Edit tour
Windows
Analysis Report
arcaneloader.exe
Overview
General Information
| Sample name: | arcaneloader.exe |
| Analysis ID: | 1561494 |
| MD5: | f6af7a6808f0e831fed6566c54b1e94e |
| SHA1: | c892db08342003ea729c89e4b763448999eb4f5a |
| SHA256: | 131415b711a7dbe49af20022577ad51c271d75175e32547a8107a56d7462f1d7 |
| Tags: | exeuser-4k95m |
| Infos: |  |
 | |
Detection
LummaC Stealer
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Classification
- System is w10x64
arcaneloader.exe (PID: 1280 cmdline: "C:\Users\ user\Deskt op\arcanel oader.exe" MD5: F6AF7A6808F0E831FED6566C54B1E94E) 
conhost.exe (PID: 5232 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - arcaneloader.exe (PID: 280 cmdline:
"C:\Users\ user\Deskt op\arcanel oader.exe" MD5: F6AF7A6808F0E831FED6566C54B1E94E)
- cleanup
{"C2 url": ["fumblingactor.cyou"]}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security | ||
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security | ||
| Click to see the 1 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security |
⊘No Sigma rule has matched
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-23T15:03:05.016322+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49707 | 172.67.155.47 | 443 | TCP |
| 2024-11-23T15:03:07.004777+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49709 | 172.67.155.47 | 443 | TCP |
| 2024-11-23T15:03:09.287935+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49711 | 172.67.155.47 | 443 | TCP |
| 2024-11-23T15:03:11.509699+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49712 | 172.67.155.47 | 443 | TCP |
| 2024-11-23T15:03:13.653451+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49718 | 172.67.155.47 | 443 | TCP |
| 2024-11-23T15:03:16.264662+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49724 | 172.67.155.47 | 443 | TCP |
| 2024-11-23T15:03:18.795759+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49734 | 172.67.155.47 | 443 | TCP |
| 2024-11-23T15:03:22.293764+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49746 | 172.67.155.47 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-23T15:03:05.706014+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.6 | 49707 | 172.67.155.47 | 443 | TCP |
| 2024-11-23T15:03:07.718873+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.6 | 49709 | 172.67.155.47 | 443 | TCP |
| 2024-11-23T15:03:23.048426+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.6 | 49746 | 172.67.155.47 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-23T15:03:05.706014+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.6 | 49707 | 172.67.155.47 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-23T15:03:07.718873+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.6 | 49709 | 172.67.155.47 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-23T15:03:16.992599+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49724 | 172.67.155.47 | 443 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Malware Configuration Extractor: | ||
| Source: | ReversingLabs: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | Code function: | 3_2_0041C8CA | |
| Source: | Static PE information: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00DCC7DB | |
| Source: | Code function: | 0_2_00DCC72A | |
| Source: | Code function: | 3_2_00DCC7DB | |
| Source: | Code function: | 3_2_00DCC72A | |
| Source: | Code function: | 3_2_0040C10E | |
| Source: | Code function: | 3_2_004269C2 | |
| Source: | Code function: | 3_2_0042F246 | |
| Source: | Code function: | 3_2_0040B270 | |
| Source: | Code function: | 3_2_0040CA1E | |
| Source: | Code function: | 3_2_004222F0 | |
| Source: | Code function: | 3_2_00442460 | |
| Source: | Code function: | 3_2_0040D487 | |
| Source: | Code function: | 3_2_0040D487 | |
| Source: | Code function: | 3_2_0040ED41 | |
| Source: | Code function: | 3_2_0040ADDB | |
| Source: | Code function: | 3_2_0042EDFB | |
| Source: | Code function: | 3_2_00429590 | |
| Source: | Code function: | 3_2_0043F6C2 | |
| Source: | Code function: | 3_2_00441E80 | |
| Source: | Code function: | 3_2_0040CFE5 | |
| Source: | Code function: | 3_2_0042E84B | |
| Source: | Code function: | 3_2_00426810 | |
| Source: | Code function: | 3_2_0042C0DE | |
| Source: | Code function: | 3_2_004410E0 | |
| Source: | Code function: | 3_2_0041B888 | |
| Source: | Code function: | 3_2_0041B888 | |
| Source: | Code function: | 3_2_0042E8AB | |
| Source: | Code function: | 3_2_004428B0 | |
| Source: | Code function: | 3_2_0043A968 | |
| Source: | Code function: | 3_2_004411C0 | |
| Source: | Code function: | 3_2_0043E18E | |
| Source: | Code function: | 3_2_00440268 | |
| Source: | Code function: | 3_2_0043D2C0 | |
| Source: | Code function: | 3_2_0041B2ED | |
| Source: | Code function: | 3_2_0042C281 | |
| Source: | Code function: | 3_2_00420299 | |
| Source: | Code function: | 3_2_00420299 | |
| Source: | Code function: | 3_2_0041F2A9 | |
| Source: | Code function: | 3_2_004202AC | |
| Source: | Code function: | 3_2_004202AC | |
| Source: | Code function: | 3_2_0043FAB9 | |
| Source: | Code function: | 3_2_0042EB58 | |
| Source: | Code function: | 3_2_0040CB0E | |
| Source: | Code function: | 3_2_00425330 | |
| Source: | Code function: | 3_2_0040E3C6 | |
| Source: | Code function: | 3_2_00442BD0 | |
| Source: | Code function: | 3_2_00442BD0 | |
| Source: | Code function: | 3_2_0041B382 | |
| Source: | Code function: | 3_2_00429BAB | |
| Source: | Code function: | 3_2_0042EBBA | |
| Source: | Code function: | 3_2_0041F416 | |
| Source: | Code function: | 3_2_00425C1F | |
| Source: | Code function: | 3_2_0042C430 | |
| Source: | Code function: | 3_2_00407CD0 | |
| Source: | Code function: | 3_2_00402CA0 | |
| Source: | Code function: | 3_2_0042D550 | |
| Source: | Code function: | 3_2_00401D20 | |
| Source: | Code function: | 3_2_0042DDD6 | |
| Source: | Code function: | 3_2_0042DDD6 | |
| Source: | Code function: | 3_2_0041ED81 | |
| Source: | Code function: | 3_2_00440E40 | |
| Source: | Code function: | 3_2_0040A64A | |
| Source: | Code function: | 3_2_00441660 | |
| Source: | Code function: | 3_2_00441660 | |
| Source: | Code function: | 3_2_00437670 | |
| Source: | Code function: | 3_2_0041DE18 | |
| Source: | Code function: | 3_2_00409E30 | |
| Source: | Code function: | 3_2_0042F6C5 | |
| Source: | Code function: | 3_2_0040DECF | |
| Source: | Code function: | 3_2_004096E0 | |
| Source: | Code function: | 3_2_0042EDF6 | |
| Source: | Code function: | 3_2_00419F53 | |
| Source: | Code function: | 3_2_00440F70 | |
| Source: | Code function: | 3_2_00401F10 | |
| Source: | Code function: | 3_2_0042FF10 | |
| Source: | Code function: | 3_2_0042FF10 | |
| Source: | Code function: | 3_2_00423F20 | |
| Source: | Code function: | 3_2_00440FCA | |
| Source: | Code function: | 3_2_00402FD0 | |
| Source: | Code function: | 3_2_0042E7D7 | |
| Source: | Code function: | 3_2_0042E7F5 | |
| Source: | Code function: | 3_2_0042CFB0 | |
| Source: | Code function: | 3_2_0043CFB0 | |
Networking | |
|---|
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | URLs: | ||
| Source: | JA3 fingerprint: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | DNS traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Code function: | 3_2_004353C0 | |
| Source: | Code function: | 3_2_004353C0 | |
| Source: | Code function: | 3_2_00435540 | |
| Source: | Code function: | 0_2_00DBF4D0 | |
