Edit tour

Windows Analysis Report
SlackSetup.exe

Overview

General Information

Sample name:	SlackSetup.exe
Analysis ID:	1528459
MD5:	ff5d2158365794b8a813e0373e717775
SHA1:	acd93c4264d6ece9124a6abc6bb01f1d52c6a293
SHA256:	29571343619ddedf7c469509730c46ee63e71804971c723fe5c53ca993d6aa8d
Infos:

Detection

Score:	36
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

Malicious sample detected (through community Yara rule)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

SlackSetup.exe (PID: 7260 cmdline: "C:\Users\user\Desktop\SlackSetup.exe" MD5: FF5D2158365794B8A813E0373E717775)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
SlackSetup.exe	INDICATOR_SUSPICIOUS_References_SecTools_B64Encoded	Detects executables referencing many base64-encoded IR and analysis tools names	ditekSHen	0x37ec:$s3: UHJvY2Vzc0hhY2tlcg 0x35e4:$s4: cHJvY2V4cA 0x35fe:$s5: cHJvY2V4cDY0 0x34d6:$s11: ZHVtcGNhcA 0x37ae:$s21: eDY0ZGJn 0x37c0:$s22: eDMyZGJn 0x3548:$s23: ZG5zcHk 0x34f0:$s24: ZGU0ZG90 0x3524:$s25: aWxzcHk 0x3758:$s27: aWRhNjQ

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: SlackSetup.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\SlackSetup.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SlackSetup.exe.log

Jump to behavior

Source: SlackSetup.exe

Static PE information: certificate valid

Source: unknown

HTTPS traffic detected: 104.21.50.84:443 -> 192.168.2.4:49735 version: TLS 1.2

Source: SlackSetup.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: D:\1\ConsoleApp5\obj\x86\Release\SlackSetup.pdb source: SlackSetup.exe

Source: global traffic

HTTP traffic detected: POST /lapi/lcheck.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: slack.meetingsvideoapp.comContent-Length: 65Expect: 100-continueConnection: Keep-Alive

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: slack.meetingsvideoapp.com

Source: unknown

HTTP traffic detected: POST /lapi/lcheck.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: slack.meetingsvideoapp.comContent-Length: 65Expect: 100-continueConnection: Keep-Alive

Source: SlackSetup.exe	String found in binary or memory: http://cevcsca2021.crl.certum.pl/cevcsca2021.crl0w
Source: SlackSetup.exe	String found in binary or memory: http://cevcsca2021.ocsp-certum.com07
Source: SlackSetup.exe	String found in binary or memory: http://crl.certum.pl/ctnca2.crl0l
Source: SlackSetup.exe	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: SlackSetup.exe	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: SlackSetup.exe	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: SlackSetup.exe	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: SlackSetup.exe	String found in binary or memory: http://repository.certum.pl/cevcsca2021.cer0
Source: SlackSetup.exe	String found in binary or memory: http://repository.certum.pl/ctnca2.cer09
Source: SlackSetup.exe, 00000000.00000002.1819694618.0000000008820000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SlackSetup.exe	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: SlackSetup.exe, 00000000.00000002.1819694618.0000000008836000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://slack.meetingsvideoapp.com
Source: SlackSetup.exe, 00000000.00000002.1819694618.0000000008836000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://slack.meetingsvideoapp.comd
Source: SlackSetup.exe	String found in binary or memory: http://subca.ocsp-certum.com02
Source: SlackSetup.exe	String found in binary or memory: http://www.certum.pl/CPS0
Source: SlackSetup.exe, 00000000.00000002.1819694618.000000000882A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://slack.meetingsvideoapp.com
Source: SlackSetup.exe, 00000000.00000002.1819694618.0000000008761000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://slack.meetingsvideoapp.com/lapi/lcheck.php
Source: SlackSetup.exe, 00000000.00000002.1819694618.0000000008761000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://slack.meetingsvideoapp.com/lapi/lcheck.phpT
Source: SlackSetup.exe	String found in binary or memory: https://www.certum.pl/CPS0
Source: SlackSetup.exe	String found in binary or memory: https://www.globalsign.com/repository/0

Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735

Source: unknown

HTTPS traffic detected: 104.21.50.84:443 -> 192.168.2.4:49735 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: SlackSetup.exe, type: SAMPLE

Matched rule: Detects executables referencing many base64-encoded IR and analysis tools names Author: ditekSHen

Source: C:\Users\user\Desktop\SlackSetup.exe	Code function: 0_2_085C3A20	0_2_085C3A20
Source: C:\Users\user\Desktop\SlackSetup.exe	Code function: 0_2_085C42F0	0_2_085C42F0
Source: C:\Users\user\Desktop\SlackSetup.exe	Code function: 0_2_085C36D8	0_2_085C36D8

Source: SlackSetup.exe, 00000000.00000002.1817379481.00000000069DE000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameclr.dllT vs SlackSetup.exe

Source: SlackSetup.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: SlackSetup.exe, type: SAMPLE

Matched rule: INDICATOR_SUSPICIOUS_References_SecTools_B64Encoded author = ditekSHen, description = Detects executables referencing many base64-encoded IR and analysis tools names

Source: classification engine

Classification label: sus36.winEXE@1/1@1/1

Source: C:\Users\user\Desktop\SlackSetup.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SlackSetup.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\SlackSetup.exe

Mutant created: NULL

Source: SlackSetup.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: SlackSetup.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\SlackSetup.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\SlackSetup.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\SlackSetup.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: SlackSetup.exe

Static PE information: certificate valid

Source: SlackSetup.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SlackSetup.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: SlackSetup.exe

Static file information: File size 99563784 > 1048576

Source: SlackSetup.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x5eefc00

Source: SlackSetup.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: SlackSetup.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: D:\1\ConsoleApp5\obj\x86\Release\SlackSetup.pdb source: SlackSetup.exe

Source: SlackSetup.exe

Static PE information: 0x8F4D00E2 [Fri Mar 9 06:06:26 2046 UTC]

Source: C:\Users\user\Desktop\SlackSetup.exe	Code function: 0_2_085C6988 push cs; retn 0006h	0_2_085C6C32
Source: C:\Users\user\Desktop\SlackSetup.exe	Code function: 0_2_085C6C30 push cs; retn 0006h	0_2_085C6C32
Source: C:\Users\user\Desktop\SlackSetup.exe	Code function: 0_2_085C308F pushfd ; ret	0_2_085C3091
Source: C:\Users\user\Desktop\SlackSetup.exe	Code function: 0_2_085C0545 push eax; ret	0_2_085C054A
Source: C:\Users\user\Desktop\SlackSetup.exe	Code function: 0_2_085C0D41 push ds; ret	0_2_085C0D42
Source: C:\Users\user\Desktop\SlackSetup.exe	Code function: 0_2_085C056B push edx; ret	0_2_085C057A
Source: C:\Users\user\Desktop\SlackSetup.exe	Code function: 0_2_085C059F push edx; ret	0_2_085C057A
Source: C:\Users\user\Desktop\SlackSetup.exe	Code function: 0_2_085C5AF0 push ebx; ret	0_2_085C5AFE
Source: C:\Users\user\Desktop\SlackSetup.exe	Code function: 0_2_085C2F37 push es; ret	0_2_085C2F38

