Edit tour
Windows
Analysis Report
file.exe
Overview
General Information
| Sample name: | file.exe |
| Analysis ID: | 1561844 |
| MD5: | 7dc51c5014010a56bd8a33d256831a30 |
| SHA1: | a53650f246ad15a2091b55e59b0a054a9bbcfb8b |
| SHA256: | 49118fb0d2560d592dcad173d9ecd9b50b0c2fe1bcd3f6e39f841e1a00470852 |
| Tags: | exeuser-Bitsight |
| Infos: |  |
 | |
Detection
LummaC Stealer
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Query firmware table information (likely to detect VMs)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Classification
- System is w10x64
file.exe (PID: 1272 cmdline: "C:\Users\ user\Deskt op\file.ex e" MD5: 7DC51C5014010A56BD8A33D256831A30) 
conhost.exe (PID: 3744 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - file.exe (PID: 4348 cmdline:
"C:\Users\ user\Deskt op\file.ex e" MD5: 7DC51C5014010A56BD8A33D256831A30)
- cleanup
{"C2 url": "https://push-hook.cyou/api", "Build Version": "FATE99--test"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | ||
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security |
⊘No Sigma rule has matched
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-24T13:28:26.947808+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49730 | 172.67.161.207 | 443 | TCP |
| 2024-11-24T13:28:29.679577+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49731 | 172.67.161.207 | 443 | TCP |
| 2024-11-24T13:28:31.967163+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49732 | 172.67.161.207 | 443 | TCP |
| 2024-11-24T13:28:34.333964+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49733 | 172.67.161.207 | 443 | TCP |
| 2024-11-24T13:28:36.718837+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49734 | 172.67.161.207 | 443 | TCP |
| 2024-11-24T13:28:39.545095+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49735 | 172.67.161.207 | 443 | TCP |
| 2024-11-24T13:28:42.319305+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49736 | 172.67.161.207 | 443 | TCP |
| 2024-11-24T13:28:48.318465+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49741 | 172.67.161.207 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-24T13:28:28.391969+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49730 | 172.67.161.207 | 443 | TCP |
| 2024-11-24T13:28:30.377505+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 172.67.161.207 | 443 | TCP |
| 2024-11-24T13:28:49.042986+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49741 | 172.67.161.207 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-24T13:28:28.391969+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.4 | 49730 | 172.67.161.207 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-24T13:28:30.377505+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 172.67.161.207 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-24T13:28:40.250640+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 172.67.161.207 | 443 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Malware Configuration Extractor: | ||
| Source: | ReversingLabs: | ||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Static PE information: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_000C17FB | |
| Source: | Code function: | 2_2_0040E0D8 | |
| Source: | Code function: | 2_2_0043B8E0 | |
| Source: | Code function: | 2_2_0043B8E0 | |
| Source: | Code function: | 2_2_004098F0 | |
| Source: | Code function: | 2_2_0040E35B | |
| Source: | Code function: | 2_2_0040CF05 | |
| Source: | Code function: | 2_2_0043C040 | |
| Source: | Code function: | 2_2_0043C040 | |
| Source: | Code function: | 2_2_0043C040 | |
| Source: | Code function: | 2_2_0043C040 | |
| Source: | Code function: | 2_2_0043B860 | |
| Source: | Code function: | 2_2_00420870 | |
| Source: | Code function: | 2_2_0040C02B | |
| Source: | Code function: | 2_2_0043F8D0 | |
| Source: | Code function: | 2_2_0043F8D0 | |
| Source: | Code function: | 2_2_0043BCE0 | |
| Source: | Code function: | 2_2_00405C90 | |
| Source: | Code function: | 2_2_00405C90 | |
| Source: | Code function: | 2_2_0040BC9D | |
| Source: | Code function: | 2_2_00428CB0 | |
| Source: | Code function: | 2_2_0040E970 | |
| Source: | Code function: | 2_2_0040AD00 | |
| Source: | Code function: | 2_2_0040EA38 | |
| Source: | Code function: | 2_2_00425E90 | |
| Source: | Code function: | 2_2_00440F60 | |
| Source: | Code function: | 2_2_004077D0 | |
| Source: | Code function: | 2_2_004077D0 | |
Networking | |
|---|
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | URLs: | ||
| Source: | ASN Name: | ||
| Source: | JA3 fingerprint: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | DNS traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Code function: | 2_2_00434470 | |
| Source: | Code function: | 2_2_00434470 | |
| Source: | Code function: | 0_2_000AA050 | |
| Source: | Code function: | 0_2_000A8190 | |
| Source: | Code function: | 0_2_000A1000 | |
| Source: | Code function: | 0_2_000B6030 | |
| Source: | Code function: | 0_2_000B3D10 | |
| Source: | Code function: | 0_2_000B89D0 | |
