Edit tour

Windows Analysis Report
DBUfLVzZhf.exe

Overview

General Information

Sample name:	DBUfLVzZhf.exe renamed because original name is a hash value
Original sample name:	ac52bcde75a75288f6cedfe766870179ceb2f18b.exe
Analysis ID:	1542940
MD5:	ac775ce03263340619836c9d01e8b2c3
SHA1:	ac52bcde75a75288f6cedfe766870179ceb2f18b
SHA256:	b966428056fbf13e8c0684e477c0ed6fd3b742762eac490b3beca8224e342927
Tags:	dllexeJohnWalkerTexasLoaderJWTLJWTLoaderReversingLabsuser-NDA0E
Infos:

Detection

JohnWalkerTexasLoader

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected JohnWalkerTexasLoader

AI detected suspicious sample

Queries memory information (via WMI often done to detect virtual machines)

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Detected potential crypto function

Enables debug privileges

HTTP GET or POST without a user agent

IP address seen in connection with other malware

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

DBUfLVzZhf.exe (PID: 6084 cmdline: "C:\Users\user\Desktop\DBUfLVzZhf.exe" MD5: AC775CE03263340619836C9D01E8B2C3)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
DBUfLVzZhf.exe	JoeSecurity_JohnWalkerTexasLoader	Yara detected JohnWalkerTexasLoader	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000000.2117061251.00000176D2342000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_JohnWalkerTexasLoader	Yara detected JohnWalkerTexasLoader	Joe Security
00000000.00000002.3358819159.00000176D4171000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_JohnWalkerTexasLoader	Yara detected JohnWalkerTexasLoader	Joe Security
Process Memory Space: DBUfLVzZhf.exe PID: 6084	JoeSecurity_JohnWalkerTexasLoader	Yara detected JohnWalkerTexasLoader	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.DBUfLVzZhf.exe.176d2340000.0.unpack	JoeSecurity_JohnWalkerTexasLoader	Yara detected JohnWalkerTexasLoader	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: DBUfLVzZhf.exe

ReversingLabs: Detection: 28%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Source: DBUfLVzZhf.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\Users\Administrator\Pictures\DiffPatchWpf-main\obj\x64\Release\DiffPatchWpf.pdb source: DBUfLVzZhf.exe

Source: global traffic

HTTP traffic detected: GET /api.php?status=1&wallets=0&av=1 HTTP/1.1Host: xilloolli.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /api.php?status=1&wallets=0&av=1 HTTP/1.1Host: xilloolli.comConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: xilloolli.com

Source: DBUfLVzZhf.exe, 00000000.00000002.3358819159.00000176D45F3000.00000004.00000800.00020000.00000000.sdmp, DBUfLVzZhf.exe, 00000000.00000002.3358819159.00000176D4171000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: DBUfLVzZhf.exe, 00000000.00000002.3358819159.00000176D4609000.00000004.00000800.00020000.00000000.sdmp, DBUfLVzZhf.exe, 00000000.00000002.3358819159.00000176D45F3000.00000004.00000800.00020000.00000000.sdmp, DBUfLVzZhf.exe, 00000000.00000002.3358819159.00000176D4171000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://xilloolli.com
Source: DBUfLVzZhf.exe, 00000000.00000002.3358819159.00000176D4171000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://xilloolli.com/api-debug.php
Source: DBUfLVzZhf.exe, 00000000.00000002.3358819159.00000176D4171000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://xilloolli.com/api.php
Source: DBUfLVzZhf.exe, 00000000.00000002.3358819159.00000176D45C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://xilloolli.com/api.php?status=1&wa
Source: DBUfLVzZhf.exe, 00000000.00000002.3358819159.00000176D45C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://xilloolli.com/api.php?status=1&wallets=0&av=1
Source: DBUfLVzZhf.exe, 00000000.00000002.3358819159.00000176D4171000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://xilloolli.com/api.php?status=1&wallets=0&av=10v
Source: DBUfLVzZhf.exe	String found in binary or memory: http://xilloolli.com/api.phpEhttp://xilloolli.com/api-debug.php
Source: DBUfLVzZhf.exe	String found in binary or memory: https://github.com/reproteq/DiffPatchWpf3Copyright
Source: DBUfLVzZhf.exe	String found in binary or memory: https://ipinfo.io/country
Source: DBUfLVzZhf.exe	String found in binary or memory: https://ipinfo.io/ip
Source: DBUfLVzZhf.exe	String found in binary or memory: https://oklibed.com

Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Code function: 0_2_00007FFD342D5DD6	0_2_00007FFD342D5DD6
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Code function: 0_2_00007FFD342D6B82	0_2_00007FFD342D6B82
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Code function: 0_2_00007FFD342DFF7C	0_2_00007FFD342DFF7C
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Code function: 0_2_00007FFD342D1180	0_2_00007FFD342D1180
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Code function: 0_2_00007FFD342D11FA	0_2_00007FFD342D11FA
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Code function: 0_2_00007FFD342D225D	0_2_00007FFD342D225D
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Code function: 0_2_00007FFD342D12D3	0_2_00007FFD342D12D3
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Code function: 0_2_00007FFD342D1300	0_2_00007FFD342D1300
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Code function: 0_2_00007FFD342D12FA	0_2_00007FFD342D12FA
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Code function: 0_2_00007FFD342D12F8	0_2_00007FFD342D12F8

Source: DBUfLVzZhf.exe

Static PE information: No import functions for PE file found

Source: DBUfLVzZhf.exe, 00000000.00000000.2117086095.00000176D2364000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameDiffPatchWpf.exe2 vs DBUfLVzZhf.exe
Source: DBUfLVzZhf.exe	Binary or memory string: OriginalFilenameDiffPatchWpf.exe2 vs DBUfLVzZhf.exe

Source: classification engine

Classification label: mal68.troj.evad.winEXE@1/0@1/1

Source: C:\Users\user\Desktop\DBUfLVzZhf.exe

Mutant created: NULL

Source: DBUfLVzZhf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: DBUfLVzZhf.exe

Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%

Source: C:\Users\user\Desktop\DBUfLVzZhf.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: DBUfLVzZhf.exe

ReversingLabs: Detection: 28%

Source: DBUfLVzZhf.exe

String found in binary or memory: EHH-ADD!IJJoEHH5JKK

Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Section loaded: msvcp140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Section loaded: msctfui.dll	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Section loaded: uiautomationcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Section loaded: d3dcompiler_47.dll	Jump to behavior

