Edit tour
Windows
Analysis Report
injector V2.4.exe
Overview
General Information
| Sample name: | injector V2.4.exe |
| Analysis ID: | 1561470 |
| MD5: | c1b5cae419a07b5bfeb4e958510f8637 |
| SHA1: | 80c99f320d7b74fb100b51cd98a2ff232e286e63 |
| SHA256: | 608864a20a91e6fcacefa06046a522a66dbfe45f3f94adfc32ed89ffcae29907 |
| Tags: | exeuser-4k95m |
| Infos: |  |
 | |
Detection
LummaC Stealer
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
Query firmware table information (likely to detect VMs)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Classification
- System is w10x64
injector V2.4.exe (PID: 5508 cmdline: "C:\Users\ user\Deskt op\injecto r V2.4.exe " MD5: C1B5CAE419A07B5BFEB4E958510F8637) 
conhost.exe (PID: 6428 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - injector V2.4.exe (PID: 5268 cmdline:
"C:\Users\ user\Deskt op\injecto r V2.4.exe " MD5: C1B5CAE419A07B5BFEB4E958510F8637) - injector V2.4.exe (PID: 6564 cmdline:
"C:\Users\ user\Deskt op\injecto r V2.4.exe " MD5: C1B5CAE419A07B5BFEB4E958510F8637)
- cleanup
{"C2 url": "https://property-imper.sbs/api", "Build Version": "yau6Na--1285025705"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | ||
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security |
⊘No Sigma rule has matched
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-23T14:11:11.838507+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49704 | 104.21.33.116 | 443 | TCP |
| 2024-11-23T14:11:13.918642+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49705 | 104.21.33.116 | 443 | TCP |
| 2024-11-23T14:11:16.241595+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49706 | 104.21.33.116 | 443 | TCP |
| 2024-11-23T14:11:18.324378+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49707 | 104.21.33.116 | 443 | TCP |
| 2024-11-23T14:11:20.509084+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49708 | 104.21.33.116 | 443 | TCP |
| 2024-11-23T14:11:23.015197+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49709 | 104.21.33.116 | 443 | TCP |
| 2024-11-23T14:11:25.549686+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49711 | 104.21.33.116 | 443 | TCP |
| 2024-11-23T14:11:30.110285+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49725 | 104.21.33.116 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-23T14:11:12.545091+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49704 | 104.21.33.116 | 443 | TCP |
| 2024-11-23T14:11:14.660934+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49705 | 104.21.33.116 | 443 | TCP |
| 2024-11-23T14:11:30.820317+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49725 | 104.21.33.116 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-23T14:11:12.545091+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.5 | 49704 | 104.21.33.116 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-23T14:11:14.660934+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.5 | 49705 | 104.21.33.116 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-23T14:11:19.090279+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49707 | 104.21.33.116 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-23T14:11:25.563296+0100 | 2843864 | 1 | A Network Trojan was detected | 192.168.2.5 | 49711 | 104.21.33.116 | 443 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Malware Configuration Extractor: | ||
| Source: | ReversingLabs: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Code function: | 4_2_00418BE3 | |
| Source: | Static PE information: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_004DC72A | |
| Source: | Code function: | 0_2_004DC7DB | |
| Source: | Code function: | 3_2_004DC72A | |
| Source: | Code function: | 3_2_004DC7DB | |
| Source: | Code function: | 4_2_0043D880 | |
| Source: | Code function: | 4_2_00420970 | |
| Source: | Code function: | 4_2_0040A10E | |
| Source: | Code function: | 4_2_00418BE3 | |
| Source: | Code function: | 4_2_0040CE5A | |
| Source: | Code function: | 4_2_00440620 | |
| Source: | Code function: | 4_2_00440740 | |
| Source: | Code function: | 4_2_0040C7A5 | |
| Source: | Code function: | 4_2_00439040 | |
| Source: | Code function: | 4_2_0042C84A | |
| Source: | Code function: | 4_2_0042CD62 | |
| Source: | Code function: | 4_2_00429F62 | |
| Source: | Code function: | 4_2_00429813 | |
| Source: | Code function: | 4_2_0042C8DC | |
| Source: | Code function: | 4_2_0042D0F6 | |
| Source: | Code function: | 4_2_004298A8 | |
| Source: | Code function: | 4_2_004298A8 | |
| Source: | Code function: | 4_2_00426959 | |
| Source: | Code function: | 4_2_00426910 | |
| Source: | Code function: | 4_2_0042C918 | |
| Source: | Code function: | 4_2_0042C929 | |
| Source: | Code function: | 4_2_00404930 | |
| Source: | Code function: | 4_2_00404930 | |
| Source: | Code function: | 4_2_004231F0 | |
| Source: | Code function: | 4_2_0040B989 | |
| Source: | Code function: | 4_2_00402190 | |
| Source: | Code function: | 4_2_0042A1A2 | |
| Source: | Code function: | 4_2_0040DA43 | |
| Source: | Code function: | 4_2_0040EA4F | |
| Source: | Code function: | 4_2_0041D201 | |
| Source: | Code function: | 4_2_0042BA10 | |
| Source: | Code function: | 4_2_00439290 | |
| Source: | Code function: | 4_2_00428A9C | |
| Source: | Code function: | 4_2_00428A9C | |
| Source: | Code function: | 4_2_00425344 | |
| Source: | Code function: | 4_2_004298A8 | |
| Source: | Code function: | 4_2_004298A8 | |
| Source: | Code function: | 4_2_0042D318 | |
| Source: | Code function: | 4_2_004393D0 | |
| Source: | Code function: | 4_2_0042D380 | |
| Source: | Code function: | 4_2_0042E388 | |
| Source: | Code function: | 4_2_00423450 | |
| Source: | Code function: | 4_2_0042B450 | |
| Source: | Code function: | 4_2_0041AC64 | |
| Source: | Code function: | 4_2_00405C20 | |
| Source: | Code function: | 4_2_00405C20 | |
| Source: | Code function: | 4_2_00440CD0 | |
| Source: | Code function: | 4_2_004294BD | |
| Source: | Code function: | 4_2_0042CD67 | |
| Source: | Code function: | 4_2_004395E9 | |
| Source: | Code function: | 4_2_0043DDF5 | |
| Source: | Code function: | 4_2_00427580 | |
| Source: | Code function: | 4_2_00427580 | |
| Source: | Code function: | 4_2_00427580 | |
| Source: | Code function: | 4_2_0043E5A6 | |
| Source: | Code function: | 4_2_0042ADAB | |
| Source: | Code function: | 4_2_0042ADAB | |
| Source: | Code function: | 4_2_00408E00 | |
| Source: | Code function: | 4_2_00435E10 | |
| Source: | Code function: | 4_2_0040B626 | |
| Source: | Code function: | 4_2_0041CED0 | |
| Source: | Code function: | 4_2_0041CED0 | |
| Source: | Code function: | 4_2_0040BEB1 | |
| Source: | Code function: | 4_2_00428F5D | |
| Source: | Code function: | 4_2_00429F62 | |
| Source: | Code function: | 4_2_00422776 | |
| Source: | Code function: | 4_2_00427774 | |
| Source: | Code function: | 4_2_00427774 | |
| Source: | Code function: | 4_2_0041DF00 | |
| Source: | Code function: | 4_2_00421F10 | |
Networking | |
|---|
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | URLs: | ||
| Source: | IP Address: | ||
| Source: | JA3 fingerprint: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | DNS traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Code function: | 4_2_00433550 | |
| Source: | Code function: | 4_2_00433550 | |
| Source: | Code function: | 4_2_00433D60 | |
