Edit tour

Windows Analysis Report
Ljrfk7uRvO.exe

Overview

General Information

Sample name:	Ljrfk7uRvO.exe renamed because original name is a hash value
Original sample name:	8b92f9878021028541ee3ad507b2a08fb3884007cca9b659503693a41589eb22.exe
Analysis ID:	1542740
MD5:	e1a865386810fdd8cfe6724c251bc236
SHA1:	9eca601597cd96d337b5fed54b3943bed1a35137
SHA256:	8b92f9878021028541ee3ad507b2a08fb3884007cca9b659503693a41589eb22
Tags:	20-25-126-96exeuser-JAMESWT_MHT
Infos:

Detection

CobaltStrike, Metasploit

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected CobaltStrike

Yara detected Metasploit Payload

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found API chain indicative of debugger detection

Machine Learning detection for sample

AV process strings found (often used to terminate AV products)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains sections with non-standard names

Sample execution stops while process was sleeping (likely an evasion)

Suricata IDS alerts with low severity for network traffic

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

Ljrfk7uRvO.exe (PID: 5916 cmdline: "C:\Users\user\Desktop\Ljrfk7uRvO.exe" MD5: E1A865386810FDD8CFE6724C251BC236)

WerFault.exe (PID: 5920 cmdline: C:\Windows\system32\WerFault.exe -u -p 5916 -s 1112 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Cobalt Strike, CobaltStrike	Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit.The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.	APT 29 APT32 APT41 AQUATIC PANDA Anunak Cobalt Codoso CopyKittens DarkHydrus Earth Baxia FIN6 FIN7 Leviathan Mustang Panda Shell Crew Stone Panda TianWu UNC1878 UNC2452 Winnti Umbrella	http://blog.morphisec.com/new-global-attack-on-point-of-sale-systems http://blog.nsfocus.net/murenshark http://stillu.cc/assets/slides/2023-08-Unmasking%20CamoFei.pdf http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa http://www.secureworks.com/research/threat-profiles/gold-drake	https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike

Malware Configuration

Threatname: CobaltStrike

{"C2Server": "http://20.25.126.96:443/Sp6d", "User Agent": "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n"}

Threatname: Metasploit

{"Headers": "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n", "Type": "Metasploit Download", "URL": "http://20.25.126.96/Sp6d"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\ProgramData\Microsoft\Windows\WER\Temp\WER74FD.tmp.dmp	Windows_Trojan_Metasploit_7bc0f998	Identifies the API address lookup function leverage by metasploit shellcode	unknown	0x1d5b7:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61
C:\ProgramData\Microsoft\Windows\WER\Temp\WER74FD.tmp.dmp	Windows_Trojan_Metasploit_c9773203	Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.	unknown	0x1d623:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1881743168.00000000000D0000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
00000000.00000002.1881743168.00000000000D0000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000000.00000002.1881743168.00000000000D0000.00000020.00001000.00020000.00000000.sdmp	Windows_Trojan_Metasploit_7bc0f998	Identifies the API address lookup function leverage by metasploit shellcode	unknown	0x11:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61
00000000.00000002.1881743168.00000000000D0000.00000020.00001000.00020000.00000000.sdmp	Windows_Trojan_Metasploit_c9773203	Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.	unknown	0x7d:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1

Suricata Signatures

ET JA3 Hash - [Abuse.ch] Possible Dridex

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-26T09:11:25.427863+0200	2028765	3	Unknown Traffic	192.168.2.7	49703	20.25.126.96	443	TCP
2024-10-26T09:11:27.573446+0200	2028765	3	Unknown Traffic	192.168.2.7	49706	20.25.126.96	443	TCP
2024-10-26T09:11:29.775318+0200	2028765	3	Unknown Traffic	192.168.2.7	49709	20.25.126.96	443	TCP
2024-10-26T09:11:32.034352+0200	2028765	3	Unknown Traffic	192.168.2.7	49712	20.25.126.96	443	TCP
2024-10-26T09:11:34.164396+0200	2028765	3	Unknown Traffic	192.168.2.7	49715	20.25.126.96	443	TCP
2024-10-26T09:11:36.269551+0200	2028765	3	Unknown Traffic	192.168.2.7	49718	20.25.126.96	443	TCP
2024-10-26T09:11:38.400931+0200	2028765	3	Unknown Traffic	192.168.2.7	49721	20.25.126.96	443	TCP
2024-10-26T09:11:40.513252+0200	2028765	3	Unknown Traffic	192.168.2.7	49727	20.25.126.96	443	TCP
2024-10-26T09:11:42.651135+0200	2028765	3	Unknown Traffic	192.168.2.7	49732	20.25.126.96	443	TCP
2024-10-26T09:11:44.783807+0200	2028765	3	Unknown Traffic	192.168.2.7	49735	20.25.126.96	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Ljrfk7uRvO.exe

Avira: detected

Found malware configuration

Source: 00000000.00000002.1881743168.00000000000D0000.00000020.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: CobaltStrike {"C2Server": "http://20.25.126.96:443/Sp6d", "User Agent": "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n"}
Source: 00000000.00000002.1881743168.00000000000D0000.00000020.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: Metasploit {"Headers": "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n", "Type": "Metasploit Download", "URL": "http://20.25.126.96/Sp6d"}

Multi AV Scanner detection for submitted file

Source: Ljrfk7uRvO.exe

ReversingLabs: Detection: 86%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: Ljrfk7uRvO.exe

Joe Sandbox ML: detected

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://20.25.126.96:443/Sp6d
Source: Malware configuration extractor	URLs: http://20.25.126.96/Sp6d

Source: Joe Sandbox View

ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS MICROSOFT-CORP-MSN-AS-BLOCKUS

Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49703 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49706 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49712 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49709 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49727 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49718 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49715 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49721 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49735 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49732 -> 20.25.126.96:443

Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96

Source: Amcache.hve.6.dr	String found in binary or memory: http://upx.sf.net
Source: Ljrfk7uRvO.exe, 00000000.00000002.1881764104.0000000000164000.00000004.00000020.00020000.00000000.sdmp, Ljrfk7uRvO.exe, 00000000.00000002.1881764104.000000000018F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://20.25.126.96/
Source: Ljrfk7uRvO.exe, 00000000.00000003.1515452427.000000000018F000.00000004.00000020.00020000.00000000.sdmp, Ljrfk7uRvO.exe, 00000000.00000003.1526311294.000000000018F000.00000004.00000020.00020000.00000000.sdmp, Ljrfk7uRvO.exe, 00000000.00000003.1493593551.000000000018F000.00000004.00000020.00020000.00000000.sdmp, Ljrfk7uRvO.exe, 00000000.00000003.1482576326.000000000018F000.00000004.00000020.00020000.00000000.sdmp, Ljrfk7uRvO.exe, 00000000.00000003.1504828649.000000000018F000.00000004.00000020.00020000.00000000.sdmp, Ljrfk7uRvO.exe, 00000000.00000002.1881764104.000000000010C000.00000004.00000020.00020000.00000000.sdmp, Ljrfk7uRvO.exe, 00000000.00000002.1881764104.000000000018F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://20.25.126.96/Sp6d
Source: Ljrfk7uRvO.exe, 00000000.00000002.1881764104.000000000010C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://20.25.126.96/Sp6d$
Source: Ljrfk7uRvO.exe, 00000000.00000002.1881764104.000000000010C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://20.25.126.96/Sp6dSpace_G
Source: Ljrfk7uRvO.exe, 00000000.00000002.1881764104.000000000010C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://20.25.126.96/Sp6dbJ
Source: Ljrfk7uRvO.exe, 00000000.00000002.1881764104.0000000000164000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://20.25.126.96/chedvmbusRFCOMM
Source: Ljrfk7uRvO.exe, 00000000.00000002.1881764104.0000000000164000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://20.25.126.96/f
Source: Ljrfk7uRvO.exe, 00000000.00000002.1881764104.000000000018F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://20.25.126.96/k
Source: Ljrfk7uRvO.exe, 00000000.00000002.1881764104.000000000018F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://20.25.126.96/p
Source: Ljrfk7uRvO.exe, 00000000.00000002.1881764104.000000000018F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://20.25.126.96/p6d
Source: Ljrfk7uRvO.exe, 00000000.00000002.1881764104.0000000000164000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://20.25.126.96/t