Source: C:\Users\user\Desktop\DBUfLVzZhf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\DBUfLVzZhf.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: DBUfLVzZhf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: DBUfLVzZhf.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: DBUfLVzZhf.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: DBUfLVzZhf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: C:\Users\Administrator\Pictures\DiffPatchWpf-main\obj\x64\Release\DiffPatchWpf.pdb source: DBUfLVzZhf.exe

Source: DBUfLVzZhf.exe

Static PE information: 0xEC2CE5FA [Sun Jul 24 17:03:54 2095 UTC]

Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Code function: 0_2_00007FFD341BD2A5 pushad ; iretd		0_2_00007FFD341BD2A6
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Code function: 0_2_00007FFD342D815A push ebx; ret		0_2_00007FFD342D816A

Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries memory information (via WMI often done to detect virtual machines)

Source: C:\Users\user\Desktop\DBUfLVzZhf.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PhysicalMemory

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Source: C:\Users\user\Desktop\DBUfLVzZhf.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PhysicalMemory

Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Memory allocated: 176D26A0000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Memory allocated: 176EC170000 memory reserve \| memory write watch			Jump to behavior

Source: DBUfLVzZhf.exe, 00000000.00000002.3361169877.00000176F0C56000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll^^+
Source: DBUfLVzZhf.exe, 00000000.00000002.3360170138.00000176EC863000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware Virtual RAM
Source: DBUfLVzZhf.exe, 00000000.00000002.3360170138.00000176EC863000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_PhysicalMemoryPhysical Memory 0Win32_PhysicalMemoryPhysical MemoryPhysical MemoryPhysical MemoryRAM slot #0RAM slot #0VMware Virtual RAM00000001VMW-4096MB

Source: C:\Users\user\Desktop\DBUfLVzZhf.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\DBUfLVzZhf.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Queries volume information: C:\Users\user\Desktop\DBUfLVzZhf.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemXml\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemXml.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationProvider\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationProvider.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DBUfLVzZhf.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\DBUfLVzZhf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: DBUfLVzZhf.exe, 00000000.00000002.3361169877.00000176F0C56000.00000004.00000020.00020000.00000000.sdmp, DBUfLVzZhf.exe, 00000000.00000002.3358342702.00000176D2618000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\DBUfLVzZhf.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected JohnWalkerTexasLoader

Source: Yara match	File source: DBUfLVzZhf.exe, type: SAMPLE
Source: Yara match	File source: 0.0.DBUfLVzZhf.exe.176d2340000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2117061251.00000176D2342000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3358819159.00000176D4171000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DBUfLVzZhf.exe PID: 6084, type: MEMORYSTR

Remote Access Functionality

Yara detected JohnWalkerTexasLoader

Source: Yara match	File source: DBUfLVzZhf.exe, type: SAMPLE
Source: Yara match	File source: 0.0.DBUfLVzZhf.exe.176d2340000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2117061251.00000176D2342000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3358819159.00000176D4171000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DBUfLVzZhf.exe PID: 6084, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	21 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Virtualization/Sandbox Evasion	OS Credential Dumping	221 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	11 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	12 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Timestomp	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
DBUfLVzZhf.exe	29%	ReversingLabs	ByteCode-MSIL.Trojan.Walgentz

Source	Detection	Scanner	Label	Link
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
xilloolli.com	188.114.96.3	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://xilloolli.com/api.php?status=1&wallets=0&av=1	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://xilloolli.com/api.php?status=1&wa	DBUfLVzZhf.exe, 00000000.00000002.3358819159.00000176D45C6000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://ipinfo.io/country	DBUfLVzZhf.exe	false		unknown
http://xilloolli.com/api.phpEhttp://xilloolli.com/api-debug.php	DBUfLVzZhf.exe	false		unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	DBUfLVzZhf.exe, 00000000.00000002.3358819159.00000176D45F3000.00000004.00000800.00020000.00000000.sdmp, DBUfLVzZhf.exe, 00000000.00000002.3358819159.00000176D4171000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://xilloolli.com/api-debug.php	DBUfLVzZhf.exe, 00000000.00000002.3358819159.00000176D4171000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://xilloolli.com	DBUfLVzZhf.exe, 00000000.00000002.3358819159.00000176D4609000.00000004.00000800.00020000.00000000.sdmp, DBUfLVzZhf.exe, 00000000.00000002.3358819159.00000176D45F3000.00000004.00000800.00020000.00000000.sdmp, DBUfLVzZhf.exe, 00000000.00000002.3358819159.00000176D4171000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://xilloolli.com/api.php	DBUfLVzZhf.exe, 00000000.00000002.3358819159.00000176D4171000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://xilloolli.com/api.php?status=1&wallets=0&av=10v	DBUfLVzZhf.exe, 00000000.00000002.3358819159.00000176D4171000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://oklibed.com	DBUfLVzZhf.exe	false		unknown
https://github.com/reproteq/DiffPatchWpf3Copyright	DBUfLVzZhf.exe	false		unknown
https://ipinfo.io/ip	DBUfLVzZhf.exe	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.96.3	xilloolli.com	European Union		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1542940
Start date and time:	2024-10-26 22:45:53 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 2s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	DBUfLVzZhf.exe renamed because original name is a hash value
Original Sample Name:	ac52bcde75a75288f6cedfe766870179ceb2f18b.exe
Detection:	MAL
Classification:	mal68.troj.evad.winEXE@1/0@1/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 95% Number of executed functions: 25 Number of non-executed functions: 14
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target DBUfLVzZhf.exe, PID 6084 because it is empty
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: DBUfLVzZhf.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.96.3	R5AREmpD4S.exe	Get hash	malicious	JohnWalkerTexasLoader	Browse	xilloolli.com/api.php?status=1&wallets=0&av=1
	7950COPY.exe	Get hash	malicious	FormBook	Browse	www.globaltrend.xyz/b2h2/
	transferencia interbancaria_667553466579.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	paste.ee/d/Gitmx
	19387759999PO-RFQ-INVOICE-doc.exe	Get hash	malicious	FormBook	Browse	www.zonguldakescortg.xyz/483l/
	PO 4800040256.exe	Get hash	malicious	FormBook	Browse	www.rtpngk.xyz/876i/
	yGktPvplJn.exe	Get hash	malicious	Pushdo	Browse	www.fnsds.org/
	rPedidodecompra__PO20441__ARIMComponentes.exe	Get hash	malicious	Lokibot, PureLog Stealer, zgRAT	Browse	dddotx.shop/Mine/PWS/fre.php
	Orden de Compra No. 78986756565344657.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	paste.ee/d/nwtkd
	Doc 784-01965670.exe	Get hash	malicious	FormBook	Browse	www.launchdreamidea.xyz/bd77/
	PO1268931024 - Bank Slip.exe	Get hash	malicious	PureLog Stealer	Browse	www.timizoasisey.shop/3p0l/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
xilloolli.com	R5AREmpD4S.exe	Get hash	malicious	JohnWalkerTexasLoader	Browse	188.114.96.3
	MHQMJCOxjl.exe	Get hash	malicious	JohnWalkerTexasLoader	Browse	188.114.97.3
	73OPQbICEW.exe	Get hash	malicious	JohnWalkerTexasLoader	Browse	188.114.96.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	R5AREmpD4S.exe	Get hash	malicious	JohnWalkerTexasLoader	Browse	188.114.96.3
	MHQMJCOxjl.exe	Get hash	malicious	JohnWalkerTexasLoader	Browse	188.114.97.3
	73OPQbICEW.exe	Get hash	malicious	JohnWalkerTexasLoader	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	104.21.95.91
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	172.67.170.64
	7950COPY.exe	Get hash	malicious	FormBook	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	GK059kPZ5B.exe	Get hash	malicious	Stealc	Browse	172.67.179.207
	TP77MvSzt2.exe	Get hash	malicious	Stealc	Browse	104.21.56.70
	ZnPyVAOUBc.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	188.114.96.3

