Edit tour
Windows
Analysis Report
injector V2.5.exe
Overview
General Information
| Sample name: | injector V2.5.exe |
| Analysis ID: | 1561472 |
| MD5: | bcc3a5ac8ca364b58e08a8e771992d6a |
| SHA1: | 36f9ad6f96a2112c5ce71dba2cd87b04f33e6e6a |
| SHA256: | fd0068122528a6a7042dd6301a77067e9675acbddce740e5e85e840d54f98243 |
| Tags: | exeuser-4k95m |
| Infos: |  |
 | |
Detection
LummaC Stealer
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Classification
- System is w10x64
injector V2.5.exe (PID: 6996 cmdline: "C:\Users\ user\Deskt op\injecto r V2.5.exe " MD5: BCC3A5AC8CA364B58E08A8E771992D6A) 
conhost.exe (PID: 7024 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - injector V2.5.exe (PID: 6276 cmdline:
"C:\Users\ user\Deskt op\injecto r V2.5.exe " MD5: BCC3A5AC8CA364B58E08A8E771992D6A)
- cleanup
{"C2 url": ["revirepart.biz"]}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | ||
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
⊘No Sigma rule has matched
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-23T14:17:31.428348+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49730 | 104.21.43.198 | 443 | TCP |
| 2024-11-23T14:17:33.785867+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49731 | 104.21.88.250 | 443 | TCP |
| 2024-11-23T14:17:35.837311+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49732 | 104.21.88.250 | 443 | TCP |
| 2024-11-23T14:17:38.055093+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49733 | 104.21.88.250 | 443 | TCP |
| 2024-11-23T14:17:40.586974+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49734 | 104.21.88.250 | 443 | TCP |
| 2024-11-23T14:17:43.448049+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49735 | 104.21.88.250 | 443 | TCP |
| 2024-11-23T14:17:45.914671+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49736 | 104.21.88.250 | 443 | TCP |
| 2024-11-23T14:17:48.020961+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49738 | 104.21.88.250 | 443 | TCP |
| 2024-11-23T14:17:50.790073+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49742 | 104.21.88.250 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-23T14:17:32.104063+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49730 | 104.21.43.198 | 443 | TCP |
| 2024-11-23T14:17:34.517725+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 104.21.88.250 | 443 | TCP |
| 2024-11-23T14:17:36.543606+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49732 | 104.21.88.250 | 443 | TCP |
| 2024-11-23T14:17:51.493354+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49742 | 104.21.88.250 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-23T14:17:32.104063+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.4 | 49730 | 104.21.43.198 | 443 | TCP |
| 2024-11-23T14:17:34.517725+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 104.21.88.250 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-23T14:17:36.543606+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.4 | 49732 | 104.21.88.250 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-23T14:17:31.428348+0100 | 2057647 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49730 | 104.21.43.198 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-23T14:17:29.663824+0100 | 2057646 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 61706 | 1.1.1.1 | 53 | UDP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-23T14:17:49.421766+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49738 | 104.21.88.250 | 443 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Malware Configuration Extractor: | ||
| Source: | ReversingLabs: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | Code function: | 2_2_0041A4DA | |
| Source: | Static PE information: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_0060C7DB | |
| Source: | Code function: | 2_2_004190D0 | |
| Source: | Code function: | 2_2_0040B97E | |
| Source: | Code function: | 2_2_00409AE0 | |
| Source: | Code function: | 2_2_00409AE0 | |
| Source: | Code function: | 2_2_0040DA8D | |
| Source: | Code function: | 2_2_00442B00 | |
| Source: | Code function: | 2_2_0042F3ED | |
| Source: | Code function: | 2_2_0042E398 | |
| Source: | Code function: | 2_2_0042EB98 | |
| Source: | Code function: | 2_2_0040AD50 | |
| Source: | Code function: | 2_2_00442530 | |
| Source: | Code function: | 2_2_0040C5BE | |
| Source: | Code function: | 2_2_004427D0 | |
| Source: | Code function: | 2_2_0042D040 | |
| Source: | Code function: | 2_2_00441860 | |
| Source: | Code function: | 2_2_0042E06F | |
| Source: | Code function: | 2_2_00407870 | |
| Source: | Code function: | 2_2_00407870 | |
| Source: | Code function: | 2_2_00402820 | |
| Source: | Code function: | 2_2_0042D830 | |
| Source: | Code function: | 2_2_0042E039 | |
| Source: | Code function: | 2_2_0042A0D5 | |
| Source: | Code function: | 2_2_0042E007 | |
| Source: | Code function: | 2_2_0042B0FA | |
| Source: | Code function: | 2_2_0040F096 | |
| Source: | Code function: | 2_2_0040F096 | |
| Source: | Code function: | 2_2_004068B0 | |
| Source: | Code function: | 2_2_00442970 | |
| Source: | Code function: | 2_2_00441930 | |
| Source: | Code function: | 2_2_004379E0 | |
| Source: | Code function: | 2_2_0040E1EC | |
| Source: | Code function: | 2_2_0041FF7F | |
| Source: | Code function: | 2_2_00425190 | |
| Source: | Code function: | 2_2_0041DA40 | |
| Source: | Code function: | 2_2_00443260 | |
| Source: | Code function: | 2_2_00404A31 | |
| Source: | Code function: | 2_2_0043DAC0 | |
| Source: | Code function: | 2_2_0041E2F0 | |
| Source: | Code function: | 2_2_0041E2F0 | |
| Source: | Code function: | 2_2_0042CAB0 | |
| Source: | Code function: | 2_2_0042B340 | |
| Source: | Code function: | 2_2_0041EFF5 | |
| Source: | Code function: | 2_2_0041EFF5 | |
| Source: | Code function: | 2_2_0040C303 | |
| Source: | Code function: | 2_2_0041BB10 | |
| Source: | Code function: | 2_2_0041FB20 | |
| Source: | Code function: | 2_2_0041FB20 | |
| Source: | Code function: | 2_2_00426BD0 | |
| Source: | Code function: | 2_2_00426BD0 | |
| Source: | Code function: | 2_2_00426BD0 | |
| Source: | Code function: | 2_2_00426BD0 | |
| Source: | Code function: | 2_2_0042D4A0 | |
| Source: | Code function: | 2_2_0041DD48 | |
| Source: | Code function: | 2_2_0042FD65 | |
| Source: | Code function: | 2_2_0042FD65 | |
| Source: | Code function: | 2_2_00426510 | |
| Source: | Code function: | 2_2_00429520 | |
| Source: | Code function: | 2_2_0040CE52 | |
| Source: | Code function: | 2_2_0040CE52 | |
| Source: | Code function: | 2_2_00426E00 | |
| Source: | Code function: | 2_2_00426E00 | |
| Source: | Code function: | 2_2_00426E00 | |
| Source: | Code function: | 2_2_00426E00 | |
| Source: | Code function: | 2_2_0042DE10 | |
| Source: | Code function: | 2_2_0041F6E0 | |
| Source: | Code function: | 2_2_0041F6E0 | |
| Source: | Code function: | 2_2_004296F4 | |
| Source: | Code function: | 2_2_00426F70 | |
| Source: | Code function: | 2_2_00426F70 | |
| Source: | Code function: | 2_2_00426F70 | |
| Source: | Code function: | 2_2_00426F70 | |
| Source: | Code function: | 2_2_0041FF7F | |
| Source: | Code function: | 2_2_0040E714 | |
| Source: | Code function: | 2_2_0041C7C9 | |
| Source: | Code function: | 2_2_0040E7D9 | |
| Source: | Code function: | 2_2_0041EFF5 | |
| Source: | Code function: | 2_2_0041EFF5 | |
| Source: | Code function: | 2_2_0042EF87 | |
| Source: | Code function: | 2_2_0041BFB6 | |
Networking | |
|---|