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.1881743168.00000000000D0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 00000000.00000002.1881743168.00000000000D0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER74FD.tmp.dmp, type: DROPPED	Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER74FD.tmp.dmp, type: DROPPED	Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown

Source: C:\Users\user\Desktop\Ljrfk7uRvO.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5916 -s 1112

Source: 00000000.00000002.1881743168.00000000000D0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 00000000.00000002.1881743168.00000000000D0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER74FD.tmp.dmp, type: DROPPED	Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER74FD.tmp.dmp, type: DROPPED	Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.evad.winEXE@2/5@0/1

Source: C:\Windows\System32\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5916

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\bfe7b994-2b8f-4bf9-b957-a262dd8a2f4e

Jump to behavior

Source: Ljrfk7uRvO.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Ljrfk7uRvO.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Ljrfk7uRvO.exe

ReversingLabs: Detection: 86%

Source: unknown	Process created: C:\Users\user\Desktop\Ljrfk7uRvO.exe "C:\Users\user\Desktop\Ljrfk7uRvO.exe"
Source: C:\Users\user\Desktop\Ljrfk7uRvO.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5916 -s 1112

Source: C:\Users\user\Desktop\Ljrfk7uRvO.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ljrfk7uRvO.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ljrfk7uRvO.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ljrfk7uRvO.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ljrfk7uRvO.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ljrfk7uRvO.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ljrfk7uRvO.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ljrfk7uRvO.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ljrfk7uRvO.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ljrfk7uRvO.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ljrfk7uRvO.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ljrfk7uRvO.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ljrfk7uRvO.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ljrfk7uRvO.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ljrfk7uRvO.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ljrfk7uRvO.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ljrfk7uRvO.exe	Section loaded: schannel.dll	Jump to behavior

Source: C:\Users\user\Desktop\Ljrfk7uRvO.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: Ljrfk7uRvO.exe

Static PE information: section name: .xdata

Source: C:\Users\user\Desktop\Ljrfk7uRvO.exe	Code function: 0_2_000D012B push eax; ret		0_2_000D0387
Source: C:\Users\user\Desktop\Ljrfk7uRvO.exe	Code function: 0_2_000D0312 push eax; ret		0_2_000D0387

Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\Ljrfk7uRvO.exe TID: 5948	Thread sleep count: 170 > 30			Jump to behavior
Source: C:\Users\user\Desktop\Ljrfk7uRvO.exe TID: 5948	Thread sleep time: -1700000s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\Ljrfk7uRvO.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\Ljrfk7uRvO.exe	Last function: Thread delayed

Source: Amcache.hve.6.dr	Binary or memory string: VMware
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Ljrfk7uRvO.exe, 00000000.00000002.1881764104.000000000017E000.00000004.00000020.00020000.00000000.sdmp, Ljrfk7uRvO.exe, 00000000.00000002.1881764104.000000000010C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.6.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.6.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.6.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.6.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.6.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Ljrfk7uRvO.exe, 00000000.00000002.1881764104.000000000017E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@
Source: Amcache.hve.6.dr	Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: Amcache.hve.6.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Anti Debugging

Found API chain indicative of debugger detection

Source: C:\Users\user\Desktop\Ljrfk7uRvO.exe

Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep

graph_0-943

Source: C:\Users\user\Desktop\Ljrfk7uRvO.exe	Code function: 0_2_00401180 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_initterm,GetStartupInfoA,	0_2_00401180
Source: C:\Users\user\Desktop\Ljrfk7uRvO.exe	Code function: 0_2_00402F69 SetUnhandledExceptionFilter,	0_2_00402F69
Source: C:\Users\user\Desktop\Ljrfk7uRvO.exe	Code function: 0_2_00401A70 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	0_2_00401A70
Source: C:\Users\user\Desktop\Ljrfk7uRvO.exe	Code function: 0_2_004092E4 SetUnhandledExceptionFilter,	0_2_004092E4

Source: C:\Users\user\Desktop\Ljrfk7uRvO.exe

Code function: 0_2_00401630 CreateNamedPipeA,ConnectNamedPipe,WriteFile,CloseHandle,

0_2_00401630

Source: C:\Users\user\Desktop\Ljrfk7uRvO.exe

Code function: 0_2_00401990 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_00401990

Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: MsMpEng.exe

Remote Access Functionality

Yara detected CobaltStrike

Source: Yara match

File source: 00000000.00000002.1881743168.00000000000D0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected Metasploit Payload

Source: Yara match

File source: 00000000.00000002.1881743168.00000000000D0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	2 Process Injection	11 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	Data from Local System	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	2 Process Injection	LSASS Memory	111 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	11 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	11 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	2 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label
Ljrfk7uRvO.exe	87%	ReversingLabs	Win64.Backdoor.CobaltStrike
Ljrfk7uRvO.exe	100%	Avira	HEUR/AGEN.1345031
Ljrfk7uRvO.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://upx.sf.net	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://20.25.126.96/Sp6d	true		unknown
http://20.25.126.96:443/Sp6d	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://20.25.126.96/Sp6dbJ	Ljrfk7uRvO.exe, 00000000.00000002.1881764104.000000000010C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://20.25.126.96/Sp6d	Ljrfk7uRvO.exe, 00000000.00000003.1515452427.000000000018F000.00000004.00000020.00020000.00000000.sdmp, Ljrfk7uRvO.exe, 00000000.00000003.1526311294.000000000018F000.00000004.00000020.00020000.00000000.sdmp, Ljrfk7uRvO.exe, 00000000.00000003.1493593551.000000000018F000.00000004.00000020.00020000.00000000.sdmp, Ljrfk7uRvO.exe, 00000000.00000003.1482576326.000000000018F000.00000004.00000020.00020000.00000000.sdmp, Ljrfk7uRvO.exe, 00000000.00000003.1504828649.000000000018F000.00000004.00000020.00020000.00000000.sdmp, Ljrfk7uRvO.exe, 00000000.00000002.1881764104.000000000010C000.00000004.00000020.00020000.00000000.sdmp, Ljrfk7uRvO.exe, 00000000.00000002.1881764104.000000000018F000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://20.25.126.96/Sp6d$	Ljrfk7uRvO.exe, 00000000.00000002.1881764104.000000000010C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://20.25.126.96/Sp6dSpace_G	Ljrfk7uRvO.exe, 00000000.00000002.1881764104.000000000010C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://20.25.126.96/	Ljrfk7uRvO.exe, 00000000.00000002.1881764104.0000000000164000.00000004.00000020.00020000.00000000.sdmp, Ljrfk7uRvO.exe, 00000000.00000002.1881764104.000000000018F000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://20.25.126.96/p	Ljrfk7uRvO.exe, 00000000.00000002.1881764104.000000000018F000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://20.25.126.96/t	Ljrfk7uRvO.exe, 00000000.00000002.1881764104.0000000000164000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://upx.sf.net	Amcache.hve.6.dr	false	URL Reputation: safe	unknown
https://20.25.126.96/k	Ljrfk7uRvO.exe, 00000000.00000002.1881764104.000000000018F000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://20.25.126.96/chedvmbusRFCOMM	Ljrfk7uRvO.exe, 00000000.00000002.1881764104.0000000000164000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://20.25.126.96/p6d	Ljrfk7uRvO.exe, 00000000.00000002.1881764104.000000000018F000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://20.25.126.96/f	Ljrfk7uRvO.exe, 00000000.00000002.1881764104.0000000000164000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
20.25.126.96	unknown	United States		8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1542740
Start date and time:	2024-10-26 09:10:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 23s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Ljrfk7uRvO.exe renamed because original name is a hash value
Original Sample Name:	8b92f9878021028541ee3ad507b2a08fb3884007cca9b659503693a41589eb22.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@2/5@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 86% Number of executed functions: 7 Number of non-executed functions: 15
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.65.92
Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: Ljrfk7uRvO.exe

