Edit tour

Windows Analysis Report
17303071871f26ea74fbc7fbdc4bde644d7795ffd38ae1f7d401a33e5b7c207f8fb1a83f2f776.dat-decoded.exe

Overview

General Information

Sample name:	17303071871f26ea74fbc7fbdc4bde644d7795ffd38ae1f7d401a33e5b7c207f8fb1a83f2f776.dat-decoded.exe
Analysis ID:	1545601
MD5:	fba5f0a24d4ee22bb7e2d81ee53f1b73
SHA1:	08d02ec3caf674c465d3141f796e7ebf825903d3
SHA256:	8d9d9232d8c7678decb355382e7f4c4b114c824349d81337518aa0aaf5347687
Tags:	base64-decodedexeuser-abuse_ch

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Machine Learning detection for sample

Contains functionality to detect virtual machines (SLDT)

Contains functionality to read the PEB

Detected potential crypto function

Program does not show much activity (idle)

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

17303071871f26ea74fbc7fbdc4bde644d7795ffd38ae1f7d401a33e5b7c207f8fb1a83f2f776.dat-decoded.exe (PID: 7416 cmdline: "C:\Users\user\Desktop\17303071871f26ea74fbc7fbdc4bde644d7795ffd38ae1f7d401a33e5b7c207f8fb1a83f2f776.dat-decoded.exe" MD5: FBA5F0A24D4EE22BB7E2D81EE53F1B73)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: 17303071871f26ea74fbc7fbdc4bde644d7795ffd38ae1f7d401a33e5b7c207f8fb1a83f2f776.dat-decoded.exe

ReversingLabs: Detection: 15%

Machine Learning detection for sample

Source: 17303071871f26ea74fbc7fbdc4bde644d7795ffd38ae1f7d401a33e5b7c207f8fb1a83f2f776.dat-decoded.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\17303071871f26ea74fbc7fbdc4bde644d7795ffd38ae1f7d401a33e5b7c207f8fb1a83f2f776.dat-decoded.exe	Code function: 1_2_004415ED		1_2_004415ED
Source: C:\Users\user\Desktop\17303071871f26ea74fbc7fbdc4bde644d7795ffd38ae1f7d401a33e5b7c207f8fb1a83f2f776.dat-decoded.exe	Code function: 1_2_0040AB9A		1_2_0040AB9A

Source: classification engine

Classification label: mal52.winEXE@1/0@0/0

Source: 17303071871f26ea74fbc7fbdc4bde644d7795ffd38ae1f7d401a33e5b7c207f8fb1a83f2f776.dat-decoded.exe

ReversingLabs: Detection: 15%

Source: C:\Users\user\Desktop\17303071871f26ea74fbc7fbdc4bde644d7795ffd38ae1f7d401a33e5b7c207f8fb1a83f2f776.dat-decoded.exe

Code function: 1_2_0041B162 pushfd ; ret

1_2_0041B16D

Source: C:\Users\user\Desktop\17303071871f26ea74fbc7fbdc4bde644d7795ffd38ae1f7d401a33e5b7c207f8fb1a83f2f776.dat-decoded.exe

Code function: 1_2_0040AC0C sldt word ptr [eax]

1_2_0040AC0C

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\17303071871f26ea74fbc7fbdc4bde644d7795ffd38ae1f7d401a33e5b7c207f8fb1a83f2f776.dat-decoded.exe

Code function: 1_2_00433839 mov eax, dword ptr fs:[00000030h]

1_2_00433839

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	1 Virtualization/Sandbox Evasion	OS Credential Dumping	1 Virtualization/Sandbox Evasion	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Obfuscated Files or Information	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
17303071871f26ea74fbc7fbdc4bde644d7795ffd38ae1f7d401a33e5b7c207f8fb1a83f2f776.dat-decoded.exe	16%	ReversingLabs
17303071871f26ea74fbc7fbdc4bde644d7795ffd38ae1f7d401a33e5b7c207f8fb1a83f2f776.dat-decoded.exe	100%	Joe Sandbox ML

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1545601
Start date and time:	2024-10-30 17:54:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	17303071871f26ea74fbc7fbdc4bde644d7795ffd38ae1f7d401a33e5b7c207f8fb1a83f2f776.dat-decoded.exe
Detection:	MAL
Classification:	mal52.winEXE@1/0@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 23
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target 17303071871f26ea74fbc7fbdc4bde644d7795ffd38ae1f7d401a33e5b7c207f8fb1a83f2f776.dat-decoded.exe, PID 7416 because there are no executed function
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: 17303071871f26ea74fbc7fbdc4bde644d7795ffd38ae1f7d401a33e5b7c207f8fb1a83f2f776.dat-decoded.exe