File type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):	3.851169000689334
TrID:	Win64 Executable GUI Net Framework (217006/5) 49.88% Win64 Executable GUI (202006/5) 46.43% Win64 Executable (generic) (12005/4) 2.76% Generic Win/DOS Executable (2004/3) 0.46% DOS Executable Generic (2002/1) 0.46%
File name:	DBUfLVzZhf.exe
File size:	235'520 bytes
MD5:	ac775ce03263340619836c9d01e8b2c3
SHA1:	ac52bcde75a75288f6cedfe766870179ceb2f18b
SHA256:	b966428056fbf13e8c0684e477c0ed6fd3b742762eac490b3beca8224e342927
SHA512:	fe66593cc1c500144eacde42746596683ae5776de9547a57d8b9b2ab0f2bf71ad48472fd903f39d70d120979aa7ba3d30b02e21ed6416e3860df27941b883083
SSDEEP:	768:x5SMwiB8FR+dNeDFXmqcyU6GRZkIKugg0Apk/OIaEyEb3GOd53BRnW2i38SmFhme:TH8qoxTYW4zApoePnzhpmy
TLSH:	1934D5ABE32F6809CD2A32F5C8E443B45E605F116E10D6F964BDF2C5123499BFD189AC
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....,..........."...0.................. .....@..... ....................................`...@......@............... .....

File Icon


Icon Hash:	1761174505056997

Static PE Info

General

Entrypoint:	0x140000000
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xEC2CE5FA [Sun Jul 24 17:03:54 2095 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x24000	0x18ca8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x2270c	0x38	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x207af	0x20800	0cd721aba87545a089a9b9ea9134933c	False	0.1777869591346154	data	4.281764200834581	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x24000	0x18ca8	0x18e00	d46f216a7dfee89a5dd1ba2c032f2ffe	False	0.10476209170854271	data	3.1344838579936667	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x24180	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	0.3962765957446808
RT_ICON	0x245f8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	0.23381801125703564
RT_ICON	0x256b0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	0.23278008298755187
RT_ICON	0x27c68	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	0.12133915918752952
RT_ICON	0x2bea0	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	0.06113214243463859
RT_GROUP_ICON	0x3c6d8	0x4c	data	0.75
RT_VERSION	0x3c734	0x374	data	0.416289592760181
RT_MANIFEST	0x3cab8	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 26, 2024 22:46:48.181339025 CEST	49711	80	192.168.2.6	188.114.96.3
Oct 26, 2024 22:46:48.186698914 CEST	80	49711	188.114.96.3	192.168.2.6
Oct 26, 2024 22:46:48.186806917 CEST	49711	80	192.168.2.6	188.114.96.3
Oct 26, 2024 22:46:48.206006050 CEST	49711	80	192.168.2.6	188.114.96.3
Oct 26, 2024 22:46:48.211397886 CEST	80	49711	188.114.96.3	192.168.2.6
Oct 26, 2024 22:46:49.235842943 CEST	80	49711	188.114.96.3	192.168.2.6
Oct 26, 2024 22:46:49.281084061 CEST	49711	80	192.168.2.6	188.114.96.3
Oct 26, 2024 22:48:29.260927916 CEST	49711	80	192.168.2.6	188.114.96.3
Oct 26, 2024 22:48:29.266916037 CEST	80	49711	188.114.96.3	192.168.2.6
Oct 26, 2024 22:48:29.266972065 CEST	49711	80	192.168.2.6	188.114.96.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 26, 2024 22:46:48.147811890 CEST	63767	53	192.168.2.6	1.1.1.1
Oct 26, 2024 22:46:48.171421051 CEST	53	63767	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 26, 2024 22:46:48.147811890 CEST	192.168.2.6	1.1.1.1	0xaa5c	Standard query (0)	xilloolli.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 26, 2024 22:46:48.171421051 CEST	1.1.1.1	192.168.2.6	0xaa5c	No error (0)	xilloolli.com		188.114.96.3	A (IP address)	IN (0x0001)	false
Oct 26, 2024 22:46:48.171421051 CEST	1.1.1.1	192.168.2.6	0xaa5c	No error (0)	xilloolli.com		188.114.97.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

xilloolli.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49711	188.114.96.3	80	6084	C:\Users\user\Desktop\DBUfLVzZhf.exe