Simulations

Behavior and APIs

Time	Type	Description
03:11:22	API Interceptor	195x Sleep call for process: Ljrfk7uRvO.exe modified
03:12:05	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
MICROSOFT-CORP-MSN-AS-BLOCKUS	https://www.google.co.uk/url?q=38pQvvq6xRyj7Y00xDjnlx9kIHOSozurMOiaAkImPuQJnOIWtJjqJLi6stjtDz3yh&rct=tTPSrMOiaAkImPuQJnOIWtJjqJLi6stjtFX08pQvvq6xRyj7Y00xDjnlx9kIjusucT&sa=t&url=amp/taxigiarebienhoa.vn/nini/ybmex/captcha/Z3VsYW1yYXN1bC5jaGVwdXdhbGFAY2V2YWxvZ2lzdGljcy5jb20	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	13.107.246.60
	https://load.aberegg-immobilien.ch/	Get hash	malicious	HTMLPhisher	Browse	40.126.31.73
	la.bot.arm.elf	Get hash	malicious	Unknown	Browse	22.252.12.135
	la.bot.m68k.elf	Get hash	malicious	Unknown	Browse	20.57.78.10
	la.bot.sh4.elf	Get hash	malicious	Unknown	Browse	21.238.75.88
	la.bot.sh4.elf	Get hash	malicious	Unknown	Browse	40.99.246.89
	la.bot.mipsel.elf	Get hash	malicious	Unknown	Browse	22.36.15.81
	la.bot.powerpc.elf	Get hash	malicious	Unknown	Browse	22.23.166.67
	la.bot.mips.elf	Get hash	malicious	Unknown	Browse	20.189.202.203
	la.bot.m68k.elf	Get hash	malicious	Unknown	Browse	20.253.255.210

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Ljrfk7uRvO.exe_46e1d5682d2aaed3ce5311f53ec99cd11ab55ee5_0a3509db_6478054e-9102-4016-9df3-992504b8e67a\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8896411247310103
Encrypted:	false
SSDEEP:	96:SvuFREBUslhMoh7JfqQXIDcQWc6zcEZcw37dhT+HbHg/5jgOg0dl/phsv5o1OyW+:d4BUw0I3DUjZ7yzuiFCZ24lO8S
MD5:	70EBBB3FC981490BEA3ECD2332644314
SHA1:	B36CAEE8D9029E52AD46CA986FE54B3C1C2DEA46
SHA-256:	2F1E791469A87839F142903593D80484C0A65446688F350A47483CE95A44D590
SHA-512:	F8C8F7B9E5AF0749B67C5CF8EA02B38AB1A8E7983EFFC9E17916642E35EF488CADE85CA8E36880F39840506E05E046756E2430E8A1A33135168135DEE77C427E
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.4.4.0.0.3.0.5.2.6.6.7.7.7.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.4.4.0.0.3.0.5.6.2.6.1.5.7.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.4.7.8.0.5.4.e.-.9.1.0.2.-.4.0.1.6.-.9.d.f.3.-.9.9.2.5.0.4.b.8.e.6.7.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.6.9.b.9.2.2.2.-.5.1.7.1.-.4.c.8.4.-.8.2.8.8.-.c.7.c.e.6.e.2.8.4.d.7.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.L.j.r.f.k.7.u.R.v.O...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.7.1.c.-.0.0.0.1.-.0.0.1.4.-.c.f.e.6.-.9.a.4.2.7.6.2.7.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.6.1.b.9.1.9.6.c.a.7.8.3.3.5.5.0.9.f.7.9.2.3.a.6.f.9.e.e.1.f.8.8.0.0.0.0.f.f.f.f.!.0.0.0.0.9.e.c.a.6.0.1.5.9.7.c.d.9.6.d.3.3.7.b.5.f.e.d.5.4.b.3.9.4.3.b.e.d.1.a.3.5.1.3.7.!.L.j.r.f.k.7.u.R.v.O...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.1.9.7.0././.0.1././.0.1.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER74FD.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Sat Oct 26 07:11:45 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	148478
Entropy (8bit):	1.3384797411052702
Encrypted:	false
SSDEEP:	768:hf2o2wGNPzLDNtJ/Ig/APQydIK3z71Nmz2fittJJRkP2fr:hL4eIymKD71Nmz2fittJJRkP2fr
MD5:	90A2A2ACD778448FB09B2EBA77F81C3A
SHA1:	10198C35F10CEB35F39001736FC8BF638AC119DF
SHA-256:	A39E8F5072AB6EB330A79067198AB0403F2A4A9641DC1B89240BDECFE918622B
SHA-512:	5CCFF3C767090E9BB3D781B856907968110BAEE83FFFE7404877DBACF8123D407D0846808AE2AFA0EAECA1C22425A57ACAB55CC183F0A4A6545B99FFA20B29CB
Malicious:	false
Yara Hits:	Rule: Windows_Trojan_Metasploit_7bc0f998, Description: Identifies the API address lookup function leverage by metasploit shellcode, Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER74FD.tmp.dmp, Author: unknown Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER74FD.tmp.dmp, Author: unknown
Reputation:	low
Preview:	MDMP..a..... .......1..g.........................................Z..........T.......8...........T............/..........................................................................................................eJ..............Lw......................T..............g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER759A.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8796
Entropy (8bit):	3.7069326538353247
Encrypted:	false
SSDEEP:	192:R6l7wVeJpkDK96YNk/fbgmfAmpD089bdt0f3/m:R6lXJpAQ6Y+XbgmfAqd+fO
MD5:	B90D49017ACF3D4879BF62EB7DFAB705
SHA1:	E9862062C02C835E3C65B3DB92DC2816E2401642
SHA-256:	9AEAF5F279F60589C8413F65EC10AC7325663829EA326908DDFBF4FB064D5A74
SHA-512:	D03FE0F9A51D602EE63E3EBD342E28E71B52E9B2B2B3AB8ACC55F5F012D5E1FCD77FA273A723A6CDEB1D8B2A5C89891833540CB43A95A8BD0BD37519A60C7E6C
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.9.1.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER75DA.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4685
Entropy (8bit):	4.488923446996072
Encrypted:	false
SSDEEP:	48:cvIwWl8zsI/Jg771I9P8WpW8VYlYm8M4Jkb4COKFWeyq85gVnONG3sU3LUhQd:uIjfSI7Y17VVJoxLSGr34hQd
MD5:	EE9BC143DCE5F229FEFA26D14AB4662E
SHA1:	5595CF1A9A536A1540851FA16C02E5E36227A9ED
SHA-256:	992215D2BE12C119ED2CC7E7E475CD65892B778D67D26C304460896C39F449E4
SHA-512:	27B91F04749E93E440DC6F81147D228FECB499BBE5FE7D56896AF48B5FE2A1FCB3E5EA33A378AF42FBC51ED14ABFBEA6C263E4046F69B256323549795959D73E
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="560054" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.416748870454769
Encrypted:	false
SSDEEP:	6144:ncifpi6ceLPL9skLmb0mkSWSPtaJG8nAgex285i2MMhA20X4WABlGuNS5+:ci58kSWIZBk2MM6AFBEo
MD5:	D83CEF64AFFD8DF7DF9246CD4F2EB112
SHA1:	4ACC3723CCF6C54142936A7AE89D2E2681D9BB4D
SHA-256:	C3BA1C059284FA865F9AAC9D0D801E1DAD0E3DF7E5513602090942884F99C285
SHA-512:	00FBE228E4C0F63F93DA6415BFE4FF71149E8C9E021D57ADA3446DBF61E888497159A79CD7175583EC869F13EE26C81CE2B911969D6308EEC852A5B8DE36A49C
Malicious:	false
Reputation:	low
Preview:	regfE...E....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm>..Pv'...............................................................................................................................................................................................................................................................................................................................................h.d........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit):	5.241464468454697
TrID:	Win64 Executable (generic) (12005/4) 74.80% Generic Win/DOS Executable (2004/3) 12.49% DOS Executable Generic (2002/1) 12.47% VXD Driver (31/22) 0.19% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:	Ljrfk7uRvO.exe
File size:	19'456 bytes
MD5:	e1a865386810fdd8cfe6724c251bc236
SHA1:	9eca601597cd96d337b5fed54b3943bed1a35137
SHA256:	8b92f9878021028541ee3ad507b2a08fb3884007cca9b659503693a41589eb22
SHA512:	bd44f655f5dd8d07735622f9035e83b78da6a634745a24327501400465ef892482236071826d7a37cfbae48af2883a0cd3c8c7f4739540ff1b33801b79f13c4b
SSDEEP:	192:0V7qaCF6Op1t2dobVXujRDcBaXWQjwOT/2JSbTRWF8qa1Dojjgi:mqaCF31cix+Dc4zjCSbYFF46gi
TLSH:	F292EA3FE71368E8C105D57845FB3733DCB13CB286A6A32E2724D6B42F105A46EAA910
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................./...."."...H................@............................................... ............................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4014c0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics:
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:	0x401ba0
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	147442e63270e287ed57d33257638324