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.730369710244118
TrID:	Win32 Executable (generic) a (10002005/4) 99.94% Clipper DOS Executable (2020/12) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	17303071871f26ea74fbc7fbdc4bde644d7795ffd38ae1f7d401a33e5b7c207f8fb1a83f2f776.dat-decoded.exe
File size:	370'022 bytes
MD5:	fba5f0a24d4ee22bb7e2d81ee53f1b73
SHA1:	08d02ec3caf674c465d3141f796e7ebf825903d3
SHA256:	8d9d9232d8c7678decb355382e7f4c4b114c824349d81337518aa0aaf5347687
SHA512:	976ca8907e32aa5adb0b4c67bf1eb6c560a4383189c5b020439acb011d0d7a8a306957aea465c6703c461d52f67cba3fa4f1a58996c72d57869d0782986494db
SSDEEP:	6144:3/u6fHlNK/5tmKiJMxGjk5TdZFOKJ3t0VNR2rxoh7Inl1PtCFaDC3csxKHiVx6us:326fHlNK/5tmKiJMxGjkNdZFOKJ3t0V2
TLSH:	D2747D50A681D072ECF71EB897649D65BABAB80044208C577FEC89B59FB1AD07432FF1
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................................PE..L......g...

File Icon


Icon Hash:	00928e8e8686b000

Analysis Process: 17303071871f26ea74fbc7fbdc4bde644d7795ffd38ae1f7d401a33e5b7c207f8fb1a83f2f776.dat-decoded.exePID: 7416, Parent PID: 3504

General

Target ID:	1
Start time:	12:55:15
Start date:	30/10/2024
Path:	C:\Users\user\Desktop\17303071871f26ea74fbc7fbdc4bde644d7795ffd38ae1f7d401a33e5b7c207f8fb1a83f2f776.dat-decoded.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\17303071871f26ea74fbc7fbdc4bde644d7795ffd38ae1f7d401a33e5b7c207f8fb1a83f2f776.dat-decoded.exe"
Imagebase:	0x400000
File size:	370'022 bytes
MD5 hash:	FBA5F0A24D4EE22BB7E2D81EE53F1B73
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: 17303071871f26ea74fbc7fbdc4bde644d7795ffd38ae1f7d401a33e5b7c207f8fb1a83f2f776.dat-decoded.exePID: 7416, Parent PID: 3504COMMON

Non-executed Functions

Function 004415ED Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2669338669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2669320099.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2669374542.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2669393627.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2669407935.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_17303071871f26ea74fbc7fbdc4bde644d7795ffd38ae1f7d401a33e5b7c207f8fb1a8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00bde0689ef5f7d49fbb63fc30a029c6e277d92a2933121d8e7927a3ed900369
Instruction ID: 689fb167534a84086959be96106322709ae36c68800c5eea467d830b38a4a73c
Opcode Fuzzy Hash: 00bde0689ef5f7d49fbb63fc30a029c6e277d92a2933121d8e7927a3ed900369
Instruction Fuzzy Hash: E0312172B215144FFB1D86099C863AA6B92EBE6314F2E427ED586C62D4D47CC947C284

Function 0040AB9A Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2669338669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2669320099.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2669374542.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2669393627.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2669407935.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_17303071871f26ea74fbc7fbdc4bde644d7795ffd38ae1f7d401a33e5b7c207f8fb1a8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd4538f070f3703a499b85082d420f77fdcdee65e2b88b7b8122abe43b5fe261
Instruction ID: c4d2633d61a9d298b602aea8442882a5f853691382aed5a8a2f9f2d80c35202c
Opcode Fuzzy Hash: bd4538f070f3703a499b85082d420f77fdcdee65e2b88b7b8122abe43b5fe261
Instruction Fuzzy Hash: CD213A367046144FD704DE3ACCC069AB7E3EBD9344705817AE849CB385EA38ED128795

