea2d515ba10f776d681dbbe7914594bbfebcdd24a8d6416585
Instruction Fuzzy Hash: 65C19174E01218CFDB54DFA9C944BADBBB2FF89300F1491A9D409AB355DB359A86CF10

Function 04F40498 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4553644945.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4f40000_wrong bank details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d51a290514915256cf05ef927ad6246067edc3d80842c33babda6f4fea34c522
Instruction ID: f064f083b371d4e6ca0f5b65a7ae881a15ff943227f9a07506fab75f0c5906d4
Opcode Fuzzy Hash: d51a290514915256cf05ef927ad6246067edc3d80842c33babda6f4fea34c522
Instruction Fuzzy Hash: 57C1A174E01218CFDB54DFA9C944BADBBB2FF89300F1081A9D409AB355DB359A86CF50

Function 04F4BC80 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4553644945.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4f40000_wrong bank details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f10ad54fa50064f7cb66aea4df44bc84db7fdaa1874860627343ebb1c64b2f83
Instruction ID: 60ba3b6ea2bacfbf6723a39e6977fdf917fe613f4bba65f9417f46d81037f86a
Opcode Fuzzy Hash: f10ad54fa50064f7cb66aea4df44bc84db7fdaa1874860627343ebb1c64b2f83
Instruction Fuzzy Hash: 2EC1A274E01218CFEB54DFA9C944BADBBB2FF89300F1091A9D409AB355DB359A82CF50

Function 04F4E078 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4553644945.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4f40000_wrong bank details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41368c31bde22e372c813e60415fea1f28fbd1263286698ffc7324407bcd2f77
Instruction ID: 7272abe00987ffb0396e550b8ca29a345c8dd8470db6319c5499b0e3269f645c
Opcode Fuzzy Hash: 41368c31bde22e372c813e60415fea1f28fbd1263286698ffc7324407bcd2f77
Instruction Fuzzy Hash: 3FC19174E01218CFDB54DFA9C984BADBBB2FF89300F1091A9D409AB355DB359A86CF10

Function 04F43C50 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4553644945.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4f40000_wrong bank details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1101b0cc0552a31651cd877ad29fa680303f0f58f3e5f6fc74dd55e8b6eb8ee
Instruction ID: 4cc90e92bf98d1390116e4d781a3c9c2833ffe1613296dcea1b202d2341e8d66
Opcode Fuzzy Hash: e1101b0cc0552a31651cd877ad29fa680303f0f58f3e5f6fc74dd55e8b6eb8ee
Instruction Fuzzy Hash: 75C19174E01218CFDB54DFA9C944BADBBB2FF89300F1091A9D809AB355DB359A86CF50

Function 04F40040 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4553644945.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4f40000_wrong bank details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 864d28e52adc87d74c229d7372a16701419a6b1b954ced0eda7f7d35af4432fe
Instruction ID: 6567b5e3f77665c9bb334c11d5e487ec6d86a8647f25ec8948a4b4f3110f73d2
Opcode Fuzzy Hash: 864d28e52adc87d74c229d7372a16701419a6b1b954ced0eda7f7d35af4432fe
Instruction Fuzzy Hash: 75C1A174E01218CFDB54DFA9D944BADBBB2FF89300F1081A9D409AB365DB359A86CF10

Function 04F4DC20 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4553644945.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4f40000_wrong bank details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ed1387d0a005ade6e7deffa7257dbd64b56ec51fdc4d6185459a41c12ef0386
Instruction ID: 22a5f69ee24555be079950c9a020eb5c488e8cba8de2760c24f01961ff22db5b
Opcode Fuzzy Hash: 4ed1387d0a005ade6e7deffa7257dbd64b56ec51fdc4d6185459a41c12ef0386
Instruction Fuzzy Hash: 66C19274E01218CFDB54DFA9C984B9DBBB2FF89300F1091A9D409AB355DB359A86CF50

Function 04F4B828 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4553644945.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4f40000_wrong bank details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f2f1c0244cae43e389bc797486ace2ec62bde0cdcd9577e36f63a0429456aa8
Instruction ID: 40ac4347c7688585cc3572e677ec9267778f071f00e71597f1f063c395e6dd13
Opcode Fuzzy Hash: 6f2f1c0244cae43e389bc797486ace2ec62bde0cdcd9577e36f63a0429456aa8
Instruction Fuzzy Hash: 59C19274E01218CFDB54DFA5C984BADBBB2FF89300F1091A9D409AB355DB35AA86CF10