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | URLs: | ||
| Source: | ASN Name: | ||
| Source: | JA3 fingerprint: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | DNS traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Code function: | 2_2_00435300 | |
| Source: | Code function: | 2_2_00435300 | |
| Source: | Code function: | 0_2_005FF4D0 | |
| Source: | Code function: | 0_2_006034D0 | |
| Source: | Code function: | 0_2_006015A0 | |
| Source: | Code function: | 0_2_005FF980 | |
| Source: | Code function: | 0_2_005FCE70 | |
| Source: | Code function: | 0_2_005F86C0 | |
| Source: | Code function: | 0_2_005FD7F0 | |
| Source: | Code function: | 0_2_00611FD2 | |
| Source: | Code function: | 2_2_00429060 | |
| Source: | Code function: | 2_2_00424860 | |
| Source: | Code function: | 2_2_004190D0 | |
| Source: | Code function: | 2_2_00422110 | |
| Source: | Code function: | 2_2_0043D260 | |
| Source: | Code function: | 2_2_00409AE0 | |
| Source: | Code function: | 2_2_0043AAE0 | |
| Source: | Code function: | 2_2_0042F3ED | |
| Source: | Code function: | 2_2_0042E398 | |
| Source: | Code function: | 2_2_00442C40 | |
| Source: | Code function: | 2_2_00408C70 | |
| Source: | Code function: | 2_2_0041A4DA | |
| Source: | Code function: | 2_2_0040AD50 | |
| Source: | Code function: | 2_2_00443580 | |
| Source: | Code function: | 2_2_00426618 | |
| Source: | Code function: | 2_2_0043A760 | |
| Source: | Code function: | 2_2_00441860 | |
| Source: | Code function: | 2_2_00407870 | |
| Source: | Code function: | 2_2_00423815 | |
| Source: | Code function: | 2_2_0042A0D5 | |
| Source: | Code function: | 2_2_0041E0E8 | |
| Source: | Code function: | 2_2_004350F0 | |
| Source: | Code function: | 2_2_0042B0FA | |
| Source: | Code function: | 2_2_0043B0A0 | |
| Source: | Code function: | 2_2_0043A0A0 | |
| Source: | Code function: | 2_2_004068B0 | |
| Source: | Code function: | 2_2_0042C14A | |
| Source: | Code function: | 2_2_00441930 | |
| Source: | Code function: | 2_2_004329C6 | |
| Source: | Code function: | 2_2_0041FF7F | |
| Source: | Code function: | 2_2_00425A4A | |
| Source: | Code function: | 2_2_00421250 | |
| Source: | Code function: | 2_2_00443260 | |
| Source: | Code function: | 2_2_00406200 | |
| Source: | Code function: | 2_2_00404A31 | |
| Source: | Code function: | 2_2_0043DAC0 | |
| Source: | Code function: | 2_2_0043E2D0 | |
| Source: | Code function: | 2_2_0041E2F0 | |
| Source: | Code function: | 2_2_004332F0 | |
| Source: | Code function: | 2_2_0040B280 | |
| Source: | Code function: | 2_2_00422360 | |
| Source: | Code function: | 2_2_00402B70 | |
| Source: | Code function: | 2_2_0041EFF5 | |
| Source: | Code function: | 2_2_0041BB10 | |
| Source: | Code function: | 2_2_0041FB20 | |
| Source: | Code function: | 2_2_00426BD0 | |
| Source: | Code function: | 2_2_00431BE8 | |
| Source: | Code function: | 2_2_00405BF0 | |
| Source: | Code function: | 2_2_0041EBF0 | |
| Source: | Code function: | 2_2_004413A0 | |
| Source: | Code function: | 2_2_00425410 | |
| Source: | Code function: | 2_2_00430C1C | |
| Source: | Code function: | 2_2_00420C90 | |
| Source: | Code function: | 2_2_00406D60 | |
| Source: | Code function: | 2_2_0042FD65 | |
| Source: | Code function: | 2_2_00403570 | |
| Source: | Code function: | 2_2_00429520 | |
| Source: | Code function: | 2_2_004205F0 | |
| Source: | Code function: | 2_2_004055F8 | |
| Source: | Code function: | 2_2_0042B588 | |
| Source: | Code function: | 2_2_00441597 | |
| Source: | Code function: | 2_2_0041B5A1 | |
| Source: | Code function: | 2_2_00439E40 | |
| Source: | Code function: | 2_2_00408E50 | |
| Source: | Code function: | 2_2_0040CE52 | |
| Source: | Code function: | 2_2_00426E00 | |
| Source: | Code function: | 2_2_00432615 | |
| Source: | Code function: | 2_2_0041F6E0 | |
| Source: | Code function: | 2_2_004296F4 | |
| Source: | Code function: | 2_2_004096A0 | |
| Source: | Code function: | 2_2_00442F40 | |
| Source: | Code function: | 2_2_00426F70 | |
| Source: | Code function: | 2_2_0041FF7F | |
| Source: | Code function: | 2_2_00404F05 | |
| Source: | Code function: | 2_2_0043D710 | |
| Source: | Code function: | 2_2_0041C7C9 | |
| Source: | Code function: | 2_2_004287D0 | |
| Source: | Code function: | 2_2_0040E7D9 | |
| Source: | Code function: | 2_2_0041EFF5 | |
| Source: | Code function: | 2_2_0042EF87 | |
| Source: | Code function: | 2_2_0041BFB6 | |
| Source: | Code function: | 2_2_0042E7BB | |
| Source: | Code function: | 2_2_005FF980 | |
| Source: | Code function: | 2_2_005FF4D0 | |
| Source: | Code function: | 2_2_006034D0 | |
| Source: | Code function: | 2_2_006015A0 | |
| Source: | Code function: | 2_2_005FCE70 | |
| Source: | Code function: | 2_2_005F86C0 | |
| Source: | Code function: | 2_2_005FD7F0 | |
| Source: | Code function: | 2_2_00611FD2 | |
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 2_2_0043AAE0 | |
| Source: | Mutant created: | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | ReversingLabs: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00604BD8 | |
| Source: | Code function: | 2_3_02DF954A | |
| Source: | Code function: | 2_3_02DE6BEC | |
| Source: | Code function: | 2_3_02DE6BEC | |
| Source: | Code function: | 2_3_02DE6BEC | |
| Source: | Code function: | 2_3_02DE6BEC | |
| Source: | Code function: | 2_2_00604BD8 | |
| Source: | Code function: | 0_2_00604CA2 | |
| Source: | Registry key monitored for changes: | Jump to behavior | ||
| Source: | Registry key monitored for changes: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | System information queried: | Jump to behavior | ||
| Source: | API coverage: | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | WMI Queries: | ||
| Source: | Code function: | 0_2_0060C7DB | |
| Source: | Binary or memory string: | ||
| Source: | Process information queried: | Jump to behavior | ||
| Source: | Code function: | 2_2_0043FAC0 | |
| Source: | Code function: | 0_2_00605444 | |
| Source: | Code function: | 0_2_005FCD10 | |
| Source: | Code function: | 0_2_0061B18D | |
| Source: | Code function: | 0_2_005FBD50 | |
| Source: | Code function: | 2_2_005FBD50 | |
| Source: | Code function: | 2_2_005FCD10 | |
| Source: | Code function: | 0_2_00609F90 | |
| Source: | Code function: | 0_2_00605444 | |
| Source: | Code function: | 0_2_00605438 | |
| Source: | Code function: | 0_2_00607DCA | |
| Source: | Code function: | 0_2_00604AD9 | |
| Source: | Code function: | 2_2_00604AD9 | |
| Source: | Code function: | 2_2_00605444 | |
| Source: | Code function: | 2_2_00605438 | |
| Source: | Code function: | 2_2_00607DCA | |
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | Code function: | 0_2_0061B18D | |
| Source: | Memory written: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Code function: | 0_2_00605200 | |
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Code function: | 0_2_006058C5 | |
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | WMI Queries: | ||