Function 0040AC0C Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2669338669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2669320099.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2669374542.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2669393627.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2669407935.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_17303071871f26ea74fbc7fbdc4bde644d7795ffd38ae1f7d401a33e5b7c207f8fb1a8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fcc56bf96e9ee28b13b70541db798576aedc70bff2cab7f6b4a70f1cafcabb9
Instruction ID: 8dfe3ac0e1e4dbf91e9bfa0d06aaa87f3a7d168d52525cc6731fc4b3c1c94df7
Opcode Fuzzy Hash: 8fcc56bf96e9ee28b13b70541db798576aedc70bff2cab7f6b4a70f1cafcabb9
Instruction Fuzzy Hash: 39F0A077714A104FD398DB3DCC4569937D2DFC9204308857DE095D7344EA68D9029345

Function 00433839 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2669338669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2669320099.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2669374542.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2669393627.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2669407935.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_17303071871f26ea74fbc7fbdc4bde644d7795ffd38ae1f7d401a33e5b7c207f8fb1a8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d49f753dcd12525f8bf7515670ff0743a164d1936ce4994337ee253e0c75c2c2
Instruction ID: c4f06e481f43d3f08d4f753b4c01ebd633c8ed8cb4f438952f69ff236515462c
Opcode Fuzzy Hash: d49f753dcd12525f8bf7515670ff0743a164d1936ce4994337ee253e0c75c2c2
Instruction Fuzzy Hash: 16E04F32912128EBC728DB8D850498AB3ECEB48B45F11089AB601D3110C274DE00C7D4

Function 0040A1AA Relevance: 7.6, Strings: 6, Instructions: 92COMMON

Download Yara Rule

Strings

CBpC, xrefs: 0040A1FF
,, xrefs: 0040A2AE
4E, xrefs: 0040A29A
I^_E, xrefs: 0040A1ED
AI@, xrefs: 0040A292
@E, xrefs: 0040A2D1

Memory Dump Source

Source File: 00000001.00000002.2669338669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2669320099.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2669374542.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2669393627.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2669407935.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_17303071871f26ea74fbc7fbdc4bde644d7795ffd38ae1f7d401a33e5b7c207f8fb1a8.jbxd

Similarity

API ID:
String ID: AI@$,$CBpC$I^_E$4E$@E
API String ID: 0-3166366998
Opcode ID: d1be9a760ba9262711e08c8963bc5ccaa9966de6544aba5b6a7a4ad65685fc67
Instruction ID: cd1692aca1d0377c92d894392a6129a77a5aacc8ea0b28e1b4f33797ed9716b7
Opcode Fuzzy Hash: d1be9a760ba9262711e08c8963bc5ccaa9966de6544aba5b6a7a4ad65685fc67
Instruction Fuzzy Hash: 5A316934A08348DBC701DF28E9415A9B7F0FF86705F5081AFDC5257392DB786A46C70A

Function 00409C64 Relevance: 7.6, Strings: 6, Instructions: 71COMMON

Download Yara Rule

Strings

[M^I, xrefs: 00409D38
NUXI, xrefs: 00409D3F
P,D, xrefs: 00409C82
paM@, xrefs: 00409D31
P=E, xrefs: 00409C9A
_,, xrefs: 00409D46

Memory Dump Source

Source File: 00000001.00000002.2669338669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2669320099.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2669374542.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2669393627.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2669407935.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_17303071871f26ea74fbc7fbdc4bde644d7795ffd38ae1f7d401a33e5b7c207f8fb1a8.jbxd

Similarity

API ID:
String ID: NUXI$P,D$P=E$[M^I$_,$paM@
API String ID: 0-2283115929
Opcode ID: 2d40610f9a8c841e05bfb82633652c3c20302465f0ade7349cc1ab60e77cf884
Instruction ID: dd29551299dd68a0f1885815daff388baa81343b97b6c081ff061c151a2d0f9f
Opcode Fuzzy Hash: 2d40610f9a8c841e05bfb82633652c3c20302465f0ade7349cc1ab60e77cf884
Instruction Fuzzy Hash: CA213870A05200DBCB24EF65D9856ADB7B0EF41318F2001BFD101AB2D3CB799E46CB88

Function 004086FB Relevance: 6.3, Strings: 5, Instructions: 74COMMON

Download Yara Rule

Strings

0IE, xrefs: 0040873D
$AE, xrefs: 004087D9
`5E, xrefs: 004087C9
8IE, xrefs: 0040874C
ND@C, xrefs: 004087EE

Memory Dump Source

Source File: 00000001.00000002.2669338669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2669320099.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2669374542.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2669393627.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2669407935.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_17303071871f26ea74fbc7fbdc4bde644d7795ffd38ae1f7d401a33e5b7c207f8fb1a8.jbxd