| Source: | Code function: | 0_2_004CF4D0 | |
| Source: | Code function: | 0_2_004D34D0 | |
| Source: | Code function: | 0_2_004CF980 | |
| Source: | Code function: | 0_2_004D15A0 | |
| Source: | Code function: | 0_2_004CCE70 | |
| Source: | Code function: | 0_2_004C86C0 | |
| Source: | Code function: | 0_2_004E1FD2 | |
| Source: | Code function: | 0_2_004CD7F0 | |
| Source: | Code function: | 3_2_004CF4D0 | |
| Source: | Code function: | 3_2_004D34D0 | |
| Source: | Code function: | 3_2_004CF980 | |
| Source: | Code function: | 3_2_004D15A0 | |
| Source: | Code function: | 3_2_004CCE70 | |
| Source: | Code function: | 3_2_004C86C0 | |
| Source: | Code function: | 3_2_004E1FD2 | |
| Source: | Code function: | 3_2_004CD7F0 | |
| Source: | Code function: | 4_2_004228A0 | |
| Source: | Code function: | 4_2_00427140 | |
| Source: | Code function: | 4_2_00420970 | |
| Source: | Code function: | 4_2_0043B100 | |
| Source: | Code function: | 4_2_004389D0 | |
| Source: | Code function: | 4_2_00408AE0 | |
| Source: | Code function: | 4_2_00418BE3 | |
| Source: | Code function: | 4_2_00409BA0 | |
| Source: | Code function: | 4_2_00424470 | |
| Source: | Code function: | 4_2_0042E434 | |
| Source: | Code function: | 4_2_0042DD55 | |
| Source: | Code function: | 4_2_00438660 | |
| Source: | Code function: | 4_2_00440740 | |
| Source: | Code function: | 4_2_00440FB0 | |
| Source: | Code function: | 4_2_00406840 | |
| Source: | Code function: | 4_2_0042C84A | |
| Source: | Code function: | 4_2_00438000 | |
| Source: | Code function: | 4_2_0042C8DC | |
| Source: | Code function: | 4_2_004298A8 | |
| Source: | Code function: | 4_2_004378AF | |
| Source: | Code function: | 4_2_00426959 | |
| Source: | Code function: | 4_2_00406170 | |
| Source: | Code function: | 4_2_00429100 | |
| Source: | Code function: | 4_2_00430112 | |
| Source: | Code function: | 4_2_00426910 | |
| Source: | Code function: | 4_2_0042C918 | |
| Source: | Code function: | 4_2_0042C929 | |
| Source: | Code function: | 4_2_00404930 | |
| Source: | Code function: | 4_2_004241E8 | |
| Source: | Code function: | 4_2_004409F0 | |
| Source: | Code function: | 4_2_0042A1A2 | |
| Source: | Code function: | 4_2_004281BC | |
| Source: | Code function: | 4_2_0040DA43 | |
| Source: | Code function: | 4_2_0043C250 | |
| Source: | Code function: | 4_2_0041FAF0 | |
| Source: | Code function: | 4_2_00425344 | |
| Source: | Code function: | 4_2_004298A8 | |
| Source: | Code function: | 4_2_00409300 | |
| Source: | Code function: | 4_2_00431313 | |
| Source: | Code function: | 4_2_0042D318 | |
| Source: | Code function: | 4_2_00402B20 | |
| Source: | Code function: | 4_2_0043BB30 | |
| Source: | Code function: | 4_2_0043F330 | |
| Source: | Code function: | 4_2_004283CA | |
| Source: | Code function: | 4_2_00424BE2 | |
| Source: | Code function: | 4_2_0042D380 | |
| Source: | Code function: | 4_2_00420BB0 | |
| Source: | Code function: | 4_2_00423450 | |
| Source: | Code function: | 4_2_0043F450 | |
| Source: | Code function: | 4_2_0041AC64 | |
| Source: | Code function: | 4_2_0040546B | |
| Source: | Code function: | 4_2_00430C7A | |
| Source: | Code function: | 4_2_00405C20 | |
| Source: | Code function: | 4_2_0041CC20 | |
| Source: | Code function: | 4_2_00406CD0 | |
| Source: | Code function: | 4_2_00440CD0 | |
| Source: | Code function: | 4_2_004304FB | |
| Source: | Code function: | 4_2_00418490 | |
| Source: | Code function: | 4_2_004294BD | |
| Source: | Code function: | 4_2_00403550 | |
| Source: | Code function: | 4_2_0043F550 | |
| Source: | Code function: | 4_2_0042CD67 | |
| Source: | Code function: | 4_2_0041F510 | |
| Source: | Code function: | 4_2_004395E9 | |
| Source: | Code function: | 4_2_00427580 | |
| Source: | Code function: | 4_2_00408590 | |
| Source: | Code function: | 4_2_00437DA0 | |
| Source: | Code function: | 4_2_00424DB0 | |
| Source: | Code function: | 4_2_004365B8 | |
| Source: | Code function: | 4_2_00409650 | |
| Source: | Code function: | 4_2_0042DD4E | |
| Source: | Code function: | 4_2_00431670 | |
| Source: | Code function: | 4_2_00426630 | |
| Source: | Code function: | 4_2_0041CED0 | |
| Source: | Code function: | 4_2_0041B68E | |
| Source: | Code function: | 4_2_0041EEA0 | |
| Source: | Code function: | 4_2_00403F60 | |
| Source: | Code function: | 4_2_0042E765 | |
| Source: | Code function: | 4_2_00427774 | |
| Source: | Code function: | 4_2_0041DF00 | |
| Source: | Code function: | 4_2_0043B700 | |
| Source: | Code function: | 4_2_0040AFE0 | |
| Source: | Code function: | 4_2_004077E0 | |
| Source: | Code function: | 4_2_00419FED | |
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 4_2_004389D0 | |
| Source: | Mutant created: | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | ReversingLabs: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_004D4BD8 | |
| Source: | Code function: | 3_2_004D4BD8 | |
| Source: | Code function: | 4_2_00415894 | |
| Source: | Code function: | 4_2_00414334 | |
| Source: | Code function: | 4_2_00414594 | |
| Source: | Code function: | 4_2_00414D9B | |
| Source: | Code function: | 4_2_00417FF4 | |
| Source: | Code function: | 0_2_004D4CA2 | |
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | System information queried: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | WMI Queries: | ||
| Source: | Code function: | 0_2_004DC72A | |
| Source: | Code function: | 0_2_004DC7DB | |
| Source: | Code function: | 3_2_004DC72A | |
| Source: | Code function: | 3_2_004DC7DB | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Process information queried: | Jump to behavior | ||
| Source: | Code function: | 4_2_0043D920 | |
| Source: | Code function: | 0_2_004D5444 | |
| Source: | Code function: | 0_2_004CCD10 | |
| Source: | Code function: | 0_2_004EB18D | |
| Source: | Code function: | 0_2_004CBD50 | |
| Source: | Code function: | 3_2_004CBD50 | |
| Source: | Code function: | 3_2_004CCD10 | |
| Source: | Code function: | 0_2_004D9F90 | |
| Source: | Code function: | 0_2_004D5444 | |
| Source: | Code function: | 0_2_004D5438 | |
| Source: | Code function: | 0_2_004D7DCA | |
| Source: | Code function: | 0_2_004D4AD9 | |
| Source: | Code function: | 3_2_004D5444 | |
| Source: | Code function: | 3_2_004D5438 | |
| Source: | Code function: | 3_2_004D7DCA | |
| Source: | Code function: | 3_2_004D4AD9 | |
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | Code function: | 0_2_004EB18D | |
| Source: | Memory written: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Code function: | 0_2_004D5200 | |
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Code function: | 0_2_004D58C5 | |
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | WMI Queries: | ||
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | File source: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Windows Management Instrumentation | 1 DLL Side-Loading | 211 Process Injection | 11 Virtualization/Sandbox Evasion | 2 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Screen Capture | 21 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 211 Process Injection | LSASS Memory | 141 Security Software Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Deobfuscate/Decode Files or Information | Security Account Manager | 11 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 31 Data from Local System | 113 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 3 Obfuscated Files or Information | NTDS | 1 Process Discovery | Distributed Component Object Model | 2 Clipboard Data | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Software Packing | LSA Secrets | 11 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 33 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 42% | ReversingLabs | Win32.Trojan.Generic | ||