Timestamp	Bytes transferred	Direction	Data
Oct 26, 2024 22:46:48.206006050 CEST	94	OUT	GET /api.php?status=1&wallets=0&av=1 HTTP/1.1 Host: xilloolli.com Connection: Keep-Alive
Oct 26, 2024 22:46:49.235842943 CEST	750	IN	HTTP/1.1 200 OK Date: Sat, 26 Oct 2024 20:46:49 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=beCPlKIQLWiX4WDq%2F2AIt6sFiJrBg4psAYf7ea6V3E6XjolPZFRiP86gvLqnNwvOKFRagzVkdenVpigIp80KMTDr47RpWFtiZRT6VyBBl7oIfAqYCCRPfalAYsCuqsWo"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d8d4c429a813ab9-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1197&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=94&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	16:46:45
Start date:	26/10/2024
Path:	C:\Users\user\Desktop\DBUfLVzZhf.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\DBUfLVzZhf.exe"
Imagebase:	0x176d2340000
File size:	235'520 bytes
MD5 hash:	AC775CE03263340619836C9D01E8B2C3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_JohnWalkerTexasLoader, Description: Yara detected JohnWalkerTexasLoader, Source: 00000000.00000000.2117061251.00000176D2342000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_JohnWalkerTexasLoader, Description: Yara detected JohnWalkerTexasLoader, Source: 00000000.00000002.3358819159.00000176D4171000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Function 00007FFD342D5DD6 Relevance: .5, Instructions: 474COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3362641704.00007FFD342D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd342d0000_DBUfLVzZhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99be723ea0c26c456e6339451b6573316b2ed18281e94f25d8e00981b039a80b
Instruction ID: 99196af93f34a16923584b1f7528cc3433f3c91a79e3f74f4d599e8d64fe8746
Opcode Fuzzy Hash: 99be723ea0c26c456e6339451b6573316b2ed18281e94f25d8e00981b039a80b
Instruction Fuzzy Hash: B1F1C630609A8D8FEBA8EF28C8557E977D1FF56310F04426EE85DC7291DF7998418B81

Function 00007FFD342D6B82 Relevance: .5, Instructions: 460COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3362641704.00007FFD342D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd342d0000_DBUfLVzZhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fbd4cc2d8745d80b79291781bc13d1b57f98f9ade3b5b84a881c6e2fec525e4
Instruction ID: 3e00d80145ef5935f0c943cafb492f206d785f46c7da406b54c6fcc361909199
Opcode Fuzzy Hash: 5fbd4cc2d8745d80b79291781bc13d1b57f98f9ade3b5b84a881c6e2fec525e4
Instruction Fuzzy Hash: 97E1C730A09A8E8FEBA8EF28D8657E977D1FF56310F04426ED85DC7291CF79A4448781

Function 00007FFD342E0A41 Relevance: 1.6, Strings: 1, Instructions: 330COMMON

Download Yara Rule

Strings

3L_H, xrefs: 00007FFD342E0BEF

Memory Dump Source

Source File: 00000000.00000002.3362641704.00007FFD342D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd342d0000_DBUfLVzZhf.jbxd

Similarity

API ID:
String ID: 3L_H
API String ID: 0-4286477518
Opcode ID: 5ee3bb736e18b6e9106626fa288ccd6020cc65b1e8689664f4e20bb9ef8541db
Instruction ID: 20690528385f9b1452fb1c9c858d270ccbc38b427f4d9dab0a701c42ccab2022
Opcode Fuzzy Hash: 5ee3bb736e18b6e9106626fa288ccd6020cc65b1e8689664f4e20bb9ef8541db
Instruction Fuzzy Hash: 97B1C520F0E9894FD755E76884B16AA7BE1EF4B304F0405BAD14DEB2D3CD2DAC829351

Function 00007FFD342D7FAD Relevance: 1.5, Strings: 1, Instructions: 252COMMON

Download Yara Rule

Strings

L_h, xrefs: 00007FFD342D8110

Memory Dump Source

Source File: 00000000.00000002.3362641704.00007FFD342D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd342d0000_DBUfLVzZhf.jbxd

Similarity

API ID:
String ID: L_h
API String ID: 0-554164850
Opcode ID: b5c8092bc028b95dcdc1e23db96e57775a2abdea561b6523b3a6e7fdb06accce
Instruction ID: 50aa0ea5b94b8751336e85bcf0e5e055b10531ea0d0fb2c5b1b2344ef4974c31
Opcode Fuzzy Hash: b5c8092bc028b95dcdc1e23db96e57775a2abdea561b6523b3a6e7fdb06accce
Instruction Fuzzy Hash: AC810215E0F6C64FE796A66844B55B97FE09F53214B0900F7C5ACFB1A3DC6E6C0A8321

Function 00007FFD342DC700 Relevance: 1.4, Strings: 1, Instructions: 193COMMON

Download Yara Rule

Strings

X64, xrefs: 00007FFD342DC7B8

Memory Dump Source

Source File: 00000000.00000002.3362641704.00007FFD342D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd342d0000_DBUfLVzZhf.jbxd

Similarity

API ID:
String ID: X64
API String ID: 0-3684969848
Opcode ID: 3993980fb89de647912745e8ab91ae069529875880ae264cfb9370a609888d21
Instruction ID: aa5be4b892aa1264f4431e83023bcbd97ca25833820a3b3ad8bf79e61863313a
Opcode Fuzzy Hash: 3993980fb89de647912745e8ab91ae069529875880ae264cfb9370a609888d21
Instruction Fuzzy Hash: 7D514B72F0E9894FF794EB6C94A55B97BD0EF5B310B0001BBD01DE7292DE29AC018740

Function 00007FFD342DC550 Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

X64, xrefs: 00007FFD342DC56F

Memory Dump Source

Source File: 00000000.00000002.3362641704.00007FFD342D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd342d0000_DBUfLVzZhf.jbxd

Similarity

API ID:
String ID: X64
API String ID: 0-3684969848
Opcode ID: 45f4ead09d32cce4d49ddc3179ea2c2afcefa89f617bf0b1cb7347ce86511995
Instruction ID: a788ab0fb83f079fbe9ce45815d8fb2295b0e7455acb2c1f5c0729a43d25ef08
Opcode Fuzzy Hash: 45f4ead09d32cce4d49ddc3179ea2c2afcefa89f617bf0b1cb7347ce86511995
Instruction Fuzzy Hash: 6E21F517B1E5960AE23072BE78611FA7B95DF83330B084177D38DDA183CD1E648A82D5

Function 00007FFD342DD835 Relevance: 1.3, Strings: 1, Instructions: 91COMMON

Download Yara Rule

Strings

p:4, xrefs: 00007FFD342DD86A

Memory Dump Source

Source File: 00000000.00000002.3362641704.00007FFD342D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd342d0000_DBUfLVzZhf.jbxd

Similarity

API ID:
String ID: p:4
API String ID: 0-1139921050
Opcode ID: fae33d808fee7a25db6a9dd5af78fec8dd8d7033d2c9b080fd48fec4e73673d0
Instruction ID: d4a94b3ad15c13a5749e3ff12c4a34b602e0220eec82869c0d6f0e88fdd9c683
Opcode Fuzzy Hash: fae33d808fee7a25db6a9dd5af78fec8dd8d7033d2c9b080fd48fec4e73673d0
Instruction Fuzzy Hash: CC213722B1FE890FE396AA7C486A2757BD1DF97161B4802FBC09DD71E3DC1D98068381

Function 00007FFD342DC878 Relevance: 1.3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