Similarity

API ID:
String ID: $AE$0IE$8IE$ND@C$`5E
API String ID: 0-2118683752
Opcode ID: 2e72c4eb3b17c9ca3fc3ea536024e652a3750abf979e2003e9b45ee7a318fa2c
Instruction ID: fc3eee4014cf71bdcc08570828b8a4d0c289114f2f5a5d4701fa146e957e6fa2
Opcode Fuzzy Hash: 2e72c4eb3b17c9ca3fc3ea536024e652a3750abf979e2003e9b45ee7a318fa2c
Instruction Fuzzy Hash: 5D212C31605214ABC700DB78BA4659E37E0EB4631A720517FE841AB3D2DF7C9A42C70D

Function 0040973D Relevance: 6.3, Strings: 5, Instructions: 50COMMON

Download Yara Rule

Strings

_IBX, xrefs: 00409758
CBI,, xrefs: 00409775
EBI@, xrefs: 00409765
`BE, xrefs: 00409760
lBE, xrefs: 0040979B

Memory Dump Source

Source File: 00000001.00000002.2669338669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2669320099.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2669374542.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2669393627.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2669407935.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_17303071871f26ea74fbc7fbdc4bde644d7795ffd38ae1f7d401a33e5b7c207f8fb1a8.jbxd

Similarity

API ID:
String ID: CBI,$EBI@$_IBX$`BE$lBE
API String ID: 0-2791231339
Opcode ID: de9bf3319037531fa54d6c86921cafae3dfb1485767603064aab3ea2bf87a6d2
Instruction ID: 8a92c0037c8ec9f0fa7a274d7a62671b04956a700779b1f6961e3c69ac52280e
Opcode Fuzzy Hash: de9bf3319037531fa54d6c86921cafae3dfb1485767603064aab3ea2bf87a6d2
Instruction Fuzzy Hash: 4701D632209710DBC714FF19E881927B7E4FBC5361F90896FF9564B293CA789841CB4A

Function 004058DC Relevance: 6.3, Strings: 5, Instructions: 50COMMON

Download Yara Rule

Strings

\CE, xrefs: 0040593A
,, xrefs: 00405917
EGM^, xrefs: 004058F8
TCE, xrefs: 00405900
YP, xrefs: 00405905

Memory Dump Source

Source File: 00000001.00000002.2669338669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2669320099.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2669374542.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2669393627.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2669407935.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_17303071871f26ea74fbc7fbdc4bde644d7795ffd38ae1f7d401a33e5b7c207f8fb1a8.jbxd

Similarity

API ID:
String ID: ,$EGM^$TCE$YP$\CE
API String ID: 0-4229273823
Opcode ID: 1f7c43a9c89d525cd32d62959154ead14f7f821d7a52b11a70af7141338df763
Instruction ID: 0188cf7a15b36ea4d262133ff73fcac2537e69fab3f8427e58364e19e6495bcb
Opcode Fuzzy Hash: 1f7c43a9c89d525cd32d62959154ead14f7f821d7a52b11a70af7141338df763
Instruction Fuzzy Hash: 99014971308300EBC610EF14FC5166FB7D4EB45725F54842FED181B2A2CA79544A8B4E

Function 0040568F Relevance: 6.3, Strings: 5, Instructions: 49COMMON

Download Yara Rule

Strings

C_, xrefs: 004056B7
@BE, xrefs: 004056B2
_C\D, xrefs: 004056AA
HBE, xrefs: 004056E9
,, xrefs: 004056C6

Memory Dump Source

Source File: 00000001.00000002.2669338669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2669320099.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2669374542.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2669393627.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2669407935.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_17303071871f26ea74fbc7fbdc4bde644d7795ffd38ae1f7d401a33e5b7c207f8fb1a8.jbxd

Similarity

API ID:
String ID: ,$@BE$C_$HBE$_C\D
API String ID: 0-2088661977
Opcode ID: cbc598876f62e404d7b3d62fedbc2bcb5dfe58e83598815ab987b0d10c8bebaa
Instruction ID: 574503e6c472c4e3967ffc0542ff1d2fd074e0eae6d83046e17e259b61ab93dd
Opcode Fuzzy Hash: cbc598876f62e404d7b3d62fedbc2bcb5dfe58e83598815ab987b0d10c8bebaa
Instruction Fuzzy Hash: B301F931608710EFC710EF18E94192BB7D4EB99711F508D7FF4054B292DAB9A484875E

