Edit tour

Windows Analysis Report
yjF33u9fqZ.dll

Overview

General Information

Sample name:	yjF33u9fqZ.dll (renamed file extension from exe to dll, renamed because original name is a hash value)
Original sample name:	a689d6c88b72b5b148ac581fcbe71902.dll.exe
Analysis ID:	1561761
MD5:	a689d6c88b72b5b148ac581fcbe71902
SHA1:	7fe590156c8b831e0033fc971a90a949ce50f085
SHA256:	410cbc2d187ca80ce22eadb4fbe77d5af071bc7c9f747f50e2ddf765167ba7d4
Tags:	dllexeStrelaStealeruser-abuse_ch
Infos:

Detection

Strela Stealer

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Strela Stealer

Machine Learning detection for sample

Contains functionality to query locales information (e.g. system language)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

PE file does not import any functions

Program does not show much activity (idle)

Registers a DLL

Sample execution stops while process was sleeping (likely an evasion)

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

loaddll64.exe (PID: 2940 cmdline: loaddll64.exe "C:\Users\user\Desktop\yjF33u9fqZ.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)

conhost.exe (PID: 3712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 1272 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\yjF33u9fqZ.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

rundll32.exe (PID: 1840 cmdline: rundll32.exe "C:\Users\user\Desktop\yjF33u9fqZ.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)

regsvr32.exe (PID: 3568 cmdline: regsvr32.exe /s C:\Users\user\Desktop\yjF33u9fqZ.dll MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)

rundll32.exe (PID: 1868 cmdline: rundll32.exe C:\Users\user\Desktop\yjF33u9fqZ.dll,DllRegisterServer MD5: EF3179D498793BF4234F708D3BE28633)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000005.00000002.1496761580.00007FFBC31D7000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
00000003.00000002.1496317670.0000000002711000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
00000003.00000002.1496681049.00007FFBC31D7000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
00000005.00000002.1496397137.00000186B59A1000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
00000006.00000002.1496870393.00007FFBC31D7000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
00000000.00000002.1523579969.0000023BEAF21000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
00000000.00000002.1527182250.00007FFBC31D7000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
00000006.00000002.1496760430.000002AB0BF31000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
Process Memory Space: loaddll64.exe PID: 2940	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
Process Memory Space: regsvr32.exe PID: 3568	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
Process Memory Space: rundll32.exe PID: 1868	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
Process Memory Space: rundll32.exe PID: 1840	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
Click to see the 7 entries

Unpacked PEs

Source	Rule	Description	Author
6.2.rundll32.exe.7ffbc31d7404.1.unpack	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
6.2.rundll32.exe.7ffbc31d0000.0.unpack	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
3.2.regsvr32.exe.7ffbc31d7404.1.raw.unpack	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
0.2.loaddll64.exe.7ffbc31d7404.1.raw.unpack	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
6.2.rundll32.exe.7ffbc31d7404.1.raw.unpack	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
3.2.regsvr32.exe.7ffbc31d7404.1.unpack	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
0.2.loaddll64.exe.7ffbc31d0000.0.unpack	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
3.2.regsvr32.exe.7ffbc31d0000.0.unpack	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
0.2.loaddll64.exe.7ffbc31d7404.1.unpack	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
5.2.rundll32.exe.7ffbc31d7404.1.unpack	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
5.2.rundll32.exe.7ffbc31d7404.1.raw.unpack	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
5.2.rundll32.exe.7ffbc31d0000.0.unpack	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
Click to see the 7 entries

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: yjF33u9fqZ.dll	ReversingLabs: Detection: 50%
Source: yjF33u9fqZ.dll	Virustotal: Detection: 50%			Perma Link

Machine Learning detection for sample

Source: yjF33u9fqZ.dll

Joe Sandbox ML: detected

Source: yjF33u9fqZ.dll

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFBC31D1000	0_2_00007FFBC31D1000
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000023BEAF215A0	0_2_0000023BEAF215A0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000023BEAF2F4E8	0_2_0000023BEAF2F4E8
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000023BEAF272BC	0_2_0000023BEAF272BC
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000023BEAF21A90	0_2_0000023BEAF21A90
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000023BEAF21090	0_2_0000023BEAF21090
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_027172BC	3_2_027172BC
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_02711A90	3_2_02711A90
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0271F4E8	3_2_0271F4E8
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_02711090	3_2_02711090
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_027115A0	3_2_027115A0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00000186B59A1A90	5_2_00000186B59A1A90
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00000186B59A72BC	5_2_00000186B59A72BC
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00000186B59A15A0	5_2_00000186B59A15A0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00000186B59AF4E8	5_2_00000186B59AF4E8
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00000186B59A1090	5_2_00000186B59A1090
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000002AB0BF3F4E8	6_2_000002AB0BF3F4E8
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000002AB0BF31090	6_2_000002AB0BF31090
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000002AB0BF372BC	6_2_000002AB0BF372BC
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000002AB0BF31A90	6_2_000002AB0BF31A90
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000002AB0BF315A0	6_2_000002AB0BF315A0

Source: yjF33u9fqZ.dll

Static PE information: No import functions for PE file found

Source: classification engine

Classification label: mal60.troj.winDLL@10/0@0/0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3712:120:WilError_03

Source: yjF33u9fqZ.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\yjF33u9fqZ.dll,DllRegisterServer

Source: yjF33u9fqZ.dll	ReversingLabs: Detection: 50%
Source: yjF33u9fqZ.dll	Virustotal: Detection: 50%

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\yjF33u9fqZ.dll"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\yjF33u9fqZ.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\yjF33u9fqZ.dll
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\yjF33u9fqZ.dll,DllRegisterServer
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\yjF33u9fqZ.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\yjF33u9fqZ.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\yjF33u9fqZ.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\yjF33u9fqZ.dll,DllRegisterServer	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\yjF33u9fqZ.dll",#1	Jump to behavior

Source: C:\Windows\System32\loaddll64.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Windows\System32\loaddll64.exe	Automated click: OK
Source: C:\Windows\System32\regsvr32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: yjF33u9fqZ.dll

Static PE information: Image base 0x180000000 > 0x60000000

Source: yjF33u9fqZ.dll

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: C:\Windows\System32\loaddll64.exe

Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\yjF33u9fqZ.dll

Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000023BEAF375DE push ecx; retf 003Fh	0_2_0000023BEAF3763E
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000023BEAF2BBA2 push esp; ret	0_2_0000023BEAF2BBA5
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000023BEAF31310 push esi; retf	0_2_0000023BEAF31313
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000023BEAF31318 push ebp; retf	0_2_0000023BEAF3131B
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000023BEAF31300 push ebp; retf	0_2_0000023BEAF31303
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000023BEAF3130A push esi; retf	0_2_0000023BEAF3130B
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000023BEAF312EC push ebp; retf	0_2_0000023BEAF312F3
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000023BEAF312FA push ebp; retf	0_2_0000023BEAF312FB
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000023BEAF312DC push ebp; retf	0_2_0000023BEAF312E3
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000023BEAF312E4 push ebp; retf	0_2_0000023BEAF312EB
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000023BEAF2CC9C push ebx; retf	0_2_0000023BEAF2CC9D
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000023BEAF2CCA8 push 6F0000CBh; retf	0_2_0000023BEAF2CCAD
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000023BEAF2CC6C push esi; retf 0000h	0_2_0000023BEAF2CC6D
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000023BEAF2CC35 push cs; retf 0000h	0_2_0000023BEAF2CC59
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000023BEAF311CC push ebp; retf	0_2_0000023BEAF311DB
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000023BEAF311BC push ebp; retf	0_2_0000023BEAF311CB
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000023BEAF31191 push esi; retf	0_2_0000023BEAF31193
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000023BEAF31194 push ebp; retf	0_2_0000023BEAF311BB
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000023BEAF3116C push ebp; retf	0_2_0000023BEAF3117B
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000023BEAF31150 push ebp; retf	0_2_0000023BEAF31153
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000023BEAF31154 push ebp; retf	0_2_0000023BEAF3116B
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000023BEAF3114A push esi; retf	0_2_0000023BEAF3114B
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000023BEAF3111C push esi; retf	0_2_0000023BEAF310FB
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000023BEAF3111C push esi; retf	0_2_0000023BEAF31143
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000023BEAF3110C push esi; retf	0_2_0000023BEAF31113
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000023BEAF31114 push esi; retf	0_2_0000023BEAF3111B
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000023BEAF310FC push ebp; retf	0_2_0000023BEAF3115B
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000023BEAF31104 push esi; retf	0_2_0000023BEAF3110B
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000023BEAF310EC push esi; retf	0_2_0000023BEAF310FB
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000023BEAF310DC push esi; retf	0_2_0000023BEAF310E3
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000023BEAF310E4 push esi; retf	0_2_0000023BEAF310EB

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\yjF33u9fqZ.dll",#1

Jump to behavior

Source: C:\Windows\System32\loaddll64.exe	Code function: GetConsoleWindow,CreateThread,GetLocaleInfoA,	0_2_0000023BEAF220E0
Source: C:\Windows\System32\regsvr32.exe	Code function: CreateThread,GetLocaleInfoA,	3_2_027120E0
Source: C:\Windows\System32\rundll32.exe	Code function: CreateThread,GetLocaleInfoA,	5_2_00000186B59A20E0
Source: C:\Windows\System32\rundll32.exe	Code function: CreateThread,GetLocaleInfoA,	6_2_000002AB0BF320E0

Stealing of Sensitive Information

Yara detected Strela Stealer

Source: Yara match	File source: 6.2.rundll32.exe.7ffbc31d7404.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.7ffbc31d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.7ffbc31d7404.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll64.exe.7ffbc31d7404.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.7ffbc31d7404.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.7ffbc31d7404.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll64.exe.7ffbc31d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.7ffbc31d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll64.exe.7ffbc31d7404.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.7ffbc31d7404.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.7ffbc31d7404.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.7ffbc31d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.1496761580.00007FFBC31D7000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1496317670.0000000002711000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1496681049.00007FFBC31D7000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1496397137.00000186B59A1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1496870393.00007FFBC31D7000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1523579969.0000023BEAF21000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1527182250.00007FFBC31D7000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1496760430.000002AB0BF31000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll64.exe PID: 2940, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 3568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 1868, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 1840, type: MEMORYSTR

Remote Access Functionality

Yara detected Strela Stealer

Source: Yara match	File source: 6.2.rundll32.exe.7ffbc31d7404.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.7ffbc31d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.7ffbc31d7404.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll64.exe.7ffbc31d7404.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.7ffbc31d7404.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.7ffbc31d7404.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll64.exe.7ffbc31d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.7ffbc31d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll64.exe.7ffbc31d7404.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.7ffbc31d7404.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.7ffbc31d7404.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.7ffbc31d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.1496761580.00007FFBC31D7000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1496317670.0000000002711000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1496681049.00007FFBC31D7000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1496397137.00000186B59A1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1496870393.00007FFBC31D7000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1523579969.0000023BEAF21000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1527182250.00007FFBC31D7000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1496760430.000002AB0BF31000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll64.exe PID: 2940, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 3568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 1868, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 1840, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	1 Regsvr32	OS Credential Dumping	11 System Information Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Rundll32	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
yjF33u9fqZ.dll	50%	ReversingLabs	Win64.Trojan.Generic
yjF33u9fqZ.dll	50%	Virustotal		Browse
yjF33u9fqZ.dll	100%	Joe Sandbox ML

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1561761
Start date and time:	2024-11-24 08:41:53 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 35s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	yjF33u9fqZ.dll (renamed file extension from exe to dll, renamed because original name is a hash value)
Original Sample Name:	a689d6c88b72b5b148ac581fcbe71902.dll.exe
Detection:	MAL
Classification:	mal60.troj.winDLL@10/0@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 19 Number of non-executed functions: 21
Cookbook Comments:	Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Not all processes where analyzed, report is missing behavior information

File type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Entropy (8bit):	7.730667754251411
TrID:	Win64 Dynamic Link Library (generic) (102004/3) 86.43% Win64 Executable (generic) (12005/4) 10.17% Generic Win/DOS Executable (2004/3) 1.70% DOS Executable Generic (2002/1) 1.70% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name:	yjF33u9fqZ.dll
File size:	142'336 bytes
MD5:	a689d6c88b72b5b148ac581fcbe71902
SHA1:	7fe590156c8b831e0033fc971a90a949ce50f085
SHA256:	410cbc2d187ca80ce22eadb4fbe77d5af071bc7c9f747f50e2ddf765167ba7d4
SHA512:	fa24974e5f061be72e3fc96bb5fd811d2b2df42b8285a68aed5c7575523a41c57399c8f12fdb0e0f489f8140ae4ef69d0c1e7a21ed2e75f201fde063df20780c
SSDEEP:	3072:eyvnNShFEwLotu9CMqNwnPKgg3vXvOnIhu70FCWE7ik:NnN1wL19CMAwSN//OCE0MWc
TLSH:	08D3E04B64D4747EF32248B664B88AF00246ADC7431DE5F370EF5521673B3498AA1FE6
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d.....1g.........." .....J...........Y.......................................p............`........................................

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x1800059b0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x180000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6731A0B7 [Mon Nov 11 06:14:15 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
mov eax, 00000001h
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x6260	0x51	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x26000	0x1a8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x25000	0xc	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x49b6	0x4a00	96bdaefc7f5893af5f2da0c1d16c3e65	False	0.650073902027027	data	6.79319874185311	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x6000	0x2f4	0x400	3ac46f946318536d4f869dd911082c03	False	0.232421875	data	4.893742051729495	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x7000	0x1d498	0x1d600	05e6fcfb3916eccc28772bcdebbe613d	False	0.8683011968085106	data	7.735103278254442	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x25000	0xc	0x200	9e4b904bbd4603c429cab8fc3c432c47	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x26000	0x1a8	0x200	082774175c3ed4a63cb8411ddc72bd3d	False	0.482421875	data	4.182807530451981	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x26060	0x143	XML 1.0 document, ASCII text	English	United States	0.628482972136223