| 100% | Joe Sandbox ML |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| property-imper.sbs | 104.21.33.116 | true | false | high |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| false | high |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false | high |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 104.21.33.116 | property-imper.sbs | United States | 13335 | CLOUDFLARENETUS | false |
| Joe Sandbox version: | 41.0.0 Charoite |
| Analysis ID: | 1561470 |
| Start date and time: | 2024-11-23 14:10:14 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 5m 27s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 7 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | injector V2.4.exe |
| Detection: | MAL |
| Classification: | mal100.troj.spyw.evad.winEXE@6/0@1/1 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target injector V2.4.exe, PID 5268 because there are no executed function
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
- VT rate limit hit for: injector V2.4.exe
| Time | Type | Description |
|---|---|---|
| 08:11:11 | API Interceptor |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 104.21.33.116 | Get hash | malicious | LummaC Stealer | Browse | ||
| Get hash | malicious | Amadey, Clipboard Hijacker, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | LummaC Stealer | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | LummaC Stealer | Browse | |||
| Get hash | malicious | LummaC Stealer | Browse | |||
| Get hash | malicious | PureCrypter, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | Browse | |||
| Get hash | malicious | LummaC Stealer | Browse |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| property-imper.sbs | Get hash | malicious | LummaC Stealer | Browse |
| |
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | Amadey, Clipboard Hijacker, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| CLOUDFLARENETUS | Get hash | malicious | LummaC Stealer | Browse |
| |
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | Amadey, Clipboard Hijacker, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| a0e9f5d64349fb13191bc781f81f42e1 | Get hash | malicious | LummaC Stealer | Browse |
| |
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | Amadey, Clipboard Hijacker, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
|
⊘No context
⊘No created / dropped files found
| File type: | |
| Entropy (8bit): | 7.724737400091526 |
| TrID: |
|
| File name: | injector V2.4.exe |
| File size: | 491'520 bytes |
| MD5: | c1b5cae419a07b5bfeb4e958510f8637 |
| SHA1: | 80c99f320d7b74fb100b51cd98a2ff232e286e63 |
| SHA256: | 608864a20a91e6fcacefa06046a522a66dbfe45f3f94adfc32ed89ffcae29907 |
| SHA512: | eba55a7ee08a6be1cda57a97329d97fdb0450f1db9a13a5b88263d21497eeb5c844a5000f46f20de13f82fe92e17e3339031b3806832c0982ee5a30f83255a9b |
| SSDEEP: | 12288:iJB+nneDgkXFEIapcLRDW+vHfQ1n21GwriB4jP/9h:GAoR25pclDWMHQ21IWj/ |
| TLSH: | BBA4E16A76A3E5F3E6A3083441E49BB20A6E7E700F2495FF43601F692F366D18131E57 |
| File Content Preview: | MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...t.@g............................pX............@.......................................@.................................T...<.. |
 | |
| Icon Hash: | 00928e8e8686b000 |
| Entrypoint: | 0x415870 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows cui |
| Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
| DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, GUARD_CF, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x6740AA74 [Fri Nov 22 15:59:48 2024 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 6 |
| OS Version Minor: | 0 |
| File Version Major: | 6 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 6 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 887797384d81c493a9d8ee55dad3b2e1 |
| Instruction |
|---|
| call 00007FA1ACED4B4Ah |
| jmp 00007FA1ACED49ADh |
| mov ecx, dword ptr [0042B5F0h] |
| push esi |
| push edi |
| mov edi, BB40E64Eh |
| mov esi, FFFF0000h |
| cmp ecx, edi |
| je 00007FA1ACED4B46h |
| test esi, ecx |
| jne 00007FA1ACED4B68h |
| call 00007FA1ACED4B71h |
| mov ecx, eax |
| cmp ecx, edi |
| jne 00007FA1ACED4B49h |
| mov ecx, BB40E64Fh |
| jmp 00007FA1ACED4B50h |
| test esi, ecx |
| jne 00007FA1ACED4B4Ch |
| or eax, 00004711h |
| shl eax, 10h |
| or ecx, eax |
| mov dword ptr [0042B5F0h], ecx |
| not ecx |
| pop edi |
| mov dword ptr [0042B5ECh], ecx |
| pop esi |
| ret |
| push ebp |
| mov ebp, esp |
| sub esp, 14h |
| and dword ptr [ebp-0Ch], 00000000h |
| lea eax, dword ptr [ebp-0Ch] |
| and dword ptr [ebp-08h], 00000000h |
| push eax |
| call dword ptr [0042946Ch] |
| mov eax, dword ptr [ebp-08h] |
| xor eax, dword ptr [ebp-0Ch] |
| mov dword ptr [ebp-04h], eax |
| call dword ptr [00429430h] |
| xor dword ptr [ebp-04h], eax |
| call dword ptr [0042942Ch] |
| xor dword ptr [ebp-04h], eax |
| lea eax, dword ptr [ebp-14h] |
| push eax |
| call dword ptr [004294A8h] |
| mov eax, dword ptr [ebp-10h] |
| lea ecx, dword ptr [ebp-04h] |
| xor eax, dword ptr [ebp-14h] |
| xor eax, dword ptr [ebp-04h] |
| xor eax, ecx |
| leave |
| ret |
| mov eax, 00004000h |
| ret |
| push 0042C970h |
| call dword ptr [00429488h] |
| ret |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| mov al, 01h |
| ret |
| push 00030000h |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x29254 | 0x3c | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2f000 | 0x1400 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x237c0 | 0xc0 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x293c8 | 0x138 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x2169a | 0x21800 | 02aff72e65eaf052f891170e28598361 | False | 0.550606343283582 | data | 6.737058354414408 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x23000 | 0x7264 | 0x7400 | 91e5fdecc510d2c4e72b1b50db3c2501 | False | 0.40641837284482757 | data | 4.769873714467996 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x2b000 | 0x2068 | 0x1000 | f9b2b4b1f63578440eedd0ace5ac94f1 | False | 0.484375 | OpenPGP Secret Key | 5.090094544660231 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .00cfg | 0x2e000 | 0x8 | 0x200 | 160c8b290b62e5e566d05ce3bec76423 | False | 0.03125 | data | 0.06116285224115448 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x2f000 | 0x1400 | 0x1400 | 29fb367912ce622b91120c5cffd84495 | False | 0.81953125 | data | 6.557860970753822 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| .coS | 0x31000 | 0x4c800 | 0x4c800 | b3054e5e1020a2caf09f7f8b7770c7cc | False | 1.0003382863562091 | data | 7.9993842690073835 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| DLL | Import |
|---|---|