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | File source: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Windows Management Instrumentation | 1 DLL Side-Loading | 211 Process Injection | 11 Virtualization/Sandbox Evasion | 2 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 21 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 211 Process Injection | LSASS Memory | 1 Query Registry | Remote Desktop Protocol | 31 Data from Local System | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Deobfuscate/Decode Files or Information | Security Account Manager | 141 Security Software Discovery | SMB/Windows Admin Shares | 2 Clipboard Data | 113 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 3 Obfuscated Files or Information | NTDS | 11 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Software Packing | LSA Secrets | 1 Process Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 11 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | 33 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 39% | ReversingLabs | Win32.Trojan.Generic | ||
| 100% | Joe Sandbox ML |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| frogs-severz.sbs | 104.21.88.250 | true | true | unknown | |
| revirepart.biz | 104.21.43.198 | true | false | high |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| true |
| unknown | |
| false | high | ||
| false | high |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 104.21.43.198 | revirepart.biz | United States | 13335 | CLOUDFLARENETUS | false | |
| 104.21.88.250 | frogs-severz.sbs | United States | 13335 | CLOUDFLARENETUS | true |
| Joe Sandbox version: | 41.0.0 Charoite |
| Analysis ID: | 1561472 |
| Start date and time: | 2024-11-23 14:16:33 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 4m 36s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 6 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | injector V2.5.exe |
| Detection: | MAL |
| Classification: | mal100.troj.spyw.evad.winEXE@4/0@2/2 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
- VT rate limit hit for: injector V2.5.exe
| Time | Type | Description |
|---|---|---|
| 08:17:30 | API Interceptor |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 104.21.43.198 | Get hash | malicious | LummaC Stealer | Browse | ||
| Get hash | malicious | LummaC | Browse | |||
| Get hash | malicious | LummaC | Browse | |||
| Get hash | malicious | LummaC | Browse | |||
| 104.21.88.250 | Get hash | malicious | LummaC Stealer | Browse | ||
| Get hash | malicious | LummaC Stealer | Browse |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| revirepart.biz | Get hash | malicious | LummaC Stealer | Browse |
| |
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| frogs-severz.sbs | Get hash | malicious | LummaC Stealer | Browse |
| |
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| CLOUDFLARENETUS | Get hash | malicious | LummaC Stealer | Browse |
| |
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | Amadey, Clipboard Hijacker, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| CLOUDFLARENETUS | Get hash | malicious | LummaC Stealer | Browse |
| |
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | Amadey, Clipboard Hijacker, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| a0e9f5d64349fb13191bc781f81f42e1 | Get hash | malicious | LummaC Stealer | Browse |
| |
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | Amadey, Clipboard Hijacker, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
|
⊘No context
⊘No created / dropped files found
| File type: | |
| Entropy (8bit): | 7.732133080216734 |
| TrID: |
|
| File name: | injector V2.5.exe |
| File size: | 501'248 bytes |
| MD5: | bcc3a5ac8ca364b58e08a8e771992d6a |
| SHA1: | 36f9ad6f96a2112c5ce71dba2cd87b04f33e6e6a |
| SHA256: | fd0068122528a6a7042dd6301a77067e9675acbddce740e5e85e840d54f98243 |
| SHA512: | 7c3280d2c30a886261e6c2537a3bed60458cc7329a8658f08901d9b4850a31042f6c66bdddaab87c3a45042731c14c912e0f25fc2b49188665e2a42fbe13749e |
| SSDEEP: | 12288:1JB+nneDgkXFEIAY4vKsI+koNRtw++ttp42IK7nV:bAoR2jYQKLPAtQD+fCV |
| TLSH: | 3FB4F1AA77A3D0B3E1A2183141E49EB5466F7E700F20A4FB97601F791B366C28532E57 |
| File Content Preview: | MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...t.@g............................pX............@.......................................@.................................T...<.. |
 | |
| Icon Hash: | 90cececece8e8eb0 |
| Entrypoint: | 0x415870 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows cui |
| Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
| DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, GUARD_CF, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x6740AA74 [Fri Nov 22 15:59:48 2024 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 6 |
| OS Version Minor: | 0 |
| File Version Major: | 6 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 6 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 887797384d81c493a9d8ee55dad3b2e1 |
| Instruction |
|---|
| call 00007F41E48769BAh |
| jmp 00007F41E487681Dh |
| mov ecx, dword ptr [0042B5F0h] |
| push esi |
| push edi |
| mov edi, BB40E64Eh |
| mov esi, FFFF0000h |
| cmp ecx, edi |
| je 00007F41E48769B6h |
| test esi, ecx |
| jne 00007F41E48769D8h |
| call 00007F41E48769E1h |
| mov ecx, eax |
| cmp ecx, edi |
| jne 00007F41E48769B9h |
| mov ecx, BB40E64Fh |
| jmp 00007F41E48769C0h |
| test esi, ecx |
| jne 00007F41E48769BCh |
| or eax, 00004711h |
| shl eax, 10h |
| or ecx, eax |
| mov dword ptr [0042B5F0h], ecx |
| not ecx |
| pop edi |
| mov dword ptr [0042B5ECh], ecx |
| pop esi |
| ret |
| push ebp |
| mov ebp, esp |
| sub esp, 14h |
| and dword ptr [ebp-0Ch], 00000000h |
| lea eax, dword ptr [ebp-0Ch] |
| and dword ptr [ebp-08h], 00000000h |
| push eax |
| call dword ptr [0042946Ch] |
| mov eax, dword ptr [ebp-08h] |
| xor eax, dword ptr [ebp-0Ch] |
| mov dword ptr [ebp-04h], eax |
| call dword ptr [00429430h] |
| xor dword ptr [ebp-04h], eax |
| call dword ptr [0042942Ch] |
| xor dword ptr [ebp-04h], eax |
| lea eax, dword ptr [ebp-14h] |
| push eax |
| call dword ptr [004294A8h] |
| mov eax, dword ptr [ebp-10h] |
| lea ecx, dword ptr [ebp-04h] |
| xor eax, dword ptr [ebp-14h] |
| xor eax, dword ptr [ebp-04h] |
| xor eax, ecx |
| leave |
| ret |
| mov eax, 00004000h |
| ret |
| push 0042C970h |
| call dword ptr [00429488h] |
| ret |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| mov al, 01h |
| ret |
| push 00030000h |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x29254 | 0x3c | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2f000 | 0x1400 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x237c0 | 0xc0 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x293c8 | 0x138 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x2169a | 0x21800 | 02aff72e65eaf052f891170e28598361 | False | 0.550606343283582 | data | 6.737058354414408 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x23000 | 0x7264 | 0x7400 | 91e5fdecc510d2c4e72b1b50db3c2501 | False | 0.40641837284482757 | data | 4.769873714467996 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x2b000 | 0x2068 | 0x1000 | f9b2b4b1f63578440eedd0ace5ac94f1 | False | 0.484375 | OpenPGP Secret Key | 5.090094544660231 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .00cfg | 0x2e000 | 0x8 | 0x200 | 160c8b290b62e5e566d05ce3bec76423 | False | 0.03125 | data | 0.06116285224115448 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x2f000 | 0x1400 | 0x1400 | 29fb367912ce622b91120c5cffd84495 | False | 0.81953125 | data | 6.557860970753822 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| .coS | 0x31000 | 0x4ee00 | 0x4ee00 | 6cbc315130b915278f3d798b2df9b067 | False | 1.000328100237718 | data | 7.999439261577721 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| DLL | Import |
|---|---|