Function 00406175 Relevance: 6.3, Strings: 5, Instructions: 31COMMON

Download Yara Rule

Strings

]^_X, xrefs: 004061AA
YZ[T, xrefs: 004061B1
,, xrefs: 004061BE
UV, xrefs: 004061B8
lIE, xrefs: 004061A0

Memory Dump Source

Source File: 00000001.00000002.2669338669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2669320099.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2669374542.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2669393627.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2669407935.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_17303071871f26ea74fbc7fbdc4bde644d7795ffd38ae1f7d401a33e5b7c207f8fb1a8.jbxd

Similarity

API ID:
String ID: ,$UV$YZ[T$]^_X$lIE
API String ID: 0-3697862801
Opcode ID: 431ae4da772c1255c6f5e881c23b27360013afdcc3e619e20aff958d3a682775
Instruction ID: 0deb612a8441084ebdf12f42abd144da1b5f6c8d2e5408c00f9440d5a132e560
Opcode Fuzzy Hash: 431ae4da772c1255c6f5e881c23b27360013afdcc3e619e20aff958d3a682775
Instruction Fuzzy Hash: 47F0A470E00644DBDB00CFA8D981AAEF7F0EB4A715F0544AAD8116F352DB74A645CB49

Function 00407588 Relevance: 5.1, Strings: 4, Instructions: 105COMMON

Download Yara Rule

Strings

OUBI, xrefs: 004075EE
pBE, xrefs: 004075CA
xdQ,, xrefs: 00407655
xBE, xrefs: 004075D9

Memory Dump Source

Source File: 00000001.00000002.2669338669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2669320099.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2669374542.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2669393627.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2669407935.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_17303071871f26ea74fbc7fbdc4bde644d7795ffd38ae1f7d401a33e5b7c207f8fb1a8.jbxd

Similarity

API ID:
String ID: OUBI$pBE$xBE$xdQ,
API String ID: 0-2756081750
Opcode ID: ea1bf45ac00ca227760e1640153191b8df586c9e43019807c4c1df0ae83435b4
Instruction ID: 0758807a147c44553b37a354c5a09260218d37ff2be985371ea9ebce454a9bac
Opcode Fuzzy Hash: ea1bf45ac00ca227760e1640153191b8df586c9e43019807c4c1df0ae83435b4
Instruction Fuzzy Hash: F5312531A086509BCB00DF2CD94559D77A0EB45324B9149BFE402AB392DB39BA02CB4F

Function 0040948E Relevance: 5.1, Strings: 4, Instructions: 96COMMON

Download Yara Rule

Strings

F[Z, xrefs: 004094A1
EGI,, xrefs: 00409552
H_X^, xrefs: 00409542
CE, xrefs: 0040953D

Memory Dump Source

Source File: 00000001.00000002.2669338669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2669320099.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2669374542.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2669393627.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2669407935.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_17303071871f26ea74fbc7fbdc4bde644d7795ffd38ae1f7d401a33e5b7c207f8fb1a8.jbxd

Similarity

API ID:
String ID: F[Z$EGI,$H_X^$CE
API String ID: 0-550879246
Opcode ID: d5a04d7fc53420216d792aef18f39ff04f9b93ba25b1d8b7c3e6f53f8f09f1d7
Instruction ID: c4f2f85d713ea4276434952642840f73c211a294310930f2d3e7149e7383ccb1
Opcode Fuzzy Hash: d5a04d7fc53420216d792aef18f39ff04f9b93ba25b1d8b7c3e6f53f8f09f1d7
Instruction Fuzzy Hash: E421497630C300ABC301DF15BC8196AB7D4EB85314FA0896FF9964B293CA79AD46C65D

Function 00406038 Relevance: 5.1, Strings: 4, Instructions: 54COMMON

Download Yara Rule

Strings

,, xrefs: 0040607F
MAhM, xrefs: 00406070
XM, xrefs: 00406078
^CK^, xrefs: 00406060

Memory Dump Source

Source File: 00000001.00000002.2669338669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2669320099.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2669374542.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2669393627.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2669407935.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_17303071871f26ea74fbc7fbdc4bde644d7795ffd38ae1f7d401a33e5b7c207f8fb1a8.jbxd

Similarity

API ID:
String ID: ,$MAhM$XM$^CK^
API String ID: 0-1037802379
Opcode ID: 53c6e2b4d1e07453514d497f027b536c482d2296fd8d53113450ca908ade5930
Instruction ID: 949da70a4e51f00e2263c35da780ee549b98c685742fa476333989416ce30c02
Opcode Fuzzy Hash: 53c6e2b4d1e07453514d497f027b536c482d2296fd8d53113450ca908ade5930
Instruction Fuzzy Hash: 4F118CB1208340EFC610EF28D94282BB7D1EF85315F41496FF8564F292DB799454CB5B