| KERNEL32.dll | CloseHandle, CompareStringW, CreateFileA, CreateFileW, CreateThread, DecodePointer, DeleteCriticalSection, EncodePointer, EnterCriticalSection, ExitProcess, ExitThread, FindClose, FindFirstFileExW, FindNextFileW, FlushFileBuffers, FreeEnvironmentStringsW, FreeLibrary, FreeLibraryAndExitThread, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetExitCodeThread, GetFileSize, GetFileType, GetLastError, GetModuleFileNameW, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, ReadFile, RtlUnwind, SetEnvironmentVariableW, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, WaitForSingleObjectEx, WideCharToMultiByte, WriteConsoleW, WriteFile |
| GDI32.dll | CreateEllipticRgn |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-23T14:11:11.838507+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49704 | 104.21.33.116 | 443 | TCP |
| 2024-11-23T14:11:12.545091+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.5 | 49704 | 104.21.33.116 | 443 | TCP |
| 2024-11-23T14:11:12.545091+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49704 | 104.21.33.116 | 443 | TCP |
| 2024-11-23T14:11:13.918642+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49705 | 104.21.33.116 | 443 | TCP |
| 2024-11-23T14:11:14.660934+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.5 | 49705 | 104.21.33.116 | 443 | TCP |
| 2024-11-23T14:11:14.660934+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49705 | 104.21.33.116 | 443 | TCP |
| 2024-11-23T14:11:16.241595+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49706 | 104.21.33.116 | 443 | TCP |
| 2024-11-23T14:11:18.324378+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49707 | 104.21.33.116 | 443 | TCP |
| 2024-11-23T14:11:19.090279+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.5 | 49707 | 104.21.33.116 | 443 | TCP |
| 2024-11-23T14:11:20.509084+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49708 | 104.21.33.116 | 443 | TCP |
| 2024-11-23T14:11:23.015197+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49709 | 104.21.33.116 | 443 | TCP |
| 2024-11-23T14:11:25.549686+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49711 | 104.21.33.116 | 443 | TCP |
| 2024-11-23T14:11:25.563296+0100 | 2843864 | ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 | 1 | 192.168.2.5 | 49711 | 104.21.33.116 | 443 | TCP |
| 2024-11-23T14:11:30.110285+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49725 | 104.21.33.116 | 443 | TCP |
| 2024-11-23T14:11:30.820317+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49725 | 104.21.33.116 | 443 | TCP |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Nov 23, 2024 14:11:10.523969889 CET | 49704 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:10.524050951 CET | 443 | 49704 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:10.524169922 CET | 49704 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:10.525521040 CET | 49704 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:10.525553942 CET | 443 | 49704 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:11.838424921 CET | 443 | 49704 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:11.838506937 CET | 49704 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:11.844907999 CET | 49704 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:11.844923019 CET | 443 | 49704 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:11.845184088 CET | 443 | 49704 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:11.895762920 CET | 49704 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:11.916132927 CET | 49704 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:11.916151047 CET | 49704 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:11.916279078 CET | 443 | 49704 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:12.545101881 CET | 443 | 49704 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:12.545195103 CET | 443 | 49704 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:12.545283079 CET | 49704 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:12.555841923 CET | 49704 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:12.555895090 CET | 443 | 49704 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:12.555926085 CET | 49704 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:12.555943012 CET | 443 | 49704 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:12.606036901 CET | 49705 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:12.606128931 CET | 443 | 49705 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:12.606260061 CET | 49705 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:12.606564045 CET | 49705 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:12.606600046 CET | 443 | 49705 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:13.918556929 CET | 443 | 49705 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:13.918642044 CET | 49705 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:13.955070019 CET | 49705 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:13.955147028 CET | 443 | 49705 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:13.955595016 CET | 443 | 49705 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:13.957875013 CET | 49705 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:13.958125114 CET | 49705 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:13.958163977 CET | 443 | 49705 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:14.660856009 CET | 443 | 49705 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:14.660908937 CET | 443 | 49705 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:14.660933971 CET | 443 | 49705 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:14.660994053 CET | 49705 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:14.661041975 CET | 443 | 49705 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:14.661098957 CET | 49705 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:14.661111116 CET | 443 | 49705 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:14.669469118 CET | 443 | 49705 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:14.669569016 CET | 49705 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:14.669595003 CET | 443 | 49705 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:14.678024054 CET | 443 | 49705 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:14.678124905 CET | 49705 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:14.678149939 CET | 443 | 49705 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:14.724023104 CET | 49705 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:14.724054098 CET | 443 | 49705 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:14.770863056 CET | 49705 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:14.780432940 CET | 443 | 49705 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:14.833394051 CET | 49705 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:14.833417892 CET | 443 | 49705 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:14.874795914 CET | 443 | 49705 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:14.874841928 CET | 49705 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:14.874861956 CET | 443 | 49705 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:14.874893904 CET | 443 | 49705 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:14.874948978 CET | 49705 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:14.875112057 CET | 49705 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:14.875133038 CET | 443 | 49705 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:14.875149965 