Strings

X64, xrefs: 00007FFD342DC879

Memory Dump Source

Source File: 00000000.00000002.3362641704.00007FFD342D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd342d0000_DBUfLVzZhf.jbxd

Similarity

API ID:
String ID: X64
API String ID: 0-3684969848
Opcode ID: aa2b7dd81add6542cfc3895477ff7f9d941fe2959c8642a35e9180d437c23be1
Instruction ID: 1a6861844cfa1fe97d129e1a3e2a392c059a66bf9063fe17a5639edcd18960a7
Opcode Fuzzy Hash: aa2b7dd81add6542cfc3895477ff7f9d941fe2959c8642a35e9180d437c23be1
Instruction Fuzzy Hash: 98014772F0E9584FEB54DA1CA4A15F873D1EB9B710B00017AE11EE3396DE1AEC0147C1

Function 00007FFD342DC535 Relevance: 1.3, Strings: 1, Instructions: 35COMMON

Download Yara Rule

Strings

X64, xrefs: 00007FFD342DC56F

Memory Dump Source

Source File: 00000000.00000002.3362641704.00007FFD342D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd342d0000_DBUfLVzZhf.jbxd

Similarity

API ID:
String ID: X64
API String ID: 0-3684969848
Opcode ID: e1c364808fab0d322bdda70ab8d7c69762c5334ecf92f0b43c4e0723cedc65d5
Instruction ID: c27bf556025c0ba0e6cb0cd870ba0fcff678e58e0ee98f51e0bac46ac8c149e8
Opcode Fuzzy Hash: e1c364808fab0d322bdda70ab8d7c69762c5334ecf92f0b43c4e0723cedc65d5
Instruction Fuzzy Hash: 25F0A716B0F6C60FE756963E08F92642EC1AF57350F8901FEC659EB1D3D81ED8458341

Function 00007FFD342E0441 Relevance: .8, Instructions: 760COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3362641704.00007FFD342D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd342d0000_DBUfLVzZhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b9b5eef77493dfcd9b60b772ee978cd559a2034fdb65502beb50287ca94ffd2
Instruction ID: 5a2f0e04535b9f3a2c860b40c8802946b031839a9802656a7c3dba2bd6f35c11
Opcode Fuzzy Hash: 4b9b5eef77493dfcd9b60b772ee978cd559a2034fdb65502beb50287ca94ffd2
Instruction Fuzzy Hash: 7D32F410B0E6890FE75AA7A85471A6A7BD1DF87304F1804FEE18EEB2D3CD5DAC459312

Function 00007FFD342D25A8 Relevance: .4, Instructions: 429COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3362641704.00007FFD342D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd342d0000_DBUfLVzZhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2329ef79cff9c95dc8a76434cc0958784fea5bfc14cf27041744b6253b942229
Instruction ID: 827ab3b4cf5655b732b3f91e46b887efb5f1bb9a1344e4c6ff42007ee5098cd3
Opcode Fuzzy Hash: 2329ef79cff9c95dc8a76434cc0958784fea5bfc14cf27041744b6253b942229
Instruction Fuzzy Hash: 0FD12421E0E68A0FEB55EB6848B56B97BE0DF57300F0401FAD15DEB2E3DD2DA8458361

Function 00007FFD342D16FA Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3362641704.00007FFD342D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd342d0000_DBUfLVzZhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71ec3a5fde4b8e558db97ca5452ebfb4bd3b69e1c3f12eb29991571f8451b3ab
Instruction ID: cebd7036302ff6a6c88b4aaa9bde8ca7cf0aa9f7487c0c014d4bb84947fce99d
Opcode Fuzzy Hash: 71ec3a5fde4b8e558db97ca5452ebfb4bd3b69e1c3f12eb29991571f8451b3ab
Instruction Fuzzy Hash: 7A713762B0FA8A4FF756E7A848B66B97BD1EF57200B0405FAD05DEB5D3CD1D68058301

Function 00007FFD342D36CC Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3362641704.00007FFD342D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd342d0000_DBUfLVzZhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97ebb786bfdde1f97705ac6c41cdf14dfea3a4816ff73aaddec973341baf1449
Instruction ID: ff2882f0929eed3ae8a2bf5bc587b116e46d668f69e3d1e28c4259b686deede4
Opcode Fuzzy Hash: 97ebb786bfdde1f97705ac6c41cdf14dfea3a4816ff73aaddec973341baf1449
Instruction Fuzzy Hash: 81518331D08A1C8FDB68DF58D855BE9BBF1FB59310F0082AAD04DE3252DE35A9858F81

Function 00007FFD342DB4A4 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3362641704.00007FFD342D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd342d0000_DBUfLVzZhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bceb5d9e88580eb1935700f9edce6943d1301368d758c7f9530d3fc454112523
Instruction ID: d613e275861de0e4e34333ae28cc25fb97fc3d5d4bb32d831789509f08c7453b
Opcode Fuzzy Hash: bceb5d9e88580eb1935700f9edce6943d1301368d758c7f9530d3fc454112523
Instruction Fuzzy Hash: F8513E7090DB8C8FDB58DF58D889AE9BBE0FB69311F10412EE14DC3252C774A441CB91

Function 00007FFD342D27E8 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3362641704.00007FFD342D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd342d0000_DBUfLVzZhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8c09f4adcf8d3a94a4d127464d5912e0a00ec70f4ac03ca9be5590270f91375
Instruction ID: 06da91b04c00dbb0a37ae8d5ca930fdefdf681c7e3663461d0286fa375cc2794
Opcode Fuzzy Hash: d8c09f4adcf8d3a94a4d127464d5912e0a00ec70f4ac03ca9be5590270f91375
Instruction Fuzzy Hash: C541D731F1AD0E4FEB94EB6884A52BD77E1FF9A300B400076D51DE3292DE2DAC419760

Function 00007FFD341BE2D2 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3362364471.00007FFD341BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD341BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd341bd000_DBUfLVzZhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c531a725026500a1522fc3cc3c4247401114a356b9c3635cefc76d0a60b8ec5
Instruction ID: 34b190561f205c4ba18c487dbec5bfa7fee7ba8b68c876fc054b4cefc2fded2a
Opcode Fuzzy Hash: 5c531a725026500a1522fc3cc3c4247401114a356b9c3635cefc76d0a60b8ec5
Instruction Fuzzy Hash: 1641E43190DB844FE75A9B2898959523FF0EF57320B1501EFD08CCB1A3DA69A846C7A2

