Edit tour

Windows Analysis Report
SR3JZpolPo.exe

Overview

General Information

Sample name:	SR3JZpolPo.exe renamed because original name is a hash value
Original sample name:	8c798159c3a931358b6893cf0ac112a99f4723c8.exe
Analysis ID:	1542942
MD5:	1df7578e410bb0e6415443f4ad5889cd
SHA1:	8c798159c3a931358b6893cf0ac112a99f4723c8
SHA256:	d388566fa25f7f0c4ede9eede268b3b027daba62d2319c315d39374358037c24
Tags:	dllexeJohnWalkerTexasLoaderJWTLJWTLoaderReversingLabsuser-NDA0E
Infos:

Detection

JohnWalkerTexasLoader

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected JohnWalkerTexasLoader

AI detected suspicious sample

Queries memory information (via WMI often done to detect virtual machines)

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Detected potential crypto function

Enables debug privileges

HTTP GET or POST without a user agent

IP address seen in connection with other malware

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

SR3JZpolPo.exe (PID: 3632 cmdline: "C:\Users\user\Desktop\SR3JZpolPo.exe" MD5: 1DF7578E410BB0E6415443F4AD5889CD)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
SR3JZpolPo.exe	JoeSecurity_JohnWalkerTexasLoader	Yara detected JohnWalkerTexasLoader	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000002.00000000.1280833003.000002741E902000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_JohnWalkerTexasLoader	Yara detected JohnWalkerTexasLoader	Joe Security
00000002.00000002.2535087346.0000027420531000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_JohnWalkerTexasLoader	Yara detected JohnWalkerTexasLoader	Joe Security
Process Memory Space: SR3JZpolPo.exe PID: 3632	JoeSecurity_JohnWalkerTexasLoader	Yara detected JohnWalkerTexasLoader	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
2.0.SR3JZpolPo.exe.2741e900000.0.unpack	JoeSecurity_JohnWalkerTexasLoader	Yara detected JohnWalkerTexasLoader	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SR3JZpolPo.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: SR3JZpolPo.exe

ReversingLabs: Detection: 47%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 97.4% probability

Source: SR3JZpolPo.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\Users\Administrator\Pictures\DiffPatchWpf-main\obj\x64\Release\DiffPatchWpf.pdb source: SR3JZpolPo.exe

Source: global traffic

HTTP traffic detected: GET /api.php?status=1&wallets=0&av=1 HTTP/1.1Host: xilloolli.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /api.php?status=1&wallets=0&av=1 HTTP/1.1Host: xilloolli.comConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: xilloolli.com

Source: SR3JZpolPo.exe, 00000002.00000002.2535087346.0000027420531000.00000004.00000800.00020000.00000000.sdmp, SR3JZpolPo.exe, 00000002.00000002.2535087346.00000274209B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SR3JZpolPo.exe, 00000002.00000002.2535087346.0000027420531000.00000004.00000800.00020000.00000000.sdmp, SR3JZpolPo.exe, 00000002.00000002.2535087346.00000274209B6000.00000004.00000800.00020000.00000000.sdmp, SR3JZpolPo.exe, 00000002.00000002.2535087346.00000274209C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://xilloolli.com
Source: SR3JZpolPo.exe, 00000002.00000002.2535087346.0000027420531000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://xilloolli.com/api-debug.php
Source: SR3JZpolPo.exe, 00000002.00000002.2535087346.0000027420531000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://xilloolli.com/api.php
Source: SR3JZpolPo.exe, 00000002.00000002.2535087346.0000027420804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://xilloolli.com/api.php?status=1&wa
Source: SR3JZpolPo.exe, 00000002.00000002.2535087346.0000027420531000.00000004.00000800.00020000.00000000.sdmp, SR3JZpolPo.exe, 00000002.00000002.2535087346.0000027420804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://xilloolli.com/api.php?status=1&wallets=0&av=1
Source: SR3JZpolPo.exe	String found in binary or memory: http://xilloolli.com/api.phpEhttp://xilloolli.com/api-debug.php
Source: SR3JZpolPo.exe	String found in binary or memory: https://github.com/reproteq/DiffPatchWpf3Copyright
Source: SR3JZpolPo.exe	String found in binary or memory: https://ipinfo.io/country
Source: SR3JZpolPo.exe	String found in binary or memory: https://ipinfo.io/ip
Source: SR3JZpolPo.exe	String found in binary or memory: https://oklibed.com

Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Code function: 2_2_00007FFAAC665DC6	2_2_00007FFAAC665DC6
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Code function: 2_2_00007FFAAC666B72	2_2_00007FFAAC666B72
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Code function: 2_2_00007FFAAC6658C9	2_2_00007FFAAC6658C9
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Code function: 2_2_00007FFAAC661320	2_2_00007FFAAC661320
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Code function: 2_2_00007FFAAC6612FB	2_2_00007FFAAC6612FB
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Code function: 2_2_00007FFAAC6612D1	2_2_00007FFAAC6612D1

Source: SR3JZpolPo.exe

Static PE information: No import functions for PE file found

Source: SR3JZpolPo.exe, 00000002.00000000.1280871233.000002741E924000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenameDiffPatchWpf.exe2 vs SR3JZpolPo.exe
Source: SR3JZpolPo.exe	Binary or memory string: OriginalFilenameDiffPatchWpf.exe2 vs SR3JZpolPo.exe

Source: classification engine

Classification label: mal76.troj.evad.winEXE@1/0@1/1

Source: C:\Users\user\Desktop\SR3JZpolPo.exe

Mutant created: NULL

Source: SR3JZpolPo.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: SR3JZpolPo.exe

Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%

Source: C:\Users\user\Desktop\SR3JZpolPo.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SR3JZpolPo.exe

ReversingLabs: Detection: 47%

Source: SR3JZpolPo.exe

String found in binary or memory: EHH-ADD!IJJoEHH5JKK

Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Section loaded: msvcp140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Section loaded: msctfui.dll	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Section loaded: uiautomationcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Section loaded: d3dcompiler_47.dll	Jump to behavior

Source: C:\Users\user\Desktop\SR3JZpolPo.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\SR3JZpolPo.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: SR3JZpolPo.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SR3JZpolPo.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: SR3JZpolPo.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: SR3JZpolPo.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: C:\Users\Administrator\Pictures\DiffPatchWpf-main\obj\x64\Release\DiffPatchWpf.pdb source: SR3JZpolPo.exe

Source: SR3JZpolPo.exe

Static PE information: 0x8D227D3E [Thu Jan 12 15:29:02 2045 UTC]

Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Code function: 2_2_00007FFAAC54D2A5 pushad ; iretd		2_2_00007FFAAC54D2A6
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Code function: 2_2_00007FFAAC66849B push E95BE9CAh; ret		2_2_00007FFAAC6684A9

Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries memory information (via WMI often done to detect virtual machines)

Source: C:\Users\user\Desktop\SR3JZpolPo.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PhysicalMemory

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Source: C:\Users\user\Desktop\SR3JZpolPo.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PhysicalMemory

Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Memory allocated: 2741EC70000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Memory allocated: 27438530000 memory reserve \| memory write watch			Jump to behavior

Source: SR3JZpolPo.exe, 00000002.00000002.2536795766.0000027438E0F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware Virtual RAM
Source: SR3JZpolPo.exe, 00000002.00000002.2536795766.0000027438E0F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: calMemoryPhysical Memory 0Win32_PhysicalMemoryPhysical MemoryPhysical MemoryPhysical MemoryRAM slot #0RAM slot #0VMware Virtual RAM00000001VMW-4096MBLMEM
Source: SR3JZpolPo.exe, 00000002.00000002.2536795766.0000027438DE8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_PhysicalMemoryPhysical Memory 0Win32_PhysicalMemoryPhysical MemoryPhysical MemoryPhysical MemoryRAM slot #0RAM slot #0VMware Virtual RAM00000001VMW-4096MBo
Source: SR3JZpolPo.exe, 00000002.00000002.2538132368.000002743D2C7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\SR3JZpolPo.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\SR3JZpolPo.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Queries volume information: C:\Users\user\Desktop\SR3JZpolPo.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemXml\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemXml.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationProvider\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationProvider.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SR3JZpolPo.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\SR3JZpolPo.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: SR3JZpolPo.exe, 00000002.00000002.2538132368.000002743D2C7000.00000004.00000020.00020000.00000000.sdmp, SR3JZpolPo.exe, 00000002.00000002.2534257717.000002741EB82000.00000004.00000020.00020000.00000000.sdmp, SR3JZpolPo.exe, 00000002.00000002.2537637555.000002743B40D000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\SR3JZpolPo.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected JohnWalkerTexasLoader

Source: Yara match	File source: SR3JZpolPo.exe, type: SAMPLE
Source: Yara match	File source: 2.0.SR3JZpolPo.exe.2741e900000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000000.1280833003.000002741E902000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2535087346.0000027420531000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SR3JZpolPo.exe PID: 3632, type: MEMORYSTR

Remote Access Functionality

Yara detected JohnWalkerTexasLoader

Source: Yara match	File source: SR3JZpolPo.exe, type: SAMPLE
Source: Yara match	File source: 2.0.SR3JZpolPo.exe.2741e900000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000000.1280833003.000002741E902000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2535087346.0000027420531000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SR3JZpolPo.exe PID: 3632, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	21 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Virtualization/Sandbox Evasion	OS Credential Dumping	221 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	11 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	12 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Timestomp	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SR3JZpolPo.exe	47%	ReversingLabs	ByteCode-MSIL.Trojan.Walgentz
SR3JZpolPo.exe	100%	Avira	TR/Agent.pkavf

Source	Detection	Scanner	Label	Link
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
xilloolli.com	188.114.97.3	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://xilloolli.com/api.php?status=1&wallets=0&av=1	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://xilloolli.com/api.php?status=1&wa	SR3JZpolPo.exe, 00000002.00000002.2535087346.0000027420804000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://ipinfo.io/country	SR3JZpolPo.exe	false		unknown
http://xilloolli.com/api.phpEhttp://xilloolli.com/api-debug.php	SR3JZpolPo.exe	false		unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	SR3JZpolPo.exe, 00000002.00000002.2535087346.0000027420531000.00000004.00000800.00020000.00000000.sdmp, SR3JZpolPo.exe, 00000002.00000002.2535087346.00000274209B6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://xilloolli.com/api-debug.php	SR3JZpolPo.exe, 00000002.00000002.2535087346.0000027420531000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://xilloolli.com	SR3JZpolPo.exe, 00000002.00000002.2535087346.0000027420531000.00000004.00000800.00020000.00000000.sdmp, SR3JZpolPo.exe, 00000002.00000002.2535087346.00000274209B6000.00000004.00000800.00020000.00000000.sdmp, SR3JZpolPo.exe, 00000002.00000002.2535087346.00000274209C9000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://xilloolli.com/api.php	SR3JZpolPo.exe, 00000002.00000002.2535087346.0000027420531000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://oklibed.com	SR3JZpolPo.exe	false		unknown
https://github.com/reproteq/DiffPatchWpf3Copyright	SR3JZpolPo.exe	false		unknown
https://ipinfo.io/ip	SR3JZpolPo.exe	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.97.3	xilloolli.com	European Union		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1542942
Start date and time:	2024-10-26 22:46:50 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SR3JZpolPo.exe renamed because original name is a hash value
Original Sample Name:	8c798159c3a931358b6893cf0ac112a99f4723c8.exe
Detection:	MAL
Classification:	mal76.troj.evad.winEXE@1/0@1/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 30 Number of non-executed functions: 8
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target SR3JZpolPo.exe, PID 3632 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: SR3JZpolPo.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.97.3	5Z1WFRMTOXRH6X21Z8NU8.exe	Get hash	malicious	Unknown	Browse	artvisions-autoinsider.com/8bkjdSdfjCe/index.php
	PO 4800040256.exe	Get hash	malicious	FormBook	Browse	www.cc101.pro/4hfb/
	QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/cDXpxO66/download
	Instruction_1928.pdf.lnk.download.lnk	Get hash	malicious	LummaC	Browse	tech-tribune.shop/pLQvfD4d5/index.php
	WBCDZ4Z3M2667YBDZ5K4.bin.exe	Get hash	malicious	Unknown	Browse	tech-tribune.shop/pLQvfD4d5/index.php
	yGktPvplJn.exe	Get hash	malicious	Pushdo	Browse	www.rs-ag.com/
	https://is.gd/6NgVrQ	Get hash	malicious	HTMLPhisher	Browse	aa.opencompanies.co.uk/vEXJm/
	Comprobante de pago.xlam.xlsx	Get hash	malicious	Unknown	Browse	paste.ee/d/KXy1F
	01YP9Lwum8.exe	Get hash	malicious	DCRat	Browse	77777cm.nyashtyan.in/externalpipejsprocessAuthapiDbtrackWordpressCdn.php
	PO-000041522.exe	Get hash	malicious	FormBook	Browse	www.freedietbuilder.online/nnla/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
xilloolli.com	DBUfLVzZhf.exe	Get hash	malicious	JohnWalkerTexasLoader	Browse	188.114.96.3
	R5AREmpD4S.exe	Get hash	malicious	JohnWalkerTexasLoader	Browse	188.114.96.3
	MHQMJCOxjl.exe	Get hash	malicious	JohnWalkerTexasLoader	Browse	188.114.97.3
	73OPQbICEW.exe	Get hash	malicious	JohnWalkerTexasLoader	Browse	188.114.96.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	DBUfLVzZhf.exe	Get hash	malicious	JohnWalkerTexasLoader	Browse	188.114.96.3
	R5AREmpD4S.exe	Get hash	malicious	JohnWalkerTexasLoader	Browse	188.114.96.3
	MHQMJCOxjl.exe	Get hash	malicious	JohnWalkerTexasLoader	Browse	188.114.97.3
	73OPQbICEW.exe	Get hash	malicious	JohnWalkerTexasLoader	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	104.21.95.91
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	172.67.170.64
	7950COPY.exe	Get hash	malicious	FormBook	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	GK059kPZ5B.exe	Get hash	malicious	Stealc	Browse	172.67.179.207
	TP77MvSzt2.exe	Get hash	malicious	Stealc	Browse	104.21.56.70