Exports

Name	Ordinal	Address
DllRegisterServer	1	0x180001000

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	02:42:52
Start date:	24/11/2024
Path:	C:\Windows\System32\loaddll64.exe
Wow64 process (32bit):	false
Commandline:	loaddll64.exe "C:\Users\user\Desktop\yjF33u9fqZ.dll"
Imagebase:	0x7ff6c2c90000
File size:	165'888 bytes
MD5 hash:	763455F9DCB24DFEECC2B9D9F8D46D52
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_StrelaStealer, Description: Yara detected Strela Stealer, Source: 00000000.00000002.1523579969.0000023BEAF21000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_StrelaStealer, Description: Yara detected Strela Stealer, Source: 00000000.00000002.1527182250.00007FFBC31D7000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	02:42:52
Start date:	24/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:42:52
Start date:	24/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\yjF33u9fqZ.dll",#1
Imagebase:	0x7ff64cb50000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	02:42:52
Start date:	24/11/2024
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	regsvr32.exe /s C:\Users\user\Desktop\yjF33u9fqZ.dll
Imagebase:	0x7ff734cf0000
File size:	25'088 bytes
MD5 hash:	B0C2FA35D14A9FAD919E99D9D75E1B9E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_StrelaStealer, Description: Yara detected Strela Stealer, Source: 00000003.00000002.1496317670.0000000002711000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_StrelaStealer, Description: Yara detected Strela Stealer, Source: 00000003.00000002.1496681049.00007FFBC31D7000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	02:42:52
Start date:	24/11/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\yjF33u9fqZ.dll,DllRegisterServer
Imagebase:	0x7ff79c430000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_StrelaStealer, Description: Yara detected Strela Stealer, Source: 00000005.00000002.1496761580.00007FFBC31D7000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_StrelaStealer, Description: Yara detected Strela Stealer, Source: 00000005.00000002.1496397137.00000186B59A1000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	02:42:52
Start date:	24/11/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\yjF33u9fqZ.dll",#1
Imagebase:	0x7ff79c430000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_StrelaStealer, Description: Yara detected Strela Stealer, Source: 00000006.00000002.1496870393.00007FFBC31D7000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_StrelaStealer, Description: Yara detected Strela Stealer, Source: 00000006.00000002.1496760430.000002AB0BF31000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	4.2%
Dynamic/Decrypted Code Coverage:	81.1%
Signature Coverage:	32.4%
Total number of Nodes:	37
Total number of Limit Nodes:	6

Executed Functions

Function 00007FFBC31D1000 Relevance: 10.2, APIs: 2, Strings: 1, Instructions: 4968COMMON

Download Yara Rule

Strings

FacAsgbFtlXqEhswQZCLCQjgrPwhXurhpfuViCHOCyjcDIHvAgpeLwKyxuKMVRrfpvZDoLvHodCJiCHoBTTWSdZVXdvTSCFQKEzEBQAVrTlLtxgVvqGTjVYjJMIRBbxdXHVfKEKVlCmOHFturxmdYSioLvUWgpKTcCckcAopfKYSVVrjnhkEXsJbTpsyLHSbMefEjhjaSRcdAxzwOjQJOFoYfEhTyuTdEzCtPkSkdPZBMuuCJJMXctIteTJWtDuQKSko, xrefs: 00007FFBC31D2437

Memory Dump Source

Source File: 00000000.00000002.1527100021.00007FFBC31D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFBC31D0000, based on PE: true

Associated: 00000000.00000002.1526930320.00007FFBC31D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527136366.00007FFBC31D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527182250.00007FFBC31D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1527356722.00007FFBC31F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffbc31d0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: FacAsgbFtlXqEhswQZCLCQjgrPwhXurhpfuViCHOCyjcDIHvAgpeLwKyxuKMVRrfpvZDoLvHodCJiCHoBTTWSdZVXdvTSCFQKEzEBQAVrTlLtxgVvqGTjVYjJMIRBbxdXHVfKEKVlCmOHFturxmdYSioLvUWgpKTcCckcAopfKYSVVrjnhkEXsJbTpsyLHSbMefEjhjaSRcdAxzwOjQJOFoYfEhTyuTdEzCtPkSkdPZBMuuCJJMXctIteTJWtDuQKSko
API String ID: 0-977244299
Opcode ID: e2a491c31f411c211f0efa711c27821d672d411da4d5a25e27f95955906d2a99
Instruction ID: 7069355d86c5e567138c95bc70ac94d44e3d8adb1a86027927b06bbb3c8af205
Opcode Fuzzy Hash: e2a491c31f411c211f0efa711c27821d672d411da4d5a25e27f95955906d2a99
Instruction Fuzzy Hash: 4673AABBF64A514AEB058F36A8523FB6782AB937A4F48E331DD19637D0DE2DD5058300

Function 0000023BEAF220E0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 134
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleWindow.KERNELBASE ref: 0000023BEAF220ED
CreateThread.KERNELBASE ref: 0000023BEAF2211D
GetLocaleInfoA.KERNELBASE ref: 0000023BEAF221E5

Strings

5, xrefs: 0000023BEAF2225D

Memory Dump Source

Source File: 00000000.00000002.1523579969.0000023BEAF21000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000023BEAF21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23beaf21000_loaddll64.jbxd

Yara matches

Similarity

API ID: ConsoleCreateInfoLocaleThreadWindow
String ID: 5
API String ID: 1307802651-2226203566
Opcode ID: 53e6023148aec332c40765bce66317f8f0d3847e40e453e3a9759d4f43b705e2
Instruction ID: a47c12a13697e8553877d333ac2f5699e43d1880da9f623826ba50abf39734e4
Opcode Fuzzy Hash: 53e6023148aec332c40765bce66317f8f0d3847e40e453e3a9759d4f43b705e2
Instruction Fuzzy Hash: 4441A2302146448BF71AEF28D8AD7EB77E5FFD5305F80852DE247C61A5DF3885058A92

Function 0000023BEAF2A87C Relevance: 1.6, APIs: 1, Instructions: 104
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNELBASE ref: 0000023BEAF2A90B

Memory Dump Source

Source File: 00000000.00000002.1523579969.0000023BEAF21000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000023BEAF21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23beaf21000_loaddll64.jbxd

Yara matches

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 96bd17cdbec1199f7060c8e4f9a6f8fd574a155b9e298efd3bd16726f0fb32a2
Instruction ID: 8cd1411729e6fcce85da572cfbdc855e48de9333431504619dde83324063e114
Opcode Fuzzy Hash: 96bd17cdbec1199f7060c8e4f9a6f8fd574a155b9e298efd3bd16726f0fb32a2
Instruction Fuzzy Hash: 7F31C230508E1A9EE7A6AF2C84986E077D4FF1A360FA50749E55AC72E4C738D9A1C3D1

Function 0000023BEAF21000 Relevance: 1.5, APIs: 1, Instructions: 46
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVolumeNameForVolumeMountPointA.KERNEL32 ref: 0000023BEAF2104B

Memory Dump Source

Source File: 00000000.00000002.1523579969.0000023BEAF21000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000023BEAF21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23beaf21000_loaddll64.jbxd

Yara matches

Similarity

API ID: Volume$MountNamePoint
String ID:
API String ID: 1269602640-0
Opcode ID: 790c3e5c04854700e94b4d90c23288a0a6dd65ca27d7b0edd1071683d7a5972d
Instruction ID: 197f623226313a000d799c73db793ead10bf8fd5a4471c36662834927b34ede7
Opcode Fuzzy Hash: 790c3e5c04854700e94b4d90c23288a0a6dd65ca27d7b0edd1071683d7a5972d
Instruction Fuzzy Hash: 870167305085448FFB47EB28D8987D677E1F769305F008569E1CAC72A6DE7C8658C751