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [00003FF5h]
mov dword ptr [eax], 00000001h
call 00007FAC28BF61EFh
call 00007FAC28BF59DAh
nop
nop
dec eax
add esp, 28h
ret
nop word ptr [eax+eax+00000000h]
nop dword ptr [eax]
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [00003FC5h]
mov dword ptr [eax], 00000000h
call 00007FAC28BF61BFh
call 00007FAC28BF59AAh
nop
nop
dec eax
add esp, 28h
ret
nop word ptr [eax+eax+00000000h]
nop dword ptr [eax]
dec eax
sub esp, 28h
call 00007FAC28BF7684h
dec eax
test eax, eax
sete al
movzx eax, al
neg eax
dec eax
add esp, 28h
ret
nop
nop
nop
nop
nop
nop
nop
dec eax
lea ecx, dword ptr [00000009h]
jmp 00007FAC28BF5D09h
nop dword ptr [eax+00h]
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
dec eax
jmp ecx
dec eax
arpl word ptr [00002AC2h], ax
test eax, eax
jle 00007FAC28BF5D58h
cmp dword ptr [00002ABBh], 00000000h
jle 00007FAC28BF5D4Fh
dec eax
mov edx, dword ptr [00007CFEh]
dec eax
mov dword ptr [ecx+eax], edx
dec eax
mov edx, dword ptr [00007CFBh]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x9000	0x8d8	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x6000	0x2b8	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x5060	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9224	0x1e8	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x20a8	0x2200	3040ba596609d0f7ba50ac030468b13e	False	0.5708869485294118	data	5.9208685532060095	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x4000	0x4f0	0x600	6d1a81d2a0c354f61e4c08017270e9e7	False	0.673828125	dBase III DBT, version number 0, next free block index 10, 1st item "\234\253\2477\207\024$\024\255m\271\236\342\264\342\262\222}\331\025\315\3030\0176\377\011\035Rm\025\240jW\260\266\255Xv\277\253\343\024L\364\234\010X\206\344:Z\221\247\017\007\324\204\024G\235\245\027\\333\375U"	5.938441229712016	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x5000	0x910	0xa00	b02c91451e7abad85f4a5bbe48fd6333	False	0.2421875	data	4.472912660223878	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.pdata	0x6000	0x2b8	0x400	ad5ec754cf0e204a3a3c39436081f3bc	False	0.380859375	data	2.9668653207491333	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.xdata	0x7000	0x238	0x400	6ce9e303fb86766d702ecb2b174cf348	False	0.2578125	data	2.6337753778508075	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.bss	0x8000	0x9d0	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x9000	0x8d8	0xa00	ec8dedb62953693cf02784f71f75d547	False	0.323828125	data	3.7083607069283806	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0xa000	0x68	0x200	52d79e9aecf5d5c3145d3ec54aa197a8	False	0.0703125	data	0.2709192282599745	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0xb000	0x10	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL

Import

KERNEL32.dll

CloseHandle, ConnectNamedPipe, CreateFileA, CreateNamedPipeA, CreateThread, DeleteCriticalSection, EnterCriticalSection, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetLastError, GetModuleHandleA, GetProcAddress, GetStartupInfoA, GetSystemTimeAsFileTime, GetTickCount, InitializeCriticalSection, LeaveCriticalSection, QueryPerformanceCounter, ReadFile, RtlAddFunctionTable, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, SetUnhandledExceptionFilter, Sleep, TerminateProcess, TlsGetValue, UnhandledExceptionFilter, VirtualAlloc, VirtualProtect, VirtualQuery, WriteFile

msvcrt.dll

__C_specific_handler, __getmainargs, __initenv, __iob_func, __lconv_init, __set_app_type, __setusermatherr, _acmdln, _amsg_exit, _cexit, _fmode, _initterm, _onexit, abort, calloc, exit, fprintf, free, fwrite, malloc, memcpy, signal, sprintf, strlen, strncmp, vfprintf