| Source: | Code function: | 0_2_000AFE20 | |
| Source: | Code function: | 0_2_000B8270 | |
| Source: | Code function: | 0_2_000ADEF0 | |
| Source: | Code function: | 0_2_000B5780 | |
| Source: | Code function: | 0_2_000C6FF2 | |
| Source: | Code function: | 2_2_000A1000 | |
| Source: | Code function: | 2_2_000B6030 | |
| Source: | Code function: | 2_2_000AA050 | |
| Source: | Code function: | 2_2_000A8190 | |
| Source: | Code function: | 2_2_000B89D0 | |
| Source: | Code function: | 2_2_000B8270 | |
| Source: | Code function: | 2_2_000B3D10 | |
| Source: | Code function: | 2_2_000AFE20 | |
| Source: | Code function: | 2_2_000ADEF0 | |
| Source: | Code function: | 2_2_000B5780 | |
| Source: | Code function: | 2_2_000C6FF2 | |
| Source: | Code function: | 2_2_00439030 | |
| Source: | Code function: | 2_2_0040E0D8 | |
| Source: | Code function: | 2_2_0043B8E0 | |
| Source: | Code function: | 2_2_004098F0 | |
| Source: | Code function: | 2_2_00440C80 | |
| Source: | Code function: | 2_2_00423D70 | |
| Source: | Code function: | 2_2_00419530 | |
| Source: | Code function: | 2_2_00441580 | |
| Source: | Code function: | 2_2_004089A0 | |
| Source: | Code function: | 2_2_00428770 | |
| Source: | Code function: | 2_2_0040CF05 | |
| Source: | Code function: | 2_2_00421790 | |
| Source: | Code function: | 2_2_00406840 | |
| Source: | Code function: | 2_2_0043C040 | |
| Source: | Code function: | 2_2_00420870 | |
| Source: | Code function: | 2_2_00406CC0 | |
| Source: | Code function: | 2_2_004094D0 | |
| Source: | Code function: | 2_2_0043F8D0 | |
| Source: | Code function: | 2_2_004324E0 | |
| Source: | Code function: | 2_2_00405C90 | |
| Source: | Code function: | 2_2_00428CB0 | |
| Source: | Code function: | 2_2_0040E970 | |
| Source: | Code function: | 2_2_0040AD00 | |
| Source: | Code function: | 2_2_004341D0 | |
| Source: | Code function: | 2_2_00403580 | |
| Source: | Code function: | 2_2_004061A0 | |
| Source: | Code function: | 2_2_00420650 | |
| Source: | Code function: | 2_2_0040B210 | |
| Source: | Code function: | 2_2_00409210 | |
| Source: | Code function: | 2_2_00427E20 | |
| Source: | Code function: | 2_2_00404AC0 | |
| Source: | Code function: | 2_2_00425E90 | |
| Source: | Code function: | 2_2_0041FB60 | |
| Source: | Code function: | 2_2_00440F60 | |
| Source: | Code function: | 2_2_0041DB30 | |
| Source: | Code function: | 2_2_004027D0 | |
| Source: | Code function: | 2_2_004077D0 | |
| Source: | Code function: | 2_2_00402B80 | |
| Source: | Code function: | 2_2_0043C780 | |
| Source: | Code function: | 2_2_004387B0 | |
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 2_2_00439030 | |
| Source: | Mutant created: | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | ReversingLabs: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_000B9BF8 | |
| Source: | Code function: | 2_3_02C7AAB9 | |
| Source: | Code function: | 2_3_02C5F4D6 | |
| Source: | Code function: | 2_3_02C5F4D6 | |
| Source: | Code function: | 2_3_02C5F2AE | |
| Source: | Code function: | 2_3_02C5F2AE | |
| Source: | Code function: | 2_3_02C5F6B6 | |
| Source: | Code function: | 2_3_02C5F6B6 | |
| Source: | Code function: | 2_3_02C0DED2 | |
| Source: | Code function: | 2_3_02C0DED2 | |
| Source: | Code function: | 2_3_02C0E73E | |
| Source: | Code function: | 2_3_02C0E73E | |
| Source: | Code function: | 2_3_02C5F4D6 | |
| Source: | Code function: | 2_3_02C5F4D6 | |
| Source: | Code function: | 2_3_02C5F2AE | |
| Source: | Code function: | 2_3_02C5F2AE | |
| Source: | Code function: | 2_3_02C5F6B6 | |
| Source: | Code function: | 2_3_02C5F6B6 | |
| Source: | Code function: | 2_3_02C0DED2 | |
| Source: | Code function: | 2_3_02C0DED2 | |
| Source: | Code function: | 2_3_02C0E73E | |
| Source: | Code function: | 2_3_02C0E73E | |
| Source: | Code function: | 2_2_000B9BF8 | |
| Source: | Code function: | 2_2_00415058 | |
| Source: | Code function: | 2_2_0041802B | |
| Source: | Code function: | 2_2_00416438 | |
| Source: | Code function: | 2_2_00418102 | |
| Source: | Code function: | 2_2_00418135 | |
| Source: | Code function: | 2_2_004181DB | |
| Source: | Code function: | 2_2_00414BD4 | |
| Source: | Code function: | 0_2_000B9CC2 | |
| Source: | Registry key monitored for changes: | Jump to behavior | ||
| Source: | Registry key monitored for changes: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | System information queried: | Jump to behavior | ||
| Source: | API coverage: | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | WMI Queries: | ||
| Source: | Last function: | ||
| Source: | Code function: | 0_2_000C17FB | |
| Source: | Binary or memory string: | ||
| Source: | Process information queried: | Jump to behavior | ||
| Source: | Code function: | 2_2_0043DF70 | |
| Source: | Code function: | 0_2_000BA464 | |
| Source: | Code function: | 0_2_000D018D | |
| Source: | Code function: | 0_2_000ADD90 | |
| Source: | Code function: | 0_2_000A9EF0 | |
| Source: | Code function: | 2_2_000ADD90 | |
| Source: | Code function: | 2_2_000A9EF0 | |