Function 04F4CDE0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4553644945.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4f40000_wrong bank details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdd16e7d6818b3b7d8cf9544e9c7a70614e5462414fe629ed3af5e345859b230
Instruction ID: 5d2321aa3e495648861badac6f3f23a7231cc65ab91b52b467be15652e4c124f
Opcode Fuzzy Hash: fdd16e7d6818b3b7d8cf9544e9c7a70614e5462414fe629ed3af5e345859b230
Instruction Fuzzy Hash: 69C19274E01218CFEB54DFA9C944B9DBBB2FF89300F1091A9D409AB355DB359A86CF50

Function 04F4F1D8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4553644945.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4f40000_wrong bank details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53ab05db33c5de088960d81833e092b958424c81ff4994495509c6fd39f32596
Instruction ID: b338d21305914d4838efc53868cced3d9ebdc9fb7c817f5ca66eacc6da80e1f3
Opcode Fuzzy Hash: 53ab05db33c5de088960d81833e092b958424c81ff4994495509c6fd39f32596
Instruction Fuzzy Hash: 3CC1A274E01218CFDB54DFA9C944B9DBBB2FF89300F1081A9D409AB355DB359A86CF60

Function 04F411A0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4553644945.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4f40000_wrong bank details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9ca31ceb78b29e0491636568c0a64213f921d462e356a0ae42976d24080077a
Instruction ID: 5445a982ddf61d24ac72476390c85dea438375424b4508f2b0275068e6d89538
Opcode Fuzzy Hash: b9ca31ceb78b29e0491636568c0a64213f921d462e356a0ae42976d24080077a
Instruction Fuzzy Hash: 2CC1A174E01218CFDB54DFA9D944BADBBB2FF89300F1081A9D409AB355DB359A86CF20

Function 04F4ED80 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4553644945.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4f40000_wrong bank details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e338919c1e2eaa823e1ed9f56c9c98c7fe74b93227dfa76c94c97272307b591
Instruction ID: 18619e28378a1fe4dfa08b582307da9b5e26cb633712f60dcb331d039eafba86
Opcode Fuzzy Hash: 3e338919c1e2eaa823e1ed9f56c9c98c7fe74b93227dfa76c94c97272307b591
Instruction Fuzzy Hash: 98C19274E01218CFEB54DFA9C944B9DBBB2FF89300F1091A9D409AB355DB359A86CF50

Function 04F4C988 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4553644945.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4f40000_wrong bank details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd4a28daa7f584a8258076d5010756b2f49d4f8612a13bfdb6f5a98b50be9b83
Instruction ID: bdcf67d1527d9ba0b491da9282227900bb33dceac0210b1f284427b4fb6dd4f3
Opcode Fuzzy Hash: cd4a28daa7f584a8258076d5010756b2f49d4f8612a13bfdb6f5a98b50be9b83
Instruction Fuzzy Hash: F3C1A174E01258CFDB54DFA9C984BADBBB2FF89300F1091A9D409AB355DB359A86CF10

Function 04F40D48 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4553644945.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4f40000_wrong bank details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a21d1b1db0ebea3ab32e6b676da0deeb0ea1dcf275fe42d53afede8f896a487
Instruction ID: 3ee3895391280526cb2c126b53aeed9e79e7318d19ef917861198274f9ac62a9
Opcode Fuzzy Hash: 3a21d1b1db0ebea3ab32e6b676da0deeb0ea1dcf275fe42d53afede8f896a487
Instruction Fuzzy Hash: FCC19074E01218CFDB54DFA9D954BADBBB2FF89300F1081A9D409AB355DB359A86CF20

Function 04F4C530 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4553644945.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4f40000_wrong bank details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d62d4244ea97dc23e3fb452a4ef615e678e93d1d64443acf241e91fd8a48594
Instruction ID: 0cc757be8d0f30092cb7ddc94f66cb3a7dfca2bbfcf166ce07dc19cc0ce4595a
Opcode Fuzzy Hash: 7d62d4244ea97dc23e3fb452a4ef615e678e93d1d64443acf241e91fd8a48594
Instruction Fuzzy Hash: 8CC1A274E01258CFDB54DFA9C944B9DBBB2FF89300F1091A9D409AB355DB355A82CF50

Function 04F4E928 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4553644945.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4f40000_wrong bank details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4e21e4699671d778c9a91665c0c435e7279e53ba02e0a704ce579868a7af295
Instruction ID: d987670b81a8b9429c2b18fe49dca77daf2def6a7c67f086a5aee491cace5e39
Opcode Fuzzy Hash: a4e21e4699671d778c9a91665c0c435e7279e53ba02e0a704ce579868a7af295
Instruction Fuzzy Hash: FBC1A174E01218CFDB54DFA9C984BADBBB2FF89300F1491A9D409AB355DB359A86CF10