| KERNEL32.dll | CloseHandle, CompareStringW, CreateFileA, CreateFileW, CreateThread, DecodePointer, DeleteCriticalSection, EncodePointer, EnterCriticalSection, ExitProcess, ExitThread, FindClose, FindFirstFileExW, FindNextFileW, FlushFileBuffers, FreeEnvironmentStringsW, FreeLibrary, FreeLibraryAndExitThread, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetExitCodeThread, GetFileSize, GetFileType, GetLastError, GetModuleFileNameW, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, ReadFile, RtlUnwind, SetEnvironmentVariableW, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, WaitForSingleObjectEx, WideCharToMultiByte, WriteConsoleW, WriteFile |
| GDI32.dll | CreateEllipticRgn |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-23T14:17:29.663824+0100 | 2057646 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (revirepart .biz) | 1 | 192.168.2.4 | 61706 | 1.1.1.1 | 53 | UDP |
| 2024-11-23T14:17:31.428348+0100 | 2057647 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (revirepart .biz in TLS SNI) | 1 | 192.168.2.4 | 49730 | 104.21.43.198 | 443 | TCP |
| 2024-11-23T14:17:31.428348+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49730 | 104.21.43.198 | 443 | TCP |
| 2024-11-23T14:17:32.104063+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49730 | 104.21.43.198 | 443 | TCP |
| 2024-11-23T14:17:32.104063+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49730 | 104.21.43.198 | 443 | TCP |
| 2024-11-23T14:17:33.785867+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49731 | 104.21.88.250 | 443 | TCP |
| 2024-11-23T14:17:34.517725+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49731 | 104.21.88.250 | 443 | TCP |
| 2024-11-23T14:17:34.517725+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49731 | 104.21.88.250 | 443 | TCP |
| 2024-11-23T14:17:35.837311+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49732 | 104.21.88.250 | 443 | TCP |
| 2024-11-23T14:17:36.543606+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.4 | 49732 | 104.21.88.250 | 443 | TCP |
| 2024-11-23T14:17:36.543606+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49732 | 104.21.88.250 | 443 | TCP |
| 2024-11-23T14:17:38.055093+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49733 | 104.21.88.250 | 443 | TCP |
| 2024-11-23T14:17:40.586974+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49734 | 104.21.88.250 | 443 | TCP |
| 2024-11-23T14:17:43.448049+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49735 | 104.21.88.250 | 443 | TCP |
| 2024-11-23T14:17:45.914671+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49736 | 104.21.88.250 | 443 | TCP |
| 2024-11-23T14:17:48.020961+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49738 | 104.21.88.250 | 443 | TCP |
| 2024-11-23T14:17:49.421766+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.4 | 49738 | 104.21.88.250 | 443 | TCP |
| 2024-11-23T14:17:50.790073+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49742 | 104.21.88.250 | 443 | TCP |
| 2024-11-23T14:17:51.493354+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49742 | 104.21.88.250 | 443 | TCP |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Nov 23, 2024 14:17:30.054642916 CET | 49730 | 443 | 192.168.2.4 | 104.21.43.198 |
| Nov 23, 2024 14:17:30.054686069 CET | 443 | 49730 | 104.21.43.198 | 192.168.2.4 |
| Nov 23, 2024 14:17:30.054790974 CET | 49730 | 443 | 192.168.2.4 | 104.21.43.198 |
| Nov 23, 2024 14:17:30.099710941 CET | 49730 | 443 | 192.168.2.4 | 104.21.43.198 |
| Nov 23, 2024 14:17:30.099730968 CET | 443 | 49730 | 104.21.43.198 | 192.168.2.4 |
| Nov 23, 2024 14:17:31.428204060 CET | 443 | 49730 | 104.21.43.198 | 192.168.2.4 |
| Nov 23, 2024 14:17:31.428348064 CET | 49730 | 443 | 192.168.2.4 | 104.21.43.198 |
| Nov 23, 2024 14:17:31.441452026 CET | 49730 | 443 | 192.168.2.4 | 104.21.43.198 |
| Nov 23, 2024 14:17:31.441468000 CET | 443 | 49730 | 104.21.43.198 | 192.168.2.4 |
| Nov 23, 2024 14:17:31.441894054 CET | 443 | 49730 | 104.21.43.198 | 192.168.2.4 |
| Nov 23, 2024 14:17:31.493243933 CET | 49730 | 443 | 192.168.2.4 | 104.21.43.198 |
| Nov 23, 2024 14:17:31.502232075 CET | 49730 | 443 | 192.168.2.4 | 104.21.43.198 |
| Nov 23, 2024 14:17:31.502263069 CET | 49730 | 443 | 192.168.2.4 | 104.21.43.198 |
| Nov 23, 2024 14:17:31.502410889 CET | 443 | 49730 | 104.21.43.198 | 192.168.2.4 |
| Nov 23, 2024 14:17:32.104173899 CET | 443 | 49730 | 104.21.43.198 | 192.168.2.4 |
| Nov 23, 2024 14:17:32.104409933 CET | 443 | 49730 | 104.21.43.198 | 192.168.2.4 |
| Nov 23, 2024 14:17:32.104475975 CET | 49730 | 443 | 192.168.2.4 | 104.21.43.198 |
| Nov 23, 2024 14:17:32.116283894 CET | 49730 | 443 | 192.168.2.4 | 104.21.43.198 |
| Nov 23, 2024 14:17:32.116313934 CET | 443 | 49730 | 104.21.43.198 | 192.168.2.4 |
| Nov 23, 2024 14:17:32.116355896 CET | 49730 | 443 | 192.168.2.4 | 104.21.43.198 |
| Nov 23, 2024 14:17:32.116363049 CET | 443 | 49730 | 104.21.43.198 | 192.168.2.4 |
| Nov 23, 2024 14:17:32.460639954 CET | 49731 | 443 | 192.168.2.4 | 104.21.88.250 |
| Nov 23, 2024 14:17:32.460714102 CET | 443 | 49731 | 104.21.88.250 | 192.168.2.4 |
| Nov 23, 2024 14:17:32.460822105 CET | 49731 | 443 | 192.168.2.4 | 104.21.88.250 |
| Nov 23, 2024 14:17:32.461282015 CET | 49731 | 443 | 192.168.2.4 | 104.21.88.250 |
| Nov 23, 2024 14:17:32.461317062 CET | 443 | 49731 | 104.21.88.250 | 192.168.2.4 |
| Nov 23, 2024 14:17:33.785625935 CET | 443 | 49731 | 104.21.88.250 | 192.168.2.4 |
| Nov 23, 2024 14:17:33.785866976 CET | 49731 | 443 | 192.168.2.4 | 104.21.88.250 |
| Nov 23, 2024 14:17:33.790201902 CET | 49731 | 443 | 192.168.2.4 | 104.21.88.250 |
| Nov 23, 2024 14:17:33.790224075 CET | 443 | 49731 | 104.21.88.250 | 192.168.2.4 |
| Nov 23, 2024 14:17:33.790683985 CET | 443 | 49731 | 104.21.88.250 | 192.168.2.4 |
| Nov 23, 2024 14:17:33.806097984 CET | 49731 | 443 | 192.168.2.4 | 104.21.88.250 |
| Nov 23, 2024 14:17:33.806258917 CET | 49731 | 443 | 192.168.2.4 | 104.21.88.250 |
| Nov 23, 2024 14:17:33.806307077 CET | 443 | 49731 | 104.21.88.250 | 192.168.2.4 |
| Nov 23, 2024 14:17:34.517749071 CET | 443 | 49731 | 104.21.88.250 | 192.168.2.4 |
| Nov 23, 2024 14:17:34.517992020 CET | 443 | 49731 | 104.21.88.250 | 192.168.2.4 |
| Nov 23, 2024 14:17:34.518060923 CET | 49731 | 443 | 192.168.2.4 | 104.21.88.250 |
| Nov 23, 2024 14:17:34.518129110 CET | 49731 | 443 | 192.168.2.4 | 104.21.88.250 |
| Nov 23, 2024 14:17:34.518161058 CET | 443 | 49731 | 104.21.88.250 | 192.168.2.4 |
| Nov 23, 2024 14:17:34.518202066 CET | 49731 | 443 | 192.168.2.4 | 104.21.88.250 |
| Nov 23, 2024 14:17:34.518215895 CET | 443 | 49731 | 104.21.88.250 | 192.168.2.4 |
| Nov 23, 2024 14:17:34.575256109 CET | 49732 | 443 | 192.168.2.4 | 104.21.88.250 |
| Nov 23, 2024 14:17:34.575366974 CET | 443 | 49732 | 104.21.88.250 | 192.168.2.4 |
| Nov 23, 2024 14:17:34.575437069 CET | 49732 | 443 | 192.168.2.4 | 104.21.88.250 |
| Nov 23, 2024 14:17:34.575752020 CET | 49732 | 443 | 192.168.2.4 | 104.21.88.250 |
| Nov 23, 2024 14:17:34.575773001 CET | 443 | 49732 | 104.21.88.250 | 192.168.2.4 |
| Nov 23, 2024 14:17:35.837169886 CET | 443 | 49732 | 104.21.88.250 | 192.168.2.4 |
| Nov 23, 2024 14:17:35.837311029 CET | 49732 | 443 | 192.168.2.4 | 104.21.88.250 |
| Nov 23, 2024 14:17:35.839109898 CET | 49732 | 443 | 192.168.2.4 | 104.21.88.250 |
| Nov 23, 2024 14:17:35.839117050 CET | 443 | 49732 | 104.21.88.250 | 192.168.2.4 |
| Nov 23, 2024 14:17:35.839441061 CET | 443 | 49732 | 104.21.88.250 | 192.168.2.4 |
| Nov 23, 2024 14:17:35.840672970 CET | 49732 | 443 | 192.168.2.4 | 104.21.88.250 |
