Edit tour
Windows
Analysis Report
loader.exe
Overview
General Information
| Sample name: | loader.exe |
| Analysis ID: | 1561467 |
| MD5: | eb9da66b64c00bc89fe8bb984995e7da |
| SHA1: | fb0ef230ce7078220b9c0d8795ec88234d9c2f93 |
| SHA256: | 340de30b05a843bd6a8fbdc1b58f7c3f2e9378c6c1a6b44108d0b7467a5f68c2 |
| Tags: | exeuser-4k95m |
| Infos: |  |
 | |
Detection
LummaC Stealer
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
Query firmware table information (likely to detect VMs)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Classification
- System is w10x64
loader.exe (PID: 7284 cmdline: "C:\Users\ user\Deskt op\loader. exe" MD5: EB9DA66B64C00BC89FE8BB984995E7DA) 
conhost.exe (PID: 7292 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - loader.exe (PID: 7348 cmdline:
"C:\Users\ user\Deskt op\loader. exe" MD5: EB9DA66B64C00BC89FE8BB984995E7DA) - loader.exe (PID: 7356 cmdline:
"C:\Users\ user\Deskt op\loader. exe" MD5: EB9DA66B64C00BC89FE8BB984995E7DA) - loader.exe (PID: 7364 cmdline:
"C:\Users\ user\Deskt op\loader. exe" MD5: EB9DA66B64C00BC89FE8BB984995E7DA) - loader.exe (PID: 7372 cmdline:
"C:\Users\ user\Deskt op\loader. exe" MD5: EB9DA66B64C00BC89FE8BB984995E7DA)
- cleanup
{"C2 url": "https://property-imper.sbs/api", "Build Version": "yau6Na--5067838847"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security |
⊘No Sigma rule has matched
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-23T14:09:25.528059+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49730 | 172.67.162.84 | 443 | TCP |
| 2024-11-23T14:09:27.573143+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49731 | 172.67.162.84 | 443 | TCP |
| 2024-11-23T14:09:29.889674+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49732 | 172.67.162.84 | 443 | TCP |
| 2024-11-23T14:09:32.141438+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49733 | 172.67.162.84 | 443 | TCP |
| 2024-11-23T14:09:34.430730+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49734 | 172.67.162.84 | 443 | TCP |
| 2024-11-23T14:09:36.966027+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49735 | 172.67.162.84 | 443 | TCP |
| 2024-11-23T14:09:39.553578+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49736 | 172.67.162.84 | 443 | TCP |
| 2024-11-23T14:09:43.271902+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49738 | 172.67.162.84 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-23T14:09:26.245154+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49730 | 172.67.162.84 | 443 | TCP |
| 2024-11-23T14:09:28.294611+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 172.67.162.84 | 443 | TCP |
| 2024-11-23T14:09:43.985225+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49738 | 172.67.162.84 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-23T14:09:26.245154+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.4 | 49730 | 172.67.162.84 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-23T14:09:28.294611+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 172.67.162.84 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-23T14:09:32.862590+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49733 | 172.67.162.84 | 443 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Malware Configuration Extractor: | ||
| Source: | ReversingLabs: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Code function: | 5_2_0041A205 | |
| Source: | Static PE information: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_0025C7DB | |
| Source: | Code function: | 2_2_0025C72A | |
| Source: | Code function: | 2_2_0025C7DB | |
| Source: | Code function: | 5_2_00441920 | |
| Source: | Code function: | 5_2_00441920 | |
| Source: | Code function: | 5_2_00428BA0 | |
| Source: | Code function: | 5_2_0040A440 | |
| Source: | Code function: | 5_2_004194B0 | |
| Source: | Code function: | 5_2_0040DDAD | |
| Source: | Code function: | 5_2_004417F0 | |
| Source: | Code function: | 5_2_0042A8D0 | |
| Source: | Code function: | 5_2_004210A0 | |
| Source: | Code function: | 5_2_0043A120 | |
| Source: | Code function: | 5_2_004291C4 | |
| Source: | Code function: | 5_2_0042C990 | |
| Source: | Code function: | 5_2_0043C240 | |
| Source: | Code function: | 5_2_00424A50 | |
| Source: | Code function: | 5_2_0040DA6F | |
| Source: | Code function: | 5_2_0041EA11 | |
| Source: | Code function: | 5_2_0041BA2F | |
| Source: | Code function: | 5_2_0040EAF1 | |
| Source: | Code function: | 5_2_0042E2B5 | |
| Source: | Code function: | 5_2_0042531F | |
| Source: | Code function: | 5_2_0042531F | |
| Source: | Code function: | 5_2_0042E32F | |
| Source: | Code function: | 5_2_0043A3C0 | |
| Source: | Code function: | 5_2_0041A3F9 | |
| Source: | Code function: | 5_2_0041F3B0 | |
| Source: | Code function: | 5_2_0043C440 | |
| Source: | Code function: | 5_2_0043C440 | |
| Source: | Code function: | 5_2_00409C50 | |
| Source: | Code function: | 5_2_00428420 | |
| Source: | Code function: | 5_2_00428420 | |
| Source: | Code function: | 5_2_0041BCD2 | |
| Source: | Code function: | 5_2_00427CE1 | |
| Source: | Code function: | 5_2_00424CB0 | |
| Source: | Code function: | 5_2_00401D70 | |
| Source: | Code function: | 5_2_00427CE1 | |
| Source: | Code function: | 5_2_00440510 | |
| Source: | Code function: | 5_2_004405D0 | |
| Source: | Code function: | 5_2_00402D80 | |
| Source: | Code function: | 5_2_0042BD80 | |
| Source: | Code function: | 5_2_00404E70 | |
| Source: | Code function: | 5_2_00407E00 | |
| Source: | Code function: | 5_2_00407E00 | |
| Source: | Code function: | 5_2_0042AE3D | |
| Source: | Code function: | 5_2_00439ED0 | |
| Source: | Code function: | 5_2_0040B6E0 | |
| Source: | Code function: | 5_2_0043C750 | |
| Source: | Code function: | 5_2_0043C750 | |
| Source: | Code function: | 5_2_00409F60 | |
| Source: | Code function: | 5_2_0042CF60 | |
| Source: | Code function: | 5_2_00401F70 | |
| Source: | Code function: | 5_2_00428F70 | |
| Source: | Code function: | 5_2_0041AF7A | |
| Source: | Code function: | 5_2_0040C7FD | |
| Source: | Code function: | 5_2_0041CF97 | |
Networking | |
|---|
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | URLs: | ||
| Source: | IP Address: | ||
| Source: | JA3 fingerprint: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | DNS traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Code function: | 5_2_00434400 | |
| Source: | Code function: | 5_2_00434400 | |
| Source: | Code function: | 5_2_004345C0 | |
| Source: | Code function: | 0_2_0024F4D0 | |
| Source: | Code function: | 0_2_002534D0 | |
| Source: | Code function: | 0_2_002515A0 | |
| Source: | Code function: | 0_2_0024F980 | |
| Source: | Code function: | 0_2_0024CE70 | |
| Source: | Code function: | 0_2_002486C0 | |
| Source: | Code function: | 0_2_0024D7F0 | |
| Source: | Code function: | 0_2_00261FD2 | |
| Source: | Code function: | 2_2_0024F4D0 | |
| Source: | Code function: | 2_2_002534D0 | |
| Source: | Code function: | 2_2_002515A0 | |
| Source: | Code function: | 2_2_0024F980 | |
| Source: | Code function: | 2_2_0024CE70 | |