Function 00406ABC Relevance: 5.1, Strings: 4, Instructions: 52COMMON

Download Yara Rule

Strings

t%=, xrefs: 00406B37
,, xrefs: 00406AF4
(5E, xrefs: 00406AE0
N_T, xrefs: 00406AD8

Memory Dump Source

Source File: 00000001.00000002.2669338669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2669320099.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2669374542.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2669393627.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2669407935.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_17303071871f26ea74fbc7fbdc4bde644d7795ffd38ae1f7d401a33e5b7c207f8fb1a8.jbxd

Similarity

API ID:
String ID: N_T$(5E$,$t%=
API String ID: 0-852570236
Opcode ID: bd9c7aebf7ecf5e72c52a0652abc7cd31e4e7654e0f8bb6565a1dbf39c330b7e
Instruction ID: 06e1a3e1501285922fd59e047d0bb8b6c70fc4ff0d4e92a17ba338d2ed2c46ee
Opcode Fuzzy Hash: bd9c7aebf7ecf5e72c52a0652abc7cd31e4e7654e0f8bb6565a1dbf39c330b7e
Instruction Fuzzy Hash: 43018971208320FBDB10EF14AD4596A77D0EBA6315F51442FF8468B282DE75A446C31F

Function 00408883 Relevance: 5.1, Strings: 4, Instructions: 51COMMON

Download Yara Rule

Strings

5E, xrefs: 0040892D
`kjX, xrefs: 004088A0
MtvF, xrefs: 00408899
,, xrefs: 00408941

Memory Dump Source

Source File: 00000001.00000002.2669338669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2669320099.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2669374542.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2669393627.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2669407935.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_17303071871f26ea74fbc7fbdc4bde644d7795ffd38ae1f7d401a33e5b7c207f8fb1a8.jbxd

Similarity

API ID:
String ID: 5E$,$MtvF$`kjX
API String ID: 0-3791592594
Opcode ID: 062e4a8f4b514dac2aa82fbbb514d54ef2a2d566016e0a18d63cd78a1e7a66f5
Instruction ID: 17a9e87e1e6df4e8ad4aef214fc95fdb876a2625ec10715c3dc31d60fcb85c5a
Opcode Fuzzy Hash: 062e4a8f4b514dac2aa82fbbb514d54ef2a2d566016e0a18d63cd78a1e7a66f5
Instruction Fuzzy Hash: B8118C72608300DBC700FF14E98092EBB60FB91324F50842FE9496B383CE798984870F

Function 00405846 Relevance: 5.0, Strings: 4, Instructions: 50COMMON

Download Yara Rule

Strings

BE, xrefs: 00405869
,, xrefs: 0040587D
II, xrefs: 0040586E
AOMJ, xrefs: 00405861

Memory Dump Source

Source File: 00000001.00000002.2669338669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2669320099.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2669374542.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2669393627.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2669407935.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_17303071871f26ea74fbc7fbdc4bde644d7795ffd38ae1f7d401a33e5b7c207f8fb1a8.jbxd

Similarity

API ID:
String ID: ,$AOMJ$II$BE
API String ID: 0-973620874
Opcode ID: 3d149936e516bcef52b9b0cf673ec71e10157dadea845d4cf596b31067fd8e0b
Instruction ID: 94bde7f9418e757eb601af37a11097959c7daeda79a53c98e21bee4ffc285588
Opcode Fuzzy Hash: 3d149936e516bcef52b9b0cf673ec71e10157dadea845d4cf596b31067fd8e0b
Instruction Fuzzy Hash: 70012232208710EBC310EF18B982D2BB7D0EB89361F50857FFD158B292DA78A4448B5E

Function 00407057 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

TAE, xrefs: 00407141
DHE, xrefs: 00407082
\X, xrefs: 00407093
D=E, xrefs: 00407131

Memory Dump Source

Source File: 00000001.00000002.2669338669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2669320099.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2669374542.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2669393627.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2669407935.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_17303071871f26ea74fbc7fbdc4bde644d7795ffd38ae1f7d401a33e5b7c207f8fb1a8.jbxd