CET | 49705 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:14.875157118 CET | 443 | 49705 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:14.978425980 CET | 49706 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:14.978483915 CET | 443 | 49706 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:14.978554964 CET | 49706 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:14.978904963 CET | 49706 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:14.978921890 CET | 443 | 49706 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:16.241481066 CET | 443 | 49706 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:16.241595030 CET | 49706 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:16.243429899 CET | 49706 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:16.243443966 CET | 443 | 49706 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:16.243935108 CET | 443 | 49706 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:16.245203972 CET | 49706 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:16.245412111 CET | 49706 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:16.245448112 CET | 443 | 49706 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:16.983494043 CET | 443 | 49706 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:16.983620882 CET | 443 | 49706 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:16.983715057 CET | 49706 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:16.983844995 CET | 49706 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:16.983890057 CET | 443 | 49706 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:17.110151052 CET | 49707 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:17.110260963 CET | 443 | 49707 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:17.110352993 CET | 49707 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:17.110721111 CET | 49707 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:17.110750914 CET | 443 | 49707 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:18.324204922 CET | 443 | 49707 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:18.324378014 CET | 49707 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:18.325936079 CET | 49707 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:18.325970888 CET | 443 | 49707 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:18.326306105 CET | 443 | 49707 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:18.327732086 CET | 49707 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:18.327877045 CET | 49707 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:18.327922106 CET | 443 | 49707 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:18.328017950 CET | 49707 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:18.328030109 CET | 443 | 49707 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:19.090274096 CET | 443 | 49707 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:19.090389967 CET | 443 | 49707 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:19.090471983 CET | 49707 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:19.090600014 CET | 49707 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:19.090652943 CET | 443 | 49707 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:19.286775112 CET | 49708 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:19.286873102 CET | 443 | 49708 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:19.286990881 CET | 49708 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:19.287383080 CET | 49708 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:19.287434101 CET | 443 | 49708 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:20.508929014 CET | 443 | 49708 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:20.509083986 CET | 49708 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:20.510653019 CET | 49708 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:20.510662079 CET | 443 | 49708 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:20.510982037 CET | 443 | 49708 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:20.512238979 CET | 49708 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:20.512392044 CET | 49708 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:20.512420893 CET | 443 | 49708 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:20.512501001 CET | 49708 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:20.512511015 CET | 443 | 49708 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:21.393655062 CET | 443 | 49708 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:21.393996954 CET | 443 | 49708 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:21.394081116 CET | 49708 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:21.394246101 CET | 49708 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:21.394278049 CET | 443 | 49708 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:21.744370937 CET | 49709 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:21.744416952 CET | 443 | 49709 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:21.744515896 CET | 49709 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:21.744903088 CET | 49709 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:21.744910955 CET | 443 | 49709 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:23.015083075 CET | 443 | 49709 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:23.015197039 CET | 49709 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:23.041630030 CET | 49709 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:23.041656017 CET | 443 | 49709 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:23.042638063 CET | 443 | 49709 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:23.066068888 CET | 49709 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:23.066188097 CET | 49709 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:23.066196918 CET | 443 | 49709 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:23.737355947 CET | 443 | 49709 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:23.737632990 CET | 443 | 49709 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:23.737751007 CET | 49709 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:23.738053083 CET | 49709 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:23.738078117 CET | 443 | 49709 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:24.281857967 CET | 49711 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:24.281898975 CET | 443 | 49711 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:24.282037973 CET | 49711 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:24.282352924 CET | 49711 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:24.282361984 CET | 443 | 49711 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:25.549583912 CET | 443 | 49711 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:25.549685955 CET | 49711 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:25.550985098 CET | 49711 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:25.550995111 CET | 443 | 49711 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:25.551352978 CET | 443 | 49711 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:25.561743021 CET | 49711 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:25.562479973 CET | 49711 