Source: C:\Users\user\Desktop\SlackSetup.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SlackSetup.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\SlackSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\SlackSetup.exe	Memory allocated: 8580000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Memory allocated: 8760000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Memory allocated: A760000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\SlackSetup.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\SlackSetup.exe	Window / User API: threadDelayed 1006			Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Window / User API: threadDelayed 2288			Jump to behavior

Source: C:\Users\user\Desktop\SlackSetup.exe TID: 7392	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe TID: 7392	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe TID: 7416	Thread sleep count: 1006 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe TID: 7392	Thread sleep time: -99828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe TID: 7392	Thread sleep time: -99663s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe TID: 7424	Thread sleep count: 2288 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe TID: 7392	Thread sleep time: -99547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe TID: 7392	Thread sleep time: -99437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe TID: 7392	Thread sleep time: -99328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe TID: 7392	Thread sleep time: -99219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe TID: 7392	Thread sleep time: -99109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe TID: 7392	Thread sleep time: -99000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe TID: 7392	Thread sleep time: -98891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe TID: 7392	Thread sleep time: -98781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe TID: 7392	Thread sleep time: -98672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe TID: 7392	Thread sleep time: -98563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe TID: 7392	Thread sleep time: -98438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe TID: 7404	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe TID: 7364	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\SlackSetup.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_BIOS
Source: C:\Users\user\Desktop\SlackSetup.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_BaseBoard

Source: C:\Users\user\Desktop\SlackSetup.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Thread delayed: delay time: 99828	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Thread delayed: delay time: 99663	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Thread delayed: delay time: 99547	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Thread delayed: delay time: 99437	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Thread delayed: delay time: 99328	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Thread delayed: delay time: 99219	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Thread delayed: delay time: 99109	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Thread delayed: delay time: 99000	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Thread delayed: delay time: 98891	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Thread delayed: delay time: 98781	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Thread delayed: delay time: 98672	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Thread delayed: delay time: 98563	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Thread delayed: delay time: 98438	Jump to behavior
Source: C:\Users\user\Desktop\SlackSetup.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: SlackSetup.exe, 00000000.00000002.1819694618.0000000008761000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: SlackSetup.exe, 00000000.00000002.1819694618.0000000008761000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmwaret-^q
Source: SlackSetup.exe, 00000000.00000002.1817379481.0000000006A5B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\SlackSetup.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\SlackSetup.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\SlackSetup.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\SlackSetup.exe

Queries volume information: C:\Users\user\Desktop\SlackSetup.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\SlackSetup.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	22 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
https://www.certum.pl/CPS0	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://www.certum.pl/CPS0	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
slack.meetingsvideoapp.com	104.21.50.84	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://slack.meetingsvideoapp.com/lapi/lcheck.php	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://cevcsca2021.ocsp-certum.com07	SlackSetup.exe	false		unknown
http://slack.meetingsvideoapp.com	SlackSetup.exe, 00000000.00000002.1819694618.0000000008836000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://subca.ocsp-certum.com02	SlackSetup.exe	false		unknown
http://crl.certum.pl/ctnca2.crl0l	SlackSetup.exe	false		unknown
http://repository.certum.pl/ctnca2.cer09	SlackSetup.exe	false		unknown
https://slack.meetingsvideoapp.com	SlackSetup.exe, 00000000.00000002.1819694618.000000000882A000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://cevcsca2021.crl.certum.pl/cevcsca2021.crl0w	SlackSetup.exe	false		unknown
https://www.certum.pl/CPS0	SlackSetup.exe	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	SlackSetup.exe, 00000000.00000002.1819694618.0000000008820000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://slack.meetingsvideoapp.comd	SlackSetup.exe, 00000000.00000002.1819694618.0000000008836000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://repository.certum.pl/cevcsca2021.cer0	SlackSetup.exe	false		unknown
http://www.certum.pl/CPS0	SlackSetup.exe	false	URL Reputation: safe	unknown
https://slack.meetingsvideoapp.com/lapi/lcheck.phpT	SlackSetup.exe, 00000000.00000002.1819694618.0000000008761000.00000004.00000800.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.50.84	slack.meetingsvideoapp.com	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1528459
Start date and time:	2024-10-07 23:15:34 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 59s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SlackSetup.exe
Detection:	SUS
Classification:	sus36.winEXE@1/1@1/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 39 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target SlackSetup.exe, PID 7260 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: SlackSetup.exe