Similarity

API ID:
String ID: D=E$DHE$TAE$\X
API String ID: 0-3981889983
Opcode ID: 3d4c9e5577427470898be5645f70c72863e3e2e5f4438235994dbbd5f2b2bda6
Instruction ID: 554511b853fb138842fbaf9fcc982ff5187db4d1da4d81d672cdd017db6fdda3
Opcode Fuzzy Hash: 3d4c9e5577427470898be5645f70c72863e3e2e5f4438235994dbbd5f2b2bda6
Instruction Fuzzy Hash: C5110A35E04680DBC700EF18EA40998B3B0AB55749B10407FD9115F3D2DB7CAA89CB0D

Function 00409BBC Relevance: 5.0, Strings: 4, Instructions: 48COMMON

Download Yara Rule

Strings

<DE, xrefs: 00409BE7
hDE, xrefs: 00409C2B
U,, xrefs: 00409C0A
Y^EX, xrefs: 00409C03

Memory Dump Source

Source File: 00000001.00000002.2669338669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2669320099.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2669374542.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2669393627.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2669407935.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_17303071871f26ea74fbc7fbdc4bde644d7795ffd38ae1f7d401a33e5b7c207f8fb1a8.jbxd

Similarity

API ID:
String ID: <DE$U,$Y^EX$hDE
API String ID: 0-2882930861
Opcode ID: 9fe49640f0b0ee51f47f2a0498e958780e96e9276a5f3df74bb2ed1323dc3070
Instruction ID: 37b8513f3c274819dd7d9dd9f27a9967889d864d1726acb1137e41f7822fb7cb
Opcode Fuzzy Hash: 9fe49640f0b0ee51f47f2a0498e958780e96e9276a5f3df74bb2ed1323dc3070
Instruction Fuzzy Hash: 08112930E05714DBEB00EF59E941AACB3B4BFC6719B50422FE801672A2DB785AC1CA0C

Function 00407A35 Relevance: 5.0, Strings: 4, Instructions: 47COMMON

Download Yara Rule

Strings

(CE, xrefs: 00407A58
4CE, xrefs: 00407A90
,, xrefs: 00407A6D
OY^I, xrefs: 00407A5D

Memory Dump Source

Source File: 00000001.00000002.2669338669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2669320099.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2669374542.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2669393627.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2669407935.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_17303071871f26ea74fbc7fbdc4bde644d7795ffd38ae1f7d401a33e5b7c207f8fb1a8.jbxd

Similarity

API ID:
String ID: (CE$,$4CE$OY^I
API String ID: 0-2947160778
Opcode ID: 8b7c5f0be97b7cd67234c4516ffab7c4e620006adb4667741acd655725ecd8e6
Instruction ID: 8c02fcf280dc61bd013e455e03c9cb948ec2f2626e6247c0d8ed52cc06091aa9
Opcode Fuzzy Hash: 8b7c5f0be97b7cd67234c4516ffab7c4e620006adb4667741acd655725ecd8e6
Instruction Fuzzy Hash: F101F93270C3009BC210EF19AD8192F73D4EB99325F90882FF9155B392CA79A401CF5A

Function 0040500C Relevance: 5.0, Strings: 4, Instructions: 38COMMON

Download Yara Rule

Strings

YA\_, xrefs: 00405029
,, xrefs: 00405031
hC@\, xrefs: 0040500C
DEBh, xrefs: 00405019

Memory Dump Source

Source File: 00000001.00000002.2669338669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2669320099.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2669374542.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2669393627.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2669407935.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_17303071871f26ea74fbc7fbdc4bde644d7795ffd38ae1f7d401a33e5b7c207f8fb1a8.jbxd

Similarity

API ID:
String ID: ,$DEBh$YA\_$hC@\
API String ID: 0-3734053923
Opcode ID: 44480c7c9e671a4f857f9b11dc8d3d6d2cfeebe5e64df06c442f9af8cfe96415
Instruction ID: 9af34d4c247a2730fc0799637588450fb6872d834cf0f60940af7374ccafdb90
Opcode Fuzzy Hash: 44480c7c9e671a4f857f9b11dc8d3d6d2cfeebe5e64df06c442f9af8cfe96415
Instruction Fuzzy Hash: B20147701087408BC610DF59984190FB7A0EB81720F91852EBA696F2D2C7788885CF0A

Function 00408861 Relevance: 5.0, Strings: 4, Instructions: 35COMMON

Download Yara Rule

Strings

5E, xrefs: 0040892D
`kjX, xrefs: 004088A0
MtvF, xrefs: 00408899
,, xrefs: 00408941