| Source: | Code function: | 2_2_002486C0 | |
| Source: | Code function: | 2_2_0024D7F0 | |
| Source: | Code function: | 2_2_00261FD2 | |
| Source: | Code function: | 5_2_004240D0 | |
| Source: | Code function: | 5_2_00439920 | |
| Source: | Code function: | 5_2_00441920 | |
| Source: | Code function: | 5_2_00442220 | |
| Source: | Code function: | 5_2_00409350 | |
| Source: | Code function: | 5_2_0040E3CA | |
| Source: | Code function: | 5_2_00428BA0 | |
| Source: | Code function: | 5_2_0040A440 | |
| Source: | Code function: | 5_2_0040D4C5 | |
| Source: | Code function: | 5_2_00404490 | |
| Source: | Code function: | 5_2_004194B0 | |
| Source: | Code function: | 5_2_00439600 | |
| Source: | Code function: | 5_2_0042E624 | |
| Source: | Code function: | 5_2_00425F6F | |
| Source: | Code function: | 5_2_00421FD0 | |
| Source: | Code function: | 5_2_0043BFE0 | |
| Source: | Code function: | 5_2_0041C84E | |
| Source: | Code function: | 5_2_00427054 | |
| Source: | Code function: | 5_2_0041B862 | |
| Source: | Code function: | 5_2_004030D0 | |
| Source: | Code function: | 5_2_0042A8D0 | |
| Source: | Code function: | 5_2_004210A0 | |
| Source: | Code function: | 5_2_0041A900 | |
| Source: | Code function: | 5_2_00405108 | |
| Source: | Code function: | 5_2_004061C0 | |
| Source: | Code function: | 5_2_004291C4 | |
| Source: | Code function: | 5_2_004199D1 | |
| Source: | Code function: | 5_2_004341E0 | |
| Source: | Code function: | 5_2_0040DA6F | |
| Source: | Code function: | 5_2_00422220 | |
| Source: | Code function: | 5_2_00432AE0 | |
| Source: | Code function: | 5_2_004072F0 | |
| Source: | Code function: | 5_2_00403AF0 | |
| Source: | Code function: | 5_2_00420A80 | |
| Source: | Code function: | 5_2_00429B61 | |
| Source: | Code function: | 5_2_00405B73 | |
| Source: | Code function: | 5_2_0042531F | |
| Source: | Code function: | 5_2_0041A3F9 | |
| Source: | Code function: | 5_2_0041F3B0 | |
| Source: | Code function: | 5_2_0041A462 | |
| Source: | Code function: | 5_2_0040BC00 | |
| Source: | Code function: | 5_2_00420410 | |
| Source: | Code function: | 5_2_00441C10 | |
| Source: | Code function: | 5_2_00428420 | |
| Source: | Code function: | 5_2_0042B4AF | |
| Source: | Code function: | 5_2_00424CB0 | |
| Source: | Code function: | 5_2_00440510 | |
| Source: | Code function: | 5_2_00426530 | |
| Source: | Code function: | 5_2_00427DC6 | |
| Source: | Code function: | 5_2_004405D0 | |
| Source: | Code function: | 5_2_0042BD80 | |
| Source: | Code function: | 5_2_0041DE50 | |
| Source: | Code function: | 5_2_00406E60 | |
| Source: | Code function: | 5_2_00429E60 | |
| Source: | Code function: | 5_2_00427E65 | |
| Source: | Code function: | 5_2_00404E70 | |
| Source: | Code function: | 5_2_00407E00 | |
| Source: | Code function: | 5_2_0042AE3D | |
| Source: | Code function: | 5_2_0043CEC0 | |
| Source: | Code function: | 5_2_0040B6E0 | |
| Source: | Code function: | 5_2_0041AEE8 | |
| Source: | Code function: | 5_2_0042A692 | |
| Source: | Code function: | 5_2_004236A0 | |
| Source: | Code function: | 5_2_0043C750 | |
| Source: | Code function: | 5_2_00409F60 | |
| Source: | Code function: | 5_2_0042CF60 | |
| Source: | Code function: | 5_2_0041CF78 | |
| Source: | Code function: | 5_2_0041AF7A | |
| Source: | Code function: | 5_2_0042E61D | |
| Source: | Code function: | 5_2_00441F20 | |
| Source: | Code function: | 5_2_004067D0 | |
| Source: | Code function: | 5_2_00438FA0 | |
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 5_2_00439920 | |
| Source: | Mutant created: | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | ReversingLabs: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00254BD8 | |
| Source: | Code function: | 2_2_00254BD8 | |
| Source: | Code function: | 5_2_00418786 | |
| Source: | Code function: | 0_2_00254CA2 | |
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | System information queried: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | WMI Queries: | ||
| Source: | Code function: | 0_2_0025C7DB | |
| Source: | Code function: | 2_2_0025C72A | |
| Source: | Code function: | 2_2_0025C7DB | |
| Source: | Binary or memory string: | ||
| Source: | Process information queried: | Jump to behavior | ||
| Source: | Code function: | 5_2_0043E990 | |
| Source: | Code function: | 0_2_00255444 | |
| Source: | Code function: | 0_2_0024CD10 | |
| Source: | Code function: | 0_2_0026B18D | |
| Source: | Code function: | 0_2_0024BD50 | |
| Source: | Code function: | 2_2_0024CD10 | |
| Source: | Code function: | 2_2_0024BD50 | |
| Source: | Code function: | 0_2_00259F90 | |
| Source: | Code function: | 0_2_00255438 | |
| Source: | Code function: | 0_2_00255444 | |
| Source: | Code function: | 0_2_00257DCA | |
| Source: | Code function: | 0_2_00254AD9 | |
| Source: | Code function: | 2_2_00255438 | |
| Source: | Code function: | 2_2_00255444 | |
| Source: | Code function: | 2_2_00257DCA | |
| Source: | Code function: | 2_2_00254AD9 | |
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | Code function: | 0_2_0026B18D | |
| Source: | Memory written: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Code function: | 0_2_00255200 | |
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Code function: | 0_2_002558C5 | |
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | WMI Queries: | ||
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | File source: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Windows Management Instrumentation | 1 DLL Side-Loading | 211 Process Injection | 11 Virtualization/Sandbox Evasion | 2 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Screen Capture | 21 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 211 Process Injection | LSASS Memory | 141 Security Software Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Deobfuscate/Decode Files or Information | Security Account Manager | 11 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 31 Data from Local System | 113 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 3 Obfuscated Files or Information | NTDS | 1 Process Discovery | Distributed Component Object Model | 2 Clipboard Data | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Software Packing | LSA Secrets | 11 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 33 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 47% | ReversingLabs | Win32.Trojan.Generic | ||
| 100% | Joe Sandbox ML |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| property-imper.sbs | 172.67.162.84 | true | false | high |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| false | high |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 172.67.162.84 | property-imper.sbs | United States | 13335 | CLOUDFLARENETUS | false |
| Joe Sandbox version: | 41.0.0 Charoite |
| Analysis ID: | 1561467 |
| Start date and time: | 2024-11-23 14:08:33 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 4m 16s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 9 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | loader.exe |