File type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):	3.839856571614485
TrID:	Win64 Executable GUI Net Framework (217006/5) 49.88% Win64 Executable GUI (202006/5) 46.43% Win64 Executable (generic) (12005/4) 2.76% Generic Win/DOS Executable (2004/3) 0.46% DOS Executable Generic (2002/1) 0.46%
File name:	SR3JZpolPo.exe
File size:	235'008 bytes
MD5:	1df7578e410bb0e6415443f4ad5889cd
SHA1:	8c798159c3a931358b6893cf0ac112a99f4723c8
SHA256:	d388566fa25f7f0c4ede9eede268b3b027daba62d2319c315d39374358037c24
SHA512:	ee0d841c72a87be578b105e73b6dccbaedd470368c46d3a9a584e4cb647331f21deacb519b49f31d6e8d6c4b88c905afb9d2a83161b5660fe888bc530285527a
SSDEEP:	768:s/KcA8cwAfZR6jTcyU6GIm6q/ugg0Apk/OIaEyEb3GOd53BRnW2i38SmFhgzgg0X:fwSXU1BBjzApoeP9zhpmy
TLSH:	8E34C5ABE32F6809CD2A32F1C8E443B45E605F116E10D6F964BDF2D5123499BFD189AC
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...>}"..........."...0.................. .....@..... ....................................`...@......@............... .....

File Icon


Icon Hash:	1761174505056997

Static PE Info

General

Entrypoint:	0x140000000
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x8D227D3E [Thu Jan 12 15:29:02 2045 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x24000	0x18ca8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x2243c	0x38	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x204df	0x20600	6aec3c9709d18c4c34d1726f3c85bb63	False	0.17729699565637067	data	4.265481202089609	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x24000	0x18ca8	0x18e00	d46f216a7dfee89a5dd1ba2c032f2ffe	False	0.10476209170854271	data	3.1344838579936667	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x24180	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	0.3962765957446808
RT_ICON	0x245f8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	0.23381801125703564
RT_ICON	0x256b0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	0.23278008298755187
RT_ICON	0x27c68	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	0.12133915918752952
RT_ICON	0x2bea0	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	0.06113214243463859
RT_GROUP_ICON	0x3c6d8	0x4c	data	0.75
RT_VERSION	0x3c734	0x374	data	0.416289592760181
RT_MANIFEST	0x3cab8	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 26, 2024 22:47:50.043335915 CEST	49699	80	192.168.2.7	188.114.97.3
Oct 26, 2024 22:47:50.048825026 CEST	80	49699	188.114.97.3	192.168.2.7
Oct 26, 2024 22:47:50.048964024 CEST	49699	80	192.168.2.7	188.114.97.3
Oct 26, 2024 22:47:50.050508022 CEST	49699	80	192.168.2.7	188.114.97.3
Oct 26, 2024 22:47:50.055932045 CEST	80	49699	188.114.97.3	192.168.2.7
Oct 26, 2024 22:47:51.117850065 CEST	80	49699	188.114.97.3	192.168.2.7
Oct 26, 2024 22:47:51.165055990 CEST	49699	80	192.168.2.7	188.114.97.3
Oct 26, 2024 22:49:31.139292002 CEST	49699	80	192.168.2.7	188.114.97.3
Oct 26, 2024 22:49:31.377965927 CEST	80	49699	188.114.97.3	192.168.2.7
Oct 26, 2024 22:49:31.378154993 CEST	49699	80	192.168.2.7	188.114.97.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 26, 2024 22:47:49.972908974 CEST	61300	53	192.168.2.7	1.1.1.1
Oct 26, 2024 22:47:50.030539989 CEST	53	61300	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 26, 2024 22:47:49.972908974 CEST	192.168.2.7	1.1.1.1	0x1d3f	Standard query (0)	xilloolli.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 26, 2024 22:47:50.030539989 CEST	1.1.1.1	192.168.2.7	0x1d3f	No error (0)	xilloolli.com		188.114.97.3	A (IP address)	IN (0x0001)	false
Oct 26, 2024 22:47:50.030539989 CEST	1.1.1.1	192.168.2.7	0x1d3f	No error (0)	xilloolli.com		188.114.96.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

xilloolli.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49699	188.114.97.3	80	3632	C:\Users\user\Desktop\SR3JZpolPo.exe

Timestamp	Bytes transferred	Direction	Data
Oct 26, 2024 22:47:50.050508022 CEST	94	OUT	GET /api.php?status=1&wallets=0&av=1 HTTP/1.1 Host: xilloolli.com Connection: Keep-Alive
Oct 26, 2024 22:47:51.117850065 CEST	752	IN	HTTP/1.1 200 OK Date: Sat, 26 Oct 2024 20:47:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RtGE2M5zrzhxIGPXpA2ucgbZNMZ3Dt3NO4ebcCWmufxSe7qcN4GvyFPOaaGwSRwJWd%2F1aq4vQJD4eV6HuaTNoHUlsOGNlYUjRagWSS72GgRfro18PIt2BCe5%2BxoDnK3f"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d8d4dc52c424635-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1222&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=94&delivery_rate=0&cwnd=246&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	2
Start time:	16:47:47
Start date:	26/10/2024
Path:	C:\Users\user\Desktop\SR3JZpolPo.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\SR3JZpolPo.exe"
Imagebase:	0x2741e900000
File size:	235'008 bytes
MD5 hash:	1DF7578E410BB0E6415443F4AD5889CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_JohnWalkerTexasLoader, Description: Yara detected JohnWalkerTexasLoader, Source: 00000002.00000000.1280833003.000002741E902000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_JohnWalkerTexasLoader, Description: Yara detected JohnWalkerTexasLoader, Source: 00000002.00000002.2535087346.0000027420531000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Function 00007FFAAC665DC6 Relevance: .5, Instructions: 474COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2540347376.00007FFAAC660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaac660000_SR3JZpolPo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6db33cff9880f4fbf456409f66d080ea6d9ea8e184de1fe382c8e9370ba95a4e
Instruction ID: 27908fe5a9129bc1f61276fe6ab146a5a449913fabf267f2132070a3733869df
Opcode Fuzzy Hash: 6db33cff9880f4fbf456409f66d080ea6d9ea8e184de1fe382c8e9370ba95a4e
Instruction Fuzzy Hash: 26F1A370908A8D8FEBA9DF28D8567E977D1FF55300F04926EE84DC7291CB34E9458B81

Function 00007FFAAC666B72 Relevance: .5, Instructions: 460COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2540347376.00007FFAAC660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaac660000_SR3JZpolPo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96fe847307314f06c9151ed1fdac1ddc450362c3555925608975c8178a7666f8
Instruction ID: b87036ad3e7e28059b925e54ab6fb22cc01b0622e1a08d0f10731e455d4872e5
Opcode Fuzzy Hash: 96fe847307314f06c9151ed1fdac1ddc450362c3555925608975c8178a7666f8
Instruction Fuzzy Hash: F6E1C030909A8D8FEBA9DF28D8567E977E1EF55310F04826EE84DC7291CE74E8458BC1

Function 00007FFAAC6703F1 Relevance: 31.9, Strings: 25, Instructions: 620COMMON

Download Yara Rule

Strings

x"U0, xrefs: 00007FFAAC6709BB
p+U0, xrefs: 00007FFAAC67056D
P+U0, xrefs: 00007FFAAC670708
P+U0, xrefs: 00007FFAAC670505
h+U0, xrefs: 00007FFAAC670553
X+U0, xrefs: 00007FFAAC67051F
8+U0, xrefs: 00007FFAAC6704B7
`+U0, xrefs: 00007FFAAC670539
0+U0, xrefs: 00007FFAAC670684
X+U0, xrefs: 00007FFAAC670729
x+U0, xrefs: 00007FFAAC670587
H+U0, xrefs: 00007FFAAC6706E7
8+U0, xrefs: 00007FFAAC6706A5
h+U0, xrefs: 00007FFAAC67076B
x+U0, xrefs: 00007FFAAC6707AD
+U0, xrefs: 00007FFAAC670642
0+U0, xrefs: 00007FFAAC67049D
@+U0, xrefs: 00007FFAAC6704D1
+U0, xrefs: 00007FFAAC67046C
p+U0, xrefs: 00007FFAAC67078C
H+U0, xrefs: 00007FFAAC6704EB
(+U0, xrefs: 00007FFAAC670663
`+U0, xrefs: 00007FFAAC67074A
@+U0, xrefs: 00007FFAAC6706C6
(+U0, xrefs: 00007FFAAC670483

Memory Dump Source

Source File: 00000002.00000002.2540347376.00007FFAAC660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaac660000_SR3JZpolPo.jbxd

Similarity

API ID:
String ID: +U0$ +U0$(+U0$(+U0$0+U0$0+U0$8+U0$8+U0$@+U0$@+U0$H+U0$H+U0$P+U0$P+U0$X+U0$X+U0$`+U0$`+U0$h+U0$h+U0$p+U0$p+U0$x"U0$x+U0$x+U0
API String ID: 0-183780905
Opcode ID: 96dd8f7f259d857d006e758254d958d77ff0b310960af5dcee71dd30e284a5c3
Instruction ID: 703687a8769603ef229ba38ff78ae61a0f220f4e136d44c3667f6f67c4da6253
Opcode Fuzzy Hash: 96dd8f7f259d857d006e758254d958d77ff0b310960af5dcee71dd30e284a5c3
Instruction Fuzzy Hash: C6127C51A0D5498FF74D9B6C9060B75BAC2EF9B380F1895BAE04EC72E7CC18EC4A4365

Function 00007FFAAC6709E1 Relevance: 4.0, Strings: 3, Instructions: 299COMMON

Download Yara Rule

Strings

+U0, xrefs: 00007FFAAC670A80
+U0, xrefs: 00007FFAAC670AA1
x"U0, xrefs: 00007FFAAC670C3C

Memory Dump Source

Source File: 00000002.00000002.2540347376.00007FFAAC660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaac660000_SR3JZpolPo.jbxd

Similarity

API ID:
String ID: x"U0$+U0$+U0
API String ID: 0-2357848508
Opcode ID: 683bfd748492e4421ee10039f26b56d5aed38a1aab8bf5b9db3330d2c2b5c298
Instruction ID: f59b2307536e19f9670fd54e5621709c8133c74ad41ce2cffc9d5ea3300b2a0e
Opcode Fuzzy Hash: 683bfd748492e4421ee10039f26b56d5aed38a1aab8bf5b9db3330d2c2b5c298
Instruction Fuzzy Hash: 0F91A061A0D9598FFB8AD72CD4516B8B7D2EF9A340F0465BAD00DC72D3CD29EC4A8391

Function 00007FFAAC667F9D Relevance: 3.9, Strings: 3, Instructions: 159COMMON

Download Yara Rule

Strings

ZS0, xrefs: 00007FFAAC668002
[S0, xrefs: 00007FFAAC668109
ZS0, xrefs: 00007FFAAC66801E

Memory Dump Source

Source File: 00000002.00000002.2540347376.00007FFAAC660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaac660000_SR3JZpolPo.jbxd

Similarity

API ID:
String ID: [S0$ZS0$ZS0
API String ID: 0-815626831
Opcode ID: 0e0dbb8770a8e2ec960293dcd0880d0ee15f8948d6c4ca584debc4bb32e51ba7
Instruction ID: 0cf3bf0ae6dc86e6b9a4171c1cdf16c306181760d78427398f20047548e72a8e
Opcode Fuzzy Hash: 0e0dbb8770a8e2ec960293dcd0880d0ee15f8948d6c4ca584debc4bb32e51ba7
Instruction Fuzzy Hash: C9518F55D0E68A8FF78EDB3884645A5AFE1AF57340B09A4F3C44DCA1E7DE28AC4C8354

Function 00007FFAAC6702CD Relevance: 1.4, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

ZS0, xrefs: 00007FFAAC670325

Memory Dump Source

Source File: 00000002.00000002.2540347376.00007FFAAC660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaac660000_SR3JZpolPo.jbxd

Similarity

API ID:
String ID: ZS0
API String ID: 0-4248540203
Opcode ID: d59cb4a09e0452bbf1f019af07392f3676bc35ccb68fd45e17cb6c5b3a1b8244
Instruction ID: bb459f0f1b06dfbbc4c4d8795c36c8448743bd38c77e7353025ae2a4b11a5ed9
Opcode Fuzzy Hash: d59cb4a09e0452bbf1f019af07392f3676bc35ccb68fd45e17cb6c5b3a1b8244
Instruction Fuzzy Hash: 38411861E0DA5A8FF78AE76884166B9BBD1FF56300F4466B7E00DC72D3DD18AC084391

Function 00007FFAAC66C20A Relevance: 1.3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

Strings

^, xrefs: 00007FFAAC66C22A

Memory Dump Source

Source File: 00000002.00000002.2540347376.00007FFAAC660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaac660000_SR3JZpolPo.jbxd

Similarity

API ID:
String ID: ^
API String ID: 0-1590793086
Opcode ID: 1e04dacc8ee32b44c85d691e7ac3a6eba725c436158bd139104821ba2db824fb
Instruction ID: 5f06bfa7c96d7cf3b92cdae69ee1d66058204228d0c5fbbcc9e28d4ff9fa62a4
Opcode Fuzzy Hash: 1e04dacc8ee32b44c85d691e7ac3a6eba725c436158bd139104821ba2db824fb
Instruction Fuzzy Hash: 4D01F53190855887EB29BFBCA8095FB7FD4EF46325F04517AE54DC6153DF28941682C8

Function 00007FFAAC66C868 Relevance: 1.3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

Strings

\M_L, xrefs: 00007FFAAC66C873

Memory Dump Source

Source File: 00000002.00000002.2540347376.00007FFAAC660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaac660000_SR3JZpolPo.jbxd

Similarity

API ID:
String ID: \M_L
API String ID: 0-2593406389
Opcode ID: 99eebc18349f74a3e79f7b744c59f6892d9365d60ff217b7a5ac28fe22defba9
Instruction ID: 6c87b5031e035b276ae9a6625224a12c8b76bed5ee2cd5532d1f86336aeeae24
Opcode Fuzzy Hash: 99eebc18349f74a3e79f7b744c59f6892d9365d60ff217b7a5ac28fe22defba9
Instruction Fuzzy Hash: 6201D471B0CD189FEB59DB5CA8115B8B7E1EB9A740B04616BD00EC7392DD10EC0583C1

Function 00007FFAAC66F44D Relevance: 1.3, Strings: 1, Instructions: 53COMMON

Download Yara Rule

Strings

(U0, xrefs: 00007FFAAC66F41B

Memory Dump Source

Source File: 00000002.00000002.2540347376.00007FFAAC660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaac660000_SR3JZpolPo.jbxd

Similarity

API ID:
String ID: (U0
API String ID: 0-4229205907
Opcode ID: 518a8792fdd3dbc884d33081c5f9c9eccf9db87262addc0e7b71ffbed2ca8302
Instruction ID: be27f9cbe74c17e1f12bbd7c240bfa025aecfa75407c4078a4f05c7b6f5e6751
Opcode Fuzzy Hash: 518a8792fdd3dbc884d33081c5f9c9eccf9db87262addc0e7b71ffbed2ca8302
Instruction Fuzzy Hash: 0901A565D0E6899FE74AD72484155F8BFE0EF5A340F04A4B6D40DCB1A3DD28A9084392

Function 00007FFAAC668125 Relevance: 1.3, Strings: 1, Instructions: 51COMMON

Download Yara Rule

Strings

[S0, xrefs: 00007FFAAC668109

Memory Dump Source

Source File: 00000002.00000002.2540347376.00007FFAAC660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaac660000_SR3JZpolPo.jbxd

Similarity

API ID:
String ID: [S0
API String ID: 0-1456508744
Opcode ID: c970f17d20a036bf5d3036bd2c69daebfbda0e2ac84bcab8893b41d28c5c7d6d
Instruction ID: e77ca33b2e333b25e0880c5d14d2e6a674f3c87224fe750525a4e9acc9e14f6f
Opcode Fuzzy Hash: c970f17d20a036bf5d3036bd2c69daebfbda0e2ac84bcab8893b41d28c5c7d6d
Instruction Fuzzy Hash: D8018E56D0E7C68FE35B873888215A5BFE0AF57250B0D94F3C49CCA0D3DA1C98098392

Function 00007FFAAC666786 Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2540347376.00007FFAAC660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaac660000_SR3JZpolPo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12ab48da5fc8a298f562444579da55383fb9823b1b3707aaf83c5d4c469a4a8a
Instruction ID: ca7a66d112decb2905ed511fb0b618cb3d01c5f42bda6a0a4e5f8d2f2df1253a
Opcode Fuzzy Hash: 12ab48da5fc8a298f562444579da55383fb9823b1b3707aaf83c5d4c469a4a8a
Instruction Fuzzy Hash: F3B1C570508A4D8FEB69DF28D8557E97BE1FF55310F04926EE84EC7292CA34E845CB82

Function 00007FFAAC6626DF Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2540347376.00007FFAAC660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaac660000_SR3JZpolPo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6080bf4caadf7fd7dc432307ba6b4df40779bf62ef3a32c9b94d9efb0e1d730
Instruction ID: 6f0d95cbdcb82e80346df694051e10db5ae97c74288103e18a8377abc30f264c
Opcode Fuzzy Hash: e6080bf4caadf7fd7dc432307ba6b4df40779bf62ef3a32c9b94d9efb0e1d730
Instruction Fuzzy Hash: 1081287190E64A8FF79ADB288855579FFE1EF57340B0461BAD04DC72E2DE28DC4A8381

Function 00007FFAAC66C51F Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2540347376.00007FFAAC660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaac660000_SR3JZpolPo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f1d1989e9deeda38dee5736478f0f97c2fae3f5522314c80d67b86d61510a2b
Instruction ID: 1456c3f3460917af516b40087d8ce1cc6e1dc155a9cc44ee209b33357a3db993
Opcode Fuzzy Hash: 7f1d1989e9deeda38dee5736478f0f97c2fae3f5522314c80d67b86d61510a2b
Instruction Fuzzy Hash: D1612927A0D9659BF31AEB7CB4511F9BF90EF86330B08A5B7D14DC7193CE18A44A42D0

Function 00007FFAAC6636BC Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2540347376.00007FFAAC660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaac660000_SR3JZpolPo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 760d659f88338a8c3574d927aad9b1b2197ce476e3089e1a3262e1ea4fc87127
Instruction ID: 760680063c7f68741cd9dbe0cb59387c5804f8da2e305e4afce3809c0cf828f2
Opcode Fuzzy Hash: 760d659f88338a8c3574d927aad9b1b2197ce476e3089e1a3262e1ea4fc87127
Instruction Fuzzy Hash: 57518170908A5C8FEB59DF68D845BE9BBF1FB59310F1082AAD04DD3252DE34A9858FC1

Function 00007FFAAC6616C5 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2540347376.00007FFAAC660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaac660000_SR3JZpolPo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11dbba44ff7a587e8726ed13133c004bf5bb39eb2c8d05077d1f5e60315058bb
Instruction ID: 79276afc6e85d9bc13c69b2e8ba05360ed590c80a8e1816ebba5e184d37d4f1a
Opcode Fuzzy Hash: 11dbba44ff7a587e8726ed13133c004bf5bb39eb2c8d05077d1f5e60315058bb
Instruction Fuzzy Hash: 7C51A761A0DA898FF79ED76884656B9FBD1EF56300F1891BAD04DC72D3DD18EC098381

Function 00007FFAAC661732 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2540347376.00007FFAAC660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaac660000_SR3JZpolPo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08f45a37da4d0aabccc5a52f6d11df1142616aa31723e9856499c35f435c74af
Instruction ID: 54959c4cc71c5cf07381b175a1bb4a78423f9f9af18c02946bc1d83b5ee3263c
Opcode Fuzzy Hash: 08f45a37da4d0aabccc5a52f6d11df1142616aa31723e9856499c35f435c74af
Instruction Fuzzy Hash: 4951C261A0DA898FF78EE72884656B9FBD1EF56300F1890BAD04DC72D3DD18ED098391

Function 00007FFAAC66C6F0 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2540347376.00007FFAAC660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaac660000_SR3JZpolPo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72e063939b854359e21f016759e2d9b99547a495ba1440213713260f17799887
Instruction ID: 1494d531ab7e34f94b7e33c4225cdc65151fd9fdf989544214f7391b9b232988
Opcode Fuzzy Hash: 72e063939b854359e21f016759e2d9b99547a495ba1440213713260f17799887
Instruction Fuzzy Hash: 6551D171E09E199FF7A9DF6C98455B9BBE1EF5A350B04627AD00DC32A2DE24AC0583D0

Function 00007FFAAC66B494 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2540347376.00007FFAAC660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaac660000_SR3JZpolPo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e51485560f4ef71348917cac143abc4ec8452da71eda29909f3bc0f2176926d5
Instruction ID: 1b8d0c333530ba3cb7a84521cd55d501829f0e95c170928f64512d288ffeecc9
Opcode Fuzzy Hash: e51485560f4ef71348917cac143abc4ec8452da71eda29909f3bc0f2176926d5
Instruction Fuzzy Hash: F0512E7090DB8C8FDB58DF58D889AA9BBE0FBA9311F10412EE54DC3252CB71A445CB91

Function 00007FFAAC6627D8 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2540347376.00007FFAAC660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaac660000_SR3JZpolPo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0cde54f81281496eb1f6e5e8f5bd8a2a6ec5cf2fdb9df4b4ed3895c5e612011
Instruction ID: 165849faa72906ab72ea63a1d22a110f3192a69616ec0025a43443d60b2b4fa6
Opcode Fuzzy Hash: b0cde54f81281496eb1f6e5e8f5bd8a2a6ec5cf2fdb9df4b4ed3895c5e612011
Instruction Fuzzy Hash: A741B571E1990E8FF799EB2884556B9F7E1FF99301B0491BAD40DD3291DE28DC4987C0

Function 00007FFAAC54E2D2 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2539892211.00007FFAAC54D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC54D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaac54d000_SR3JZpolPo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cef5eca2a3aecf1c5dd63ebc8a7905fae24c051e91912dddda93f8d315066eb
Instruction ID: 19eae39d132e20b6c4145d2e248f06e464a76b852e4dcc66f1cea8b6e415d139
Opcode Fuzzy Hash: 6cef5eca2a3aecf1c5dd63ebc8a7905fae24c051e91912dddda93f8d315066eb
Instruction Fuzzy Hash: D141F33144DBC48FE3568B29D8469627FF5EF43220B0501EFE08CCB1A3D665A84AC792

Function 00007FFAAC660775 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2540347376.00007FFAAC660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaac660000_SR3JZpolPo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab4bd2aaa9ac3378e5fb18beb418701c3d136d5b6731f99a345058cf1c170495
Instruction ID: 26b899c5311f4ff1e1b286c6216bdb3394864e6e4c1cd55a6fb846c1eff13414
Opcode Fuzzy Hash: ab4bd2aaa9ac3378e5fb18beb418701c3d136d5b6731f99a345058cf1c170495
Instruction Fuzzy Hash: 4341AE6294E6D64EE31B837C98A40A47F90DF9326470A61FBC1D88F0A3ED18584B83D6

Function 00007FFAAC66D8D9 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2540347376.00007FFAAC660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaac660000_SR3JZpolPo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a28506755077f0280981c914c0f3d0d6b785e1629fae2505f55de6295d04d4f
Instruction ID: b60ab5d8710f256c6cff1457e5b859cb86b7ec4cd511a986a404a946a2865384
Opcode Fuzzy Hash: 2a28506755077f0280981c914c0f3d0d6b785e1629fae2505f55de6295d04d4f
Instruction Fuzzy Hash: 6931F57190CA4D8FEB59DB6CD849AE9BBE1FF56310F04826ED04DD7692CA24E40587C1

Function 00007FFAAC66F48D Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2540347376.00007FFAAC660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaac660000_SR3JZpolPo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5092b570ea42dd52a330300b4dc824fd63817582b519be543d98f8e0bdb7b041
Instruction ID: 75ba8d8302bb29174809e5fca6a5d587d7f26a9c9dfa1455f81791e927338932
Opcode Fuzzy Hash: 5092b570ea42dd52a330300b4dc824fd63817582b519be543d98f8e0bdb7b041
Instruction Fuzzy Hash: 45412B70A0864C8FDB58DF98D455BEDBBB1FB59310F00816ED00ED7252DB75A585CB81