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-26T09:11:25.427863+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.7	49703	20.25.126.96	443	TCP
2024-10-26T09:11:27.573446+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.7	49706	20.25.126.96	443	TCP
2024-10-26T09:11:29.775318+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.7	49709	20.25.126.96	443	TCP
2024-10-26T09:11:32.034352+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.7	49712	20.25.126.96	443	TCP
2024-10-26T09:11:34.164396+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.7	49715	20.25.126.96	443	TCP
2024-10-26T09:11:36.269551+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.7	49718	20.25.126.96	443	TCP
2024-10-26T09:11:38.400931+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.7	49721	20.25.126.96	443	TCP
2024-10-26T09:11:40.513252+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.7	49727	20.25.126.96	443	TCP
2024-10-26T09:11:42.651135+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.7	49732	20.25.126.96	443	TCP
2024-10-26T09:11:44.783807+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.7	49735	20.25.126.96	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 26, 2024 09:11:24.347485065 CEST	49703	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:24.347515106 CEST	443	49703	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:24.347609043 CEST	49703	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:24.360912085 CEST	49703	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:24.360923052 CEST	443	49703	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:25.427726984 CEST	443	49703	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:25.427862883 CEST	49703	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:25.428028107 CEST	49703	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:25.428047895 CEST	443	49703	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:25.428662062 CEST	49704	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:25.428721905 CEST	443	49704	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:25.428802967 CEST	49704	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:25.429037094 CEST	49704	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:25.429054022 CEST	443	49704	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:26.486571074 CEST	443	49704	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:26.486833096 CEST	49704	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:26.486887932 CEST	49704	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:26.486915112 CEST	443	49704	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:26.487579107 CEST	49705	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:26.487634897 CEST	443	49705	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:26.487719059 CEST	49705	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:26.487885952 CEST	49705	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:26.487919092 CEST	443	49705	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:26.487973928 CEST	49705	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:26.495556116 CEST	49706	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:26.495594025 CEST	443	49706	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:26.495697021 CEST	49706	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:26.496076107 CEST	49706	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:26.496089935 CEST	443	49706	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:27.573246956 CEST	443	49706	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:27.573446035 CEST	49706	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:27.589557886 CEST	49706	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:27.589582920 CEST	443	49706	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:27.645404100 CEST	49707	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:27.645457983 CEST	443	49707	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:27.645535946 CEST	49707	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:27.645925045 CEST	49707	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:27.645942926 CEST	443	49707	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:28.712574005 CEST	443	49707	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:28.712678909 CEST	49707	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:28.712812901 CEST	49707	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:28.712831974 CEST	443	49707	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:28.715961933 CEST	49708	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:28.716017962 CEST	443	49708	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:28.716114044 CEST	49708	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:28.716204882 CEST	49708	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:28.716232061 CEST	443	49708	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:28.716270924 CEST	49708	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:28.717173100 CEST	49709	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:28.717210054 CEST	443	49709	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:28.717278004 CEST	49709	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:28.717515945 CEST	49709	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:28.717525959 CEST	443	49709	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:29.775165081 CEST	443	49709	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:29.775317907 CEST	49709	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:29.775398970 CEST	49709	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:29.775412083 CEST	443	49709	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:29.779630899 CEST	49710	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:29.779685020 CEST	443	49710	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:29.779774904 CEST	49710	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:29.780332088 CEST	49710	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:29.780364990 CEST	443	49710	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:30.842201948 CEST	443	49710	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:30.842298985 CEST	49710	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:30.861244917 CEST	49710	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:30.861290932 CEST	443	49710	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:30.945029020 CEST	49711	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:30.945075035 CEST	443	49711	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:30.945152044 CEST	49711	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:30.945280075 CEST	49711	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:30.945344925 CEST	443	49711	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:30.945406914 CEST	49711	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:30.985575914 CEST	49712	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:30.985620975 CEST	443	49712	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:30.985682011 CEST	49712	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:30.987669945 CEST	49712	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:30.987687111 CEST	443	49712	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:32.034229994 CEST	443	49712	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:32.034352064 CEST	49712	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:32.034440041 CEST	49712	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:32.034466982 CEST	443	49712	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:32.035149097 CEST	49713	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:32.035171032 CEST	443	49713	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:32.035252094 CEST	49713	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:32.035475016 CEST	49713	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:32.035487890 CEST	443	49713	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:33.103915930 CEST	443	49713	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:33.104166985 CEST	49713	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:33.104166985 CEST	49713	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:33.104847908 CEST	49714	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:33.104898930 CEST	443	49714	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:33.104975939 CEST	49714	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:33.105093002 CEST	49714	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:33.105210066 CEST	443	49714	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:33.105269909 CEST	49714	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:33.106197119 CEST	49715	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:33.106262922 CEST	443	49715	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:33.106347084 CEST	49715	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:33.106687069 CEST	49715	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:33.106704950 CEST	443	49715	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:33.418685913 CEST	49713	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:33.418730974 CEST	443	49713	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:34.164303064 CEST	443	49715	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:34.164396048 CEST	49715	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:34.164522886 CEST	49715	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:34.164571047 CEST	443	49715	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:34.165323973 CEST	49716	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:34.165364981 CEST	443	49716	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:34.165432930 CEST	49716	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:34.165731907 CEST	49716	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:34.165745974 CEST	443	49716	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:35.215598106 CEST	443	49716	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:35.215722084 CEST	49716	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:35.215816975 CEST	49716	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:35.215826988 CEST	443	49716	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:35.216649055 CEST	49717	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:35.216691017 CEST	443	49717	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:35.216758013 CEST	49717	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:35.216845989 CEST	49717	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:35.216867924 CEST	443	49717	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:35.216929913 CEST	49717	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:35.217917919 CEST	49718	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:35.217945099 CEST	443	49718	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:35.217999935 CEST	49718	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:35.218261003 CEST	49718	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:35.218272924 CEST	443	49718	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:36.269315958 CEST	443	49718	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:36.269551039 CEST	49718	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:36.269771099 CEST	49718	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:36.269790888 CEST	443	49718	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:36.270736933 CEST	49719	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:36.270804882 CEST	443	49719	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:36.270912886 CEST	49719	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:36.271197081 CEST	49719	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:36.271213055 CEST	443	49719	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:37.335484028 CEST	443	49719	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:37.335628033 CEST	49719	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:37.351965904 CEST	49719	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:37.352026939 CEST	443	49719	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:37.352752924 CEST	49720	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:37.352788925 CEST	443	49720	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:37.352880955 CEST	49720	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:37.352941990 CEST	49720	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:37.353086948 CEST	443	49720	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:37.353144884 CEST	49720	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:37.355560064 CEST	49721	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:37.355616093 CEST	443	49721	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:37.355676889 CEST	49721	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:37.355902910 CEST	49721	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:37.355918884 CEST	443	49721	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:38.400852919 CEST	443	49721	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:38.400930882 CEST	49721	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:38.401042938 CEST	49721	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:38.401060104 CEST	443	49721	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:38.401768923 CEST	49723	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:38.401798010 CEST	443	49723	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:38.401873112 CEST	49723	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:38.402172089 CEST	49723	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:38.402185917 CEST	443	49723	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:39.445089102 CEST	443	49723	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:39.445166111 CEST	49723	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:39.445269108 CEST	49723	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:39.445290089 CEST	443	49723	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:39.445868015 CEST	49726	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:39.445914984 CEST	443	49726	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:39.445992947 CEST	49726	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:39.446156025 CEST	49726	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:39.446213961 CEST	443	49726	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:39.446309090 CEST	49726	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:39.447244883 CEST	49727	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:39.447283030 CEST	443	49727	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:39.447393894 CEST	49727	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:39.447643042 CEST	49727	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:39.447657108 CEST	443	49727	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:40.513101101 CEST	443	49727	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:40.513252020 CEST	49727	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:40.513289928 CEST	49727	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:40.513315916 CEST	443	49727	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:40.513863087 CEST	49730	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:40.513899088 CEST	443	49730	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:40.514061928 CEST	49730	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:40.514246941 CEST	49730	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:40.514262915 CEST	443	49730	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:41.563702106 CEST	443	49730	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:41.563853979 CEST	49730	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:41.564079046 CEST	49730	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:41.564096928 CEST	443	49730	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:41.564644098 CEST	49731	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:41.564681053 CEST	443	49731	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:41.564815998 CEST	49731	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:41.564949989 CEST	49731	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:41.564980984 CEST	443	49731	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:41.565120935 CEST	49731	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:41.566339970 CEST	49732	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:41.566389084 CEST	443	49732	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:41.566450119 CEST	49732	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:41.566875935 CEST	49732	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:41.566891909 CEST	443	49732	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:42.651056051 CEST	443	49732	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:42.651134968 CEST	49732	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:42.654162884 CEST	49732	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:42.654185057 CEST	443	49732	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:42.658229113 CEST	49733	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:42.658274889 CEST	443	49733	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:42.658348083 CEST	49733	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:42.665616989 CEST	49733	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:42.665632010 CEST	443	49733	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:43.708178997 CEST	443	49733	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:43.711437941 CEST	49733	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:43.711529016 CEST	49733	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:43.711549997 CEST	443	49733	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:43.712038040 CEST	49734	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:43.712101936 CEST	443	49734	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:43.715440989 CEST	49734	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:43.716020107 CEST	49734	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:43.716059923 CEST	443	49734	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:43.716119051 CEST	49734	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:43.718342066 CEST	49735	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:43.718369961 CEST	443	49735	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:43.718564987 CEST	49735	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:43.718791962 CEST	49735	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:43.718803883 CEST	443	49735	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:44.783668041 CEST	443	49735	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:44.783807039 CEST	49735	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:44.783896923 CEST	49735	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:44.783915043 CEST	443	49735	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:44.784646988 CEST	49736	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:44.784755945 CEST	443	49736	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:44.784847975 CEST	49736	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:44.785063028 CEST	49736	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:44.785100937 CEST	443	49736	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:45.839387894 CEST	443	49736	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:45.839500904 CEST	49736	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:45.839595079 CEST	49736	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:45.839622021 CEST	443	49736	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:45.840228081 CEST	49737	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:45.840272903 CEST	443	49737	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:45.840353966 CEST	49737	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:45.840445995 CEST	49737	443	192.168.2.7	20.25.126.96
Oct 26, 2024 09:11:45.840465069 CEST	443	49737	20.25.126.96	192.168.2.7
Oct 26, 2024 09:11:45.840512991 CEST	49737	443	192.168.2.7	20.25.126.96

Target ID:	0
Start time:	03:11:21
Start date:	26/10/2024
Path:	C:\Users\user\Desktop\Ljrfk7uRvO.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Ljrfk7uRvO.exe"
Imagebase:	0x400000
File size:	19'456 bytes
MD5 hash:	E1A865386810FDD8CFE6724C251BC236
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000000.00000002.1881743168.00000000000D0000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.1881743168.00000000000D0000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Metasploit_7bc0f998, Description: Identifies the API address lookup function leverage by metasploit shellcode, Source: 00000000.00000002.1881743168.00000000000D0000.00000020.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: 00000000.00000002.1881743168.00000000000D0000.00000020.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	03:11:45
Start date:	26/10/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 5916 -s 1112
Imagebase:	0x7ff755c30000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	12.6%
Dynamic/Decrypted Code Coverage:	0.9%
Signature Coverage:	14.3%
Total number of Nodes:	217
Total number of Limit Nodes:	6