Simulations

Behavior and APIs

Time	Type	Description
17:16:37	API Interceptor	15x Sleep call for process: SlackSetup.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.50.84	https://fcg-cdn.exponea.com/webuyanycarusa/e/.eJzj4kmax2W7_tiF_21--auEFJLY-dbvOrX0UNLicNNt27-cr05VPbFxz7clV39wxWh9PVUrJZpRUlJQbKWvn1xcUJSfl5aqV1Cin2lYKpfy6KvzTUcrXi6m0mIh9tSKgvy81EQrbiA3V4g1NTcxM8dKFMhJFuJ3d_ZTCHENDlHQVXDOL6iMCtHXT8pPqdQvSUzKSdUvgbCL9EtSICLRRrGYgliUGcdCuSmZZfqJWTzxs1kVJ7_OmPTvYnc_AJnIWFE.CGgmGwr4slS8IA/click	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	EUYIlr7uUX.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.65.255.143
	SecuriteInfo.com.Win32.PWSX-gen.27846.23954.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	lihZ6gUU7V.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.21.53.8
	Bn7LPdQA1s.exe	Get hash	malicious	LummaC, Vidar	Browse	172.67.206.204
	https://www.dropbox.com/scl/fi/qo6796ed7hlrt0v8k9nr6/Patagonia-Health-Barcode-Scanner-Setup-2024.exe?rlkey=5bmndvx8124ztopqewiogbnlt&st=yvxpokhf&dl=0	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://dsdhie.org/dsjhem	Get hash	malicious	Unknown	Browse	188.114.96.3
	L-tron_Payroll.docx	Get hash	malicious	Unknown	Browse	104.17.25.14
	SecuriteInfo.com.Win32.PWSX-gen.19404.14810.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	https://communications-chamber-confidentiality-limitation.trycloudflare.com/spec/#bWNhcnR3cmlnaHRAY2hlbXVuZ2NhbmFsLmNvbQ==	Get hash	malicious	Unknown	Browse	104.16.231.132
	+18365366724753456-83736-10244688.html	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	EUYIlr7uUX.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.50.84
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.21.50.84
	T6l6gPxwQU.exe	Get hash	malicious	Unknown	Browse	104.21.50.84
	https://mailstat.us/tr/t/5w8u1qwlwl61e4h/1/https:/krediti.ca/#Y2FyYS5jJGNiZmxvb3JzaW5jLmNvbQ==	Get hash	malicious	Outlook Phishing, HTMLPhisher	Browse	104.21.50.84
	https://url.avanan.click/v2/r01/___https://www.tiktok.com/qnspdA7?fni=6cbb&qfsl=js&xhjsj=gnt_zwq&yfwljy=myyux:ddBBB.lttlqj.hfdzwq?v=frudxdkniljyAkC.sEd.frl___.YXAzOnNvdXRoZXJua2l0Y2hlbmFuZGdyaWxsOmE6bzo2MGY0ZmI3MTkzODQ4OWRiOGFlZjY2ODI4ODlkMDk3NDo3OmRlYjY6NjI5YzkxZjFmNmQ3ZjI1NWIxN2UwYTI5ZTNmZjcyMTQyNTg3NmZhMDQyOWZlMDI4MDhmODRlNWVhYWU3MjJhZDpoOlQ6VA#ZHN5aHJlQG9sZ29vbmlrLmNvbQ==	Get hash	malicious	Unknown	Browse	104.21.50.84
	SecuriteInfo.com.Win64.TrojanX-gen.22573.8055.exe	Get hash	malicious	Unknown	Browse	104.21.50.84
	Ref#0503711.exe	Get hash	malicious	AgentTesla	Browse	104.21.50.84
	scan_374783.js	Get hash	malicious	AgentTesla	Browse	104.21.50.84
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.21.50.84
	shipping.exe	Get hash	malicious	AgentTesla	Browse	104.21.50.84

Process:	C:\Users\user\Desktop\SlackSetup.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1275
Entropy (8bit):	5.35000234432459
Encrypted:	false
SSDEEP:	24:ML9E4KlKDE4KhKiKhwE4TyzsXE4qdKtKIE4oKNzKoZAE4KzeR:MxHKlYHKh3owHvH7tHo6hAHKzeR
MD5:	B83F2658AA37E03A5D14BB5EED09BE8E
SHA1:	55584234985AE61A6F94124C1AED2BF1891706FA
SHA-256:	375434A3737EBE91AB6BD9A4C9CAB1F34506FBB0155A904393928588CC365C6D
SHA-512:	75177F489A73EEBE495A15051C77E69BFA74DC8DB089ED46C0E3D72B080AE9CDDFB53E932121881CCC26F6536741F9EF6D4D7718C45BD42CC78964FF805388FA
Malicious:	false
Reputation:	low
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Net.Http, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Net.Http\bb5812ab3cec92427da8c5c696e5f731\System.Net.Http.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management\96012833bebd5f21714fc508603cda97\System.Management.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	4.600598153411856
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SlackSetup.exe
File size:	99'563'784 bytes
MD5:	ff5d2158365794b8a813e0373e717775
SHA1:	acd93c4264d6ece9124a6abc6bb01f1d52c6a293
SHA256:	29571343619ddedf7c469509730c46ee63e71804971c723fe5c53ca993d6aa8d
SHA512:	4895f983866c3d81961ca424a764294aa1c73b3213ed32b956aad1019ad35226c20ccbcec77ad5862506d0c58e9817979bab5145e8d5181f25727cea61b38326
SSDEEP:	768:ePfbyyv23cPR2JiqdTPzrvF/82ADYiU/FwHDHf/ckOC:MfdQ1TzrF/8tkiU/qjHV
TLSH:	7028AF62AD8D40DCCC19EE42408F985727DF58C384DEB8A6F07EDE758BBEA161B4D205
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....M...............0.................. ... ....@.. .......................`............`................................

File Icon


Icon Hash:	2d2e3797b32b2b99

Static PE Info

General

Entrypoint:	0x62f16ce
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x8F4D00E2 [Fri Mar 9 06:06:26 2046 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=Certum Extended Validation Code Signing 2021 CA, O=Asseco Data Systems S.A., C=PL
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	07/08/2024 10:33:40 07/08/2025 10:33:39
Subject Chain	CN="Yantai Guanlian Logistics Technology Co., Ltd.", O="Yantai Guanlian Logistics Technology Co., Ltd.", L=Yantai, S=Shandong, C=CN, SERIALNUMBER=91370611MA3TWX1N8R, OID.1.3.6.1.4.1.311.60.2.1.1=Yantai, OID.1.3.6.1.4.1.311.60.2.1.2=Shandong, OID.1.3.6.1.4.1.311.60.2.1.3=CN, OID.2.5.4.15=Private Organization
Version:	3
Thumbprint MD5:	C615A36DD609D46D0EE6CF8A35203ECB
Thumbprint SHA-1:	7D495C559D33D85A466ED3381FA96FA72F653E41
Thumbprint SHA-256:	82E19AF1EB7410A4575FCFB499FDBD2444559AFA95D4569C7620B5F88A06CBE2
Serial:	54E3B3305D1386C1172F1B8AB6FF6835

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
pop edx
dec edi
dec esi
inc ebp
pop ebp
imul esp, dword ptr [eax+55h], 05h
inc edi
bound ebx, dword ptr [esp+eax*2]
push ds
inc ebp
cmp eax, 131B1768h
push es
adc al, byte ptr [edx]
sbb byte ptr [eax+64h], dl
or ebx, dword ptr [ebx]
pop ebp
inc ebp
push ebx
sub esp, dword ptr [0903525Dh]
add ebx, dword ptr [473D570Bh]
adc byte ptr [edi+1Bh], al
push ebx
aas
and eax, 0A061B5Dh
or cl, byte ptr [edi]
or al, 41h
das
sbb ebx, dword ptr [ebx+54h]
add eax, 573E2042h
push ebp
adc byte ptr [eax+00h], al
femms
push esp
das
pop ds
add edx, dword ptr [ebp+0Ch]
push eax
cmp dword ptr [ebx+ecx], esi
sbb esi, dword ptr [0839071Dh]
inc esi
aas
sbb byte ptr [ebx], ch
push ebp
inc esp
inc ebp
sub esp, dword ptr [eax]
push edi
cmp dword ptr [esi+5Dh], edi
push edi
jne 00007F485C7E36C9h
pop es
adc byte ptr [edi+0Bh], bh
pop esi
cmp eax, 155A591Fh
sbb al, 22h
add eax, 1264510Ah
sbb eax, 7F3F6740h
pop edi
xor al, byte ptr [67566579h]
add eax, dword ptr [bx+62h]
inc ebp
cmp eax, 5F7C0D60h
xor bl, byte ptr [eax+eax+1Bh]
push ss
sbb dword ptr [edi+1Dh], edx
hint_nop dword ptr [edx+eax+40h]
sub al, 7Ch
pop ebx
pop ebx
sbb dword ptr [eax+00h], eax
hint_nop dword ptr [edi+2Ch]
pop ds
adc dl, byte ptr [ebp+1Dh]
push ebx
sub esp, dword ptr [1E035017h]
add byte ptr [ebx], bl
sbb dl, byte ptr [edi+65h]
sbb dl, byte ptr [ecx]
pop esp