| Source: | Code function: | 0_2_00DC34D0 | |
| Source: | Code function: | 0_2_00DBF980 | |
| Source: | Code function: | 0_2_00DC15A0 | |
| Source: | Code function: | 0_2_00DB86C0 | |
| Source: | Code function: | 0_2_00DBCE70 | |
| Source: | Code function: | 0_2_00DD1FD2 | |
| Source: | Code function: | 0_2_00DBD7F0 | |
| Source: | Code function: | 3_2_0041C8CA | |
| Source: | Code function: | 3_2_004269C2 | |
| Source: | Code function: | 3_2_0043A1C0 | |
| Source: | Code function: | 3_2_0042F246 | |
| Source: | Code function: | 3_2_0040B270 | |
| Source: | Code function: | 3_2_004222F0 | |
| Source: | Code function: | 3_2_0043CAB0 | |
| Source: | Code function: | 3_2_0040D487 | |
| Source: | Code function: | 3_2_0040ED41 | |
| Source: | Code function: | 3_2_0042EDFB | |
| Source: | Code function: | 3_2_00429590 | |
| Source: | Code function: | 3_2_004425A0 | |
| Source: | Code function: | 3_2_0040F6C0 | |
| Source: | Code function: | 3_2_0043F6C2 | |
| Source: | Code function: | 3_2_00442EF0 | |
| Source: | Code function: | 3_2_00408F40 | |
| Source: | Code function: | 3_2_0043FF4D | |
| Source: | Code function: | 3_2_0041C058 | |
| Source: | Code function: | 3_2_00419860 | |
| Source: | Code function: | 3_2_0041D862 | |
| Source: | Code function: | 3_2_0042B820 | |
| Source: | Code function: | 3_2_004410E0 | |
| Source: | Code function: | 3_2_0042A080 | |
| Source: | Code function: | 3_2_0041B888 | |
| Source: | Code function: | 3_2_004428B0 | |
| Source: | Code function: | 3_2_00432142 | |
| Source: | Code function: | 3_2_0042A93A | |
| Source: | Code function: | 3_2_004071C0 | |
| Source: | Code function: | 3_2_004411C0 | |
| Source: | Code function: | 3_2_0041E1D0 | |
| Source: | Code function: | 3_2_004039E0 | |
| Source: | Code function: | 3_2_004061E0 | |
| Source: | Code function: | 3_2_004099F0 | |
| Source: | Code function: | 3_2_0040598A | |
| Source: | Code function: | 3_2_004399B0 | |
| Source: | Code function: | 3_2_0043DA60 | |
| Source: | Code function: | 3_2_00429A10 | |
| Source: | Code function: | 3_2_0043D2C0 | |
| Source: | Code function: | 3_2_00432A92 | |
| Source: | Code function: | 3_2_00402AB0 | |
| Source: | Code function: | 3_2_00427358 | |
| Source: | Code function: | 3_2_00442BD0 | |
| Source: | Code function: | 3_2_0041B382 | |
| Source: | Code function: | 3_2_00404390 | |
| Source: | Code function: | 3_2_00433390 | |
| Source: | Code function: | 3_2_00429BAB | |
| Source: | Code function: | 3_2_00427455 | |
| Source: | Code function: | 3_2_00425C1F | |
| Source: | Code function: | 3_2_0042C430 | |
| Source: | Code function: | 3_2_00407CD0 | |
| Source: | Code function: | 3_2_00431CF8 | |
| Source: | Code function: | 3_2_0040BD13 | |
| Source: | Code function: | 3_2_00406D30 | |
| Source: | Code function: | 3_2_0042DDD6 | |
| Source: | Code function: | 3_2_00428DDC | |
| Source: | Code function: | 3_2_0042ADF0 | |
| Source: | Code function: | 3_2_0041A583 | |
| Source: | Code function: | 3_2_0042FD86 | |
| Source: | Code function: | 3_2_00440E40 | |
| Source: | Code function: | 3_2_0041AE58 | |
| Source: | Code function: | 3_2_00441660 | |
| Source: | Code function: | 3_2_00420670 | |
| Source: | Code function: | 3_2_00409E30 | |
| Source: | Code function: | 3_2_0042F6C5 | |
| Source: | Code function: | 3_2_00425EEB | |
| Source: | Code function: | 3_2_00438EEE | |
| Source: | Code function: | 3_2_004066A0 | |
| Source: | Code function: | 3_2_0042EDF6 | |
| Source: | Code function: | 3_2_00439750 | |
| Source: | Code function: | 3_2_0043AF57 | |
| Source: | Code function: | 3_2_00422F5C | |
| Source: | Code function: | 3_2_00440F70 | |
| Source: | Code function: | 3_2_00440FCA | |
| Source: | Code function: | 3_2_00402FD0 | |
| Source: | Code function: | 3_2_00420FE0 | |
| Source: | Code function: | 3_2_004237E5 | |
| Source: | Code function: | 3_2_00426F80 | |
| Source: | Code function: | 3_2_0041F7A0 | |
| Source: | Code function: | 3_2_00DBF980 | |
| Source: | Code function: | 3_2_00DBF4D0 | |
| Source: | Code function: | 3_2_00DC34D0 | |
| Source: | Code function: | 3_2_00DC15A0 | |
| Source: | Code function: | 3_2_00DB86C0 | |
| Source: | Code function: | 3_2_00DBCE70 | |
| Source: | Code function: | 3_2_00DD1FD2 | |
| Source: | Code function: | 3_2_00DBD7F0 | |
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 3_2_0043A1C0 | |
| Source: | Mutant created: | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | ReversingLabs: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00DC4BD8 | |
| Source: | Code function: | 3_2_00DC4BD8 | |
| Source: | Code function: | 0_2_00DC4CA2 | |
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | System information queried: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | WMI Queries: | ||
| Source: | Code function: | 0_2_00DCC7DB | |
| Source: | Code function: | 0_2_00DCC72A | |
| Source: | Code function: | 3_2_00DCC7DB | |
| Source: | Code function: | 3_2_00DCC72A | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Process information queried: | Jump to behavior | ||
| Source: | Code function: | 3_2_0043F4A0 | |
| Source: | Code function: | 0_2_00DC5444 | |
| Source: | Code function: | 0_2_00DDB18D | |
| Source: | Code function: | 0_2_00DBCD10 | |
| Source: | Code function: | 0_2_00DBBD50 | |
| Source: | Code function: | 3_2_00DBBD50 | |
| Source: | Code function: | 3_2_00DBCD10 | |
| Source: | Code function: | 0_2_00DC9F90 | |
| Source: | Code function: | 0_2_00DC5444 | |
| Source: | Code function: | 0_2_00DC5438 | |
| Source: | Code function: | 0_2_00DC7DCA | |
| Source: | Code function: | 0_2_00DC4AD9 | |
| Source: | Code function: | 3_2_00DC4AD9 | |
| Source: | Code function: | 3_2_00DC5444 | |
| Source: | Code function: | 3_2_00DC5438 | |
| Source: | Code function: | 3_2_00DC7DCA | |
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | Code function: | 0_2_00DDB18D | |
| Source: | Memory written: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Code function: | 0_2_00DC5200 | |
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Code function: | 0_2_00DC58C5 | |
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | WMI Queries: | ||
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | File source: | ||
| Source: | File source: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Windows Management Instrumentation | 1 DLL Side-Loading | 211 Process Injection | 11 Virtualization/Sandbox Evasion | 2 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Screen Capture | 21 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 211 Process Injection | LSASS Memory | 141 Security Software Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Deobfuscate/Decode Files or Information | Security Account Manager | 11 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 41 Data from Local System | 113 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 3 Obfuscated Files or Information | NTDS | 1 Process Discovery | Distributed Component Object Model | 2 Clipboard Data | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Software Packing | LSA Secrets | 11 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 33 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 42% | ReversingLabs | Win32.Packed.Generic | ||
| 100% | Joe Sandbox ML |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| frogs-severz.sbs | 172.67.155.47 | true | false | high | |