| Source: | Code function: | 0_2_000BEFB0 | |
| Source: | Code function: | 0_2_000BA458 | |
| Source: | Code function: | 0_2_000BA464 | |
| Source: | Code function: | 0_2_000BCDEA | |
| Source: | Code function: | 0_2_000B9AF9 | |
| Source: | Code function: | 2_2_000B9AF9 | |
| Source: | Code function: | 2_2_000BA458 | |
| Source: | Code function: | 2_2_000BA464 | |
| Source: | Code function: | 2_2_000BCDEA | |
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | Code function: | 0_2_000D018D | |
| Source: | Memory written: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Code function: | 0_2_000BA220 | |
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Code function: | 0_2_000BA8E5 | |
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | WMI Queries: | ||
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | File source: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Windows Management Instrumentation | 1 DLL Side-Loading | 211 Process Injection | 11 Virtualization/Sandbox Evasion | 2 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 211 Process Injection | LSASS Memory | 1 Query Registry | Remote Desktop Protocol | 41 Data from Local System | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Deobfuscate/Decode Files or Information | Security Account Manager | 141 Security Software Discovery | SMB/Windows Admin Shares | 2 Clipboard Data | 113 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 3 Obfuscated Files or Information | NTDS | 11 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Software Packing | LSA Secrets | 1 Process Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 11 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | 33 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 50% | ReversingLabs | Win32.Trojan.CrypterX | ||
| 100% | Joe Sandbox ML |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| push-hook.cyou | 172.67.161.207 | true | true | unknown |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| true |
| unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| true |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 172.67.161.207 | push-hook.cyou | United States | 13335 | CLOUDFLARENETUS | true |
| Joe Sandbox version: | 41.0.0 Charoite |
| Analysis ID: | 1561844 |
| Start date and time: | 2024-11-24 13:27:31 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 6m 45s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Run name: | Run with higher sleep bypass |
| Number of analysed new started processes analysed: | 7 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | file.exe |
| Detection: | MAL |
| Classification: | mal100.troj.spyw.evad.winEXE@4/0@1/1 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
- VT rate limit hit for: file.exe
⊘No simulations
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 172.67.161.207 | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| push-hook.cyou | Get hash | malicious | LummaC | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| CLOUDFLARENETUS | Get hash | malicious | LummaC Stealer | Browse |
| |
| Get hash | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| a0e9f5d64349fb13191bc781f81f42e1 | Get hash | malicious | LummaC Stealer | Browse |
| |
| Get hash | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
|
⊘No context
⊘No created / dropped files found
| File type: | |
| Entropy (8bit): | 7.691993266523074 |
| TrID: |
|
| File name: | file.exe |
| File size: | 513'536 bytes |
| MD5: | 7dc51c5014010a56bd8a33d256831a30 |
| SHA1: | a53650f246ad15a2091b55e59b0a054a9bbcfb8b |
| SHA256: | 49118fb0d2560d592dcad173d9ecd9b50b0c2fe1bcd3f6e39f841e1a00470852 |
| SHA512: | 92aa662d5047d965ca93ed7f22aab9d16e47cf1d7a0b9f593c43aea2cccc94e8bb697808ff9fbfd6010cc02b7cd2c15395a4218b5e3c234a2ce3b0124998ddd6 |
| SSDEEP: | 12288:MuYPABqG93bG2zYH13IgLmfJ/+czMnKLESaK1g1Z:dYPABNLGTV33I+czvFaT1Z |
| TLSH: | 74B4E02AB5A3A0A3F5932C354194AA75851FBF350F22A5FB57201B786F3B5D2C132B43 |
| File Content Preview: | MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....Ag.................h........................@..........................0............@.................................T...<.. |
 | |
| Icon Hash: | 90cececece8e8eb0 |
| Entrypoint: | 0x41a890 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows cui |
| Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
| DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, GUARD_CF, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x6741DAB7 [Sat Nov 23 13:37:59 2024 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 6 |
| OS Version Minor: | 0 |
| File Version Major: | 6 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 6 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 887797384d81c493a9d8ee55dad3b2e1 |
| Instruction |
|---|
| call 00007F5D0481602Ah |
| jmp 00007F5D04815E8Dh |
| mov ecx, dword ptr [004305F0h] |
| push esi |
| push edi |
| mov edi, BB40E64Eh |
| mov esi, FFFF0000h |
| cmp ecx, edi |
| je 00007F5D04816026h |
| test esi, ecx |
| jne 00007F5D04816048h |
| call 00007F5D04816051h |
| mov ecx, eax |
| cmp ecx, edi |
| jne 00007F5D04816029h |
| mov ecx, BB40E64Fh |
| jmp 00007F5D04816030h |
| test esi, ecx |
| jne 00007F5D0481602Ch |
| or eax, 00004711h |
| shl eax, 10h |
| or ecx, eax |
| mov dword ptr [004305F0h], ecx |
| not ecx |
| pop edi |
| mov dword ptr [004305ECh], ecx |
| pop esi |
| ret |
| push ebp |
| mov ebp, esp |
| sub esp, 14h |
| and dword ptr [ebp-0Ch], 00000000h |
| lea eax, dword ptr [ebp-0Ch] |
| and dword ptr [ebp-08h], 00000000h |
| push eax |
| call dword ptr [0042E46Ch] |
| mov eax, dword ptr [ebp-08h] |
| xor eax, dword ptr [ebp-0Ch] |
| mov dword ptr [ebp-04h], eax |
| call dword ptr [0042E430h] |
| xor dword ptr [ebp-04h], eax |
| call dword ptr [0042E42Ch] |
| xor dword ptr [ebp-04h], eax |
| lea eax, dword ptr [ebp-14h] |
| push eax |
| call dword ptr [0042E4A8h] |
| mov eax, dword ptr [ebp-10h] |
| lea ecx, dword ptr [ebp-04h] |
| xor eax, dword ptr [ebp-14h] |
| xor eax, dword ptr [ebp-04h] |
| xor eax, ecx |
| leave |
| ret |
| mov eax, 00004000h |
| ret |
| push 00431970h |
| call dword ptr [0042E488h] |
| ret |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| mov al, 01h |
| ret |
| push 00030000h |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2e254 | 0x3c | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x34000 | 0x143c | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x287c0 | 0xc0 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x2e3c8 | 0x138 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x266ba | 0x26800 | 9fc12b2919d7993b7875b406673b0c41 | False | 0.5423155945616883 | data | 6.676506145316532 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x28000 | 0x7264 | 0x7400 | 662c29d34464011348a2d81d315c214b | False | 0.40833782327586204 | data | 4.811823385654876 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x30000 | 0x2068 | 0x1000 | 51c3c578bc7da757e8ebeb0ea4aceef9 | False | 0.484619140625 | OpenPGP Secret Key | 5.084546541546572 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .bss | 0x33000 | 0x8 | 0x200 | 64e01fde7e0180fcba7fdb172e6bbca6 | False | 0.03125 | data | 0.06116285224115448 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x34000 | 0x143c | 0x1600 | a55fdfa9c914f00e7079e3187805e326 | False | 0.7510653409090909 | data | 6.285750152953626 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| .coS | 0x36000 | 0x4cc00 | 0x4cc00 | 6290a165a90da79884f6db5fc3416ad6 | False | 1.000337184446254 | data | 7.999418311050769 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| DLL | Import |
|---|---|
| KERNEL32.dll | CloseHandle, CompareStringW, CreateFileA, CreateFileW, CreateThread, DecodePointer, DeleteCriticalSection, EncodePointer, EnterCriticalSection, ExitProcess, ExitThread, FindClose, FindFirstFileExW, FindNextFileW, FlushFileBuffers, FreeEnvironmentStringsW, FreeLibrary, FreeLibraryAndExitThread, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetExitCodeThread, GetFileSize, GetFileType, GetLastError, GetModuleFileNameW, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, ReadFile, RtlUnwind, SetEnvironmentVariableW, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, WaitForSingleObjectEx, WideCharToMultiByte, WriteConsoleW, WriteFile |
| GDI32.dll | CreateEllipticRgn |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-24T13:28:26.947808+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49730 | 172.67.161.207 | 443 | TCP |
| 2024-11-24T13:28:28.391969+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49730 | 172.67.161.207 | 443 | TCP |
| 2024-11-24T13:28:28.391969+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49730 | 172.67.161.207 | 443 | TCP |
| 2024-11-24T13:28:29.679577+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49731 | 172.67.161.207 | 443 | TCP |
| 2024-11-24T13:28:30.377505+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.4 | 49731 | 172.67.161.207 | 443 | TCP |
| 2024-11-24T13:28:30.377505+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49731 | 172.67.161.207 | 443 | TCP |
| 2024-11-24T13:28:31.967163+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49732 | 172.67.161.207 | 443 | TCP |
| 2024-11-24T13:28:34.333964+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49733 | 172.67.161.207 | 443 | TCP |
| 2024-11-24T13:28:36.718837+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49734 | 172.67.161.207 | 443 | TCP |
| 2024-11-24T13:28:39.545095+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49735 | 172.67.161.207 | 443 | TCP |
| 2024-11-24T13:28:40.250640+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.4 | 49735 | 172.67.161.207 | 443 | TCP |
| 2024-11-24T13:28:42.319305+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49736 | 172.67.161.207 | 443 | TCP |
| 2024-11-24T13:28:48.318465+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49741 | 172.67.161.207 | 443 | TCP |
| 2024-11-24T13:28:49.042986+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49741 | 172.67.161.207 | 443 | TCP |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Nov 24, 2024 13:28:25.707968950 CET | 49730 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:25.707990885 CET | 443 | 49730 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:25.708168983 CET | 49730 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:25.711374998 CET | 49730 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:25.711390018 CET | 443 | 49730 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:26.947737932 CET | 443 | 49730 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:26.947808027 CET | 49730 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:27.090934992 CET | 49730 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:27.090946913 CET | 443 | 49730 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:27.091254950 CET | 443 | 49730 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:27.155019045 CET | 49730 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:27.562056065 CET | 49730 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:27.562092066 CET | 49730 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:27.562169075 CET | 443 | 49730 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:28.391997099 CET | 443 | 49730 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:28.392111063 CET | 443 | 49730 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:28.392184973 CET | 49730 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:28.394568920 CET | 49730 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:28.394579887 CET | 443 | 49730 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:28.441118002 CET | 49731 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:28.441221952 CET | 443 | 49731 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:28.441329002 CET | 49731 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:28.441623926 CET | 49731 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:28.441656113 CET | 443 | 49731 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:29.679464102 CET | 443 | 49731 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:29.679577112 CET | 49731 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:29.687242031 CET | 49731 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:29.687263966 CET | 443 | 49731 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:29.687577009 CET | 443 | 49731 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:29.688807011 CET | 49731 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:29.688844919 CET | 49731 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:29.688895941 CET | 443 | 49731 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:30.377530098 CET | 443 | 49731 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:30.377580881 CET | 443 | 49731 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:30.377616882 CET | 443 | 49731 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:30.377640009 CET | 49731 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:30.377650023 CET | 443 | 49731 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:30.377662897 CET | 443 | 49731 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:30.377696037 CET | 49731 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:30.377717018 CET | 443 | 49731 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:30.377763987 CET | 49731 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:30.377787113 CET | 443 | 49731 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:30.386003971 CET | 443 | 49731 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:30.386064053 CET | 49731 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:30.386081934 CET | 443 | 49731 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:30.402859926 CET | 443 | 49731 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:30.402914047 CET | 49731 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:30.402935982 CET | 443 | 49731 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:30.451906919 CET | 49731 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:30.497250080 CET | 443 | 49731 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:30.545665979 CET | 49731 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:30.545711994 CET | 443 | 49731 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:30.577797890 CET | 443 | 49731 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:30.577846050 CET | 49731 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:30.577871084 CET | 443 | 49731 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:30.577894926 CET | 443 | 49731 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:30.577951908 CET | 49731 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:30.578020096 CET | 49731 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:30.578054905 CET | 443 | 49731 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:30.578083038 CET | 49731 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:30.578097105 CET | 443 | 49731 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:30.667752028 CET | 49732 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:30.667838097 CET | 443 | 49732 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:30.667923927 CET | 49732 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:30.668325901 CET | 49732 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:30.668364048 CET | 443 | 49732 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:31.966943026 CET | 443 | 49732 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:31.967163086 CET | 49732 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:31.968548059 CET | 49732 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:31.968580961 CET | 443 | 49732 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:31.968830109 CET | 443 | 49732 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:31.970065117 CET | 49732 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:31.970254898 CET | 49732 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:31.970303059 CET | 443 | 49732 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:31.970386028 CET | 49732 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:31.970400095 CET | 443 | 49732 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:33.019207001 CET | 443 | 49732 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:33.019300938 CET | 443 | 49732 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:33.019365072 CET | 49732 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:33.019567966 CET | 49732 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:33.019610882 CET | 443 | 49732 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:33.096831083 CET | 49733 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:33.096931934 CET | 443 | 49733 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:33.097026110 CET | 49733 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:33.097347021 CET | 49733 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:33.097381115 CET | 443 | 49733 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:34.333877087 CET | 443 | 49733 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:34.333964109 CET | 49733 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:34.335335016 CET | 49733 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:34.335367918 CET | 443 | 49733 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:34.335607052 CET | 443 | 49733 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:34.336690903 CET | 49733 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:34.336795092 CET | 49733 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:34.336833954 CET | 443 | 49733 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:35.229486942 CET | 443 | 49733 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:35.229600906 CET | 443 | 49733 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:35.229717970 CET | 49733 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:35.230057001 CET | 49733 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:35.230101109 CET | 443 | 49733 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:35.444794893 CET | 49734 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:35.444880962 CET | 443 | 49734 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:35.444967985 CET | 49734 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:35.445318937 CET | 49734 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:35.445353031 CET | 443 | 49734 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:36.718710899 CET | 443 | 49734 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:36.718837023 CET | 49734 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:36.720297098 CET | 49734 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:36.720347881 CET | 443 | 49734 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:36.720599890 CET | 443 | 49734 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:36.721820116 CET | 49734 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:36.721975088 CET | 49734 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:36.722024918 CET | 443 | 49734 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:36.722105026 CET | 49734 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:36.722136974 CET | 443 | 49734 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:37.603647947 CET | 443 | 49734 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:37.603768110 CET | 443 | 49734 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:37.603827953 CET | 49734 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:37.604058027 CET | 49734 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:37.604091883 CET | 443 | 49734 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:38.266875982 CET | 49735 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:38.266972065 CET | 443 | 49735 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:38.267086983 CET | 49735 