Function 04F42AF0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4553644945.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4f40000_wrong bank details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cc34a1d7a5de60b1210655617f6c7f76acde6bada92c413a88020a3c2298733
Instruction ID: 35a223eb49de1135c6265c0d00c695c0a0a37b7f05a5c82617915efa414fe9ae
Opcode Fuzzy Hash: 8cc34a1d7a5de60b1210655617f6c7f76acde6bada92c413a88020a3c2298733
Instruction Fuzzy Hash: ACC19074E01218CFDB54DFA9C944BADBBB2EF89300F5081A9D409AB355DB359A86CF10

Function 04F4A6C8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4553644945.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4f40000_wrong bank details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89785e734c3d7ed47b5146291ae63d6ad70d3fcbd689c6a8aa5bc8fdfec24528
Instruction ID: b553046a21e5b072b69dcf263e526198788bf9251046102aba3547fb0d5ea150
Opcode Fuzzy Hash: 89785e734c3d7ed47b5146291ae63d6ad70d3fcbd689c6a8aa5bc8fdfec24528
Instruction Fuzzy Hash: 32C19174E01218CFEB54DFA5C984B9DBBB2FF89300F1491A9D409AB395DB355A86CF10

Function 04F4D690 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4553644945.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4f40000_wrong bank details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfbf4fac5686b5f36a9acb6eed78c9c10dfcbb437eabf5af9cad868590d31c63
Instruction ID: ba62d369e6aa896cd4f2a907395daa574a53d158fe933a420fd9b679da2bce6a
Opcode Fuzzy Hash: bfbf4fac5686b5f36a9acb6eed78c9c10dfcbb437eabf5af9cad868590d31c63
Instruction Fuzzy Hash: 76C19174E01218CFDB54DFA5D984BADBBB2FF89300F1091A9D409AB355DB359A86CF10

Function 04F4FA88 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4553644945.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4f40000_wrong bank details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51e5d35508a7a9f52401f2ad5af558faaf3d25cc024af2d880fb513c78ae3417
Instruction ID: 15104e6c7d1e738d23d17e339ffdefc69831650611c1b562d948cf6fdf6f10c0
Opcode Fuzzy Hash: 51e5d35508a7a9f52401f2ad5af558faaf3d25cc024af2d880fb513c78ae3417
Instruction Fuzzy Hash: 79C19174E01218CFDB54DFA9C944BADBBB2FF89300F1081A9D409AB355DB359A86CF60

Function 04F4A270 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4553644945.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4f40000_wrong bank details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac5877417cdca020b6f4ffa4c6ec0110b84c7e17272334fc49e721bdf69cb145
Instruction ID: d2a2acbac2233432f47053771ae84186d6dbf18ec1ef8aa5ce0a8ca979cbf1af
Opcode Fuzzy Hash: ac5877417cdca020b6f4ffa4c6ec0110b84c7e17272334fc49e721bdf69cb145
Instruction Fuzzy Hash: F1C19174E01218CFDB54DFA9C984BADBBB2FF89300F1091A9D409AB355DB359A86CF50

Function 04F4F630 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4553644945.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4f40000_wrong bank details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d2722c01be4ae896124b9a4556a8b82ae59bd560c65f2d17a18fbc50a47502a
Instruction ID: 9bfa2ed3cd9dc546126b01360d0330a9a1892476ea57d1c17daeef904c26cddc
Opcode Fuzzy Hash: 3d2722c01be4ae896124b9a4556a8b82ae59bd560c65f2d17a18fbc50a47502a
Instruction Fuzzy Hash: FBC19174E01218CFDB54DFA5C944B9DBBB2FF89300F1091A9D409AB395DB359A86CF60

Function 04F4D238 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4553644945.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4f40000_wrong bank details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 829910f131543316c0066092cb05691fedbaf54ee521b5d2e428f4fa6ec3d2fd
Instruction ID: 7f0167c4c953ee5d6abf53ce57d92316c91eab2cb905851ac0dd963e14d9ca5f
Opcode Fuzzy Hash: 829910f131543316c0066092cb05691fedbaf54ee521b5d2e428f4fa6ec3d2fd
Instruction Fuzzy Hash: 60C19174E01218CFEB54DFA5C984BADBBB2FF89300F1481A9D409AB355DB359A86CF10

Function 04F49E18 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4553644945.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4f40000_wrong bank details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b226c1a0713cf99aeab0c44b2019197e1dfaa73b79a520345a744baa874bbd32
Instruction ID: 6ab13848af58fa66cf3506ac3a4bebfd5d94028d9f933724071ace19e01180bc
Opcode Fuzzy Hash: b226c1a0713cf99aeab0c44b2019197e1dfaa73b79a520345a744baa874bbd32
Instruction Fuzzy Hash: 86C19174E01218CFEB54DFA9C954BADBBB2FF89300F1091A9D409AB355DB359A86CF10