Function 0000023BEAF26F68 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?,?,?,?,?,?,?,0000023BEAF26F64), ref: 0000023BEAF26F93

Memory Dump Source

Source File: 00000000.00000002.1523579969.0000023BEAF21000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000023BEAF21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23beaf21000_loaddll64.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 05666283937c1f08677c7088b7fd24b6f81cfbeb3c6d91aeb7e4e1034e6939b2
Instruction ID: f3af5c0e1cbe23d39793abb522d7f208ceb69a5ec4c32ed2e11bebb7f1e0ab1e
Opcode Fuzzy Hash: 05666283937c1f08677c7088b7fd24b6f81cfbeb3c6d91aeb7e4e1034e6939b2
Instruction Fuzzy Hash: 15D012203003044BEE597FB8599C26D2755CB46205F001C786602C6697DE3EC8458752

Function 0000023BEAF220B0 Relevance: 1.5, APIs: 1, Instructions: 14
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MessageBoxA.USER32 ref: 0000023BEAF220CA

Memory Dump Source

Source File: 00000000.00000002.1523579969.0000023BEAF21000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000023BEAF21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23beaf21000_loaddll64.jbxd

Yara matches

Similarity

API ID: Message
String ID:
API String ID: 2030045667-0
Opcode ID: b1c7642022b5e6b88316a0d0a9cd98790ccd3d47a32ec667f729e349532e1fef
Instruction ID: f0c8c8b179c2aaeca1855f2f357fd550bc39611e5f4a8834ea67c0cbc9ad4e3c
Opcode Fuzzy Hash: b1c7642022b5e6b88316a0d0a9cd98790ccd3d47a32ec667f729e349532e1fef
Instruction Fuzzy Hash: 1DC0123016180847E708BB34EC595D136E4FB5C304FD089399407C5450E96D82844A82

Non-executed Functions

Function 0000023BEAF2F4E8 Relevance: 1.8, APIs: 1, Instructions: 321COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 0000023BEAF2F737

Memory Dump Source

Source File: 00000000.00000002.1523579969.0000023BEAF21000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000023BEAF21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23beaf21000_loaddll64.jbxd

Yara matches

Similarity

API ID: _clrfp
String ID:
API String ID: 3618594692-0
Opcode ID: 2045596ada029767b90017b957664b0b71c7a256b325aa916a96e60a40104743
Instruction ID: a29c0995ceeb6c8dd093633833df84ff43d81f0373fe0b40619e35038ad8efea
Opcode Fuzzy Hash: 2045596ada029767b90017b957664b0b71c7a256b325aa916a96e60a40104743
Instruction Fuzzy Hash: B7C17030520A4D8FEB99CF1CC89AB9677E0FF4A304F558599E859CB2A1C339D862CB51

Function 0000023BEAF215A0 Relevance: .4, Instructions: 408COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1523579969.0000023BEAF21000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000023BEAF21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23beaf21000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4f9392618ee0be8b2838eee92702fec4626de7f7bd0dc604c65336cad8c2563
Instruction ID: d9376b1910a460ce6230daa5c6f57017f08bcf791193eb0739b79557b4854a0b
Opcode Fuzzy Hash: e4f9392618ee0be8b2838eee92702fec4626de7f7bd0dc604c65336cad8c2563
Instruction Fuzzy Hash: DFE18D30518B488FEB65EF18D8997EA77E5FF99304F40462EA58AC3160DF349A41CBC6

Function 0000023BEAF21A90 Relevance: .3, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1523579969.0000023BEAF21000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000023BEAF21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23beaf21000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f301177accb7d0ce1b8505d76f0598128b48e2f6fca66abbe616489d302d7cc2
Instruction ID: 48a56842d2acd4c355f548f17d5de36703daeff60158643028531ce2114e2e6c
Opcode Fuzzy Hash: f301177accb7d0ce1b8505d76f0598128b48e2f6fca66abbe616489d302d7cc2
Instruction Fuzzy Hash: E0B19631218A498FEB6AEF28DC597FA73E5FB95301F40422ED54BC3191DF389A058B85

Function 0000023BEAF21090 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1523579969.0000023BEAF21000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000023BEAF21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23beaf21000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 004e5bc4f416d9accfca0753fc8d67adee0aa063ac23580ea370914e8b763bcf
Instruction ID: aa902a42034ae74ee9f8648d01e2ea2dd4f2a6dceead5d77efb8842151da5db6
Opcode Fuzzy Hash: 004e5bc4f416d9accfca0753fc8d67adee0aa063ac23580ea370914e8b763bcf
Instruction Fuzzy Hash: 1971B23061CB484BE769DF1C985D3BA77D5FB89310F40866EE88AC3291EF38994587C5

Function 0000023BEAF272BC Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1523579969.0000023BEAF21000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000023BEAF21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23beaf21000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30f0a361053a8720fb197dd7f2de9fba19a6b2a280636273193b063dd5433016
Instruction ID: 544ee0f1ae38a9bb3d7f4fa1cc649c3e6b114435c041ce237caf65de4bf7eb64
Opcode Fuzzy Hash: 30f0a361053a8720fb197dd7f2de9fba19a6b2a280636273193b063dd5433016
Instruction Fuzzy Hash: 5A512432718E084FDB5CDF6CD4996B573D2EBAD310B14822EE40AD72A5DE74D94287C0

Function 0000023BEAF240B0 Relevance: 12.7, APIs: 4, Strings: 3, Instructions: 463
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 0000023BEAF2410C

Part of subcall function 0000023BEAF25054: __GetUnwindTryBlock.LIBCMT ref: 0000023BEAF25097
Part of subcall function 0000023BEAF25054: __SetUnwindTryBlock.LIBVCRUNTIME ref: 0000023BEAF250BC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 0000023BEAF241E4
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 0000023BEAF24433
std::bad_alloc::bad_alloc.LIBCMT ref: 0000023BEAF2453F

Strings

csm, xrefs: 0000023BEAF24207
csm, xrefs: 0000023BEAF24126
csm, xrefs: 0000023BEAF2418D

Memory Dump Source

Source File: 00000000.00000002.1523579969.0000023BEAF21000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000023BEAF21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23beaf21000_loaddll64.jbxd

Yara matches

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 3ccd74b83f4e218917afb10b63cd26341559b906269fc65534a34942f520602e
Instruction ID: 578a7ec1d50035de5e5ceedcd9bb787c97391f021e16c5c7fc02a899e92a914d
Opcode Fuzzy Hash: 3ccd74b83f4e218917afb10b63cd26341559b906269fc65534a34942f520602e
Instruction Fuzzy Hash: F1F1A030918B088BEB55EF6C84597E977E4FF5A301F90021DE589C3296DB78D981CBD2

Function 0000023BEAF24930 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 201
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000023BEAF24958
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 0000023BEAF24A40

Strings

csm, xrefs: 0000023BEAF2497A
csm, xrefs: 0000023BEAF24A92

Memory Dump Source

Source File: 00000000.00000002.1523579969.0000023BEAF21000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000023BEAF21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23beaf21000_loaddll64.jbxd