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5ef167c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5ef2000	0xee0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x5ef1000	0x2908
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5ef4000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x5ef15fc	0x38	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x5eefba0	0x5eefc00	cf5fc249ba4c0fc528d07b9af13be0ba	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x5ef2000	0xee0	0x1000	edb1076e5f84d4e22995e7bae29667d6	False	0.390869140625	data	4.269504228657102	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x5ef4000	0xc	0x200	dca461aacb617786585372cbadc12f4c	False	0.044921875	MacBinary, Mon Feb 6 07:28:16 2040 INVALID date, modified Mon Feb 6 07:28:16 2040 "\357\005\014"	0.12227588125913882	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x5ef2100	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152	0.3935018050541516
RT_GROUP_ICON	0x5ef29b8	0x14	data	1.15
RT_VERSION	0x5ef29dc	0x304	data	0.4430051813471503
RT_MANIFEST	0x5ef2cf0	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 7, 2024 23:16:39.091181040 CEST	49735	443	192.168.2.4	104.21.50.84
Oct 7, 2024 23:16:39.091240883 CEST	443	49735	104.21.50.84	192.168.2.4
Oct 7, 2024 23:16:39.091315031 CEST	49735	443	192.168.2.4	104.21.50.84
Oct 7, 2024 23:16:39.106084108 CEST	49735	443	192.168.2.4	104.21.50.84
Oct 7, 2024 23:16:39.106120110 CEST	443	49735	104.21.50.84	192.168.2.4
Oct 7, 2024 23:16:39.575959921 CEST	443	49735	104.21.50.84	192.168.2.4
Oct 7, 2024 23:16:39.576205015 CEST	49735	443	192.168.2.4	104.21.50.84
Oct 7, 2024 23:16:39.586152077 CEST	49735	443	192.168.2.4	104.21.50.84
Oct 7, 2024 23:16:39.586179972 CEST	443	49735	104.21.50.84	192.168.2.4
Oct 7, 2024 23:16:39.586618900 CEST	443	49735	104.21.50.84	192.168.2.4
Oct 7, 2024 23:16:39.632741928 CEST	49735	443	192.168.2.4	104.21.50.84
Oct 7, 2024 23:16:39.675416946 CEST	443	49735	104.21.50.84	192.168.2.4
Oct 7, 2024 23:16:40.002733946 CEST	49735	443	192.168.2.4	104.21.50.84
Oct 7, 2024 23:16:40.002819061 CEST	443	49735	104.21.50.84	192.168.2.4
Oct 7, 2024 23:16:40.126688004 CEST	443	49735	104.21.50.84	192.168.2.4
Oct 7, 2024 23:16:40.170360088 CEST	49735	443	192.168.2.4	104.21.50.84
Oct 7, 2024 23:16:40.388498068 CEST	443	49735	104.21.50.84	192.168.2.4
Oct 7, 2024 23:16:40.388619900 CEST	443	49735	104.21.50.84	192.168.2.4
Oct 7, 2024 23:16:40.388776064 CEST	49735	443	192.168.2.4	104.21.50.84
Oct 7, 2024 23:16:40.395373106 CEST	49735	443	192.168.2.4	104.21.50.84

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 7, 2024 23:16:39.038433075 CEST	55008	53	192.168.2.4	1.1.1.1
Oct 7, 2024 23:16:39.052627087 CEST	53	55008	1.1.1.1	192.168.2.4
Oct 7, 2024 23:16:46.646675110 CEST	53	58710	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 7, 2024 23:16:39.038433075 CEST	192.168.2.4	1.1.1.1	0xa97	Standard query (0)	slack.meetingsvideoapp.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 7, 2024 23:16:39.052627087 CEST	1.1.1.1	192.168.2.4	0xa97	No error (0)	slack.meetingsvideoapp.com		104.21.50.84	A (IP address)	IN (0x0001)	false
Oct 7, 2024 23:16:39.052627087 CEST	1.1.1.1	192.168.2.4	0xa97	No error (0)	slack.meetingsvideoapp.com		172.67.203.162	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

slack.meetingsvideoapp.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49735	104.21.50.84	443	7260	C:\Users\user\Desktop\SlackSetup.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-07 21:16:39 UTC	183	OUT	POST /lapi/lcheck.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: slack.meetingsvideoapp.com Content-Length: 65 Expect: 100-continue Connection: Keep-Alive
2024-10-07 21:16:39 UTC	65	OUT	Data Raw: 64 74 3d 53 57 67 50 57 33 41 43 52 55 56 61 42 51 46 58 66 51 4e 52 53 41 70 37 41 77 70 25 32 46 44 46 35 4b 43 52 77 47 56 6e 4a 53 47 6c 42 57 66 6c 56 62 4d 77 39 51 52 31 6c 53 55 6b 51 34 Data Ascii: dt=SWgPW3ACRUVaBQFXfQNRSAp7Awp%2FDF5KCRwGVnJSGlBWflVbMw9QR1lSUkQ4
2024-10-07 21:16:40 UTC	25	IN	HTTP/1.1 100 Continue
2024-10-07 21:16:40 UTC	686	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 21:16:40 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kt6kktWtrYK7fuf6czQUjUXbRLBNNgtOjG7B%2FJbT38eFby0O23SGyqyR8DZsSfrtR%2Fi56%2FuQRSabk9PJGq%2BgwivlzzbhcYZnNYExe8ydppB6%2Fena1SO%2FEOmBsmOMjvGHtsIU56RjEn2CuaX0%2BQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cf0e9de7a41440e-EWR 57 SWgVHTNMEgEaC0YgIAFfUVQ5AUsv
2024-10-07 21:16:40 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	17:16:27
Start date:	07/10/2024
Path:	C:\Users\user\Desktop\SlackSetup.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SlackSetup.exe"
Imagebase:	0x570000
File size:	99'563'784 bytes
MD5 hash:	FF5D2158365794B8A813E0373E717775
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Function 085C3A20 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1819348499.00000000085C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85c0000_SlackSetup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22e10f5eeaf9f99696d4e28a7de521f10d858219260e652f97ceb224a764ecd7
Instruction ID: 80d1d92ebf0b7abf624011afd758c2d965c4a0d8582379c88a4b6ffab788be41
Opcode Fuzzy Hash: 22e10f5eeaf9f99696d4e28a7de521f10d858219260e652f97ceb224a764ecd7
Instruction Fuzzy Hash: 9EB11570E0021D8FDB14CFA9C8857EEBAF2BB88355F14852DD819A7394EB749846CF81