| Nov 23, 2024 14:17:35.840698004 CET | 49732 | 443 | 192.168.2.4 | 104.21.88.250 |
| Nov 23, 2024 14:17:35.840753078 CET | 443 | 49732 | 104.21.88.250 | 192.168.2.4 |
| Nov 23, 2024 14:17:36.543700933 CET | 443 | 49732 | 104.21.88.250 | 192.168.2.4 |
| Nov 23, 2024 14:17:36.543924093 CET | 443 | 49732 | 104.21.88.250 | 192.168.2.4 |
| Nov 23, 2024 14:17:36.543994904 CET | 49732 | 443 | 192.168.2.4 | 104.21.88.250 |
| Nov 23, 2024 14:17:36.544044971 CET | 443 | 49732 | 104.21.88.250 | 192.168.2.4 |
| Nov 23, 2024 14:17:36.544167995 CET | 443 | 49732 | 104.21.88.250 | 192.168.2.4 |
| Nov 23, 2024 14:17:36.544224977 CET | 49732 | 443 | 192.168.2.4 | 104.21.88.250 |
| Nov 23, 2024 14:17:36.544238091 CET | 443 | 49732 | 104.21.88.250 | 192.168.2.4 |
| Nov 23, 2024 14:17:36.551634073 CET | 443 | 49732 | 104.21.88.250 | 192.168.2.4 |
| Nov 23, 2024 14:17:36.551681995 CET | 49732 | 443 | 192.168.2.4 | 104.21.88.250 |
| Nov 23, 2024 14:17:36.551695108 CET | 443 | 49732 | 104.21.88.250 | 192.168.2.4 |
| Nov 23, 2024 14:17:36.560194016 CET | 443 | 49732 | 104.21.88.250 | 192.168.2.4 |
| Nov 23, 2024 14:17:36.560266972 CET | 49732 | 443 | 192.168.2.4 | 104.21.88.250 |
| Nov 23, 2024 14:17:36.560281038 CET | 443 | 49732 | 104.21.88.250 | 192.168.2.4 |
| Nov 23, 2024 14:17:36.602701902 CET | 49732 | 443 | 192.168.2.4 | 104.21.88.250 |
| Nov 23, 2024 14:17:36.602725983 CET | 443 | 49732 | 104.21.88.250 | 192.168.2.4 |
| Nov 23, 2024 14:17:36.649530888 CET | 49732 | 443 | 192.168.2.4 | 104.21.88.250 |
| Nov 23, 2024 14:17:36.663103104 CET | 443 | 49732 | 104.21.88.250 | 192.168.2.4 |
| Nov 23, 2024 14:17:36.712060928 CET | 49732 | 443 | 192.168.2.4 | 104.21.88.250 |
| Nov 23, 2024 14:17:36.712121964 CET | 443 | 49732 | 104.21.88.250 | 192.168.2.4 |
| Nov 23, 2024 14:17:36.744568110 CET | 443 | 49732 | 104.21.88.250 | 192.168.2.4 |
| Nov 23, 2024 14:17:36.744640112 CET | 49732 | 443 | 192.168.2.4 | 104.21.88.250 |
| Nov 23, 2024 14:17:36.744656086 CET | 443 | 49732 | 104.21.88.250 | 192.168.2.4 |
| Nov 23, 2024 14:17:36.744728088 CET | 443 | 49732 | 104.21.88.250 | 192.168.2.4 |
| Nov 23, 2024 14:17:36.744781017 CET | 49732 | 443 | 192.168.2.4 | 104.21.88.250 |
| Nov 23, 2024 14:17:36.744858027 CET | 49732 | 443 | 192.168.2.4 | 104.21.88.250 |
| Nov 23, 2024 14:17:36.744870901 CET | 443 | 49732 | 104.21.88.250 | 192.168.2.4 |
| Nov 23, 2024 14:17:36.744884014 CET | 49732 | 443 | 192.168.2.4 | 104.21.88.250 |
| Nov 23, 2024 14:17:36.744889975 CET | 443 | 49732 | 104.21.88.250 | 192.168.2.4 |
| Nov 23, 2024 14:17:36.836975098 CET | 49733 | 443 | 192.168.2.4 | 104.21.88.250 |
| Nov 23, 2024 14:17:36.837063074 CET | 443 | 49733 | 104.21.88.250 | 192.168.2.4 |
| Nov 23, 2024 14:17:36.837161064 CET | 49733 | 443 | 192.168.2.4 | 104.21.88.250 |
| Nov 23, 2024 14:17:36.837558985 CET | 49733 | 443 | 192.168.2.4 | 104.21.88.250 |
| Nov 23, 2024 14:17:36.837599993 CET | 443 | 49733 | 104.21.88.250 | 192.168.2.4 |
| Nov 23, 2024 14:17:38.054970026 CET | 443 | 49733 | 104.21.88.250 | 192.168.2.4 |
| Nov 23, 2024 14:17:38.055093050 CET | 49733 | 443 | 192.168.2.4 | 104.21.88.250 |
| Nov 23, 2024 14:17:38.056644917 CET | 49733 | 443 | 192.168.2.4 | 104.21.88.250 |
| Nov 23, 2024 14:17:38.056668997 CET | 443 | 49733 | 104.21.88.250 | 192.168.2.4 |
| Nov 23, 2024 14:17:38.057470083 CET | 443 | 49733 | 104.21.88.250 | 192.168.2.4 |
| Nov 23, 2024 14:17:38.058696032 CET | 49733 | 443 | 192.168.2.4 | 104.21.88.250 |
| Nov 23, 2024 14:17:38.058844090 CET | 49733 | 443 | 192.168.2.4 | 104.21.88.250 |
| Nov 23, 2024 14:17:38.058902979 CET | 443 | 49733 | 104.21.88.250 | 192.168.2.4 |
| Nov 23, 2024 14:17:38.058990002 CET | 49733 | 443 | 192.168.2.4 | 104.21.88.250 |
| Nov 23, 2024 14:17:38.059003115 CET | 443 | 49733 | 104.21.88.250 | 192.168.2.4 |
| Nov 23, 2024 14:17:38.921720982 CET | 443 | 49733 | 104.21.88.250 | 192.168.2.4 |
| Nov 23, 2024 14:17:38.921833038 CET | 443 | 49733 | 104.21.88.250 | 192.168.2.4 |
| Nov 23, 2024 14:17:38.921910048 CET | 49733 | 443 | 192.168.2.4 | 104.21.88.250 |
| Nov 23, 2024 14:17:39.044950008 CET | 49733 | 443 | 192.168.2.4 | 104.21.88.250 |
| Nov 23, 2024 14:17:39.045002937 CET | 443 | 49733 | 104.21.88.250 | 192.168.2.4 |
| Nov 23, 2024 14:17:39.267842054 CET | 49734 | 443 | 192.168.2.4 | 104.21.88.250 |
| Nov 23, 2024 14:17:39.267951965 CET | 443 | 49734 | 104.21.88.250 | 192.168.2.4 |
| Nov 23, 2024 14:17:39.268044949 CET | 49734 | 443 | 192.168.2.4 | 104.21.88.250 |
| Nov 23, 2024 14:17:39.268485069 CET | 49734 | 443 | 192.168.2.4 | 104.21.88.250 |
| Nov 23, 2024 14:17:39.268507957 CET | 443 | 49734 | 104.21.88.250 | 192.168.2.4 |
| Nov 23, 2024 14:17:40.586823940 CET | 443 | 49734 | 104.21.88.250 | 192.168.2.4 |
| Nov 23, 2024 14:17:40.586973906 CET | 49734 | 443 | 192.168.2.4 | 104.21.88.250 |
| Nov 23, 2024 14:17:40.588807106 CET | 49734 | 443 | 192.168.2.4 | 104.21.88.250 |
| Nov 23, 2024 14:17:40.588828087 CET | 443 | 49734 | 104.21.88.250 | 192.168.2.4 |
| Nov 23, 2024 14:17:40.589612961 CET | 443 | 49734 | 104.21.88.250 | 192.168.2.4 |
| Nov 23, 2024 14:17:40.590830088 CET | 49734 | 443 | 192.168.2.4 | 104.21.88.250 |
| Nov 23, 2024 14:17:40.590955973 CET | 49734 | 443 | 192.168.2.4 | 104.21.88.250 |
| Nov 23, 2024 14:17:40.590993881 CET | 443 | 49734 | 104.21.88.250 | 192.168.2.4 |
| Nov 23, 2024 14:17:41.435725927 CET | 443 | 49734 | 104.21.88.250 | 192.168.2.4 |
| Nov 23, 2024 14:17:41.435997009 CET | 443 | 49734 | 104.21.88.250 | 192.168.2.4 |
| Nov 23, 2024 14:17:41.436048031 CET | 49734 | 443 | 192.168.2.4 | 104.21.88.250 |
| Nov 23, 2024 14:17:41.436116934 CET | 49734 | 443 | 192.168.2.4 | 104.21.88.250 |
| Nov 23, 2024 14:17:42.226366997 CET | 49735 | 443 | 192.168.2.4 | 104.21.88.250 |
| Nov 23, 2024 14:17:42.226459980 CET | 443 | 49735 | 104.21.88.250 | 192.168.2.4 |
| Nov 23, 2024 14:17:42.226555109 CET | 49735 | 443 | 192.168.2.4 | 104.21.88.250 |
| Nov 23, 2024 14:17:42.227000952 CET | 49735 | 443 | 192.168.2.4 | 104.21.88.250 |
| Nov 23, 2024 14:17:42.227039099 CET | 443 | 49735 | 104.21.88.250 | 192.168.2.4 |
| Nov 23, 2024 14:17:43.447890997 CET | 443 | 49735 | 104.21.88.250 | 192.168.2.4 |
| Nov 23, 2024 14:17:43.448049068 CET | 49735 | 443 | 192.168.2.4 | 104.21.88.250 |
| Nov 23, 2024 14:17:43.449589014 CET | 49735 | 443 | 192.168.2.4 | 104.21.88.250 |
| Nov 23, 2024 14:17:43.449615955 CET | 443 | 49735 | 104.21.88.250 | 192.168.2.4 |
| Nov 23, 2024 14:17:43.450517893 CET | 443 | 49735 | 104.21.88.250 | 192.168.2.4 |
| Nov 23, 2024 14:17:43.451761961 CET | 49735 | 443 | 192.168.2.4 | 104.21.88.250 |
| Nov 23, 2024 14:17:43.451960087 CET | 49735 | 443 | 192.168.2.4 | 104.21.88.250 |
| Nov 23, 2024 14:17:43.452006102 CET | 443 | 49735 | 104.21.88.250 | 192.168.2.4 |
| Nov 23, 2024 14:17:43.452081919 CET | 49735 | 443 | 192.168.2.4 | 104.21.88.250 |
| Nov 23, 2024 14:17:43.452100992 CET | 443 | 49735 | 104.21.88.250 | 192.168.2.4 |
| Nov 23, 2024 14:17:44.199078083 CET | 443 | 49735 | 104.21.88.250 | 192.168.2.4 |
| Nov 23, 2024 14:17:44.199353933 CET | 443 | 49735 | 104.21.88.250 | 192.168.2.4 |
| Nov 23, 2024 14:17:44.199426889 CET | 49735 | 443 | 192.168.2.4 | 104.21.88.250 |
| Nov 23, 2024 14:17:44.199485064 CET | 49735 | 443 | 192.168.2.4 | 104.21.88.250 |
| Nov 23, 2024 14:17:44.686213017 CET | 49736 | 443 | 192.168.2.4 | 104.21.88.250 |
| Nov 23, 2024 14:17:44.686249018 CET | 443 | 49736 | 104.21.88.250 | 192.168.2.4 |
| Nov 23, 2024 14:17:44.686331987 CET | 49736 | 443 | 192.168.2.4 | 104.21.88.250 |