Yara matches

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: e27bbef9eb5f28e076bf3649e7203d2c4342c914ee4d718e56e88106427699c6
Instruction ID: 62acee11f6cddc33422ab2ef891494c2f09af1471c8346e022248c52c9553f13
Opcode Fuzzy Hash: e27bbef9eb5f28e076bf3649e7203d2c4342c914ee4d718e56e88106427699c6
Instruction Fuzzy Hash: A9719230614A08CFEF66DF1C80AD3A4B3D5FF55302F94465E9589C7692CBB89A80C7D6

Function 0000023BEAF24580 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 233
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_CallSETranslator.LIBVCRUNTIME ref: 0000023BEAF2462B

Strings

RCC, xrefs: 0000023BEAF245FB
MOC, xrefs: 0000023BEAF245F3

Memory Dump Source

Source File: 00000000.00000002.1523579969.0000023BEAF21000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000023BEAF21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23beaf21000_loaddll64.jbxd

Yara matches

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: 9263fe20008c7eccda2d837675211652d6c96f36503d8c2c93f65cb69d80355e
Instruction ID: 9b8515205725ad70e9880158a87e9ad7ab25be8791b197deb3a1c8b217583a26
Opcode Fuzzy Hash: 9263fe20008c7eccda2d837675211652d6c96f36503d8c2c93f65cb69d80355e
Instruction Fuzzy Hash: FD71B030518B488FEB65DF1CC44ABEAB7E4FF9A301F440A5DE589C3152DB78A5818792

Function 0000023BEAF22CF0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 233
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000023BEAF22D1B
_IsNonwritableInCurrentImage.LIBCMT ref: 0000023BEAF22DB2

Strings

csm, xrefs: 0000023BEAF22D99

Memory Dump Source

Source File: 00000000.00000002.1523579969.0000023BEAF21000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000023BEAF21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23beaf21000_loaddll64.jbxd

Yara matches

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm
API String ID: 3242871069-1018135373
Opcode ID: 43c5b6145a0bc1a6e7f1a4078bb18beee855f0c15013e264a2f6e222c992594d
Instruction ID: a7f7db320f8958e12c4da2c71decfc520380bed441795937863d9c372ac6ad30
Opcode Fuzzy Hash: 43c5b6145a0bc1a6e7f1a4078bb18beee855f0c15013e264a2f6e222c992594d
Instruction Fuzzy Hash: 0871D630208E048BEF29EF5CE4997B4B3D9FF55310F90456EE986C3296EB28ED5186D1

Analysis Process: regsvr32.exePID: 3568, Parent PID: 2940COMMON

Execution Graph

Execution Coverage:	1.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	23
Total number of Limit Nodes:	2

Executed Functions

Function 027120E0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 134
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE ref: 0271211D
GetLocaleInfoA.KERNELBASE ref: 027121E5

Strings

5, xrefs: 0271225D

Memory Dump Source

Source File: 00000003.00000002.1496317670.0000000002711000.00000040.00001000.00020000.00000000.sdmp, Offset: 02711000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2711000_regsvr32.jbxd

Yara matches

Similarity

API ID: CreateInfoLocaleThread
String ID: 5
API String ID: 899703944-2226203566
Opcode ID: 53e6023148aec332c40765bce66317f8f0d3847e40e453e3a9759d4f43b705e2
Instruction ID: de4734a884ce3819ed1bcebb133f8720ad11962c7c1ff771914c7f49e482db74
Opcode Fuzzy Hash: 53e6023148aec332c40765bce66317f8f0d3847e40e453e3a9759d4f43b705e2
Instruction Fuzzy Hash: C041D430214A488BE71AEF68DC9C6AB77E2FFD4305F84852DE54BC61A5DF388509CB42

Function 02711000 Relevance: 1.5, APIs: 1, Instructions: 46
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVolumeNameForVolumeMountPointA.KERNEL32 ref: 0271104B

Memory Dump Source

Source File: 00000003.00000002.1496317670.0000000002711000.00000040.00001000.00020000.00000000.sdmp, Offset: 02711000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2711000_regsvr32.jbxd

Yara matches

Similarity

API ID: Volume$MountNamePoint
String ID:
API String ID: 1269602640-0
Opcode ID: 790c3e5c04854700e94b4d90c23288a0a6dd65ca27d7b0edd1071683d7a5972d
Instruction ID: 6f37dfe6dddffd0bb15a4bdffdf5d89a9bd19370fbd22213184f6d93f601126d
Opcode Fuzzy Hash: 790c3e5c04854700e94b4d90c23288a0a6dd65ca27d7b0edd1071683d7a5972d
Instruction Fuzzy Hash: 290167305086448FFB06EB28D8987D677E1F769305F008569E0CAC72A5DEBC8658C741

Function 02716F68 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?,?,?,?,?,?,?,02716F64), ref: 02716F93

Memory Dump Source

Source File: 00000003.00000002.1496317670.0000000002711000.00000040.00001000.00020000.00000000.sdmp, Offset: 02711000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2711000_regsvr32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 05666283937c1f08677c7088b7fd24b6f81cfbeb3c6d91aeb7e4e1034e6939b2
Instruction ID: 57d0993756bcd0b9e219a5a2c07b81f172a19254917d7951f2905ac365dfe76f
Opcode Fuzzy Hash: 05666283937c1f08677c7088b7fd24b6f81cfbeb3c6d91aeb7e4e1034e6939b2
Instruction Fuzzy Hash: CED09E243007095FEB197BBD599C22D266EDF46205F001C386903CB6A6DE3A98498B42

Function 027120B0 Relevance: 1.5, APIs: 1, Instructions: 14
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MessageBoxA.USER32 ref: 027120CA

Memory Dump Source

Source File: 00000003.00000002.1496317670.0000000002711000.00000040.00001000.00020000.00000000.sdmp, Offset: 02711000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2711000_regsvr32.jbxd

Yara matches

Similarity

API ID: Message
String ID:
API String ID: 2030045667-0
Opcode ID: b1c7642022b5e6b88316a0d0a9cd98790ccd3d47a32ec667f729e349532e1fef
Instruction ID: f0c8c8b179c2aaeca1855f2f357fd550bc39611e5f4a8834ea67c0cbc9ad4e3c
Opcode Fuzzy Hash: b1c7642022b5e6b88316a0d0a9cd98790ccd3d47a32ec667f729e349532e1fef
Instruction Fuzzy Hash: 1DC0123016180847E708BB34EC595D136E4FB5C304FD089399407C5450E96D82844A82

Non-executed Functions

Function 027140B0 Relevance: 12.7, APIs: 4, Strings: 3, Instructions: 463
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 0271410C

Part of subcall function 02715054: __GetUnwindTryBlock.LIBCMT ref: 02715097
Part of subcall function 02715054: __SetUnwindTryBlock.LIBVCRUNTIME ref: 027150BC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 027141E4
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 02714433
std::bad_alloc::bad_alloc.LIBCMT ref: 0271453F

Strings

csm, xrefs: 0271418D
csm, xrefs: 02714126
csm, xrefs: 02714207

Memory Dump Source

Source File: 00000003.00000002.1496317670.0000000002711000.00000040.00001000.00020000.00000000.sdmp, Offset: 02711000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2711000_regsvr32.jbxd