| Detection: | MAL |
| Classification: | mal100.troj.spyw.evad.winEXE@10/0@1/1 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target loader.exe, PID 7348 because there are no executed function
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
- VT rate limit hit for: loader.exe
| Time | Type | Description |
|---|---|---|
| 08:09:25 | API Interceptor |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 172.67.162.84 | Get hash | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | Browse | ||
| Get hash | malicious | LummaC Stealer | Browse | |||
| Get hash | malicious | LummaC Stealer | Browse | |||
| Get hash | malicious | LummaC Stealer | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | LummaC Stealer | Browse | |||
| Get hash | malicious | LummaC Stealer | Browse | |||
| Get hash | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | Browse | |||
| Get hash | malicious | LummaC Stealer | Browse | |||
| Get hash | malicious | LummaC Stealer | Browse |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| property-imper.sbs | Get hash | malicious | LummaC Stealer | Browse |
| |
| Get hash | malicious | Amadey, Clipboard Hijacker, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| CLOUDFLARENETUS | Get hash | malicious | LummaC Stealer | Browse |
| |
| Get hash | malicious | Amadey, Clipboard Hijacker, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| a0e9f5d64349fb13191bc781f81f42e1 | Get hash | malicious | LummaC Stealer | Browse |
| |
| Get hash | malicious | Amadey, Clipboard Hijacker, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
|
⊘No context
⊘No created / dropped files found
| File type: | |
| Entropy (8bit): | 7.728279644396657 |
| TrID: |
|
| File name: | loader.exe |
| File size: | 495'104 bytes |
| MD5: | eb9da66b64c00bc89fe8bb984995e7da |
| SHA1: | fb0ef230ce7078220b9c0d8795ec88234d9c2f93 |
| SHA256: | 340de30b05a843bd6a8fbdc1b58f7c3f2e9378c6c1a6b44108d0b7467a5f68c2 |
| SHA512: | 238299fb7c51972e8675a1d009dd274ccfbcae49cd52fe702cf9ea3b0ebc99519ef78c6aa05f537e0abe5fd0a64051f9e5246b64eb7be6fce013cef53ff2fc4b |
| SSDEEP: | 12288:OJB+nneDgkXFEIPFHbTSmie2URLIMnfAaLRvpgCfd/j4Lc:yAoR2wbTS2LLI8IalpgCfZkw |
| TLSH: | 80B4F1AF73A390A3E6A3287141E49B75452E3F700F30A5FB57241F691B36AC28532E57 |
| File Content Preview: | MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...t.@g............................pX............@.......................................@.................................T...<.. |
 | |
| Icon Hash: | 90cececece8e8eb0 |
| Entrypoint: | 0x415870 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows cui |
| Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
| DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, GUARD_CF, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x6740AA74 [Fri Nov 22 15:59:48 2024 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 6 |
| OS Version Minor: | 0 |
| File Version Major: | 6 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 6 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 887797384d81c493a9d8ee55dad3b2e1 |
| Instruction |
|---|
| call 00007F86AD8B268Ah |
| jmp 00007F86AD8B24EDh |
| mov ecx, dword ptr [0042B5F0h] |
| push esi |
| push edi |
| mov edi, BB40E64Eh |
| mov esi, FFFF0000h |
| cmp ecx, edi |
| je 00007F86AD8B2686h |
| test esi, ecx |
| jne 00007F86AD8B26A8h |
| call 00007F86AD8B26B1h |
| mov ecx, eax |
| cmp ecx, edi |
| jne 00007F86AD8B2689h |
| mov ecx, BB40E64Fh |
| jmp 00007F86AD8B2690h |
| test esi, ecx |
| jne 00007F86AD8B268Ch |
| or eax, 00004711h |
| shl eax, 10h |
| or ecx, eax |
| mov dword ptr [0042B5F0h], ecx |
| not ecx |
| pop edi |
| mov dword ptr [0042B5ECh], ecx |
| pop esi |
| ret |
| push ebp |
| mov ebp, esp |
| sub esp, 14h |
| and dword ptr [ebp-0Ch], 00000000h |
| lea eax, dword ptr [ebp-0Ch] |
| and dword ptr [ebp-08h], 00000000h |
| push eax |
| call dword ptr [0042946Ch] |
| mov eax, dword ptr [ebp-08h] |
| xor eax, dword ptr [ebp-0Ch] |
| mov dword ptr [ebp-04h], eax |
| call dword ptr [00429430h] |
| xor dword ptr [ebp-04h], eax |
| call dword ptr [0042942Ch] |
| xor dword ptr [ebp-04h], eax |
| lea eax, dword ptr [ebp-14h] |
| push eax |
| call dword ptr [004294A8h] |
| mov eax, dword ptr [ebp-10h] |
| lea ecx, dword ptr [ebp-04h] |
| xor eax, dword ptr [ebp-14h] |
| xor eax, dword ptr [ebp-04h] |
| xor eax, ecx |
| leave |
| ret |
| mov eax, 00004000h |
| ret |
| push 0042C970h |
| call dword ptr [00429488h] |
| ret |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| mov al, 01h |
| ret |
| push 00030000h |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x29254 | 0x3c | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2f000 | 0x1400 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x237c0 | 0xc0 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x293c8 | 0x138 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x2169a | 0x21800 | 02aff72e65eaf052f891170e28598361 | False | 0.550606343283582 | data | 6.737058354414408 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x23000 | 0x7264 | 0x7400 | 91e5fdecc510d2c4e72b1b50db3c2501 | False | 0.40641837284482757 | data | 4.769873714467996 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x2b000 | 0x2068 | 0x1000 | f9b2b4b1f63578440eedd0ace5ac94f1 | False | 0.484375 | OpenPGP Secret Key | 5.090094544660231 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .00cfg | 0x2e000 | 0x8 | 0x200 | 160c8b290b62e5e566d05ce3bec76423 | False | 0.03125 | data | 0.06116285224115448 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x2f000 | 0x1400 | 0x1400 | 29fb367912ce622b91120c5cffd84495 | False | 0.81953125 | data | 6.557860970753822 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| .coS | 0x31000 | 0x4d600 | 0x4d600 | ad66d6d60eda5d287fcd681bab58b4bc | False | 1.0003344608239095 | data | 7.999374463743238 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| DLL | Import |
|---|---|
| KERNEL32.dll | CloseHandle, CompareStringW, CreateFileA, CreateFileW, CreateThread, DecodePointer, DeleteCriticalSection, EncodePointer, EnterCriticalSection, ExitProcess, ExitThread, FindClose, FindFirstFileExW, FindNextFileW, FlushFileBuffers, FreeEnvironmentStringsW, FreeLibrary, FreeLibraryAndExitThread, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetExitCodeThread, GetFileSize, GetFileType, GetLastError, GetModuleFileNameW, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, ReadFile, RtlUnwind, SetEnvironmentVariableW, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, WaitForSingleObjectEx, WideCharToMultiByte, WriteConsoleW, WriteFile |
| GDI32.dll | CreateEllipticRgn |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-23T14:09:25.528059+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49730 | 172.67.162.84 | 443 | TCP |
| 2024-11-23T14:09:26.245154+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49730 | 172.67.162.84 | 443 | TCP |
| 2024-11-23T14:09:26.245154+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49730 | 172.67.162.84 | 443 | TCP |