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00401180 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 196
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 004011E6
SetUnhandledExceptionFilter.KERNEL32 ref: 00401258
malloc.MSVCRT ref: 00401322
strlen.MSVCRT ref: 00401345
malloc.MSVCRT ref: 00401351
memcpy.MSVCRT ref: 00401365
GetStartupInfoA.KERNEL32 ref: 00401463

Strings

@P@, xrefs: 00401231

Memory Dump Source

Source File: 00000000.00000002.1882022563.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1882000489.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1882044750.0000000000404000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1882068118.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1882091531.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ljrfk7uRvO.jbxd

Similarity

API ID: malloc$ExceptionFilterInfoSleepStartupUnhandledmemcpystrlen
String ID: @P@
API String ID: 649803965-1136412694
Opcode ID: b78087a4727109617a980b8b34e7f88b19eb7fde71d655465aeb3eeb3b98bcac
Instruction ID: 0837f65e99a2b31b617579b96e5607858f818787d00fb595da640d4b13c89ff1
Opcode Fuzzy Hash: b78087a4727109617a980b8b34e7f88b19eb7fde71d655465aeb3eeb3b98bcac
Instruction Fuzzy Hash: FB7199B2601B0486EB259F56E99476A33A1F745B88F84803BEF49773A1DF7CC884C748

Function 00401630 Relevance: 6.0, APIs: 4, Instructions: 50
pipefileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateNamedPipeA.KERNEL32 ref: 0040167C
ConnectNamedPipe.KERNEL32 ref: 00401699
WriteFile.KERNEL32 ref: 004016BC
CloseHandle.KERNEL32 ref: 004016C9

Memory Dump Source

Source File: 00000000.00000002.1882022563.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1882000489.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1882044750.0000000000404000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1882068118.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1882091531.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ljrfk7uRvO.jbxd

Similarity

API ID: NamedPipe$CloseConnectCreateFileHandleWrite
String ID:
API String ID: 2239253087-0
Opcode ID: c91bc22eb4ab6627967eacdcd294d58c4f35a533641819062c461ff4691d2373
Instruction ID: 792960597df4a3593b3ed71ec0f1f42691249fcecf88183cb5a5311cb3ffe816
Opcode Fuzzy Hash: c91bc22eb4ab6627967eacdcd294d58c4f35a533641819062c461ff4691d2373
Instruction Fuzzy Hash: 7311A57171464487E7208B12EC4871B7660B785BA4F588639EF59277E4DF7DC409CB08

Function 004017F8 Relevance: 22.8, APIs: 4, Strings: 9, Instructions: 54
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 004017B9
SleepEx.KERNELBASE ref: 004017CD

Part of subcall function 00401704: CreateFileA.KERNEL32 ref: 0040174D
Part of subcall function 00401704: ReadFile.KERNEL32 ref: 00401777
Part of subcall function 00401704: CloseHandle.KERNEL32 ref: 00401784

GetTickCount.KERNEL32 ref: 004017FC
CreateThread.KERNEL32 ref: 00401885

Strings

., xrefs: 00401841
i, xrefs: 00401829
%c%c%c%c%c%c%c%c%cMSSE-%d-server, xrefs: 0040185A
p, xrefs: 00401831
e, xrefs: 00401819
\, xrefs: 00401839
\, xrefs: 00401811
p, xrefs: 00401821
@@, xrefs: 004017AE

Memory Dump Source

Source File: 00000000.00000002.1882022563.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1882000489.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1882044750.0000000000404000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1882068118.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1882091531.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ljrfk7uRvO.jbxd

Similarity

API ID: CreateFile$CloseCountHandleReadSleepThreadTickmalloc
String ID: @@$%c%c%c%c%c%c%c%c%cMSSE-%d-server$.$\$\$e$i$p$p
API String ID: 3660650057-1020837823
Opcode ID: f49c4c9a7e10605904a6a10e00f2c520319c1cb0802325312295c4206e11c210
Instruction ID: b1b191c08856ce7a5ac3e1961f061f1fb3c952ac0291ac520aaac2e6cde2bc09
Opcode Fuzzy Hash: f49c4c9a7e10605904a6a10e00f2c520319c1cb0802325312295c4206e11c210
Instruction Fuzzy Hash: BB11E1B2214A80C6F714DF62F84975BBBA0F384749F44412ADB49277A8CB7CC445CF48

Function 00401595 Relevance: 4.5, APIs: 3, Instructions: 47
memorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32 ref: 004015BC
VirtualProtect.KERNEL32 ref: 004015F6
CreateThread.KERNEL32 ref: 0040161B

Memory Dump Source

Source File: 00000000.00000002.1882022563.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1882000489.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1882044750.0000000000404000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1882068118.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1882091531.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ljrfk7uRvO.jbxd

Similarity

API ID: Virtual$AllocCreateProtectThread
String ID:
API String ID: 3039780055-0
Opcode ID: 4aacca1e8eccfaf740ded84acdafb972c0e8b5e828dd24c9fd05ba3d77ec4f75
Instruction ID: a871edb487987511a762a7aedd3aa3d9a3b96542bc8ba466cbe2f33faf2e38cc
Opcode Fuzzy Hash: 4aacca1e8eccfaf740ded84acdafb972c0e8b5e828dd24c9fd05ba3d77ec4f75
Instruction Fuzzy Hash: 3D012B9231558051E7249B73AC08B9AAA91A38DBC9F48C139EF4B5BBA5DA3CC505C708

Function 00401704 Relevance: 4.5, APIs: 3, Instructions: 45
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNEL32 ref: 0040174D
ReadFile.KERNEL32 ref: 00401777
CloseHandle.KERNEL32 ref: 00401784

Memory Dump Source

Source File: 00000000.00000002.1882022563.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1882000489.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1882044750.0000000000404000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1882068118.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1882091531.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ljrfk7uRvO.jbxd

Similarity

API ID: File$CloseCreateHandleRead
String ID:
API String ID: 1035965006-0
Opcode ID: a9a6f3105b428fa11eb0a8b9509746e60382a865a5325daa86df34bad7210379
Instruction ID: 40b2c8f30f00ef97869f90130fa51706c158e82a26dd4cfec866ebc6162fc2d5
Opcode Fuzzy Hash: a9a6f3105b428fa11eb0a8b9509746e60382a865a5325daa86df34bad7210379
Instruction Fuzzy Hash: 2101F77531460186E7219B16F90471776A0B394BA4F648339EFA917BD4DB7DC50ACB08

Function 000D012B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 99
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HttpOpenRequestA.WININET(00000000,00000000,84C03200,00000000), ref: 000D0146

Strings

U.;, xrefs: 000D0141

Memory Dump Source

Source File: 00000000.00000002.1881743168.00000000000D0000.00000020.00001000.00020000.00000000.sdmp, Offset: 000D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d0000_Ljrfk7uRvO.jbxd

Yara matches

Similarity

API ID: HttpOpenRequest
String ID: U.;
API String ID: 1984915467-4213443877
Opcode ID: 384db265c013720a470dfad14405f5eea7b7aafc50a111f5be8b2763f8998fcb
Instruction ID: b043179f8e7ab60c6ca85c4edca9a9e742e03efe6a78e8fd4646591d42716523
Opcode Fuzzy Hash: 384db265c013720a470dfad14405f5eea7b7aafc50a111f5be8b2763f8998fcb
Instruction Fuzzy Hash: 6B116D6034890D1BF62C91AE7C5A73A21CAD7D8765F24812FB54EC33D6DC68CC82416A

Function 00403040 Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004017F8: malloc.MSVCRT ref: 004017B9
Part of subcall function 004017F8: SleepEx.KERNELBASE ref: 004017CD
Part of subcall function 004017F8: GetTickCount.KERNEL32 ref: 004017FC
Part of subcall function 004017F8: CreateThread.KERNEL32 ref: 00401885

SleepEx.KERNELBASE(?,?,?,004013B4), ref: 0040305D

Memory Dump Source

Source File: 00000000.00000002.1882022563.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1882000489.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1882044750.0000000000404000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1882068118.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1882091531.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ljrfk7uRvO.jbxd