Yara matches

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 3ccd74b83f4e218917afb10b63cd26341559b906269fc65534a34942f520602e
Instruction ID: 55dd3a90e60e199b121ecdca52cdc3de58e3d81f6e0d419de87b0f0b3f7d327f
Opcode Fuzzy Hash: 3ccd74b83f4e218917afb10b63cd26341559b906269fc65534a34942f520602e
Instruction Fuzzy Hash: 8AE1A230918B488FDB25EF6CC499AADB7E1FF99314F54065ED489D7215DB30E881CB82

Function 02714930 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 201
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 02714958
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 02714A40

Strings

csm, xrefs: 0271497A
csm, xrefs: 02714A92

Memory Dump Source

Source File: 00000003.00000002.1496317670.0000000002711000.00000040.00001000.00020000.00000000.sdmp, Offset: 02711000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2711000_regsvr32.jbxd

Yara matches

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: e27bbef9eb5f28e076bf3649e7203d2c4342c914ee4d718e56e88106427699c6
Instruction ID: 3de8b948d1e11cfbb61e45bb01d5aca73a8796e18b9f88210f84d8f5ed682855
Opcode Fuzzy Hash: e27bbef9eb5f28e076bf3649e7203d2c4342c914ee4d718e56e88106427699c6
Instruction Fuzzy Hash: A9619D34614B098FCB78DF2C80A9725B7E2FF98315F68465ED48AC7695DB34D880CB86

Function 02712CF0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 233
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 02712D1B
_IsNonwritableInCurrentImage.LIBCMT ref: 02712DB2

Strings

csm, xrefs: 02712D99

Memory Dump Source

Source File: 00000003.00000002.1496317670.0000000002711000.00000040.00001000.00020000.00000000.sdmp, Offset: 02711000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2711000_regsvr32.jbxd

Yara matches

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm
API String ID: 3242871069-1018135373
Opcode ID: 43c5b6145a0bc1a6e7f1a4078bb18beee855f0c15013e264a2f6e222c992594d
Instruction ID: 53ba45f5ad2102472fbd87ea418f2525198cbce37f48592d92f5ff6030f100a8
Opcode Fuzzy Hash: 43c5b6145a0bc1a6e7f1a4078bb18beee855f0c15013e264a2f6e222c992594d
Instruction Fuzzy Hash: 36618F30218A298BCF28EE5CD889A7477D1FF54354B10456EEC8AC7257EB34E895CB85

Function 02714580 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 233
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_CallSETranslator.LIBVCRUNTIME ref: 0271462B

Strings

MOC, xrefs: 027145F3
RCC, xrefs: 027145FB

Memory Dump Source

Source File: 00000003.00000002.1496317670.0000000002711000.00000040.00001000.00020000.00000000.sdmp, Offset: 02711000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2711000_regsvr32.jbxd

Yara matches

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: 9263fe20008c7eccda2d837675211652d6c96f36503d8c2c93f65cb69d80355e
Instruction ID: 6d93f1c81776c6ef07aafcf9c0bc417321835046f1d6c2e587836531f328a791
Opcode Fuzzy Hash: 9263fe20008c7eccda2d837675211652d6c96f36503d8c2c93f65cb69d80355e
Instruction Fuzzy Hash: DA71BE30518B898FDB29EF1CD446BAAB7E0FF99314F144A5EE489C3211DB74E581CB82

Analysis Process: rundll32.exePID: 1868, Parent PID: 2940COMMON

Execution Graph

Execution Coverage:	1.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	23
Total number of Limit Nodes:	2

Executed Functions

Function 00000186B59A20E0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 134
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE ref: 00000186B59A211D
GetLocaleInfoA.KERNELBASE ref: 00000186B59A21E5

Strings

5, xrefs: 00000186B59A225D

Memory Dump Source

Source File: 00000005.00000002.1496397137.00000186B59A1000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000186B59A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_186b59a1000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateInfoLocaleThread
String ID: 5
API String ID: 899703944-2226203566
Opcode ID: 53e6023148aec332c40765bce66317f8f0d3847e40e453e3a9759d4f43b705e2
Instruction ID: 36d369c58d278520374bc5ae1cf69e2d1833336443c9a38feb82708aa46439ab
Opcode Fuzzy Hash: 53e6023148aec332c40765bce66317f8f0d3847e40e453e3a9759d4f43b705e2
Instruction Fuzzy Hash: FB419E31B14A888BE719EF64D89D7EA77E1FB94309F40852DF147C21A6DF3885058B52

Function 00000186B59A1000 Relevance: 1.5, APIs: 1, Instructions: 46
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVolumeNameForVolumeMountPointA.KERNEL32 ref: 00000186B59A104B

Memory Dump Source

Source File: 00000005.00000002.1496397137.00000186B59A1000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000186B59A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_186b59a1000_rundll32.jbxd

Yara matches

Similarity

API ID: Volume$MountNamePoint
String ID:
API String ID: 1269602640-0
Opcode ID: 790c3e5c04854700e94b4d90c23288a0a6dd65ca27d7b0edd1071683d7a5972d
Instruction ID: 5358aaf3e3963aa82820fd9c32590dcd170d6bcb3fb131da2a5376fba3fe7728
Opcode Fuzzy Hash: 790c3e5c04854700e94b4d90c23288a0a6dd65ca27d7b0edd1071683d7a5972d
Instruction Fuzzy Hash: 1001673160C5848FFB06EB28D8987D677E1F769305F008569E0CBC72A6DE7C8658C751

Function 00000186B59A6F68 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?,?,?,?,?,?,?,00000186B59A6F64), ref: 00000186B59A6F93

Memory Dump Source

Source File: 00000005.00000002.1496397137.00000186B59A1000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000186B59A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_186b59a1000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 05666283937c1f08677c7088b7fd24b6f81cfbeb3c6d91aeb7e4e1034e6939b2
Instruction ID: 2722973286a2687d01b7fce2a392584d12207876fd7a06baba0a60e48c4c2cd4
Opcode Fuzzy Hash: 05666283937c1f08677c7088b7fd24b6f81cfbeb3c6d91aeb7e4e1034e6939b2
Instruction Fuzzy Hash: 15D05E30B003080FFB187BB8998C3ED2661CB45349F006838B903CB6E7CD3A884A8712

Function 00000186B59A20B0 Relevance: 1.5, APIs: 1, Instructions: 14
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MessageBoxA.USER32 ref: 00000186B59A20CA

Memory Dump Source

Source File: 00000005.00000002.1496397137.00000186B59A1000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000186B59A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_186b59a1000_rundll32.jbxd

Yara matches

Similarity

API ID: Message
String ID:
API String ID: 2030045667-0
Opcode ID: b1c7642022b5e6b88316a0d0a9cd98790ccd3d47a32ec667f729e349532e1fef
Instruction ID: f0c8c8b179c2aaeca1855f2f357fd550bc39611e5f4a8834ea67c0cbc9ad4e3c
Opcode Fuzzy Hash: b1c7642022b5e6b88316a0d0a9cd98790ccd3d47a32ec667f729e349532e1fef
Instruction Fuzzy Hash: 1DC0123016180847E708BB34EC595D136E4FB5C304FD089399407C5450E96D82844A82

Non-executed Functions

Function 00000186B59A40B0 Relevance: 12.7, APIs: 4, Strings: 3, Instructions: 463
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00000186B59A410C