Function 04F437F8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4553644945.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4f40000_wrong bank details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04a425bb93840634e259d7cddfbe9405b77a314b2f01cec9d37a17f4d5cd420b
Instruction ID: ea981afbd700cd619e1d574b175edb127c24c49fb80df9a581cd580075295664
Opcode Fuzzy Hash: 04a425bb93840634e259d7cddfbe9405b77a314b2f01cec9d37a17f4d5cd420b
Instruction Fuzzy Hash: 77C19174E01218CFDB54DFA9C944BADBBB2FF89300F1491A9D809AB355DB359A86CF10

Function 04F4B3D0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4553644945.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4f40000_wrong bank details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83c03a502d929fed2282d77159aead12122919821ae300311675eadaaf31d9c2
Instruction ID: fda3cffc166fdc1f6bacc88a7589905554f836db44b4f7999eb4fc14f13d938f
Opcode Fuzzy Hash: 83c03a502d929fed2282d77159aead12122919821ae300311675eadaaf31d9c2
Instruction Fuzzy Hash: 03C19274E01218CFDB54DFA5C994BADBBB2FF89300F1081A9D409AB355DB35AA86CF50

Function 04F433A0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4553644945.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4f40000_wrong bank details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65223c2631f1dc479fc5662de8c75a39119c219eb958507f3ca6f2bebc48414c
Instruction ID: 7d94667db84f05a441cbc445dfb4e39134e1c63f3c7e8b519a3a4a06c91f0dcf
Opcode Fuzzy Hash: 65223c2631f1dc479fc5662de8c75a39119c219eb958507f3ca6f2bebc48414c
Instruction Fuzzy Hash: 3BC19274E01218CFDB54DFA5C944BADBBB2FF89300F1091A9D809AB355DB359A86CF50

Function 04F4AF78 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4553644945.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4f40000_wrong bank details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8f95ba0c3f1be441c2748c6a5792b61a9f9d9de1d4504311b0126a21b99914b
Instruction ID: e79c2987dede46aa97cbc94e401633a0c477fc9d9e863a9762afa2a3855f7baf
Opcode Fuzzy Hash: c8f95ba0c3f1be441c2748c6a5792b61a9f9d9de1d4504311b0126a21b99914b
Instruction Fuzzy Hash: D2C19274E01218CFDB54DFA9C944BADBBB2FF89300F1491A9D409AB355DB35AA86CF10

Function 04F42F48 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4553644945.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4f40000_wrong bank details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b16e3a311aa0ed86791dc2aacbf89dd71fe7e745d86cf1b3205de06aa48fb4cc
Instruction ID: 8c05da1c6e99a25815f98540381e77ede803b57daa25be3dc67ce02da467dc25
Opcode Fuzzy Hash: b16e3a311aa0ed86791dc2aacbf89dd71fe7e745d86cf1b3205de06aa48fb4cc
Instruction Fuzzy Hash: DBC19274E01218CFDB54DFA9C944BADBBB2FF89300F1091A9D809AB355DB359A86CF10

Function 04F4AB20 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4553644945.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4f40000_wrong bank details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35672410396b1ff7f29a3d053b577e5d022abb4791d490448acb707f957458ee
Instruction ID: 91de5351f12d7406f72ab7f28ecb11e973327333b5d7ffa41de953c818f80986
Opcode Fuzzy Hash: 35672410396b1ff7f29a3d053b577e5d022abb4791d490448acb707f957458ee
Instruction Fuzzy Hash: 12C1A074E01218CFDB54DFA9C984BADBBB2FF89300F1091A9D409AB355DB359A86CF10

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report wrong bank details.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Telegram RAT

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\wrong bank details.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
wrong bank details.exe

Function 06CA5C7C Relevance: 1.7, APIs: 1, Instructions: 247
processCOMMON

Function 06CA5C88 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Function 023CAD48 Relevance: 1.7, APIs: 1, Instructions: 197
COMMON

Function 023C590C Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Function 023C44B0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 06CA59F8 Relevance: 1.6, APIs: 1, Instructions: 70
injectionCOMMON

Function 06CA5A00 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Function 023CD21C Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 06CA5AE8 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Function 06CA5860 Relevance: 1.6, APIs: 1, Instructions: 64
threadCOMMON

Function 023CD629 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Function 06CA5AF0 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Function 06CA5868 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Function 06CA5940 Relevance: 1.6, APIs: 1, Instructions: 53
memoryCOMMON

Function 06CA5938 Relevance: 1.6, APIs: 1, Instructions: 53
memoryCOMMON

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre