Edit tour

Windows Analysis Report
SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe
Analysis ID:	1543086
MD5:	8bc8dfa75b6b62a90785f46221075ed3
SHA1:	f55a2670f6b5945aab4033a66bc035ce0cf10e8d
SHA256:	9db830145716b1d60d3472934f02b289838d8bbef2fd9f50def9f6af6886529c
Tags:	exe
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

AI detected suspicious sample

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Contains functionality for read data from the clipboard

Contains functionality to delete services

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to shutdown / reboot the system

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found large amount of non-executed APIs

May sleep (evasive loops) to hinder dynamic analysis

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe (PID: 4280 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe" MD5: 8BC8DFA75B6B62A90785F46221075ED3)

cmd.exe (PID: 6640 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\Stand Alone CNP\Mongoose\mongoose.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 1892 cmdline: sc stop mongoose MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)

sc.exe (PID: 4140 cmdline: sc stop mongoose MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)

PING.EXE (PID: 4764 cmdline: ping -n 5 127.0.0.1 MD5: B3624DD758CCECF93A1226CEF252CA12)

sc.exe (PID: 5840 cmdline: sc delete mongoose echo 3:27:02.65 MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)

PING.EXE (PID: 3128 cmdline: ping -n 5 127.0.0.1 MD5: B3624DD758CCECF93A1226CEF252CA12)

sc.exe (PID: 5068 cmdline: sc create Mongoose binPath= "c:\Mongoose\mongoose-2.11.exe --" start= auto MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)

PING.EXE (PID: 6532 cmdline: ping -n 5 127.0.0.1 MD5: B3624DD758CCECF93A1226CEF252CA12)

sc.exe (PID: 320 cmdline: sc start mongoose MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)

PING.EXE (PID: 1020 cmdline: ping -n 5 127.0.0.1 MD5: B3624DD758CCECF93A1226CEF252CA12)

mongoose-2.11.exe (PID: 6556 cmdline: c:\Mongoose\mongoose-2.11.exe -- MD5: A494D4D9AC522F13A3FA5E1C2C0CB467)

cleanup

Sigma Signatures

Sigma detected: New Service Creation Using Sc.EXE

Source: Process started

Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: sc create Mongoose binPath= "c:\Mongoose\mongoose-2.11.exe --" start= auto , CommandLine: sc create Mongoose binPath= "c:\Mongoose\mongoose-2.11.exe --" start= auto , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\Stand Alone CNP\Mongoose\mongoose.bat" ", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6640, ParentProcessName: cmd.exe, ProcessCommandLine: sc create Mongoose binPath= "c:\Mongoose\mongoose-2.11.exe --" start= auto , ProcessId: 5068, ProcessName: sc.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 89.9% probability

Source: C:\Mongoose\mongoose-2.11.exe

Code function: 12_2_00410B5F CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,

12_2_00410B5F

Source: SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe

File created: C:\Users\user\AppData\Local\Temp\Stand Alone CNP\Mongoose\readme.txt.txt

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe	Code function: 0_2_00405D07 FindFirstFileA,FindClose,	0_2_00405D07
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe	Code function: 0_2_00405331 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	0_2_00405331
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe	Code function: 0_2_0040263E FindFirstFileA,	0_2_0040263E
Source: C:\Mongoose\mongoose-2.11.exe	Code function: 12_2_0040501B SetLastError,malloc,GetFileAttributesW,wcscat,FindFirstFileW,free,	12_2_0040501B

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\Stand Alone CNP\Mongoose\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\Stand Alone CNP\	Jump to behavior

Networking

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1

Source: C:\Mongoose\mongoose-2.11.exe

Code function: 12_2_004114C1 recv,WSAGetLastError,

12_2_004114C1

Source: mongoose-2.11.exe0.0.dr, mongoose.conf.0.dr, mongoose.conf0.0.dr	String found in binary or memory: http://code.google.com/p/mongoose/wiki/MongooseManual
Source: readme.txt.txt.0.dr	String found in binary or memory: http://localhost/clientaccesspolicy.xml
Source: SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe

Code function: 0_2_00404EE8 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00404EE8

Source: C:\Mongoose\mongoose-2.11.exe

Code function: 12_2_004019DB __p___argv,OpenSCManagerA,GetModuleFileNameA,strncat,strncat,strncat,CreateServiceA,ChangeServiceConfig2A,OpenServiceA,DeleteService,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

12_2_004019DB

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe

Code function: 0_2_004030FA EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,CoUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,

0_2_004030FA

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe	Code function: 0_2_00406128	0_2_00406128
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe	Code function: 0_2_004046F9	0_2_004046F9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe	Code function: 0_2_004068FF	0_2_004068FF
Source: C:\Mongoose\mongoose-2.11.exe	Code function: 12_2_0040D44D	12_2_0040D44D
Source: C:\Mongoose\mongoose-2.11.exe	Code function: 12_2_00412456	12_2_00412456
Source: C:\Mongoose\mongoose-2.11.exe	Code function: 12_2_0040E87B	12_2_0040E87B
Source: C:\Mongoose\mongoose-2.11.exe	Code function: 12_2_00411829	12_2_00411829
Source: C:\Mongoose\mongoose-2.11.exe	Code function: 12_2_004164F6	12_2_004164F6
Source: C:\Mongoose\mongoose-2.11.exe	Code function: 12_2_00413084	12_2_00413084
Source: C:\Mongoose\mongoose-2.11.exe	Code function: 12_2_0040D943	12_2_0040D943
Source: C:\Mongoose\mongoose-2.11.exe	Code function: 12_2_0040E903	12_2_0040E903
Source: C:\Mongoose\mongoose-2.11.exe	Code function: 12_2_0040EDEE	12_2_0040EDEE
Source: C:\Mongoose\mongoose-2.11.exe	Code function: 12_2_0040E666	12_2_0040E666
Source: C:\Mongoose\mongoose-2.11.exe	Code function: 12_2_00402609	12_2_00402609
Source: C:\Mongoose\mongoose-2.11.exe	Code function: 12_2_004116D7	12_2_004116D7
Source: C:\Mongoose\mongoose-2.11.exe	Code function: 12_2_0040DE89	12_2_0040DE89
Source: C:\Mongoose\mongoose-2.11.exe	Code function: 12_2_00412349	12_2_00412349
Source: C:\Mongoose\mongoose-2.11.exe	Code function: 12_2_004133C5	12_2_004133C5

Source: SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal52.troj.evad.winEXE@24/12@0/1

Source: C:\Mongoose\mongoose-2.11.exe

Code function: 12_2_00401B0A GetLastError,FormatMessageA,MessageBoxA,

12_2_00401B0A

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe

Code function: 0_2_004041FC GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_004041FC

Source: C:\Mongoose\mongoose-2.11.exe

Code function: __p___argv,OpenSCManagerA,GetModuleFileNameA,strncat,strncat,strncat,CreateServiceA,ChangeServiceConfig2A,OpenServiceA,DeleteService,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

12_2_004019DB

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe

Code function: 0_2_00402020 CoCreateInstance,MultiByteToWideChar,

0_2_00402020

Source: C:\Mongoose\mongoose-2.11.exe

Code function: 12_2_004011DD __p___argv,__p___argv,CreatePopupMenu,AppendMenuA,AppendMenuA,AppendMenuA,_snprintf,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,GetCursorPos,SetForegroundWindow,TrackPopupMenu,PostMessageA,DestroyMenu,Shell_NotifyIconA,PostQuitMessage,__p___argv,__p___argv,strcmp,StartServiceCtrlDispatcherA,exit,__p___argv,__p___argc,DefWindowProcA,

12_2_004011DD

Source: C:\Mongoose\mongoose-2.11.exe

12_2_004011DD

Source: C:\Mongoose\mongoose-2.11.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7084:120:WilError_03

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe

File created: C:\Users\user\AppData\Local\Temp\nss8F7C.tmp

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\Stand Alone CNP\Mongoose\mongoose.bat" "

Source: SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: mongoose-2.11.exe	String found in binary or memory: --help
Source: mongoose-2.11.exe	String found in binary or memory: --help

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\Stand Alone CNP\Mongoose\mongoose.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc stop mongoose
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc stop mongoose
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc delete mongoose echo 3:27:02.65
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc create Mongoose binPath= "c:\Mongoose\mongoose-2.11.exe --" start= auto
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc start mongoose
Source: unknown	Process created: C:\Mongoose\mongoose-2.11.exe c:\Mongoose\mongoose-2.11.exe --
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\Stand Alone CNP\Mongoose\mongoose.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc stop mongoose	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc stop mongoose	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc delete mongoose echo 3:27:02.65	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc create Mongoose binPath= "c:\Mongoose\mongoose-2.11.exe --" start= auto	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc start mongoose	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Mongoose\mongoose-2.11.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Mongoose\mongoose-2.11.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: mswsock.dll	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe

Code function: 0_2_00405D2E GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00405D2E

Source: C:\Mongoose\mongoose-2.11.exe

Code function: 12_2_00416A00 push eax; ret

12_2_00416A2E

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe	File created: C:\Mongoose\mongoose-2.11.exe			Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe	File created: C:\Users\user\AppData\Local\Temp\Stand Alone CNP\Mongoose\mongoose-2.11.exe			Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe

File created: C:\Users\user\AppData\Local\Temp\Stand Alone CNP\Mongoose\readme.txt.txt

Jump to behavior

Source: C:\Mongoose\mongoose-2.11.exe

12_2_004011DD

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\sc.exe sc stop mongoose

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Uses ping.exe to sleep

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1	Jump to behavior

Source: C:\Mongoose\mongoose-2.11.exe

Window / User API: threadDelayed 9680

Jump to behavior

Source: C:\Mongoose\mongoose-2.11.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_12-8211

Source: C:\Mongoose\mongoose-2.11.exe

API coverage: 8.4 %

Source: C:\Mongoose\mongoose-2.11.exe TID: 6128	Thread sleep count: 256 > 30	Jump to behavior
Source: C:\Mongoose\mongoose-2.11.exe TID: 6128	Thread sleep time: -256000s >= -30000s	Jump to behavior
Source: C:\Mongoose\mongoose-2.11.exe TID: 6128	Thread sleep count: 9680 > 30	Jump to behavior
Source: C:\Mongoose\mongoose-2.11.exe TID: 6128	Thread sleep time: -9680000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXE	Last function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXE	Last function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXE	Last function: Thread delayed
Source: C:\Mongoose\mongoose-2.11.exe	Last function: Thread delayed
Source: C:\Mongoose\mongoose-2.11.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXE	Last function: Thread delayed

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe	Code function: 0_2_00405D07 FindFirstFileA,FindClose,	0_2_00405D07
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe	Code function: 0_2_00405331 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	0_2_00405331
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe	Code function: 0_2_0040263E FindFirstFileA,	0_2_0040263E
Source: C:\Mongoose\mongoose-2.11.exe	Code function: 12_2_0040501B SetLastError,malloc,GetFileAttributesW,wcscat,FindFirstFileW,free,	12_2_0040501B

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\Stand Alone CNP\Mongoose\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\Stand Alone CNP\	Jump to behavior

Source: mongoose-2.11.exe, 0000000C.00000002.4519330539.000000000074A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe

API call chain: ExitProcess graph end node

graph_0-2908

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe

Code function: 0_2_00405D2E GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00405D2E

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\Stand Alone CNP\Mongoose\mongoose.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc stop mongoose	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc stop mongoose	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc delete mongoose echo 3:27:02.65	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc create Mongoose binPath= "c:\Mongoose\mongoose-2.11.exe --" start= auto	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc start mongoose	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe

Code function: 0_2_00405A2E GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,

0_2_00405A2E

Source: C:\Mongoose\mongoose-2.11.exe

Code function: 12_2_004034CD socket,bind,listen,calloc,closesocket,GetLastError,strerror,closesocket,GetLastError,strerror,

12_2_004034CD

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	2 Command and Scripting Interpreter	15 Windows Service	15 Windows Service	1 Virtualization/Sandbox Evasion	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	13 Service Execution	1 Scripting	11 Process Injection	11 Process Injection	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Clipboard Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Obfuscated Files or Information	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	3 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	3 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe	5%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Mongoose\mongoose-2.11.exe	4%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Stand Alone CNP\Mongoose\mongoose-2.11.exe	4%	ReversingLabs

Source	Detection	Scanner	Label	Link
http://nsis.sf.net/NSIS_Error	0%	URL Reputation	safe
http://nsis.sf.net/NSIS_ErrorError	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://nsis.sf.net/NSIS_Error	SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe	false	URL Reputation: safe	unknown
http://localhost/clientaccesspolicy.xml	readme.txt.txt.0.dr	false		unknown
http://nsis.sf.net/NSIS_ErrorError	SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe	false	URL Reputation: safe	unknown
http://code.google.com/p/mongoose/wiki/MongooseManual	mongoose-2.11.exe0.0.dr, mongoose.conf.0.dr, mongoose.conf0.0.dr	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1543086
Start date and time:	2024-10-27 08:26:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 55s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe
Detection:	MAL
Classification:	mal52.troj.evad.winEXE@24/12@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 37 Number of non-executed functions: 116
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe

Simulations

Behavior and APIs

Time	Type	Description
03:27:44	API Interceptor	13017404x Sleep call for process: mongoose-2.11.exe modified

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	599
Entropy (8bit):	4.723069750790691
Encrypted:	false
SSDEEP:	12:MMHdVuafexgdGzu/4WWEytAytZhA4Wvyt5fHebzXdEpLvzX8as7:JdVuvFuBWh1Zhugcv7
MD5:	E21B4D0F290636E1BCEA13E87CB15BA1
SHA1:	836E33BE6493DCA62C685B2B124DA68A5DA660A5
SHA-256:	833D5E8CB7792AC371CB71468AD4E9E55BFBB1CC6DE1322EDD899390FD594EE2
SHA-512:	5DBFB66F81D43CF87B6C3895978E8E765569B040DA91F3092025677C9C82787BD4DD8BF363AFBCA06BDCE2D0AC97DF86F519102824382354250403C97E869182
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<access-policy>.. <cross-domain-access>.. <policy>.. <allow-from http-methods=""> -->.. <allow-from http-request-headers="">.. <domain uri="http://.c-pos.co.uk" />.. <domain uri="http://.cysrln03-dev-andyr-vm" />.. <domain uri="http://.cysrln02-dev-vm" /> -->.. <domain uri="http://" /> -->.. <domain uri="*" />.. </allow-from>.. <grant-to>.. <socket-resource port="4502" protocol="tcp" />.. </grant-to>.. </policy>.. </cross-domain-access>..</access-policy>..

C:\Mongoose\mongoose-2.11.exe

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	6.481986535863945
Encrypted:	false
SSDEEP:	1536:I1+uJsNBVhYzmR58pFXP38kdfNfYo2T6+oOfObH/II7JuvhlTSoSICS4ASSoCj++:NvQmR52yq32TiNgI7kvHlAa6/b49
MD5:	A494D4D9AC522F13A3FA5E1C2C0CB467
SHA1:	B35891685317A524557E30C24366AFF761220D6B
SHA-256:	320446AD4E82DABBEAB0536194BDCF81796EB5341CE87EC00F46949BFF11E7B9
SHA-512:	B01B37D16FDE6445403156D110FCA080C08894187C7FA84F0C6AE026C0EAC541CCC20AB36783789F68E6D2A3662D0CCBB8AE88E36F1ACA361F4E6984B64B8A7E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........tz.j.).j.).j.).v.).j.)4v.).j.)_u.).j.).u.).j.).j.).j.).l.).j.)_u.).j.)Rich.j.)........PE..L.....L.................`........../j.......p....@.........................................................................D........................................................................................p...............................text...V\.......`.................. ..`.rdata...E...p...P...p..............@..@.data....8.......0..................@....rsrc...............................@..@........................................................................................................................................................................................................................................................................................................................................................................................

C:\Mongoose\mongoose.conf

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	858
Entropy (8bit):	4.853420547501007
Encrypted:	false
SSDEEP:	12:VuRU+s0ZNA2PwN1cm7vG8VpJDozTzXrfAvcmAzp+On3lhnfjXrf6Xp5osvUGZKJ1:MUCNoj5v/0HkEP3l9P6HosMGAp3L
MD5:	2B2AE0570C8420AD5545E1D48BBB6B97
SHA1:	B1522B301ABBDB06CD86AE50C2375CB041B211C8
SHA-256:	2A5A85847F7B116345980BCF902110F567356BC0EB589ADE5DFA2FACD06DA53A
SHA-512:	C7E996EFD7BF6B929EF0954E95B8DE892E8698F451F92A6AB0523520CC0EE83B99DB445D7F367D738B07BBAAC7F80BC569645956DDEEAB1F7166885AA7AFE8D2
Malicious:	false
Preview:	# Mongoose web server configuration file...# Lines starting with '#' and empty lines are ignored...# For detailed description of every option, visit..# http://code.google.com/p/mongoose/wiki/MongooseManual....# cgi_extensions .cgi,.pl,.php..# cgi_environment <value>..# put_delete_passwords_file <value>..# cgi_interpreter <value>..# protect_uri <value>..# authentication_domain mydomain.com..# ssi_extensions .shtml,.shtm..access_log_file access_log.txt..# ssl_chain_file <value>..# enable_directory_listing yes..# error_log_file <value>..# global_passwords_file <value>..# index_files index.html,index.htm,index.cgi..# enable_keep_alive no..# access_control_list <value>..# max_request_size 16384..# extra_mime_types <value>..listening_ports 127.0.0.1:80..document_root c:\mongoose\html..# ssl_certificate <value>..# num_threads 10..# run_as_user <value>..

C:\Mongoose_log.txt

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	835
Entropy (8bit):	4.605011740436264
Encrypted:	false
SSDEEP:	24:fK+DsVG+DsVG+DsVbJegV0HvGZLa/qOVxk/:fDs5s5sRJd0H0LcVxY
MD5:	4C572ABD722A1CF4D68A3DB1B23B1FB1
SHA1:	0BAFF175C4E1E6AEA90D937053543649101099CE
SHA-256:	F2229D686B705A7531DFDA2EF1E2D7731EC195D5DED729F4BED42E3F53E8BDE4
SHA-512:	B8AC0B064F36EBB37119ABAF4E89E48C3F1D1E5D0A6B7BFC5AC722FA1EC6BD8FFD984F674FCE2BEC55860790172A5CE26937E51397C446225D9B7B4F5EF62792
Malicious:	false
Preview:	.. ..------------- ..Time of Install: 27/10/2024 3:26:58.33 ..------------- .. .. ..[SC] OpenService FAILED 1060:....The specified service does not exist as an installed service..... ..[SC] OpenService FAILED 1060:....The specified service does not exist as an installed service..... ..[SC] OpenService FAILED 1060:....The specified service does not exist as an installed service..... ..[SC] CreateService SUCCESS.. ....SERVICE_NAME: mongoose .. TYPE : 10 WIN32_OWN_PROCESS .. STATE : 4 RUNNING .. (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN).. WIN32_EXIT_CODE : 0 (0x0).. SERVICE_EXIT_CODE : 0 (0x0).. CHECKPOINT : 0x0.. WAIT_HINT : 0x0.. PID : 6556.. FLAGS : .. ..

C:\Users\user\AppData\Local\Temp\Stand Alone CNP\Mongoose\Mongoose.bat

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	826
Entropy (8bit):	4.6792883413336614
Encrypted:	false
SSDEEP:	12:7ejoj3jtYMmgSj3jojoc8joc8joLqFIejoLqFs84SAUqMjoLqFAjoLqFl:7OM1J6VPO10WE
MD5:	3F59744A13416C2C271CDA7BB056BE67
SHA1:	348772DDFF387DCB8FAE8D72A08D98D0675A9825
SHA-256:	771039EB3C68794543C9B8A197A0BC8381DF9B3C037EEDAA3A3AA7F44AA9980E
SHA-512:	6530F6CA35CA0F6ED81538227C6DC110BFF38B5EF792F09C7F0972F74585B3C51B73D7DAD896FF5660F934DEC97B315FE3FA56E6C2AF2E37EC8AD3C68E9D944C
Malicious:	false
Preview:	@echo off..cls....@echo off..echo. >>C:\Mongoose_log.txt..echo. >>C:\Mongoose_log.txt..echo ------------- >>C:\Mongoose_log.txt..echo Time of Install: %Date% %time% >>C:\Mongoose_log.txt..echo ------------- >>C:\Mongoose_log.txt..echo. >>C:\Mongoose_log.txt..echo. >>C:\Mongoose_log.txt....sc stop mongoose >>C:\Mongoose_log.txt..echo. >>C:\Mongoose_log.txt....sc stop mongoose >>C:\Mongoose_log.txt..echo. >>C:\Mongoose_log.txt....ping -n 5 127.0.0.1 >nul....sc delete mongoose echo %time% >>C:\Mongoose_log.txt..echo. >>C:\Mongoose_log.txt....ping -n 5 127.0.0.1 >nul....sc create Mongoose binPath= "c:\Mongoose\mongoose-2.11.exe --" start= auto >>C:\Mongoose_log.txt..echo. >>C:\Mongoose_log.txt....ping -n 5 127.0.0.1 >nul....sc start mongoose >>C:\Mongoose_log.txt..echo. >>C:\Mongoose_log.txt....ping -n 5 127.0.0.1 >nul

C:\Users\user\AppData\Local\Temp\Stand Alone CNP\Mongoose\mongoose-2.11.exe

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	6.481986535863945
Encrypted:	false
SSDEEP:	1536:I1+uJsNBVhYzmR58pFXP38kdfNfYo2T6+oOfObH/II7JuvhlTSoSICS4ASSoCj++:NvQmR52yq32TiNgI7kvHlAa6/b49
MD5:	A494D4D9AC522F13A3FA5E1C2C0CB467
SHA1:	B35891685317A524557E30C24366AFF761220D6B
SHA-256:	320446AD4E82DABBEAB0536194BDCF81796EB5341CE87EC00F46949BFF11E7B9
SHA-512:	B01B37D16FDE6445403156D110FCA080C08894187C7FA84F0C6AE026C0EAC541CCC20AB36783789F68E6D2A3662D0CCBB8AE88E36F1ACA361F4E6984B64B8A7E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........tz.j.).j.).j.).v.).j.)4v.).j.)_u.).j.).u.).j.).j.).j.).l.).j.)_u.).j.)Rich.j.)........PE..L.....L.................`........../j.......p....@.........................................................................D........................................................................................p...............................text...V\.......`.................. ..`.rdata...E...p...P...p..............@..@.data....8.......0..................@....rsrc...............................@..@........................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Stand Alone CNP\Mongoose\mongoose.conf

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	858
Entropy (8bit):	4.853420547501007
Encrypted:	false
SSDEEP:	12:VuRU+s0ZNA2PwN1cm7vG8VpJDozTzXrfAvcmAzp+On3lhnfjXrf6Xp5osvUGZKJ1:MUCNoj5v/0HkEP3l9P6HosMGAp3L
MD5:	2B2AE0570C8420AD5545E1D48BBB6B97
SHA1:	B1522B301ABBDB06CD86AE50C2375CB041B211C8
SHA-256:	2A5A85847F7B116345980BCF902110F567356BC0EB589ADE5DFA2FACD06DA53A
SHA-512:	C7E996EFD7BF6B929EF0954E95B8DE892E8698F451F92A6AB0523520CC0EE83B99DB445D7F367D738B07BBAAC7F80BC569645956DDEEAB1F7166885AA7AFE8D2
Malicious:	false
Preview:	# Mongoose web server configuration file...# Lines starting with '#' and empty lines are ignored...# For detailed description of every option, visit..# http://code.google.com/p/mongoose/wiki/MongooseManual....# cgi_extensions .cgi,.pl,.php..# cgi_environment <value>..# put_delete_passwords_file <value>..# cgi_interpreter <value>..# protect_uri <value>..# authentication_domain mydomain.com..# ssi_extensions .shtml,.shtm..access_log_file access_log.txt..# ssl_chain_file <value>..# enable_directory_listing yes..# error_log_file <value>..# global_passwords_file <value>..# index_files index.html,index.htm,index.cgi..# enable_keep_alive no..# access_control_list <value>..# max_request_size 16384..# extra_mime_types <value>..listening_ports 127.0.0.1:80..document_root c:\mongoose\html..# ssl_certificate <value>..# num_threads 10..# run_as_user <value>..

C:\Users\user\AppData\Local\Temp\Stand Alone CNP\Mongoose\readme.txt.txt

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	248
Entropy (8bit):	4.5610289004086155
Encrypted:	false
SSDEEP:	6:C/DJr2ApUik7TXN/ItPLFKWqVgTdEJ7CiG/ocw5jAkOBFpuzn:C/9nmik7TCtPQ97VGQcCAlgz
MD5:	A60C691A345715B616C28D020775236F
SHA1:	91932D83EC23BF133826025108FB51D23C1AE38D
SHA-256:	BE7829E5AD893F6DB48969E6B1E969C0E118EDCBEA485A2770BD30F09FF997F7
SHA-512:	28E747FA0C76E25AE6A6A02713B047AC271ABF148CCA5744901404952377923D61C12D34B20E681EFE7A9EED406382672BB5D542F23A0DCCC0EA4C4514CEE459
Malicious:	false
Preview:	1) after install of cnp sw (ensure opos print option and port set to 4502)..2) Copy this dir to c:\..3) run mongoose.exe + install as service..4) test http://localhost/clientaccesspolicy.xml loads....JB --- opos needs to be installed with a printer

\Device\Null

Download File

Process:	C:\Windows\SysWOW64\PING.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	478
Entropy (8bit):	4.9404427828211634
Encrypted:	false
SSDEEP:	12:PKMRJpTeTeTeTeT0s+sEAFSkIrxMVlmJHaVzvv:/2fAokItULVDv
MD5:	1D785D889CA617298A68D26DFEF974C4
SHA1:	1CC36474033E2767B059019B12782CE558F1EA34
SHA-256:	FE52FE8317F9F07F4AB830F6E3B1F1013BE4AA2A82DD5C86AA805648FC053230
SHA-512:	EF34C2479BE5BA45B41584887354DE53EA15EC53EA74D57042FF57EB8A609B93DAC9A55297300C29320CE14966FB7704C9952BDC7C6E2DDD0DCA929884091CF3
Malicious:	false
Preview:	..Pinging 127.0.0.1 with 32 bytes of data:..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128....Ping statistics for 127.0.0.1:.. Packets: Sent = 5, Received = 5, Lost = 0 (0% loss),..Approximate round trip times in milli-seconds:.. Minimum = 0ms, Maximum = 0ms, Average = 0ms..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.674253821777677
TrID:	Win32 Executable (generic) a (10002005/4) 92.16% NSIS - Nullsoft Scriptable Install System (846627/2) 7.80% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe
File size:	103'398 bytes
MD5:	8bc8dfa75b6b62a90785f46221075ed3
SHA1:	f55a2670f6b5945aab4033a66bc035ce0cf10e8d
SHA256:	9db830145716b1d60d3472934f02b289838d8bbef2fd9f50def9f6af6886529c
SHA512:	d7d7d60607ed444a3344e19228b7f4efea9b1a12743b78ff9ddf658faf7c4e8e5ad8e32f1e2fa305381a76f84ab9572d42126981a10b29dd6eb87956921aece2
SSDEEP:	1536:EpgpHzb9dZVX9fHMvG0D3XJkcPfkFtxRMXfDGSwv5A8bvEOsBsPsGe/ehY5Td:ygXdZt9P6D3XJkcXkFKKWrZB0s7p
TLSH:	98A3F123F9C1CDF3D9C616351EB7DB7CDBF2D2A602552A1F97142FB62951046CE1A082
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................^.........

File Icon


Icon Hash:	3d2e0f95332b3399

Static PE Info

General

Entrypoint:	0x4030fa
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x4B1AE3CC [Sat Dec 5 22:50:52 2009 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	7fa974366048f9c551ef45714595665e

Entrypoint Preview

Instruction
sub esp, 00000180h
push ebx
push ebp
push esi
xor ebx, ebx
push edi
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00409160h
xor esi, esi
mov byte ptr [esp+14h], 00000020h
call dword ptr [00407030h]
push 00008001h
call dword ptr [004070B0h]
push ebx
call dword ptr [0040727Ch]
push 00000008h
mov dword ptr [0042EC18h], eax
call 00007F605882AEA6h
mov dword ptr [0042EB64h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 00000160h
push eax
push ebx
push 00428F98h
call dword ptr [00407158h]
push 00409154h
push 0042E360h
call 00007F605882AB59h
call dword ptr [004070ACh]
mov edi, 00434000h
push eax
push edi
call 00007F605882AB47h
push ebx
call dword ptr [0040710Ch]
cmp byte ptr [00434000h], 00000022h
mov dword ptr [0042EB60h], eax
mov eax, edi
jne 00007F60588282BCh
mov byte ptr [esp+14h], 00000022h
mov eax, 00434001h
push dword ptr [esp+14h]
push eax
call 00007F605882A63Ah
push eax
call dword ptr [0040721Ch]
mov dword ptr [esp+1Ch], eax
jmp 00007F6058828315h
cmp cl, 00000020h
jne 00007F60588282B8h
inc eax
cmp byte ptr [eax], 00000020h
je 00007F60588282ACh
cmp byte ptr [eax], 00000022h
mov byte ptr [eax+eax+00h], 00000000h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x74b0	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x37000	0x6c8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x28c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5c4c	0x5e00	856b32eb77dfd6fb67f21d6543272da5	False	0.6697140957446809	data	6.440105549497952	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x129c	0x1400	dc77f8a1e6985a4361c55642680ddb4f	False	0.43359375	data	5.046835307909969	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x25c58	0x400	7922d4ce117d7d5b3ac2cffe4b0b5e4f	False	0.5849609375	data	4.801003752715384	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x2f000	0x8000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x37000	0x6c8	0x800	d00928665e5bfdca7840eaef91429e30	False	0.345703125	data	2.917343976333205	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x37148	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States	0.42473118279569894
RT_DIALOG	0x37430	0x100	data	English	United States	0.5234375
RT_DIALOG	0x37530	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x37650	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x376b0	0x14	data	English	United States	1.2

Imports

DLL	Import
KERNEL32.dll	CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, GetWindowsDirectoryA, SetFileTime, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetTempPathA
USER32.dll	EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
GDI32.dll	SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
SHELL32.dll	SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
ADVAPI32.dll	RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll	GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	03:26:57
Start date:	27/10/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe"
Imagebase:	0x400000
File size:	103'398 bytes
MD5 hash:	8BC8DFA75B6B62A90785F46221075ED3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:26:58
Start date:	27/10/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\Stand Alone CNP\Mongoose\mongoose.bat" "
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	03:26:58
Start date:	27/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	03:26:58
Start date:	27/10/2024
Path:	C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit):	true
Commandline:	sc stop mongoose
Imagebase:	0x180000
File size:	61'440 bytes
MD5 hash:	D9D7684B8431A0D10D0E76FE9F5FFEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	03:26:58
Start date:	27/10/2024
Path:	C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit):	true
Commandline:	sc stop mongoose
Imagebase:	0x180000
File size:	61'440 bytes
MD5 hash:	D9D7684B8431A0D10D0E76FE9F5FFEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	03:26:58
Start date:	27/10/2024
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping -n 5 127.0.0.1
Imagebase:	0x2a0000
File size:	18'944 bytes
MD5 hash:	B3624DD758CCECF93A1226CEF252CA12
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	03:27:02
Start date:	27/10/2024
Path:	C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit):	true
Commandline:	sc delete mongoose echo 3:27:02.65
Imagebase:	0x180000
File size:	61'440 bytes
MD5 hash:	D9D7684B8431A0D10D0E76FE9F5FFEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	03:27:02
Start date:	27/10/2024
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping -n 5 127.0.0.1
Imagebase:	0x2a0000
File size:	18'944 bytes
MD5 hash:	B3624DD758CCECF93A1226CEF252CA12
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	03:27:06
Start date:	27/10/2024
Path:	C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit):	true
Commandline:	sc create Mongoose binPath= "c:\Mongoose\mongoose-2.11.exe --" start= auto
Imagebase:	0x180000
File size:	61'440 bytes
MD5 hash:	D9D7684B8431A0D10D0E76FE9F5FFEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	03:27:06
Start date:	27/10/2024
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping -n 5 127.0.0.1
Imagebase:	0x2a0000
File size:	18'944 bytes
MD5 hash:	B3624DD758CCECF93A1226CEF252CA12
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	03:27:11
Start date:	27/10/2024
Path:	C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit):	true
Commandline:	sc start mongoose
Imagebase:	0x180000
File size:	61'440 bytes
MD5 hash:	D9D7684B8431A0D10D0E76FE9F5FFEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	03:27:11
Start date:	27/10/2024
Path:	C:\Mongoose\mongoose-2.11.exe
Wow64 process (32bit):	true
Commandline:	c:\Mongoose\mongoose-2.11.exe --
Imagebase:	0x400000
File size:	131'072 bytes
MD5 hash:	A494D4D9AC522F13A3FA5E1C2C0CB467
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 4%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	13
Start time:	03:27:11
Start date:	27/10/2024
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping -n 5 127.0.0.1
Imagebase:	0x2a0000
File size:	18'944 bytes
MD5 hash:	B3624DD758CCECF93A1226CEF252CA12
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	19%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	22.7%
Total number of Nodes:	1212
Total number of Limit Nodes:	22

Executed Functions

Function 004030FA Relevance: 70.3, APIs: 24, Strings: 16, Instructions: 270
filestringcomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#17.COMCTL32 ref: 00403119
SetErrorMode.KERNEL32(00008001), ref: 00403124
OleInitialize.OLE32(00000000), ref: 0040312B

Part of subcall function 00405D2E: GetModuleHandleA.KERNEL32(?,?,00000000,0040313D,00000008), ref: 00405D40
Part of subcall function 00405D2E: LoadLibraryA.KERNEL32(?,?,00000000,0040313D,00000008), ref: 00405D4B
Part of subcall function 00405D2E: GetProcAddress.KERNEL32(00000000,?), ref: 00405D5C

SHGetFileInfoA.SHELL32(00428F98,00000000,?,00000160,00000000,00000008), ref: 00403153

Part of subcall function 00405A0C: lstrcpynA.KERNEL32(?,?,00000400,00403168,Name Setup,NSIS Error), ref: 00405A19

GetCommandLineA.KERNEL32(Name Setup,NSIS Error), ref: 00403168
GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe",00000000), ref: 0040317B
CharNextA.USER32(00000000,"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe",00000020), ref: 004031A6
GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 00403239
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 0040324E
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 0040325A
DeleteFileA.KERNEL32(1033), ref: 0040326D
ExitProcess.KERNEL32(00000000), ref: 004032E6
CoUninitialize.COMBASE(00000000), ref: 004032EB
ExitProcess.KERNEL32 ref: 0040330B
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe",00000000,00000000), ref: 00403317
lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop), ref: 00403323
CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040332F
SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\), ref: 00403336
DeleteFileA.KERNEL32(00428B98,00428B98,?,0042F000,?), ref: 00403380
CopyFileA.KERNEL32(C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe,00428B98,00000001), ref: 00403394
CloseHandle.KERNEL32(00000000,00428B98,00428B98,?,00428B98,00000000), ref: 004033C1
GetCurrentProcess.KERNEL32(00000028,?,00000005,00000004,00000003), ref: 00403416
ExitWindowsEx.USER32(00000002,00000000), ref: 00403452
ExitProcess.KERNEL32 ref: 00403475

Strings

/D=, xrefs: 004031FC
Name Setup, xrefs: 0040315E
SeShutdownPrivilege, xrefs: 00403428
", xrefs: 004031C8
C:\Users\user\Desktop, xrefs: 0040331C, 00403321, 00403344
C:\Users\user\AppData\Local\Temp\, xrefs: 0040322E, 00403233, 0040324D, 00403259, 00403316, 00403322, 0040332E, 00403335, 004033D5
"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe", xrefs: 0040316E, 00403174, 0040328A
_?=, xrefs: 00403294
C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe, xrefs: 0040338F
1033, xrefs: 00403268
Error launching installer, xrefs: 004032A3
NCRC, xrefs: 004031E6
C:\Users\user\AppData\Local\Temp\Stand Alone CNP\Mongoose, xrefs: 004032C8
\Temp, xrefs: 00403254
NSIS Error, xrefs: 00403159
~nsu.tmp, xrefs: 00403311

Memory Dump Source

Source File: 00000000.00000002.2064108994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2064095141.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064122993.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064185192.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ExitFileProcess$DirectoryHandle$CurrentDeleteModuleWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
String ID: /D=$ _?=$"$"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe"$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\Stand Alone CNP\Mongoose$C:\Users\user\Desktop$C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe$Error launching installer$NCRC$NSIS Error$Name Setup$SeShutdownPrivilege$\Temp$~nsu.tmp
API String ID: 553446912-1820525569
Opcode ID: b54f9db6f0d8b9b5cada0f3be399c619291e87e839e1cbb66da7d28003e7be7a
Instruction ID: 1e9e478c3a9e7f3573a82b9cae4fcf3dc9ecc54075f91e84b1854e8c20532e3f
Opcode Fuzzy Hash: b54f9db6f0d8b9b5cada0f3be399c619291e87e839e1cbb66da7d28003e7be7a
Instruction Fuzzy Hash: 4191D130A08344AFE7216F61AD4AB6B7E9CEB0530AF04057FF541B61D2C77C99058B6E

Function 00404EE8 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 278
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 00404F47
GetDlgItem.USER32(?,000003EE), ref: 00404F56
GetClientRect.USER32(?,?), ref: 00404F93
GetSystemMetrics.USER32(00000015), ref: 00404F9B
SendMessageA.USER32(?,0000101B,00000000,00000002), ref: 00404FBC
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 00404FCD
SendMessageA.USER32(?,00001001,00000000,00000110), ref: 00404FE0
SendMessageA.USER32(?,00001026,00000000,00000110), ref: 00404FEE
SendMessageA.USER32(?,00001024,00000000,?), ref: 00405001
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405023
ShowWindow.USER32(?,00000008), ref: 00405037
GetDlgItem.USER32(?,000003EC), ref: 00405058
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405068
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 00405081
SendMessageA.USER32(00000000,00002001,00000000,00000110), ref: 0040508D
GetDlgItem.USER32(?,000003F8), ref: 00404F65

Part of subcall function 00403DF3: SendMessageA.USER32(00000028,?,00000001,00403C24), ref: 00403E01

GetDlgItem.USER32(?,000003EC), ref: 004050AA
CreateThread.KERNEL32(00000000,00000000,Function_00004E7C,00000000), ref: 004050B8
CloseHandle.KERNEL32(00000000), ref: 004050BF
ShowWindow.USER32(00000000), ref: 004050E3
ShowWindow.USER32(0001042A,00000008), ref: 004050E8
ShowWindow.USER32(00000008), ref: 0040512F
SendMessageA.USER32(0001042A,00001004,00000000,00000000), ref: 00405161
CreatePopupMenu.USER32 ref: 00405172
AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 00405187
GetWindowRect.USER32(0001042A,?), ref: 0040519A
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004051BE
SendMessageA.USER32(?,0000102D,00000000,?), ref: 004051F9
OpenClipboard.USER32(00000000), ref: 00405209
EmptyClipboard.USER32 ref: 0040520F
GlobalAlloc.KERNEL32(00000042,?,?,?,00000000,?,00000000), ref: 00405218
GlobalLock.KERNEL32(00000000), ref: 00405222
SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405236
GlobalUnlock.KERNEL32(00000000), ref: 0040524E
SetClipboardData.USER32(00000001,00000000), ref: 00405259
CloseClipboard.USER32 ref: 0040525F

Strings

{, xrefs: 0040514E

Memory Dump Source

Source File: 00000000.00000002.2064108994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2064095141.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064122993.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064185192.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: 502b3e781240547b4f79c84f5df072659d73b9fdff3a6a82af1c7000a0e1b831
Instruction ID: ecf959edf644124ae9a18d4fa2a520563b4821934e06b5e1f2851b0e4fc8d151
Opcode Fuzzy Hash: 502b3e781240547b4f79c84f5df072659d73b9fdff3a6a82af1c7000a0e1b831
Instruction Fuzzy Hash: FBA14870900208BFEB219FA1DD89AAE7F79FB08355F40407AFA05AA2A0C7755E41DF59

Function 00405D2E Relevance: 4.5, APIs: 3, Instructions: 20
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(?,?,00000000,0040313D,00000008), ref: 00405D40
LoadLibraryA.KERNEL32(?,?,00000000,0040313D,00000008), ref: 00405D4B
GetProcAddress.KERNEL32(00000000,?), ref: 00405D5C

Memory Dump Source

Source File: 00000000.00000002.2064108994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2064095141.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064122993.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064185192.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: 7acfb344228b968400b962badda7c36266698eee5c55508006b44164a923ef80
Instruction ID: 58781945b1ebe0d6425232f008294b0fb1b641fb0524d4e5e5734917004db801
Opcode Fuzzy Hash: 7acfb344228b968400b962badda7c36266698eee5c55508006b44164a923ef80
Instruction Fuzzy Hash: 8CE08C36A04510BBD3215B30AE08A6B73ACEEC9B41304897EF615F6251D734AC11DBBA

Function 004038EB Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403927
ShowWindow.USER32(?), ref: 00403944
DestroyWindow.USER32 ref: 00403958
SetWindowLongA.USER32(?,00000000,00000000), ref: 00403974
GetDlgItem.USER32(?,?), ref: 00403995
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 004039A9
IsWindowEnabled.USER32(00000000), ref: 004039B0
GetDlgItem.USER32(?,00000001), ref: 00403A5E
GetDlgItem.USER32(?,00000002), ref: 00403A68
SetClassLongA.USER32(?,000000F2,?), ref: 00403A82
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403AD3
GetDlgItem.USER32(?,00000003), ref: 00403B79
ShowWindow.USER32(00000000,?), ref: 00403B9A
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403BAC
EnableWindow.USER32(?,?), ref: 00403BC7
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403BDD
EnableMenuItem.USER32(00000000), ref: 00403BE4
SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403BFC
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403C0F
lstrlenA.KERNEL32(00429FE0,?,00429FE0,Name Setup), ref: 00403C38
SetWindowTextA.USER32(?,00429FE0), ref: 00403C47
ShowWindow.USER32(?,0000000A), ref: 00403D7B

Strings

Name Setup, xrefs: 00403C29

Memory Dump Source

Source File: 00000000.00000002.2064108994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2064095141.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064122993.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064185192.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: Name Setup
API String ID: 3282139019-2681444277
Opcode ID: 0b6e4c35b8dcfffa61f252a23bc82b09b6935cd656e84c2cc0fc3574caf64574
Instruction ID: 552f9e5d3371f53337095c5be2d86efa37a563823f2766eb5c4291c6ef6876bd
Opcode Fuzzy Hash: 0b6e4c35b8dcfffa61f252a23bc82b09b6935cd656e84c2cc0fc3574caf64574
Instruction Fuzzy Hash: B8C1B171604204AFD721AF62ED85E2B7F6CEB44706F40053EF941B51E1C779A942DB2E

Function 00403555 Relevance: 49.2, APIs: 15, Strings: 13, Instructions: 216
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00405D2E: GetModuleHandleA.KERNEL32(?,?,00000000,0040313D,00000008), ref: 00405D40
Part of subcall function 00405D2E: LoadLibraryA.KERNEL32(?,?,00000000,0040313D,00000008), ref: 00405D4B
Part of subcall function 00405D2E: GetProcAddress.KERNEL32(00000000,?), ref: 00405D5C

lstrcatA.KERNEL32(1033,00429FE0,80000001,Control Panel\Desktop\ResourceLocale,00000000,00429FE0,00000000,00000006,"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe",00000000,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004035C6
lstrlenA.KERNEL32(: Completed,?,?,?,: Completed,00000000,00434400,1033,00429FE0,80000001,Control Panel\Desktop\ResourceLocale,00000000,00429FE0,00000000,00000006,"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe"), ref: 0040363B
lstrcmpiA.KERNEL32(?,.exe), ref: 0040364E
GetFileAttributesA.KERNEL32(: Completed), ref: 00403659
LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,00434400), ref: 004036A2

Part of subcall function 0040596A: wsprintfA.USER32 ref: 00405977

RegisterClassA.USER32 ref: 004036E9
SystemParametersInfoA.USER32(00000030,00000000,_Nb,00000000), ref: 00403701
CreateWindowExA.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 0040373A
ShowWindow.USER32(00000005,00000000), ref: 00403770
LoadLibraryA.KERNEL32(RichEd20), ref: 00403781
LoadLibraryA.KERNEL32(RichEd32), ref: 0040378C
GetClassInfoA.USER32(00000000,RichEdit20A,0042E300), ref: 0040379C
GetClassInfoA.USER32(00000000,RichEdit,0042E300), ref: 004037A9
RegisterClassA.USER32(0042E300), ref: 004037B2
DialogBoxParamA.USER32(?,00000000,004038EB,00000000), ref: 004037D1

Strings

_Nb, xrefs: 004036F8, 004036FD
C:\Users\user\AppData\Local\Temp\, xrefs: 00403559
.exe, xrefs: 00403648
"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe", xrefs: 00403561
.DEFAULT\Control Panel\International, xrefs: 004035B1
Control Panel\Desktop\ResourceLocale, xrefs: 00403589
1033, xrefs: 00403575, 004035C1
RichEd32, xrefs: 00403787
RichEdit, xrefs: 004037A3
<K, xrefs: 00403604
: Completed, xrefs: 00403609, 00403611, 0040361E, 00403668, 0040366E
RichEdit20A, xrefs: 00403794, 0040379A
RichEd20, xrefs: 0040377C

Memory Dump Source

Source File: 00000000.00000002.2064108994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2064095141.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064122993.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064185192.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: <K$"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe"$.DEFAULT\Control Panel\International$.exe$1033$: Completed$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 914957316-1531363995
Opcode ID: 3a2c45f0d62c5ae26582f53126e34280adb3cccee4e3bf9508370ae987846fa1
Instruction ID: af9374935d7a54fd1dce6881c110e57d7cc589bc1fe1380e1b33b637fa7f222c
Opcode Fuzzy Hash: 3a2c45f0d62c5ae26582f53126e34280adb3cccee4e3bf9508370ae987846fa1
Instruction Fuzzy Hash: E161C571604204BAD220AF669D85F273EACE744759F40447FF941B22E1D779AD028B3E

Function 00402C22 Relevance: 26.4, APIs: 5, Strings: 10, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402C33
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe,00000400), ref: 00402C4F

Part of subcall function 004056E3: GetFileAttributesA.KERNEL32(00000003,00402C62,C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe,80000000,00000003), ref: 004056E7
Part of subcall function 004056E3: CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405709

GetFileSize.KERNEL32(00000000,00000000,SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe,C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe,80000000,00000003), ref: 00402C9B

Strings

Inst, xrefs: 00402D07
Null, xrefs: 00402D19
soft, xrefs: 00402D10
SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe, xrefs: 00402C8F
C:\Users\user\Desktop, xrefs: 00402C7D, 00402C82, 00402C88
C:\Users\user\AppData\Local\Temp\, xrefs: 00402C22
"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe", xrefs: 00402C2C
C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe, xrefs: 00402C39, 00402C48, 00402C5C, 00402C7C
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402DFA
Error launching installer, xrefs: 00402C72

Memory Dump Source

Source File: 00000000.00000002.2064108994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2064095141.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064122993.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064185192.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe$soft
API String ID: 4283519449-697607320
Opcode ID: 1aa0d1efbed9786f842be751fafdabbb11e6860e74167932e572fcfd279c9ed7
Instruction ID: 5cdc40c0d59b83eec34e45f83230a383a342561faf5f4e8ee161a7b3089b1b43
Opcode Fuzzy Hash: 1aa0d1efbed9786f842be751fafdabbb11e6860e74167932e572fcfd279c9ed7
Instruction Fuzzy Hash: 40512371A00214ABDB20DF61DE89B9E7BA8EF04329F10413BF905B62D1D7BC9D418B9D

Function 00402E5B Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 174
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402EC2
GetTickCount.KERNEL32 ref: 00402F69
MulDiv.KERNEL32(7FFFFFFF,00000064,00000020), ref: 00402F92
wsprintfA.USER32 ref: 00402FA2
WriteFile.KERNEL32(00000000,00000000,00418EC2,7FFFFFFF,00000000), ref: 00402FD0

Strings

KLA, xrefs: 00402F2F, 00402F41
@echo offcls@echo offecho. >>C:\Mongoose_log.txtecho. >>C:\Mongoose_log.txtecho ------------- >>C:\Mongoose_log.txtecho Time of Install: %Date% %time% >>C:\Mongoose_log.txtecho ------------- >>C:\Mongoose_log.txtecho. >>C:\Mongoose_log.txte, xrefs: 00402EDC
... %d%%, xrefs: 00402F9C

Memory Dump Source

Source File: 00000000.00000002.2064108994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2064095141.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064122993.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064185192.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CountTick$FileWritewsprintf
String ID: ... %d%%$@echo offcls@echo offecho. >>C:\Mongoose_log.txtecho. >>C:\Mongoose_log.txtecho ------------- >>C:\Mongoose_log.txtecho Time of Install: %Date% %time% >>C:\Mongoose_log.txtecho ------------- >>C:\Mongoose_log.txtecho. >>C:\Mongoose_log.txte$KLA
API String ID: 4209647438-361745389
Opcode ID: 41e35a0a14bb3f2fd38d9c716afd6c3ba0ace6c0ea9dec4adf0e27dc0e0f292a
Instruction ID: 0d39cdfb2b20f01ea0ef459ff81ac6f09524c508dd7874cbed1e127a204ff5ac
Opcode Fuzzy Hash: 41e35a0a14bb3f2fd38d9c716afd6c3ba0ace6c0ea9dec4adf0e27dc0e0f292a
Instruction Fuzzy Hash: 3D618D7190121AEBDF10CF65DA44A9E7BB8EF04366F10413BF800B72D4D7789A51DBAA

Function 00401734 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 147
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatA.KERNEL32(00000000,00000000,open,C:\Users\user\AppData\Local\Temp\Stand Alone CNP\Mongoose,00000000,00000000,00000031), ref: 00401773
CompareFileTime.KERNEL32(-00000014,?,open,open,00000000,00000000,open,C:\Users\user\AppData\Local\Temp\Stand Alone CNP\Mongoose,00000000,00000000,00000031), ref: 0040179D

Part of subcall function 00405A0C: lstrcpynA.KERNEL32(?,?,00000400,00403168,Name Setup,NSIS Error), ref: 00405A19

Part of subcall function 00404DAA: lstrlenA.KERNEL32(Completed,00000000,00418EC2,759223A0,?,?,?,?,?,?,?,?,?,00402FB6,00000000,?), ref: 00404DE3
Part of subcall function 00404DAA: lstrlenA.KERNEL32(00402FB6,Completed,00000000,00418EC2,759223A0,?,?,?,?,?,?,?,?,?,00402FB6,00000000), ref: 00404DF3
Part of subcall function 00404DAA: lstrcatA.KERNEL32(Completed,00402FB6,00402FB6,Completed,00000000,00418EC2,759223A0), ref: 00404E06
Part of subcall function 00404DAA: SetWindowTextA.USER32(Completed,Completed), ref: 00404E18
Part of subcall function 00404DAA: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404E3E
Part of subcall function 00404DAA: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E58
Part of subcall function 00404DAA: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E66

Strings

C:\Users\user\AppData\Local\Temp\Stand Alone CNP\Mongoose, xrefs: 00401761
open C:\Users\user\AppData\Local\Temp\Stand Alone CNP\Mongoose\mongoose.bat, xrefs: 00401801, 0040181D
open, xrefs: 00401750, 00401759, 00401766, 00401778, 00401789, 004017BF, 004017D5, 004017F3, 00401833, 004018B4, 004018BD, 004018C7, 004018D2

Memory Dump Source

Source File: 00000000.00000002.2064108994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2064095141.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064122993.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064185192.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\Stand Alone CNP\Mongoose$open$open C:\Users\user\AppData\Local\Temp\Stand Alone CNP\Mongoose\mongoose.bat
API String ID: 1941528284-1143220767
Opcode ID: f324c85fc2f324614552c21af61c380c89f90457e6ef3776ce2ffda22f3967b2
Instruction ID: 2412d90e5cc6ef50ac46e2462e63b4f26081636668b1d4f665875a47291bc265
Opcode Fuzzy Hash: f324c85fc2f324614552c21af61c380c89f90457e6ef3776ce2ffda22f3967b2
Instruction Fuzzy Hash: 4341D831A10515BACF10BBB5DD86DAF3A69EF41328B24433BF511F11E2D67C4A418E6D

Function 00404DAA Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(Completed,00000000,00418EC2,759223A0,?,?,?,?,?,?,?,?,?,00402FB6,00000000,?), ref: 00404DE3
lstrlenA.KERNEL32(00402FB6,Completed,00000000,00418EC2,759223A0,?,?,?,?,?,?,?,?,?,00402FB6,00000000), ref: 00404DF3
lstrcatA.KERNEL32(Completed,00402FB6,00402FB6,Completed,00000000,00418EC2,759223A0), ref: 00404E06
SetWindowTextA.USER32(Completed,Completed), ref: 00404E18
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404E3E
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E58
SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E66

Strings

Completed, xrefs: 00404DCA, 00404DDC, 00404DE2, 00404E05, 00404E11

Memory Dump Source

Source File: 00000000.00000002.2064108994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2064095141.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064122993.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064185192.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: Completed
API String ID: 2531174081-3087654605
Opcode ID: 50dbff66748b602f0133f4c5fc9f36e40697bbb7724bf87a113127d5fb299ab7
Instruction ID: 64f14355eea1465708e63b557f2fc924fecf56a011f776fb8de10cf69f9f2b8c
Opcode Fuzzy Hash: 50dbff66748b602f0133f4c5fc9f36e40697bbb7724bf87a113127d5fb299ab7
Instruction Fuzzy Hash: F7216071A00118BBDB119FA9DD85ADEBFA9FF44354F14807AF904B6290C7398E418F98

Function 004015B3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00405593: CharNextA.USER32(ES@,?,0042B3E8,00000000,004055F7,0042B3E8,0042B3E8,?,?,00000000,00405345,?,"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe",00000000), ref: 004055A1
Part of subcall function 00405593: CharNextA.USER32(00000000), ref: 004055A6
Part of subcall function 00405593: CharNextA.USER32(00000000), ref: 004055B5

CreateDirectoryA.KERNEL32(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015DB
GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015E5
GetFileAttributesA.KERNEL32(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015F3
SetCurrentDirectoryA.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\Stand Alone CNP\Mongoose,00000000,00000000,000000F0), ref: 00401622

Strings

C:\Users\user\AppData\Local\Temp\Stand Alone CNP\Mongoose, xrefs: 00401617

Memory Dump Source

Source File: 00000000.00000002.2064108994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2064095141.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064122993.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064185192.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
String ID: C:\Users\user\AppData\Local\Temp\Stand Alone CNP\Mongoose
API String ID: 3751793516-1638439677
Opcode ID: 360e2cbe79de91032a44b72a5c5ff191f5bd6e6521d3b477c7bacda235078696
Instruction ID: bf1eb0eabc3c1df6ff2fb323ed3efcd7168262dea338722757ad05095e7f5395
Opcode Fuzzy Hash: 360e2cbe79de91032a44b72a5c5ff191f5bd6e6521d3b477c7bacda235078696
Instruction Fuzzy Hash: AB012631908180AFDB217F756D449BF6BB0EA56365728073FF492B22E2C23C4D42962E

Function 00405712 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405725
GetTempFileNameA.KERNEL32(?,0061736E,00000000,?), ref: 0040573F

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405712, 00405715
nsa, xrefs: 0040571E
"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe", xrefs: 00405719

Memory Dump Source

Source File: 00000000.00000002.2064108994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2064095141.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064122993.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064185192.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe"$C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-4117334575
Opcode ID: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
Instruction ID: 857343acb9398127b83b67a88284cb3acf20d602f6beb627bdaaa73bf87bc8f8
Opcode Fuzzy Hash: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
Instruction Fuzzy Hash: 19F0A736348204BAE7105E55DC04B9B7F99DFD1750F14C027F9449B1C0D6F099589BA9

Function 004030C6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00405C6E: CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe",C:\Users\user\AppData\Local\Temp\,00000000,004030D2,C:\Users\user\AppData\Local\Temp\,00000000,00403244), ref: 00405CC6
Part of subcall function 00405C6E: CharNextA.USER32(?,?,?,00000000), ref: 00405CD3
Part of subcall function 00405C6E: CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe",C:\Users\user\AppData\Local\Temp\,00000000,004030D2,C:\Users\user\AppData\Local\Temp\,00000000,00403244), ref: 00405CD8
Part of subcall function 00405C6E: CharPrevA.USER32(?,?,"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe",C:\Users\user\AppData\Local\Temp\,00000000,004030D2,C:\Users\user\AppData\Local\Temp\,00000000,00403244), ref: 00405CE8

CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403244), ref: 004030E7

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004030C7, 004030CC, 004030D2, 004030DE, 004030E6, 004030ED
1033, xrefs: 004030EE

Memory Dump Source

Source File: 00000000.00000002.2064108994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2064095141.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064122993.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064185192.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID: 1033$C:\Users\user\AppData\Local\Temp\
API String ID: 4115351271-2030658151
Opcode ID: 9fc94c8ce289ceace51d82d7694160c71b26e7ee5232ad3accb455f1d4d4e313
Instruction ID: 7f1b43601f0a10077d0081c2ba5ec5825ac71a1bded9547d22d949ebda8a6a9f
Opcode Fuzzy Hash: 9fc94c8ce289ceace51d82d7694160c71b26e7ee5232ad3accb455f1d4d4e313
Instruction Fuzzy Hash: B6D0922150AD3031D651322A3E06BCF154D8F4636AF65807BF944B608A4A6C2A825AEE

Function 00401DC1 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteA.SHELL32(?,00000000,00000000,00000000,C:\Users\user\AppData\Local\Temp\Stand Alone CNP\Mongoose,?), ref: 00401E07

Strings

C:\Users\user\AppData\Local\Temp\Stand Alone CNP\Mongoose, xrefs: 00401DF2

Memory Dump Source

Source File: 00000000.00000002.2064108994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2064095141.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064122993.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064185192.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ExecuteShell
String ID: C:\Users\user\AppData\Local\Temp\Stand Alone CNP\Mongoose
API String ID: 587946157-1638439677
Opcode ID: 3dc99a1e9f4d2a7ff469985d076f4f0b18b0b581c00dd406e6359dc7570937ce
Instruction ID: 1d9e37e4724715ff8eb4cd61c52570f4e17590a8471f76494d0d603f05069ab9
Opcode Fuzzy Hash: 3dc99a1e9f4d2a7ff469985d076f4f0b18b0b581c00dd406e6359dc7570937ce
Instruction Fuzzy Hash: C3F04C73B04301AACB50AFB19D4AE5E3BA8AB41398F200637F510F70C1D9FC8801B318

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.2064108994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2064095141.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064122993.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064185192.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: cf7b3020d7635a73a7f034f7f9c2b240c5e2222d46fcf66a2415134205071e91
Instruction ID: 8223ec958efd2c964e321ebce6dca8e406ed2778dd364e0d2667d4e2a9ef0db3
Opcode Fuzzy Hash: cf7b3020d7635a73a7f034f7f9c2b240c5e2222d46fcf66a2415134205071e91
Instruction Fuzzy Hash: FE01F4317242109BE7299B799D04B6A36D8E710325F14453FF955F72F1D678DC028B4D

Function 00404E7C Relevance: 3.0, APIs: 2, Instructions: 32
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 00404E8C

Part of subcall function 00403E0A: SendMessageA.USER32(00010424,00000000,00000000,00000000), ref: 00403E1C

CoUninitialize.COMBASE(00000404,00000000), ref: 00404ED8

Memory Dump Source

Source File: 00000000.00000002.2064108994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2064095141.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064122993.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064185192.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: InitializeMessageSendUninitialize
String ID:
API String ID: 2896919175-0
Opcode ID: 40dbed6342c342f19cf155c60ec5393d5941e5f8c4ce0c4d617a2ddd15e81d86
Instruction ID: 553340d25051964c1d9f2091c6121c40533f6be98ef284e5afc8434be7077bea
Opcode Fuzzy Hash: 40dbed6342c342f19cf155c60ec5393d5941e5f8c4ce0c4d617a2ddd15e81d86
Instruction Fuzzy Hash: 33F096B3A0820086E71197A6DD01B567BA4BBD4312F55403AFF45622E1D775584286DD

Function 004056E3 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000003,00402C62,C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe,80000000,00000003), ref: 004056E7
CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405709

Memory Dump Source

Source File: 00000000.00000002.2064108994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2064095141.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064122993.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064185192.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: f96d5d8e90d761c4e0dddf78ec48930a46771e4615b27f2c581d09f506512028
Instruction ID: 518821d5ca0a74227a37217cadb520a33af9faec79942caa6648154b48e23ab6
Opcode Fuzzy Hash: f96d5d8e90d761c4e0dddf78ec48930a46771e4615b27f2c581d09f506512028
Instruction Fuzzy Hash: DDD09E71658301AFEF098F20DE1AF2E7AA2EB84B01F10962CB646940E0D6715C15DB16

Function 0040307D Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(00000000,00000000,00000000,00000000,000000FF,?,00402EAA,000000FF,00000004,00000000,00000000,00000000), ref: 00403094

Memory Dump Source

Source File: 00000000.00000002.2064108994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2064095141.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064122993.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064185192.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 728267699a9b44ddad9e6e694247195ab13049bac6004c2e56fc09e99b3f0f19
Instruction ID: 43e3c0ed55451ca58d66c179b0d5cd373ba627774d09ad719adf1b780fd88a5d
Opcode Fuzzy Hash: 728267699a9b44ddad9e6e694247195ab13049bac6004c2e56fc09e99b3f0f19
Instruction Fuzzy Hash: F0E08631101119BBCF105E61AC00A9B3F9CEB05362F00C032FA04E5190D538DA14DBA5

Function 00403E0A Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00010424,00000000,00000000,00000000), ref: 00403E1C

Memory Dump Source

Source File: 00000000.00000002.2064108994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2064095141.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064122993.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064185192.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: c5061dae57279ed18d5e0219b0993123e9bb10419d0af8d34ddcf4ee1c6729a0
Instruction ID: 4a69275ab6afdcc9dd23c2635c3fa87663c4bda3d9f509ac91b66b343a6ea2c2
Opcode Fuzzy Hash: c5061dae57279ed18d5e0219b0993123e9bb10419d0af8d34ddcf4ee1c6729a0
Instruction Fuzzy Hash: 0FC04C717443016AEA20DB51DE45F0777589754B01F548465B604A50D0C674E410D65D

Function 00403DF3 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000028,?,00000001,00403C24), ref: 00403E01

Memory Dump Source

Source File: 00000000.00000002.2064108994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2064095141.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064122993.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064185192.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: acb417c3046c5230bf261fb3a85c5b045a6b8022903fbd0a553d80ffe77ce434
Instruction ID: d5eec3387bf9f2af87c3deac1be3c081a68759b5cbc5052c90a1cd046c0f3978
Opcode Fuzzy Hash: acb417c3046c5230bf261fb3a85c5b045a6b8022903fbd0a553d80ffe77ce434
Instruction Fuzzy Hash: BCB01275BC4201FBEE219B01DE09F457E62E764701F008074B305240F0C6B210A1DF0D

Function 004030AF Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(00000000,00000000,00000000,00402DE9,000081E4), ref: 004030BD

Memory Dump Source

Source File: 00000000.00000002.2064108994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2064095141.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064122993.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064185192.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 2028dafccfaa88a297be93e7ba1f52e009ec02dcd94d5fd44c1761bf2bffe23e
Instruction ID: eafd0aff1283cdec3023edec91852d87283cefa69c9b21bce59c6677f93a42a7
Opcode Fuzzy Hash: 2028dafccfaa88a297be93e7ba1f52e009ec02dcd94d5fd44c1761bf2bffe23e
Instruction Fuzzy Hash: 14B01271644200BFDB214F00DF06F057B21A790701F108030B344380F082712420EB1E

Function 00403DE0 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00403BBD), ref: 00403DEA

Memory Dump Source

Source File: 00000000.00000002.2064108994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2064095141.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064122993.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064185192.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: e3f2ba33d58efc8432ae633466a552196efcc3252a2fe2007ece747084bac9c6
Instruction ID: 5393fb3fd4ec66336373a3cea7bd514d8462fd9d014250aae94180e38f4c2131
Opcode Fuzzy Hash: e3f2ba33d58efc8432ae633466a552196efcc3252a2fe2007ece747084bac9c6
Instruction Fuzzy Hash: AFA002755051009BCA515B50DF048457A61A754701B458475F1459017487315861EB6A

Function 0040347B Relevance: 1.3, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(FFFFFFFF,004032EB,00000000), ref: 00403486

Memory Dump Source

Source File: 00000000.00000002.2064108994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2064095141.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064122993.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064185192.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 31f78a86cd46fd7a0018bd77bfa4d4c204eb943dc09def5fdfba012cb08fa724
Instruction ID: dd629d7ffa80b2531d7668e5a1a305395e4adc4893f6b58610a8e469f8d50dee
Opcode Fuzzy Hash: 31f78a86cd46fd7a0018bd77bfa4d4c204eb943dc09def5fdfba012cb08fa724
Instruction Fuzzy Hash: F8C01230504600E6D2246F759E0A6093A18574173AB904336B179B50F1C77C5901453E

Non-executed Functions

Function 004046F9 Relevance: 65.2, APIs: 33, Strings: 4, Instructions: 478windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404710
GetDlgItem.USER32(?,00000408), ref: 0040471D
GlobalAlloc.KERNEL32(00000040,00000002), ref: 00404769
LoadBitmapA.USER32(0000006E), ref: 0040477C
SetWindowLongA.USER32(?,000000FC,00404CFA), ref: 00404796
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 004047AA
ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 004047BE
SendMessageA.USER32(?,00001109,00000002), ref: 004047D3
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 004047DF
SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 004047F1
DeleteObject.GDI32(?), ref: 004047F6
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404821
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 0040482D
SendMessageA.USER32(?,00001100,00000000,?), ref: 004048C2
SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 004048ED
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404901
GetWindowLongA.USER32(?,000000F0), ref: 00404930
SetWindowLongA.USER32(?,000000F0,00000000), ref: 0040493E
ShowWindow.USER32(?,00000005), ref: 0040494F
SendMessageA.USER32(?,00000419,00000000,?), ref: 00404A52
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404AB7
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404ACC
SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404AF0
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404B16
ImageList_Destroy.COMCTL32(00000000), ref: 00404B2B
GlobalFree.KERNEL32(00000000), ref: 00404B3B
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404BAB
SendMessageA.USER32(?,00001102,00000410,?), ref: 00404C54
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404C63
InvalidateRect.USER32(?,00000000,00000001), ref: 00404C83
ShowWindow.USER32(?,00000000), ref: 00404CD1
GetDlgItem.USER32(?,000003FE), ref: 00404CDC
ShowWindow.USER32(00000000), ref: 00404CE3

Strings

e?K, xrefs: 00404C89
, xrefs: 00404CBB
N, xrefs: 0040498D
M, xrefs: 004048A9

Memory Dump Source

Source File: 00000000.00000002.2064108994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2064095141.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064122993.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064185192.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N$e?K
API String ID: 1638840714-2675625110
Opcode ID: 9006264d80cea567de8ea85ae76f5f4e6db86d56f38ece968a838e3dcd762fad
Instruction ID: 30a51c26aaa2b30bd696497e7e47c5adc9155ce2862f65cc436e234c57937e2f
Opcode Fuzzy Hash: 9006264d80cea567de8ea85ae76f5f4e6db86d56f38ece968a838e3dcd762fad
Instruction Fuzzy Hash: D402AFB0A00208AFDB20DF55DD45AAE7BB5FB84314F10817AF611BA2E1D7799E42CF58

Function 00405A2E Relevance: 24.7, APIs: 8, Strings: 6, Instructions: 197stringCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(00000000,Completed,00000000,00404DE2,Completed,00000000), ref: 00405AD6
GetSystemDirectoryA.KERNEL32(: Completed,00000400), ref: 00405B51
GetWindowsDirectoryA.KERNEL32(: Completed,00000400), ref: 00405B64
SHGetSpecialFolderLocation.SHELL32(?,00418EC2), ref: 00405BA0
SHGetPathFromIDListA.SHELL32(00418EC2,: Completed), ref: 00405BAE
CoTaskMemFree.OLE32(00418EC2), ref: 00405BB9
lstrcatA.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch), ref: 00405BDB
lstrlenA.KERNEL32(: Completed,00000000,Completed,00000000,00404DE2,Completed,00000000), ref: 00405C2D

Strings

e?K, xrefs: 00405A3B
Software\Microsoft\Windows\CurrentVersion, xrefs: 00405B20
Completed, xrefs: 00405A5F
<K, xrefs: 00405A4C
: Completed, xrefs: 00405A57, 00405B1E, 00405B3B, 00405B50, 00405B63, 00405B7F, 00405BAA, 00405BDA, 00405BE0, 00405BF8, 00405C0B, 00405C26, 00405C2C, 00405C37, 00405C61
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00405BD5

Memory Dump Source

Source File: 00000000.00000002.2064108994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2064095141.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064122993.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064185192.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: <K$: Completed$Completed$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$e?K
API String ID: 900638850-1680338167
Opcode ID: 836fece74e7b83efcc8e6abf991d18e4324180e390ed0b8ba3fefc28c16e2b61
Instruction ID: e3937826694aa96a66c9679703be47664347117baa65301e61951ea2719d1281
Opcode Fuzzy Hash: 836fece74e7b83efcc8e6abf991d18e4324180e390ed0b8ba3fefc28c16e2b61
Instruction Fuzzy Hash: DB51F331A04B05AAEF219B689C84BBF3BB4DB15314F54423BE912B62D0D27C6D42DF4E

Function 004041FC Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 266stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404248
SetWindowTextA.USER32(?,?), ref: 00404275
SHBrowseForFolderA.SHELL32(?,004293B0,?), ref: 0040432A
CoTaskMemFree.OLE32(00000000), ref: 00404335
lstrcmpiA.KERNEL32(: Completed,00429FE0), ref: 00404367
lstrcatA.KERNEL32(?,: Completed), ref: 00404373
SetDlgItemTextA.USER32(?,000003FB,?), ref: 00404383

Part of subcall function 004052B1: GetDlgItemTextA.USER32(?,?,00000400,004043B6), ref: 004052C4

Part of subcall function 00405C6E: CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe",C:\Users\user\AppData\Local\Temp\,00000000,004030D2,C:\Users\user\AppData\Local\Temp\,00000000,00403244), ref: 00405CC6
Part of subcall function 00405C6E: CharNextA.USER32(?,?,?,00000000), ref: 00405CD3
Part of subcall function 00405C6E: CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe",C:\Users\user\AppData\Local\Temp\,00000000,004030D2,C:\Users\user\AppData\Local\Temp\,00000000,00403244), ref: 00405CD8
Part of subcall function 00405C6E: CharPrevA.USER32(?,?,"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe",C:\Users\user\AppData\Local\Temp\,00000000,004030D2,C:\Users\user\AppData\Local\Temp\,00000000,00403244), ref: 00405CE8

GetDiskFreeSpaceA.KERNEL32(00428FA8,?,?,0000040F,?,00428FA8,00428FA8,?,00000000,00428FA8,?,?,000003FB,?), ref: 0040443C
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404457
SetDlgItemTextA.USER32(00000000,00000400,00428F98), ref: 004044D0

Strings

e?K, xrefs: 0040449F
: Completed, xrefs: 00404361, 00404366, 00404371
A, xrefs: 00404323

Memory Dump Source

Source File: 00000000.00000002.2064108994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2064095141.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064122993.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064185192.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
String ID: : Completed$A$e?K
API String ID: 2246997448-3218851189
Opcode ID: 6ab1eb65d489d7f474ee6da6f1ce318879e7bc5207f6923fd53d8865a327c9bb
Instruction ID: 52dfe11e264a0fce323933678d720eed1997f61c196974170264a293bd140da1
Opcode Fuzzy Hash: 6ab1eb65d489d7f474ee6da6f1ce318879e7bc5207f6923fd53d8865a327c9bb
Instruction Fuzzy Hash: 19915FB1A00219ABDF11AFA1CC85AAF7BB8EF84315F10407BFA00B6291D77C99418F59

Function 00405331 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 156filestringCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(?,?,"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe",00000000), ref: 0040534F
lstrcatA.KERNEL32(0042AFE8,\*.*,0042AFE8,?,00000000,?,"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe",00000000), ref: 00405399
lstrcatA.KERNEL32(?,00409010,?,0042AFE8,?,00000000,?,"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe",00000000), ref: 004053BA
lstrlenA.KERNEL32(?,?,00409010,?,0042AFE8,?,00000000,?,"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe",00000000), ref: 004053C0
FindFirstFileA.KERNEL32(0042AFE8,?,?,?,00409010,?,0042AFE8,?,00000000,?,"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe",00000000), ref: 004053D1
FindNextFileA.KERNEL32(?,00000010,000000F2,?), ref: 00405483
FindClose.KERNEL32(?), ref: 00405494

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405331
"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe", xrefs: 0040533B
\*.*, xrefs: 00405393

Memory Dump Source

Source File: 00000000.00000002.2064108994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2064095141.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064122993.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064185192.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-3962766423
Opcode ID: fb5f0b97fd6045d75f3de5e206462d23269cef9c6319140f549f9214963cb2b4
Instruction ID: 46a167c19d0f92bb62e791f7a1b0a3e0954e7dde2177130d433e16ae92940f3d
Opcode Fuzzy Hash: fb5f0b97fd6045d75f3de5e206462d23269cef9c6319140f549f9214963cb2b4
Instruction Fuzzy Hash: 84510130904A5476DB21AB218C85BFF3A68DF4231AF14813BF941752D2C77C49C2DE5E

Function 00402020 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 134comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00407490,?,00000001,00407480,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402073
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,00409378,00000400,?,00000001,00407480,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040212D

Strings

C:\Users\user\AppData\Local\Temp\Stand Alone CNP\Mongoose, xrefs: 004020AB

Memory Dump Source

Source File: 00000000.00000002.2064108994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2064095141.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064122993.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064185192.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Users\user\AppData\Local\Temp\Stand Alone CNP\Mongoose
API String ID: 123533781-1638439677
Opcode ID: e2440bd97a0de28c640c01a9d5d42cc8b810f7137a49c2ac781f9d5420d32ae4
Instruction ID: ee874f8c2dec57c4877f78095a0f9dac743c80c93ea62094aeb2a8065092a27c
Opcode Fuzzy Hash: e2440bd97a0de28c640c01a9d5d42cc8b810f7137a49c2ac781f9d5420d32ae4
Instruction Fuzzy Hash: 07417D75A00205BFCB40DFA4CD88E9E7BBABF48354B204269FA15FB2D1CA799D41CB54

Function 00405D07 Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(?,0042C030,0042B3E8,00405623,0042B3E8,0042B3E8,00000000,0042B3E8,0042B3E8,?,?,00000000,00405345,?,"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe",00000000), ref: 00405D12
FindClose.KERNEL32(00000000), ref: 00405D1E

Memory Dump Source

Source File: 00000000.00000002.2064108994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2064095141.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064122993.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064185192.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 0ba34ad688579e7913e3aeb04dcfdbb9c24dd4cd636fec125d72bd6057fbbed4
Instruction ID: 6bc8dc8487d68019062fb65c0caa7a5850599756ae9c65598668cc32d68c0862
Opcode Fuzzy Hash: 0ba34ad688579e7913e3aeb04dcfdbb9c24dd4cd636fec125d72bd6057fbbed4
Instruction Fuzzy Hash: C5D0123195D5309BD31017797C0C85B7A58DF293317108A33F025F22E0D3749C519AED

Function 0040263E Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 0040264D

Memory Dump Source

Source File: 00000000.00000002.2064108994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2064095141.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064122993.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064185192.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 91dde0ba118db7d7ebc8a8be9eaa396cb067559f4d74f26d235d81ef142ed7f1
Instruction ID: c4edc1118dc91e0c9440d01bfde8b8f2caf312925950fbc99ec99334c7621aa2
Opcode Fuzzy Hash: 91dde0ba118db7d7ebc8a8be9eaa396cb067559f4d74f26d235d81ef142ed7f1
Instruction Fuzzy Hash: E3F0E572648101DFD700EBB49D49AEEB768DF51328FA007BBF502F20C1C2B84945DB2A

Function 00406128 Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2064108994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2064095141.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064122993.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064185192.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2605cf98d0f5e4d904242d25cd3a4b56aad5cd8bbaf3b06cd26a7c18d89d64d
Instruction ID: 671146196c1174ec618cbc22bbed2adbdbe1d7b4d249fb8fe9215707769dedfe
Opcode Fuzzy Hash: c2605cf98d0f5e4d904242d25cd3a4b56aad5cd8bbaf3b06cd26a7c18d89d64d
Instruction Fuzzy Hash: 3FE16971901B09DFDB24CF58C880BAABBF5EB44305F15852EE897A72D1D378AA51CF44

Function 004068FF Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2064108994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2064095141.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064122993.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064185192.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b751e5aff08849ce342a749075ab7f0bf0a9efd73ac853bc595c300a3c4f69bb
Instruction ID: ce73a9d55fc041a401e528a6b0bed7c2fc314d3430b7e91baefc2d4226deaab1
Opcode Fuzzy Hash: b751e5aff08849ce342a749075ab7f0bf0a9efd73ac853bc595c300a3c4f69bb
Instruction Fuzzy Hash: 51C13A71A002698BDF14CF68C4905EEB7B2FF99314F26827AD856B7380D7346952CF94

Function 00403F06 Relevance: 44.0, APIs: 20, Strings: 5, Instructions: 204windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 00403F91
GetDlgItem.USER32(00000000,000003E8), ref: 00403FA5
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 00403FC3
GetSysColor.USER32(?), ref: 00403FD4
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 00403FE3
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00403FF2
lstrlenA.KERNEL32(?), ref: 00403FFC
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 0040400A
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00404019
GetDlgItem.USER32(?,0000040A), ref: 0040407C
SendMessageA.USER32(00000000), ref: 0040407F
GetDlgItem.USER32(?,000003E8), ref: 004040AA
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 004040EA
LoadCursorA.USER32(00000000,00007F02), ref: 004040F9
SetCursor.USER32(00000000), ref: 00404102
ShellExecuteA.SHELL32(0000070B,open,0042DB00,00000000,00000000,00000001), ref: 00404115
LoadCursorA.USER32(00000000,00007F00), ref: 00404122
SetCursor.USER32(00000000), ref: 00404125
SendMessageA.USER32(00000111,00000001,00000000), ref: 00404151
SendMessageA.USER32(00000010,00000000,00000000), ref: 00404165

Strings

e?K, xrefs: 00403F26
<K, xrefs: 00403F37
: Completed, xrefs: 004040D5
open, xrefs: 0040410D
N, xrefs: 00404098

Memory Dump Source

Source File: 00000000.00000002.2064108994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2064095141.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064122993.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064185192.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: <K$: Completed$N$e?K$open
API String ID: 3615053054-227913076
Opcode ID: ca9ac3b64147b6f3934cc3f9d65700a8f1bf1296ace46b7c3bfa8303cb2a33ee
Instruction ID: 0605a8af88f24b8a239437e517aaa265f180be2417519ff34b25117700073a86
Opcode Fuzzy Hash: ca9ac3b64147b6f3934cc3f9d65700a8f1bf1296ace46b7c3bfa8303cb2a33ee
Instruction Fuzzy Hash: D161C1B1A40209BBEB109F60DD45F6A3B69FF54715F108036FB01BA2D1C7B8A991CF98

Function 00401000 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,?), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,Name Setup,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

Name Setup, xrefs: 00401150
F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.2064108994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2064095141.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064122993.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064185192.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F$Name Setup
API String ID: 941294808-4002928617
Opcode ID: 3029600e7a8438bcc5a7b1f7b0fc9c629607e2b31f65c15310fafe19c7710355
Instruction ID: 226a36137513f208ef2a020474f107b038e547e09bed9ebbc09fe29577f91b00
Opcode Fuzzy Hash: 3029600e7a8438bcc5a7b1f7b0fc9c629607e2b31f65c15310fafe19c7710355
Instruction Fuzzy Hash: C0419B71804249AFCF058FA5CD459BFBFB9FF44314F00812AF952AA1A0C738AA51DFA5

Function 0040575A Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 144filememoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00405D2E: GetModuleHandleA.KERNEL32(?,?,00000000,0040313D,00000008), ref: 00405D40
Part of subcall function 00405D2E: LoadLibraryA.KERNEL32(?,?,00000000,0040313D,00000008), ref: 00405D4B
Part of subcall function 00405D2E: GetProcAddress.KERNEL32(00000000,?), ref: 00405D5C

CloseHandle.KERNEL32(00000000,?,00000000,00000001,00000001,?,00000000,?,?,004054EF,?,00000000,000000F1,?), ref: 004057A7
GetShortPathNameA.KERNEL32(?,0042C170,00000400), ref: 004057B0
GetShortPathNameA.KERNEL32(00000000,0042BBE8,00000400), ref: 004057CD
wsprintfA.USER32 ref: 004057EB
GetFileSize.KERNEL32(00000000,00000000,0042BBE8,C0000000,00000004,0042BBE8,?,?,?,00000000,000000F1,?), ref: 00405826
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,00000000,000000F1,?), ref: 00405835
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,000000F1,?), ref: 0040584B
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,0042B7E8,00000000,-0000000A,00409330,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405891
WriteFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,000000F1,?), ref: 004058A3
GlobalFree.KERNEL32(00000000), ref: 004058AA
CloseHandle.KERNEL32(00000000,?,?,00000000,000000F1,?), ref: 004058B1

Part of subcall function 00405658: lstrlenA.KERNEL32(00000000,?,00000000,00000000,00405866,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040565F
Part of subcall function 00405658: lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,00405866,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040568F

Strings

[Rename], xrefs: 0040585B, 0040586D
%s=%s, xrefs: 004057E1

Memory Dump Source

Source File: 00000000.00000002.2064108994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2064095141.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064122993.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064185192.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$Handle$CloseGlobalNamePathShortlstrlen$AddressAllocFreeLibraryLoadModulePointerProcReadSizeWritewsprintf
String ID: %s=%s$[Rename]
API String ID: 3772915668-1727408572
Opcode ID: 6cb39701302fa091149022549eefa5da3c0be633e3a468fc33eaceea222ec053
Instruction ID: 426fb2abaf3c2c6495405564ff4e517f65c757b77f6bed08917e1be6c8ffeb7f
Opcode Fuzzy Hash: 6cb39701302fa091149022549eefa5da3c0be633e3a468fc33eaceea222ec053
Instruction Fuzzy Hash: 6341FF32606B15ABE3206B619C49F6B3A5CDF80705F004436FD05F62C2E678E8118EBD

Function 00405C6E Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe",C:\Users\user\AppData\Local\Temp\,00000000,004030D2,C:\Users\user\AppData\Local\Temp\,00000000,00403244), ref: 00405CC6
CharNextA.USER32(?,?,?,00000000), ref: 00405CD3
CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe",C:\Users\user\AppData\Local\Temp\,00000000,004030D2,C:\Users\user\AppData\Local\Temp\,00000000,00403244), ref: 00405CD8
CharPrevA.USER32(?,?,"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe",C:\Users\user\AppData\Local\Temp\,00000000,004030D2,C:\Users\user\AppData\Local\Temp\,00000000,00403244), ref: 00405CE8

Strings

*?|<>/":, xrefs: 00405CB6
C:\Users\user\AppData\Local\Temp\, xrefs: 00405C6F, 00405CAA
"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe", xrefs: 00405C74

Memory Dump Source

Source File: 00000000.00000002.2064108994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2064095141.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064122993.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064185192.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-2769233796
Opcode ID: 5aa71b13a4eda0142438c40892e2bf660e792717ed83394db4a483eb7dc85cb7
Instruction ID: 3b67653c5ee308ebbdbeafcda2e7905df7fa5ba98b11233f7c0ae47683edab57
Opcode Fuzzy Hash: 5aa71b13a4eda0142438c40892e2bf660e792717ed83394db4a483eb7dc85cb7
Instruction Fuzzy Hash: 0811905180CB912EFB3206245D44BB7BF89CB567A0F58447BE9C5B22C2CA7C5C429A6D

Function 00403E25 Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EB), ref: 00403E42
GetSysColor.USER32(00000000), ref: 00403E5E
SetTextColor.GDI32(?,00000000), ref: 00403E6A
SetBkMode.GDI32(?,?), ref: 00403E76
GetSysColor.USER32(?), ref: 00403E89
SetBkColor.GDI32(?,?), ref: 00403E99
DeleteObject.GDI32(?), ref: 00403EB3
CreateBrushIndirect.GDI32(?), ref: 00403EBD

Memory Dump Source

Source File: 00000000.00000002.2064108994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2064095141.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064122993.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064185192.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 54c4c26d0880f537c7164b4e2121e342b47f232b14c6c2566c024284623f766e
Instruction ID: df06335cf3b4afc37a3544ae2d30c5d34a8579c70edf0d6bae8496df32602c64
Opcode Fuzzy Hash: 54c4c26d0880f537c7164b4e2121e342b47f232b14c6c2566c024284623f766e
Instruction Fuzzy Hash: DC219671904709ABCB219F78DD08B4B7FF8AF00715F048A29F855E22E0D338E904CB95

Function 0040267C Relevance: 10.6, APIs: 7, Instructions: 89memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00008200,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 004026D0
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,000000F0), ref: 004026EC
GlobalFree.KERNEL32(?), ref: 00402725
WriteFile.KERNEL32(FFFFFD66,00000000,?,FFFFFD66,?,?,?,?,000000F0), ref: 00402737
GlobalFree.KERNEL32(00000000), ref: 0040273E
CloseHandle.KERNEL32(FFFFFD66,?,?,000000F0), ref: 00402756
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 0040276A

Memory Dump Source

Source File: 00000000.00000002.2064108994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2064095141.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064122993.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064185192.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID:
API String ID: 3294113728-0
Opcode ID: 127149d4f0cce16dfe4a3af1efdcab4b76b2a353eb8979ce4d539156ac24bc73
Instruction ID: 62f2159171fbc9033078dd1539b67ba065abfcd1800d5973976be9d0b9eda31e
Opcode Fuzzy Hash: 127149d4f0cce16dfe4a3af1efdcab4b76b2a353eb8979ce4d539156ac24bc73
Instruction Fuzzy Hash: DE319F71C00128BBDF216FA5CD89EAE7E78EF04364F10422AF524772E0C7795D419BA9

Function 00404679 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404694
GetMessagePos.USER32 ref: 0040469C
ScreenToClient.USER32(?,?), ref: 004046B6
SendMessageA.USER32(?,00001111,00000000,?), ref: 004046C8
SendMessageA.USER32(?,0000110C,00000000,?), ref: 004046EE

Strings

f, xrefs: 004046CA

Memory Dump Source

Source File: 00000000.00000002.2064108994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2064095141.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064122993.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064185192.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 2a5698d5089c35727aab5c3c5da7bcfb0b51a0b1d2cb1bbeaafe9db8233e3477
Instruction ID: b5388fb2048f9adb4f66bcd81e9da03b2d8faafec29f08353259a6dacb87349b
Opcode Fuzzy Hash: 2a5698d5089c35727aab5c3c5da7bcfb0b51a0b1d2cb1bbeaafe9db8233e3477
Instruction Fuzzy Hash: 0E014071D00219BADB00DB94DC45BEEBBB8AB59711F10016ABA11B61C0D7B865418BA5

Function 00402B3B Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B56
MulDiv.KERNEL32(000193E2,00000064,000193E6), ref: 00402B81
wsprintfA.USER32 ref: 00402B91
SetWindowTextA.USER32(?,?), ref: 00402BA1
SetDlgItemTextA.USER32(?,00000406,?), ref: 00402BB3

Strings

verifying installer: %d%%, xrefs: 00402B8B

Memory Dump Source

Source File: 00000000.00000002.2064108994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2064095141.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064122993.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064185192.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: fb9d5c419c19e2bdb6c378f6819b1ebc1dc21d5e7d0f0b4f2b85ce684f360012
Instruction ID: 3d98ddf4d84b742d5460afe4edfb6d9be597fa80bf04213b3bc288f28cb5f5da
Opcode Fuzzy Hash: fb9d5c419c19e2bdb6c378f6819b1ebc1dc21d5e7d0f0b4f2b85ce684f360012
Instruction Fuzzy Hash: 82014470A40209ABDB209F60DD09FAE3779BB04345F008039FA06A92D1D7B8AA558F99

Function 00401F51 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 00401F7C

Part of subcall function 00404DAA: lstrlenA.KERNEL32(Completed,00000000,00418EC2,759223A0,?,?,?,?,?,?,?,?,?,00402FB6,00000000,?), ref: 00404DE3
Part of subcall function 00404DAA: lstrlenA.KERNEL32(00402FB6,Completed,00000000,00418EC2,759223A0,?,?,?,?,?,?,?,?,?,00402FB6,00000000), ref: 00404DF3
Part of subcall function 00404DAA: lstrcatA.KERNEL32(Completed,00402FB6,00402FB6,Completed,00000000,00418EC2,759223A0), ref: 00404E06
Part of subcall function 00404DAA: SetWindowTextA.USER32(Completed,Completed), ref: 00404E18
Part of subcall function 00404DAA: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404E3E
Part of subcall function 00404DAA: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E58
Part of subcall function 00404DAA: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E66

LoadLibraryExA.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00401F8C
GetProcAddress.KERNEL32(00000000,?), ref: 00401F9C
FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00402007

Strings

B, xrefs: 00401FC7

Memory Dump Source

Source File: 00000000.00000002.2064108994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2064095141.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064122993.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064185192.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID: B
API String ID: 2987980305-3806887055
Opcode ID: 6d46612d3a10ff1fde0679903579df7a40cee65c269d183f8d6d4642c898af7f
Instruction ID: bf94c0598684f4a2e8798aed6ecd64900ad0f6fcd097f114c8a1beddd358b100
Opcode Fuzzy Hash: 6d46612d3a10ff1fde0679903579df7a40cee65c269d183f8d6d4642c898af7f
Instruction Fuzzy Hash: 5121EE72D04216EBCF107FA5CE49A6E75B06F45358F20433BF511B62E1C77C4941A65E

Function 0040381E Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 71COMMON

Download Yara Rule

APIs

SetWindowTextA.USER32(00000000,Name Setup), ref: 004038B6

Strings

Name Setup, xrefs: 004038A5
e?K, xrefs: 00403893
C:\Users\user\AppData\Local\Temp\, xrefs: 0040381F
1033, xrefs: 00403822, 0040382C, 0040389D

Memory Dump Source

Source File: 00000000.00000002.2064108994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2064095141.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064122993.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064185192.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: TextWindow
String ID: 1033$C:\Users\user\AppData\Local\Temp\$Name Setup$e?K
API String ID: 530164218-1873200483
Opcode ID: 48b09981901e30c4345b6e5c0cee300cf490ae76efe8ca9e2f713c31fa19992d
Instruction ID: f58d08b88b77c55e92e539ad5181c9965f6bbcffbd0d008a8b371c472e4a47a6
Opcode Fuzzy Hash: 48b09981901e30c4345b6e5c0cee300cf490ae76efe8ca9e2f713c31fa19992d
Instruction Fuzzy Hash: 9311D176B001009BC734EF56DC809737BADEB8471636881BFEC02A7390D639A8038A98

Function 00402A36 Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(?,?,00000000,00000000,?), ref: 00402A57
RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402A93
RegCloseKey.ADVAPI32(?), ref: 00402A9C
RegCloseKey.ADVAPI32(?), ref: 00402AC1
RegDeleteKeyA.ADVAPI32(?,?), ref: 00402ADF

Memory Dump Source

Source File: 00000000.00000002.2064108994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2064095141.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064122993.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064185192.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: b26b43b9b7666f40e9fdb218fe96b22a79156d573bb7d5cc257a1d138f5a7564
Instruction ID: 324dab2b24170647655e9dcbeda369d8ff673eed47d89bab0de13a8960c84090
Opcode Fuzzy Hash: b26b43b9b7666f40e9fdb218fe96b22a79156d573bb7d5cc257a1d138f5a7564
Instruction Fuzzy Hash: 4F115675A00008FFEF31AF91DE49DAB7B6DEB40384B104436FA05B10A0DBB59E51AE69

Function 00401CC1 Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 00401CC5
GetClientRect.USER32(00000000,?), ref: 00401CD2
LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401CF3
SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D01
DeleteObject.GDI32(00000000), ref: 00401D10

Memory Dump Source

Source File: 00000000.00000002.2064108994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2064095141.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064122993.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064185192.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 945e42f754af583b5ec13e30839ce2662c59fcb97218ebcfb2175b3756829da0
Instruction ID: f89edaf4e673e5a696cf4c500be88082f9c29b5fdabb6c66a10e118bddb835aa
Opcode Fuzzy Hash: 945e42f754af583b5ec13e30839ce2662c59fcb97218ebcfb2175b3756829da0
Instruction Fuzzy Hash: 71F01DB2E04105BFD700EBA4EE89DAFB7BDEB44345B104576F602F6190C678AD018B69

Function 00404597 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00429FE0,00429FE0,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004044B7,000000DF,0000040F,00000400,00000000), ref: 00404625
wsprintfA.USER32 ref: 0040462D
SetDlgItemTextA.USER32(?,00429FE0), ref: 00404640

Strings

%u.%u%s%s, xrefs: 0040460F

Memory Dump Source

Source File: 00000000.00000002.2064108994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2064095141.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064122993.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064185192.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 308c210494ba65c8d6c58fead7846ea59173cd15c70e93c8128561061e7c40a4
Instruction ID: a73c68329ee831a229c644748369bffc84c82a565a353c3d841dc2820e0c3950
Opcode Fuzzy Hash: 308c210494ba65c8d6c58fead7846ea59173cd15c70e93c8128561061e7c40a4
Instruction Fuzzy Hash: 9911D0737001243BDB10A66D9C46EEF329ADBC6334F14023BFA25F61D1E9388C5286E8

Function 00401BAD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C0D
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C25

Strings

!, xrefs: 00401BE1

Memory Dump Source

Source File: 00000000.00000002.2064108994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2064095141.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064122993.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064185192.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 5e77a80833e19dc55b8a20fadec5ab0659a97bc6c71de6bcb2193ca436d8299f
Instruction ID: e870f9960eb541ab862ab70d99fa676f0883abea00e9f1964bf1c40a5587cb5b
Opcode Fuzzy Hash: 5e77a80833e19dc55b8a20fadec5ab0659a97bc6c71de6bcb2193ca436d8299f
Instruction Fuzzy Hash: 3B21C4B1A44209BFEF01AFB4CE4AAAE7B75EF40344F14053EF602B60D1D6B84980E718

Function 0040526C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,0042BFE8,Error launching installer), ref: 00405291
CloseHandle.KERNEL32(?), ref: 0040529E

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040526C
Error launching installer, xrefs: 0040527F

Memory Dump Source

Source File: 00000000.00000002.2064108994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2064095141.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064122993.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064185192.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: C:\Users\user\AppData\Local\Temp\$Error launching installer
API String ID: 3712363035-7751565
Opcode ID: dc33ac1254d82063a7b9e43172f0f507123e59eb9c5a5fd92b1179a08dc1bdb0
Instruction ID: 9c205d3d1494e9e4afb0e3639077779a104ecf70f113e6d393e41fe649cd8d97
Opcode Fuzzy Hash: dc33ac1254d82063a7b9e43172f0f507123e59eb9c5a5fd92b1179a08dc1bdb0
Instruction Fuzzy Hash: FBE0ECB4A04209ABEB00EF64ED09D7B7BBCEB00304B408522A911E2290D778E410CEB9

Function 004054FF Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004030E4,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403244), ref: 00405505
CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004030E4,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403244), ref: 0040550E
lstrcatA.KERNEL32(?,00409010), ref: 0040551F

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004054FF

Memory Dump Source

Source File: 00000000.00000002.2064108994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2064095141.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064122993.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064185192.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-823278215
Opcode ID: f17b2ccdaa8efd10834e0f4341d4d5b977b2bb6e8559feba5c8cad9ccc1df0ef
Instruction ID: dfec000a3f5bf2671270dd29e8f8c50a5f72ee918dd093ba8f25731816a648b4
Opcode Fuzzy Hash: f17b2ccdaa8efd10834e0f4341d4d5b977b2bb6e8559feba5c8cad9ccc1df0ef
Instruction Fuzzy Hash: FCD0A972705A307ED2022A19AC06F8F2A88CF17301B044822F100B62D2C23C9E418FFE

Function 00402303 Relevance: 6.1, APIs: 4, Instructions: 71registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.ADVAPI32(00000000,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 00402341
lstrlenA.KERNEL32(0040A380,00000023,?,?,?,00000000,?,?,?,00000011,00000002), ref: 00402361
RegSetValueExA.ADVAPI32(?,?,?,?,0040A380,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 0040239A
RegCloseKey.ADVAPI32(?,?,?,0040A380,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 0040247D

Memory Dump Source

Source File: 00000000.00000002.2064108994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2064095141.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064122993.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064185192.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID:
API String ID: 1356686001-0
Opcode ID: 81d27fc1e3ab509f11f0648c0d675ea1f801cb77e08bc1b8ef6c2a36b769e97e
Instruction ID: 74c2b7e5efa1a9b7d251dd878628ee018497e02546d33d1ea7114f4406d6c15c
Opcode Fuzzy Hash: 81d27fc1e3ab509f11f0648c0d675ea1f801cb77e08bc1b8ef6c2a36b769e97e
Instruction Fuzzy Hash: 721160B1E00209BFEB10AFA5DE89EAF767CFB40398F10453AF901B71D0D6B85D019669

Function 00401EC5 Relevance: 6.1, APIs: 4, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeA.VERSION(00000000,?,000000EE), ref: 00401ED4
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401EF2
GetFileVersionInfoA.VERSION(?,?,?,00000000), ref: 00401F0B
VerQueryValueA.VERSION(?,00409010,?,?,?,?,?,00000000), ref: 00401F24

Part of subcall function 0040596A: wsprintfA.USER32 ref: 00405977

Memory Dump Source

Source File: 00000000.00000002.2064108994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2064095141.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064122993.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064185192.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
String ID:
API String ID: 1404258612-0
Opcode ID: 099a0aa409c47306a0e5e8436e4e2e7c61bc24b53b401cebe12c2d8cce08dfb0
Instruction ID: ac83c8b0d38e5b491d5bd27050ffdb4091974a4b49ad9b19d675067d3fb65d11
Opcode Fuzzy Hash: 099a0aa409c47306a0e5e8436e4e2e7c61bc24b53b401cebe12c2d8cce08dfb0
Instruction Fuzzy Hash: 201148B2900108BFDB01EFA5D981DAEBBB9EF04344B24807AF505F61E1D7389A54DB28

Function 00405593 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

CharNextA.USER32(ES@,?,0042B3E8,00000000,004055F7,0042B3E8,0042B3E8,?,?,00000000,00405345,?,"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe",00000000), ref: 004055A1
CharNextA.USER32(00000000), ref: 004055A6
CharNextA.USER32(00000000), ref: 004055B5

Strings

ES@, xrefs: 0040559C, 004055A0

Memory Dump Source

Source File: 00000000.00000002.2064108994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2064095141.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064122993.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064185192.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CharNext
String ID: ES@
API String ID: 3213498283-1851447614
Opcode ID: 68c7f773aafbecf3834176a21eebbfbca0b4bda0270daf5a8c718fc322178301
Instruction ID: f60ec20427defc95a9886ae099bd540e39d30c8fbbaad3333d1940da6ed1a81e
Opcode Fuzzy Hash: 68c7f773aafbecf3834176a21eebbfbca0b4bda0270daf5a8c718fc322178301
Instruction Fuzzy Hash: F8F0A7A2D44B25B6E73222A84C44B6B6BADDB55711F244437E200B61D597B84C828FBA

Function 00401D1B Relevance: 6.0, APIs: 4, Instructions: 34COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401D22
GetDeviceCaps.GDI32(00000000), ref: 00401D29
MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D38
CreateFontIndirectA.GDI32(0040AF84), ref: 00401D8A

Memory Dump Source

Source File: 00000000.00000002.2064108994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2064095141.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064122993.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064185192.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirect
String ID:
API String ID: 3272661963-0
Opcode ID: bbbcfc34ac2d637fe9c3dcd2aae23fbeb0c3268bdde6826654245cc777324362
Instruction ID: 580b179190550232f88f4ba5e52f5296c98f8c4b0afe68c870f47754878f2485
Opcode Fuzzy Hash: bbbcfc34ac2d637fe9c3dcd2aae23fbeb0c3268bdde6826654245cc777324362
Instruction Fuzzy Hash: 68F044F1A45342AEE702A7B0AE4B7993B649725309F100436F545BA1E2C5BC00149B7F

Function 00402BBE Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,00402D9E,00000001), ref: 00402BD1
GetTickCount.KERNEL32 ref: 00402BEF
CreateDialogParamA.USER32(0000006F,00000000,00402B3B,00000000), ref: 00402C0C
ShowWindow.USER32(00000000,00000005), ref: 00402C1A

Memory Dump Source

Source File: 00000000.00000002.2064108994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2064095141.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064122993.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064185192.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: c87a5157f8204693ca179b822d2a85440fc20d6be017f85e77c31dbe1d2c93c5
Instruction ID: df45f881ccb5ca36463c1a09230da8cf23750fca8468dec1cd15007da7f5e5e8
Opcode Fuzzy Hash: c87a5157f8204693ca179b822d2a85440fc20d6be017f85e77c31dbe1d2c93c5
Instruction Fuzzy Hash: 22F0F430A09120EBC6716F95FD4C99B7F64E704B157504437F001B55F5D67878829B9D

Function 00404CFA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00404D30
CallWindowProcA.USER32(?,00000200,?,?), ref: 00404D9E

Part of subcall function 00403E0A: SendMessageA.USER32(00010424,00000000,00000000,00000000), ref: 00403E1C

Strings

, xrefs: 00404D08

Memory Dump Source

Source File: 00000000.00000002.2064108994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2064095141.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064122993.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064185192.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 498d22ec92de87507460055f31d3341dd140a7d0c04a54d74523ea2b6bf50dd0
Instruction ID: b16bf2df46199d4e0f4b20eb531931f7d117dfa55111be6f57691eac5a9fa7e0
Opcode Fuzzy Hash: 498d22ec92de87507460055f31d3341dd140a7d0c04a54d74523ea2b6bf50dd0
Instruction Fuzzy Hash: 25114F71600218BBDB219F52DC41AAB3B69AF84365F00813FFA04B91E1C37D8D51CFA9

Function 004024BE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34filestringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000011), ref: 004024DC
WriteFile.KERNEL32(00000000,?,open C:\Users\user\AppData\Local\Temp\Stand Alone CNP\Mongoose\mongoose.bat,00000000,?,?,00000000,00000011), ref: 004024FB

Strings

open C:\Users\user\AppData\Local\Temp\Stand Alone CNP\Mongoose\mongoose.bat, xrefs: 004024CA, 004024EF

Memory Dump Source

Source File: 00000000.00000002.2064108994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2064095141.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064122993.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064185192.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FileWritelstrlen
String ID: open C:\Users\user\AppData\Local\Temp\Stand Alone CNP\Mongoose\mongoose.bat
API String ID: 427699356-1009940584
Opcode ID: 01a20a6393f6cf1e01e81d8ef9af866549bd590d312b5bd55c7394e971cc1238
Instruction ID: 266b505f4b4a70e0031bd9b61304a7f29979de1156be46298b6644775383f0d6
Opcode Fuzzy Hash: 01a20a6393f6cf1e01e81d8ef9af866549bd590d312b5bd55c7394e971cc1238
Instruction Fuzzy Hash: 70F0B4B2B04201AFDB00EBA19E49AAF36589B40348F14443BB142F50C2D6BC4941AB6D

Function 004034C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe",00000000,00000000,00403498,004032EB,00000000), ref: 004034DA
GlobalFree.KERNEL32(00000000), ref: 004034E1

Strings

"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe", xrefs: 004034D2

Memory Dump Source

Source File: 00000000.00000002.2064108994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2064095141.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064122993.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064185192.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe"
API String ID: 1100898210-4288195720
Opcode ID: 46acf84ebda6383aa3704241e203cd439e3c816428f1e63aa7a51627b246d5e2
Instruction ID: a7ab284cabc648ba81e11ba063b903b3b671d5f7e61a69f5101281db245b6d62
Opcode Fuzzy Hash: 46acf84ebda6383aa3704241e203cd439e3c816428f1e63aa7a51627b246d5e2
Instruction Fuzzy Hash: E1E08C329110209BD6221F05AE0575A7B6D6B44B32F02802AE9407B2A087746C424BDD

Function 00405546 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402C8E,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe,C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe,80000000,00000003), ref: 0040554C
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402C8E,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe,C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe,80000000,00000003), ref: 0040555A

Strings

C:\Users\user\Desktop, xrefs: 00405546

Memory Dump Source

Source File: 00000000.00000002.2064108994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2064095141.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064122993.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064185192.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-1246513382
Opcode ID: 49376fbf8c9c30057c1bc985cc011eea510fd351d3a644e674ee9e82abf7fe19
Instruction ID: fca702df0190f5d4796b13fce4c8f5ccfdab60c3fa8ed772e71c257c4247ae30
Opcode Fuzzy Hash: 49376fbf8c9c30057c1bc985cc011eea510fd351d3a644e674ee9e82abf7fe19
Instruction Fuzzy Hash: 39D0A772508EB07EE70366149C00B9F7A88CF13340F094462E040A61D4C27C4D418FFD

Function 00405658 Relevance: 5.0, APIs: 4, Instructions: 30stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,?,00000000,00000000,00405866,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040565F
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405678
CharNextA.USER32(00000000,?,?,00000000,000000F1,?), ref: 00405686
lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,00405866,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040568F

Memory Dump Source

Source File: 00000000.00000002.2064108994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2064095141.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064122993.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064136165.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2064185192.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 0108cf067d6f6d80c8ed850288af8a4b3b9133f156f8bdff26d83f0dd252fb59
Instruction ID: fee4d645b7b415a6dc1afaac75e8b1817c7eae67fc86a6e8a33b60f3285d70db
Opcode Fuzzy Hash: 0108cf067d6f6d80c8ed850288af8a4b3b9133f156f8bdff26d83f0dd252fb59
Instruction Fuzzy Hash: 05F0A736309D519AC2125B295C04A6F6A98EF91314B58097AF444F2140E33A9C119BBF

Analysis Process: mongoose-2.11.exePID: 6556, Parent PID: 632COMMON

Execution Graph

Execution Coverage:	2.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.3%
Total number of Nodes:	1815
Total number of Limit Nodes:	15

Executed Functions

Function 004011DD Relevance: 59.7, APIs: 26, Strings: 8, Instructions: 169
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__p___argv.MSVCRT ref: 004011EE
CreatePopupMenu.USER32 ref: 00401240
AppendMenuA.USER32(00000000,00000001,00000067,Mongoose web server v.2.11), ref: 00401258
AppendMenuA.USER32(00000000,00000800,00000067,0041EA48), ref: 00401267
_snprintf.MSVCRT ref: 00401292
AppendMenuA.USER32(00000000,00000001,00000067,?), ref: 004012A7
AppendMenuA.USER32(00000000,00000000,00000068,Install), ref: 004012BA
AppendMenuA.USER32(00000000,00000000,00000069,Deinstall), ref: 004012CD
AppendMenuA.USER32(00000000,00000800,00000067,0041EA48), ref: 004012DC
AppendMenuA.USER32(00000000,00000000,00000066,Edit config file), ref: 004012E7
AppendMenuA.USER32(00000000,00000000,00000065,Exit), ref: 004012F2
GetCursorPos.USER32(?), ref: 004012F8
SetForegroundWindow.USER32(?), ref: 00401301
TrackPopupMenu.USER32(00000000,00000000,?,?,00000000,?,00000000), ref: 00401314
PostMessageA.USER32(?,00000000,00000000,00000000), ref: 00401320
DestroyMenu.USER32(00000000), ref: 00401327

Part of subcall function 00401919: fopen.MSVCRT ref: 00401933
Part of subcall function 00401919: fclose.MSVCRT ref: 0040193C
Part of subcall function 00401919: _snprintf.MSVCRT ref: 004019BB
Part of subcall function 00401919: WinExec.KERNEL32(?,00000005), ref: 004019CB

__p___argv.MSVCRT ref: 0040137F
__p___argv.MSVCRT ref: 0040138E
strcmp.MSVCRT ref: 00401395
StartServiceCtrlDispatcherA.ADVAPI32(0041C018,00000001,?), ref: 004013B0
exit.MSVCRT ref: 004013B7
__p___argv.MSVCRT ref: 004013BD
__p___argc.MSVCRT ref: 004013C1
DefWindowProcA.USER32(?,?,?,?,00000000), ref: 004013DA

Strings

not, xrefs: 0040127B, 00401280
Exit, xrefs: 004012E9
Install, xrefs: 004012AE
NT service: %s installed, xrefs: 00401281
Mongoose web server v.2.11, xrefs: 0040124C
Edit config file, xrefs: 004012DE
HA, xrefs: 00401274
Deinstall, xrefs: 004012C1

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: Menu$Append$__p___argv$PopupWindow_snprintf$CreateCtrlCursorDestroyDispatcherExecForegroundMessagePostProcServiceStartTrack__p___argcexitfclosefopenstrcmp
String ID: Deinstall$Edit config file$Exit$HA$Install$Mongoose web server v.2.11$NT service: %s installed$not
API String ID: 3027329245-2341887206
Opcode ID: c12703516d0bcbe26c4a5e167041d00d1514cbb1c8d54a5a830500ee4c167f7a
Instruction ID: b3b0f60b90a3ab617dc186cc2026bf5c19435290f6956d2a4900c6a0cd96bf70
Opcode Fuzzy Hash: c12703516d0bcbe26c4a5e167041d00d1514cbb1c8d54a5a830500ee4c167f7a
Instruction Fuzzy Hash: 58516071640208FFEB10AFA1DC89EAE3EB9AB08745F108477F901A61F0C7788D51DB69

Function 004034CD Relevance: 31.6, APIs: 10, Strings: 8, Instructions: 132
stringnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040365F: strchr.MSVCRT ref: 00403678
Part of subcall function 0040365F: memchr.MSVCRT ref: 004036B4

Part of subcall function 0040370D: memset.MSVCRT ref: 0040371E
Part of subcall function 0040370D: sscanf.MSVCRT ref: 0040374B
Part of subcall function 0040370D: htonl.WS2_32(00000000), ref: 00403788
Part of subcall function 0040370D: strchr.MSVCRT ref: 004037A0
Part of subcall function 0040370D: htons.WS2_32(?), ref: 004037DB

socket.WS2_32(00000002,00000001,00000006), ref: 00403529
bind.WS2_32(00000000,?,?), ref: 00403540
listen.WS2_32(00000000,00000014), ref: 0040354D
calloc.MSVCRT ref: 0040355B
closesocket.WS2_32(00000000), ref: 00403586
GetLastError.KERNEL32 ref: 0040358C
strerror.MSVCRT ref: 00403593
closesocket.WS2_32(00000000), ref: 00403611
GetLastError.KERNEL32(?,00000000), ref: 00403617
strerror.MSVCRT ref: 0040361E

Part of subcall function 00401E9E: _vsnprintf.MSVCRT ref: 00401EBC
Part of subcall function 00401E9E: time.MSVCRT(00000000,00000200,?,0041C478,00000000,00000002), ref: 00401F06
Part of subcall function 00401E9E: inet_ntoa.WS2_32(?), ref: 00401F15
Part of subcall function 00401E9E: fprintf.MSVCRT ref: 00401F29
Part of subcall function 00401E9E: fprintf.MSVCRT ref: 00401F3F
Part of subcall function 00401E9E: fprintf.MSVCRT ref: 00401F51
Part of subcall function 00401E9E: fputc.MSVCRT ref: 00401F56
Part of subcall function 00401E9E: fclose.MSVCRT ref: 00401F6D

Strings

%s: cannot bind to %.*s: %s, xrefs: 004035A8
line 3298, xrefs: 004035A3
[IP_ADDRESS:]PORT[s|p], xrefs: 004035D3
%s: %s, xrefs: 0040362B
line 3303, xrefs: 00403626
line 3283, xrefs: 004035E0
%s: %.*s: invalid port spec. Expecting list of: %s, xrefs: 004035E5
Cannot add SSL socket, is -ssl_cert option set?, xrefs: 004035FB

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: fprintf$ErrorLastclosesocketstrchrstrerror$_vsnprintfbindcallocfclosefputchtonlhtonsinet_ntoalistenmemchrmemsetsocketsscanftime
String ID: %s: %.*s: invalid port spec. Expecting list of: %s$%s: %s$%s: cannot bind to %.*s: %s$Cannot add SSL socket, is -ssl_cert option set?$[IP_ADDRESS:]PORT[s|p]$line 3283$line 3298$line 3303
API String ID: 4281905591-1965145212
Opcode ID: 798cd53ed21bf49a532603f4919389de453ca77fb5d7323985f74bb22d618b02
Instruction ID: 630a0e11554f8b9424e38d9dd4c25bbb11b9cc353d9a06a98028f573021a26d5
Opcode Fuzzy Hash: 798cd53ed21bf49a532603f4919389de453ca77fb5d7323985f74bb22d618b02
Instruction Fuzzy Hash: A8417471544300BFC610AF60DC45A5BBFACAB48B06F10493FF946B62E1EA79D641875E

Function 0040156D Relevance: 65.0, APIs: 20, Strings: 17, Instructions: 208
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fprintf.MSVCRT ref: 00401588
fprintf.MSVCRT ref: 00401598
fprintf.MSVCRT ref: 004015A8
fprintf.MSVCRT ref: 004015B8
fprintf.MSVCRT ref: 004015C8
fprintf.MSVCRT ref: 004015D8
fprintf.MSVCRT ref: 0040160A
fprintf.MSVCRT ref: 00401628
fprintf.MSVCRT ref: 00401638
exit.MSVCRT ref: 0040163F
_snprintf.MSVCRT ref: 00401682
strrchr.MSVCRT ref: 00401691
fopen.MSVCRT ref: 004016D0
_errno.MSVCRT ref: 004016EA
strerror.MSVCRT ref: 004016F2
fprintf.MSVCRT ref: 00401720
fgets.MSVCRT ref: 0040173C
sscanf.MSVCRT ref: 00401774

Strings

mongoose -A <htpasswd_file> <realm> <user> <passwd>, xrefs: 0040159F
mongoose <config_file>, xrefs: 004015AF
%s: line %d is invalid, xrefs: 00401786
See http://code.google.com/p/mongoose/wiki/MongooseManual for more details., xrefs: 0040161F
mongoose.conf, xrefs: 0040169D
Mongoose version %s (c) Sergey Lyubka, xrefs: 0040157F
Usage:, xrefs: 0040158F
Example: mongoose -s cert.pem -p 80,443s -d no, xrefs: 0040162F
Loading config file %s, xrefs: 0040171A
#, xrefs: 00401748
OPTIONS:, xrefs: 004015CF
HA, xrefs: 004015F2
-%s %s (default: "%s"), xrefs: 00401604
Cannot open config file %s: %s, xrefs: 004016FA
%s %[^#], xrefs: 0040176E
mongoose [-option value ...], xrefs: 004015BF
c:\Mongoose\mongoose.conf, xrefs: 00401677, 00401681, 004016CF, 004016F9, 00401716, 00401785

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: fprintf$_errno_snprintfexitfgetsfopensscanfstrerrorstrrchr
String ID: -%s %s (default: "%s")$ mongoose -A <htpasswd_file> <realm> <user> <passwd>$ mongoose <config_file>$ mongoose [-option value ...]$#$%s %[^#]$%s: line %d is invalid$Cannot open config file %s: %s$Example: mongoose -s cert.pem -p 80,443s -d no$HA$Loading config file %s$Mongoose version %s (c) Sergey Lyubka$OPTIONS:$See http://code.google.com/p/mongoose/wiki/MongooseManual for more details.$Usage:$c:\Mongoose\mongoose.conf$mongoose.conf
API String ID: 4061444988-3999420203
Opcode ID: 2baf541621830d366c973037c9738947ce14974c9cfa0915dae2c3178250e76d
Instruction ID: df13d1741afd1f7eee6ef90c1a9593053dbc86eaa52b3bc6240777a356ad1431
Opcode Fuzzy Hash: 2baf541621830d366c973037c9738947ce14974c9cfa0915dae2c3178250e76d
Instruction Fuzzy Hash: D56192B2D40215BBDB119B98DC85FDA7BB8AF08304F148067F505E72A1E778D980CB9D

Function 00401646 Relevance: 31.6, APIs: 10, Strings: 8, Instructions: 143
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_snprintf.MSVCRT ref: 00401682
strrchr.MSVCRT ref: 00401691
_snprintf.MSVCRT ref: 004016C1
fopen.MSVCRT ref: 004016D0
_errno.MSVCRT ref: 004016EA
strerror.MSVCRT ref: 004016F2
fprintf.MSVCRT ref: 00401720
fgets.MSVCRT ref: 0040173C
sscanf.MSVCRT ref: 00401774
fgets.MSVCRT ref: 004017B4

Strings

Loading config file %s, xrefs: 0040171A
#, xrefs: 00401748
Cannot open config file %s: %s, xrefs: 004016FA
%s: line %d is invalid, xrefs: 00401786
mongoose.conf, xrefs: 0040169D, 004016A6
%s %[^#], xrefs: 0040176E
c:\Mongoose\mongoose.conf, xrefs: 00401677, 00401681, 004016B6, 004016C0, 004016CF, 004016F9, 00401716, 00401785
%.*s%c%s, xrefs: 004016B1

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: _snprintffgets$_errnofopenfprintfsscanfstrerrorstrrchr
String ID: #$%.*s%c%s$%s %[^#]$%s: line %d is invalid$Cannot open config file %s: %s$Loading config file %s$c:\Mongoose\mongoose.conf$mongoose.conf
API String ID: 3319206403-3217560927
Opcode ID: 3d3b91bb5b6c84cf3dbc0ed4eb0d5c7b8d1013268f4f5cf9eb79fe3c35852779
Instruction ID: 1028c2ae47c57b1951b2b5dc92a25f65961a07d5799eeeaf5bcbdda15485909e
Opcode Fuzzy Hash: 3d3b91bb5b6c84cf3dbc0ed4eb0d5c7b8d1013268f4f5cf9eb79fe3c35852779
Instruction Fuzzy Hash: ED41C371940218BFDB219B94CC85BDA7BB8EF05304F5480B7F944A72E1D7789E90CBA9

Function 004010B2 Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 91
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004011C1: _snprintf.MSVCRT ref: 004011D3

memset.MSVCRT ref: 004010C9
LoadIconA.USER32(00000000,00007F00), ref: 004010DE
RegisterClassA.USER32(?), ref: 004010F3
CreateWindowExA.USER32(00000000,?,Mongoose web server v.2.11,00CF0000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040110B
ShowWindow.USER32(00000000,00000000,?,?,00000000), ref: 00401115
GetModuleHandleA.KERNEL32(00000000,000000C8,00000001,00000010,00000010,00000000,?,?,00000000), ref: 00401146
LoadImageA.USER32(00000000,?,?,00000000), ref: 0040114D
_snprintf.MSVCRT ref: 0040116B
Shell_NotifyIconA.SHELL32(00000000,0041E9F0), ref: 00401184
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00401197
TranslateMessage.USER32(?), ref: 004011A1
DispatchMessageA.USER32(?), ref: 004011AB

Strings

Mongoose web server v.2.11, xrefs: 004010EA, 00401106, 00401153

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: Message$IconLoadWindow_snprintf$ClassCreateDispatchHandleImageModuleNotifyRegisterShell_ShowTranslatememset
String ID: Mongoose web server v.2.11
API String ID: 4091936274-2848873769
Opcode ID: 465eb1b4d5896550f5dae889aa67613aec9c38f9b51bcd54aa65b02fd433deeb
Instruction ID: c81dbd0f87c7e809291cad0e189476809b7a1cb4c995ae344f42c1a4fc6c77f6
Opcode Fuzzy Hash: 465eb1b4d5896550f5dae889aa67613aec9c38f9b51bcd54aa65b02fd433deeb
Instruction Fuzzy Hash: 8B216DB6942229BBD7109BA2EC4DEDF3F7CEF49744F008565FA05A6190C7B85006CBAD

Function 00416A2F Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00416A5C
__p__fmode.MSVCRT ref: 00416A71
__p__commode.MSVCRT ref: 00416A7F
__setusermatherr.MSVCRT ref: 00416AAB
_initterm.MSVCRT ref: 00416AC1
__getmainargs.MSVCRT ref: 00416AE4
_initterm.MSVCRT ref: 00416AF4
GetStartupInfoA.KERNEL32(?), ref: 00416B33
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00416B57
exit.MSVCRT ref: 00416B67
_XcptFilter.MSVCRT ref: 00416B79

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: bd5cb691d8af13c4f9e70bb1e19a4dc403c33a907dcbea3e278e747aad2a9e87
Instruction ID: fdf2fb2138757aa62f0b2f98c97dd9d781ac8ee512a3acf9c520c0a961696f3f
Opcode Fuzzy Hash: bd5cb691d8af13c4f9e70bb1e19a4dc403c33a907dcbea3e278e747aad2a9e87
Instruction Fuzzy Hash: B9417E71944354AFC720AFA4DC45AEA7FB8EB09710F21852FE98197391D7389881CB58

Function 004013E6 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 83
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

exit.MSVCRT ref: 00401429

Part of subcall function 0040156D: fprintf.MSVCRT ref: 00401588
Part of subcall function 0040156D: fprintf.MSVCRT ref: 00401598
Part of subcall function 0040156D: fprintf.MSVCRT ref: 004015A8
Part of subcall function 0040156D: fprintf.MSVCRT ref: 004015B8
Part of subcall function 0040156D: fprintf.MSVCRT ref: 004015C8
Part of subcall function 0040156D: fprintf.MSVCRT ref: 004015D8
Part of subcall function 0040156D: fprintf.MSVCRT ref: 0040160A
Part of subcall function 0040156D: fprintf.MSVCRT ref: 00401628
Part of subcall function 0040156D: fprintf.MSVCRT ref: 00401638
Part of subcall function 0040156D: exit.MSVCRT ref: 0040163F
Part of subcall function 0040156D: _snprintf.MSVCRT ref: 00401682

strcmp.MSVCRT ref: 0040143D
strcmp.MSVCRT ref: 00401450
signal.MSVCRT ref: 0040147C
signal.MSVCRT ref: 00401481
free.MSVCRT ref: 004014AB

Strings

Failed to start Mongoose. Maybe some options are assigned bad values?Try to run with '-e error_log.txt' and check error_log.txt for more information., xrefs: 004014C5
pr4v, xrefs: 0040146E
--help, xrefs: 00401448

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: fprintf$exitsignalstrcmp$_snprintffree
String ID: --help$Failed to start Mongoose. Maybe some options are assigned bad values?Try to run with '-e error_log.txt' and check error_log.txt for more information.$pr4v
API String ID: 3458989752-243818466
Opcode ID: e9e4e1881729414940f7b5fe6451e51a54a1c25a2b98b9dd1953868935ea6681
Instruction ID: 82d21cab4819b9b5620618a306a2e9bdff39ec7c61b6e0ba9b4bb3b8a13f6aaf
Opcode Fuzzy Hash: e9e4e1881729414940f7b5fe6451e51a54a1c25a2b98b9dd1953868935ea6681
Instruction Fuzzy Hash: 1721F331A40314AEDB30ABA5DC46BA63BB8EF41714F50803FF949A61F1D7389984CA59

Function 00403289 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 141
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000202,?), ref: 004032A1
calloc.MSVCRT ref: 004032AE
atoi.MSVCRT(?,00000000,Function_00006F4A,00000000,000004E0,00000000,000004E8,00000000,00000070,00000000,0000006C,00000000,00000000,00000000,00000000,00000000), ref: 004033BF
GetLastError.KERNEL32(00000000,Function_00003C80,00000000), ref: 004033D6
atoi.MSVCRT(?,00000000,Function_00003C80,00000000), ref: 004033FA

Part of subcall function 00401B7E: strcmp.MSVCRT ref: 00401B97
Part of subcall function 00401B7E: strcmp.MSVCRT ref: 00401BA9

Part of subcall function 00403408: strlen.MSVCRT ref: 0040340C

Strings

Cannot start worker thread: %d, xrefs: 004033DD
%s: option value cannot be NULL, xrefs: 004032FD
Invalid option: %s, xrefs: 004032F5

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: atoistrcmp$ErrorLastStartupcallocstrlen
String ID: %s: option value cannot be NULL$Cannot start worker thread: %d$Invalid option: %s
API String ID: 1280764243-3226165084
Opcode ID: 6564aebbaadb434432a1d126d3be8bee44e2fae7180af9b28c3024287ac3e484
Instruction ID: 0db026bc6bc77ed40038cf6359e0936edcd257cf8d38cba91543af228e63f920
Opcode Fuzzy Hash: 6564aebbaadb434432a1d126d3be8bee44e2fae7180af9b28c3024287ac3e484
Instruction Fuzzy Hash: 774181716003016AD711AF769C86E9B3EAC9F4531AF14443BB906B62C2DB7CDB41866D

Function 00403C80 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 74
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

atoi.MSVCRT(?), ref: 00403C8A
calloc.MSVCRT ref: 00403C9B
time.MSVCRT(00000000,?,00000238), ref: 00403CD4
htons.WS2_32(?), ref: 00403CEF
memcpy.MSVCRT(0000001C,0000025C,00000004), ref: 00403D08
htonl.WS2_32(0000001C), ref: 00403D12
free.MSVCRT ref: 00403D48

Strings

VD, xrefs: 00403D3C

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: atoicallocfreehtonlhtonsmemcpytime
String ID: VD
API String ID: 1951994481-297103433
Opcode ID: 67328113d7cf1e419171672e71b18e28e361dedae0a9da691245c0ec84345ebc
Instruction ID: 3c7bce99130b73eb495c973d56a6fd04ac09ea3a1156c8a4c93082bd7bac16f3
Opcode Fuzzy Hash: 67328113d7cf1e419171672e71b18e28e361dedae0a9da691245c0ec84345ebc
Instruction Fuzzy Hash: DD215E71504711AFC711AF31D889BDB7BECBF49305F00053AF95AE2281DB78A605CA69

Function 00401883 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 43
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strchr.MSVCRT ref: 00401896
strncpy.MSVCRT ref: 004018B4
_stat.MSVCRT(?,?), ref: 004018C8

Strings

@, xrefs: 004018D4
Invalid root directory: "%s", xrefs: 004018DB

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: _statstrchrstrncpy
String ID: @$Invalid root directory: "%s"
API String ID: 3719870297-2171919715
Opcode ID: a14d0238bfb74ff801bb54141e4b5d70e0bf060e2b823dbaf53cd27b427c333e
Instruction ID: ce19ffdefb482cfea4e55ac77e2e2ee80468468da0517748b0d798a15216cdf5
Opcode Fuzzy Hash: a14d0238bfb74ff801bb54141e4b5d70e0bf060e2b823dbaf53cd27b427c333e
Instruction Fuzzy Hash: 5FF0C2335042196ADB14AAA5AC09EDB3BECDB4A734F108037E900F61D1DA78974586EC

Function 00401000 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 29
sleepregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegisterServiceCtrlHandlerA.ADVAPI32(Mongoose web server v.2.11,00401082), ref: 0040102A
SetServiceStatus.SECHOST(00000000,0041E9A8), ref: 00401042
Sleep.KERNELBASE(000003E8), ref: 00401052
SetServiceStatus.ADVAPI32(0041E9A8), ref: 0040107D

Strings

Mongoose web server v.2.11, xrefs: 00401007

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: Service$Status$CtrlHandlerRegisterSleep
String ID: Mongoose web server v.2.11
API String ID: 2346796585-2848873769
Opcode ID: fc53310aeff9b701d5d238f7a9316dcb6b176575eb79809b336af9f8bb26df8d
Instruction ID: b746e6ba5b5d7dd8439937ef474e3dcd0d1bf0518f675fd0017a2ab6bd371a1d
Opcode Fuzzy Hash: fc53310aeff9b701d5d238f7a9316dcb6b176575eb79809b336af9f8bb26df8d
Instruction Fuzzy Hash: ECF049B8925280DAD750AB13EC08B823EA4EBC4325F00C13AEA08662F0C3790541DF5E

Function 00401801 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 48
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strcmp.MSVCRT ref: 0040180C
strcmp.MSVCRT ref: 0040181F

Strings

document_root, xrefs: 00401804
Too many options specified, xrefs: 0040186E

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: strcmp
String ID: Too many options specified$document_root
API String ID: 1004003707-3944412641
Opcode ID: febac9a286801631834c776c15bb2ec41fd7ee757ee78aa8ec04ab71d1ecd3fa
Instruction ID: 8e5f3c9edfc55107dc5a630e6bb6574d5787e743508526015ebc562af2661075
Opcode Fuzzy Hash: febac9a286801631834c776c15bb2ec41fd7ee757ee78aa8ec04ab71d1ecd3fa
Instruction Fuzzy Hash: 1A01A233180215BBDB153F9AEC42A9A77A4AF10368F21C13BF811751F0D73DDA9196D9

Function 00406F4A Relevance: 4.6, APIs: 3, Instructions: 87
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

select.WS2_32(00000002,?,00000000,00000000,000000FF), ref: 00406FA7
Sleep.KERNEL32(000003E8), ref: 00406FB6
__WSAFDIsSet.WS2_32(?,?), ref: 00406FCF

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: Sleepselect
String ID:
API String ID: 3651608395-0
Opcode ID: c54da4b483b65c0ab9b3c7e633be1f93ccc3620827f2dbb8e8b9078a25ac45cf
Instruction ID: 4283d8713967163e2ba3648652a9297ff0c3089b56806b789f56bf6a6070e9df
Opcode Fuzzy Hash: c54da4b483b65c0ab9b3c7e633be1f93ccc3620827f2dbb8e8b9078a25ac45cf
Instruction Fuzzy Hash: 2931C4B2804609ABC720EFA5C881DEBB7BDAF00314F11453FF146A3181D738BA51CB59

Function 0040349D Relevance: 3.0, APIs: 2, Instructions: 19
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(00000000,00000000,00000070,00000070,00000000,00000000), ref: 004034AE
CloseHandle.KERNELBASE(00000000), ref: 004034BB

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: CloseCreateHandleThread
String ID:
API String ID: 3032276028-0
Opcode ID: fcbd532bf3ec9640bf4904635f01fe5e4db24dbf2e7bb2f4c9c5930b3b3c6ccb
Instruction ID: bc9f89bd7913208e9571a17ceead3d1314e1f8da3389e7b609bd28edb318a6c9
Opcode Fuzzy Hash: fcbd532bf3ec9640bf4904635f01fe5e4db24dbf2e7bb2f4c9c5930b3b3c6ccb
Instruction Fuzzy Hash: BCD05E32999B32A7E2224B506C05F8B6E609F18B91F028510BA04AD1E0C664CD9586E9

Function 00403448 Relevance: 1.5, APIs: 1, Instructions: 12
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexA.KERNELBASE(00000000,00000000,00000000,0040391B,00000000,00000000,00403360,00000000,00000000), ref: 0040344E

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: f24674c1958c31e43000196e10ad25bfa6aa6e9b22db0195e4c8837c04cba69a
Instruction ID: 9848c7f95141e3b988b8d6b029c04f5785c2e4b51aa7fefa3a5202728d7aa73f
Opcode Fuzzy Hash: f24674c1958c31e43000196e10ad25bfa6aa6e9b22db0195e4c8837c04cba69a
Instruction Fuzzy Hash: 69C08C3434930157E30C8B348D16B0A36E4AB48B01F20C02CB60BDA2D0CAB09C109618

Non-executed Functions

Function 004019DB Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 104servicestringCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,-80000001,76325C80,00000000), ref: 00401A0F
GetModuleFileNameA.KERNEL32(00000000,?,00000118), ref: 00401A3E
strncat.MSVCRT ref: 00401A57
strncat.MSVCRT ref: 00401A67
CreateServiceA.ADVAPI32(00000068,0041C028,0041C028,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000), ref: 00401A8D
ChangeServiceConfig2A.ADVAPI32(00000000,00000001,Mongoose web server v.2.11), ref: 00401AA1
CloseServiceHandle.ADVAPI32(00000000), ref: 00401AFA
CloseServiceHandle.ADVAPI32(00000069), ref: 00401AFF

Part of subcall function 00401B0A: GetLastError.KERNEL32(00000400,?,00000100,00000000), ref: 00401B26
Part of subcall function 00401B0A: FormatMessageA.KERNEL32(00001200,00000000,00000000), ref: 00401B34
Part of subcall function 00401B0A: MessageBoxA.USER32(00000000,?,Error,00000000), ref: 00401B4A

Strings

i, xrefs: 00401AA9
Mongoose web server v.2.11, xrefs: 004019F0, 00401A9D

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: Service$CloseHandleMessagestrncat$ChangeConfig2CreateErrorFileFormatLastManagerModuleNameOpen
String ID: Mongoose web server v.2.11$i
API String ID: 714193591-3586339273
Opcode ID: a7d25674349965e659f51cf7e0bffeaf1afb26e83de53252aeabfadec2a5615c
Instruction ID: 238eb56d3514fed8b205fb28953995f0121f8702d0a1a630f391fe02de2bd528
Opcode Fuzzy Hash: a7d25674349965e659f51cf7e0bffeaf1afb26e83de53252aeabfadec2a5615c
Instruction Fuzzy Hash: E5310372A45218FBDB209FA4DC85BDE7ABCFB08354F118476F601B2160D3789E50DB69

Function 0040DE89 Relevance: 13.9, APIs: 8, Strings: 1, Instructions: 369COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(0041C13C,0041C038,00000004,0041C038,0041C038,0041C13C,0040E45A,0041C038,0041C13C,?,<=@,0041C038,00000000), ref: 0040DEA7
memcpy.MSVCRT(0041C038,Mongoose web server v.%s,00000004,0041C13C,0041C038,00000004,0041C038,0041C038,0041C13C,0040E45A,0041C038,0041C13C,?,<=@,0041C038,00000000), ref: 0040DEB6
memcpy.MSVCRT(?,0041C040,00000004,0041C038,Mongoose web server v.%s,00000004,0041C13C,0041C038,00000004,0041C038,0041C038,0041C13C,0040E45A,0041C038,0041C13C,?), ref: 0040DEC5
memcpy.MSVCRT(0041C13C,0041C02C,00000004,?,0041C040,00000004,0041C038,Mongoose web server v.%s,00000004,0041C13C,0041C038,00000004,0041C038,0041C038,0041C13C,0040E45A), ref: 0040DED4
memcpy.MSVCRT(0040E45A,0041C13C,00000004,0041C13C,?,0041C038,0041C13C,0041C13C,?,0041C038,0041C13C), ref: 0040E398
memcpy.MSVCRT(0040E45E,0041C038,00000004,0040E45A,0041C13C,00000004,0041C13C,?,0041C038,0041C13C,0041C13C,?,0041C038,0041C13C), ref: 0040E3A6
memcpy.MSVCRT(0040E462,?,00000004,0040E45E,0041C038,00000004,0040E45A,0041C13C,00000004,0041C13C,?,0041C038,0041C13C,0041C13C,?,0041C038), ref: 0040E3B4
memcpy.MSVCRT(0040E44E,0041C13C,00000004,0040E462,?,00000004,0040E45E,0041C038,00000004,0040E45A,0041C13C,00000004,0041C13C,?,0041C038,0041C13C), ref: 0040E3C2

Strings

Mongoose web server v.%s, xrefs: 0040DEB1

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: memcpy
String ID: Mongoose web server v.%s
API String ID: 3510742995-2175243079
Opcode ID: e0de17d777144d2e9099a0aad09dfe8ea885b82285641bbc473e9373a3a49cf7
Instruction ID: 11632d8f44d237656281d3a92e057c836be0e97cde5e591e001609247cbc8d56
Opcode Fuzzy Hash: e0de17d777144d2e9099a0aad09dfe8ea885b82285641bbc473e9373a3a49cf7
Instruction Fuzzy Hash: 44F19772900265ABCB00CFA9ECD08DE77B1EF4A301B45C52FE64957691C734EA11DBA4

Function 0040D943 Relevance: 10.4, APIs: 8, Instructions: 370COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,00000004,?,?,?,?,?,?,?,?,?,0041C038,0041C038,?,00401DA4), ref: 0040D966
memcpy.MSVCRT(?,FFFFFF1D,00000004,?,?,00000004,?,?,?,?,?,?,?,?,?,0041C038), ref: 0040D974
memcpy.MSVCRT(?,?,00000004,?,FFFFFF1D,00000004,?,?,00000004,?,?,?), ref: 0040D982
memcpy.MSVCRT(?,?,00000004,?,?,00000004,?,FFFFFF1D,00000004,?,?,00000004,?,?,?), ref: 0040D990
memcpy.MSVCRT(?,?,00000004,?,?,?,?,?,?,?,?), ref: 0040DE50
memcpy.MSVCRT(FFFFFF1D,?,00000004,?,?,00000004,?,?,?,?,?,?,?,?), ref: 0040DE5E
memcpy.MSVCRT(?,?,00000004,FFFFFF1D,?,00000004,?,?,00000004,?,?,?,?,?,?,?), ref: 0040DE6C
memcpy.MSVCRT(?,?,00000004,?,?,00000004,FFFFFF1D,?,00000004,?,?,00000004,?,?,?,?), ref: 0040DE7A

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 87e92e811f9f662f4f1b9f8f707ae50d97cc192f18cb8d45e9d99136d26c9ebc
Instruction ID: 7eb74d126974f385b962462bdec1fefd5e0b7245d53fd0843a95915955db48a9
Opcode Fuzzy Hash: 87e92e811f9f662f4f1b9f8f707ae50d97cc192f18cb8d45e9d99136d26c9ebc
Instruction Fuzzy Hash: 18F1B976900225ABDB01CFAADCC04DE77F6EF8A311B46C56AEA4857351C734FA11CBA4

Function 0040501B Relevance: 9.1, APIs: 6, Instructions: 53fileCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(00000008), ref: 00405031
malloc.MSVCRT ref: 0040503E

Part of subcall function 00401FEB: strlen.MSVCRT ref: 0040201B
Part of subcall function 00401FEB: fprintf.MSVCRT ref: 0040207C
Part of subcall function 00401FEB: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00401FBC), ref: 004020A2

GetFileAttributesW.KERNEL32(00000104,00000000,?,00000104), ref: 0040506A
wcscat.MSVCRT ref: 00405088
FindFirstFileW.KERNEL32(?,00000004), ref: 0040509B
free.MSVCRT ref: 004050AD

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: File$AttributesByteCharErrorFindFirstLastMultiWidefprintffreemallocstrlenwcscat
String ID:
API String ID: 392836878-0
Opcode ID: e79b47d1286230eb7d141f15a89abe5fc7a5f6592ced7b812b44449566576ae1
Instruction ID: 6205375535422fb98c65416112280eb74cae250845da2a52f834980c0f9ca461
Opcode Fuzzy Hash: e79b47d1286230eb7d141f15a89abe5fc7a5f6592ced7b812b44449566576ae1
Instruction Fuzzy Hash: E211E172804718ABDB219B64DC49BCF7BB8EB08710F104237F592E11D1DB7899848ED9

Function 00401B0A Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 21windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000400,?,00000100,00000000), ref: 00401B26
FormatMessageA.KERNEL32(00001200,00000000,00000000), ref: 00401B34
MessageBoxA.USER32(00000000,?,Error,00000000), ref: 00401B4A

Strings

Error, xrefs: 00401B42

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: Message$ErrorFormatLast
String ID: Error
API String ID: 3971115935-2619118453
Opcode ID: 4ccfe3fa539967b1ae96428d2f5248a1eebe62ae31662a1700949b05acea0baa
Instruction ID: 763ea1061007aa920f46b8dc7f88ff7b1de4ebba141e84736df05a43fb68c6f2
Opcode Fuzzy Hash: 4ccfe3fa539967b1ae96428d2f5248a1eebe62ae31662a1700949b05acea0baa
Instruction Fuzzy Hash: 39E012753C83087BF311A7909C0BFE53A7CA70CB46F1000A1B745EA0D1D6E066858BBE

Function 00410B5F Relevance: 4.5, APIs: 3, Instructions: 27encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,00410B04,?,?,00000020,00000000,?), ref: 00410B70
CryptGenRandom.ADVAPI32(00000000,?,?), ref: 00410B88
CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 00410B9B

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: Crypt$Context$AcquireRandomRelease
String ID:
API String ID: 1815803762-0
Opcode ID: 30b063b7c377ade30999de5261aa69e96fa3445498b83d155d090c18a643c283
Instruction ID: a71b62a3c0dc8fed6adabca901635108085f1f366887e3670e039babefef7bde
Opcode Fuzzy Hash: 30b063b7c377ade30999de5261aa69e96fa3445498b83d155d090c18a643c283
Instruction Fuzzy Hash: EAE0123124C311FEEA310FA0DC04FD67BA5AF097A8F218926F295B40E4D2B5A4D0961D

Function 004114C1 Relevance: 3.0, APIs: 2, Instructions: 31networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(?,?,?,00000000), ref: 004114D2
WSAGetLastError.WS2_32(?,?,?,00000000), ref: 004114DC

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: ErrorLastrecv
String ID:
API String ID: 2514157807-0
Opcode ID: ed0bf3bbaab8c12acd455cb48166f4a06002cce13a8dd5f765726d1e335034f3
Instruction ID: 633b258b162bd797bd3c45fa1815db1eeecf56bba4e2147d0149f59b7c395aed
Opcode Fuzzy Hash: ed0bf3bbaab8c12acd455cb48166f4a06002cce13a8dd5f765726d1e335034f3
Instruction Fuzzy Hash: 59F0393120C1017ADE2947B88C85AAE2242EB85738F308B1BF637D12F1EA3CC981611B

Function 00407760 Relevance: 91.3, APIs: 43, Strings: 9, Instructions: 342stringfileCOMMON

Download Yara Rule

APIs

strncpy.MSVCRT ref: 00407797
strncpy.MSVCRT ref: 004077B4
strncpy.MSVCRT ref: 004077C4
fopen.MSVCRT ref: 004077D1
fgets.MSVCRT ref: 004077F3
strlen.MSVCRT ref: 00407803
strncmp.MSVCRT ref: 00407814
ftell.MSVCRT ref: 0040782A
strncpy.MSVCRT ref: 00407851
strncpy.MSVCRT ref: 00407861
fseek.MSVCRT ref: 00407868
fgets.MSVCRT ref: 00407875
strlen.MSVCRT ref: 00407885
strncmp.MSVCRT ref: 00407896
fgets.MSVCRT ref: 004078AA
ftell.MSVCRT ref: 004078B1
fgets.MSVCRT ref: 004078C9
strlen.MSVCRT ref: 004078E6
strncmp.MSVCRT ref: 004078F4
fgets.MSVCRT ref: 0040790E
strstr.MSVCRT ref: 0040792A
strstr.MSVCRT ref: 00407938
strstr.MSVCRT ref: 0040794F
strstr.MSVCRT ref: 00407988
memcpy.MSVCRT(?,00000000,00000000), ref: 0040799A
memcpy.MSVCRT(?,?,00000020,?,00000000,00000000), ref: 004079B1
strstr.MSVCRT ref: 004079C6
fgets.MSVCRT ref: 004079F5
ftell.MSVCRT ref: 004079FA
fgets.MSVCRT ref: 00407A10
strlen.MSVCRT ref: 00407A20
strncmp.MSVCRT ref: 00407A31
ftell.MSVCRT ref: 00407A3F
fgets.MSVCRT ref: 00407A4F
malloc.MSVCRT ref: 00407A7E
fseek.MSVCRT ref: 00407A98
fread.MSVCRT ref: 00407AA5
malloc.MSVCRT ref: 00407AB4
free.MSVCRT ref: 00407ADC
fclose.MSVCRT ref: 00407AE3
free.MSVCRT ref: 00407B06
fclose.MSVCRT ref: 00407B13
fclose.MSVCRT ref: 00407B1F

Strings

-----END CERTIFICATE-----, xrefs: 0040779B
Proc-Type, xrefs: 004078D6
-----END PRIVATE KEY-----, xrefs: 0040785B
-----BEGIN RSA PRIVATE KEY-----, xrefs: 004077AE
-----END RSA PRIVATE KEY-----, xrefs: 004077B8
DES, xrefs: 00407924
-----BEGIN CERTIFICATE-----, xrefs: 00407791
-----BEGIN PRIVATE KEY-----, xrefs: 0040784B
AES, xrefs: 00407949

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: fgets$strncpystrstr$ftellstrlenstrncmp$fclose$freefseekmallocmemcpy$fopenfread
String ID: -----BEGIN CERTIFICATE-----$-----BEGIN PRIVATE KEY-----$-----BEGIN RSA PRIVATE KEY-----$-----END CERTIFICATE-----$-----END PRIVATE KEY-----$-----END RSA PRIVATE KEY-----$AES$DES$Proc-Type
API String ID: 2511635278-3331026054
Opcode ID: 0625b4b3e10c662d94f6aa3efc5f993f840230278a3a7afb6e35378b699bb929
Instruction ID: 06edf912bd889ffcaba2f9a4d916694d605f8109571f26fba2d413c4cecf1970
Opcode Fuzzy Hash: 0625b4b3e10c662d94f6aa3efc5f993f840230278a3a7afb6e35378b699bb929
Instruction Fuzzy Hash: 6DC15F71D04209ABDB10DFA5DD45BDE7BB8AB04714F208166FA04B72C1D738AA458FA9

Function 00406096 Relevance: 75.5, APIs: 9, Strings: 34, Instructions: 260stringnetworkCOMMON

Download Yara Rule

APIs

Part of subcall function 004047A4: memcmp.MSVCRT(?,00000000,?,00000000,00000000,?,?,?,00000000,00000000,00000000,00000000,?,?), ref: 004047E6

htons.WS2_32(?), ref: 0040612C
inet_ntoa.WS2_32(?), ref: 00406158
strrchr.MSVCRT ref: 00406191
strrchr.MSVCRT ref: 0040619B
getenv.MSVCRT ref: 0040625B
getenv.MSVCRT ref: 00406276
getenv.MSVCRT ref: 00406291
getenv.MSVCRT ref: 004062AC
toupper.MSVCRT ref: 00406327

Strings

SYSTEMROOT, xrefs: 0040628C
%.*s, xrefs: 00406364
PATH_TRANSLATED=%s, xrefs: 004061CE
CONTENT_LENGTH=%s, xrefs: 00406242
COMSPEC, xrefs: 00406271
PERLLIB, xrefs: 004062A7
PATH, xrefs: 00406256
HTTP_%s=%s, xrefs: 00406302
REDIRECT_STATUS=200, xrefs: 00406115
Content-Type, xrefs: 004061FE
GATEWAY_INTERFACE=CGI/1.1, xrefs: 004060FA
REQUEST_URI=%s, xrefs: 0040617B
PATH=%s, xrefs: 00406263
SYSTEMROOT=%s, xrefs: 00406299
SERVER_ROOT=%.*s, xrefs: 004060D9
REMOTE_USER=%s, xrefs: 004062CC
DOCUMENT_ROOT=%.*s, xrefs: 004060EA
PUT, xrefs: 0040609C
QUERY_STRING=%s, xrefs: 00406224
off, xrefs: 004061E3, 004061EF
PERLLIB=%s, xrefs: 004062B6
SCRIPT_NAME=%.*s%s, xrefs: 004061B2
SERVER_PORT=%d, xrefs: 00406136
SERVER_PROTOCOL=HTTP/1.1, xrefs: 00406106
HTTPS=%s, xrefs: 004061F0
REMOTE_PORT=%d, xrefs: 0040616D
REQUEST_METHOD=%s, xrefs: 00406144
CONTENT_TYPE=%s, xrefs: 0040620E
SERVER_NAME=%s, xrefs: 004060C8
Content-Length, xrefs: 00406232
AUTH_TYPE=Digest, xrefs: 004062D7
SCRIPT_FILENAME=%s, xrefs: 004061C0
COMSPEC=%s, xrefs: 0040627E
REMOTE_ADDR=%s, xrefs: 0040615F

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: getenv$strrchr$htonsinet_ntoamemcmptoupper
String ID: %.*s$AUTH_TYPE=Digest$COMSPEC$COMSPEC=%s$CONTENT_LENGTH=%s$CONTENT_TYPE=%s$Content-Length$Content-Type$DOCUMENT_ROOT=%.*s$GATEWAY_INTERFACE=CGI/1.1$HTTPS=%s$HTTP_%s=%s$PATH$PATH=%s$PATH_TRANSLATED=%s$PERLLIB$PERLLIB=%s$PUT$QUERY_STRING=%s$REDIRECT_STATUS=200$REMOTE_ADDR=%s$REMOTE_PORT=%d$REMOTE_USER=%s$REQUEST_METHOD=%s$REQUEST_URI=%s$SCRIPT_FILENAME=%s$SCRIPT_NAME=%.*s%s$SERVER_NAME=%s$SERVER_PORT=%d$SERVER_PROTOCOL=HTTP/1.1$SERVER_ROOT=%.*s$SYSTEMROOT$SYSTEMROOT=%s$off
API String ID: 2682622969-2207420381
Opcode ID: d41ee1b85019d6e4a25e2537261692bf93959dffc74d76a611ff6d55b3fb199b
Instruction ID: b0a25b9eb5586ebf6524b6ddf73e8a91bb3a14c26a3d2b7d1985fad6d9e0b155
Opcode Fuzzy Hash: d41ee1b85019d6e4a25e2537261692bf93959dffc74d76a611ff6d55b3fb199b
Instruction Fuzzy Hash: 4681B2B1A402017FEB017BA58C82EBB7778AF54714B11403FFD16B21C2D77CA961A6AD

Function 0040A4A5 Relevance: 70.7, APIs: 1, Strings: 46, Instructions: 157stringCOMMON

Download Yara Rule

APIs

strncpy.MSVCRT ref: 0040A6D6

Strings

peer subject name mismatch, xrefs: 0040A5F0
premaster secret version mismatch error, xrefs: 0040A614
error during decryption, xrefs: 0040A578
record layer version error, xrefs: 0040A620
verify mac problem, xrefs: 0040A50C
unsupported cipher suite, xrefs: 0040A4DC
verify problem on finished, xrefs: 0040A500
parse error on header, xrefs: 0040A518
handshake layer not ready yet, complete first, xrefs: 0040A608
unknown type in record hdr, xrefs: 0040A56C
out of memory, xrefs: 0040A4F4
verify problem based on signature, xrefs: 0040A650
error during encryption, xrefs: 0040A590
malformed buffer input error, xrefs: 0040A638
gettimeofday() error, xrefs: 0040A68F
build message failure, xrefs: 0040A5D8
need peer's key, xrefs: 0040A5A8
error during rsa priv op, xrefs: 0040A5C0
client hello malformed, xrefs: 0040A5E4
zlib init error, xrefs: 0040A674
psk server hint error, xrefs: 0040A662
don't have enough data to complete task, xrefs: 0040A560
expected data, not there, xrefs: 0040A554
non-blocking socket wants data to be read, xrefs: 0040A5FC
bad index to key rounds, xrefs: 0040A4E8
revcd alert fatal error, xrefs: 0040A584
getitimer() error, xrefs: 0040A698
psk key callback error, xrefs: 0040A66B
cant decode peer key, xrefs: 0040A6BC
psk client identity error, xrefs: 0040A659
error state on socket, xrefs: 0040A548
non-blocking socket write buffer full, xrefs: 0040A62C
weird handshake type, xrefs: 0040A53C
fread problem, xrefs: 0040A59C
peer sent close notify alert, xrefs: 0040A6C5
setitimer() error, xrefs: 0040A6AA
can't match cipher suite, xrefs: 0040A5CC
zlib decompress error, xrefs: 0040A686
record layer length error, xrefs: 0040A6B3
unknown error number, xrefs: 0040A6CE
sigaction() error, xrefs: 0040A6A1
need the private key, xrefs: 0040A5B4
verify problem on certificate, xrefs: 0040A644
peer didn't send cert, xrefs: 0040A530
zlib compress error, xrefs: 0040A67D
wrong client/server type, xrefs: 0040A524

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: strncpy
String ID: bad index to key rounds$build message failure$can't match cipher suite$cant decode peer key$client hello malformed$don't have enough data to complete task$error during decryption$error during encryption$error during rsa priv op$error state on socket$expected data, not there$fread problem$getitimer() error$gettimeofday() error$handshake layer not ready yet, complete first$malformed buffer input error$need peer's key$need the private key$non-blocking socket wants data to be read$non-blocking socket write buffer full$out of memory$parse error on header$peer didn't send cert$peer sent close notify alert$peer subject name mismatch$premaster secret version mismatch error$psk client identity error$psk key callback error$psk server hint error$record layer length error$record layer version error$revcd alert fatal error$setitimer() error$sigaction() error$unknown error number$unknown type in record hdr$unsupported cipher suite$verify mac problem$verify problem based on signature$verify problem on certificate$verify problem on finished$weird handshake type$wrong client/server type$zlib compress error$zlib decompress error$zlib init error
API String ID: 3301158039-364039421
Opcode ID: e6f1fa37ab2957cf8300f6eff9de2c7fbf376bd373020a0a0dc7b613a64dbda1
Instruction ID: e7a1c5c8748af2ae978f75a9bd96f1b358aa4c47acd9aa4faaa42a1dadc513c3
Opcode Fuzzy Hash: e6f1fa37ab2957cf8300f6eff9de2c7fbf376bd373020a0a0dc7b613a64dbda1
Instruction Fuzzy Hash: 9F41F478FC8B14B2E1240541AD07FAB66661714FC2F7849637B967DAC042FE62A3380F

Function 0040D1B0 Relevance: 58.6, APIs: 1, Strings: 38, Instructions: 126stringCOMMON

Download Yara Rule

APIs

strncpy.MSVCRT ref: 0040D36E

Strings

ASN version error, invalid number, xrefs: 0040D2C4
ASN oid error, unknown sum id, xrefs: 0040D303
ASN parsing error, invalid input, xrefs: 0040D2B8
ASN input error, not enough data, xrefs: 0040D339
reading random device error, xrefs: 0040D1E0
ASN bit string error, wrong id, xrefs: 0040D2FA
mp_read error state, xrefs: 0040D21C
mp_init error state, xrefs: 0040D210
ASN date error, current date after, xrefs: 0040D31E
mp_to_xxx error state, can't convert, xrefs: 0040D234
windows crypt generation error, xrefs: 0040D1F8
ASN sig error, unsupported hash type, xrefs: 0040D34B
ASN object id error, invalid id, xrefs: 0040D2DC
mp_mod error state, can't mod, xrefs: 0040D270
windows crypt init error, xrefs: 0040D1EC
ASN sig error, unsupported key type, xrefs: 0040D354
ASN tag error, not null, xrefs: 0040D2E8
ASN expect error, not zero, xrefs: 0040D2F1
opening random device error, xrefs: 0040D1D4
ASN sig error, confirm failure, xrefs: 0040D342
mp_sub error state, can't subtract, xrefs: 0040D240
RSA buffer error, output too small or input too big, xrefs: 0040D2AC
RSA wrong block type for RSA function, xrefs: 0040D2A0
ASN date error, current date before, xrefs: 0040D315
mp_cmp error state, xrefs: 0040D288
ASN date error, bad size, xrefs: 0040D30C
out of memory error, xrefs: 0040D294
ASN signature error, mismatched oid, xrefs: 0040D327
mp_exptmod error state, xrefs: 0040D228
unknown error number, xrefs: 0040D366
ASN key init error, invalid input, xrefs: 0040D35D
random device read would block error, xrefs: 0040D204
ASN time error, unkown time type, xrefs: 0040D330
ASN get big int error, invalid data, xrefs: 0040D2D0
mp_mulmod error state, can't multiply mod, xrefs: 0040D264
mp_add error state, can't add, xrefs: 0040D24C
mp_mul error state, can't multiply, xrefs: 0040D258
mp_invmod error state, can't inv mod, xrefs: 0040D27C

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: strncpy
String ID: ASN bit string error, wrong id$ASN date error, bad size$ASN date error, current date after$ASN date error, current date before$ASN expect error, not zero$ASN get big int error, invalid data$ASN input error, not enough data$ASN key init error, invalid input$ASN object id error, invalid id$ASN oid error, unknown sum id$ASN parsing error, invalid input$ASN sig error, confirm failure$ASN sig error, unsupported hash type$ASN sig error, unsupported key type$ASN signature error, mismatched oid$ASN tag error, not null$ASN time error, unkown time type$ASN version error, invalid number$RSA buffer error, output too small or input too big$RSA wrong block type for RSA function$mp_add error state, can't add$mp_cmp error state$mp_exptmod error state$mp_init error state$mp_invmod error state, can't inv mod$mp_mod error state, can't mod$mp_mul error state, can't multiply$mp_mulmod error state, can't multiply mod$mp_read error state$mp_sub error state, can't subtract$mp_to_xxx error state, can't convert$opening random device error$out of memory error$random device read would block error$reading random device error$unknown error number$windows crypt generation error$windows crypt init error
API String ID: 3301158039-3443631539
Opcode ID: 5b72e3aba17b383f0d558ece8212d05e6e90c0cc42f884a62ec52b624125e9ff
Instruction ID: 1975c9eabfe9b03da948abcedc8dfc902c2944fa7a18c90636db9a8dd2115001
Opcode Fuzzy Hash: 5b72e3aba17b383f0d558ece8212d05e6e90c0cc42f884a62ec52b624125e9ff
Instruction Fuzzy Hash: 3E31CD38BCCF44B1E12405A65D23FAAA6516722F07FB0C9237F16BA0D191FD609A6C5F

Function 00405989 Relevance: 49.3, APIs: 19, Strings: 9, Instructions: 252stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406096: htons.WS2_32(?), ref: 0040612C
Part of subcall function 00406096: inet_ntoa.WS2_32(?), ref: 00406158
Part of subcall function 00406096: strrchr.MSVCRT ref: 00406191
Part of subcall function 00406096: strrchr.MSVCRT ref: 0040619B

strrchr.MSVCRT ref: 004059CD
_pipe.MSVCRT ref: 00405A24
_pipe.MSVCRT ref: 00405A3B
_fdopen.MSVCRT ref: 00405A86
_fdopen.MSVCRT ref: 00405A9D
setbuf.MSVCRT ref: 00405AB7
setbuf.MSVCRT ref: 00405ABE
strcmp.MSVCRT ref: 00405AD0
_close.MSVCRT ref: 00405C4F
_close.MSVCRT ref: 00405C5B
fclose.MSVCRT ref: 00405C6D
fclose.MSVCRT ref: 00405C86

Part of subcall function 00405C9C: TerminateProcess.KERNEL32(000000FF,000000FF,00405C3F,000000FF,00000000), ref: 00405CA4
Part of subcall function 00405C9C: CloseHandle.KERNEL32(?), ref: 00405CAE

_close.MSVCRT ref: 00405C7A
_close.MSVCRT ref: 00405C93

Strings

%s: %s, xrefs: 00405B9B
HTTP/1.1 %d OK, xrefs: 00405B74
PUT, xrefs: 00405A05
., xrefs: 004059EA
Status, xrefs: 00405B55
fopen: %s, xrefs: 00405C01
POST, xrefs: 00405AC8
Cannot create CGI pipe: %s, xrefs: 00405C16
CGI program sent malformed HTTP headers: [%.*s], xrefs: 00405B1D

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: _close$strrchr$_fdopen_pipefclosesetbuf$CloseHandleProcessTerminatehtonsinet_ntoastrcmp
String ID: %s: %s$.$CGI program sent malformed HTTP headers: [%.*s]$Cannot create CGI pipe: %s$HTTP/1.1 %d OK$POST$PUT$Status$fopen: %s
API String ID: 886371925-1420429565
Opcode ID: a955a8f615620f707e8ab418eae0642e0079c25be4419ce2ce445c2cbda1678d
Instruction ID: 89ca7185bf190e9658fff9592c8cab39169cbb7ab8633a9bfa65a5190be44952
Opcode Fuzzy Hash: a955a8f615620f707e8ab418eae0642e0079c25be4419ce2ce445c2cbda1678d
Instruction Fuzzy Hash: 7C916C71C04619AADF119FA4CC45AEF7BB8EF04725F20426BF528B21D0D7789A818F99

Function 004043ED Relevance: 49.3, APIs: 11, Strings: 17, Instructions: 251stringCOMMON

Download Yara Rule

APIs

strchr.MSVCRT ref: 00404401
strlen.MSVCRT ref: 0040441A
strstr.MSVCRT ref: 0040447F
strcmp.MSVCRT ref: 004044BF
strcmp.MSVCRT ref: 004044D2
strcmp.MSVCRT ref: 004044FF
GetLastError.KERNEL32(?,00000000), ref: 0040455C
strerror.MSVCRT ref: 00404563

Strings

HTTP/1.1 301 Moved PermanentlyLocation: %s/, xrefs: 004045CD
GET, xrefs: 00404663
PUT, xrefs: 004044B6, 004044BB, 004044FB
.htpasswd, xrefs: 00404479
Not Implemented, xrefs: 0040467E
DELETE, xrefs: 004044CA, 0040451C
remove(%s): %s, xrefs: 00404571
Method %s is not implemented, xrefs: 00404679
Directory Listing Denied, xrefs: 00404628
Forbidden, xrefs: 00404490
yes, xrefs: 00404600
POST, xrefs: 00404650
Access Forbidden, xrefs: 0040448B
Not Modified, xrefs: 004046DD
Not Found, xrefs: 004044A5, 004044AA, 004044AB, 004045AD
File not found, xrefs: 004045A3
Directory listing denied, xrefs: 00404623

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: strcmp$ErrorLaststrchrstrerrorstrlenstrstr
String ID: .htpasswd$Access Forbidden$DELETE$Directory Listing Denied$Directory listing denied$File not found$Forbidden$GET$HTTP/1.1 301 Moved PermanentlyLocation: %s/$Method %s is not implemented$Not Found$Not Implemented$Not Modified$POST$PUT$remove(%s): %s$yes
API String ID: 3052132889-2522122181
Opcode ID: 2f47bf66a04e6effec4fc2ec711b0a34e01662a363c8bf4cea31b8b66c235e8a
Instruction ID: 2276f47d087f3cec3993cb5c19a9260cadb13ee9470fbdf07f3126a1a2beec67
Opcode Fuzzy Hash: 2f47bf66a04e6effec4fc2ec711b0a34e01662a363c8bf4cea31b8b66c235e8a
Instruction Fuzzy Hash: 6D7106F1540615BBE721A6A1CC42EEB77ACAF46308F10443BF705B21D1E77CDA828A6D

Function 00405CB9 Relevance: 47.4, APIs: 19, Strings: 8, Instructions: 172processfilestringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00405CD0
memset.MSVCRT ref: 00405CDC
GetCurrentProcess.KERNEL32(?,?,?,?,7633BBC0,00000200), ref: 00405CF2
_get_osfhandle.MSVCRT ref: 00405D10
DuplicateHandle.KERNEL32(?,00000000,?,?,?,7633BBC0,00000200), ref: 00405D1D
_get_osfhandle.MSVCRT ref: 00405D2E
DuplicateHandle.KERNEL32(?,00000000,?,?,7633BBC0,00000200), ref: 00405D35
fopen.MSVCRT ref: 00405D5D
fgets.MSVCRT ref: 00405D7D
strlen.MSVCRT ref: 00405D9F
_isctype.MSVCRT ref: 00405DC6
fclose.MSVCRT ref: 00405DF3
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,00000200,00000000,?,?,?), ref: 00405E51
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,7633BBC0,00000200), ref: 00405E5B
_close.MSVCRT ref: 00405E8B
_close.MSVCRT ref: 00405E90
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,7633BBC0,00000200), ref: 00405E9D
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,7633BBC0,00000200), ref: 00405EA2
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,7633BBC0,00000200), ref: 00405EA7

Strings

line 1149, xrefs: 00405E69
HA, xrefs: 00405E02
lZ@, xrefs: 00405E13, 00405E40
#, xrefs: 00405D86
%s: CreateProcess(%s): %d, xrefs: 00405E6E
!, xrefs: 00405D8F
%s%s%s%c%s, xrefs: 00405E18
lZ@, xrefs: 00405CFF, 00405D09

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: Handle$Close$DuplicateProcess_close_get_osfhandlememset$CreateCurrentErrorLast_isctypefclosefgetsfopenstrlen
String ID: !$#$%s%s%s%c%s$%s: CreateProcess(%s): %d$HA$lZ@$lZ@$line 1149
API String ID: 169626730-1423124989
Opcode ID: c038794c2cd251ca563de7eec8b3eb6590880ea42219e39299bfd52d1f518da8
Instruction ID: 633f74d37b786cf605677604e4736b3c9370b51969d049de13626e66391ad64f
Opcode Fuzzy Hash: c038794c2cd251ca563de7eec8b3eb6590880ea42219e39299bfd52d1f518da8
Instruction Fuzzy Hash: 68518DB2944218BFDB119F90DC89EEF7B78EF04315F104066FA05A6291D6799E848FA8

Function 004022F4 Relevance: 42.1, APIs: 14, Strings: 10, Instructions: 117stringnetworkCOMMON

Download Yara Rule

APIs

gethostbyname.WS2_32(?), ref: 0040232D
GetLastError.KERNEL32 ref: 00402339
strerror.MSVCRT ref: 00402340
socket.WS2_32(00000002,00000001,00000000), ref: 00402367
GetLastError.KERNEL32 ref: 00402374
strerror.MSVCRT ref: 0040237B

Part of subcall function 00401E9E: _vsnprintf.MSVCRT ref: 00401EBC
Part of subcall function 00401E9E: time.MSVCRT(00000000,00000200,?,0041C478,00000000,00000002), ref: 00401F06
Part of subcall function 00401E9E: inet_ntoa.WS2_32(?), ref: 00401F15
Part of subcall function 00401E9E: fprintf.MSVCRT ref: 00401F29
Part of subcall function 00401E9E: fprintf.MSVCRT ref: 00401F3F
Part of subcall function 00401E9E: fprintf.MSVCRT ref: 00401F51
Part of subcall function 00401E9E: fputc.MSVCRT ref: 00401F56
Part of subcall function 00401E9E: fclose.MSVCRT ref: 00401F6D

Strings

%s: calloc: %s, xrefs: 00402424
%s: SSL is not initialized, xrefs: 00402317
line 1543, xrefs: 0040234A
line 1545, xrefs: 00402382
line 1555, xrefs: 0040241F
%s: socket: %s, xrefs: 00402387
%s: gethostbyname(%s): %s, xrefs: 0040234F
line 1551, xrefs: 004023DE
%s: connect(%s:%d): %s, xrefs: 004023E3
line 1541, xrefs: 00402312

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: fprintf$ErrorLaststrerror$_vsnprintffclosefputcgethostbynameinet_ntoasockettime
String ID: %s: SSL is not initialized$%s: calloc: %s$%s: connect(%s:%d): %s$%s: gethostbyname(%s): %s$%s: socket: %s$line 1541$line 1543$line 1545$line 1551$line 1555
API String ID: 22702776-2137221567
Opcode ID: 560963c9d139f978dd6e1ff3042e4a1d32f833f8f76a1e109bb17086254c2ea0
Instruction ID: 13a1a414ae75e44cd5ce26621fc4a298a2e9c8f23a9d3a71ea5778f7affc2ebb
Opcode Fuzzy Hash: 560963c9d139f978dd6e1ff3042e4a1d32f833f8f76a1e109bb17086254c2ea0
Instruction Fuzzy Hash: 50419471584215BFDB006F64DD8DADB3738BF15705B008076FE06B62E1E7B989418BAD

Function 00407332 Relevance: 38.8, APIs: 15, Strings: 7, Instructions: 292fileCOMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00407398
fopen.MSVCRT ref: 004073AC
fseek.MSVCRT ref: 004073C8
ftell.MSVCRT ref: 004073CB
fseek.MSVCRT ref: 004073D8
malloc.MSVCRT ref: 004073DB

Strings

AES-192-CBC, xrefs: 00407595
`3@, xrefs: 00407682, 00407638, 00407658, 00407620, 004074EF, 00407608, 004075C5, 0040757D, 00407538, 004074D9, 00407395
DES-EDE3-CBC, xrefs: 0040750A
MD5, xrefs: 00407486
AES-128-CBC, xrefs: 0040754D
AES-256-CBC, xrefs: 004075D4
DES-CBC, xrefs: 004074AB

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: fseek$fopenfreeftellmalloc
String ID: AES-128-CBC$AES-192-CBC$AES-256-CBC$DES-CBC$DES-EDE3-CBC$MD5$`3@
API String ID: 3333732893-1192020056
Opcode ID: 484ba6a3c57c02b6c9866958ad81eedde6b879c02128f73b4e2a3efe078c56bd
Instruction ID: 9cac7e081f9dac57fbd914f346ab4ae59a965c0f17a9787744fdf5cf22731d1a
Opcode Fuzzy Hash: 484ba6a3c57c02b6c9866958ad81eedde6b879c02128f73b4e2a3efe078c56bd
Instruction Fuzzy Hash: 0CA15672D04219BACF11DBE4CC45FDEBB7CAB08314F1005A7F505B2190EB79AA94DB6A

Function 00404DA1 Relevance: 38.7, APIs: 10, Strings: 12, Instructions: 197stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040501B: SetLastError.KERNEL32(00000008), ref: 00405031

GetLastError.KERNEL32(00000000,00000000,00000000,PUT), ref: 00404DCB
strerror.MSVCRT ref: 00404DD2
strcmp.MSVCRT ref: 00404E51
strcmp.MSVCRT ref: 00404E64
strcmp.MSVCRT ref: 00404E7B
realloc.MSVCRT ref: 00404EA6
memset.MSVCRT ref: 00404EFF

Strings

a, xrefs: 00404E22
<html><head><title>Index of %s</title><style>th {text-align: left;}</style></head><body><h1>Index of %s</h1><pre><table cellpadding="0"><tr><th><a href="?n%c">Name</a></th><th><a href="?d%c">Modified</a></th><th><a href="?s%c">Size</a></th></tr><tr><td colspan, xrefs: 00404F49
Error: opendir(%s): %s, xrefs: 00404DE0
PUT, xrefs: 00404DAA
.htpasswd, xrefs: 00404E73
, xrefs: 00404F17
Parent directory, xrefs: 00404F62
HTTP/1.1 200 OKConnection: closeContent-Type: text/html; charset=utf-8, xrefs: 00404E02
Error: cannot allocate memory, xrefs: 00404FFC
Cannot open directory, xrefs: 00404DE5, 00405006
%s%c%s, xrefs: 00404ECA
<tr><td><a href="%s%s">%s</a></td><td> %s</td><td>  %s</td></tr>, xrefs: 00404F71

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: strcmp$ErrorLast$memsetreallocstrerror
String ID: $%s%c%s$.htpasswd$<html><head><title>Index of %s</title><style>th {text-align: left;}</style></head><body><h1>Index of %s</h1><pre><table cellpadding="0"><tr><th><a href="?n%c">Name</a></th><th><a href="?d%c">Modified</a></th><th><a href="?s%c">Size</a></th></tr><tr><td colspan$<tr><td><a href="%s%s">%s</a></td><td> %s</td><td>  %s</td></tr>$Cannot open directory$Error: cannot allocate memory$Error: opendir(%s): %s$HTTP/1.1 200 OKConnection: closeContent-Type: text/html; charset=utf-8$PUT$Parent directory$a
API String ID: 3308412080-3775122214
Opcode ID: 8e276271ea34854413d26fbdec08550129e747bb9f1708f68fca426b4be5fbb7
Instruction ID: 0a049c7bb59596c2ac837f000157fc62c0ef18580605723adf4420b4e97d06e7
Opcode Fuzzy Hash: 8e276271ea34854413d26fbdec08550129e747bb9f1708f68fca426b4be5fbb7
Instruction Fuzzy Hash: F66194B1940209BFDF11AF65CC42ADFBBB5EF44304F24806BF914B2291D7789A909F99

Function 00402F6B Relevance: 35.2, APIs: 16, Strings: 4, Instructions: 179stringCOMMON

Download Yara Rule

APIs

_snprintf.MSVCRT ref: 00402FA4
fclose.MSVCRT ref: 00402FBD
_errno.MSVCRT ref: 00402FD6
strerror.MSVCRT ref: 00402FDE

Part of subcall function 00401F9F: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,0041C478,000000FF,?,00000014,00000000,?,00000104), ref: 00401FCE
Part of subcall function 00401F9F: _wfopen.MSVCRT ref: 00401FDF

_errno.MSVCRT ref: 00403001
strerror.MSVCRT ref: 00403009
fgets.MSVCRT ref: 00403043
sscanf.MSVCRT ref: 0040307E
strcmp.MSVCRT ref: 00403096
strcmp.MSVCRT ref: 004030AB
fprintf.MSVCRT ref: 004030E1
fprintf.MSVCRT ref: 004030F7

Part of subcall function 00403194: MoveFileW.KERNEL32(?,?), ref: 004031D1

fgets.MSVCRT ref: 0040310B
fprintf.MSVCRT ref: 0040314B
fclose.MSVCRT ref: 00403159
fclose.MSVCRT ref: 0040315E

Strings

%[^:]:%[^:]:%*s, xrefs: 00403078
%s:%s:%s, xrefs: 00403059, 004030DD, 00403147
Cannot open %s: %s, xrefs: 00403018
%s.tmp, xrefs: 00402F99

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: fclosefprintf$_errnofgetsstrcmpstrerror$ByteCharFileMoveMultiWide_snprintf_wfopensscanf
String ID: %[^:]:%[^:]:%*s$%s.tmp$%s:%s:%s$Cannot open %s: %s
API String ID: 1040975815-1398897490
Opcode ID: 686b21a836f19e691594bdc839e4b1e0711da7fcfcb99ff99a34cea6997bddd1
Instruction ID: 925f406cee9d15ba0998cdf605ae857f8100d02fff854eb34d00fbe5eddc56b1
Opcode Fuzzy Hash: 686b21a836f19e691594bdc839e4b1e0711da7fcfcb99ff99a34cea6997bddd1
Instruction Fuzzy Hash: 31514772901219BFDF11AFA0DD45EEE7B7CEF08355F104066F904A21A0E739AB549BA8

Function 00404B7B Relevance: 35.2, APIs: 12, Strings: 8, Instructions: 161stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00404BC8
_isctype.MSVCRT ref: 00404BE3
strlen.MSVCRT ref: 00404C2C
strlen.MSVCRT ref: 00404C3A
strlen.MSVCRT ref: 00404C4D
strcmp.MSVCRT ref: 00404C68
strcmp.MSVCRT ref: 00404C7D
strcmp.MSVCRT ref: 00404C96
strcmp.MSVCRT ref: 00404CAF
strcmp.MSVCRT ref: 00404CC8
strcmp.MSVCRT ref: 00404CE1
strcmp.MSVCRT ref: 00404CFA

Strings

response, xrefs: 00404C90
cnonce, xrefs: 00404C77
Digest , xrefs: 00404B99
uri, xrefs: 00404CA9
nonce, xrefs: 00404CF4
Authorization, xrefs: 00404B80
qop, xrefs: 00404CC2
username, xrefs: 00404C62

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: strcmp$strlen$_isctypememset
String ID: Authorization$Digest $cnonce$nonce$qop$response$uri$username
API String ID: 565432818-1180773434
Opcode ID: c31579c72db72d49b7f2849db31089ed999bd7f77b81f65a8f068daf0d92c2d6
Instruction ID: e679fb6d81753edb72cde198fad3ba71fcf6ffb8778a7efc634d105b1d4472bc
Opcode Fuzzy Hash: c31579c72db72d49b7f2849db31089ed999bd7f77b81f65a8f068daf0d92c2d6
Instruction Fuzzy Hash: CD418CF1549311BBE7119BA19D01BAE77689F85718B31007FF601BA2C2EB7CE941879C

Function 004053BF Relevance: 31.7, APIs: 10, Strings: 8, Instructions: 168stringCOMMON

Download Yara Rule

APIs

time.MSVCRT(00000000,00000000,00000000,PUT), ref: 004053D4

Part of subcall function 004055CB: strlen.MSVCRT ref: 004055D7

Part of subcall function 00401F9F: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,0041C478,000000FF,?,00000014,00000000,?,00000104), ref: 00401FCE
Part of subcall function 00401F9F: _wfopen.MSVCRT ref: 00401FDF

GetLastError.KERNEL32(?,0041D694,?,?,?), ref: 00405421
strerror.MSVCRT ref: 00405428
fseek.MSVCRT ref: 00405493
localtime.MSVCRT(00000000,?,Range,?,0041D694,?,?,?), ref: 00405502
strftime.MSVCRT ref: 00405517
localtime.MSVCRT(00000010), ref: 00405524
strftime.MSVCRT ref: 00405539

Strings

Content-Range: bytes %I64d-%I64d/%I64d, xrefs: 004054E6
%a, %d %b %Y %H:%M:%S %Z, xrefs: 00405509, 0040552B
PUT, xrefs: 004053C8
HTTP/1.1 %d %sDate: %sLast-Modified: %sEtag: "%s"Content-Type: %.*sContent-Length: %I64dConnection: %sAccept-Ranges: bytes%s, xrefs: 0040558E
fopen(%s): %s, xrefs: 00405432
HEAD, xrefs: 00405599
%lx.%lx, xrefs: 0040554D
Range, xrefs: 00405450

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: localtimestrftime$ByteCharErrorLastMultiWide_wfopenfseekstrerrorstrlentime
String ID: %a, %d %b %Y %H:%M:%S %Z$%lx.%lx$Content-Range: bytes %I64d-%I64d/%I64d$HEAD$HTTP/1.1 %d %sDate: %sLast-Modified: %sEtag: "%s"Content-Type: %.*sContent-Length: %I64dConnection: %sAccept-Ranges: bytes%s$PUT$Range$fopen(%s): %s
API String ID: 2369655464-650397243
Opcode ID: 7987a64adadd334ef35be0e60877aee5dcd1fec68f5c7e0fb0ab34db947e4220
Instruction ID: 5baf913c6f3ccf0b6f5f85429a6d2f5d87d92ec1d7e4190584da1b8e740696b7
Opcode Fuzzy Hash: 7987a64adadd334ef35be0e60877aee5dcd1fec68f5c7e0fb0ab34db947e4220
Instruction Fuzzy Hash: ED511EB1900209BFDF019FA5CC45FDEBBB9EF08304F108066FA09B6150D739A6949F58

Function 00403A8C Relevance: 31.7, APIs: 4, Strings: 14, Instructions: 158COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?, q@,00000004,?,00000001,?,?,?,?,?,?,?,?,?,00407120,?), ref: 00403AB4
sscanf.MSVCRT ref: 00403B06
sscanf.MSVCRT ref: 00403B76
htonl.WS2_32(?), ref: 00403BBA

Strings

line 3394, xrefs: 00403BF6
%s: bad ip address: [%s], xrefs: 00403C61
%s: flag must be + or -: [%s], xrefs: 00403C1B
-, xrefs: 00403B1A
/%d, xrefs: 00403B70
%c%d.%d.%d.%d%n, xrefs: 00403AFB
q@, xrefs: 00403AA7, 00403AAF
%s: subnet must be [+|-]x.x.x.x[/x], xrefs: 00403BFB
%s: bad subnet mask: %d [%s], xrefs: 00403C3E
line 3397, xrefs: 00403C16
line 3405, xrefs: 00403C39
q@, xrefs: 00403AEF, 00403B34, 00403AF2
+, xrefs: 00403BE8
line 3400, xrefs: 00403C5C

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: sscanf$htonlmemcpy
String ID: q@$ q@$%c%d.%d.%d.%d%n$%s: bad ip address: [%s]$%s: bad subnet mask: %d [%s]$%s: flag must be + or -: [%s]$%s: subnet must be [+|-]x.x.x.x[/x]$+$-$/%d$line 3394$line 3397$line 3400$line 3405
API String ID: 359337409-965355043
Opcode ID: a4fbb34e6d32b9ff8a3e1206e17de83256c0cc8ee94067d24eda1260b434a218
Instruction ID: f08b20ad89a365d4353c46ea2b709063bd2c42ae41fc1999f3b94109c030d2ca
Opcode Fuzzy Hash: a4fbb34e6d32b9ff8a3e1206e17de83256c0cc8ee94067d24eda1260b434a218
Instruction Fuzzy Hash: DE518F72D44208AADF11AFA5CC42AEEBF7CAF08306F104137F910F61D1D7799A4186A8

Function 0040686E Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 141stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004047A4: memcmp.MSVCRT(?,00000000,?,00000000,00000000,?,?,?,00000000,00000000,00000000,00000000,?,?), ref: 004047E6

sscanf.MSVCRT ref: 0040689D
sscanf.MSVCRT ref: 004068DB
GetLastError.KERNEL32(?,0041D694), ref: 00406995
strerror.MSVCRT ref: 0040699C

Part of subcall function 0040470C: strlen.MSVCRT ref: 00404716

fclose.MSVCRT ref: 004069FA

Part of subcall function 00401E9E: _vsnprintf.MSVCRT ref: 00401EBC
Part of subcall function 00401E9E: time.MSVCRT(00000000,00000200,?,0041C478,00000000,00000002), ref: 00401F06
Part of subcall function 00401E9E: inet_ntoa.WS2_32(?), ref: 00401F15
Part of subcall function 00401E9E: fprintf.MSVCRT ref: 00401F29
Part of subcall function 00401E9E: fprintf.MSVCRT ref: 00401F3F
Part of subcall function 00401E9E: fprintf.MSVCRT ref: 00401F51
Part of subcall function 00401E9E: fputc.MSVCRT ref: 00401F56
Part of subcall function 00401E9E: fclose.MSVCRT ref: 00401F6D

Strings

Rg@, xrefs: 004069D6, 004069DA
Cannot open SSI #include: [%s]: fopen(%s): %s, xrefs: 004069AD
Bad SSI #include: [%s], xrefs: 00406A04
file="%[^"]", xrefs: 004068D5
"%[^"]", xrefs: 004068FE
%.*s%c%s, xrefs: 004068BC
virtual="%[^"]", xrefs: 00406897

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: fprintf$fclosesscanf$ErrorLast_vsnprintffputcinet_ntoamemcmpstrerrorstrlentime
String ID: "%[^"]"$ file="%[^"]"$ virtual="%[^"]"$%.*s%c%s$Bad SSI #include: [%s]$Cannot open SSI #include: [%s]: fopen(%s): %s$Rg@
API String ID: 3220242722-3770262602
Opcode ID: c6b647496b7e2a028bbc22c3026968deaa3ddcbf300f18b2ba98b7a5114157ed
Instruction ID: a1efbb3680c02e2bff453eaffec654aae7fbdc328293c667888d75324f1fd531
Opcode Fuzzy Hash: c6b647496b7e2a028bbc22c3026968deaa3ddcbf300f18b2ba98b7a5114157ed
Instruction Fuzzy Hash: 5441A9F69002187BCB11EB608C85EDB376C9B55314F1141B7FA06F61C2E678DA948FA5

Function 0040668F Relevance: 24.6, APIs: 6, Strings: 8, Instructions: 146COMMON

Download Yara Rule

APIs

fgetc.MSVCRT ref: 004066C7
memcmp.MSVCRT(?,<!--#,00000005), ref: 00406713
memcmp.MSVCRT(?,include,00000007), ref: 00406731
fgetc.MSVCRT ref: 00406845

Part of subcall function 00401E9E: _vsnprintf.MSVCRT ref: 00401EBC
Part of subcall function 00401E9E: time.MSVCRT(00000000,00000200,?,0041C478,00000000,00000002), ref: 00401F06
Part of subcall function 00401E9E: inet_ntoa.WS2_32(?), ref: 00401F15
Part of subcall function 00401E9E: fprintf.MSVCRT ref: 00401F29
Part of subcall function 00401E9E: fprintf.MSVCRT ref: 00401F3F
Part of subcall function 00401E9E: fprintf.MSVCRT ref: 00401F51
Part of subcall function 00401E9E: fputc.MSVCRT ref: 00401F56
Part of subcall function 00401E9E: fclose.MSVCRT ref: 00401F6D

Strings

<, xrefs: 00406814
<!--#, xrefs: 0040670D, 004067B6
SSI #include level is too deep (%s), xrefs: 004066A4
PUT, xrefs: 0040669C
%s: SSI tag is too large, xrefs: 004067D9
include, xrefs: 0040672B
%s: unknown SSI command: "%s", xrefs: 0040678F
exec, xrefs: 0040675F

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: fprintf$fgetcmemcmp$_vsnprintffclosefputcinet_ntoatime
String ID: %s: SSI tag is too large$%s: unknown SSI command: "%s"$<$<!--#$PUT$SSI #include level is too deep (%s)$exec$include
API String ID: 1741009251-3645676390
Opcode ID: cbc203ae559e5128f1b47167f0e3c4af9c511080d1774e2e2a0a1495936a111b
Instruction ID: c01bd65600cf02c84e4ca60ae2e6fd1c70176a9bd45ccc39fcd109c84131a774
Opcode Fuzzy Hash: cbc203ae559e5128f1b47167f0e3c4af9c511080d1774e2e2a0a1495936a111b
Instruction Fuzzy Hash: 45412BB2D01219AADF10BA60CD45BEE7B689F10348F028077FE16B61D1D2798E658B99

Function 00403E1E Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 136stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00403E34

Part of subcall function 00406BCA: free.MSVCRT ref: 00406BDA

Part of subcall function 00404138: _isctype.MSVCRT ref: 00404166

strcmp.MSVCRT ref: 00403EED
strcmp.MSVCRT ref: 00403F00
strtol.MSVCRT ref: 00403F49

Part of subcall function 004043ED: strchr.MSVCRT ref: 00404401
Part of subcall function 004043ED: strlen.MSVCRT ref: 0040441A
Part of subcall function 004043ED: strstr.MSVCRT ref: 0040447F

time.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000000), ref: 00403F60

Strings

yes, xrefs: 00403E26
1.1, xrefs: 00403EF8
Bad Request, xrefs: 00403F9D
1.0, xrefs: 00403EE5
Request Too Large, xrefs: 00403FD0
Cannot parse HTTP request: [%.*s], xrefs: 00403F98
Content-Length, xrefs: 00403F31
HTTP version not supported, xrefs: 00403F10

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: strcmp$_isctypefreestrchrstrlenstrstrstrtoltime
String ID: 1.0$1.1$Bad Request$Cannot parse HTTP request: [%.*s]$Content-Length$HTTP version not supported$Request Too Large$yes
API String ID: 3210047668-172848610
Opcode ID: 7e703d405dd95234ecde791e90470daef65252fc4b9fa732b02c97d6b0e8fd10
Instruction ID: 89f3a0490ecb325aa62c9d102e1c027504e154a25bcb637ebf64d53d5247bb75
Opcode Fuzzy Hash: 7e703d405dd95234ecde791e90470daef65252fc4b9fa732b02c97d6b0e8fd10
Instruction Fuzzy Hash: 8941E670A45702AEC720BF618C85EA7BBA9AF0130AF20083FF15A711D1DB396A518A5D

Function 00405813 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 130COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00405824
sscanf.MSVCRT ref: 0040585F
sscanf.MSVCRT ref: 00405887
sscanf.MSVCRT ref: 004058AF
sscanf.MSVCRT ref: 004058D7
time.MSVCRT(00000000), ref: 0040592D
localtime.MSVCRT(004046D4), ref: 0040593A
mktime.MSVCRT(?), ref: 0040594A

Strings

%*3s, %d %3s %d %d:%d:%d, xrefs: 004058A9
d, xrefs: 00405927
%d/%3s/%d %d:%d:%d, xrefs: 00405859
%d-%3s-%d %d:%d:%d, xrefs: 004058D1
%d %3s %d %d:%d:%d, xrefs: 00405881

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: sscanf$localtimememsetmktimetime
String ID: %*3s, %d %3s %d %d:%d:%d$%d %3s %d %d:%d:%d$%d-%3s-%d %d:%d:%d$%d/%3s/%d %d:%d:%d$d
API String ID: 2308227440-4021877339
Opcode ID: ba7f1855973b3a0a6b62e520855fe223cbb773b2814d9c847278fb52da3dd56d
Instruction ID: e233cfaf12ee3f62d8292cfd4d7c4490a84b9ab5367e884e92d9af0279f4cd8b
Opcode Fuzzy Hash: ba7f1855973b3a0a6b62e520855fe223cbb773b2814d9c847278fb52da3dd56d
Instruction Fuzzy Hash: 954190B6D0021CABCB11DBD5C885DEFBBBCEB08710F144567E616F2240E634AA85CFA5

Function 00401919 Relevance: 22.8, APIs: 8, Strings: 5, Instructions: 72fileprocessCOMMON

Download Yara Rule

APIs

fopen.MSVCRT ref: 00401933
fclose.MSVCRT ref: 0040193C
fopen.MSVCRT ref: 0040194B
fprintf.MSVCRT ref: 00401962
fprintf.MSVCRT ref: 00401993
fclose.MSVCRT ref: 004019A3
_snprintf.MSVCRT ref: 004019BB
WinExec.KERNEL32(?,00000005), ref: 004019CB

Strings

<value>, xrefs: 00401984, 00401989
# %s %s, xrefs: 0040198D
# Mongoose web server configuration file.# Lines starting with '#' and empty lines are ignored.# For detailed description of every option, visit# http://code.google.com/p/mongoose/wiki/MongooseManual, xrefs: 0040195C
c:\Mongoose\mongoose.conf, xrefs: 00401928, 00401932, 0040194A, 004019AB
notepad.exe %s, xrefs: 004019AC

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: fclosefopenfprintf$Exec_snprintf
String ID: # %s %s$# Mongoose web server configuration file.# Lines starting with '#' and empty lines are ignored.# For detailed description of every option, visit# http://code.google.com/p/mongoose/wiki/MongooseManual$<value>$c:\Mongoose\mongoose.conf$notepad.exe %s
API String ID: 3729112075-1207232489
Opcode ID: 2034fbd226cdbadba671e74a9c6999986974fda3e50559c9fbc882b7d8c389fa
Instruction ID: 3753513ac3c6f0837f2992d5d53ff091845cca147fa0e5b3da4a3c5000533862
Opcode Fuzzy Hash: 2034fbd226cdbadba671e74a9c6999986974fda3e50559c9fbc882b7d8c389fa
Instruction Fuzzy Hash: B2110172984309AFE7102764EC45FE27B6CDB45322F118477FC05A31E0EA7D98488BAD

Function 0040C9FE Relevance: 21.2, APIs: 6, Strings: 8, Instructions: 235COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,00000002,?,?,20746962,?,?,?,?,?,?,?,?,73250000,?), ref: 0040CABB
memcpy.MSVCRT(?,/O=,00000003,?,?,0041C038,?,?,?,00000001,?,?,?,?,0040C836,?), ref: 0040CB6F
memcpy.MSVCRT(?,/OU=,00000004,?,?,0041C038,?,?,?,00000001,?,?,?,?,0040C836,?), ref: 0040CBB6
memcpy.MSVCRT(?,?,0041C038,?,?,0041C038,?,?,?,00000001,?,?,?,?,0040C836,?), ref: 0040CBD3
memcpy.MSVCRT(?,/emailAddress=,0000000E,?,?,?,00000001,?,?,?,?,0040C836,?,00000000,?,?), ref: 0040CC47
memcpy.MSVCRT(?,?,?,?,/emailAddress=,0000000E,?,?,?,00000001,?,?,?,?,0040C836,?), ref: 0040CC61

Strings

/CN=, xrefs: 0040CB49
/ST=, xrefs: 0040CB90
/OU=, xrefs: 0040CBAB
/C=, xrefs: 0040CB64
/O=, xrefs: 0040CB9E
/emailAddress=, xrefs: 0040CC41
/L=, xrefs: 0040CB83
/SN=, xrefs: 0040CB56

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: memcpy
String ID: /C=$/CN=$/L=$/O=$/OU=$/SN=$/ST=$/emailAddress=
API String ID: 3510742995-3781244610
Opcode ID: 66fe7cd7d33252a9df22d45fc2c862b0f0e1074e550771a03dd2c0a38ecc6f3e
Instruction ID: eec6006a7a14da3ac42bb435d593a2175b2dd9abe7681775d92ea7c220317747
Opcode Fuzzy Hash: 66fe7cd7d33252a9df22d45fc2c862b0f0e1074e550771a03dd2c0a38ecc6f3e
Instruction Fuzzy Hash: 6C81B771A04209EBDB10DBA5DCC6FEBB7B8EF15304F10023BE954E7281D339A9558B59

Function 00408099 Relevance: 21.2, APIs: 8, Strings: 6, Instructions: 177stringCOMMON

Download Yara Rule

APIs

strncmp.MSVCRT ref: 004080BF
strncmp.MSVCRT ref: 004080D7
strncmp.MSVCRT ref: 004080F0
memcpy.MSVCRT(00407491,?,00000001,?,?,?,?,?), ref: 004081ED
memcpy.MSVCRT(?,00000001,00000001,?,?,?,?,?), ref: 00408222

Strings

AES-192-CBC, xrefs: 0040811C
DES-EDE3-CBC, xrefs: 004080EA
MD5, xrefs: 004080B7
AES-128-CBC, xrefs: 00408107
AES-256-CBC, xrefs: 00408131
DES-CBC, xrefs: 004080D1

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: strncmp$memcpy
String ID: AES-128-CBC$AES-192-CBC$AES-256-CBC$DES-CBC$DES-EDE3-CBC$MD5
API String ID: 2549481713-1991666797
Opcode ID: dab578d20aae787007d3367acb8d9b5f1aa2e1f13acb87f60d74b30c0de9dea9
Instruction ID: 4da21b7980687ad04be761c49a374ad44bf65784bc340256a40777f49e590189
Opcode Fuzzy Hash: dab578d20aae787007d3367acb8d9b5f1aa2e1f13acb87f60d74b30c0de9dea9
Instruction Fuzzy Hash: D8519072A40209ABDB20DEA5CE45FDF7778AF44714F20443FB944BB1C1EA78DA458B94

Function 00406408 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 98stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004039E1: GetFileAttributesExW.KERNEL32(?,00000000,?,00000000,?,00000104,00000000), ref: 00403A0F
Part of subcall function 004039E1: __aulldiv.LIBCMT ref: 00403A52

Part of subcall function 00406521: strchr.MSVCRT ref: 0040653C
Part of subcall function 00406521: memcpy.MSVCRT(?,00000000,00000000), ref: 00406556

GetLastError.KERNEL32(?,?,?,00000000,00000000,PUT), ref: 00406456
strerror.MSVCRT ref: 0040645D

Strings

wb+, xrefs: 00406483
PUT, xrefs: 0040640E
fopen(%s): %s, xrefs: 004064A4
HTTP/1.1 %d OK, xrefs: 0040643E, 00406502
Content-Range, xrefs: 004064AB
put_dir(%s): %s, xrefs: 00406465

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: AttributesErrorFileLast__aulldivmemcpystrchrstrerror
String ID: Content-Range$HTTP/1.1 %d OK$PUT$fopen(%s): %s$put_dir(%s): %s$wb+
API String ID: 2355206587-3832267214
Opcode ID: af9a72bd29ea63ced43f11305f6f7f22f49207e18c8f90eeab1001ffbe8e006d
Instruction ID: 4f51b300b3a5a71adb1564c1299078f1b5aa9a1f8950bcb9d2dde639eb2796a0
Opcode Fuzzy Hash: af9a72bd29ea63ced43f11305f6f7f22f49207e18c8f90eeab1001ffbe8e006d
Instruction Fuzzy Hash: FD31DFB1840204BBDB01AFA2DC41CEF7BADEF58308B10452BF502B21E1D67886508B6D

Function 00404327 Relevance: 19.6, APIs: 6, Strings: 7, Instructions: 50stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00404332
strcmp.MSVCRT ref: 00404343
strcmp.MSVCRT ref: 00404354
strcmp.MSVCRT ref: 00404365
strcmp.MSVCRT ref: 00404376
strcmp.MSVCRT ref: 00404387

Strings

GET, xrefs: 0040432C
PUT, xrefs: 00404370
<=@, xrefs: 00404328, 00404331, 00404342, 00404353, 00404364, 00404375, 00404386
POST, xrefs: 0040433D
DELETE, xrefs: 00404381
HEAD, xrefs: 0040434E
CONNECT, xrefs: 0040435F

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: strcmp
String ID: <=@$CONNECT$DELETE$GET$HEAD$POST$PUT
API String ID: 1004003707-1120301421
Opcode ID: e1635dfffc2841786f9072f6dcee5a3dcac235695695e976b6e410eb0784f301
Instruction ID: 036bc0aeba7c57b4b9eb2d94cd2764d73116e49e78a166828600b6f22c3ef5eb
Opcode Fuzzy Hash: e1635dfffc2841786f9072f6dcee5a3dcac235695695e976b6e410eb0784f301
Instruction Fuzzy Hash: EDF04FFA75BB2325A134A0A56C03BDB12484F463B9732402FF904B4AD0CA7CC9C2049D

Function 00406AB3 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 78stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00401F9F: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,0041C478,000000FF,?,00000014,00000000,?,00000104), ref: 00401FCE
Part of subcall function 00401F9F: _wfopen.MSVCRT ref: 00401FDF

localtime.MSVCRT(004041F8,?,0041C478,?,?), ref: 00406AEB
strftime.MSVCRT ref: 00406AFD
inet_ntoa.WS2_32(74C08400), ref: 00406B48
fprintf.MSVCRT ref: 00406B55
fputc.MSVCRT ref: 00406B79
fflush.MSVCRT ref: 00406B80
fclose.MSVCRT ref: 00406B87

Strings

%s - %s [%s] "%s %s HTTP/%s" %d %I64d, xrefs: 00406B4F
%d/%b/%Y:%H:%M:%S %z, xrefs: 00406AF2
User-Agent, xrefs: 00406B6B
Referer, xrefs: 00406B5F

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: ByteCharMultiWide_wfopenfclosefflushfprintffputcinet_ntoalocaltimestrftime
String ID: %d/%b/%Y:%H:%M:%S %z$%s - %s [%s] "%s %s HTTP/%s" %d %I64d$Referer$User-Agent
API String ID: 406731650-2090738960
Opcode ID: ca605b9dd49a38241723ceab13e8d76410d3f0be0ef77ea796d9e2c3da8a38ff
Instruction ID: e358d8f61db2daedbb639b80aa4e44a43d31f75799867a7f036013d19bba80dd
Opcode Fuzzy Hash: ca605b9dd49a38241723ceab13e8d76410d3f0be0ef77ea796d9e2c3da8a38ff
Instruction Fuzzy Hash: F721B3B1204710BBDB10AB65DC49EBB7BBDAF88704B01842DF55BD2291D638F8108728

Function 004050FF Relevance: 17.6, APIs: 2, Strings: 8, Instructions: 115stringCOMMON

Download Yara Rule

APIs

localtime.MSVCRT(00404FD1,?,?,?,76337310,00000000,00000104), ref: 004051C4
strftime.MSVCRT ref: 004051D9

Strings

%lu, xrefs: 00405150
[DIRECTORY], xrefs: 00405114
HA, xrefs: 00405200
%.1fk, xrefs: 00405173
%.1fM, xrefs: 00405196
%.1fG, xrefs: 004051AB
%d-%b-%Y %H:%M, xrefs: 004051CB
<tr><td><a href="%s%s%s">%s%s</a></td><td> %s</td><td>  %s</td></tr>, xrefs: 0040522F

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: localtimestrftime
String ID: %.1fG$%.1fM$%.1fk$%d-%b-%Y %H:%M$%lu$<tr><td><a href="%s%s%s">%s%s</a></td><td> %s</td><td>  %s</td></tr>$HA$[DIRECTORY]
API String ID: 1424577559-2610314356
Opcode ID: 4e151a59139893a3dca14552b4f934b433ae60a159c5d92e8ccc55020b1d3953
Instruction ID: cf65dc2ddde2a3ace0d540f488ece434f9f7ecbb6dbb8f512d2ee75809582e52
Opcode Fuzzy Hash: 4e151a59139893a3dca14552b4f934b433ae60a159c5d92e8ccc55020b1d3953
Instruction Fuzzy Hash: 013115B1E00A04BBDB149B95DC45BEB77B9EF08700F10847BF645A6190E77899848F1C

Function 00401E9E Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 76COMMON

Download Yara Rule

APIs

_vsnprintf.MSVCRT ref: 00401EBC

Part of subcall function 00401F9F: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,0041C478,000000FF,?,00000014,00000000,?,00000104), ref: 00401FCE
Part of subcall function 00401F9F: _wfopen.MSVCRT ref: 00401FDF

time.MSVCRT(00000000,00000200,?,0041C478,00000000,00000002), ref: 00401F06
inet_ntoa.WS2_32(?), ref: 00401F15
fprintf.MSVCRT ref: 00401F29
fprintf.MSVCRT ref: 00401F3F
fprintf.MSVCRT ref: 00401F51
fputc.MSVCRT ref: 00401F56
fclose.MSVCRT ref: 00401F6D

Strings

%s %s: , xrefs: 00401F39
[%010lu] [error] [client %s] , xrefs: 00401F23

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: fprintf$ByteCharMultiWide_vsnprintf_wfopenfclosefputcinet_ntoatime
String ID: %s %s: $[%010lu] [error] [client %s]
API String ID: 3083441-1168560208
Opcode ID: aefc8f5e88ccad6ce2f400e6c5f6c1c53bb43ce1f5b037de17076794da5f9477
Instruction ID: c3e367b2c5833ae0a96fa87e4bee82f41e62fdb5037da7f10a95e1f739f5d92d
Opcode Fuzzy Hash: aefc8f5e88ccad6ce2f400e6c5f6c1c53bb43ce1f5b037de17076794da5f9477
Instruction Fuzzy Hash: F521B771644305BBE720AB79DC89FE777BCEF04304F144476F915E22A2E774E9008A68

Function 0040370D Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 88stringnetworkCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040371E
sscanf.MSVCRT ref: 0040374B
sscanf.MSVCRT ref: 0040377C
htonl.WS2_32(00000000), ref: 00403788
strchr.MSVCRT ref: 004037A0
htons.WS2_32(?), ref: 004037DB

Strings

%d.%d.%d.%d:%d%n, xrefs: 00403744
%d%n, xrefs: 00403775
sp,, xrefs: 0040379B

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: sscanf$htonlhtonsmemsetstrchr
String ID: %d%n$%d.%d.%d.%d:%d%n$sp,
API String ID: 1351488546-3207130800
Opcode ID: 83c75d84e1bd344d3d3445a0db5353238d84388dbe654234ba3f122f2ed13db5
Instruction ID: 2ffaa9949a3a6b23c46fd9ed3c5c6b4bcf69d8f25be4d595818b4160695434e4
Opcode Fuzzy Hash: 83c75d84e1bd344d3d3445a0db5353238d84388dbe654234ba3f122f2ed13db5
Instruction Fuzzy Hash: 06314CBA940209ABD711CFA4CC80EEBBBBCEF48311F10846AE915E7190D774AB45CB64

Function 00406A19 Relevance: 14.0, APIs: 5, Strings: 3, Instructions: 49stringCOMMON

Download Yara Rule

APIs

sscanf.MSVCRT ref: 00406A32
_popen.MSVCRT ref: 00406A61
GetLastError.KERNEL32 ref: 00406A6F
strerror.MSVCRT ref: 00406A76

Part of subcall function 00401E9E: _vsnprintf.MSVCRT ref: 00401EBC
Part of subcall function 00401E9E: time.MSVCRT(00000000,00000200,?,0041C478,00000000,00000002), ref: 00401F06
Part of subcall function 00401E9E: inet_ntoa.WS2_32(?), ref: 00401F15
Part of subcall function 00401E9E: fprintf.MSVCRT ref: 00401F29
Part of subcall function 00401E9E: fprintf.MSVCRT ref: 00401F3F
Part of subcall function 00401E9E: fprintf.MSVCRT ref: 00401F51
Part of subcall function 00401E9E: fputc.MSVCRT ref: 00401F56
Part of subcall function 00401E9E: fclose.MSVCRT ref: 00401F6D

Strings

Cannot SSI #exec: [%s]: %s, xrefs: 00406A84
"%[^"]", xrefs: 00406A2A
Bad SSI #exec: [%s], xrefs: 00406A43

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: fprintf$ErrorLast_popen_vsnprintffclosefputcinet_ntoasscanfstrerrortime
String ID: "%[^"]"$Bad SSI #exec: [%s]$Cannot SSI #exec: [%s]: %s
API String ID: 3194429842-19566311
Opcode ID: 8a75b61d93de6ea758b8a3ec6f43006c449b0c1530dab1ae961e506731b07e0d
Instruction ID: 8ac9c01a8730cf46aaf01bbd84f2839ad95485a90cf1337a4b3004bb040d0bb3
Opcode Fuzzy Hash: 8a75b61d93de6ea758b8a3ec6f43006c449b0c1530dab1ae961e506731b07e0d
Instruction Fuzzy Hash: 9E01D876948214BBDB107B50DC09DDA3B3CEF05321F118233FD16B11E1EB3996608AAD

Function 0040216A Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

_isctype.MSVCRT ref: 004021B9
_isctype.MSVCRT ref: 004021EE
tolower.MSVCRT ref: 00402218
tolower.MSVCRT ref: 00402226
_isctype.MSVCRT ref: 00402241
_isctype.MSVCRT ref: 00402275

Strings

2D@, xrefs: 004022A3

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: _isctype$tolower
String ID: 2D@
API String ID: 2917967906-979837821
Opcode ID: dba6eedc6260a1b920bdba40027422d87ae7eaf9795249da1993a1b478eaa078
Instruction ID: c56617d51dc63e33b9062a809599591f15af822dd4bf4ec9e6c2574c0892f7ca
Opcode Fuzzy Hash: dba6eedc6260a1b920bdba40027422d87ae7eaf9795249da1993a1b478eaa078
Instruction Fuzzy Hash: 0451D13110C341DFD3198FA4D988A677BE4AB4A315F1409BEE592A73E1D778E804CB69

Function 00404934 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 84stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00401F9F: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,0041C478,000000FF,?,00000014,00000000,?,00000104), ref: 00401FCE
Part of subcall function 00401F9F: _wfopen.MSVCRT ref: 00401FDF

GetLastError.KERNEL32(?,0041C318,00000000,00000000), ref: 00404964
strerror.MSVCRT ref: 0040496B

Part of subcall function 00401E9E: _vsnprintf.MSVCRT ref: 00401EBC
Part of subcall function 00401E9E: time.MSVCRT(00000000,00000200,?,0041C478,00000000,00000002), ref: 00401F06
Part of subcall function 00401E9E: inet_ntoa.WS2_32(?), ref: 00401F15
Part of subcall function 00401E9E: fprintf.MSVCRT ref: 00401F29
Part of subcall function 00401E9E: fprintf.MSVCRT ref: 00401F3F
Part of subcall function 00401E9E: fprintf.MSVCRT ref: 00401F51
Part of subcall function 00401E9E: fputc.MSVCRT ref: 00401F56
Part of subcall function 00401E9E: fclose.MSVCRT ref: 00401F6D

Strings

.htpasswd, xrefs: 004049A5, 004049E7
fopen(%s): %s, xrefs: 00404976
%s%c%s, xrefs: 004049AD
%.*s%c%s, xrefs: 004049F2

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: fprintf$ByteCharErrorLastMultiWide_vsnprintf_wfopenfclosefputcinet_ntoastrerrortime
String ID: %.*s%c%s$%s%c%s$.htpasswd$fopen(%s): %s
API String ID: 3627448326-3722374166
Opcode ID: 01dde92edbe4183ec00036d300cc64556b9df03bf934aa822907ceff9c5f2fec
Instruction ID: 5cc7c99360e4cd3e937f2c02f4a5ac3393b3536b267bf461f190d5935c371c2e
Opcode Fuzzy Hash: 01dde92edbe4183ec00036d300cc64556b9df03bf934aa822907ceff9c5f2fec
Instruction Fuzzy Hash: 4721C2F1A802197ADB20A6618C47FFB7B6C9B81754F100077FB04B62C1D67CDA418AAD

Function 00404858 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 79stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040365F: strchr.MSVCRT ref: 00403678
Part of subcall function 0040365F: memchr.MSVCRT ref: 004036B4

memcmp.MSVCRT(?,?,?,?,?,00000000,00000000,00000000,00000000), ref: 00404894
_errno.MSVCRT ref: 004048E2
strerror.MSVCRT ref: 004048EA
fclose.MSVCRT ref: 00404924

Strings

line 2137, xrefs: 004048F8
%.*s, xrefs: 004048B7
%s: cannot open %s: %s, xrefs: 004048FD

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: _errnofclosememchrmemcmpstrchrstrerror
String ID: %.*s$%s: cannot open %s: %s$line 2137
API String ID: 3493416221-1352859754
Opcode ID: 2b57ef3cd22d0e7ed5f78827157aaa8046c548069c129a19213280e805f33b25
Instruction ID: 320c7bbb744ce5b03666b36a0ffe133b17fd3384dd7db7db2778a12af42bd3a1
Opcode Fuzzy Hash: 2b57ef3cd22d0e7ed5f78827157aaa8046c548069c129a19213280e805f33b25
Instruction Fuzzy Hash: 7F21D7B2940118BBCB02ABA5CC42DEF777DEF94704F00007AF710B2191EB79DA408769

Function 00406C9A Relevance: 10.6, APIs: 3, Strings: 4, Instructions: 115stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00406CDF
strcmp.MSVCRT ref: 00406D66
free.MSVCRT ref: 00406DD8

Strings

%s: %s, xrefs: 00406D38
%s %s HTTP/%s, xrefs: 00406D1A
POST, xrefs: 00406D5E
CONNECT, xrefs: 00406CD7

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: strcmp$free
String ID: %s %s HTTP/%s$%s: %s$CONNECT$POST
API String ID: 3401341699-164389875
Opcode ID: 3e79bdd37d97035f1466cbb25d492d40baa2bf1b2faecbbcfe4e8a980eff2087
Instruction ID: a2e4c323c497faed5c78c0f1fd1f294f9ff8c61e4a571f2c929ba36fb2d8b983
Opcode Fuzzy Hash: 3e79bdd37d97035f1466cbb25d492d40baa2bf1b2faecbbcfe4e8a980eff2087
Instruction Fuzzy Hash: C341F572200205AFE721AF55CC86FA77BE9EF04304F21447FF685A61A1D779E960CB58

Function 0040C668 Relevance: 10.1, APIs: 8, Instructions: 95COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 0040C69D
memcpy.MSVCRT(00000000,?,?,004076CF,?,004074FB,00000002,00000000,00000000,?,?,?,?,763696C0,00000000), ref: 0040C6B1
malloc.MSVCRT ref: 0040C6D0
memcpy.MSVCRT(00000000,?,?,004076CF,?,004074FB,00000002,00000000,00000000,?,?,?,?,763696C0,00000000), ref: 0040C6E0
malloc.MSVCRT ref: 0040C6FE
memcpy.MSVCRT(00000000,763696C0,?,004076CF,?,004074FB,00000002,00000000,00000000,?,?,?,?,763696C0,00000000), ref: 0040C70D
malloc.MSVCRT ref: 0040C726
memcpy.MSVCRT(00000000,?,?,004076CF,?,004074FB,00000002,00000000,00000000,?,?,?,?,763696C0,00000000), ref: 0040C73B

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: mallocmemcpy
String ID:
API String ID: 4276657696-0
Opcode ID: 88c62f63581244c734dc4a7e7799446ef6b09d0d38fb5ccf2928055f9686e102
Instruction ID: 30cf831c6cb86097104c99d217ca3d7e38f602569a77622842b391dc1d4f76ec
Opcode Fuzzy Hash: 88c62f63581244c734dc4a7e7799446ef6b09d0d38fb5ccf2928055f9686e102
Instruction Fuzzy Hash: D831C272500706AFDB209FAADCC0A57BBE8EF14318F01082EF985D3661D3BAE8148F54

Function 004037F3 Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 117COMMON

Download Yara Rule

APIs

Part of subcall function 0040873C: malloc.MSVCRT ref: 0040873F

Part of subcall function 00407204: malloc.MSVCRT ref: 0040720A

Part of subcall function 00401E9E: _vsnprintf.MSVCRT ref: 00401EBC
Part of subcall function 00401E9E: time.MSVCRT(00000000,00000200,?,0041C478,00000000,00000002), ref: 00401F06
Part of subcall function 00401E9E: inet_ntoa.WS2_32(?), ref: 00401F15
Part of subcall function 00401E9E: fprintf.MSVCRT ref: 00401F29
Part of subcall function 00401E9E: fprintf.MSVCRT ref: 00401F3F
Part of subcall function 00401E9E: fprintf.MSVCRT ref: 00401F51
Part of subcall function 00401E9E: fputc.MSVCRT ref: 00401F56
Part of subcall function 00401E9E: fclose.MSVCRT ref: 00401F6D

malloc.MSVCRT ref: 0040384B

Strings

%s: cannot open %s: %s, xrefs: 004038AC
line 3551, xrefs: 00403865
SSL_CTX_new error: %s, xrefs: 0040382E
%s: cannot allocate mutexes: %s, xrefs: 0040386A
line 3533, xrefs: 004038A7

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: fprintfmalloc$_vsnprintffclosefputcinet_ntoatime
String ID: %s: cannot allocate mutexes: %s$%s: cannot open %s: %s$SSL_CTX_new error: %s$line 3533$line 3551
API String ID: 3593249021-1043004576
Opcode ID: d5477f1af05b84df6b1284a455b9087b55c986238ad56c2a4411734b98a3ff14
Instruction ID: 3fa8b53a9451d537d561b4025e79622436e9ca7e6ae615ab055308e23c93aa7a
Opcode Fuzzy Hash: d5477f1af05b84df6b1284a455b9087b55c986238ad56c2a4411734b98a3ff14
Instruction Fuzzy Hash: F23176B1A4430435D6207FB38C82F6B2E9D9F41B8AF10443FBA41B61C2DABCD641417E

Function 004107A2 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 94COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004107DA
memset.MSVCRT ref: 00410805
memcpy.MSVCRT(00403D74,?,00000004,VD,VD,00000040,00000004,?,?,?,00000018,?,0041C038,?), ref: 00410831
memcpy.MSVCRT(00403D00,FFFFFF1D,00000004,00403D74,?,00000004,VD,VD,00000040,00000004,?,?,?,00000018,?,0041C038), ref: 0041083D
memcpy.MSVCRT(00000004,?,00000014,?,?,?,?,?,VD,VD,00000040,00000004), ref: 0041086E

Strings

VD, xrefs: 004107E6, 004107E7, 0041081A, 0041081E

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: memcpy$memset
String ID: VD
API String ID: 438689982-297103433
Opcode ID: 97715f420355b05f0fb7dec5e636a0656a8c074562483949877d55b3ad7fa429
Instruction ID: 8e8a96b5161e99258343f5622bcc139e7d947449c53ae981801bb6f8620d946d
Opcode Fuzzy Hash: 97715f420355b05f0fb7dec5e636a0656a8c074562483949877d55b3ad7fa429
Instruction Fuzzy Hash: 6F2125B1640204ABC730AF16CC42F9BB7ECEF51304F11082EF6449B292D6B8E485CBA8

Function 00406DE9 Relevance: 9.0, APIs: 3, Strings: 3, Instructions: 49stringCOMMON

Download Yara Rule

APIs

strncmp.MSVCRT ref: 00406E00
sscanf.MSVCRT ref: 00406E29
sscanf.MSVCRT ref: 00406E40

Strings

http://, xrefs: 00406DFA
%1024[^/]/%n, xrefs: 00406E3A
%1024[^:]:%d/%n, xrefs: 00406E23

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: sscanf$strncmp
String ID: %1024[^/]/%n$%1024[^:]:%d/%n$http://
API String ID: 3429437187-1181495805
Opcode ID: 6fec6f9f77b246b69fcadc81b92791e8c16c1a71a5e0883eecf4d841ac8badb4
Instruction ID: 95e09372c3734172eb6d8c5fc18091c86cc5219cff2f167617469cf405a26fb4
Opcode Fuzzy Hash: 6fec6f9f77b246b69fcadc81b92791e8c16c1a71a5e0883eecf4d841ac8badb4
Instruction Fuzzy Hash: 9901DF76900309BBDB109E18CC81FEB3BADDF44B50F118427FD09A6242E279D9219AE5

Function 00411265 Relevance: 9.0, APIs: 1, Strings: 5, Instructions: 46COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,0041E860,00000001,?,0041119B,?,00000000,0041C038,004279D8,?), ref: 004112C6

Strings

CCC, xrefs: 004112AC
DDDD, xrefs: 004112A3
GGGGGGG, xrefs: 00411288
FFFFFF, xrefs: 00411291
EEEEE, xrefs: 0041129A

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: memcpy
String ID: CCC$DDDD$EEEEE$FFFFFF$GGGGGGG
API String ID: 3510742995-2380088536
Opcode ID: e9813a9c3c2caec6b928d553deb1097a05452135b44dc8f0a178dd48fa6a60a5
Instruction ID: 13055d4be77394f94bc71724d8cdbf94d4ebecf7834e3778282c180ea4b1dc11
Opcode Fuzzy Hash: e9813a9c3c2caec6b928d553deb1097a05452135b44dc8f0a178dd48fa6a60a5
Instruction Fuzzy Hash: D1F01D38AE8749B0D9302306AC53FE211815304B90F6449833B05FA1E0D4FD9AC2A02F

Function 00411514 Relevance: 9.0, APIs: 6, Instructions: 38networkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,?,00000000), ref: 00411526
WSAGetLastError.WS2_32(?,?,?,00000000), ref: 00411530
WSAGetLastError.WS2_32(?,?,?,00000000), ref: 0041153E
WSAGetLastError.WS2_32(?,?,?,00000000), ref: 00411547
WSAGetLastError.WS2_32(?,?,?,00000000), ref: 00411557

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: ErrorLast$send
String ID:
API String ID: 3964319974-0
Opcode ID: c456a6f8dc68f5e949c94808d216391820c55d4afd63ff56f154d4a27d3ba358
Instruction ID: c73342d56370c3dfdb468e43380184260cfed3add4562a42c6a849998165ece3
Opcode Fuzzy Hash: c456a6f8dc68f5e949c94808d216391820c55d4afd63ff56f154d4a27d3ba358
Instruction Fuzzy Hash: 24F03072B48111769A20A7B99C42AEE61439B91778F710F1BF2F6D12F0E52CC5C0919F

Function 00404A27 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00404B7B: memset.MSVCRT ref: 00404BC8
Part of subcall function 00404B7B: _isctype.MSVCRT ref: 00404BE3
Part of subcall function 00404B7B: strlen.MSVCRT ref: 00404C2C
Part of subcall function 00404B7B: strlen.MSVCRT ref: 00404C3A
Part of subcall function 00404B7B: strlen.MSVCRT ref: 00404C4D
Part of subcall function 00404B7B: strcmp.MSVCRT ref: 00404C68
Part of subcall function 00404B7B: strcmp.MSVCRT ref: 00404C7D

fgets.MSVCRT ref: 00404A6A
sscanf.MSVCRT ref: 00404A98
strcmp.MSVCRT ref: 00404AB0
strcmp.MSVCRT ref: 00404ACB

Strings

%[^:]:%[^:]:%s, xrefs: 00404A92

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: strcmp$strlen$_isctypefgetsmemsetsscanf
String ID: %[^:]:%[^:]:%s
API String ID: 327574129-3799016729
Opcode ID: 4e25fb76574f70fc9ec065f3184315b65a81cf8742ae4bdf82ba6af93c41c532
Instruction ID: 08ae39bb38a1d1a8fd659a0f22f7402fa382a86d31219c8e43519b277fe83e99
Opcode Fuzzy Hash: 4e25fb76574f70fc9ec065f3184315b65a81cf8742ae4bdf82ba6af93c41c532
Instruction Fuzzy Hash: 22213CB694011DABDF11DA91DC81EDFB77DEB48310F1080B3EA05E2151E635EA55CF68

Function 004070DD Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54networkCOMMON

Download Yara Rule

APIs

accept.WS2_32(?,?,?), ref: 00407106
inet_ntoa.WS2_32(?), ref: 00407141
closesocket.WS2_32(?), ref: 00407166

Strings

line 3884, xrefs: 00407148
%s: %s is not allowed to connect, xrefs: 0040714D

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: acceptclosesocketinet_ntoa
String ID: %s: %s is not allowed to connect$line 3884
API String ID: 4056037703-2564180978
Opcode ID: 5460781ff3f3f77464f4b6eb3cd8324768a2d74e01832c77e3241837946dea83
Instruction ID: c2cdf6ddd75f09341db7c86c2f1c72a360341ed289d3915d68a4b8ee3a3bd73b
Opcode Fuzzy Hash: 5460781ff3f3f77464f4b6eb3cd8324768a2d74e01832c77e3241837946dea83
Instruction Fuzzy Hash: 87114C72900108ABCF00AFA4DD859EFBBBDEF04311F508126F915AA291D734AA45CBA5

Function 00406616 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 39stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00401F9F: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,0041C478,000000FF,?,00000014,00000000,?,00000104), ref: 00401FCE
Part of subcall function 00401F9F: _wfopen.MSVCRT ref: 00401FDF

GetLastError.KERNEL32(?,0041D694,00000000,?,004046C8,00000000,?,?,?,?,?,?,?,00000000), ref: 0040662D
strerror.MSVCRT ref: 00406634
fclose.MSVCRT ref: 00406683

Strings

HTTP/1.1 200 OKContent-Type: text/htmlConnection: %s, xrefs: 00406664
fopen(%s): %s, xrefs: 0040663E

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide_wfopenfclosestrerror
String ID: HTTP/1.1 200 OKContent-Type: text/htmlConnection: %s$fopen(%s): %s
API String ID: 3205250981-3145790220
Opcode ID: 8d5a028876da06db07539b86240eb7b27f26c43a197b7322776485a1914c3c4e
Instruction ID: b638b5a21c5ecf989cd6861050b4d4364665f3241667afa21bced490716fbbd0
Opcode Fuzzy Hash: 8d5a028876da06db07539b86240eb7b27f26c43a197b7322776485a1914c3c4e
Instruction Fuzzy Hash: 59F04F72484224BBCB123BA1DC06EDA3F2AAF14754F118136FE09681B1DB3A46609A9D

Function 00401C66 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 38fileCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000104,00000000,00000000,00000000,00000000,00404E36,?,00000000,00000000,PUT), ref: 00401C93
FindNextFileW.KERNEL32(6N@,?), ref: 00401C9F
FindClose.KERNEL32(6N@), ref: 00401CAB
SetLastError.KERNEL32(000000A0,00000000,00000000,00404E36,?,00000000,00000000,PUT), ref: 00401CBF

Strings

6N@, xrefs: 00401C67, 00401C9D, 00401CA9

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: Find$ByteCharCloseErrorFileLastMultiNextWide
String ID: 6N@
API String ID: 2042606875-3347145515
Opcode ID: f9e3ef4f9b449e827c555a678b5ecb803e5dc583e94f95add628a1b1fd34725f
Instruction ID: a6b72e4290548564f95069e6ba3a34dc0d13d59d507832aa714465fea3797e28
Opcode Fuzzy Hash: f9e3ef4f9b449e827c555a678b5ecb803e5dc583e94f95add628a1b1fd34725f
Instruction Fuzzy Hash: 6EF0C276248202EFE3205F24CD48DA377E9EB84760F10473AF6E6E21F0D670A8418725

Function 0041132E Relevance: 7.6, APIs: 6, Instructions: 125COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,0041753F,1A1A2E58,?,?), ref: 0041137E
memcpy.MSVCRT(?,FFFFFFC0,FFFFFFC0,FFFFFFC0,FFFFFFBF,?,0041C038,00427C84), ref: 004113EF
memcpy.MSVCRT(?,0041753F,1A1A2E58,?,FFFFFFC0,FFFFFFC0,FFFFFFC0,FFFFFFBF,?,0041C038,00427C84), ref: 004113FF
memcpy.MSVCRT(?,004174DF,00000020,?,0041753F,1A1A2E58,?,FFFFFFC0,FFFFFFC0,FFFFFFC0,FFFFFFBF,?,0041C038,00427C84), ref: 00411413
memcpy.MSVCRT(?,004174FF,00000020,?,004174DF,00000020,?,0041753F,1A1A2E58,?,FFFFFFC0,FFFFFFC0,FFFFFFC0,FFFFFFBF,?,0041C038), ref: 00411427
memcpy.MSVCRT(?,?,00000014,?,?,?,?,1A1A2E99), ref: 00411461

Part of subcall function 004085B5: memcpy.MSVCRT(?,004279F4,00000020,0041C038), ref: 004085CC
Part of subcall function 004085B5: memcpy.MSVCRT(?,00427A14,00000020,?,004279F4,00000020,0041C038), ref: 004085DE

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 0fe96c841b0c32936f4366c30ce6f775ad9a34262579ecbe61e5c1256bad5883
Instruction ID: f14d2b1a9620b48150b34399b996c3c3fdf690a50336aa01e5b4079a384d368b
Opcode Fuzzy Hash: 0fe96c841b0c32936f4366c30ce6f775ad9a34262579ecbe61e5c1256bad5883
Instruction Fuzzy Hash: 3241EFB290011CABCB11DBA5DD85EDFB7BCEF04314F0445A7BA09E6141EB34E7858BA4

Function 0040840B Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 94COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,00000010,client finished,0041051C,?), ref: 00408455
memcpy.MSVCRT(?,?,00000010,?,?,00000010,client finished,0041051C,?), ref: 00408470
memcpy.MSVCRT(?,?,00000030,?,?,00000010,?,?,00000010,client finished,0041051C,?), ref: 0040847D
memcpy.MSVCRT(?,0041051C,0000000C,?,?,00000030,?,?,00000010,?,?,00000010,client finished,0041051C,?), ref: 0040848D

Part of subcall function 00408258: memcpy.MSVCRT(?,?,00000000,?,?,?,00000094,?,?,?,004084D4,?,?,?,00000094,?), ref: 00408343

Strings

client finished, xrefs: 00408419

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: memcpy
String ID: client finished
API String ID: 3510742995-2813564925
Opcode ID: 2ec780f393483ce889654bee737f469ddf525a1239af2f3b9bf33bc893f5182a
Instruction ID: 8d7aa6ffeb0ff36f072458a0f6d1f8f5e64a6fd1d6334aaddff3a2809dc6d1f4
Opcode Fuzzy Hash: 2ec780f393483ce889654bee737f469ddf525a1239af2f3b9bf33bc893f5182a
Instruction Fuzzy Hash: 96318DB250015CBBCF11DEE4CD48EEF77ADAF48304F05456AFA48A6181DA38EA54CFA0

Function 00410EAC Relevance: 7.6, APIs: 6, Instructions: 69COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,00411257,?,0041C038,?,00000000,?,00411257,?,?,0041C038,004279D8,?), ref: 00410EC8
memcpy.MSVCRT(?,00000000,?,?,00411257,?,0041C038,?,00000000,?,00411257,?,?,0041C038,004279D8,?), ref: 00410ED9
memcpy.MSVCRT(?,?,?,?,00000000,?,?,00411257,?,0041C038,?,00000000,?,00411257,?,?), ref: 00410EF6
memcpy.MSVCRT(?,00000000,?,?,?,?,?,00000000,?,?,00411257,?,0041C038,?,00000000), ref: 00410F0C
memcpy.MSVCRT(?,?,?,?,00000000,?,?,?,?,?,00000000,?,?,00411257,?,0041C038), ref: 00410F2A
memcpy.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?,?,?,00000000,?,?), ref: 00410F3F

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: ea937474f070778c49189097a4f6a97db660a4395ee095ca31da1b074c2f0964
Instruction ID: 03501868211d416b618bd9510409599cd3215b822fe2b5f2f0c46fc48313ac8f
Opcode Fuzzy Hash: ea937474f070778c49189097a4f6a97db660a4395ee095ca31da1b074c2f0964
Instruction Fuzzy Hash: 2B21EAB2400A19BBC7129FA5D884CEBB7ECEF49244B01452BB59ACB101D635F655CBA4

Function 0040E98F Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,00000008,?,76379AC0,00000000,?,0040389C,?,00000001), ref: 0040E9BA

Part of subcall function 0040E7D9: memcpy.MSVCRT(0040389C,?,00000004,00000008,?,?,0040E9CC,?,?,0040389C,?,76379AC0,00000000,?,0040389C,?), ref: 0040E7E8
Part of subcall function 0040E7D9: memcpy.MSVCRT(?,?,00000004,0040389C,?,00000004,00000008,?,?,0040E9CC,?,?,0040389C,?,76379AC0,00000000), ref: 0040E7F7
Part of subcall function 0040E7D9: memcpy.MSVCRT(0040E9CC,?,00000004,?,0040389C,0040389C,?,0040389C,?,?,0040389C,?,?,0040389C), ref: 0040E85F
Part of subcall function 0040E7D9: memcpy.MSVCRT(0040E9C8,0040389C,00000004,0040E9CC,?,00000004,?,0040389C,0040389C,?,0040389C,?,?,0040389C,?,?), ref: 0040E86E

memcpy.MSVCRT(?,?,00000008,0040389C,?,00000008,?,?,0040389C,?,76379AC0,00000000,?,0040389C,?,00000001), ref: 0040E9E8
memcpy.MSVCRT(?,?,00000008,?,?,00000008,0040389C,?,00000008,?,?,0040389C,?,76379AC0,00000000,?), ref: 0040E9F6
memcpy.MSVCRT(?,?,00000008,?,?,00000008,?,?,00000008,0040389C,?,00000008,?,?,0040389C,?), ref: 0040EA01

Strings

`3@, xrefs: 0040E98F

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: memcpy
String ID: `3@
API String ID: 3510742995-891369106
Opcode ID: 54264571b64d918f162b781116069eaf670b5e6448bf8c8c2ada5e05681f38fa
Instruction ID: 1590678cad751e20d1ac48811db81138ba3ff977a76aa47bf4384b4b6b7836a5
Opcode Fuzzy Hash: 54264571b64d918f162b781116069eaf670b5e6448bf8c8c2ada5e05681f38fa
Instruction Fuzzy Hash: A70139B25002186BCF10EE569C85EEB7B6CFF45324F05483AFD49AA142EA34D5248BB0

Function 00408C2D Relevance: 7.5, APIs: 6, Instructions: 45COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00408C44
free.MSVCRT ref: 00408C52
free.MSVCRT ref: 00408C60
free.MSVCRT ref: 00408C6E
free.MSVCRT ref: 00408C7C
free.MSVCRT ref: 00408C90

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: f7e1263fa514c13471d8f834274539f18e02db5c6bf89f0694c383ef9ec6be60
Instruction ID: 1753344832c3d68424e835e5cfdc80cfc45faf857e01f48e8f7c2d59dccd7afd
Opcode Fuzzy Hash: f7e1263fa514c13471d8f834274539f18e02db5c6bf89f0694c383ef9ec6be60
Instruction Fuzzy Hash: 64F04436709B0556DA24AA7AAE88E9773EC9F84711705083FF695E32C0DF38E804897C

Function 004041D9 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 70stringCOMMON

Download Yara Rule

APIs

_isctype.MSVCRT ref: 004041FA
strncmp.MSVCRT ref: 00404267

Strings

HTTP/, xrefs: 0040425F
<=@, xrefs: 004041E0, 00404224, 00404234, 00404240, 004041F9, 00404228, 00404237, 00404248

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: _isctypestrncmp
String ID: <=@$HTTP/
API String ID: 2225848299-3200335489
Opcode ID: e4075f26d85ee82339b6d8c7abad51c391bf97fecbb479011a69ad698756fb40
Instruction ID: 93c608d2be356f14aecd05eaea80e8b4fdf1e6b62aac33f5781ecddff51188cd
Opcode Fuzzy Hash: e4075f26d85ee82339b6d8c7abad51c391bf97fecbb479011a69ad698756fb40
Instruction Fuzzy Hash: D411D2B1644304ABC7109FA1DC45AE67BACAB85398B10807FFE44EB2D1D639E545C758

Function 00401FEB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004020D6: strlen.MSVCRT ref: 0040210B
Part of subcall function 004020D6: memmove.MSVCRT(00000105,00000106,00000000,00000105,00000200,00000000,00402014,?,?,?,00000104), ref: 00402116

strlen.MSVCRT ref: 0040201B
fprintf.MSVCRT ref: 0040207C
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00401FBC), ref: 004020A2

Strings

Rejecting suspicious path: [%s], xrefs: 00402076

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: strlen$ByteCharMultiWidefprintfmemmove
String ID: Rejecting suspicious path: [%s]
API String ID: 1015408857-3549046145
Opcode ID: 36d3321a847911522c2a8b964d607736dab9e756d0f2744529ccdf4e3dc72384
Instruction ID: 9572e5d84daa92a431ce77e67741ed23f51d1a7a0111368cdf7d34e933c31dbd
Opcode Fuzzy Hash: 36d3321a847911522c2a8b964d607736dab9e756d0f2744529ccdf4e3dc72384
Instruction Fuzzy Hash: 1411B6B15043596FDB20D764CE8DBDAB7A9AB15304F4440A3E344B61E1D3FC9AC4CB59

Function 004050BD Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

FindClose.KERNEL32(00000000,00000000,00000000,00404F3B,?,?,00000000,00000000,PUT), ref: 004050D1
free.MSVCRT ref: 004050E1
SetLastError.KERNEL32(000000A0,00000000,00000000,00404F3B,?,?,00000000,00000000,PUT), ref: 004050F2

Strings

;O@, xrefs: 004050BF, 004050E0

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: CloseErrorFindLastfree
String ID: ;O@
API String ID: 1593916217-3594699065
Opcode ID: b7fb7194298a5aadb68c13890f54cc5cb0878795387683123210573c38787d27
Instruction ID: 43a3aa3fe78abe9e1eff5d609cfd46805ec357d30c9ee23ed1c17e6599470d4b
Opcode Fuzzy Hash: b7fb7194298a5aadb68c13890f54cc5cb0878795387683123210573c38787d27
Instruction Fuzzy Hash: 8EE048366046319BC1204768AC0CA9BBF74DF89B71726C336F975E72D4CB345C0285E9

Function 004014E5 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 19windowCOMMON

Download Yara Rule

APIs

_vsnprintf.MSVCRT ref: 00401501
MessageBoxA.USER32(00000000,?,Error,00000000), ref: 0040151A
exit.MSVCRT ref: 00401522

Strings

Error, xrefs: 00401512

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: Message_vsnprintfexit
String ID: Error
API String ID: 2513116298-2619118453
Opcode ID: d47bc7bc683f7e5bfc4230be41bd681c17e036806d325f746a382f8bf02f02c7
Instruction ID: d71f96a6a7750fb50719775450a9e6b300c18641d96c7b5459aee6eeb4d06487
Opcode Fuzzy Hash: d47bc7bc683f7e5bfc4230be41bd681c17e036806d325f746a382f8bf02f02c7
Instruction Fuzzy Hash: 24E08C31684308BBF750AB94CC0AFDA3B7CAB08701F00C561F60D960C1DBB0928C8BAD

Function 0040AB9C Relevance: 6.4, APIs: 5, Instructions: 187stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 0040AC77

Part of subcall function 00410B33: memset.MSVCRT ref: 00410B3E

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: memsetstrlen
String ID:
API String ID: 841943882-0
Opcode ID: b30492fa55139c15f66e11d01aa87db8601dd3cfc4d74e00898182e5214a8d1f
Instruction ID: 4f1f0ea92e3b2dd738ecfdc4c1abeca4b8ca582276ed1050d89b188b53480818
Opcode Fuzzy Hash: b30492fa55139c15f66e11d01aa87db8601dd3cfc4d74e00898182e5214a8d1f
Instruction Fuzzy Hash: 68610771540705AFD720CB74C844FEFBBB99F15304F10852EE19AA72C1DB38AA95CB6A

Function 0040958F Relevance: 6.4, APIs: 5, Instructions: 147stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 0040965D
strncpy.MSVCRT ref: 0040967E
strlen.MSVCRT ref: 0040968B
strncpy.MSVCRT ref: 004096AA
strncmp.MSVCRT ref: 004096D5

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: strlenstrncpy$strncmp
String ID:
API String ID: 3293407871-0
Opcode ID: 6258b604f2f99a2ba80117d0c64480dd25ac6a4bfc8478e6e3578d9a2319c0af
Instruction ID: 2596699d54b189e214f6f0c02ed9fa536009ceb31cedf16e08d0d03213f3f54b
Opcode Fuzzy Hash: 6258b604f2f99a2ba80117d0c64480dd25ac6a4bfc8478e6e3578d9a2319c0af
Instruction Fuzzy Hash: BA519271800609EFDF21CF75CC44BEBBBB8EB04314F1485AAE569A7282D778AA44CF54

Function 00411108 Relevance: 6.4, APIs: 5, Instructions: 109COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,00000030,?,?,0041C038,004279D8,?), ref: 00411162
memcpy.MSVCRT(?,?,00000030,?,00000000,0041C038,004279D8,?), ref: 004111B7
memcpy.MSVCRT(?,?,00000020,?,?,00000030,?,00000000,0041C038,004279D8,?), ref: 004111C9
memcpy.MSVCRT(?,?,00000020,?,?,00000020,?,?,00000030,?,00000000,0041C038,004279D8,?), ref: 004111D8

Part of subcall function 0040F673: memcpy.MSVCRT(00000000,?,00000040,?,00419BF3,00000005,?,00409F63,00419BF3,?,00000005,0041E417,?,00000005,?,0041C038), ref: 0040F69B

Part of subcall function 004107A2: memset.MSVCRT ref: 004107DA
Part of subcall function 004107A2: memset.MSVCRT ref: 00410805
Part of subcall function 004107A2: memcpy.MSVCRT(00403D74,?,00000004,VD,VD,00000040,00000004,?,?,?,00000018,?,0041C038,?), ref: 00410831
Part of subcall function 004107A2: memcpy.MSVCRT(00403D00,FFFFFF1D,00000004,00403D74,?,00000004,VD,VD,00000040,00000004,?,?,?,00000018,?,0041C038), ref: 0041083D
Part of subcall function 004107A2: memcpy.MSVCRT(00000004,?,00000014,?,?,?,?,?,VD,VD,00000040,00000004), ref: 0041086E

memcpy.MSVCRT(?,?,00000014,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411213

Part of subcall function 0040ED8D: memcpy.MSVCRT(?,?,00000040,?,0041C033,00000005,00409F53,0041E417,?,00000005,?,0041C038,?,00409EC9), ref: 0040EDB4

Part of subcall function 0040F58D: memset.MSVCRT ref: 0040F5C4
Part of subcall function 0040F58D: memset.MSVCRT ref: 0040F5E8
Part of subcall function 0040F58D: memcpy.MSVCRT(00000059,00000008,00000004,?,00000000,00000038,0041051C,0041E41C,?,00409376,0041E41C,00000018,0041E41C,004175D8,00000030,0041E41C), ref: 0040F607
Part of subcall function 0040F58D: memcpy.MSVCRT(0000005D,0000000D,00000004,00000059,00000008,00000004,?,00000000,00000038,0041051C,0041E41C,?,00409376,0041E41C,00000018,0041E41C), ref: 0040F613
Part of subcall function 0040F58D: memcpy.MSVCRT(?,00000011,00000010,00000005,00000030,0041E41C,0041051C,00000030,0041E41C,00000018,00000004,?,?,00000018,?,0041C038), ref: 0040F62B

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: memcpy$memset
String ID:
API String ID: 438689982-0
Opcode ID: 76cab3a4bed67648891fb88762c72cdd46013421ae0414b41eb38a02121b2efc
Instruction ID: 50d19c7672cc0cd360790473cf46d5a29f25d8d1165bbfb54c110201c803f0b0
Opcode Fuzzy Hash: 76cab3a4bed67648891fb88762c72cdd46013421ae0414b41eb38a02121b2efc
Instruction Fuzzy Hash: 034103B290021CABDB11DBE5DD85EDEB3BCAF04304F00446BB619E6081E778A7898B64

Function 0040A981 Relevance: 6.3, APIs: 5, Instructions: 95COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,0041C038,00000002,0041C038,?,0041C038,?,004094B3,0041C038,?,0041C038,0041C038,00000000,?,0041C038,?), ref: 0040A999
memcpy.MSVCRT(00427A14,00000000,00000020,?,0041C038,00000002,0041C038,?,0041C038,?,004094B3,0041C038,?,0041C038,0041C038,00000000), ref: 0040A9B0
memcpy.MSVCRT(00427A34,0044E856,0044E856,00000000,0041C038,0041C038,<=@,0041C038), ref: 0040A9D6

Part of subcall function 00411108: memcpy.MSVCRT(?,?,00000030,?,?,0041C038,004279D8,?), ref: 00411162
Part of subcall function 00411108: memcpy.MSVCRT(?,?,00000030,?,00000000,0041C038,004279D8,?), ref: 004111B7
Part of subcall function 00411108: memcpy.MSVCRT(?,?,00000020,?,?,00000030,?,00000000,0041C038,004279D8,?), ref: 004111C9
Part of subcall function 00411108: memcpy.MSVCRT(?,?,00000020,?,?,00000020,?,?,00000030,?,00000000,0041C038,004279D8,?), ref: 004111D8
Part of subcall function 00411108: memcpy.MSVCRT(?,?,00000014,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411213

memcmp.MSVCRT(00427A34,00427CCC,00000020), ref: 0040AA2D
memcpy.MSVCRT(00427B54,00427CEC,00000030,0041C038,?,?,?,00000000,0041C038,0041C038,<=@,0041C038), ref: 0040AA53

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: memcpy$memcmp
String ID:
API String ID: 3384217055-0
Opcode ID: a44ba9ebd12d9726e44e3bedf917c04986d2444acdd4858111d701a25f5d401a
Instruction ID: daab44961b7cfb56bb28067222da4d7d4bb8a57247489fd4e435de34ff31c020
Opcode Fuzzy Hash: a44ba9ebd12d9726e44e3bedf917c04986d2444acdd4858111d701a25f5d401a
Instruction Fuzzy Hash: A53124B26047557BC702CB748C41FE7FB9CAB06304F05022BA989DB282D738B524CBE6

Function 0041688F Relevance: 6.3, APIs: 5, Instructions: 94COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004168C7
memset.MSVCRT ref: 004168F2
memcpy.MSVCRT(00000038,?,00000004,00000000,00000000,00000040,00000010,?,004084D4), ref: 0041691E
memcpy.MSVCRT(-0000003C,FFFFFF1D,00000004,00000038,?,00000004,00000000,00000000,00000040,00000010,?,004084D4), ref: 0041692A
memcpy.MSVCRT(00000010,?,00000020,?,?,?,?,?,00000000,00000000,00000040,00000010), ref: 0041695B

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: memcpy$memset
String ID:
API String ID: 438689982-0
Opcode ID: 63530bcd349b526370fce13deddede0d8152a9948cf65c0c798804a167fefd6f
Instruction ID: 72d06965a59bfcca5a8694250986cd12e35528496a975f5dd0aa9594e33b963e
Opcode Fuzzy Hash: 63530bcd349b526370fce13deddede0d8152a9948cf65c0c798804a167fefd6f
Instruction Fuzzy Hash: 432106B1640204ABD720AF26CC42FDBB7ECEF51718F11441EFA459B282D6B8E481CB69

Function 0040F58D Relevance: 6.3, APIs: 5, Instructions: 72COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040F5C4
memset.MSVCRT ref: 0040F5E8
memcpy.MSVCRT(00000059,00000008,00000004,?,00000000,00000038,0041051C,0041E41C,?,00409376,0041E41C,00000018,0041E41C,004175D8,00000030,0041E41C), ref: 0040F607
memcpy.MSVCRT(0000005D,0000000D,00000004,00000059,00000008,00000004,?,00000000,00000038,0041051C,0041E41C,?,00409376,0041E41C,00000018,0041E41C), ref: 0040F613
memcpy.MSVCRT(?,00000011,00000010,00000005,00000030,0041E41C,0041051C,00000030,0041E41C,00000018,00000004,?,?,00000018,?,0041C038), ref: 0040F62B

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: memcpy$memset
String ID:
API String ID: 438689982-0
Opcode ID: d0c0309f2109f6802b76f410299c15ce53331ce690c7160ae7c9e5633e2facf1
Instruction ID: d6d66a6b462f4353b1c9c83a3ddaa04aaf778cc08a8ada683952d642ab34df5f
Opcode Fuzzy Hash: d0c0309f2109f6802b76f410299c15ce53331ce690c7160ae7c9e5633e2facf1
Instruction Fuzzy Hash: EA2192B2500705AFC730AF65D881D9AB3ECEF14308B11492EF68697292DB78E559CB68

Function 00402526 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,00000100,00000040,00000000,00000000,00000000,?,004024D3,?,00000000,00000000,00000100,?,0041CD10), ref: 0040256B
memcpy.MSVCRT(?,00000100,00000040,00000000,00000000,00000000,?,004024D3,?,00000000,00000000,00000100,?,0041CD10), ref: 004025A0
memcpy.MSVCRT(?,00000100,00000000,00000000,00000000,00000000,?,004024D3,?,00000000,00000000,00000100,?,0041CD10), ref: 004025CF

Strings

@, xrefs: 004025BD

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: memcpy
String ID: @
API String ID: 3510742995-2766056989
Opcode ID: 683450fa895aaa1917bd83834d58a49618c1cf3b0a22afe8fa436cd18943b5d4
Instruction ID: 414a7300c91830e1f56b2ce06e89bdb2d177afa795d6104d7e940eebdf4f7998
Opcode Fuzzy Hash: 683450fa895aaa1917bd83834d58a49618c1cf3b0a22afe8fa436cd18943b5d4
Instruction Fuzzy Hash: 28212CF24007047BCB20CE51CD45DDB73ACEF54310B00452FF905AA1D2E7B9E6558BA8

Function 00405317 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 75stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 0040535E

Strings

s, xrefs: 00405367
d, xrefs: 00405398
n, xrefs: 00405353

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: strcmp
String ID: d$n$s
API String ID: 1004003707-4285348339
Opcode ID: 79f56495b64d96206cc804dbae2aafff9c2b4d2a5c8095114f9a5237e29c6647
Instruction ID: a9daa6db6a3d0d24a5a7627b285fc334112293732a9aec2a9cf6a7c9b775b7a5
Opcode Fuzzy Hash: 79f56495b64d96206cc804dbae2aafff9c2b4d2a5c8095114f9a5237e29c6647
Instruction Fuzzy Hash: B8210435A05A128FDB388920D04112BB752EB443E4B788E7BDD51BB3C1D2B9DCC28E89

Function 0040C5C5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(00000006,00000000,00000001,00000001,00000000,00000005,00000000,00419B64,00000000,00000000), ref: 0040C635
memcpy.MSVCRT(00000006,00000000,00000000,00000006,00000000,00000001,00000001,00000000,00000005,00000000,00419B64,00000000,00000000), ref: 0040C645
memcpy.MSVCRT(00000006,00417660,00000007,00000006,00000000,00000000,00000006,00000000,00000001,00000001,00000000,00000005,00000000,00419B64,00000000,00000000), ref: 0040C656

Strings

`vA, xrefs: 0040C5FE

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: memcpy
String ID: `vA
API String ID: 3510742995-3475553604
Opcode ID: 456224cdc5ebecf7c5c2905663e3cb9aeeb8caa6af34679a61b39c8fae8748d1
Instruction ID: f638c6e16efac623692dab44603c537b62e419cdc900073a20f3fecd908f3e10
Opcode Fuzzy Hash: 456224cdc5ebecf7c5c2905663e3cb9aeeb8caa6af34679a61b39c8fae8748d1
Instruction Fuzzy Hash: 631184B6504108F7CB209FA9DCC9DCB7BACDB44394F108237F909AA240D239E645C7A8

Function 00401E35 Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 43COMMON

Download Yara Rule

APIs

_vsnprintf.MSVCRT ref: 00401E50

Strings

vsnprintf error, xrefs: 00401E5D
<=@, xrefs: 00401E44
truncating vsnprintf buffer: [%.*s], xrefs: 00401E81

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: _vsnprintf
String ID: <=@$truncating vsnprintf buffer: [%.*s]$vsnprintf error
API String ID: 2997827189-4271256169
Opcode ID: b03f3731f8015ba858ee48a0cbc3ddc4b45de93f94592c7382b3ae43d64a7ec4
Instruction ID: e0e831ebc17e6b0758f5e8d093d15e0ae71ce5efb6e63733b7891d4dc5a1b3fa
Opcode Fuzzy Hash: b03f3731f8015ba858ee48a0cbc3ddc4b45de93f94592c7382b3ae43d64a7ec4
Instruction Fuzzy Hash: 95F0CD3220820A6BEB119E15DC02EBF3B69DB51754F10443BFD04EA1F2E679E86192ED

Function 00403FEA Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 26stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00404013

Strings

1.1, xrefs: 00404005
keep-alive, xrefs: 0040400D
Connection, xrefs: 00403FEF

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: strcmp
String ID: 1.1$Connection$keep-alive
API String ID: 1004003707-1749409918
Opcode ID: 2ef259d729a866d5c9562d499ea0871c90f7d32c386df42bb776be7e9b661880
Instruction ID: 5c566aabf3cbf950743589e5a0ecf0d49fc986290ff2ac401aa11061c50096f1
Opcode Fuzzy Hash: 2ef259d729a866d5c9562d499ea0871c90f7d32c386df42bb776be7e9b661880
Instruction Fuzzy Hash: 62E07DF364422135D1309021AD01F9356484F9C72CF200433FF00F21D5D27CDC81505C

Function 00401D44 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73filenetworkCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 00401DB2
send.WS2_32(00000200,0041C038,0041C038,00000000), ref: 00401DD0

Strings

<=@, xrefs: 00401D68

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: fwritesend
String ID: <=@
API String ID: 482115517-3456421064
Opcode ID: c80984b705a2d0aeecc3422c244af3d0b093bb4c3e68844f915c58e3a15c54fe
Instruction ID: 3717ae8ba8e3e1bca51b9fdc0629ee0939a51b24cd31bf664b5d97951a5250f6
Opcode Fuzzy Hash: c80984b705a2d0aeecc3422c244af3d0b093bb4c3e68844f915c58e3a15c54fe
Instruction Fuzzy Hash: ED214175900219EBCB20DE59C881A9F77B9BF04714F10423BFC21A22E5D638FA519BE8

Function 0040B2D9 Relevance: 5.2, APIs: 4, Instructions: 196COMMON

Download Yara Rule

APIs

Part of subcall function 0040ED8D: memcpy.MSVCRT(?,?,00000040,?,0041C033,00000005,00409F53,0041E417,?,00000005,?,0041C038,?,00409EC9), ref: 0040EDB4

Part of subcall function 0040F673: memcpy.MSVCRT(00000000,?,00000040,?,00419BF3,00000005,?,00409F63,00419BF3,?,00000005,0041E417,?,00000005,?,0041C038), ref: 0040F69B

memcpy.MSVCRT(?,00000001,00000002,0041E478,00000000,00000000,0041E41C,?,00000000,0041E560,0041C038,00000000), ref: 0040B3EE
memcpy.MSVCRT(00427A34,00000000,00000000,0041E478,00000000,00000000,0041E41C,?,00000000,0041E560,0041C038,00000000), ref: 0040B431
memset.MSVCRT ref: 0040B45D
memcpy.MSVCRT(0041065C,65736F6F,00000020,0041E478,00000000,00000000,0041E41C,?,00000000,0041E560,0041C038,00000000), ref: 0040B47C

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: memcpy$memset
String ID:
API String ID: 438689982-0
Opcode ID: b4fb8f8ccb75113e4e86cc6e5b49e7d612bb178fa0e3c8fbf1f054b014de9ae4
Instruction ID: 4ddf41772e7400a355c0d8c05d35ec2a30584b6419acd315987ce76fdce50095
Opcode Fuzzy Hash: b4fb8f8ccb75113e4e86cc6e5b49e7d612bb178fa0e3c8fbf1f054b014de9ae4
Instruction Fuzzy Hash: B2715A7140465ABBCB169F70C850BFBBBA8EF05304F10416BF995D7282E338A655C7E9

Function 0040B5A8 Relevance: 5.2, APIs: 4, Instructions: 179COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,0041C038,00000002,0041C038,?,0041C038), ref: 0040B5D5
memcpy.MSVCRT(004279F4,?,00000020,0041C038,?,0041C038), ref: 0040B63C
memcpy.MSVCRT(00427A34,0041C038,00000020,?,?,?,0041C038,?,0041C038), ref: 0040B66C
memcpy.MSVCRT(?,0041C038,0041C038,?,?,?,0041C038,?,0041C038), ref: 0040B6C7

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 9ae32d830502216e54ecabf6dbf0f5ed9fb42a1af464453efcda1ccbed4e7f18
Instruction ID: d0e5491082fb3044d9f4710045b8e9ee1868968a20e6524377059eaed722e3f7
Opcode Fuzzy Hash: 9ae32d830502216e54ecabf6dbf0f5ed9fb42a1af464453efcda1ccbed4e7f18
Instruction Fuzzy Hash: 03615971904655ABC711DB74C840BEBB7A8EF05304F04427BE9A9EB2C2D338A955C7EE

Function 0040B907 Relevance: 5.2, APIs: 4, Instructions: 173COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(00427A54,00000000,00000030,?,00000000,00000000,?,?,7277202C,00000000,?,726F7272,?,?), ref: 0040B9DF
memcpy.MSVCRT(00427B84,65746363,?), ref: 0040BA90
memset.MSVCRT ref: 0040BADF
memcpy.MSVCRT(?,00427C84,?,00427A56,00000000,?), ref: 0040BB05

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: memcpy$memset
String ID:
API String ID: 438689982-0
Opcode ID: b4e3429e4cdfab6df8bc6e0e2c0ee826e5f60d2d655c70a500c84b45e80e4b15
Instruction ID: 70cfab1cb81d2e29525c0c02066bef9c429d6aca123b581cd3fed53bcf3359bc
Opcode Fuzzy Hash: b4e3429e4cdfab6df8bc6e0e2c0ee826e5f60d2d655c70a500c84b45e80e4b15
Instruction Fuzzy Hash: 9F5104716007459BDB21DB348841BEBB7A9EF45314F04442EF5AAAB3C1DB38A905CBAD

Function 0040A7D3 Relevance: 5.1, APIs: 4, Instructions: 119COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,0041C040,00000002,?,0041C038,00000001,0041C038,00000000,?,00000000,00000000,00000000,?,00407BDD,?,00000000), ref: 0040A863
memcpy.MSVCRT(004279F4,?,00000020,0041E314,?,00000020), ref: 0040A89B
memcpy.MSVCRT(?,00427CCC,00000020), ref: 0040A8BC
memcpy.MSVCRT(0041C048,0041C048,656D6F73), ref: 0040A8EB

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 108109156ab526da466de6b7009e971ebc6f6538474ee461fb93e7cdfc924acc
Instruction ID: 700c18113f9d4183e0550ae1d2ab742cabb83e7879dfdb0a9ea871eec3e54b34
Opcode Fuzzy Hash: 108109156ab526da466de6b7009e971ebc6f6538474ee461fb93e7cdfc924acc
Instruction Fuzzy Hash: B1412972500B44AAD7219BB4D885FE7B7E8EF05304F00052FF29E9B182D378B555C7A9

Function 0040EA6D Relevance: 5.1, APIs: 4, Instructions: 76COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,00000004,?,?,?,0040EA4E,?,?,?,?,?,00000008,0041C038,?), ref: 0040EA7C
memcpy.MSVCRT(?,?,00000004,?,?,00000004,?,?,?,0040EA4E,?,?,?,?,?,00000008), ref: 0040EA8B
memcpy.MSVCRT(?,?,00000004,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040EB1C
memcpy.MSVCRT(?,?,00000004,?,?,00000004,?,?,?,?,?,?,?,?,?,?), ref: 0040EB2B

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 8780e5a379dfc14a6a459a4b0277e0ed2907a278e191f8d6dc5c89ae09aed47c
Instruction ID: cb19a57c4209d214128b6427b2b505cd27ebaf86cc2a42d08330e4c26db68177
Opcode Fuzzy Hash: 8780e5a379dfc14a6a459a4b0277e0ed2907a278e191f8d6dc5c89ae09aed47c
Instruction Fuzzy Hash: 8F21DAB6C0011CFACF11EFA2DD45DCE776CAF14324F418467BA19AB141E639EB149BA4

Function 00407EF9 Relevance: 5.1, APIs: 4, Instructions: 71COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(0041F8B8,?,0041C038,004279D8,?,?,?,0040B4BD,0041C038,00427B54), ref: 00407F31
memcmp.MSVCRT(0041ED07,?,00000020,?,?,0040B4BD,0041C038,00427B54), ref: 00407F6B
LeaveCriticalSection.KERNEL32(0041F8B8,?,?,0040B4BD,0041C038,00427B54), ref: 00407FAF

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: CriticalSection$EnterLeavememcmp
String ID:
API String ID: 4275994184-0
Opcode ID: 9ced871ec745efad06d9285803bfbfe8de0d9095b37d4e49853eadacd25deccb
Instruction ID: b1aaf014b560a21ff2ac8ea03bc1435a38b3294080dfe8c6d1c584175207f86e
Opcode Fuzzy Hash: 9ced871ec745efad06d9285803bfbfe8de0d9095b37d4e49853eadacd25deccb
Instruction Fuzzy Hash: A0112771E08213BBE714A715DC4AFEA7764EB84714F14807AE805BB2C1D37CB949C66E

Function 00402E86 Relevance: 5.1, APIs: 4, Instructions: 62COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00402EAA
memset.MSVCRT ref: 00402ED2
memcpy.MSVCRT(00000004,?,00000010,?,00000004,?,?,?,0000000E,?,?,0041CD10), ref: 00402F07
memset.MSVCRT ref: 00402F11

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: memset$memcpy
String ID:
API String ID: 368790112-0
Opcode ID: 566e86343523834fc280e4103b62e3bf4179eaf750bc396b973187ac326f8714
Instruction ID: 96a07799da38aecc15c343ca88b9fdb3779bdf4c27635c394d5fda9655532e54
Opcode Fuzzy Hash: 566e86343523834fc280e4103b62e3bf4179eaf750bc396b973187ac326f8714
Instruction Fuzzy Hash: F6110CB555070077D230AA259D07F9773789FA6B14F010A1EF2417A1C3D7F8E14596ED

Function 0040E7D9 Relevance: 5.1, APIs: 4, Instructions: 61COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(0040389C,?,00000004,00000008,?,?,0040E9CC,?,?,0040389C,?,76379AC0,00000000,?,0040389C,?), ref: 0040E7E8
memcpy.MSVCRT(?,?,00000004,0040389C,?,00000004,00000008,?,?,0040E9CC,?,?,0040389C,?,76379AC0,00000000), ref: 0040E7F7
memcpy.MSVCRT(0040E9CC,?,00000004,?,0040389C,0040389C,?,0040389C,?,?,0040389C,?,?,0040389C), ref: 0040E85F
memcpy.MSVCRT(0040E9C8,0040389C,00000004,0040E9CC,?,00000004,?,0040389C,0040389C,?,0040389C,?,?,0040389C,?,?), ref: 0040E86E

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 1d07b5dba091eb54729381db5ccf5a17f1c76154a893c5354cc346082cffae30
Instruction ID: 59806f3c6d0a750e4a3280beb16737bb36094a3f4a3fb91f911148a5a3bb5ab2
Opcode Fuzzy Hash: 1d07b5dba091eb54729381db5ccf5a17f1c76154a893c5354cc346082cffae30
Instruction Fuzzy Hash: 6D11DDB6C0011CBACF11EFA1CD46DCE776CAF14314F018467BA18AB151E639D7149BA8

Function 00407FDF Relevance: 5.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(0041F8B8,?,00000000,0041C038,?,?,00409D8B,0041C038,0041C038,?,?,?,00000016,0041C038,004072DF,CLNTSRVRclient finished), ref: 0040800E
memcpy.MSVCRT(0041ED28,?,00000030,?,?,00409D8B,0041C038,0041C038,?,?,?,00000016,0041C038,004072DF,CLNTSRVRclient finished), ref: 0040803F
memcpy.MSVCRT(0041ED08,?,00000020,0041ED28,?,00000030,?,?,00409D8B,0041C038,0041C038,?,?,?,00000016,0041C038), ref: 0040804E
LeaveCriticalSection.KERNEL32(0041F8B8,?,00000014,0041C038,-00000005,?,00000000,?,004072DF,?,?,?,00401DA4,00000000,0041C038,0041C038), ref: 00408086

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: CriticalSectionmemcpy$EnterLeave
String ID:
API String ID: 469056452-0
Opcode ID: a7d502950f591e0667a9a604821440ae0f7dd1e272eabc841f89518a0ad23f5b
Instruction ID: d5f4536d1e2fcc52bd219eeafbc282f2800d7c97c6314a2d4b4ab70f71b896df
Opcode Fuzzy Hash: a7d502950f591e0667a9a604821440ae0f7dd1e272eabc841f89518a0ad23f5b
Instruction Fuzzy Hash: 2D114C7A940306ABE314DB62FC49BD3F76CEF50304F05493FE9095A182C73460698B68

Function 0040C44D Relevance: 5.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0040C467
free.MSVCRT ref: 0040C478
free.MSVCRT ref: 0040C489
free.MSVCRT ref: 0040C499

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 8a0d45980218b09f9622a5a8dd20d9619e6e82e53e2112b707b93aa0ec30ba3e
Instruction ID: 88c20f03468e29b2b30f209abd394c9afeae26a693a41e803b67054a6ccd84ae
Opcode Fuzzy Hash: 8a0d45980218b09f9622a5a8dd20d9619e6e82e53e2112b707b93aa0ec30ba3e
Instruction Fuzzy Hash: B9F0FF71600720DBD6209B3698D4B67B3E8FF90B15F158A3ED541B3690D778E888CE68

Function 00408839 Relevance: 5.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0040884D
free.MSVCRT ref: 00408858
free.MSVCRT ref: 00408862
free.MSVCRT ref: 00408878

Memory Dump Source

Source File: 0000000C.00000002.4519137934.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.4519123618.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519156723.0000000000417000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519172145.000000000041C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519187175.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.4519202095.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mongoose-2.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 29a00420e931546b69fa788b926fb90a5f889836271eac78790b4cc30ec82501
Instruction ID: 9f6f964e3c3c51a544714275ee11e5fdd5d009880d0025563bf6347c6d533085
Opcode Fuzzy Hash: 29a00420e931546b69fa788b926fb90a5f889836271eac78790b4cc30ec82501
Instruction Fuzzy Hash: 07F01C377047105ACA20BA7AED00A57B3E89F847217168C3FF690F32A0DE34E8048A78

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Mongoose\HTML\clientaccesspolicy.xml

C:\Mongoose\mongoose-2.11.exe

C:\Mongoose\mongoose.conf

C:\Mongoose_log.txt

C:\Users\user\AppData\Local\Temp\Stand Alone CNP\Mongoose\Mongoose.bat

C:\Users\user\AppData\Local\Temp\Stand Alone CNP\Mongoose\mongoose-2.11.exe

C:\Users\user\AppData\Local\Temp\Stand Alone CNP\Mongoose\mongoose.conf

C:\Users\user\AppData\Local\Temp\Stand Alone CNP\Mongoose\readme.txt.txt

\Device\Null

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Windows Analysis Report
SecuriteInfo.com.Trojan.MulDrop7.25259.29933.1105.exe

Function 004030FA Relevance: 70.3, APIs: 24, Strings: 16, Instructions: 270
filestringcomCOMMON

Function 00404EE8 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 278
windowclipboardmemoryCOMMON

Function 00405D2E Relevance: 4.5, APIs: 3, Instructions: 20
libraryloaderCOMMON

Function 004038EB Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345
windowstringCOMMON

Function 00403555 Relevance: 49.2, APIs: 15, Strings: 13, Instructions: 216
stringregistrylibraryCOMMON

Function 00402C22 Relevance: 26.4, APIs: 5, Strings: 10, Instructions: 182
COMMON

Function 00402E5B Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 174
fileCOMMON