Similarity

API ID: Sleep$CountCreateThreadTickmalloc
String ID:
API String ID: 345437100-0
Opcode ID: b6d36b54cf31cf0f426623e933f06735054b4a30bed8d9593c1a6858c86775c1
Instruction ID: 8364c3e29ff4e62ba415e97045e67fc6fb748e7a580f304519b0ce082c56ecd4
Opcode Fuzzy Hash: b6d36b54cf31cf0f426623e933f06735054b4a30bed8d9593c1a6858c86775c1
Instruction Fuzzy Hash: B4C022A030208880EF08B3B280AB32E0A080B08388F0C083FEF0B322E28C3CC000030E

Non-executed Functions

Function 00401A70 Relevance: 12.0, APIs: 8, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCaptureContext.KERNEL32 ref: 00401A84
RtlLookupFunctionEntry.KERNEL32 ref: 00401A9B
RtlVirtualUnwind.KERNEL32 ref: 00401ADD
SetUnhandledExceptionFilter.KERNEL32 ref: 00401B21
UnhandledExceptionFilter.KERNEL32 ref: 00401B2E
GetCurrentProcess.KERNEL32 ref: 00401B34
TerminateProcess.KERNEL32 ref: 00401B42
abort.MSVCRT ref: 00401B48

Memory Dump Source

Source File: 00000000.00000002.1882022563.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1882000489.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1882044750.0000000000404000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1882068118.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1882091531.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ljrfk7uRvO.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentEntryFunctionLookupTerminateUnwindVirtualabort
String ID:
API String ID: 4278921479-0
Opcode ID: 27e43dfa7ef0e7d63c314b0127c2fc61b110ad3033d9dc91a01dad9a926d3ef7
Instruction ID: cf336b0ec7d2cb6baae35a739632777ca23f94a65b3f666190a75c6fcbb7d788
Opcode Fuzzy Hash: 27e43dfa7ef0e7d63c314b0127c2fc61b110ad3033d9dc91a01dad9a926d3ef7
Instruction Fuzzy Hash: B5210FB5202F45E9EB009B61F98438A33B4BB08B88F40452ADF8E27775EF38C519C708

Function 00401990 Relevance: 7.6, APIs: 5, Instructions: 56
timethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 004019D5
GetCurrentProcessId.KERNEL32 ref: 004019E0
GetCurrentThreadId.KERNEL32 ref: 004019E8
GetTickCount.KERNEL32 ref: 004019F0
QueryPerformanceCounter.KERNEL32 ref: 004019FE

Memory Dump Source

Source File: 00000000.00000002.1882022563.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1882000489.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1882044750.0000000000404000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1882068118.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1882091531.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ljrfk7uRvO.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 180d7ae7fc5b59493381c36575e32c3318445472d573a77b1124f7da9349a765
Instruction ID: 088ae4e322ac71afa1741572681cd55a149c1471ea95f8004f9c9491386c013f
Opcode Fuzzy Hash: 180d7ae7fc5b59493381c36575e32c3318445472d573a77b1124f7da9349a765
Instruction Fuzzy Hash: AA1170A6756B1092FB209B25F90431973A0B788BF4F081A759F9D53BB4DA3CC986C708

Function 004092E4 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1882091531.0000000000409000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1882000489.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1882022563.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1882044750.0000000000404000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1882068118.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ljrfk7uRvO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89d9dc15cd2323b1969d31b34d058e400771375719eba9729399da7e2cb3c015
Instruction ID: 265011cb5c43256728371d0b914e7cb99591770fb7db1c99b981b3b74fc6fd5e
Opcode Fuzzy Hash: 89d9dc15cd2323b1969d31b34d058e400771375719eba9729399da7e2cb3c015
Instruction Fuzzy Hash: 40D017E780DBC05BD3134EB888B618B3F90B2A2E0030FC0BF96C0523DBA52C1C018B46

Function 00402F69 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1882022563.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1882000489.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1882044750.0000000000404000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1882068118.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1882091531.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ljrfk7uRvO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19992302b57e0ae1e896caf69d358159d2cdd7c295cfb7410856e5c68f34a958
Instruction ID: 82f505fb4451acb9e8d1e12f81e5a21f5fcc3540fe401e05c5c992db50528185
Opcode Fuzzy Hash: 19992302b57e0ae1e896caf69d358159d2cdd7c295cfb7410856e5c68f34a958
Instruction Fuzzy Hash: 62A0029244DD0290E3101B40D9413A07279D306240F0424A6421461072853D8520414C

Function 00401D50 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 185
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualQuery.KERNEL32 ref: 00401E69

Strings

VirtualQuery failed for %d bytes at address %p, xrefs: 00401FBB
Address %p has no image-section, xrefs: 00401DC0
Mingw-w64 runtime failure:, xrefs: 00401D88
VirtualProtect failed with code 0x%x, xrefs: 00401F56

Memory Dump Source

Source File: 00000000.00000002.1882022563.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1882000489.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1882044750.0000000000404000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1882068118.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1882091531.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ljrfk7uRvO.jbxd

Similarity

API ID: QueryVirtual
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 1804819252-1534286854
Opcode ID: eb96bce5aba28f4b7fd5428a67a7dc765e3f26f51d184c285f7c9c3ca2c1b9e4
Instruction ID: 10d76aa513752d408286ffc26ec959f6f169e193d9772deefbdc98a11bb0eab9
Opcode Fuzzy Hash: eb96bce5aba28f4b7fd5428a67a7dc765e3f26f51d184c285f7c9c3ca2c1b9e4
Instruction Fuzzy Hash: 2C51DFB2701B4086DB109F26E94475E77A1F799BA4F58423AEF98233E1EA3CC485C748

Function 004025E0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

signal.MSVCRT ref: 0040268A

Strings

CCG , xrefs: 004025F6

Memory Dump Source

Source File: 00000000.00000002.1882022563.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1882000489.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1882044750.0000000000404000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1882068118.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1882091531.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ljrfk7uRvO.jbxd

Similarity

API ID: signal
String ID: CCG
API String ID: 1946981877-1584390748
Opcode ID: 02ca0884ae1087a20c21e45c5c541f93375eef4ab3a09d0df9e107311897ccd7
Instruction ID: 8a37928041284c8a434aeccdd4db6f983c568c8f0cf3e4f2934023fa32f313ab
Opcode Fuzzy Hash: 02ca0884ae1087a20c21e45c5c541f93375eef4ab3a09d0df9e107311897ccd7
Instruction Fuzzy Hash: C321A171B0154146EE296279865D33B10019B9A374F284E379A3DA73E0DEFECCC2830E

Function 00401FD0 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 209
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Unknown pseudo relocation bit size %d., xrefs: 00402294
Unknown pseudo relocation protocol version %d., xrefs: 004022A8

Memory Dump Source

Source File: 00000000.00000002.1882022563.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1882000489.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1882044750.0000000000404000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1882068118.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1882091531.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ljrfk7uRvO.jbxd

Similarity

API ID:
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
API String ID: 0-395989641
Opcode ID: 8caf0c066df89f6cee4c07a50155e792156557ee52966e310dcb16b3cca200fb
Instruction ID: 42e0c3400c77c9dd47adb4fdb8995eb2357067ceb312bbd9be83e7c2f840df7f
Opcode Fuzzy Hash: 8caf0c066df89f6cee4c07a50155e792156557ee52966e310dcb16b3cca200fb
Instruction Fuzzy Hash: 6A712272B10B9486DF10CF61DA0875A7761FB58BA8F58862ADF08377E8DB7DC540CA08

Function 00401DC0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 109
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualQuery.KERNEL32 ref: 00401E69

Strings

VirtualQuery failed for %d bytes at address %p, xrefs: 00401FBB
Address %p has no image-section, xrefs: 00401DC0, 00401FA5

Memory Dump Source

Source File: 00000000.00000002.1882022563.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1882000489.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1882044750.0000000000404000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1882068118.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1882091531.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ljrfk7uRvO.jbxd

Similarity

API ID: QueryVirtual
String ID: VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
API String ID: 1804819252-157664173
Opcode ID: 24b42db9420a0036ba5551ca2cf6389df1f73159e8ba1386f4a30517d06c5471
Instruction ID: 52aafb0f448170306d42bca5540912cc2139dda9d14def77d71a33c16101a6f6
Opcode Fuzzy Hash: 24b42db9420a0036ba5551ca2cf6389df1f73159e8ba1386f4a30517d06c5471
Instruction Fuzzy Hash: 4B31E3B3702A4195EF118F12EA4175A3761BB95BA4F49413AEF4C273A1EF3CD486C788