| 2024-11-23T14:09:27.573143+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49731 | 172.67.162.84 | 443 | TCP |
| 2024-11-23T14:09:28.294611+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.4 | 49731 | 172.67.162.84 | 443 | TCP |
| 2024-11-23T14:09:28.294611+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49731 | 172.67.162.84 | 443 | TCP |
| 2024-11-23T14:09:29.889674+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49732 | 172.67.162.84 | 443 | TCP |
| 2024-11-23T14:09:32.141438+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49733 | 172.67.162.84 | 443 | TCP |
| 2024-11-23T14:09:32.862590+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.4 | 49733 | 172.67.162.84 | 443 | TCP |
| 2024-11-23T14:09:34.430730+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49734 | 172.67.162.84 | 443 | TCP |
| 2024-11-23T14:09:36.966027+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49735 | 172.67.162.84 | 443 | TCP |
| 2024-11-23T14:09:39.553578+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49736 | 172.67.162.84 | 443 | TCP |
| 2024-11-23T14:09:43.271902+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49738 | 172.67.162.84 | 443 | TCP |
| 2024-11-23T14:09:43.985225+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49738 | 172.67.162.84 | 443 | TCP |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Nov 23, 2024 14:09:24.263079882 CET | 49730 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:24.263129950 CET | 443 | 49730 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:24.263216972 CET | 49730 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:24.265993118 CET | 49730 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:24.266007900 CET | 443 | 49730 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:25.527972937 CET | 443 | 49730 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:25.528059006 CET | 49730 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:25.530560970 CET | 49730 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:25.530572891 CET | 443 | 49730 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:25.530783892 CET | 443 | 49730 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:25.571521997 CET | 49730 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:25.603298903 CET | 49730 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:25.603352070 CET | 49730 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:25.603427887 CET | 443 | 49730 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:26.245163918 CET | 443 | 49730 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:26.245234966 CET | 443 | 49730 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:26.245296955 CET | 49730 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:26.251113892 CET | 49730 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:26.251141071 CET | 443 | 49730 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:26.312973022 CET | 49731 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:26.313028097 CET | 443 | 49731 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:26.313122034 CET | 49731 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:26.313400030 CET | 49731 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:26.313415051 CET | 443 | 49731 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:27.573041916 CET | 443 | 49731 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:27.573143005 CET | 49731 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:27.574348927 CET | 49731 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:27.574363947 CET | 443 | 49731 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:27.574583054 CET | 443 | 49731 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:27.576297998 CET | 49731 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:27.576344967 CET | 49731 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:27.576365948 CET | 443 | 49731 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:28.294600964 CET | 443 | 49731 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:28.294629097 CET | 443 | 49731 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:28.294652939 CET | 443 | 49731 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:28.294708967 CET | 49731 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:28.294718981 CET | 443 | 49731 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:28.294730902 CET | 443 | 49731 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:28.294770002 CET | 49731 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:28.294794083 CET | 443 | 49731 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:28.294841051 CET | 49731 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:28.302756071 CET | 443 | 49731 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:28.304960966 CET | 443 | 49731 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:28.305027008 CET | 49731 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:28.305044889 CET | 443 | 49731 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:28.313400030 CET | 443 | 49731 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:28.313474894 CET | 49731 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:28.313487053 CET | 443 | 49731 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:28.368408918 CET | 49731 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:28.418040991 CET | 443 | 49731 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:28.462146044 CET | 49731 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:28.462157011 CET | 443 | 49731 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:28.495834112 CET | 443 | 49731 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:28.495866060 CET | 443 | 49731 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:28.495886087 CET | 49731 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:28.495908022 CET | 443 | 49731 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:28.495956898 CET | 49731 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:28.495961905 CET | 443 | 49731 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:28.496032000 CET | 49731 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:28.496192932 CET | 49731 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:28.496207952 CET | 443 | 49731 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:28.496217012 CET | 49731 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:28.496222019 CET | 443 | 49731 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:28.585656881 CET | 49732 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:28.585755110 CET | 443 | 49732 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:28.585855007 CET | 49732 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:28.586128950 CET | 49732 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:28.586164951 CET | 443 | 49732 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:29.889530897 CET | 443 | 49732 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:29.889673948 CET | 49732 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:29.890918016 CET | 49732 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:29.890959024 CET | 443 | 49732 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:29.891177893 CET | 443 | 49732 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:29.892841101 CET | 49732 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:29.892841101 CET | 49732 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:29.892894983 CET | 443 | 49732 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:29.894217014 CET | 49732 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:29.894247055 CET | 443 | 49732 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:30.751554012 CET | 443 | 49732 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:30.751671076 CET | 443 | 49732 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:30.751741886 CET | 49732 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:30.751952887 CET | 49732 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:30.752005100 CET | 443 | 49732 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:30.877444983 CET | 49733 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:30.877479076 CET | 443 | 49733 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:30.877562046 CET | 49733 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:30.877821922 CET | 49733 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:30.877835989 CET | 443 | 49733 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:32.141218901 CET | 443 | 49733 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:32.141438007 CET | 49733 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:32.143949986 CET | 49733 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:32.143965960 CET | 443 | 49733 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:32.144191980 CET | 443 | 49733 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:32.146111012 CET | 49733 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:32.146274090 CET | 49733 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:32.146305084 CET | 443 | 49733 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:32.862601042 CET | 443 | 49733 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:32.862715006 CET | 443 | 49733 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:32.862819910 CET | 49733 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:32.862963915 CET | 49733 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:32.862983942 CET | 443 | 49733 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:33.172427893 CET | 49734 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:33.172514915 CET | 443 | 49734 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:33.172640085 CET | 49734 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:33.173089027 CET | 49734 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:33.173124075 CET | 443 | 49734 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:34.430509090 CET | 443 | 49734 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:34.430730104 CET | 49734 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:34.432423115 CET | 49734 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:34.432459116 CET | 443 | 49734 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:34.432709932 CET | 443 | 49734 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:34.434505939 CET | 49734 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:34.434724092 CET | 49734 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:34.434770107 CET | 443 | 49734 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:34.434854031 CET | 49734 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:34.434870958 CET | 443 | 49734 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:35.322417021 CET | 443 | 49734 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:35.322520018 CET | 443 | 49734 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:35.322583914 CET | 49734 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:35.322706938 CET | 49734 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:35.322755098 CET | 443 | 49734 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:35.652976990 CET | 49735 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:35.653018951 CET | 443 | 49735 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:35.653156996 CET | 49735 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:35.653496981 CET | 49735 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:35.653517962 CET | 443 | 49735 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:36.965910912 CET | 443 | 49735 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:36.966027021 CET | 49735 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:36.967483044 CET | 49735 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:36.967489004 CET | 443 | 49735 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:36.967770100 CET | 443 | 49735 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:36.969453096 CET | 49735 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:36.969562054 CET | 49735 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:36.969567060 CET | 443 | 49735 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:37.672019005 CET | 443 | 49735 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:37.672132969 CET | 443 | 49735 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:37.672210932 CET | 49735 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:37.672302008 CET | 49735 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:37.672312975 CET | 443 | 49735 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:38.235342979 CET | 49736 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:38.235429049 CET | 443 | 49736 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:38.235512972 CET | 49736 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:38.235805035 CET | 49736 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:38.235837936 CET | 443 | 49736 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:39.553476095 CET | 443 | 49736 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:39.553577900 CET | 49736 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:39.555393934 CET | 49736 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:39.555440903 CET | 443 | 49736 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:39.556474924 CET | 443 | 49736 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:39.558187008 CET | 49736 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:39.559175968 CET | 49736 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:39.559222937 CET | 443 | 49736 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:39.559377909 CET | 49736 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:39.559421062 CET | 443 | 49736 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:39.559575081 CET | 49736 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:39.559638023 CET | 443 | 49736 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:39.559837103 CET | 49736 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:39.559885979 CET | 443 | 49736 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:39.560075045 CET | 49736 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:39.560125113 CET | 443 | 49736 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:39.560353041 CET | 49736 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:39.560396910 CET | 443 | 49736 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:39.560416937 CET | 49736 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:39.560444117 CET | 443 | 49736 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:39.560622931 CET | 49736 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:39.560662031 CET | 443 | 49736 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:39.560710907 CET | 49736 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:39.560807943 CET | 49736 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:39.560849905 CET | 49736 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:39.603349924 CET | 443 | 49736 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:39.603564978 CET | 49736 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:39.603632927 CET | 443 | 49736 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:39.603682995 CET | 49736 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:39.603717089 CET | 443 | 49736 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:39.603805065 CET | 49736 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:39.603843927 CET | 443 | 49736 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:41.909579992 CET | 443 | 49736 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:41.909821033 CET | 443 | 49736 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:41.909913063 CET | 49736 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:41.909997940 CET | 49736 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:41.910058975 CET | 443 | 49736 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:41.956600904 CET | 49738 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:41.956633091 CET | 443 | 49738 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:41.956715107 CET | 49738 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:41.957288027 CET | 49738 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:41.957303047 CET | 443 | 49738 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:43.271825075 CET | 443 | 49738 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:43.271902084 CET | 49738 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:43.274040937 CET | 49738 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:43.274050951 CET | 443 | 49738 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:43.275067091 CET | 443 | 49738 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:43.276628971 CET | 49738 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:43.276650906 CET | 49738 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:43.276787043 CET | 443 | 49738 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:43.985305071 CET | 443 | 49738 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:43.985543013 CET | 443 | 49738 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:43.985651970 CET | 49738 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:43.985759974 CET | 49738 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:43.985809088 CET | 443 | 49738 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 14:09:43.985837936 CET | 49738 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 14:09:43.985855103 CET | 443 | 49738 | 172.67.162.84 | 192.168.2.4 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Nov 23, 2024 14:09:24.116719007 CET | 62513 | 53 | 192.168.2.4 | 1.1.1.1 |
| Nov 23, 2024 14:09:24.257682085 CET | 53 | 62513 | 1.1.1.1 | 192.168.2.4 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Nov 23, 2024 14:09:24.116719007 CET | 192.168.2.4 | 1.1.1.1 | 0x64ad | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Nov 23, 2024 14:09:24.257682085 CET | 1.1.1.1 | 192.168.2.4 | 0x64ad | No error (0) | 172.67.162.84 | A (IP address) | IN (0x0001) | false | ||
| Nov 23, 2024 14:09:24.257682085 CET | 1.1.1.1 | 192.168.2.4 | 0x64ad | No error (0) | 104.21.33.116 | A (IP address) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.4 | 49730 | 172.67.162.84 | 443 | 7372 | C:\Users\user\Desktop\loader.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-11-23 13:09:25 UTC | 265 | OUT | |
| 2024-11-23 13:09:25 UTC | 8 | OUT | |
| 2024-11-23 13:09:26 UTC | 1026 | IN | |
| 2024-11-23 13:09:26 UTC | 7 | IN | |
| 2024-11-23 13:09:26 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.4 | 49731 | 172.67.162.84 | 443 | 7372 | C:\Users\user\Desktop\loader.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-11-23 13:09:27 UTC | 266 | OUT | |
| 2024-11-23 13:09:27 UTC | 52 | OUT | |
| 2024-11-23 13:09:28 UTC | 1013 | IN | |
| 2024-11-23 13:09:28 UTC | 356 | IN | |
| 2024-11-23 13:09:28 UTC | 1369 | IN | |
| 2024-11-23 13:09:28 UTC | 1369 | IN | |
| 2024-11-23 13:09:28 UTC | 1369 | IN | |
| 2024-11-23 13:09:28 UTC | 1369 | IN | |
| 2024-11-23 13:09:28 UTC | 1369 | IN | |
| 2024-11-23 13:09:28 UTC | 398 | IN | |
| 2024-11-23 13:09:28 UTC | 1369 | IN | |
| 2024-11-23 13:09:28 UTC | 1369 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 2 | 192.168.2.4 | 49732 | 172.67.162.84 | 443 | 7372 | C:\Users\user\Desktop\loader.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-11-23 13:09:29 UTC | 277 | OUT | |
| 2024-11-23 13:09:29 UTC | 15331 | OUT | |
| 2024-11-23 13:09:29 UTC | 2795 | OUT | |
| 2024-11-23 13:09:30 UTC | 1015 | IN | |
| 2024-11-23 13:09:30 UTC | 19 | IN | |
| 2024-11-23 13:09:30 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 3 | 192.168.2.4 | 49733 | 172.67.162.84 | 443 | 7372 | C:\Users\user\Desktop\loader.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-11-23 13:09:32 UTC | 275 | OUT | |
| 2024-11-23 13:09:32 UTC | 8741 | OUT | |
| 2024-11-23 13:09:32 UTC | 1015 | IN | |
| 2024-11-23 13:09:32 UTC | 19 | IN | |
| 2024-11-23 13:09:32 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 4 | 192.168.2.4 | 49734 | 172.67.162.84 | 443 | 7372 | C:\Users\user\Desktop\loader.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-11-23 13:09:34 UTC | 275 | OUT | |
| 2024-11-23 13:09:34 UTC | 15331 | OUT | |
| 2024-11-23 13:09:34 UTC | 5057 | OUT | |
| 2024-11-23 13:09:35 UTC | 1021 | IN | |
| 2024-11-23 13:09:35 UTC | 19 | IN | |
| 2024-11-23 13:09:35 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 5 | 192.168.2.4 | 49735 | 172.67.162.84 | 443 | 7372 | C:\Users\user\Desktop\loader.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-11-23 13:09:36 UTC | 281 | OUT | |
| 2024-11-23 13:09:36 UTC | 1251 | OUT | |
| 2024-11-23 13:09:37 UTC | 1014 | IN | |
| 2024-11-23 13:09:37 UTC | 19 | IN | |