Memory Dump Source

Source File: 00000001.00000002.2669338669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2669320099.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2669374542.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2669393627.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2669407935.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_17303071871f26ea74fbc7fbdc4bde644d7795ffd38ae1f7d401a33e5b7c207f8fb1a8.jbxd

Similarity

API ID:
String ID: 5E$,$MtvF$`kjX
API String ID: 0-3791592594
Opcode ID: 4568669c57122757894310d50261fcd1dc8560fdf885c0d055420b1990ec8501
Instruction ID: 77aa7e6e40f34382aaa087300c0a4052b3c33b28dc5ea0f612ba0e85bedba486
Opcode Fuzzy Hash: 4568669c57122757894310d50261fcd1dc8560fdf885c0d055420b1990ec8501
Instruction Fuzzy Hash: 2501DE34A08348CFCB00DF18DA50A6DF7B0FBAA705F55806EDC456B352DB34AA44CB1A

Function 004083A4 Relevance: 5.0, Strings: 4, Instructions: 24COMMON

Download Yara Rule

Strings

@CE, xrefs: 004083C7
_IOY, xrefs: 004083CC
,, xrefs: 004083E4
^EXU, xrefs: 004083DC

Memory Dump Source

Source File: 00000001.00000002.2669338669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2669320099.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2669374542.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2669393627.0000000000452000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2669407935.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_17303071871f26ea74fbc7fbdc4bde644d7795ffd38ae1f7d401a33e5b7c207f8fb1a8.jbxd

Similarity

API ID:
String ID: ,$@CE$^EXU$_IOY
API String ID: 0-4283724782
Opcode ID: d914f8d3df62adfd7557a220dee7c8a34ac66317e158c289d5faf7423b3aefde
Instruction ID: b3727b18591741ea61376379f59079d7a23abebf65b870023da27d5892ddcfb8
Opcode Fuzzy Hash: d914f8d3df62adfd7557a220dee7c8a34ac66317e158c289d5faf7423b3aefde
Instruction Fuzzy Hash: 1EF05470704381CBC210EF18D65591AB7F1F788704F55486DE8564B353DB75E908CB5A

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 17303071871f26ea74fbc7fbdc4bde644d7795ffd38ae1f7d401a33e5b7c207f8fb1a83f2f776.dat-decoded.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Network Behavior

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: 17303071871f26ea74fbc7fbdc4bde644d7795ffd38ae1f7d401a33e5b7c207f8fb1a83f2f776.dat-decoded.exePID: 7416, Parent PID: 3504

General

Chronological Activities

Disassembly

Analysis Process: 17303071871f26ea74fbc7fbdc4bde644d7795ffd38ae1f7d401a33e5b7c207f8fb1a83f2f776.dat-decoded.exePID: 7416, Parent PID: 3504COMMON

Non-executed Functions

Function 004415ED Relevance: .1, Instructions: 108COMMON

Function 0040AB9A Relevance: .1, Instructions: 86COMMON

Function 0040AC0C Relevance: .0, Instructions: 30COMMON

Function 00433839 Relevance: .0, Instructions: 22COMMON

Function 0040A1AA Relevance: 7.6, Strings: 6, Instructions: 92COMMON

Function 00409C64 Relevance: 7.6, Strings: 6, Instructions: 71COMMON

Function 004086FB Relevance: 6.3, Strings: 5, Instructions: 74COMMON

Function 0040973D Relevance: 6.3, Strings: 5, Instructions: 50COMMON

Function 004058DC Relevance: 6.3, Strings: 5, Instructions: 50COMMON

Function 0040568F Relevance: 6.3, Strings: 5, Instructions: 49COMMON

Function 00406175 Relevance: 6.3, Strings: 5, Instructions: 31COMMON

Function 00407588 Relevance: 5.1, Strings: 4, Instructions: 105COMMON

Function 0040948E Relevance: 5.1, Strings: 4, Instructions: 96COMMON

Function 00406038 Relevance: 5.1, Strings: 4, Instructions: 54COMMON

Function 00406ABC Relevance: 5.1, Strings: 4, Instructions: 52COMMON

Function 00408883 Relevance: 5.1, Strings: 4, Instructions: 51COMMON

Function 00405846 Relevance: 5.0, Strings: 4, Instructions: 50COMMON

Function 00407057 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Windows Analysis Report
17303071871f26ea74fbc7fbdc4bde644d7795ffd38ae1f7d401a33e5b7c207f8fb1a83f2f776.dat-decoded.exe