Function 00007FFD342DF49D Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3362641704.00007FFD342D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd342d0000_DBUfLVzZhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7936a562153961c2ecce526cfdaa45fdeda7c370817cc813f52e447c7d970c3b
Instruction ID: a2881454d606e10c4ab9fc2bab702235608867a7b6a0bdd2f8bcd9cf2dbb1f23
Opcode Fuzzy Hash: 7936a562153961c2ecce526cfdaa45fdeda7c370817cc813f52e447c7d970c3b
Instruction Fuzzy Hash: 89413B70A0864C8FDB58EF98D455BEDBBB1FB59311F00816ED00EE7252DB75A486CB81

Function 00007FFD342E02DD Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3362641704.00007FFD342D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd342d0000_DBUfLVzZhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9ae60b9bb52bd739c03b55616750231ff26239ca10c9a478266f5689fb7a2c1
Instruction ID: 4a4da5f24643c102ff9d54f8dbc54422113202adb769459bb1cea846217acae4
Opcode Fuzzy Hash: b9ae60b9bb52bd739c03b55616750231ff26239ca10c9a478266f5689fb7a2c1
Instruction Fuzzy Hash: E431D115F0EA990FE755A7A848766AABBE0EF5B200F4801FBE14CE76D3CD1D6C019352

Function 00007FFD342DD574 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3362641704.00007FFD342D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd342d0000_DBUfLVzZhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 448a03da2478eb7c90a9097c4f5741dacceddc6139d0a740610a7f90ec264868
Instruction ID: 199f15379ee1783645f41c462dfa339adea28c021e6dbdb77c1cda62dad08052
Opcode Fuzzy Hash: 448a03da2478eb7c90a9097c4f5741dacceddc6139d0a740610a7f90ec264868
Instruction Fuzzy Hash: FA21B59CE5F0E621E90836A354F21FA25914F47642F80043AF3FEF91D38C1EB008B1AA

Function 00007FFD342D2708 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3362641704.00007FFD342D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd342d0000_DBUfLVzZhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31eef561e0db99db17399f219f1897a7dadfe8b7b038ed34f7b0f20f7afde0ef
Instruction ID: b6040f10a1ed2e20a408b54be7813d14fb00f7533cbf0e15d4e617226420017e
Opcode Fuzzy Hash: 31eef561e0db99db17399f219f1897a7dadfe8b7b038ed34f7b0f20f7afde0ef
Instruction Fuzzy Hash: D8119E31E0E2064FFBA4DA28C8E053637D0DF87380F0401B9E459E72D1FE29E8459252

Function 00007FFD342D8135 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3362641704.00007FFD342D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd342d0000_DBUfLVzZhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e9ef476f4dd04139be9eb66a92f2faf1731e2443d6b848f2a5fe923ac566db3
Instruction ID: 29b4097a770451b0883787bae4849acd95dde7244fe42fbe27f787db708fefff
Opcode Fuzzy Hash: 8e9ef476f4dd04139be9eb66a92f2faf1731e2443d6b848f2a5fe923ac566db3
Instruction Fuzzy Hash: E3F0AF16F1F7CA4FE752A6A408721A43FA1AF87250B8605F3C46DEB0E3EC1D980D4322

Function 00007FFD342DCA40 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3362641704.00007FFD342D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd342d0000_DBUfLVzZhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1c86b84f26849c7546cb4bb1534dfb8e3b7253e6bddb415d8580d64186731bc
Instruction ID: e83e37de24b5bb6f33813a9a309bd15afb535ca2d9c4862e822c2256583fcb97
Opcode Fuzzy Hash: b1c86b84f26849c7546cb4bb1534dfb8e3b7253e6bddb415d8580d64186731bc
Instruction Fuzzy Hash: 4DF0346290E3E24FE72B5B7428751A03F705B13215B0A01EBC898EB0E7E40C5C88C3A3

Function 00007FFD342DCA29 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3362641704.00007FFD342D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd342d0000_DBUfLVzZhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6881f28cbffac1ffb91674d0851af73ac6892a0ddbed6bf6837c09828c2294
Instruction ID: 309e81fb3d45ece694e9d802c3a5bf940a96f51683deaa9ff280a643bfd3f87d
Opcode Fuzzy Hash: bf6881f28cbffac1ffb91674d0851af73ac6892a0ddbed6bf6837c09828c2294
Instruction Fuzzy Hash: 15F08946F4F9D20BFB68A96E18A92F465809B43610F091176D9A8E71D2D84E6DC45381

Function 00007FFD342DF456 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3362641704.00007FFD342D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd342d0000_DBUfLVzZhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 749ac9d3abb6b6e6c9789985c803d97fb56037c0c908af95c12151af0d0b32a6
Instruction ID: fea6d69d32380cd12bd872d1ba562f0aeef5cbb28d00447003cc63f6e7ee8a83
Opcode Fuzzy Hash: 749ac9d3abb6b6e6c9789985c803d97fb56037c0c908af95c12151af0d0b32a6
Instruction Fuzzy Hash: 87F0A03495E688AFCB02AB7088654ED7BB0EF06300F4100EBE408D70A2EA3869598B81

Function 00007FFD342DD101 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3362641704.00007FFD342D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd342d0000_DBUfLVzZhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c760e7d21cc1a5dd626695a1b2691e64c10612d778dabd65ac809967e5d1110
Instruction ID: e94237d101a8f0202788242163f36cdff200e8edc037a4d46c8f2faba5f21336
Opcode Fuzzy Hash: 2c760e7d21cc1a5dd626695a1b2691e64c10612d778dabd65ac809967e5d1110
Instruction Fuzzy Hash: CBE0869694F7C11FD75252340C3A2947F90BF17210F4D02FBC584CB4D3D90E84499712

Non-executed Functions

Function 00007FFD342DFF7C Relevance: 1.7, Strings: 1, Instructions: 432COMMON

Download Yara Rule

Strings

=L_H, xrefs: 00007FFD342E0143

Memory Dump Source

Source File: 00000000.00000002.3362641704.00007FFD342D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd342d0000_DBUfLVzZhf.jbxd

Similarity

API ID:
String ID: =L_H
API String ID: 0-530646013
Opcode ID: 447223c06d7a94613435c84b129f74e95ed919ea28b9534df225c3ea6a01e1f7
Instruction ID: 2d8c5d53394601e9efb52747140ac6d907b0da820eb9caa69a8866582046efa8
Opcode Fuzzy Hash: 447223c06d7a94613435c84b129f74e95ed919ea28b9534df225c3ea6a01e1f7
Instruction Fuzzy Hash: CDE1C044F0E9C64FD352A77848759AA6FE18F8B208B5804FAC25DFF2C7DC5E68068352