| 2024-11-23 13:09:37 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 6 | 192.168.2.4 | 49736 | 172.67.162.84 | 443 | 7372 | C:\Users\user\Desktop\loader.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-11-23 13:09:39 UTC | 286 | OUT | |
| 2024-11-23 13:09:39 UTC | 15331 | OUT | |
| 2024-11-23 13:09:39 UTC | 15331 | OUT | |
| 2024-11-23 13:09:39 UTC | 15331 | OUT | |
| 2024-11-23 13:09:39 UTC | 15331 | OUT | |
| 2024-11-23 13:09:39 UTC | 15331 | OUT | |
| 2024-11-23 13:09:39 UTC | 15331 | OUT | |
| 2024-11-23 13:09:39 UTC | 15331 | OUT | |
| 2024-11-23 13:09:39 UTC | 15331 | OUT | |
| 2024-11-23 13:09:39 UTC | 15331 | OUT | |
| 2024-11-23 13:09:39 UTC | 15331 | OUT | |
| 2024-11-23 13:09:41 UTC | 1027 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 7 | 192.168.2.4 | 49738 | 172.67.162.84 | 443 | 7372 | C:\Users\user\Desktop\loader.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-11-23 13:09:43 UTC | 266 | OUT | |
| 2024-11-23 13:09:43 UTC | 87 | OUT | |
| 2024-11-23 13:09:43 UTC | 1017 | IN | |
| 2024-11-23 13:09:43 UTC | 54 | IN | |
| 2024-11-23 13:09:43 UTC | 5 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 08:09:22 |
| Start date: | 23/11/2024 |
| Path: | C:\Users\user\Desktop\loader.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x240000 |
| File size: | 495'104 bytes |
| MD5 hash: | EB9DA66B64C00BC89FE8BB984995E7DA |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
| Target ID: | 1 |
| Start time: | 08:09:22 |
| Start date: | 23/11/2024 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7699e0000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 2 |
| Start time: | 08:09:23 |
| Start date: | 23/11/2024 |
| Path: | C:\Users\user\Desktop\loader.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x240000 |
| File size: | 495'104 bytes |
| MD5 hash: | EB9DA66B64C00BC89FE8BB984995E7DA |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
| Target ID: | 3 |
| Start time: | 08:09:23 |
| Start date: | 23/11/2024 |
| Path: | C:\Users\user\Desktop\loader.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x240000 |
| File size: | 495'104 bytes |
| MD5 hash: | EB9DA66B64C00BC89FE8BB984995E7DA |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
| Target ID: | 4 |
| Start time: | 08:09:23 |
| Start date: | 23/11/2024 |
| Path: | C:\Users\user\Desktop\loader.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x240000 |
| File size: | 495'104 bytes |
| MD5 hash: | EB9DA66B64C00BC89FE8BB984995E7DA |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
| Target ID: | 5 |
| Start time: | 08:09:23 |
| Start date: | 23/11/2024 |
| Path: | C:\Users\user\Desktop\loader.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x240000 |
| File size: | 495'104 bytes |
| MD5 hash: | EB9DA66B64C00BC89FE8BB984995E7DA |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
Execution Graph
| Execution Coverage: | 4.1% |
| Dynamic/Decrypted Code Coverage: | 0.5% |
| Signature Coverage: | 3.5% |
| Total number of Nodes: | 1672 |
| Total number of Limit Nodes: | 24 |
Graph
Function 0026B18D Relevance: 44.0, APIs: 11, Strings: 14, Instructions: 295threadinjectionmemoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0024CD10 Relevance: .0, Instructions: 29COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00259DD3 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0024BEB0 Relevance: 9.2, APIs: 6, Instructions: 173fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00256CE6 Relevance: 4.6, APIs: 3, Instructions: 51threadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0025A732 Relevance: 3.1, APIs: 2, Instructions: 65COMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00256E00 Relevance: 3.0, APIs: 2, Instructions: 38threadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0025B0CB Relevance: 3.0, APIs: 2, Instructions: 22memoryCOMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00253B60 Relevance: 1.6, APIs: 1, Instructions: 86COMMON
Download Yara Rule
Control-flow Graph
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0024CD90 Relevance: 1.5, APIs: 1, Instructions: 41COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0025BC45 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00254CA2 Relevance: 143.7, APIs: 41, Strings: 41, Instructions: 180libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0024CE70 Relevance: 8.0, APIs: 5, Instructions: 518threadCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0025C7DB Relevance: 6.2, APIs: 4, Instructions: 206fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00255444 Relevance: 6.1, APIs: 4, Instructions: 73COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 002515A0 Relevance: 4.4, APIs: 2, Instructions: 1444COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00255200 Relevance: 1.6, APIs: 1, Instructions: 147COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00255438 Relevance: 1.5, APIs: 1, Instructions: 3COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00259F90 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 002486C0 Relevance: .7, Instructions: 725COMMONLIBRARYCODE
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 002534D0 Relevance: .6, Instructions: 607COMMONLIBRARYCODE
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0024F980 Relevance: .5, Instructions: 456COMMONLIBRARYCODE
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0024BD50 Relevance: .0, Instructions: 15COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 002590D3 Relevance: 17.8, APIs: 5, Strings: 5, Instructions: 303COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00260308 Relevance: 12.2, APIs: 8, Instructions: 248COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00256F54 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0025DF1D Relevance: 7.7, APIs: 5, Instructions: 197COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 002594F8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 114COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0025DC5E Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0025C5B8 Relevance: 6.1, APIs: 4, Instructions: 82COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0025D22D Relevance: 6.1, APIs: 4, Instructions: 74COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00258D6C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 93COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 002545A6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0025C7DB Relevance: 6.2, APIs: 4, Instructions: 205COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00255444 Relevance: 6.1, APIs: 4, Instructions: 73COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00254CA2 Relevance: 143.7, APIs: 41, Strings: 41, Instructions: 180libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00260308 Relevance: 12.2, APIs: 8, Instructions: 248COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0024BEB0 Relevance: 9.2, APIs: 6, Instructions: 173fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0025883A Relevance: 9.1, APIs: 6, Instructions: 60COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00256F54 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0025DF1D Relevance: 7.7, APIs: 5, Instructions: 197COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0025DC5E Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0025E5E8 Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00258EFC Relevance: 6.2, APIs: 4, Instructions: 168COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0025C5B8 Relevance: 6.1, APIs: 4, Instructions: 82COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0025CB54 Relevance: 6.1, APIs: 4, Instructions: 79COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0025D22D Relevance: 6.1, APIs: 4, Instructions: 74COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 002607C0 Relevance: 6.0, APIs: 4, Instructions: 29COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Execution Graph