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:25.562552929 CET | 443 | 49711 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:25.562659025 CET | 49711 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:25.562706947 CET | 443 | 49711 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:25.562828064 CET | 49711 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:25.563076973 CET | 443 | 49711 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:25.563241959 CET | 49711 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:25.563271046 CET | 443 | 49711 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:25.563445091 CET | 49711 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:25.563468933 CET | 443 | 49711 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:25.563647032 CET | 49711 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:25.563664913 CET | 443 | 49711 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:25.563678026 CET | 49711 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:25.563715935 CET | 443 | 49711 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:25.563824892 CET | 49711 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:25.563859940 CET | 49711 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:25.563925028 CET | 443 | 49711 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:25.564079046 CET | 49711 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:25.564116955 CET | 49711 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:25.564146996 CET | 49711 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:25.611330032 CET | 443 | 49711 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:25.611552000 CET | 49711 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:25.611618042 CET | 49711 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:25.645874977 CET | 49711 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:25.645893097 CET | 443 | 49711 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:26.100322962 CET | 443 | 49711 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:28.482755899 CET | 443 | 49711 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:28.482883930 CET | 443 | 49711 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:28.482961893 CET | 49711 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:28.680243969 CET | 49711 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:28.680267096 CET | 443 | 49711 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:28.849461079 CET | 49725 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:28.849509001 CET | 443 | 49725 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:28.849575996 CET | 49725 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:28.849932909 CET | 49725 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:28.849945068 CET | 443 | 49725 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:30.110205889 CET | 443 | 49725 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:30.110285044 CET | 49725 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:30.111970901 CET | 49725 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:30.111979008 CET | 443 | 49725 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:30.112327099 CET | 443 | 49725 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:30.113660097 CET | 49725 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:30.113660097 CET | 49725 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:30.113754034 CET | 443 | 49725 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:30.820389986 CET | 443 | 49725 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:30.820725918 CET | 443 | 49725 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:30.820863008 CET | 49725 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:30.822063923 CET | 49725 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:30.822084904 CET | 443 | 49725 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 14:11:30.822180033 CET | 49725 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 14:11:30.822185040 CET | 443 | 49725 | 104.21.33.116 | 192.168.2.5 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Nov 23, 2024 14:11:10.374448061 CET | 52873 | 53 | 192.168.2.5 | 1.1.1.1 |
| Nov 23, 2024 14:11:10.517453909 CET | 53 | 52873 | 1.1.1.1 | 192.168.2.5 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Nov 23, 2024 14:11:10.374448061 CET | 192.168.2.5 | 1.1.1.1 | 0xe6ee | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Nov 23, 2024 14:11:10.517453909 CET | 1.1.1.1 | 192.168.2.5 | 0xe6ee | No error (0) | 104.21.33.116 | A (IP address) | IN (0x0001) | false | ||
| Nov 23, 2024 14:11:10.517453909 CET | 1.1.1.1 | 192.168.2.5 | 0xe6ee | No error (0) | 172.67.162.84 | A (IP address) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.5 | 49704 | 104.21.33.116 | 443 | 6564 | C:\Users\user\Desktop\injector V2.4.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-11-23 13:11:11 UTC | 265 | OUT | |
| 2024-11-23 13:11:11 UTC | 8 | OUT | |
| 2024-11-23 13:11:12 UTC | 1017 | IN | |
| 2024-11-23 13:11:12 UTC | 7 | IN | |
| 2024-11-23 13:11:12 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.5 | 49705 | 104.21.33.116 | 443 | 6564 | C:\Users\user\Desktop\injector V2.4.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-11-23 13:11:13 UTC | 266 | OUT | |
| 2024-11-23 13:11:13 UTC | 52 | OUT | |
| 2024-11-23 13:11:14 UTC | 1021 | IN | |
| 2024-11-23 13:11:14 UTC | 348 | IN | |
| 2024-11-23 13:11:14 UTC | 908 | IN | |
| 2024-11-23 13:11:14 UTC | 1369 | IN | |
| 2024-11-23 13:11:14 UTC | 1369 | IN | |
| 2024-11-23 13:11:14 UTC | 1369 | IN | |
| 2024-11-23 13:11:14 UTC | 1369 | IN | |
| 2024-11-23 13:11:14 UTC | 1369 | IN | |
| 2024-11-23 13:11:14 UTC | 1369 | IN | |
| 2024-11-23 13:11:14 UTC | 1369 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 2 | 192.168.2.5 | 49706 | 104.21.33.116 | 443 | 6564 | C:\Users\user\Desktop\injector V2.4.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-11-23 13:11:16 UTC | 279 | OUT | |
| 2024-11-23 13:11:16 UTC | 12810 | OUT | |
| 2024-11-23 13:11:16 UTC | 1017 | IN | |
| 2024-11-23 13:11:16 UTC | 19 | IN | |
| 2024-11-23 13:11:16 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 3 | 192.168.2.5 | 49707 | 104.21.33.116 | 443 | 6564 | C:\Users\user\Desktop\injector V2.4.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-11-23 13:11:18 UTC | 284 | OUT | |
| 2024-11-23 13:11:18 UTC | 15082 | OUT | |
| 2024-11-23 13:11:19 UTC | 1013 | IN | |
| 2024-11-23 13:11:19 UTC | 19 | IN | |
| 2024-11-23 13:11:19 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 4 | 192.168.2.5 | 49708 | 104.21.33.116 | 443 | 6564 | C:\Users\user\Desktop\injector V2.4.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-11-23 13:11:20 UTC | 285 | OUT | |
| 2024-11-23 13:11:20 UTC | 15331 | OUT | |
| 2024-11-23 13:11:20 UTC | 5247 | OUT | |
| 2024-11-23 13:11:21 UTC | 1015 | IN | |
| 2024-11-23 13:11:21 UTC | 19 | IN | |
| 2024-11-23 13:11:21 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 5 | 192.168.2.5 | 49709 | 104.21.33.116 | 443 | 6564 | C:\Users\user\Desktop\injector V2.4.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-11-23 13:11:23 UTC | 279 | OUT | |
| 2024-11-23 13:11:23 UTC | 1251 | OUT | |
| 2024-11-23 13:11:23 UTC | 1022 | IN | |