Part of subcall function 00000186B59A5054: __GetUnwindTryBlock.LIBCMT ref: 00000186B59A5097
Part of subcall function 00000186B59A5054: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00000186B59A50BC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00000186B59A41E4
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00000186B59A4433
std::bad_alloc::bad_alloc.LIBCMT ref: 00000186B59A453F

Strings

csm, xrefs: 00000186B59A4126
csm, xrefs: 00000186B59A418D
csm, xrefs: 00000186B59A4207

Memory Dump Source

Source File: 00000005.00000002.1496397137.00000186B59A1000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000186B59A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_186b59a1000_rundll32.jbxd

Yara matches

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 3ccd74b83f4e218917afb10b63cd26341559b906269fc65534a34942f520602e
Instruction ID: e5d43d337c1301a0a4090adfa510529f991db3ecf105995db97fcd3bd1a95093
Opcode Fuzzy Hash: 3ccd74b83f4e218917afb10b63cd26341559b906269fc65534a34942f520602e
Instruction Fuzzy Hash: 7DF17030A18A888FEB54FF68C4897E977E0FB59318F54865DE449C3292DF30D981CB92

Function 00000186B59A4930 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 201
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000186B59A4958
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00000186B59A4A40

Strings

csm, xrefs: 00000186B59A4A92
csm, xrefs: 00000186B59A497A

Memory Dump Source

Source File: 00000005.00000002.1496397137.00000186B59A1000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000186B59A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_186b59a1000_rundll32.jbxd

Yara matches

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: e27bbef9eb5f28e076bf3649e7203d2c4342c914ee4d718e56e88106427699c6
Instruction ID: b95e9d1b6f9d4572f4f5acac595052f0f748bf4b32d7d0817c5bc4b537306f4b
Opcode Fuzzy Hash: e27bbef9eb5f28e076bf3649e7203d2c4342c914ee4d718e56e88106427699c6
Instruction Fuzzy Hash: 68718330B14A848FEBA4BB18808D3E8B3D5FB94319F54855EE44DC7696CF30DA80C792

Function 00000186B59A4580 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 233
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_CallSETranslator.LIBVCRUNTIME ref: 00000186B59A462B

Strings

RCC, xrefs: 00000186B59A45FB
MOC, xrefs: 00000186B59A45F3

Memory Dump Source

Source File: 00000005.00000002.1496397137.00000186B59A1000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000186B59A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_186b59a1000_rundll32.jbxd

Yara matches

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: 9263fe20008c7eccda2d837675211652d6c96f36503d8c2c93f65cb69d80355e
Instruction ID: cc4f47306922ce7f83bbaac4f1663beb9daed41d7ec0732496a3893922f15ee8
Opcode Fuzzy Hash: 9263fe20008c7eccda2d837675211652d6c96f36503d8c2c93f65cb69d80355e
Instruction Fuzzy Hash: 9C719430A18B888FE765FF18D44ABEAB7E0FB99304F04865DE48DC3151DB74A581CB92

Function 00000186B59A2CF0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 233
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000186B59A2D1B
_IsNonwritableInCurrentImage.LIBCMT ref: 00000186B59A2DB2

Strings

csm, xrefs: 00000186B59A2D99

Memory Dump Source

Source File: 00000005.00000002.1496397137.00000186B59A1000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000186B59A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_186b59a1000_rundll32.jbxd

Yara matches

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm
API String ID: 3242871069-1018135373
Opcode ID: 43c5b6145a0bc1a6e7f1a4078bb18beee855f0c15013e264a2f6e222c992594d
Instruction ID: 26350316e3751351467774684b457e76d959ab0c6eb9ec4a8108eea34fb29ba6
Opcode Fuzzy Hash: 43c5b6145a0bc1a6e7f1a4078bb18beee855f0c15013e264a2f6e222c992594d
Instruction Fuzzy Hash: 36718030B08A448BDF68BB5CD4897F873D1EB54354F20857EF886C7297EA24E99187A1

Analysis Process: rundll32.exePID: 1840, Parent PID: 1272COMMON

Execution Graph

Execution Coverage:	1.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	30
Total number of Limit Nodes:	4

Executed Functions

Function 000002AB0BF320E0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 134
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE ref: 000002AB0BF3211D
GetLocaleInfoA.KERNELBASE ref: 000002AB0BF321E5

Strings

5, xrefs: 000002AB0BF3225D

Memory Dump Source

Source File: 00000006.00000002.1496760430.000002AB0BF31000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002AB0BF31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2ab0bf31000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateInfoLocaleThread
String ID: 5
API String ID: 899703944-2226203566
Opcode ID: 53e6023148aec332c40765bce66317f8f0d3847e40e453e3a9759d4f43b705e2
Instruction ID: 14167ccccfb001675f7224c7fed0ce108603675092fa9524a05b982a4a86a2f1
Opcode Fuzzy Hash: 53e6023148aec332c40765bce66317f8f0d3847e40e453e3a9759d4f43b705e2
Instruction Fuzzy Hash: D341AE322186488BE75AEB34D89D7EB73E1FB95301F40862DE247C21A6EF389505CA42

Function 000002AB0BF3A87C Relevance: 1.6, APIs: 1, Instructions: 104
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNELBASE ref: 000002AB0BF3A90B

Memory Dump Source

Source File: 00000006.00000002.1496760430.000002AB0BF31000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002AB0BF31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2ab0bf31000_rundll32.jbxd

Yara matches

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 96bd17cdbec1199f7060c8e4f9a6f8fd574a155b9e298efd3bd16726f0fb32a2
Instruction ID: 8f73c685ba07ae3fdd791131af2858c4b41658b2aa3675e2e2f049e1dcb1879a
Opcode Fuzzy Hash: 96bd17cdbec1199f7060c8e4f9a6f8fd574a155b9e298efd3bd16726f0fb32a2
Instruction Fuzzy Hash: 9631F631608E1A8FD7A6DF3C84987A977D0F70A760F650349E59AD71E6DB30D8A1C382

Function 000002AB0BF31000 Relevance: 1.5, APIs: 1, Instructions: 46
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVolumeNameForVolumeMountPointA.KERNEL32 ref: 000002AB0BF3104B

Memory Dump Source

Source File: 00000006.00000002.1496760430.000002AB0BF31000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002AB0BF31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2ab0bf31000_rundll32.jbxd

Yara matches

Similarity

API ID: Volume$MountNamePoint
String ID:
API String ID: 1269602640-0
Opcode ID: 790c3e5c04854700e94b4d90c23288a0a6dd65ca27d7b0edd1071683d7a5972d
Instruction ID: ca6f0a80d88c64db3b454879474e4b8aa279377e60c8989d220e242d4c1a79d6
Opcode Fuzzy Hash: 790c3e5c04854700e94b4d90c23288a0a6dd65ca27d7b0edd1071683d7a5972d
Instruction Fuzzy Hash: A501A73160C5448FFB06EB28D8987D637E1F769301F008169E0CAC72A6DE7C8548C741

Function 000002AB0BF36F68 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?,?,?,?,?,?,?,000002AB0BF36F64), ref: 000002AB0BF36F93