| Execution Coverage: | 10.6% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 47% |
| Total number of Nodes: | 596 |
| Total number of Limit Nodes: | 48 |
Graph
Function 00439920 Relevance: 31.9, APIs: 11, Strings: 7, Instructions: 439memorycomCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00409350 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 235threadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040A440 Relevance: 6.6, Strings: 5, Instructions: 380COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00425F6F Relevance: 1.9, APIs: 1, Instructions: 437COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004194B0 Relevance: 1.7, Strings: 1, Instructions: 441COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041A205 Relevance: 1.7, APIs: 1, Instructions: 157COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00428BA0 Relevance: 1.6, Strings: 1, Instructions: 343COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043E990 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004417F0 Relevance: 1.4, Strings: 1, Instructions: 104COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00441920 Relevance: .3, Instructions: 259COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040DDAD Relevance: .1, Instructions: 90COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043E8F0 Relevance: 1.5, APIs: 1, Instructions: 48memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043BF80 Relevance: 1.5, APIs: 1, Instructions: 36memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040D460 Relevance: 1.5, APIs: 1, Instructions: 17COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040D493 Relevance: 1.5, APIs: 1, Instructions: 17COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041A3F9 Relevance: 24.5, Strings: 19, Instructions: 714COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040B6E0 Relevance: 15.4, Strings: 12, Instructions: 419COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00434400 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 127clipboardCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042531F Relevance: 9.5, Strings: 7, Instructions: 769COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00409F60 Relevance: 9.2, Strings: 7, Instructions: 448COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040EAF1 Relevance: 9.1, Strings: 7, Instructions: 301COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00428420 Relevance: 7.9, Strings: 6, Instructions: 430COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042BD80 Relevance: 7.9, Strings: 6, Instructions: 371COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042AE3D Relevance: 6.9, Strings: 5, Instructions: 687COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00409C50 Relevance: 6.5, Strings: 5, Instructions: 299COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042A8D0 Relevance: 5.4, Strings: 4, Instructions: 450COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040DA6F Relevance: 5.2, Strings: 4, Instructions: 197COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041AF7A Relevance: 4.4, Strings: 3, Instructions: 651COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041F3B0 Relevance: 4.4, Strings: 3, Instructions: 602COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404E70 Relevance: 4.0, Strings: 3, Instructions: 209COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042E2B5 Relevance: 2.7, Strings: 2, Instructions: 247COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042E32F Relevance: 2.7, Strings: 2, Instructions: 244COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041BCD2 Relevance: 2.6, Strings: 2, Instructions: 82COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004210A0 Relevance: 2.1, Strings: 1, Instructions: 879COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043C750 Relevance: 1.9, Strings: 1, Instructions: 659COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00424A50 Relevance: 1.7, APIs: 1, Instructions: 241comCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00424CB0 Relevance: 1.7, Strings: 1, Instructions: 474COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042CF60 Relevance: 1.7, Strings: 1, Instructions: 410COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004291C4 Relevance: 1.6, Strings: 1, Instructions: 400COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043C440 Relevance: 1.5, Strings: 1, Instructions: 211COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041BA2F Relevance: 1.4, Strings: 1, Instructions: 179COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041CF97 Relevance: 1.4, Strings: 1, Instructions: 169COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041EA11 Relevance: 1.4, Strings: 1, Instructions: 131COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00407E00 Relevance: .9, Instructions: 852COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004405D0 Relevance: .7, Instructions: 713COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00440510 Relevance: .7, Instructions: 671COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00439ED0 Relevance: .2, Instructions: 193COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040C7FD Relevance: .2, Instructions: 181COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401D70 Relevance: .1, Instructions: 134COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043A3C0 Relevance: .1, Instructions: 123COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043A120 Relevance: .1, Instructions: 114COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043C240 Relevance: .1, Instructions: 109COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00427CE1 Relevance: .1, Instructions: 106COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401F70 Relevance: .1, Instructions: 100COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042C990 Relevance: .1, Instructions: 63COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00428F70 Relevance: .1, Instructions: 56COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402D80 Relevance: .0, Instructions: 44COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|