Function 00007FFD342D225D Relevance: 1.6, Strings: 1, Instructions: 367COMMON

Download Yara Rule

Strings

4, xrefs: 00007FFD342D22B0

Memory Dump Source

Source File: 00000000.00000002.3362641704.00007FFD342D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd342d0000_DBUfLVzZhf.jbxd

Similarity

API ID:
String ID: 4
API String ID: 0-4088798008
Opcode ID: d0ba725a549fc170528694cf2f6a2751cf44fc81c7db1fca3384d135d2d5632d
Instruction ID: a8ca7f54c984ec206d2db67b9d28c5ba5b1428b5e8a40c1481121b69ae8ca154
Opcode Fuzzy Hash: d0ba725a549fc170528694cf2f6a2751cf44fc81c7db1fca3384d135d2d5632d
Instruction Fuzzy Hash: 16B1055BB0F7D20AE762962C18F60E57F90EF5322570902F7C6D4D6093AD0F640BA272

Function 00007FFD342D12FA Relevance: 1.4, Strings: 1, Instructions: 125COMMON

Download Yara Rule

Strings

1M_^, xrefs: 00007FFD342D1301

Memory Dump Source

Source File: 00000000.00000002.3362641704.00007FFD342D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd342d0000_DBUfLVzZhf.jbxd

Similarity

API ID:
String ID: 1M_^
API String ID: 0-2690736931
Opcode ID: 8751565b550f18d6964cca6862b1b29668e571ce82f87d286b94a5f8e2dddb74
Instruction ID: e3d661042723dfcdd0001cb4c3164845c32eeadc9757e83480b37010e5852b9b
Opcode Fuzzy Hash: 8751565b550f18d6964cca6862b1b29668e571ce82f87d286b94a5f8e2dddb74
Instruction Fuzzy Hash: 8531063BA0F3D68FE712AB7C58A20E97FA0EF4332570902B7C184DA493D91A640AC751

Function 00007FFD342D12F8 Relevance: 1.4, Strings: 1, Instructions: 125COMMON

Download Yara Rule

Strings

1M_^, xrefs: 00007FFD342D1301

Memory Dump Source

Source File: 00000000.00000002.3362641704.00007FFD342D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd342d0000_DBUfLVzZhf.jbxd

Similarity

API ID:
String ID: 1M_^
API String ID: 0-2690736931
Opcode ID: 978d3b9f43d8c2d3bff705c967d3019e395aebb8ab7aaaf236e7b5a501d4da13
Instruction ID: 4000ccb1afa5bf65f4c0e57c98c5d24f19506edf6270b079c59fe22dd48b74fe
Opcode Fuzzy Hash: 978d3b9f43d8c2d3bff705c967d3019e395aebb8ab7aaaf236e7b5a501d4da13
Instruction Fuzzy Hash: 3331E62BA0E7D68FE7526B7C58B20E97FA0DF4332570902B7C184DA493D91A640AC751

Function 00007FFD342D1180 Relevance: .6, Instructions: 644COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3362641704.00007FFD342D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd342d0000_DBUfLVzZhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03e755016dccd2233f308394146d9bd870a04995cf3a8651031b114c22886d3a
Instruction ID: 0ffb0b6662c54d4aed8f3d720140af67d1ae23794cf88ad36d1f0b1ee6a415a2
Opcode Fuzzy Hash: 03e755016dccd2233f308394146d9bd870a04995cf3a8651031b114c22886d3a
Instruction Fuzzy Hash: 7F02276BB0F6DA4BE7126A6CA8B50F97B50DF9323570903B7C194DB493ED1B240BC291

Function 00007FFD342D11FA Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3362641704.00007FFD342D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd342d0000_DBUfLVzZhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9866d9fd898acf53c8cf7b417f678526cbaf1bde9be2cc7f26b4318b82f3bebc
Instruction ID: 8e0d9e0f53cb3ce2b804f7da529a192920ba5d6edd6962f63f57c1f20bd99880
Opcode Fuzzy Hash: 9866d9fd898acf53c8cf7b417f678526cbaf1bde9be2cc7f26b4318b82f3bebc
Instruction Fuzzy Hash: 1461DA37B0E6AA8BD7117F7CA8A10E9BB64DF4333570903B7C588DA443D91A644AC791

Function 00007FFD342D12D3 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3362641704.00007FFD342D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd342d0000_DBUfLVzZhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7bce9bc0b3e5e48bf0849fa2aec39a1d53b63f6d80490ce5fdf9d3aad050523
Instruction ID: 9cb597e5214df37fb571741a5e71356d1251f72cc14c8b3390a0174314853d90
Opcode Fuzzy Hash: d7bce9bc0b3e5e48bf0849fa2aec39a1d53b63f6d80490ce5fdf9d3aad050523
Instruction Fuzzy Hash: 1941F92B70F7D64FE7126A6C68A10E9BF60DF8336570902B7C284DA493D91B640AC751

Function 00007FFD342D1300 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3362641704.00007FFD342D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd342d0000_DBUfLVzZhf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93b60d23ac80196ee31c41ded4f4d0465be794756cd5d3a0f1f1ba876b2fc781
Instruction ID: f32fddeea4288a34779f8a841f9a79307d27f2f525cc9fe8dceaa7eeacb93255
Opcode Fuzzy Hash: 93b60d23ac80196ee31c41ded4f4d0465be794756cd5d3a0f1f1ba876b2fc781
Instruction Fuzzy Hash: A031C62BA0E7D68FE7526A7C58B20E97FA0DF4332570902B7C584DA493D91A640AC751

Function 00007FFD342D8850 Relevance: 10.2, Strings: 8, Instructions: 151COMMON

Download Yara Rule

Strings

L_^, xrefs: 00007FFD342D8872
L_^, xrefs: 00007FFD342D8862
L_^, xrefs: 00007FFD342D88C2
L_^, xrefs: 00007FFD342D897A
L_^, xrefs: 00007FFD342D8922
L_^, xrefs: 00007FFD342D896A
L_^, xrefs: 00007FFD342D8912
L_^, xrefs: 00007FFD342D89C9

Memory Dump Source

Source File: 00000000.00000002.3362641704.00007FFD342D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd342d0000_DBUfLVzZhf.jbxd

Similarity

API ID:
String ID: L_^$L_^$L_^$L_^$L_^$L_^$L_^$L_^
API String ID: 0-1065219198
Opcode ID: a56fef3468f7bad6f7f50795858e6e13c088520d0c010711011e7a6848f30708
Instruction ID: 5af682d36447ced257b5e75bd9660733118aaf353c29a1ad0f4772bddf7b79af
Opcode Fuzzy Hash: a56fef3468f7bad6f7f50795858e6e13c088520d0c010711011e7a6848f30708
Instruction Fuzzy Hash: 835195E7A0FAC60AE752565548F50E42B60EF53344B4D00F6CAF4FB1A7AE1E640B521B