Function 085C42F0 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1819348499.00000000085C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85c0000_SlackSetup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ea55cc6ec8a5e29c14d6b6e7692f18bc81b65278934df5da4ac14087b5d639f
Instruction ID: e475d5a3e8612a9e110ec9a3772f36b37ae0409000500dc13f4eb8c7812842a4
Opcode Fuzzy Hash: 2ea55cc6ec8a5e29c14d6b6e7692f18bc81b65278934df5da4ac14087b5d639f
Instruction Fuzzy Hash: F1B15C70E002098FDB10CFE9D991B9DBBF2BF88715F24852DD419A7294EB749885CF85

Function 085C6988 Relevance: 5.2, Strings: 4, Instructions: 171COMMON

Download Yara Rule

Strings

xbq, xrefs: 085C6ABB
xbq, xrefs: 085C6B17
(bq, xrefs: 085C6BFE
(bq, xrefs: 085C6BD2

Memory Dump Source

Source File: 00000000.00000002.1819348499.00000000085C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85c0000_SlackSetup.jbxd

Similarity

API ID:
String ID: (bq$(bq$xbq$xbq
API String ID: 0-2582918839
Opcode ID: 1b39fcd95669d3a0138c764a5c4b4501c9ef4f17a8e68d70d523b6d51397dd41
Instruction ID: 795dd8d1db525acd09cc0bd53c36441f068d49501ee579db6c01cbf4edfe4cbc
Opcode Fuzzy Hash: 1b39fcd95669d3a0138c764a5c4b4501c9ef4f17a8e68d70d523b6d51397dd41
Instruction Fuzzy Hash: 56519F313002459FDB459F68C850B6E7BE2EF84315F14886DE81A9B3A5CF36ED42CB91

Function 085C4D08 Relevance: 1.5, Strings: 1, Instructions: 298COMMON

Download Yara Rule

Strings

+]q, xrefs: 085C4DF9

Memory Dump Source

Source File: 00000000.00000002.1819348499.00000000085C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85c0000_SlackSetup.jbxd

Similarity

API ID:
String ID: +]q
API String ID: 0-928041668
Opcode ID: d775dc00c11bef09b0a3cf2238af88c8981118bf0ad521615736c04a8625ed23
Instruction ID: f173e1166e3199d862a9f2f51bb3152695b88192a89bb2fcea0a9c6f5e989692
Opcode Fuzzy Hash: d775dc00c11bef09b0a3cf2238af88c8981118bf0ad521615736c04a8625ed23
Instruction Fuzzy Hash: 90C15935A00205CFDB05DFA8C494A9EBBF6BF89300F188569E405EB3A5DB70ED46CB91

Function 085C4880 Relevance: 1.5, Strings: 1, Instructions: 215COMMON

Download Yara Rule

Strings

c#, xrefs: 085C4B77

Memory Dump Source

Source File: 00000000.00000002.1819348499.00000000085C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85c0000_SlackSetup.jbxd

Similarity

API ID:
String ID: c#
API String ID: 0-143056266
Opcode ID: 6391bc76d9d0ed29ec35970513e87f1645d2c862cb4ddc2e91979d5b363b8994
Instruction ID: 2771c55947b64a75f54bde6881173b880f54f016f3e8281449995a1e086427f6
Opcode Fuzzy Hash: 6391bc76d9d0ed29ec35970513e87f1645d2c862cb4ddc2e91979d5b363b8994
Instruction Fuzzy Hash: 5F71DF35300358DFDF861B79D91472E3AAFEBC8710F10C82EE411A37A9CB7698859796

Function 085C487F Relevance: 1.4, Strings: 1, Instructions: 195COMMON

Download Yara Rule

Strings

c#, xrefs: 085C4B77

Memory Dump Source

Source File: 00000000.00000002.1819348499.00000000085C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85c0000_SlackSetup.jbxd

Similarity

API ID:
String ID: c#
API String ID: 0-143056266
Opcode ID: 19a2b8d8751f92e116446bcb82ef771aafc431226866348ac6630bc66f9e6706
Instruction ID: 7cce9ee5340546e7803d99fc56969eb12bdfc7bba3d85d068cccfac469b5d1f6
Opcode Fuzzy Hash: 19a2b8d8751f92e116446bcb82ef771aafc431226866348ac6630bc66f9e6706
Instruction Fuzzy Hash: CE61AE31300358DFDF861B69D91471E3AAFEBC8710F10882EE411A37A9CF769C956796

Function 085C0D68 Relevance: 1.4, Strings: 1, Instructions: 171COMMON

Download Yara Rule

Strings

cA, xrefs: 085C0F25

Memory Dump Source

Source File: 00000000.00000002.1819348499.00000000085C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85c0000_SlackSetup.jbxd

Similarity

API ID:
String ID: cA
API String ID: 0-2872761854
Opcode ID: 2860f61a017fffea38309bd263e9b670b0db043953261d55a17fd21edc1f7301
Instruction ID: afaf3c1bc158d2693e2e8c043726cfa91eb72d850a5e44d0464ab5d544c1c0f8
Opcode Fuzzy Hash: 2860f61a017fffea38309bd263e9b670b0db043953261d55a17fd21edc1f7301
Instruction Fuzzy Hash: 51518930700755DFCB54ABB9C954A6E7BA6BBC8605F10882CE406AB395EF35DC86CF81

Function 085C4D03 Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

+]q, xrefs: 085C4DF9

Memory Dump Source

Source File: 00000000.00000002.1819348499.00000000085C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85c0000_SlackSetup.jbxd

Similarity

API ID:
String ID: +]q
API String ID: 0-928041668
Opcode ID: ad30e51b1c87249e835391c48fc1862083cb4a0c106f1a52cbc0fd0b78feaa93
Instruction ID: b7da9098756f0be669522b126cc8593a1ec6c3ce4efb79c107521d09ade75c47
Opcode Fuzzy Hash: ad30e51b1c87249e835391c48fc1862083cb4a0c106f1a52cbc0fd0b78feaa93
Instruction Fuzzy Hash: 86518E35A00255CFCB05DFA8C494A9DBBF6FF89300F1484A9E406EB365EB71AD46CB91