| fumblingactor.cyou | unknown | unknown | true | unknown |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| true |
| unknown | |
| true |
| unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 172.67.155.47 | frogs-severz.sbs | United States | 13335 | CLOUDFLARENETUS | false |
| Joe Sandbox version: | 41.0.0 Charoite |
| Analysis ID: | 1561494 |
| Start date and time: | 2024-11-23 15:02:09 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 4m 49s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 7 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | arcaneloader.exe |
| Detection: | MAL |
| Classification: | mal100.troj.spyw.evad.winEXE@4/0@2/1 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe
- Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
- VT rate limit hit for: arcaneloader.exe
| Time | Type | Description |
|---|---|---|
| 09:03:02 | API Interceptor |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 172.67.155.47 | Get hash | malicious | LummaC Stealer | Browse |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| frogs-severz.sbs | Get hash | malicious | LummaC Stealer | Browse |
| |
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| CLOUDFLARENETUS | Get hash | malicious | CredGrabber, Meduza Stealer | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| a0e9f5d64349fb13191bc781f81f42e1 | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
|
⊘No context
⊘No created / dropped files found
| File type: | |
| Entropy (8bit): | 7.736219294397836 |
| TrID: |
|
| File name: | arcaneloader.exe |
| File size: | 507'392 bytes |
| MD5: | f6af7a6808f0e831fed6566c54b1e94e |
| SHA1: | c892db08342003ea729c89e4b763448999eb4f5a |
| SHA256: | 131415b711a7dbe49af20022577ad51c271d75175e32547a8107a56d7462f1d7 |
| SHA512: | ab42cb1b69028a5a3788aa82c526a4fd7278dd0c1859bd968b4c0594a6a8c940a68299dfc375d4288def9e0e62c90a3939b70903057ebe1adda2d6d58db462a5 |
| SSDEEP: | 6144:SJLDwnXc+nZ5tc5tpJgurXjjmNcEIwyg8XIcwgSzBC05fnP7UXnVgWXdqPmtLO4D:SJB+nneDgkXFEIJ0zzpfnQXlXlNeBsJ |
| TLSH: | F1B4F19E73A3D0B3E962183502D49B75092F7E700F24A9FB57540F692F3A6C28932E57 |
| File Content Preview: | MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...t.@g............................pX............@.......................... .......~....@.................................T...<.. |
 | |
| Icon Hash: | 0d4f96872b517131 |
| Entrypoint: | 0x415870 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows cui |
| Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
| DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, GUARD_CF, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x6740AA74 [Fri Nov 22 15:59:48 2024 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 6 |
| OS Version Minor: | 0 |
| File Version Major: | 6 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 6 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 887797384d81c493a9d8ee55dad3b2e1 |
| Instruction |
|---|
| call 00007FE1D0F2155Ah |
| jmp 00007FE1D0F213BDh |
| mov ecx, dword ptr [0042B5F0h] |
| push esi |
| push edi |
| mov edi, BB40E64Eh |
| mov esi, FFFF0000h |
| cmp ecx, edi |
| je 00007FE1D0F21556h |
| test esi, ecx |
| jne 00007FE1D0F21578h |
| call 00007FE1D0F21581h |
| mov ecx, eax |
| cmp ecx, edi |
| jne 00007FE1D0F21559h |
| mov ecx, BB40E64Fh |
| jmp 00007FE1D0F21560h |
| test esi, ecx |
| jne 00007FE1D0F2155Ch |
| or eax, 00004711h |
| shl eax, 10h |
| or ecx, eax |
| mov dword ptr [0042B5F0h], ecx |
| not ecx |
| pop edi |
| mov dword ptr [0042B5ECh], ecx |
| pop esi |
| ret |
| push ebp |
| mov ebp, esp |
| sub esp, 14h |
| and dword ptr [ebp-0Ch], 00000000h |
| lea eax, dword ptr [ebp-0Ch] |
| and dword ptr [ebp-08h], 00000000h |
| push eax |
| call dword ptr [0042946Ch] |
| mov eax, dword ptr [ebp-08h] |
| xor eax, dword ptr [ebp-0Ch] |
| mov dword ptr [ebp-04h], eax |
| call dword ptr [00429430h] |
| xor dword ptr [ebp-04h], eax |
| call dword ptr [0042942Ch] |
| xor dword ptr [ebp-04h], eax |
| lea eax, dword ptr [ebp-14h] |
| push eax |
| call dword ptr [004294A8h] |
| mov eax, dword ptr [ebp-10h] |
| lea ecx, dword ptr [ebp-04h] |
| xor eax, dword ptr [ebp-14h] |
| xor eax, dword ptr [ebp-04h] |
| xor eax, ecx |
| leave |
| ret |
| mov eax, 00004000h |
| ret |
| push 0042C970h |
| call dword ptr [00429488h] |
| ret |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| mov al, 01h |
| ret |
| push 00030000h |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x29254 | 0x3c | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x80000 | 0x1de8 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2f000 | 0x1400 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x237c0 | 0xc0 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x293c8 | 0x138 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x2169a | 0x21800 | 02aff72e65eaf052f891170e28598361 | False | 0.550606343283582 | data | 6.737058354414408 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x23000 | 0x7264 | 0x7400 | 91e5fdecc510d2c4e72b1b50db3c2501 | False | 0.40641837284482757 | data | 4.769873714467996 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x2b000 | 0x2068 | 0x1000 | f9b2b4b1f63578440eedd0ace5ac94f1 | False | 0.484375 | OpenPGP Secret Key | 5.090094544660231 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .00cfg | 0x2e000 | 0x8 | 0x200 | 160c8b290b62e5e566d05ce3bec76423 | False | 0.03125 | data | 0.06116285224115448 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x2f000 | 0x1400 | 0x1400 | 29fb367912ce622b91120c5cffd84495 | False | 0.81953125 | data | 6.557860970753822 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| .coS | 0x31000 | 0x4e800 | 0x4e800 | 01f8ec1bd8aac06321dfaa0fd7af4910 | False | 1.0003296675955413 | data | 7.999487492637194 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x80000 | 0x1de8 | 0x1e00 | ff331c6468cd2ec8b30a579ec23d1204 | False | 0.9776041666666667 | data | 7.882227876387404 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0x800ac | 0x1d26 | PNG image data, 256 x 256, 8-bit gray+alpha, non-interlaced | 0.9927633342267489 | ||
| RT_GROUP_ICON | 0x81dd4 | 0x14 | data | 1.05 |
| DLL | Import |
|---|---|
| KERNEL32.dll | CloseHandle, CompareStringW, CreateFileA, CreateFileW, CreateThread, DecodePointer, DeleteCriticalSection, EncodePointer, EnterCriticalSection, ExitProcess, ExitThread, FindClose, FindFirstFileExW, FindNextFileW, FlushFileBuffers, FreeEnvironmentStringsW, FreeLibrary, FreeLibraryAndExitThread, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetExitCodeThread, GetFileSize, GetFileType, GetLastError, GetModuleFileNameW, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, ReadFile, RtlUnwind, SetEnvironmentVariableW, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, WaitForSingleObjectEx, WideCharToMultiByte, WriteConsoleW, WriteFile |
| GDI32.dll | CreateEllipticRgn |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-23T15:03:05.016322+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49707 | 172.67.155.47 | 443 | TCP |
| 2024-11-23T15:03:05.706014+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.6 | 49707 | 172.67.155.47 | 443 | TCP |
| 2024-11-23T15:03:05.706014+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.6 | 49707 | 172.67.155.47 | 443 | TCP |
| 2024-11-23T15:03:07.004777+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49709 | 172.67.155.47 | 443 | TCP |