Function 00007FFD342D88F2 Relevance: 8.9, Strings: 7, Instructions: 126COMMON

Download Yara Rule

Strings

L_^, xrefs: 00007FFD342D88C2
L_^, xrefs: 00007FFD342D88F2
L_^, xrefs: 00007FFD342D897A
L_^, xrefs: 00007FFD342D8922
L_^, xrefs: 00007FFD342D896A
L_^, xrefs: 00007FFD342D8912
L_^, xrefs: 00007FFD342D89C9

Memory Dump Source

Source File: 00000000.00000002.3362641704.00007FFD342D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd342d0000_DBUfLVzZhf.jbxd

Similarity

API ID:
String ID: L_^$L_^$L_^$L_^$L_^$L_^$L_^
API String ID: 0-358832956
Opcode ID: a6c2bc757736bb2af5c77a7fb7e752ebe140eefd4f682ae19bbe550e8807ad53
Instruction ID: 3e3bae642d4502b8a6acb8c1dd591561e044214266d48a85db7dae8725303017
Opcode Fuzzy Hash: a6c2bc757736bb2af5c77a7fb7e752ebe140eefd4f682ae19bbe550e8807ad53
Instruction Fuzzy Hash: 9B4176E7A0FAC60AE652561508F50E42B60EF63344B4D00F6CAF4BF1A7AD1E680B561B

Function 00007FFD342D8AFA Relevance: 6.4, Strings: 5, Instructions: 122COMMON

Download Yara Rule

Strings

L_^, xrefs: 00007FFD342D8BC9
L_^, xrefs: 00007FFD342D8B7A
L_^, xrefs: 00007FFD342D8AFA
L_^, xrefs: 00007FFD342D8B2A
L_^, xrefs: 00007FFD342D8B6A

Memory Dump Source

Source File: 00000000.00000002.3362641704.00007FFD342D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd342d0000_DBUfLVzZhf.jbxd

Similarity

API ID:
String ID: L_^$L_^$L_^$L_^$L_^
API String ID: 0-2264858084
Opcode ID: d740908d8f61a377d1bda29d461cdd4cbd3fec4c6d7c2590bf4cfcc9955ea769
Instruction ID: 29bcc615fd24d4e65ee503a9e9b245f333b797d21001dfd90ed5b71b76681c53
Opcode Fuzzy Hash: d740908d8f61a377d1bda29d461cdd4cbd3fec4c6d7c2590bf4cfcc9955ea769
Instruction Fuzzy Hash: 064198FBF0FAC206F151565908E91B42B91EF63359B4900F9C7B8EB0E3AD5F640B5219

Function 00007FFD342D89FA Relevance: 6.4, Strings: 5, Instructions: 116COMMON

Download Yara Rule

Strings

L_^, xrefs: 00007FFD342D8A2A
L_^, xrefs: 00007FFD342D89FA
L_^, xrefs: 00007FFD342D8A7A
L_^, xrefs: 00007FFD342D8A6A
L_^, xrefs: 00007FFD342D8AC9

Memory Dump Source

Source File: 00000000.00000002.3362641704.00007FFD342D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd342d0000_DBUfLVzZhf.jbxd

Similarity

API ID:
String ID: L_^$L_^$L_^$L_^$L_^
API String ID: 0-2264858084
Opcode ID: 19df141aaebeb12bc59d09487a829f0258b3269adde2120a04d2d1c4fbed19cc
Instruction ID: 337754d67aa98f499e34c140d4e3f4e187ce2d7a92711e7da4e08274f7ca1f6f
Opcode Fuzzy Hash: 19df141aaebeb12bc59d09487a829f0258b3269adde2120a04d2d1c4fbed19cc
Instruction Fuzzy Hash: 7141B9E7F0F9C307E256565908E90A86B90FF63354B4D01F6C6F8A70E3AD1F640B9256

Function 00007FFD342DCCF7 Relevance: 5.2, Strings: 4, Instructions: 177COMMON

Download Yara Rule

Strings

`:4, xrefs: 00007FFD342DCD71
@:4, xrefs: 00007FFD342DCD51
p:4, xrefs: 00007FFD342DCD81
P:4, xrefs: 00007FFD342DCD61

Memory Dump Source

Source File: 00000000.00000002.3362641704.00007FFD342D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd342d0000_DBUfLVzZhf.jbxd

Similarity

API ID:
String ID: @:4$P:4$`:4$p:4
API String ID: 0-2620099308
Opcode ID: 278e8c19a9842a61dfc00ae8a7ff4d5e66d7e9d1e9c15dfeab3e091822274573
Instruction ID: f47eb5848831077073fe84cc0ab05446a64ce60b0014c9778998a61497c55949
Opcode Fuzzy Hash: 278e8c19a9842a61dfc00ae8a7ff4d5e66d7e9d1e9c15dfeab3e091822274573
Instruction Fuzzy Hash: F8518866A0FAC44FE3219E685C566E97FF0EF57320F0441BFD189D7193C929A84AC782

Function 00007FFD342D8BFA Relevance: 5.1, Strings: 4, Instructions: 119COMMON

Download Yara Rule

Strings

L_^, xrefs: 00007FFD342D8C6A
L_^, xrefs: 00007FFD342D8C7A
L_^, xrefs: 00007FFD342D8BFA
L_^, xrefs: 00007FFD342D8C2A

Memory Dump Source

Source File: 00000000.00000002.3362641704.00007FFD342D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd342d0000_DBUfLVzZhf.jbxd

Similarity

API ID:
String ID: L_^$L_^$L_^$L_^
API String ID: 0-2357752022
Opcode ID: 89e2b047fbf704c826f3eb7728c133a92af512ada5f80322df310ffd354c8f5d
Instruction ID: 1ba88b36c62f0170141ee49838bbe9c4714f86a9b8dd91115db95fa97a96b4e0
Opcode Fuzzy Hash: 89e2b047fbf704c826f3eb7728c133a92af512ada5f80322df310ffd354c8f5d
Instruction Fuzzy Hash: 963182F7B0BAC24EE257564908E91E43B91FF63344B4E00FAC6B4EB0A3AD2B540F5601

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report DBUfLVzZhf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Statistics

CPU Usage

Windows Analysis Report
DBUfLVzZhf.exe