Function 085C0D67 Relevance: 1.4, Strings: 1, Instructions: 138COMMON

Download Yara Rule

Strings

cA, xrefs: 085C0F25

Memory Dump Source

Source File: 00000000.00000002.1819348499.00000000085C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85c0000_SlackSetup.jbxd

Similarity

API ID:
String ID: cA
API String ID: 0-2872761854
Opcode ID: 3ed25f64aaa5bb0b6a35d75e64695fcfbd4150b8c27147116157d21e95a2b8cf
Instruction ID: 90fb950c08eef7d5751a85dd167787f6c974938f0740bc601c70d1324401118f
Opcode Fuzzy Hash: 3ed25f64aaa5bb0b6a35d75e64695fcfbd4150b8c27147116157d21e95a2b8cf
Instruction Fuzzy Hash: F941CE30700715DFCB54AFB5D95066EBAA6BBC8201F00892CE816AB395EF34DC86CF91

Function 085C6983 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

xbq, xrefs: 085C6ABB

Memory Dump Source

Source File: 00000000.00000002.1819348499.00000000085C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85c0000_SlackSetup.jbxd

Similarity

API ID:
String ID: xbq
API String ID: 0-73991425
Opcode ID: 9422aa57bbb4a0c51ac99d8990af169657d7b58f9df7a44fe2618d3779ce4301
Instruction ID: 9f3c3030e4dc1f1c29c0582414e604e167e325ce3a5572a398424c7b2adbfcea
Opcode Fuzzy Hash: 9422aa57bbb4a0c51ac99d8990af169657d7b58f9df7a44fe2618d3779ce4301
Instruction Fuzzy Hash: 4741AE313002419FDB459F64C850BAA7BE2FF85315F2485ADD85A8B3E2CA36EC82DB50

Function 085C3A1B Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1819348499.00000000085C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85c0000_SlackSetup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aac884871a27874591ed781ce077e048661b4b600f23f756ec95d10a3189b543
Instruction ID: 667a44f86cd540a08215a0890661de2941ec0c3a79020d1d6be1c1b1037cbc69
Opcode Fuzzy Hash: aac884871a27874591ed781ce077e048661b4b600f23f756ec95d10a3189b543
Instruction Fuzzy Hash: D3B11370E0021D8FDB10CFA8C8857EEBBB1BB88359F14852DD819A7394EB749846CF91

Function 085C42E5 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1819348499.00000000085C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85c0000_SlackSetup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8e6821eba0ccbf1de1105cce72775081957c323a76ba40f16f1a8142f3ab22d
Instruction ID: 0d0b5ab6cd8408c55d322b58f9567b7567abaacb73a127dfa558cebff484f35a
Opcode Fuzzy Hash: a8e6821eba0ccbf1de1105cce72775081957c323a76ba40f16f1a8142f3ab22d
Instruction Fuzzy Hash: A0B14B70E002098FDB10CFE9D991B9DBBF1BF88715F24852DE819A7254EB749885CF85

Function 085C405D Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1819348499.00000000085C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85c0000_SlackSetup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bae9da810712967ec9e645259d953730ffe6ad94ce230ea932b8932a0ffde310
Instruction ID: 14e2cab81e0564258c1e5175051302b6011c4c664338b8d38a030c1ce9a5059f
Opcode Fuzzy Hash: bae9da810712967ec9e645259d953730ffe6ad94ce230ea932b8932a0ffde310
Instruction Fuzzy Hash: 987134B0E002099FDF10CFA9C891B9EBBF2BF88355F14812DE459A7254EB749846CF95

Function 085C4068 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1819348499.00000000085C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85c0000_SlackSetup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a29e21e5c8728cffd435f22323b0c713f7c56e5517a7a0d280d5b83506ae7706
Instruction ID: 9346bc482d736f05d1c52ddd08a925da947671d3a849600bd3e79ed67c260319
Opcode Fuzzy Hash: a29e21e5c8728cffd435f22323b0c713f7c56e5517a7a0d280d5b83506ae7706
Instruction Fuzzy Hash: CB7136B0E002099FDF14CFA9C891B9EBBF2BF88355F14812DE459A7254EB749846CF85

Function 085C0A3F Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1819348499.00000000085C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85c0000_SlackSetup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ae6c08f3f04f3e5097d91e8124f62be7ff7821d91e53ca41a647db31b045889
Instruction ID: 93a988dcdbed5226f0a7196393cc5795e234a80dba1230da3ecda8a572f4e9e7
Opcode Fuzzy Hash: 6ae6c08f3f04f3e5097d91e8124f62be7ff7821d91e53ca41a647db31b045889
Instruction Fuzzy Hash: FD516770A00A51CFDB29CFA8D54469EBFF2BF48249B144A5EE486DB2A1D730D984CF10

Function 085C0723 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1819348499.00000000085C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85c0000_SlackSetup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22db935124313886177cadd37db2d5d3eefc38a7250f13b69980b678af4be410
Instruction ID: 5b857e7afa0cd9970b3d9fcf4b53d16f6e7b4b5bd788c923793ee1c0d71aa672
Opcode Fuzzy Hash: 22db935124313886177cadd37db2d5d3eefc38a7250f13b69980b678af4be410
Instruction Fuzzy Hash: BA31E02184F7E0AFD713AB785C655DA3FB49E53245B0A01DBE0C0CF0A3D4588A9DC7AA

Function 085C1B3F Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1819348499.00000000085C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85c0000_SlackSetup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c31b10a0e0297d1cfd5ab2b97a51355b36bfc2be7fe83837d044b2b0f6bac3f
Instruction ID: 2b278f544c67105d3168d4fab341c37f1cd3cc8a5e3fa6c76c1805ea14e92891
Opcode Fuzzy Hash: 3c31b10a0e0297d1cfd5ab2b97a51355b36bfc2be7fe83837d044b2b0f6bac3f
Instruction Fuzzy Hash: 1C41DFB0D002499FDB10DFA9C584ADEBFB5BF48314F108429E409AB254DB75A945CF94

Function 085C1B40 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1819348499.00000000085C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85c0000_SlackSetup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a5c4e893a5ac3968072e5e0d8c4bb567c23f7d16d376882fb0d24e91958a5b3
Instruction ID: 5f2f470c9cd64af9bdce3f4573338d1e238cfd8d23ca3f7a8f944e9055e77c5e
Opcode Fuzzy Hash: 7a5c4e893a5ac3968072e5e0d8c4bb567c23f7d16d376882fb0d24e91958a5b3
Instruction Fuzzy Hash: 3041DDB0D002499FDB10DFA9C584A9EBFB5BF48314F208429E809AB264DB75A945CF94