| 2024-11-23T15:03:07.718873+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.6 | 49709 | 172.67.155.47 | 443 | TCP |
| 2024-11-23T15:03:07.718873+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.6 | 49709 | 172.67.155.47 | 443 | TCP |
| 2024-11-23T15:03:09.287935+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49711 | 172.67.155.47 | 443 | TCP |
| 2024-11-23T15:03:11.509699+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49712 | 172.67.155.47 | 443 | TCP |
| 2024-11-23T15:03:13.653451+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49718 | 172.67.155.47 | 443 | TCP |
| 2024-11-23T15:03:16.264662+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49724 | 172.67.155.47 | 443 | TCP |
| 2024-11-23T15:03:16.992599+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.6 | 49724 | 172.67.155.47 | 443 | TCP |
| 2024-11-23T15:03:18.795759+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49734 | 172.67.155.47 | 443 | TCP |
| 2024-11-23T15:03:22.293764+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49746 | 172.67.155.47 | 443 | TCP |
| 2024-11-23T15:03:23.048426+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.6 | 49746 | 172.67.155.47 | 443 | TCP |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Nov 23, 2024 15:03:03.700448036 CET | 49707 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:03.700495005 CET | 443 | 49707 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:03.700572014 CET | 49707 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:03.728261948 CET | 49707 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:03.728290081 CET | 443 | 49707 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:05.016222000 CET | 443 | 49707 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:05.016321898 CET | 49707 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:05.021338940 CET | 49707 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:05.021353960 CET | 443 | 49707 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:05.021750927 CET | 443 | 49707 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:05.064135075 CET | 49707 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:05.091238976 CET | 49707 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:05.091264963 CET | 49707 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:05.091547012 CET | 443 | 49707 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:05.706048012 CET | 443 | 49707 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:05.706193924 CET | 443 | 49707 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:05.706258059 CET | 49707 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:05.718024969 CET | 49707 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:05.718060017 CET | 443 | 49707 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:05.718076944 CET | 49707 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:05.718085051 CET | 443 | 49707 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:05.790715933 CET | 49709 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:05.790781975 CET | 443 | 49709 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:05.790851116 CET | 49709 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:05.791239977 CET | 49709 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:05.791254997 CET | 443 | 49709 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:07.004704952 CET | 443 | 49709 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:07.004776955 CET | 49709 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:07.006500006 CET | 49709 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:07.006519079 CET | 443 | 49709 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:07.006951094 CET | 443 | 49709 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:07.008872032 CET | 49709 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:07.008894920 CET | 49709 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:07.008963108 CET | 443 | 49709 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:07.718950033 CET | 443 | 49709 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:07.719140053 CET | 443 | 49709 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:07.719199896 CET | 49709 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:07.719227076 CET | 443 | 49709 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:07.719255924 CET | 443 | 49709 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:07.719355106 CET | 49709 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:07.719408989 CET | 443 | 49709 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:07.719559908 CET | 443 | 49709 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:07.719609976 CET | 49709 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:07.719624996 CET | 443 | 49709 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:07.731385946 CET | 443 | 49709 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:07.731479883 CET | 49709 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:07.731507063 CET | 443 | 49709 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:07.782866955 CET | 49709 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:07.782901049 CET | 443 | 49709 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:07.829754114 CET | 49709 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:07.841342926 CET | 443 | 49709 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:07.892244101 CET | 49709 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:07.910516024 CET | 443 | 49709 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:07.914248943 CET | 443 | 49709 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:07.914314032 CET | 49709 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:07.914350986 CET | 443 | 49709 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:07.914503098 CET | 443 | 49709 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:07.914623976 CET | 49709 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:07.914671898 CET | 49709 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:07.914691925 CET | 443 | 49709 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:07.914705992 CET | 49709 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:07.914712906 CET | 443 | 49709 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:08.072496891 CET | 49711 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:08.072560072 CET | 443 | 49711 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:08.072637081 CET | 49711 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:08.072973013 CET | 49711 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:08.072999954 CET | 443 | 49711 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:09.287843943 CET | 443 | 49711 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:09.287935019 CET | 49711 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:09.289724112 CET | 49711 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:09.289755106 CET | 443 | 49711 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:09.290008068 CET | 443 | 49711 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:09.291354895 CET | 49711 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:09.291555882 CET | 49711 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:09.291601896 CET | 443 | 49711 