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:38.267432928 CET | 49735 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:38.267479897 CET | 443 | 49735 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:39.544965982 CET | 443 | 49735 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:39.545094967 CET | 49735 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:39.546515942 CET | 49735 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:39.546550035 CET | 443 | 49735 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:39.546789885 CET | 443 | 49735 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:39.548065901 CET | 49735 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:39.548151016 CET | 49735 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:39.548162937 CET | 443 | 49735 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:40.250648975 CET | 443 | 49735 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:40.250739098 CET | 443 | 49735 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:40.250833988 CET | 49735 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:40.262191057 CET | 49735 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:40.262240887 CET | 443 | 49735 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:40.976569891 CET | 49736 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:40.976655960 CET | 443 | 49736 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:40.976747990 CET | 49736 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:40.977108955 CET | 49736 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:40.977148056 CET | 443 | 49736 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:42.319107056 CET | 443 | 49736 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:42.319304943 CET | 49736 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:42.320496082 CET | 49736 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:42.320533991 CET | 443 | 49736 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:42.320775986 CET | 443 | 49736 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:42.336457014 CET | 49736 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:42.337310076 CET | 49736 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:42.337357044 CET | 443 | 49736 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:42.338012934 CET | 49736 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:42.338061094 CET | 443 | 49736 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:42.338371992 CET | 49736 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:42.338426113 CET | 443 | 49736 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:42.338674068 CET | 49736 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:42.338723898 CET | 443 | 49736 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:42.338917971 CET | 49736 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:42.338965893 CET | 443 | 49736 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:42.339308023 CET | 49736 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:42.339364052 CET | 443 | 49736 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:42.339382887 CET | 49736 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:42.339411974 CET | 443 | 49736 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:42.339618921 CET | 49736 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:42.339659929 CET | 443 | 49736 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:42.339706898 CET | 49736 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:42.339796066 CET | 49736 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:42.339859009 CET | 49736 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:42.383364916 CET | 443 | 49736 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:42.383614063 CET | 49736 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:42.383661985 CET | 443 | 49736 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:42.383711100 CET | 49736 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:42.383744955 CET | 443 | 49736 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:42.383883953 CET | 49736 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:42.383943081 CET | 443 | 49736 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:47.046854973 CET | 443 | 49736 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:47.046953917 CET | 443 | 49736 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:47.047142982 CET | 49736 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:47.047202110 CET | 49736 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:47.077841043 CET | 49741 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:47.077874899 CET | 443 | 49741 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:47.078036070 CET | 49741 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:47.078296900 CET | 49741 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:47.078310013 CET | 443 | 49741 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:48.318348885 