Function 085C642D Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1819348499.00000000085C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85c0000_SlackSetup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e3e0cb2c91a160f5d664a423891a33e476e8c04fb39bdf56346d553d2a38bd1
Instruction ID: 566341467a2996f8fecd3a158e23d47f66896b07b8a64bf9c2f22c84227d3b4f
Opcode Fuzzy Hash: 3e3e0cb2c91a160f5d664a423891a33e476e8c04fb39bdf56346d553d2a38bd1
Instruction Fuzzy Hash: 90310570D002599FDB14DFAAD594AEEBFF1BF48314F24802DE849AB254CB349945CF90

Function 085C07D3 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1819348499.00000000085C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85c0000_SlackSetup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23b951221f3c3507fdf4fefbb65fb91f53bd2a2b4f998c5acf4c7818a69459a5
Instruction ID: 19b57dd7618fab070baa4121f36ca78864d15fec6ce3605b216ea2b75e573567
Opcode Fuzzy Hash: 23b951221f3c3507fdf4fefbb65fb91f53bd2a2b4f998c5acf4c7818a69459a5
Instruction Fuzzy Hash: C121CE1284F7E06FD703AB7868755EA3FB49E43144B0A41DBE0C0CB0A3D4588A9CC7AA

Function 085C6438 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1819348499.00000000085C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85c0000_SlackSetup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bae14217fd8a19d39c66500be351f83fb8911a792e730547499767e91328953
Instruction ID: 98bc5d53a4032bc1ed84170b19bb4eb3824949a13e51ee3a050bf310110f5bb7
Opcode Fuzzy Hash: 4bae14217fd8a19d39c66500be351f83fb8911a792e730547499767e91328953
Instruction Fuzzy Hash: E93126B0D002599FCB14CFAAC584ADEBFF5BF48340F24802DE808AB254DB349945CFA0

Function 085C100D Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1819348499.00000000085C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85c0000_SlackSetup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4776a0892c0b40beb53d875cbcf4eae79a6dfcfd5b5f0b7587438a45a451ec9
Instruction ID: cfb2b27779ffa382e62f750b91ea73cbd5cb99df4cfecd682dcaa6b7e3f3b0d1
Opcode Fuzzy Hash: c4776a0892c0b40beb53d875cbcf4eae79a6dfcfd5b5f0b7587438a45a451ec9
Instruction Fuzzy Hash: DC317A30B40A66CFCB24EFB4D9546AE7BB2BF85646F10082CD406AB391DB399945CF81

Function 06C2D4CC Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1818517739.0000000006C2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c2d000_SlackSetup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8e09b691c64eea969b37a4b9dde11094de9ba4d9b404e1290a46cfcabd0134e
Instruction ID: 7e7a0fc02b184ffca412a54d8b9cb7e7949ae6c65847199da8a1244e3d313c9e
Opcode Fuzzy Hash: a8e09b691c64eea969b37a4b9dde11094de9ba4d9b404e1290a46cfcabd0134e
Instruction Fuzzy Hash: 0C2133B1904201DFDB05DF14D9C0B26BF65FFA8318F20C57DEC0A0A256C376E546CAA1

Function 085C0C30 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1819348499.00000000085C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85c0000_SlackSetup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca905f6082851bacaa632d0b9a521305b15972592074ff9aad669f49bb4e57a1
Instruction ID: 808787b1a381cea9fdfaee2db63ce7d246358c1c73dbee40e2b643e351adace5
Opcode Fuzzy Hash: ca905f6082851bacaa632d0b9a521305b15972592074ff9aad669f49bb4e57a1
Instruction Fuzzy Hash: E311E671742261AFEB152775880432E3F955F85A18F2484AED689CF3D2EE26C84387C6

Function 085C0C2F Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1819348499.00000000085C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85c0000_SlackSetup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8fa122cfacb38f86d538237d11a4f39827082a1d25ac93b8ae70c9b83df235f
Instruction ID: 2d29c3532bba8236e720f2e7adca21aa26dc6c186a8114fcd0ddd03c895f7c8d
Opcode Fuzzy Hash: c8fa122cfacb38f86d538237d11a4f39827082a1d25ac93b8ae70c9b83df235f
Instruction Fuzzy Hash: 0911E671742261AFD71527358C0471E3E955F85A18F24846ED689CB392EE26C84387C7

Function 085C0A47 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1819348499.00000000085C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85c0000_SlackSetup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6d12aa944f44b5779059ed7ca4994f13dd34fd2205ff0742bb63238d45b0aed
Instruction ID: dc11ad0131f34eb7119f21cbc3532201705fe55a41ba5858a76d76e7409b8cc6
Opcode Fuzzy Hash: c6d12aa944f44b5779059ed7ca4994f13dd34fd2205ff0742bb63238d45b0aed
Instruction Fuzzy Hash: C2114C31A00625DFDB289FA9D80469EBFF6FF48246B04466DE941E3250E7709954CFA1

Function 06C2D4C7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1818517739.0000000006C2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c2d000_SlackSetup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 85b5c96bae727da51b4eb2cb3332f006daa8b475cb3eb2edb4b20bf65e6d266d
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 7511AFB6904241CFDB06CF10D5C4B16BF62FB94314F24C6ADDC0A4B256C33AE55ACBA1

Function 06C2D7B5 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1818517739.0000000006C2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c2d000_SlackSetup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb56f18cba2d86d9bda4833f32b30c3387bbe62adb0061e9fa447d26e2aba6bd
Instruction ID: c6020bfe6d89cbcc542166cff717091d4cfb89510f0391635de95ccd0a7fe6d7
Opcode Fuzzy Hash: bb56f18cba2d86d9bda4833f32b30c3387bbe62adb0061e9fa447d26e2aba6bd
Instruction Fuzzy Hash: 5B01F7314083519EE7508E1ACD84767BFD8DF51724F08C46BED0A5A186C679E840C6F1

Function 085C0887 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1819348499.00000000085C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85c0000_SlackSetup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29f2f441c0501fd27f8c17b36173cf262872c468605ca2a8b0904dd9e198ba6a
Instruction ID: ea86779ad600411c93852178b55d73e5f81d569249cb9980fe06e7e399c1b3b5
Opcode Fuzzy Hash: 29f2f441c0501fd27f8c17b36173cf262872c468605ca2a8b0904dd9e198ba6a
Instruction Fuzzy Hash: 0DF06932D0061A96CB009AB9E8004DEF7BAEFC9310F168662E12177164EB74258AC7A1