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:10.082015038 CET | 443 | 49711 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:10.082124949 CET | 443 | 49711 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:10.082241058 CET | 49711 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:10.082261086 CET | 49711 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:10.242746115 CET | 49712 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:10.242801905 CET | 443 | 49712 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:10.242880106 CET | 49712 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:10.243225098 CET | 49712 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:10.243241072 CET | 443 | 49712 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:11.509596109 CET | 443 | 49712 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:11.509699106 CET | 49712 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:11.511059999 CET | 49712 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:11.511079073 CET | 443 | 49712 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:11.511310101 CET | 443 | 49712 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:11.512609005 CET | 49712 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:11.512777090 CET | 49712 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:11.512809992 CET | 443 | 49712 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:11.512862921 CET | 49712 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:11.555339098 CET | 443 | 49712 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:12.163614988 CET | 443 | 49712 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:12.163717031 CET | 443 | 49712 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:12.163769007 CET | 49712 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:12.163856030 CET | 49712 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:12.440454960 CET | 49718 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:12.440490007 CET | 443 | 49718 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:12.440733910 CET | 49718 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:12.441056967 CET | 49718 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:12.441066980 CET | 443 | 49718 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:13.653271914 CET | 443 | 49718 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:13.653450966 CET | 49718 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:13.654858112 CET | 49718 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:13.654867887 CET | 443 | 49718 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:13.655128002 CET | 443 | 49718 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:13.656806946 CET | 49718 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:13.656980991 CET | 49718 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:13.657005072 CET | 443 | 49718 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:13.657085896 CET | 49718 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:13.657093048 CET | 443 | 49718 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:14.586110115 CET | 443 | 49718 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:14.586215019 CET | 443 | 49718 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:14.586278915 CET | 49718 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:14.586472034 CET | 49718 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:14.586491108 CET | 443 | 49718 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:14.954044104 CET | 49724 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:14.954101086 CET | 443 | 49724 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:14.954158068 CET | 49724 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:14.954463005 CET | 49724 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:14.954482079 CET | 443 | 49724 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:16.264547110 CET | 443 | 49724 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:16.264662027 CET | 49724 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:16.266228914 CET | 49724 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:16.266236067 CET | 443 | 49724 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:16.266478062 CET | 443 | 49724 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:16.267924070 CET | 49724 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:16.267924070 CET | 49724 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:16.267976046 CET | 443 | 49724 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:16.992599964 CET | 443 | 49724 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:16.992701054 CET | 443 | 49724 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:16.992815018 CET | 49724 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:16.993136883 CET | 49724 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:16.993156910 CET | 443 | 49724 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:17.525717974 CET | 49734 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:17.525758028 CET | 443 | 49734 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:17.525862932 CET | 49734 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:17.526176929 CET | 49734 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:17.526191950 CET | 443 | 49734 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:18.795692921 CET | 443 | 49734 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:18.795758963 CET | 49734 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:18.805001974 CET | 49734 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:18.805023909 CET | 443 | 49734 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:18.805241108 CET | 443 | 49734 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:18.806476116 CET | 49734 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:18.807223082 CET | 49734 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:18.807255030 CET | 443 | 49734 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:18.807378054 CET | 49734 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:18.807410002 CET | 443 | 49734 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:18.807555914 CET | 49734 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:18.807590008 CET | 443 | 49734 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:18.807701111 CET | 49734 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:18.807739019 CET | 443 | 49734 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:18.807856083 CET | 49734 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:18.807885885 CET | 443 | 49734 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:18.808015108 CET | 49734 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:18.808044910 CET | 443 | 49734 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:18.808053017 CET | 49734 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:18.808065891 CET | 443 | 49734 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:18.808307886 CET | 49734 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:18.808336973 CET | 443 | 49734 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:18.808356047 CET | 49734 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:18.808614016 CET | 49734 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:18.808654070 