Memory Dump Source

Source File: 00000006.00000002.1496760430.000002AB0BF31000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002AB0BF31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2ab0bf31000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 05666283937c1f08677c7088b7fd24b6f81cfbeb3c6d91aeb7e4e1034e6939b2
Instruction ID: c1da9aa8b2fb39b536b52d899caa4972fc69cf8e5eb2f109ae782a32a8576a51
Opcode Fuzzy Hash: 05666283937c1f08677c7088b7fd24b6f81cfbeb3c6d91aeb7e4e1034e6939b2
Instruction Fuzzy Hash: A5D05E203043087FFB197BB8598C3AE2661EB47205F0018386A03CB6E7EE3B8849C703

Function 000002AB0BF320B0 Relevance: 1.5, APIs: 1, Instructions: 14
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MessageBoxA.USER32 ref: 000002AB0BF320CA

Memory Dump Source

Source File: 00000006.00000002.1496760430.000002AB0BF31000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002AB0BF31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2ab0bf31000_rundll32.jbxd

Yara matches

Similarity

API ID: Message
String ID:
API String ID: 2030045667-0
Opcode ID: b1c7642022b5e6b88316a0d0a9cd98790ccd3d47a32ec667f729e349532e1fef
Instruction ID: f0c8c8b179c2aaeca1855f2f357fd550bc39611e5f4a8834ea67c0cbc9ad4e3c
Opcode Fuzzy Hash: b1c7642022b5e6b88316a0d0a9cd98790ccd3d47a32ec667f729e349532e1fef
Instruction Fuzzy Hash: 1DC0123016180847E708BB34EC595D136E4FB5C304FD089399407C5450E96D82844A82

Non-executed Functions

Function 000002AB0BF340B0 Relevance: 12.7, APIs: 4, Strings: 3, Instructions: 463
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000002AB0BF3410C

Part of subcall function 000002AB0BF35054: __GetUnwindTryBlock.LIBCMT ref: 000002AB0BF35097
Part of subcall function 000002AB0BF35054: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000002AB0BF350BC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000002AB0BF341E4
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000002AB0BF34433
std::bad_alloc::bad_alloc.LIBCMT ref: 000002AB0BF3453F

Strings

csm, xrefs: 000002AB0BF34126
csm, xrefs: 000002AB0BF34207
csm, xrefs: 000002AB0BF3418D

Memory Dump Source

Source File: 00000006.00000002.1496760430.000002AB0BF31000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002AB0BF31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2ab0bf31000_rundll32.jbxd

Yara matches

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 3ccd74b83f4e218917afb10b63cd26341559b906269fc65534a34942f520602e
Instruction ID: 975d6721177ef2c4dc52ec9e2a1bd17e63d4c356c68885b239512b64b0ed7c19
Opcode Fuzzy Hash: 3ccd74b83f4e218917afb10b63cd26341559b906269fc65534a34942f520602e
Instruction Fuzzy Hash: 1AF15E31A18A488BEB55EF68C4897EA77E0FB5A710F50065DE549C3297EF30D881CB82

Function 000002AB0BF34930 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 201
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002AB0BF34958
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000002AB0BF34A40

Strings

csm, xrefs: 000002AB0BF34A92
csm, xrefs: 000002AB0BF3497A

Memory Dump Source

Source File: 00000006.00000002.1496760430.000002AB0BF31000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002AB0BF31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2ab0bf31000_rundll32.jbxd

Yara matches

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: e27bbef9eb5f28e076bf3649e7203d2c4342c914ee4d718e56e88106427699c6
Instruction ID: b294d57f7c13259d3cfc76e0ede637a68932c616628f66d90f85e1fa3d76c15e
Opcode Fuzzy Hash: e27bbef9eb5f28e076bf3649e7203d2c4342c914ee4d718e56e88106427699c6
Instruction Fuzzy Hash: B1718F32714A088BEBA9DF28808D3A6B3D1FB55B11F54465A9689C7793EF349880C787

Function 000002AB0BF32CF0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 233
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002AB0BF32D1B
_IsNonwritableInCurrentImage.LIBCMT ref: 000002AB0BF32DB2

Strings

csm, xrefs: 000002AB0BF32D99

Memory Dump Source

Source File: 00000006.00000002.1496760430.000002AB0BF31000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002AB0BF31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2ab0bf31000_rundll32.jbxd

Yara matches

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm
API String ID: 3242871069-1018135373
Opcode ID: 43c5b6145a0bc1a6e7f1a4078bb18beee855f0c15013e264a2f6e222c992594d
Instruction ID: be72413d044d5e11ac0df3a4e9a5b31e1b5d07992e69b6a059b8c251ff98372d
Opcode Fuzzy Hash: 43c5b6145a0bc1a6e7f1a4078bb18beee855f0c15013e264a2f6e222c992594d
Instruction Fuzzy Hash: AD71B332308A048BDB29EA6CD48A7B673D1FB55750F10456EE986C3297FF34EC91C686

Function 000002AB0BF34580 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 233
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_CallSETranslator.LIBVCRUNTIME ref: 000002AB0BF3462B

Strings

RCC, xrefs: 000002AB0BF345FB
MOC, xrefs: 000002AB0BF345F3

Memory Dump Source

Source File: 00000006.00000002.1496760430.000002AB0BF31000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002AB0BF31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2ab0bf31000_rundll32.jbxd

Yara matches

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: 9263fe20008c7eccda2d837675211652d6c96f36503d8c2c93f65cb69d80355e
Instruction ID: 4a691683be783e3ec267cc556142c3516a54a907b163fd53df713d654786af68
Opcode Fuzzy Hash: 9263fe20008c7eccda2d837675211652d6c96f36503d8c2c93f65cb69d80355e
Instruction Fuzzy Hash: C971B631618B488FE765DF28C44ABE6B7E0FB9A700F04465DE589C3252EB74E581C783

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. The Regsvr32.exe binary may also be signed by Microsoft.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Module: Module Load, Network Traffic: Network Connection Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report yjF33u9fqZ.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Exports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: loaddll64.exePID: 2940, Parent PID: 4084

General

Chronological Activities

Analysis Process: conhost.exePID: 3712, Parent PID: 2940

General

Windows Analysis Report
yjF33u9fqZ.dll

Function 0000023BEAF220E0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 134
threadCOMMON

Function 0000023BEAF2A87C Relevance: 1.6, APIs: 1, Instructions: 104
COMMON

Function 0000023BEAF21000 Relevance: 1.5, APIs: 1, Instructions: 46
COMMON

Function 0000023BEAF26F68 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Function 0000023BEAF220B0 Relevance: 1.5, APIs: 1, Instructions: 14
windowCOMMON

Function 0000023BEAF240B0 Relevance: 12.7, APIs: 4, Strings: 3, Instructions: 463
COMMON

Function 0000023BEAF24930 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 201
COMMON

Function 0000023BEAF24580 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 233
COMMON

Function 0000023BEAF22CF0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 233
COMMON

Function 027120E0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 134
threadCOMMON

Function 02711000 Relevance: 1.5, APIs: 1, Instructions: 46
COMMON

Function 02716F68 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Function 027120B0 Relevance: 1.5, APIs: 1, Instructions: 14
windowCOMMON

Function 027140B0 Relevance: 12.7, APIs: 4, Strings: 3, Instructions: 463
COMMON

Function 02714930 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 201
COMMON

Function 02712CF0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 233
COMMON

Function 02714580 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 233
COMMON

Function 00000186B59A20E0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 134
threadCOMMON