| 2024-11-23 13:11:23 UTC | 19 | IN | |
| 2024-11-23 13:11:23 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 6 | 192.168.2.5 | 49711 | 104.21.33.116 | 443 | 6564 | C:\Users\user\Desktop\injector V2.4.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-11-23 13:11:25 UTC | 286 | OUT | |
| 2024-11-23 13:11:25 UTC | 15331 | OUT | |
| 2024-11-23 13:11:25 UTC | 15331 | OUT | |
| 2024-11-23 13:11:25 UTC | 15331 | OUT | |
| 2024-11-23 13:11:25 UTC | 15331 | OUT | |
| 2024-11-23 13:11:25 UTC | 15331 | OUT | |
| 2024-11-23 13:11:25 UTC | 15331 | OUT | |
| 2024-11-23 13:11:25 UTC | 15331 | OUT | |
| 2024-11-23 13:11:25 UTC | 15331 | OUT | |
| 2024-11-23 13:11:25 UTC | 15331 | OUT | |
| 2024-11-23 13:11:25 UTC | 15331 | OUT | |
| 2024-11-23 13:11:28 UTC | 1023 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 7 | 192.168.2.5 | 49725 | 104.21.33.116 | 443 | 6564 | C:\Users\user\Desktop\injector V2.4.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-11-23 13:11:30 UTC | 266 | OUT | |
| 2024-11-23 13:11:30 UTC | 87 | OUT | |
| 2024-11-23 13:11:30 UTC | 1017 | IN | |
| 2024-11-23 13:11:30 UTC | 54 | IN | |
| 2024-11-23 13:11:30 UTC | 5 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 08:11:08 |
| Start date: | 23/11/2024 |
| Path: | C:\Users\user\Desktop\injector V2.4.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x4c0000 |
| File size: | 491'520 bytes |
| MD5 hash: | C1B5CAE419A07B5BFEB4E958510F8637 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
| Target ID: | 1 |
| Start time: | 08:11:08 |
| Start date: | 23/11/2024 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6d64d0000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 3 |
| Start time: | 08:11:09 |
| Start date: | 23/11/2024 |
| Path: | C:\Users\user\Desktop\injector V2.4.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x4c0000 |
| File size: | 491'520 bytes |
| MD5 hash: | C1B5CAE419A07B5BFEB4E958510F8637 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
| Target ID: | 4 |
| Start time: | 08:11:09 |
| Start date: | 23/11/2024 |
| Path: | C:\Users\user\Desktop\injector V2.4.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x4c0000 |
| File size: | 491'520 bytes |
| MD5 hash: | C1B5CAE419A07B5BFEB4E958510F8637 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
Execution Graph
| Execution Coverage: | 4.2% |
| Dynamic/Decrypted Code Coverage: | 100% |
| Signature Coverage: | 7.5% |
| Total number of Nodes: | 1908 |
| Total number of Limit Nodes: | 27 |
Graph
Function 004EB18D Relevance: 44.0, APIs: 11, Strings: 14, Instructions: 295threadinjectionmemoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004CCD10 Relevance: .0, Instructions: 29COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004D9DD3 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004CBEB0 Relevance: 9.2, APIs: 6, Instructions: 173fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004D6CE6 Relevance: 4.6, APIs: 3, Instructions: 51threadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004DA732 Relevance: 3.1, APIs: 2, Instructions: 65COMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004D6E00 Relevance: 3.0, APIs: 2, Instructions: 38threadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004DB0CB Relevance: 3.0, APIs: 2, Instructions: 22memoryCOMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004D3B60 Relevance: 1.6, APIs: 1, Instructions: 86COMMON
Download Yara Rule
Control-flow Graph
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004CCD90 Relevance: 1.5, APIs: 1, Instructions: 41COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004DB807 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004DBC45 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004D4CA2 Relevance: 143.7, APIs: 41, Strings: 41, Instructions: 180libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004CCE70 Relevance: 8.0, APIs: 5, Instructions: 518threadCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004DC7DB Relevance: 6.2, APIs: 4, Instructions: 205COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004D5444 Relevance: 6.1, APIs: 4, Instructions: 73COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004D15A0 Relevance: 4.4, APIs: 2, Instructions: 1444COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004DC72A Relevance: 1.7, APIs: 1, Instructions: 199fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004D5200 Relevance: 1.6, APIs: 1, Instructions: 147COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004D5438 Relevance: 1.5, APIs: 1, Instructions: 3COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004D9F90 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004C86C0 Relevance: .7, Instructions: 725COMMONLIBRARYCODE
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004D34D0 Relevance: .6, Instructions: 607COMMONLIBRARYCODE
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004CF980 Relevance: .5, Instructions: 456COMMONLIBRARYCODE
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004CBD50 Relevance: .0, Instructions: 15COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004D90D3 Relevance: 17.8, APIs: 5, Strings: 5, Instructions: 303COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004D6F54 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004DDF1D Relevance: 7.7, APIs: 5, Instructions: 197COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004D94F8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 114COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004DDC5E Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004DC5B8 Relevance: 6.1, APIs: 4, Instructions: 82COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004DD22D Relevance: 6.1, APIs: 4, Instructions: 74COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004D8D6C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 93COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004D45A6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004DC7DB Relevance: 6.2, APIs: 4, Instructions: 205COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004D5444 Relevance: 6.1, APIs: 4, Instructions: 73COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004D4CA2 Relevance: 143.7, APIs: 41, Strings: 41, Instructions: 180libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004E0308 Relevance: 12.2, APIs: 8, Instructions: 248COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004CBEB0 Relevance: 9.2, APIs: 6, Instructions: 173fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004D883A Relevance: 9.1, APIs: 6, Instructions: 60COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004D6F54 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004DDF1D Relevance: 7.7, APIs: 5, Instructions: 197COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004DDC5E Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004DE5E8 Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004D8EFC Relevance: 6.2, APIs: 4, Instructions: 168COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004DC5B8 Relevance: 6.1, APIs: 4, Instructions: 82COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004DCB54 Relevance: 6.1, APIs: 4, Instructions: 79COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004DD22D Relevance: 6.1, APIs: 4, Instructions: 74COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004E07C0 Relevance: 6.0, APIs: 4, Instructions: 29COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Execution Graph