Function 00007FFAAC662598 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2540347376.00007FFAAC660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaac660000_SR3JZpolPo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c6db040fb3b0e3c700df7fb7246564322eee1bb7a9976f14ce8c5650d4cd9d1
Instruction ID: 67561222f0e82fe2dce4c6bce307a1bbdfc5c00722365a2cace14fa703b4197f
Opcode Fuzzy Hash: 9c6db040fb3b0e3c700df7fb7246564322eee1bb7a9976f14ce8c5650d4cd9d1
Instruction Fuzzy Hash: A0316261A0D5064BFB99F738C018BB8A7D1AF56341F15A0F6D40DCB1D3ED299C8A43A1

Function 00007FFAAC66D825 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2540347376.00007FFAAC660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaac660000_SR3JZpolPo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 170d07695bf7fe7be6cad8e1be728d8a37dd7ab3bbaf2f563e5379ee4cfa42e1
Instruction ID: 7e910c542c83e8ae794512b7887a7f7a8a21c9da0c22894ed6653a4094b0b05d
Opcode Fuzzy Hash: 170d07695bf7fe7be6cad8e1be728d8a37dd7ab3bbaf2f563e5379ee4cfa42e1
Instruction Fuzzy Hash: 8B31D452A0EA894FE39AD73C8859675BFD1DB96250B0891FBD44DCB2E3DC18DC4983C1

Function 00007FFAAC66D528 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2540347376.00007FFAAC660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaac660000_SR3JZpolPo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c07b764195709c382bbc32069fcc21824d7174f109433fe9d01c1fe4f7f8d41f
Instruction ID: 4cbb443a565af752bd75f51094759639c407f9c08357c4d28dd8f29a650bcf3e
Opcode Fuzzy Hash: c07b764195709c382bbc32069fcc21824d7174f109433fe9d01c1fe4f7f8d41f
Instruction Fuzzy Hash: 1141CE91D0F9E6A6FA0FBBB654620B9B9919F53345F94B07AF09D090C3CC0CE40D92E6

Function 00007FFAAC66CA30 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2540347376.00007FFAAC660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaac660000_SR3JZpolPo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2294b1c1c0d710ccdf9f6854c90f5bfed22a47fbd07c8efc4f5c3f468b12be7
Instruction ID: 7d0f9b030c72ff69f7f7a44b9668bcba7972f5e09ce8e503925e778f9af0bd52
Opcode Fuzzy Hash: c2294b1c1c0d710ccdf9f6854c90f5bfed22a47fbd07c8efc4f5c3f468b12be7
Instruction Fuzzy Hash: E0F0495280E7E18FE31B877418260A07F605B03240B0E60EBC488DB0E3D40CAC8883A3

Function 00007FFAAC66D0F1 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2540347376.00007FFAAC660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaac660000_SR3JZpolPo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 932edba2176ce70c24adaf82abbf358ef49acbbcb6ac82074a52b979e78a6fb7
Instruction ID: a5cf42f2df2608901e2d5a3a8dd13027048cdce94cbf04189628143e2135e4a6
Opcode Fuzzy Hash: 932edba2176ce70c24adaf82abbf358ef49acbbcb6ac82074a52b979e78a6fb7
Instruction Fuzzy Hash: DCF044B184E7C18FF3169B209C27191BFA0BB52210F0992ABD08C4B1D2D75D950D8741

Function 00007FFAAC66CA19 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2540347376.00007FFAAC660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaac660000_SR3JZpolPo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d8098cfd9a951248ffe0f8f69610d01c4fb0b8c94a1db64f3ec505e420c7bec
Instruction ID: b3947a9c4cc3d1f52ce02125df93d36781c48fd70bd6766b598364b5bcced9ba
Opcode Fuzzy Hash: 7d8098cfd9a951248ffe0f8f69610d01c4fb0b8c94a1db64f3ec505e420c7bec
Instruction Fuzzy Hash: E9F0E941D1DE629BF76DEA5D14562B0B980E742350F4C7076D84CD75D7D84CACC803D2

Function 00007FFAAC66C540 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2540347376.00007FFAAC660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaac660000_SR3JZpolPo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4c2aaad873bdfc9f5d4d119500f8aad3854da4860cb90caa059a954990fca57
Instruction ID: 26792c489183d4ba504a79a3dadc9a7e08d436cf7901e29bb24884e565da06aa
Opcode Fuzzy Hash: e4c2aaad873bdfc9f5d4d119500f8aad3854da4860cb90caa059a954990fca57
Instruction Fuzzy Hash: 05E08600F5AD4657F74EEA6E0C59274BDC2DB9A750FD8B075D40DC62D1EC49DC9801C5

Non-executed Functions

Function 00007FFAAC6612FB Relevance: 1.4, Strings: 1, Instructions: 176COMMON

Download Yara Rule

Strings

1N_^, xrefs: 00007FFAAC661301

Memory Dump Source

Source File: 00000002.00000002.2540347376.00007FFAAC660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaac660000_SR3JZpolPo.jbxd

Similarity

API ID:
String ID: 1N_^
API String ID: 0-2720521594
Opcode ID: 110da0a23d24a01f14e2126e0722e934afa4edd74179c540b99dbc873dc38bf0
Instruction ID: 5443a7b6c21425ea603e50fbbd68009cda02462e146899c4f9d3eaf413135571
Opcode Fuzzy Hash: 110da0a23d24a01f14e2126e0722e934afa4edd74179c540b99dbc873dc38bf0
Instruction Fuzzy Hash: A651726790E7E28BE717973C98A51D1BFA0DF1327970951F7C2C9CF0A3D904A80A8392

Function 00007FFAAC6658C9 Relevance: .4, Instructions: 411COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2540347376.00007FFAAC660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaac660000_SR3JZpolPo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93a24644639dd89aebf0c11d36755076c24e996a418a890bb063d20fd89c539a
Instruction ID: 6e9e98e426569e86672f55b7a63750d682b091aab702df2b119b9f61ab86929e
Opcode Fuzzy Hash: 93a24644639dd89aebf0c11d36755076c24e996a418a890bb063d20fd89c539a
Instruction Fuzzy Hash: 18D1C370908A8D8FEFA9DF28C8567E977D1FF55310F04926EE84DC3291CB74A9458B82