| Nov 23, 2024 14:17:44.687153101 CET | 49736 | 443 | 192.168.2.4 | 104.21.88.250 |
| Nov 23, 2024 14:17:44.687165022 CET | 443 | 49736 | 104.21.88.250 | 192.168.2.4 |
| Nov 23, 2024 14:17:45.914608002 CET | 443 | 49736 | 104.21.88.250 | 192.168.2.4 |
| Nov 23, 2024 14:17:45.914670944 CET | 49736 | 443 | 192.168.2.4 | 104.21.88.250 |
| Nov 23, 2024 14:17:45.916116953 CET | 49736 | 443 | 192.168.2.4 | 104.21.88.250 |
| Nov 23, 2024 14:17:45.916126966 CET | 443 | 49736 | 104.21.88.250 | 192.168.2.4 |
| Nov 23, 2024 14:17:45.916357040 CET | 443 | 49736 | 104.21.88.250 | 192.168.2.4 |
| Nov 23, 2024 14:17:45.917854071 CET | 49736 | 443 | 192.168.2.4 | 104.21.88.250 |
| Nov 23, 2024 14:17:45.917941093 CET | 49736 | 443 | 192.168.2.4 | 104.21.88.250 |
| Nov 23, 2024 14:17:45.917947054 CET | 443 | 49736 | 104.21.88.250 | 192.168.2.4 |
| Nov 23, 2024 14:17:46.604207039 CET | 443 | 49736 | 104.21.88.250 | 192.168.2.4 |
| Nov 23, 2024 14:17:46.604450941 CET | 49736 | 443 | 192.168.2.4 | 104.21.88.250 |
| Nov 23, 2024 14:17:46.604460001 CET | 443 | 49736 | 104.21.88.250 | 192.168.2.4 |
| Nov 23, 2024 14:17:46.604521036 CET | 49736 | 443 | 192.168.2.4 | 104.21.88.250 |
| Nov 23, 2024 14:17:46.756831884 CET | 49738 | 443 | 192.168.2.4 | 104.21.88.250 |
| Nov 23, 2024 14:17:46.756869078 CET | 443 | 49738 | 104.21.88.250 | 192.168.2.4 |
| Nov 23, 2024 14:17:46.756952047 CET | 49738 | 443 | 192.168.2.4 | 104.21.88.250 |
| Nov 23, 2024 14:17:46.757302046 CET | 49738 | 443 | 192.168.2.4 | 104.21.88.250 |
| Nov 23, 2024 14:17:46.757317066 CET | 443 | 49738 | 104.21.88.250 | 192.168.2.4 |
| Nov 23, 2024 14:17:48.020884037 CET | 443 | 49738 | 104.21.88.250 | 192.168.2.4 |
| Nov 23, 2024 14:17:48.020961046 CET | 49738 | 443 | 192.168.2.4 | 104.21.88.250 |
| Nov 23, 2024 14:17:48.022407055 CET | 49738 | 443 | 192.168.2.4 | 104.21.88.250 |
| Nov 23, 2024 14:17:48.022424936 CET | 443 | 49738 | 104.21.88.250 | 192.168.2.4 |
| Nov 23, 2024 14:17:48.022743940 CET | 443 | 49738 | 104.21.88.250 | 192.168.2.4 |
| Nov 23, 2024 14:17:48.037467003 CET | 49738 | 443 | 192.168.2.4 | 104.21.88.250 |
| Nov 23, 2024 14:17:48.037558079 CET | 49738 | 443 | 192.168.2.4 | 104.21.88.250 |
| Nov 23, 2024 14:17:48.037564993 CET | 443 | 49738 | 104.21.88.250 | 192.168.2.4 |
| Nov 23, 2024 14:17:49.421860933 CET | 443 | 49738 | 104.21.88.250 | 192.168.2.4 |
| Nov 23, 2024 14:17:49.422173023 CET | 443 | 49738 | 104.21.88.250 | 192.168.2.4 |
| Nov 23, 2024 14:17:49.422195911 CET | 49738 | 443 | 192.168.2.4 | 104.21.88.250 |
| Nov 23, 2024 14:17:49.422259092 CET | 49738 | 443 | 192.168.2.4 | 104.21.88.250 |
| Nov 23, 2024 14:17:49.528989077 CET | 49742 | 443 | 192.168.2.4 | 104.21.88.250 |
| Nov 23, 2024 14:17:49.529032946 CET | 443 | 49742 | 104.21.88.250 | 192.168.2.4 |
| Nov 23, 2024 14:17:49.529097080 CET | 49742 | 443 | 192.168.2.4 | 104.21.88.250 |
| Nov 23, 2024 14:17:49.529557943 CET | 49742 | 443 | 192.168.2.4 | 104.21.88.250 |
| Nov 23, 2024 14:17:49.529568911 CET | 443 | 49742 | 104.21.88.250 | 192.168.2.4 |
| Nov 23, 2024 14:17:50.790005922 CET | 443 | 49742 | 104.21.88.250 | 192.168.2.4 |
| Nov 23, 2024 14:17:50.790072918 CET | 49742 | 443 | 192.168.2.4 | 104.21.88.250 |
| Nov 23, 2024 14:17:50.791356087 CET | 49742 | 443 | 192.168.2.4 | 104.21.88.250 |
| Nov 23, 2024 14:17:50.791367054 CET | 443 | 49742 | 104.21.88.250 | 192.168.2.4 |
| Nov 23, 2024 14:17:50.791692972 CET | 443 | 49742 | 104.21.88.250 | 192.168.2.4 |
| Nov 23, 2024 14:17:50.800978899 CET | 49742 | 443 | 192.168.2.4 | 104.21.88.250 |
| Nov 23, 2024 14:17:50.801042080 CET | 49742 | 443 | 192.168.2.4 | 104.21.88.250 |
| Nov 23, 2024 14:17:50.801136017 CET | 443 | 49742 | 104.21.88.250 | 192.168.2.4 |
| Nov 23, 2024 14:17:51.492975950 CET | 443 | 49742 | 104.21.88.250 | 192.168.2.4 |
| Nov 23, 2024 14:17:51.493282080 CET | 443 | 49742 | 104.21.88.250 | 192.168.2.4 |
| Nov 23, 2024 14:17:51.493365049 CET | 49742 | 443 | 192.168.2.4 | 104.21.88.250 |
| Nov 23, 2024 14:17:51.511229038 CET | 49742 | 443 | 192.168.2.4 | 104.21.88.250 |
| Nov 23, 2024 14:17:51.511264086 CET | 443 | 49742 | 104.21.88.250 | 192.168.2.4 |
| Nov 23, 2024 14:17:51.511305094 CET | 49742 | 443 | 192.168.2.4 | 104.21.88.250 |
| Nov 23, 2024 14:17:51.511320114 CET | 443 | 49742 | 104.21.88.250 | 192.168.2.4 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Nov 23, 2024 14:17:29.663824081 CET | 61706 | 53 | 192.168.2.4 | 1.1.1.1 |
| Nov 23, 2024 14:17:30.042036057 CET | 53 | 61706 | 1.1.1.1 | 192.168.2.4 |
| Nov 23, 2024 14:17:32.121208906 CET | 63862 | 53 | 192.168.2.4 | 1.1.1.1 |
| Nov 23, 2024 14:17:32.458523035 CET | 53 | 63862 | 1.1.1.1 | 192.168.2.4 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Nov 23, 2024 14:17:29.663824081 CET | 192.168.2.4 | 1.1.1.1 | 0xf0ed | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Nov 23, 2024 14:17:32.121208906 CET | 192.168.2.4 | 1.1.1.1 | 0xcbf1 | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Nov 23, 2024 14:17:30.042036057 CET | 1.1.1.1 | 192.168.2.4 | 0xf0ed | No error (0) | 104.21.43.198 | A (IP address) | IN (0x0001) | false | ||
| Nov 23, 2024 14:17:30.042036057 CET | 1.1.1.1 | 192.168.2.4 | 0xf0ed | No error (0) | 172.67.184.174 | A (IP address) | IN (0x0001) | false | ||
| Nov 23, 2024 14:17:32.458523035 CET | 1.1.1.1 | 192.168.2.4 | 0xcbf1 | No error (0) | 104.21.88.250 | A (IP address) | IN (0x0001) | false | ||
| Nov 23, 2024 14:17:32.458523035 CET | 1.1.1.1 | 192.168.2.4 | 0xcbf1 | No error (0) | 172.67.155.47 | A (IP address) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.4 | 49730 | 104.21.43.198 | 443 | 6276 | C:\Users\user\Desktop\injector V2.5.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-11-23 13:17:31 UTC | 261 | OUT | |
| 2024-11-23 13:17:31 UTC | 8 | OUT | |
| 2024-11-23 13:17:32 UTC | 1011 | IN | |
| 2024-11-23 13:17:32 UTC | 9 | IN | |
| 2024-11-23 13:17:32 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.4 | 49731 | 104.21.88.250 | 443 | 6276 | C:\Users\user\Desktop\injector V2.5.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-11-23 13:17:33 UTC | 263 | OUT | |
| 2024-11-23 13:17:33 UTC | 8 | OUT | |
| 2024-11-23 13:17:34 UTC | 1011 | IN | |
| 2024-11-23 13:17:34 UTC | 7 | IN | |
| 2024-11-23 13:17:34 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 2 | 192.168.2.4 | 49732 | 104.21.88.250 | 443 | 6276 | C:\Users\user\Desktop\injector V2.5.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-11-23 13:17:35 UTC | 264 | OUT | |
| 2024-11-23 13:17:35 UTC | 86 | OUT | |
| 2024-11-23 13:17:36 UTC | 1010 | IN | |
| 2024-11-23 13:17:36 UTC | 359 | IN | |
| 2024-11-23 13:17:36 UTC | 891 | IN | |
| 2024-11-23 13:17:36 UTC | 1369 | IN | |
| 2024-11-23 13:17:36 UTC | 1369 | IN | |
| 2024-11-23 13:17:36 UTC | 1369 | IN | |
| 2024-11-23 13:17:36 UTC | 1369 | IN | |
| 2024-11-23 13:17:36 UTC | 1369 | IN | |
| 2024-11-23 13:17:36 UTC | 1369 | IN | |
| 2024-11-23 13:17:36 UTC | 1369 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 3 | 192.168.2.4 | 49733 | 104.21.88.250 | 443 | 6276 | C:\Users\user\Desktop\injector V2.5.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-11-23 13:17:38 UTC | 272 | OUT | |
| 2024-11-23 13:17:38 UTC | 15331 | OUT | |
| 2024-11-23 13:17:38 UTC | 2779 | OUT | |
| 2024-11-23 13:17:38 UTC | 1007 | IN | |
| 2024-11-23 13:17:38 UTC | 19 | IN | |