| Execution Coverage: | 11.3% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 40.5% |
| Total number of Nodes: | 331 |
| Total number of Limit Nodes: | 29 |
Graph
Function 004389D0 Relevance: 40.7, APIs: 11, Strings: 12, Instructions: 484memorycomCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00408AE0 Relevance: 7.7, APIs: 5, Instructions: 198threadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043D880 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043D920 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00440620 Relevance: 1.4, Strings: 1, Instructions: 103COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00440740 Relevance: .3, Instructions: 255COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00420970 Relevance: .2, Instructions: 196COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040A10E Relevance: .2, Instructions: 182COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040CE5A Relevance: .1, Instructions: 54COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040C7A5 Relevance: .0, Instructions: 28COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043B070 Relevance: 1.6, APIs: 1, Instructions: 52memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043D9B6 Relevance: 1.5, APIs: 1, Instructions: 39COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00432390 Relevance: 1.5, APIs: 1, Instructions: 24COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042FC22 Relevance: 1.5, APIs: 1, Instructions: 24COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043B030 Relevance: 1.5, APIs: 1, Instructions: 22memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043E6D2 Relevance: 1.5, APIs: 1, Instructions: 21COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040D260 Relevance: 1.5, APIs: 1, Instructions: 17COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040D293 Relevance: 1.5, APIs: 1, Instructions: 17COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00425344 Relevance: 16.0, Strings: 12, Instructions: 1043COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00426910 Relevance: 12.9, Strings: 10, Instructions: 416COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041AC64 Relevance: 5.7, Strings: 4, Instructions: 708COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041DF00 Relevance: 5.6, Strings: 4, Instructions: 623COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00427580 Relevance: 5.6, Strings: 4, Instructions: 609COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004298A8 Relevance: 5.5, Strings: 4, Instructions: 466COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00429F62 Relevance: 5.2, Strings: 4, Instructions: 161COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041D201 Relevance: 5.1, Strings: 4, Instructions: 111COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00421F10 Relevance: 4.2, Strings: 3, Instructions: 453COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042A1A2 Relevance: 4.0, Strings: 3, Instructions: 227COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404930 Relevance: 4.0, Strings: 3, Instructions: 224COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00427774 Relevance: 3.0, Strings: 2, Instructions: 499COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004395E9 Relevance: 2.9, Strings: 2, Instructions: 431COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042C84A Relevance: 2.8, Strings: 2, Instructions: 309COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042C8DC Relevance: 2.8, Strings: 2, Instructions: 306COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042C929 Relevance: 2.8, Strings: 2, Instructions: 305COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042C918 Relevance: 2.8, Strings: 2, Instructions: 280COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00426959 Relevance: 2.7, Strings: 2, Instructions: 176COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004231F0 Relevance: 1.7, APIs: 1, Instructions: 241comCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00423450 Relevance: 1.7, Strings: 1, Instructions: 439COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042BA10 Relevance: 1.6, Strings: 1, Instructions: 395COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041CED0 Relevance: 1.5, Strings: 1, Instructions: 254COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042D380 Relevance: 1.5, Strings: 1, Instructions: 217COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042D318 Relevance: 1.5, Strings: 1, Instructions: 205COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042D0F6 Relevance: 1.5, Strings: 1, Instructions: 204COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040DA43 Relevance: 1.4, Strings: 1, Instructions: 177COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00439290 Relevance: 1.4, Strings: 1, Instructions: 114COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040EA4F Relevance: 1.3, Strings: 1, Instructions: 95COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042ADAB Relevance: 1.3, Strings: 1, Instructions: 92COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00429813 Relevance: 1.3, Strings: 1, Instructions: 58COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00428A9C Relevance: 1.3, Strings: 1, Instructions: 38COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405C20 Relevance: .4, Instructions: 448COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042CD67 Relevance: .3, Instructions: 310COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004294BD Relevance: .3, Instructions: 276COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00440CD0 Relevance: .3, Instructions: 265COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402190 Relevance: .2, Instructions: 230COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00439040 Relevance: .2, Instructions: 201COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040B989 Relevance: .2, Instructions: 199COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040B626 Relevance: .2, Instructions: 183COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004393D0 Relevance: .2, Instructions: 176COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00428F5D Relevance: .1, Instructions: 113COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00408E00 Relevance: .1, Instructions: 86COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00435E10 Relevance: .1, Instructions: 64COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042B450 Relevance: .1, Instructions: 63COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042E388 Relevance: .1, Instructions: 56COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00422776 Relevance: .0, Instructions: 44COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042CD62 Relevance: .0, Instructions: 39COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040BEB1 Relevance: .0, Instructions: 18COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043DDF5 Relevance: .0, Instructions: 12COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043E5A6 Relevance: .0, Instructions: 11COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00432004 Relevance: 52.6, APIs: 1, Strings: 29, Instructions: 137memoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|