CET | 49734 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:18.851334095 CET | 443 | 49734 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:18.851475000 CET | 49734 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:18.851530075 CET | 443 | 49734 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:18.851552963 CET | 49734 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:18.851571083 CET | 443 | 49734 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:18.851593971 CET | 49734 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:18.851608992 CET | 443 | 49734 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:21.000606060 CET | 443 | 49734 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:21.000703096 CET | 443 | 49734 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:21.000747919 CET | 49734 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:21.000863075 CET | 49734 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:21.000869036 CET | 443 | 49734 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:21.028065920 CET | 49746 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:21.028105021 CET | 443 | 49746 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:21.028163910 CET | 49746 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:21.028443098 CET | 49746 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:21.028460026 CET | 443 | 49746 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:22.293687105 CET | 443 | 49746 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:22.293764114 CET | 49746 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:22.294917107 CET | 49746 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:22.294935942 CET | 443 | 49746 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:22.295175076 CET | 443 | 49746 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:22.296322107 CET | 49746 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:22.296379089 CET | 49746 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:22.296401978 CET | 443 | 49746 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:23.048441887 CET | 443 | 49746 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:23.048541069 CET | 443 | 49746 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:23.048609018 CET | 49746 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:23.048980951 CET | 49746 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:23.049006939 CET | 443 | 49746 | 172.67.155.47 | 192.168.2.6 |
| Nov 23, 2024 15:03:23.049021006 CET | 49746 | 443 | 192.168.2.6 | 172.67.155.47 |
| Nov 23, 2024 15:03:23.049030066 CET | 443 | 49746 | 172.67.155.47 | 192.168.2.6 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Nov 23, 2024 15:03:03.097207069 CET | 59110 | 53 | 192.168.2.6 | 1.1.1.1 |
| Nov 23, 2024 15:03:03.335712910 CET | 53 | 59110 | 1.1.1.1 | 192.168.2.6 |
| Nov 23, 2024 15:03:03.456376076 CET | 65210 | 53 | 192.168.2.6 | 1.1.1.1 |
| Nov 23, 2024 15:03:03.694583893 CET | 53 | 65210 | 1.1.1.1 | 192.168.2.6 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Nov 23, 2024 15:03:03.097207069 CET | 192.168.2.6 | 1.1.1.1 | 0x963d | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Nov 23, 2024 15:03:03.456376076 CET | 192.168.2.6 | 1.1.1.1 | 0x8e2e | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Nov 23, 2024 15:03:03.335712910 CET | 1.1.1.1 | 192.168.2.6 | 0x963d | Name error (3) | none | none | A (IP address) | IN (0x0001) | false | |
| Nov 23, 2024 15:03:03.694583893 CET | 1.1.1.1 | 192.168.2.6 | 0x8e2e | No error (0) | 172.67.155.47 | A (IP address) | IN (0x0001) | false | ||
| Nov 23, 2024 15:03:03.694583893 CET | 1.1.1.1 | 192.168.2.6 | 0x8e2e | No error (0) | 104.21.88.250 | A (IP address) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.6 | 49707 | 172.67.155.47 | 443 | 280 | C:\Users\user\Desktop\arcaneloader.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-11-23 14:03:05 UTC | 263 | OUT | |
| 2024-11-23 14:03:05 UTC | 8 | OUT | |
| 2024-11-23 14:03:05 UTC | 1009 | IN | |
| 2024-11-23 14:03:05 UTC | 7 | IN | |
| 2024-11-23 14:03:05 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.6 | 49709 | 172.67.155.47 | 443 | 280 | C:\Users\user\Desktop\arcaneloader.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-11-23 14:03:07 UTC | 264 | OUT | |
| 2024-11-23 14:03:07 UTC | 54 | OUT | |
| 2024-11-23 14:03:07 UTC | 1013 | IN | |
| 2024-11-23 14:03:07 UTC | 356 | IN | |
| 2024-11-23 14:03:07 UTC | 893 | IN | |
| 2024-11-23 14:03:07 UTC | 1369 | IN | |
| 2024-11-23 14:03:07 UTC | 1369 | IN | |
| 2024-11-23 14:03:07 UTC | 1369 | IN | |
| 2024-11-23 14:03:07 UTC | 1369 | IN | |
| 2024-11-23 14:03:07 UTC | 1369 | IN | |
| 2024-11-23 14:03:07 UTC | 1369 | IN | |
| 2024-11-23 14:03:07 UTC | 1369 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 2 | 192.168.2.6 | 49711 | 172.67.155.47 | 443 | 280 | C:\Users\user\Desktop\arcaneloader.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-11-23 14:03:09 UTC | 283 | OUT | |
| 2024-11-23 14:03:09 UTC | 12872 | OUT | |
| 2024-11-23 14:03:10 UTC | 1011 | IN | |
| 2024-11-23 14:03:10 UTC | 19 | IN | |
| 2024-11-23 14:03:10 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 3 | 192.168.2.6 | 49712 | 172.67.155.47 | 443 | 280 | C:\Users\user\Desktop\arcaneloader.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-11-23 14:03:11 UTC | 274 | OUT | |
| 2024-11-23 14:03:11 UTC | 15064 | OUT | |
| 2024-11-23 14:03:12 UTC | 1019 | IN | |
| 2024-11-23 14:03:12 UTC | 19 | IN | |
| 2024-11-23 14:03:12 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 4 | 192.168.2.6 | 49718 | 172.67.155.47 | 443 | 280 | C:\Users\user\Desktop\arcaneloader.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-11-23 14:03:13 UTC | 282 | OUT | |
| 2024-11-23 14:03:13 UTC | 15331 | OUT | |
| 2024-11-23 14:03:13 UTC | 4639 | OUT | |
| 2024-11-23 14:03:14 UTC | 1005 | IN | |
| 2024-11-23 14:03:14 UTC | 19 | IN | |
| 2024-11-23 14:03:14 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 5 | 192.168.2.6 | 49724 | 172.67.155.47 | 443 | 280 | C:\Users\user\Desktop\arcaneloader.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-11-23 14:03:16 UTC | 280 | OUT | |
| 2024-11-23 14:03:16 UTC | 1221 | OUT | |
| 2024-11-23 14:03:16 UTC | 1008 | IN | |
| 2024-11-23 14:03:16 UTC | 19 | IN | |
| 2024-11-23 14:03:16 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 6 | 192.168.2.6 | 49734 | 172.67.155.47 | 443 | 280 | C:\Users\user\Desktop\arcaneloader.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-11-23 14:03:18 UTC | 273 | OUT | |
| 2024-11-23 14:03:18 UTC | 15331 | OUT | |
| 2024-11-23 14:03:18 UTC | 15331 | OUT | |
| 2024-11-23 14:03:18 UTC | 15331 | OUT | |
| 2024-11-23 14:03:18 UTC | 15331 | OUT | |
| 2024-11-23 14:03:18 UTC | 15331 | OUT | |
| 2024-11-23 14:03:18 UTC | 15331 | OUT | |
| 2024-11-23 14:03:18 UTC | 15331 | OUT | |
| 2024-11-23 14:03:18 UTC | 15331 | OUT | |
| 2024-11-23 14:03:18 UTC | 15331 | OUT | |
| 2024-11-23 14:03:18 UTC | 15331 | OUT | |
| 2024-11-23 14:03:20 UTC | 1017 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 7 | 192.168.2.6 | 49746 | 172.67.155.47 | 443 | 280 | C:\Users\user\Desktop\arcaneloader.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-11-23 14:03:22 UTC | 264 | OUT | |
| 2024-11-23 14:03:22 UTC | 89 | OUT | |
| 2024-11-23 14:03:23 UTC | 1003 | IN | |