Function 00401C40 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00401CC0

Strings

Unknown error, xrefs: 00401D2C
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00401CA7

Memory Dump Source

Source File: 00000000.00000002.1882022563.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1882000489.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1882044750.0000000000404000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1882068118.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1882091531.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ljrfk7uRvO.jbxd

Similarity

API ID: fprintf
String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-3474627141
Opcode ID: d6c75893a8b8cdba1cdccd7648c7c79805f69453ca37c984926281bf3413687d
Instruction ID: 8762e6e2ae6541d4c7c6524eaf70c560080aac858bcbb5099d5ba83032827fc6
Opcode Fuzzy Hash: d6c75893a8b8cdba1cdccd7648c7c79805f69453ca37c984926281bf3413687d
Instruction Fuzzy Hash: 1E016163D18F88C2D6018F18E8003AB7331FB6E749F259316EB8C3A565DB79D592C704

Function 00401CE0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00401CC0

Strings

Argument domain error (DOMAIN), xrefs: 00401CE0
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00401CA7

Memory Dump Source

Source File: 00000000.00000002.1882022563.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1882000489.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1882044750.0000000000404000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1882068118.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1882091531.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ljrfk7uRvO.jbxd

Similarity

API ID: fprintf
String ID: Argument domain error (DOMAIN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2713391170
Opcode ID: 1d2f049123975630175d9b48e20279646fed079e7b419bc05d7036498ca68734
Instruction ID: 8c7bf1553abe8d1c1cf5b10b417118f64097995adaaa4f0d994d3f7e231e07fb
Opcode Fuzzy Hash: 1d2f049123975630175d9b48e20279646fed079e7b419bc05d7036498ca68734
Instruction Fuzzy Hash: ECF06D62858E8882D2029F1CE4003AB7331FB9EB88F28531AEF8D3A155DB28D5828704

Function 00401CF0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00401CC0

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00401CA7
Partial loss of significance (PLOSS), xrefs: 00401CF0

Memory Dump Source

Source File: 00000000.00000002.1882022563.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1882000489.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1882044750.0000000000404000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1882068118.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1882091531.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ljrfk7uRvO.jbxd

Similarity

API ID: fprintf
String ID: Partial loss of significance (PLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4283191376
Opcode ID: 7751c0dc0e5f4d0d5a77e2b05341f0464b5ada29b978619af56a2b80f2ae8e47
Instruction ID: 5cd091db9141fe0e6e89e9efff11c316d26cc63b3b889972c32c6c159b948a40
Opcode Fuzzy Hash: 7751c0dc0e5f4d0d5a77e2b05341f0464b5ada29b978619af56a2b80f2ae8e47
Instruction Fuzzy Hash: C4F06262858E8882D2029F1CE4003AB7331FB5E788F245316EF8D3A555DB28D5828704

Function 00401D00 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00401CC0

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00401CA7
Overflow range error (OVERFLOW), xrefs: 00401D00

Memory Dump Source

Source File: 00000000.00000002.1882022563.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1882000489.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1882044750.0000000000404000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1882068118.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1882091531.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ljrfk7uRvO.jbxd

Similarity

API ID: fprintf
String ID: Overflow range error (OVERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4064033741
Opcode ID: 2da7071e0933fc8cd59be707335068b51f9eec2d662f944c6a91e8b8bb5ba5d0
Instruction ID: c612fb770c622c5d72669c3638e63aa4b2f428d8e56e9d424d6433c91b575293
Opcode Fuzzy Hash: 2da7071e0933fc8cd59be707335068b51f9eec2d662f944c6a91e8b8bb5ba5d0
Instruction Fuzzy Hash: 6FF01D62958E8882D2029F1DE4003AB7331FB9EB99F68531AEF8D3A555DB29D5828704

Function 00401D10 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00401CC0

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00401CA7
The result is too small to be represented (UNDERFLOW), xrefs: 00401D10

Memory Dump Source

Source File: 00000000.00000002.1882022563.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1882000489.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1882044750.0000000000404000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1882068118.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1882091531.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ljrfk7uRvO.jbxd

Similarity

API ID: fprintf
String ID: The result is too small to be represented (UNDERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2187435201
Opcode ID: 20ed77b3cd1f5ce30684c910d9c1ef4ed1bc2c10df881c0e026ae3cc509b1426
Instruction ID: abe9318e7ccd880ee09ac2f980ce11207d3172f5f88a25f0641f3127fee3ffee
Opcode Fuzzy Hash: 20ed77b3cd1f5ce30684c910d9c1ef4ed1bc2c10df881c0e026ae3cc509b1426
Instruction Fuzzy Hash: 77F06D62858E8882D2029F1DE4003AB7331FB9EB88F28531AEF8D3A155DB28D5828704

Function 00401D20 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00401CC0

Strings

Total loss of significance (TLOSS), xrefs: 00401D20
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00401CA7

Memory Dump Source

Source File: 00000000.00000002.1882022563.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1882000489.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1882044750.0000000000404000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1882068118.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1882091531.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ljrfk7uRvO.jbxd

Similarity

API ID: fprintf
String ID: Total loss of significance (TLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4273532761
Opcode ID: 2868899dc0ce06e4a194e0e488d1f1fc1f92f94880d84b2dd2216e23dea375c1
Instruction ID: 7a53e470b351231260d633d6082b1e766a8645853782131be27a1b39d9499402
Opcode Fuzzy Hash: 2868899dc0ce06e4a194e0e488d1f1fc1f92f94880d84b2dd2216e23dea375c1
Instruction Fuzzy Hash: 52F01262958E8882D2029F1DE4003AB7331FB9E799F245316EF8D3A555DB39D5828704

Function 00401C78 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00401CC0

Strings

Argument singularity (SIGN), xrefs: 00401C78
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00401CA7

Memory Dump Source

Source File: 00000000.00000002.1882022563.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1882000489.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1882044750.0000000000404000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1882068118.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1882091531.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ljrfk7uRvO.jbxd

Similarity

API ID: fprintf
String ID: Argument singularity (SIGN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2468659920
Opcode ID: bfa7157af2bfae74903953b95ccb901f8d552bd3022b870c14073aba30280489
Instruction ID: b6e0ecebc6e2091bb6bcdfd9ecb9f8b620cfa756c99f7cd1274eda0ebaf44184
Opcode Fuzzy Hash: bfa7157af2bfae74903953b95ccb901f8d552bd3022b870c14073aba30280489
Instruction Fuzzy Hash: CBF03062954F8882D202DF2DE4003AB7331FB5EB9DF649316EF8D3A555DB29D5828704

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Ljrfk7uRvO.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: CobaltStrike

Threatname: Metasploit

Yara Signatures

Dropped Files

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Ljrfk7uRvO.exe_46e1d5682d2aaed3ce5311f53ec99cd11ab55ee5_0a3509db_6478054e-9102-4016-9df3-992504b8e67a\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER74FD.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER759A.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER75DA.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Statistics

Windows Analysis Report
Ljrfk7uRvO.exe

Function 00401180 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 196
sleepstringCOMMON

Function 00401630 Relevance: 6.0, APIs: 4, Instructions: 50
pipefileCOMMON

Function 004017F8 Relevance: 22.8, APIs: 4, Strings: 9, Instructions: 54
threadCOMMON

Function 00401595 Relevance: 4.5, APIs: 3, Instructions: 47
memorythreadCOMMON

Function 00401704 Relevance: 4.5, APIs: 3, Instructions: 45
fileCOMMON

Function 000D012B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 99
networkCOMMON

Function 00403040 Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Function 00401A70 Relevance: 12.0, APIs: 8, Instructions: 50
COMMON

Function 00401990 Relevance: 7.6, APIs: 5, Instructions: 56
timethreadCOMMON

Function 00401D50 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 185
COMMON

Function 004025E0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79
COMMON

Function 00401FD0 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 209
COMMON

Function 00401DC0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 109
COMMON