Function 00007FFAAC6612D1 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2540347376.00007FFAAC660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaac660000_SR3JZpolPo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffc9e60a889b34c58441aad2fa640e62e040c1c4d2218959e517cf9824eced42
Instruction ID: 7d8eaf10244e826ebd46f02e22169dc76506fdf8f5536ec5741ad9ffda82deee
Opcode Fuzzy Hash: ffc9e60a889b34c58441aad2fa640e62e040c1c4d2218959e517cf9824eced42
Instruction Fuzzy Hash: AF51626790E7E28BE717973C98A11D5BFA0DF5327570951F7C1C98F0A3D904A80A8391

Function 00007FFAAC661320 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2540347376.00007FFAAC660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaac660000_SR3JZpolPo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab8764acae2a00dbb842835e2a9ea87bc6edc87416862882621146cf1fc99e31
Instruction ID: 0d5794405bb8fd0285ceec275d34701b4efbad092a3b7a9aeec640ba246e7a50
Opcode Fuzzy Hash: ab8764acae2a00dbb842835e2a9ea87bc6edc87416862882621146cf1fc99e31
Instruction Fuzzy Hash: D751626790E7E28FE717973C98A51D1BFA0DF1316570951F7C1C9CF4A3D908A80A8392

Function 00007FFAAC66E411 Relevance: 10.2, Strings: 8, Instructions: 151COMMON

Download Yara Rule

Strings

P&U0, xrefs: 00007FFAAC66E48D
`&U0, xrefs: 00007FFAAC66E4DF
p&U0, xrefs: 00007FFAAC66E531
@&U0, xrefs: 00007FFAAC66E43B
h&U0, xrefs: 00007FFAAC66E508
H&U0, xrefs: 00007FFAAC66E464
X&U0, xrefs: 00007FFAAC66E4B6
8&U0, xrefs: 00007FFAAC66E3E1

Memory Dump Source

Source File: 00000002.00000002.2540347376.00007FFAAC660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaac660000_SR3JZpolPo.jbxd

Similarity

API ID:
String ID: 8&U0$@&U0$H&U0$P&U0$X&U0$`&U0$h&U0$p&U0
API String ID: 0-3703584600
Opcode ID: b85d4f67a3d61e484a7f40d1c9ac31f2c5971a06d8816b2a2fac4e3ea0c53b95
Instruction ID: 7d0160538d6d8d41dbf85d7c6eab4ed4ddbe156c7532f00b0116c51e9b77aa2e
Opcode Fuzzy Hash: b85d4f67a3d61e484a7f40d1c9ac31f2c5971a06d8816b2a2fac4e3ea0c53b95
Instruction Fuzzy Hash: 45414164E0EA464FF38ED73885145B5EEE1EF87340B58A0B6E51DCB2E6ED2CAC094351

Function 00007FFAAC66EA35 Relevance: 8.9, Strings: 7, Instructions: 135COMMON

Download Yara Rule

Strings

8'U0, xrefs: 00007FFAAC66EA5B
`'U0, xrefs: 00007FFAAC66EB28
H'U0, xrefs: 00007FFAAC66EAAD
@'U0, xrefs: 00007FFAAC66EA84
X'U0, xrefs: 00007FFAAC66EAFF
0'U0, xrefs: 00007FFAAC66EA03
P'U0, xrefs: 00007FFAAC66EAD6

Memory Dump Source

Source File: 00000002.00000002.2540347376.00007FFAAC660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaac660000_SR3JZpolPo.jbxd

Similarity

API ID:
String ID: 0'U0$8'U0$@'U0$H'U0$P'U0$X'U0$`'U0
API String ID: 0-2140147014
Opcode ID: e3f54ce7ca0fba2c13e611754203524be3273c89d95f0b411b94e5ccdb845eee
Instruction ID: b83d35d9fd244dd6484dd83d5fba2b86d4a99204f737a86206ca9d670d920c9d
Opcode Fuzzy Hash: e3f54ce7ca0fba2c13e611754203524be3273c89d95f0b411b94e5ccdb845eee
Instruction Fuzzy Hash: 6D417554E1E6868FF38ED72885145A1AED1FF9B340B19A0B7D41DCB1E6DD1CAC098351

Function 00007FFAAC66E2D8 Relevance: 5.1, Strings: 4, Instructions: 116COMMON

Download Yara Rule

Strings

(&U0, xrefs: 00007FFAAC66E38F
0&U0, xrefs: 00007FFAAC66E3B8
&U0, xrefs: 00007FFAAC66E366
8&U0, xrefs: 00007FFAAC66E3E1

Memory Dump Source

Source File: 00000002.00000002.2540347376.00007FFAAC660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaac660000_SR3JZpolPo.jbxd

Similarity

API ID:
String ID: &U0$(&U0$0&U0$8&U0
API String ID: 0-2109215330
Opcode ID: d7426943509952f975b949febf396db1a8011b3331c6c59fa6937970bc952a7c
Instruction ID: 807fe10e7b63ebdb285ff62003e0048ec3f3cfa06a854f6e9e44c9f200b57a68
Opcode Fuzzy Hash: d7426943509952f975b949febf396db1a8011b3331c6c59fa6937970bc952a7c
Instruction Fuzzy Hash: AB417364E0E94A4FF78ED72884145A1EED2EF97340B14A0B6E51DCB2E6DD2CBC094391

Function 00007FFAAC668BFA Relevance: 5.1, Strings: 4, Instructions: 111COMMON

Download Yara Rule

Strings

M_^, xrefs: 00007FFAAC668C2A
M_^, xrefs: 00007FFAAC668C6A
M_^, xrefs: 00007FFAAC668C7A
M_^, xrefs: 00007FFAAC668BFA

Memory Dump Source

Source File: 00000002.00000002.2540347376.00007FFAAC660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaac660000_SR3JZpolPo.jbxd

Similarity

API ID:
String ID: M_^$M_^$M_^$M_^
API String ID: 0-1397233021
Opcode ID: 2f4c5c8353846a1bb6ca204ecd2565196884358e087f6595ceb3ff3a73135692
Instruction ID: 26cc95a1950e2489b271a27c6344003809ebc6850e55ad56a0426e3bf0f4e1bd
Opcode Fuzzy Hash: 2f4c5c8353846a1bb6ca204ecd2565196884358e087f6595ceb3ff3a73135692
Instruction Fuzzy Hash: 3D4174D290E7C34EE31793399C58AA57FE0AF63218B4E52F6C4ED861E3EE0954068395

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SR3JZpolPo.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Statistics

CPU Usage

Windows Analysis Report
SR3JZpolPo.exe