| 2024-11-23 14:03:23 UTC | 54 | IN | |
| 2024-11-23 14:03:23 UTC | 5 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 09:03:00 |
| Start date: | 23/11/2024 |
| Path: | C:\Users\user\Desktop\arcaneloader.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xdb0000 |
| File size: | 507'392 bytes |
| MD5 hash: | F6AF7A6808F0E831FED6566C54B1E94E |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | low |
| Has exited: | true |
| Target ID: | 1 |
| Start time: | 09:03:00 |
| Start date: | 23/11/2024 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff66e660000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 3 |
| Start time: | 09:03:02 |
| Start date: | 23/11/2024 |
| Path: | C:\Users\user\Desktop\arcaneloader.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xdb0000 |
| File size: | 507'392 bytes |
| MD5 hash: | F6AF7A6808F0E831FED6566C54B1E94E |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | low |
| Has exited: | true |
Execution Graph
| Execution Coverage: | 4.1% |
| Dynamic/Decrypted Code Coverage: | 0.5% |
| Signature Coverage: | 3.6% |
| Total number of Nodes: | 1619 |
| Total number of Limit Nodes: | 29 |
Graph
Function 00DDB18D Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 295threadinjectionmemoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00DBCD10 Relevance: .0, Instructions: 29COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00DC9DD3 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00DBBEB0 Relevance: 9.2, APIs: 6, Instructions: 173fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00DC6CE6 Relevance: 4.6, APIs: 3, Instructions: 51threadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00DCA732 Relevance: 3.1, APIs: 2, Instructions: 65COMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00DC6E00 Relevance: 3.0, APIs: 2, Instructions: 38threadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00DCB0CB Relevance: 3.0, APIs: 2, Instructions: 22memoryCOMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00DC3B60 Relevance: 1.6, APIs: 1, Instructions: 86COMMON
Download Yara Rule
Control-flow Graph
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00DBCD90 Relevance: 1.5, APIs: 1, Instructions: 41COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00DCB807 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00DCBC45 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00DC4CA2 Relevance: 143.7, APIs: 41, Strings: 41, Instructions: 180libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00DBCE70 Relevance: 8.0, APIs: 5, Instructions: 518threadCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00DCC7DB Relevance: 6.2, APIs: 4, Instructions: 205COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00DC5444 Relevance: 6.1, APIs: 4, Instructions: 73COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00DC15A0 Relevance: 4.4, APIs: 2, Instructions: 1444COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00DCC72A Relevance: 1.7, APIs: 1, Instructions: 199fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00DC5200 Relevance: 1.6, APIs: 1, Instructions: 147COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00DC5438 Relevance: 1.5, APIs: 1, Instructions: 3COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00DC9F90 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00DB86C0 Relevance: .7, Instructions: 725COMMONLIBRARYCODE
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00DC34D0 Relevance: .6, Instructions: 607COMMONLIBRARYCODE
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00DBF980 Relevance: .5, Instructions: 456COMMONLIBRARYCODE
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00DBBD50 Relevance: .0, Instructions: 15COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00DC90D3 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 303COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00DC6F54 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00DCDF1D Relevance: 7.7, APIs: 5, Instructions: 197COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00DC94F8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 114COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00DCDC5E Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00DCC5B8 Relevance: 6.1, APIs: 4, Instructions: 82COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00DCD22D Relevance: 6.1, APIs: 4, Instructions: 74COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00DC8D6C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 93COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Execution Graph
| Execution Coverage: | 5% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 48.1% |
| Total number of Nodes: | 208 |
| Total number of Limit Nodes: | 12 |
Graph
Function 0043A1C0 Relevance: 30.3, APIs: 11, Strings: 6, Instructions: 583memorycomCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0041C8CA Relevance: 29.0, APIs: 1, Strings: 15, Instructions: 994encryptionCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040B270 Relevance: 22.9, Strings: 18, Instructions: 387COMMON
Download Yara Rule
Control-flow Graph
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040C10E Relevance: 10.2, Strings: 8, Instructions: 197COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00408F40 Relevance: 7.6, APIs: 5, Instructions: 132threadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004222F0 Relevance: 5.2, Strings: 4, Instructions: 196COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0042EDFB Relevance: 3.4, APIs: 2, Instructions: 426COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0042EDF6 Relevance: 3.4, APIs: 2, Instructions: 358COMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00429590 Relevance: 2.9, Strings: 2, Instructions: 398COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040D487 Relevance: 2.8, Strings: 2, Instructions: 317COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00442460 Relevance: 2.6, Strings: 2, Instructions: 110COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040CFE5 Relevance: 2.6, Strings: 2, Instructions: 76COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0042F246 Relevance: 1.9, APIs: 1, Instructions: 422COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0042F6C5 Relevance: 1.9, APIs: 1, Instructions: 355COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0043F4A0 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00441E80 Relevance: 1.4, Strings: 1, Instructions: 137COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040CA1E Relevance: 1.3, Strings: 1, Instructions: 83COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0043F6C2 Relevance: .2, Instructions: 195COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040ADDB Relevance: .1, Instructions: 76COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004402C4 Relevance: 3.0, APIs: 2, Instructions: 32COMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0043F3D0 Relevance: 1.6, APIs: 1, Instructions: 77memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0043C9D0 Relevance: 1.5, APIs: 1, Instructions: 38memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0043CA40 Relevance: 1.5, APIs: 1, Instructions: 36memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00433D78 Relevance: 1.5, APIs: 1, Instructions: 28COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00433303 Relevance: 1.5, APIs: 1, Instructions: 25COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040D420 Relevance: 1.5, APIs: 1, Instructions: 18COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040D455 Relevance: 1.5, APIs: 1, Instructions: 17COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00438D33 Relevance: 1.5, APIs: 1, Instructions: 14COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004353C0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 108clipboardCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00409E30 Relevance: 11.6, Strings: 9, Instructions: 383COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0042DDD6 Relevance: 10.6, Strings: 8, Instructions: 618COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00DCC7DB Relevance: 6.2, APIs: 4, Instructions: 205COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00DC5444 Relevance: 6.1, APIs: 4, Instructions: 73COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042C430 Relevance: 5.6, Strings: 4, Instructions: 593COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00429BAB Relevance: 5.5, Strings: 4, Instructions: 495COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0042FF10 Relevance: 5.3, Strings: 4, Instructions: 313COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0042EB58 Relevance: 5.2, Strings: 4, Instructions: 206COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0042EBBA Relevance: 5.2, Strings: 4, Instructions: 198COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00423F20 Relevance: 4.2, Strings: 3, Instructions: 431COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0041B382 Relevance: 4.1, Strings: 3, Instructions: 387COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00420299 Relevance: 4.0, Strings: 3, Instructions: 229COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004202AC Relevance: 4.0, Strings: 3, Instructions: 225COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004096E0 Relevance: 2.8, Strings: 2, Instructions: 298COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0041B888 Relevance: 2.8, Strings: 2, Instructions: 266COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040E3C6 Relevance: 2.6, Strings: 2, Instructions: 110COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00426810 Relevance: 2.6, Strings: 2, Instructions: 100COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0043E18E Relevance: 2.6, Strings: 2, Instructions: 69COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0043D2C0 Relevance: 1.9, Strings: 1, Instructions: 616COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00425C1F Relevance: 1.8, Strings: 1, Instructions: 593COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00425330 Relevance: 1.7, APIs: 1, Instructions: 245comCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0042D550 Relevance: 1.6, Strings: 1, Instructions: 400COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0041DE18 Relevance: 1.6, Strings: 1, Instructions: 309COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0043A968 Relevance: 1.5, Strings: 1, Instructions: 248COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0043CFB0 Relevance: 1.4, Strings: 1, Instructions: 189COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0041ED81 Relevance: 1.4, Strings: 1, Instructions: 103COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040CB0E Relevance: 1.3, Strings: 1, Instructions: 75COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00440268 Relevance: 1.3, Strings: 1, Instructions: 30COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00407CD0 Relevance: .8, Instructions: 814COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00440E40 Relevance: .8, Instructions: 787COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00440F70 Relevance: .7, Instructions: 688COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00402FD0 Relevance: .7, Instructions: 664COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00440FCA Relevance: .7, Instructions: 651COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004410E0 Relevance: .6, Instructions: 603COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004411C0 Relevance: .6, Instructions: 568COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00442BD0 Relevance: .3, Instructions: 287COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004428B0 Relevance: .3, Instructions: 284COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0041F416 Relevance: .2, Instructions: 201COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00441660 Relevance: .2, Instructions: 200COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0042E84B Relevance: .2, Instructions: 177COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0042E8AB Relevance: .2, Instructions: 167COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00419F53 Relevance: .2, Instructions: 157COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0042C281 Relevance: .1, Instructions: 141COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0042C0DE Relevance: .1, Instructions: 139COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0041F2A9 Relevance: .1, Instructions: 135COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0042E7D7 Relevance: .1, Instructions: 131COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00401D20 Relevance: .1, Instructions: 129COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040DECF Relevance: .1, Instructions: 126COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00401F10 Relevance: .1, Instructions: 95COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0043FAB9 Relevance: .1, Instructions: 69COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00437670 Relevance: .1, Instructions: 64COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040A64A Relevance: .1, Instructions: 63COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0042CFB0 Relevance: .1, Instructions: 63COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0041B2ED Relevance: .1, Instructions: 53COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00402CA0 Relevance: .0, Instructions: 43COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0042E7F5 Relevance: .0, Instructions: 16COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00DC4CA2 Relevance: 143.7, APIs: 41, Strings: 41, Instructions: 180libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00DC90D3 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 303COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00DC9DD3 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00DBBEB0 Relevance: 9.2, APIs: 6, Instructions: 173fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00DC6F54 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00DCDF1D Relevance: 7.7, APIs: 5, Instructions: 197COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00DC94F8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 114COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00DCDC5E Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00DCC5B8 Relevance: 6.1, APIs: 4, Instructions: 82COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00DCCB54 Relevance: 6.1, APIs: 4, Instructions: 79COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00DCD22D Relevance: 6.1, APIs: 4, Instructions: 74COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00DC8D6C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 93COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|