Function 085C4C7B Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1819348499.00000000085C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85c0000_SlackSetup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2a0c7a1ee95c45aceeb69790e385ce77bcfe148299088b03f429aa428f93f4f
Instruction ID: 004cebe312667b93217a7f5417b06a3dfe686cee369cdf4c655ec7ec426315c7
Opcode Fuzzy Hash: b2a0c7a1ee95c45aceeb69790e385ce77bcfe148299088b03f429aa428f93f4f
Instruction Fuzzy Hash: 21F0E932E511099FCF14DB74C8669EFBFBAAF84300F45892AD502B7350DEB069068AD2

Function 085C4BFF Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1819348499.00000000085C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85c0000_SlackSetup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c44074f9a21e7b9d3b0f40a562b60ef702a12d7791cad17f7ac3b5df7fad5234
Instruction ID: 73dba9dbb63d0094cad2217745cffb6fea94c9b02b731afa124fd812b0f7cd25
Opcode Fuzzy Hash: c44074f9a21e7b9d3b0f40a562b60ef702a12d7791cad17f7ac3b5df7fad5234
Instruction Fuzzy Hash: 20F03C32D0160AA6CB00DBA9E9405DEB7BBEFD9310F654651E11077160EBB4268AC7A1

Function 085C4C00 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1819348499.00000000085C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85c0000_SlackSetup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6e58479d48d6bdae326d6ba9606dc53d739ec3fa36a33b88326d87a16700613
Instruction ID: 83d87bdb69d4f5eda6a5ba10ac9df639ed15d5b70e23b04cde270fe90678a402
Opcode Fuzzy Hash: b6e58479d48d6bdae326d6ba9606dc53d739ec3fa36a33b88326d87a16700613
Instruction Fuzzy Hash: A3F04F32D0160FA6CB00DBA9D9401DDF7BBEFD9310F654651E11077160EBB4268AC791

Function 06C2D7B4 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1818517739.0000000006C2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c2d000_SlackSetup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b4ff1677b016c2febba71d19ffa9b8ee62885af2c2e4e4c306e2e455f9e455a
Instruction ID: 4845754b61abc7a8f9fccf835f170654b80a9d56b8079690824075ed71f99434
Opcode Fuzzy Hash: 7b4ff1677b016c2febba71d19ffa9b8ee62885af2c2e4e4c306e2e455f9e455a
Instruction Fuzzy Hash: A2F0C271808340AAE7108E1ACC84BA2FFE8EF50724F18C45AED095F286C279A844CAB0

Function 085C0907 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1819348499.00000000085C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85c0000_SlackSetup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31767b160c21fd2d2f9e55b4455688f353baa133d214bb304e49e26cd7a23fc6
Instruction ID: f0b67b359e95f2fc6827363d9873f8bb3ffccbc2cd9dcbfc29f49f91a462e50b
Opcode Fuzzy Hash: 31767b160c21fd2d2f9e55b4455688f353baa133d214bb304e49e26cd7a23fc6
Instruction Fuzzy Hash: A5F0E972E101099BDF14DB74C455AEFBFBA9F84300F00852AD102B7280DE7069068AD2

Function 085C0908 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1819348499.00000000085C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85c0000_SlackSetup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e712c4a90a605741ec451aacacfd1a8f55479754c2e9424293263993ddb0b2c
Instruction ID: 7f5daa9203e7ac296d45088ba37d82cd84418354072bb7ba69d2489d17445e4f
Opcode Fuzzy Hash: 4e712c4a90a605741ec451aacacfd1a8f55479754c2e9424293263993ddb0b2c
Instruction Fuzzy Hash: E9F0E972E101099BDF04DB64C4556EFBFB69F84300F00852AD102B7280DE7069068AD2

Function 085C098F Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1819348499.00000000085C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85c0000_SlackSetup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cd04654cae8504e569117de8905d6aaf4c0604ff60db510a52390abcfe6f138
Instruction ID: 6abaf9094301c9adbf6488ee23e6e73f527b1abbef38d126f992c349ee9373de
Opcode Fuzzy Hash: 4cd04654cae8504e569117de8905d6aaf4c0604ff60db510a52390abcfe6f138
Instruction Fuzzy Hash: B4F06D71901249AFCB80EFB8E980A8DBBB6EB44301F1081A9C1059B325EB305A49DB82

Function 085C0990 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1819348499.00000000085C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85c0000_SlackSetup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e0d6d4e11b032bbe6b6861dc557c8b2421f2c876bb4fcb8b1b3f1719d7ff62a
Instruction ID: e14d3026c4355f4c528e5c69d097a6946cbc225b903ada3ac22470c1d714c27d
Opcode Fuzzy Hash: 0e0d6d4e11b032bbe6b6861dc557c8b2421f2c876bb4fcb8b1b3f1719d7ff62a
Instruction Fuzzy Hash: 25F01D719012599FCB84EFB8E990A8DBBB6EB44301F1081A9C5059B365EB305A49DB82

Function 085C0848 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1819348499.00000000085C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85c0000_SlackSetup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc1db411b3b24bb40271bdf2ff689ad2819edf0137208e3a0b1254d1281b7a03
Instruction ID: b6c71ae0c623b2c06be451f796384e56d07817100f2754c71b09c00207c10d0c
Opcode Fuzzy Hash: cc1db411b3b24bb40271bdf2ff689ad2819edf0137208e3a0b1254d1281b7a03
Instruction Fuzzy Hash: 39D01771905308AFDB01CFF8C50576DBBF9EB05281F608499E448D7245DA319E50CB91

Function 085C50C0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1819348499.00000000085C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85c0000_SlackSetup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f58fb5ace039455535bd7ab6c5a6c1a917294790a0da69c9ed61b762ea3b1db5
Instruction ID: 8fa386f83569c39df8c083c053a6fdd9ee953d59b4f4011ea43d93878b1ffc80
Opcode Fuzzy Hash: f58fb5ace039455535bd7ab6c5a6c1a917294790a0da69c9ed61b762ea3b1db5
Instruction Fuzzy Hash: A6E0923494420ACFDB14DFC9C4487ADBBB1BF48316F144469E101AB260EBB52A86CF90

Non-executed Functions

Function 085C36D8 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1819348499.00000000085C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85c0000_SlackSetup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49cd8fa1a58b7b25776b542dc821308e783e80ce99108e90e7a692c56a205801
Instruction ID: 984f976ffa98c0d869671eba33cd6ed24ca6b516f5a018f8ee2b870e42ca34f2
Opcode Fuzzy Hash: 49cd8fa1a58b7b25776b542dc821308e783e80ce99108e90e7a692c56a205801
Instruction Fuzzy Hash: 549125B0E002099FDB14CFA9C9857DDBBF2BB88315F14852DE409A7394EB749886CF81

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SlackSetup.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SlackSetup.exe.log

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Windows Analysis Report
SlackSetup.exe