| 2024-11-23 13:17:38 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 4 | 192.168.2.4 | 49734 | 104.21.88.250 | 443 | 6276 | C:\Users\user\Desktop\injector V2.5.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-11-23 13:17:40 UTC | 281 | OUT | |
| 2024-11-23 13:17:40 UTC | 8791 | OUT | |
| 2024-11-23 13:17:41 UTC | 1008 | IN | |
| 2024-11-23 13:17:41 UTC | 19 | IN | |
| 2024-11-23 13:17:41 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 5 | 192.168.2.4 | 49735 | 104.21.88.250 | 443 | 6276 | C:\Users\user\Desktop\injector V2.5.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-11-23 13:17:43 UTC | 274 | OUT | |
| 2024-11-23 13:17:43 UTC | 15331 | OUT | |
| 2024-11-23 13:17:43 UTC | 5065 | OUT | |
| 2024-11-23 13:17:44 UTC | 1013 | IN | |
| 2024-11-23 13:17:44 UTC | 19 | IN | |
| 2024-11-23 13:17:44 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 6 | 192.168.2.4 | 49736 | 104.21.88.250 | 443 | 6276 | C:\Users\user\Desktop\injector V2.5.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-11-23 13:17:45 UTC | 279 | OUT | |
| 2024-11-23 13:17:45 UTC | 1261 | OUT | |
| 2024-11-23 13:17:46 UTC | 1018 | IN | |
| 2024-11-23 13:17:46 UTC | 19 | IN | |
| 2024-11-23 13:17:46 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 7 | 192.168.2.4 | 49738 | 104.21.88.250 | 443 | 6276 | C:\Users\user\Desktop\injector V2.5.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-11-23 13:17:48 UTC | 271 | OUT | |
| 2024-11-23 13:17:48 UTC | 1074 | OUT | |
| 2024-11-23 13:17:49 UTC | 1013 | IN | |
| 2024-11-23 13:17:49 UTC | 19 | IN | |
| 2024-11-23 13:17:49 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 8 | 192.168.2.4 | 49742 | 104.21.88.250 | 443 | 6276 | C:\Users\user\Desktop\injector V2.5.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-11-23 13:17:50 UTC | 265 | OUT | |
| 2024-11-23 13:17:50 UTC | 121 | OUT | |
| 2024-11-23 13:17:51 UTC | 1008 | IN | |
| 2024-11-23 13:17:51 UTC | 54 | IN | |
| 2024-11-23 13:17:51 UTC | 5 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 08:17:27 |
| Start date: | 23/11/2024 |
| Path: | C:\Users\user\Desktop\injector V2.5.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x5f0000 |
| File size: | 501'248 bytes |
| MD5 hash: | BCC3A5AC8CA364B58E08A8E771992D6A |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
| Target ID: | 1 |
| Start time: | 08:17:27 |
| Start date: | 23/11/2024 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7699e0000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 2 |
| Start time: | 08:17:28 |
| Start date: | 23/11/2024 |
| Path: | C:\Users\user\Desktop\injector V2.5.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x5f0000 |
| File size: | 501'248 bytes |
| MD5 hash: | BCC3A5AC8CA364B58E08A8E771992D6A |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
Execution Graph
| Execution Coverage: | 4.1% |
| Dynamic/Decrypted Code Coverage: | 100% |
| Signature Coverage: | 3.5% |
| Total number of Nodes: | 1634 |
| Total number of Limit Nodes: | 25 |
Graph
Function 0061B18D Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 295threadinjectionmemoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005FCD10 Relevance: .0, Instructions: 29COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00609DD3 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005FBEB0 Relevance: 9.2, APIs: 6, Instructions: 173fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00606CE6 Relevance: 4.6, APIs: 3, Instructions: 51threadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0060A732 Relevance: 3.1, APIs: 2, Instructions: 65COMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00606E00 Relevance: 3.0, APIs: 2, Instructions: 38threadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0060B0CB Relevance: 3.0, APIs: 2, Instructions: 22memoryCOMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00603B60 Relevance: 1.6, APIs: 1, Instructions: 86COMMON
Download Yara Rule
Control-flow Graph
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005FCD90 Relevance: 1.5, APIs: 1, Instructions: 41COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0060BC45 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00604CA2 Relevance: 143.7, APIs: 41, Strings: 41, Instructions: 180libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005FCE70 Relevance: 8.0, APIs: 5, Instructions: 518threadCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0060C7DB Relevance: 6.2, APIs: 4, Instructions: 206fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00605444 Relevance: 6.1, APIs: 4, Instructions: 73COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 006015A0 Relevance: 4.4, APIs: 2, Instructions: 1444COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00605200 Relevance: 1.6, APIs: 1, Instructions: 147COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00605438 Relevance: 1.5, APIs: 1, Instructions: 3COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00609F90 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005F86C0 Relevance: .7, Instructions: 725COMMONLIBRARYCODE
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 006034D0 Relevance: .6, Instructions: 607COMMONLIBRARYCODE
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005FF980 Relevance: .5, Instructions: 456COMMONLIBRARYCODE
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005FBD50 Relevance: .0, Instructions: 15COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 006090D3 Relevance: 17.8, APIs: 5, Strings: 5, Instructions: 303COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00610308 Relevance: 12.2, APIs: 8, Instructions: 248COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00606F54 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0060DF1D Relevance: 7.7, APIs: 5, Instructions: 197COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 006094F8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 114COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0060DC5E Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0060C5B8 Relevance: 6.1, APIs: 4, Instructions: 82COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0060D22D Relevance: 6.1, APIs: 4, Instructions: 74COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00608D6C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 93COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 006045A6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Execution Graph
| Execution Coverage: | 6.8% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 52.7% |
| Total number of Nodes: | 296 |
| Total number of Limit Nodes: | 27 |
Graph
Function 0043AAE0 Relevance: 33.7, APIs: 11, Strings: 8, Instructions: 429memorycomCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00408C70 Relevance: 7.6, APIs: 5, Instructions: 148threadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040AD50 Relevance: 6.7, Strings: 5, Instructions: 422COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00409AE0 Relevance: 6.7, Strings: 5, Instructions: 422COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040B97E Relevance: 2.7, Strings: 2, Instructions: 247COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040C5BE Relevance: 1.5, Strings: 1, Instructions: 270COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043FAC0 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004427D0 Relevance: 1.4, Strings: 1, Instructions: 156COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00442530 Relevance: 1.4, Strings: 1, Instructions: 155COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00442B00 Relevance: 1.4, Strings: 1, Instructions: 114COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004190D0 Relevance: .5, Instructions: 464COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042EB98 Relevance: .1, Instructions: 130COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043D1B0 Relevance: 1.6, APIs: 1, Instructions: 80memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040A020 Relevance: 1.6, APIs: 1, Instructions: 72libraryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00433E66 Relevance: 1.5, APIs: 1, Instructions: 26COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004325A0 Relevance: 1.5, APIs: 1, Instructions: 24COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040D2E3 Relevance: 1.5, APIs: 1, Instructions: 20COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040D2B0 Relevance: 1.5, APIs: 1, Instructions: 17COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00435300 Relevance: 29.9, APIs: 6, Strings: 11, Instructions: 129clipboardCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00426BD0 Relevance: 24.9, Strings: 19, Instructions: 1180COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00426E00 Relevance: 22.5, Strings: 17, Instructions: 1277COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00426F70 Relevance: 21.1, Strings: 16, Instructions: 1089COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042D830 Relevance: 14.0, Strings: 11, Instructions: 267COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041BFB6 Relevance: 9.3, Strings: 7, Instructions: 513COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042A0D5 Relevance: 8.6, Strings: 6, Instructions: 1123COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00605444 Relevance: 6.1, APIs: 4, Instructions: 73COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041EFF5 Relevance: 5.6, Strings: 4, Instructions: 567COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004296F4 Relevance: 5.5, Strings: 4, Instructions: 453COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041DA40 Relevance: 4.0, Strings: 3, Instructions: 211COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041DD48 Relevance: 3.9, Strings: 3, Instructions: 133COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041C7C9 Relevance: 3.2, Strings: 2, Instructions: 677COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00441860 Relevance: 3.1, Strings: 2, Instructions: 640COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00441930 Relevance: 3.1, Strings: 2, Instructions: 633COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041F6E0 Relevance: 2.9, Strings: 2, Instructions: 409COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041FB20 Relevance: 2.9, Strings: 2, Instructions: 404COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404A31 Relevance: 2.9, Strings: 2, Instructions: 386COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041BB10 Relevance: 2.7, Strings: 2, Instructions: 212COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042E06F Relevance: 2.7, Strings: 2, Instructions: 193COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042E039 Relevance: 2.7, Strings: 2, Instructions: 184COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042E007 Relevance: 2.7, Strings: 2, Instructions: 151COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043DAC0 Relevance: 2.0, Strings: 1, Instructions: 739COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00425190 Relevance: 1.8, APIs: 1, Instructions: 254comCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041FF7F Relevance: 1.7, Strings: 1, Instructions: 441COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042D040 Relevance: 1.6, Strings: 1, Instructions: 387COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040F096 Relevance: 1.6, Strings: 1, Instructions: 326COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040CE52 Relevance: 1.5, Strings: 1, Instructions: 265COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040E1EC Relevance: 1.5, Strings: 1, Instructions: 254COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042D4A0 Relevance: 1.5, Strings: 1, Instructions: 244COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042FD65 Relevance: 1.5, Strings: 1, Instructions: 243COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00442970 Relevance: 1.4, Strings: 1, Instructions: 153COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041E2F0 Relevance: 1.4, Strings: 1, Instructions: 144COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00407870 Relevance: .8, Instructions: 826COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042B0FA Relevance: .3, Instructions: 341COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004068B0 Relevance: .3, Instructions: 314COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00443260 Relevance: .3, Instructions: 298COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040E7D9 Relevance: .3, Instructions: 253COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042B340 Relevance: .2, Instructions: 191COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042DE10 Relevance: .2, Instructions: 185COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00426510 Relevance: .1, Instructions: 75COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004379E0 Relevance: .1, Instructions: 64COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042CAB0 Relevance: .1, Instructions: 63COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402820 Relevance: .0, Instructions: 45COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040E714 Relevance: .0, Instructions: 34COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040C303 Relevance: .0, Instructions: 19COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00604CA2 Relevance: 143.7, APIs: 41, Strings: 41, Instructions: 180libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004345D3 Relevance: 43.9, APIs: 1, Strings: 24, Instructions: 159memoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 006090D3 Relevance: 16.1, APIs: 5, Strings: 4, Instructions: 303COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00610308 Relevance: 12.2, APIs: 8, Instructions: 248COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00609DD3 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005FBEB0 Relevance: 9.2, APIs: 6, Instructions: 173fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00606F54 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0060DF1D Relevance: 7.7, APIs: 5, Instructions: 197COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 006094F8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 114COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0060DC5E Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0060C5B8 Relevance: 6.1, APIs: 4, Instructions: 82COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0060CB54 Relevance: 6.1, APIs: 4, Instructions: 79COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0060D22D Relevance: 6.1, APIs: 4, Instructions: 74COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00608D6C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 93COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 006041C6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 93COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00604241 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 006045A6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|