CET | 443 | 49741 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:48.318464994 CET | 49741 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:48.322189093 CET | 49741 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:48.322197914 CET | 443 | 49741 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:48.322467089 CET | 443 | 49741 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:48.330749035 CET | 49741 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:48.330761909 CET | 49741 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:48.330812931 CET | 443 | 49741 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:49.043009996 CET | 443 | 49741 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:49.043108940 CET | 443 | 49741 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:49.043215036 CET | 49741 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:49.043494940 CET | 49741 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:49.043513060 CET | 443 | 49741 | 172.67.161.207 | 192.168.2.4 |
| Nov 24, 2024 13:28:49.043524027 CET | 49741 | 443 | 192.168.2.4 | 172.67.161.207 |
| Nov 24, 2024 13:28:49.043529987 CET | 443 | 49741 | 172.67.161.207 | 192.168.2.4 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Nov 24, 2024 13:28:25.560316086 CET | 52189 | 53 | 192.168.2.4 | 1.1.1.1 |
| Nov 24, 2024 13:28:25.702203035 CET | 53 | 52189 | 1.1.1.1 | 192.168.2.4 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Nov 24, 2024 13:28:25.560316086 CET | 192.168.2.4 | 1.1.1.1 | 0x706 | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Nov 24, 2024 13:28:25.702203035 CET | 1.1.1.1 | 192.168.2.4 | 0x706 | No error (0) | 172.67.161.207 | A (IP address) | IN (0x0001) | false | ||
| Nov 24, 2024 13:28:25.702203035 CET | 1.1.1.1 | 192.168.2.4 | 0x706 | No error (0) | 104.21.10.6 | A (IP address) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.4 | 49730 | 172.67.161.207 | 443 | 4348 | C:\Users\user\Desktop\file.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-11-24 12:28:27 UTC | 261 | OUT | |
| 2024-11-24 12:28:27 UTC | 8 | OUT | |
| 2024-11-24 12:28:28 UTC | 1020 | IN | |
| 2024-11-24 12:28:28 UTC | 7 | IN | |
| 2024-11-24 12:28:28 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.4 | 49731 | 172.67.161.207 | 443 | 4348 | C:\Users\user\Desktop\file.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-11-24 12:28:29 UTC | 262 | OUT | |
| 2024-11-24 12:28:29 UTC | 46 | OUT | |
| 2024-11-24 12:28:30 UTC | 1013 | IN | |
| 2024-11-24 12:28:30 UTC | 356 | IN | |
| 2024-11-24 12:28:30 UTC | 1369 | IN | |
| 2024-11-24 12:28:30 UTC | 1369 | IN | |
| 2024-11-24 12:28:30 UTC | 1369 | IN | |
| 2024-11-24 12:28:30 UTC | 1369 | IN | |
| 2024-11-24 12:28:30 UTC | 1369 | IN | |
| 2024-11-24 12:28:30 UTC | 1369 | IN | |
| 2024-11-24 12:28:30 UTC | 1369 | IN | |
| 2024-11-24 12:28:30 UTC | 1369 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 2 | 192.168.2.4 | 49732 | 172.67.161.207 | 443 | 4348 | C:\Users\user\Desktop\file.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-11-24 12:28:31 UTC | 277 | OUT | |
| 2024-11-24 12:28:31 UTC | 15331 | OUT | |
| 2024-11-24 12:28:31 UTC | 2813 | OUT | |
| 2024-11-24 12:28:33 UTC | 1016 | IN | |
| 2024-11-24 12:28:33 UTC | 19 | IN | |
| 2024-11-24 12:28:33 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 3 | 192.168.2.4 | 49733 | 172.67.161.207 | 443 | 4348 | C:\Users\user\Desktop\file.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-11-24 12:28:34 UTC | 269 | OUT | |
| 2024-11-24 12:28:34 UTC | 8723 | OUT | |
| 2024-11-24 12:28:35 UTC | 1014 | IN | |
| 2024-11-24 12:28:35 UTC | 19 | IN | |
| 2024-11-24 12:28:35 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 4 | 192.168.2.4 | 49734 | 172.67.161.207 | 443 | 4348 | C:\Users\user\Desktop\file.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-11-24 12:28:36 UTC | 275 | OUT | |
| 2024-11-24 12:28:36 UTC | 15331 | OUT | |
| 2024-11-24 12:28:36 UTC | 5075 | OUT | |
| 2024-11-24 12:28:37 UTC | 1015 | IN | |
| 2024-11-24 12:28:37 UTC | 19 | IN | |
| 2024-11-24 12:28:37 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 5 | 192.168.2.4 | 49735 | 172.67.161.207 | 443 | 4348 | C:\Users\user\Desktop\file.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-11-24 12:28:39 UTC | 275 | OUT | |
| 2024-11-24 12:28:39 UTC | 1216 | OUT | |
| 2024-11-24 12:28:40 UTC | 1022 | IN | |
| 2024-11-24 12:28:40 UTC | 19 | IN | |
| 2024-11-24 12:28:40 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 6 | 192.168.2.4 | 49736 | 172.67.161.207 | 443 | 4348 | C:\Users\user\Desktop\file.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-11-24 12:28:42 UTC | 273 | OUT | |
| 2024-11-24 12:28:42 UTC | 15331 | OUT | |
| 2024-11-24 12:28:42 UTC | 15331 | OUT | |
| 2024-11-24 12:28:42 UTC | 15331 | OUT | |
| 2024-11-24 12:28:42 UTC | 15331 | OUT | |
| 2024-11-24 12:28:42 UTC | 15331 | OUT | |
| 2024-11-24 12:28:42 UTC | 15331 | OUT | |
| 2024-11-24 12:28:42 UTC | 15331 | OUT | |
| 2024-11-24 12:28:42 UTC | 15331 | OUT | |
| 2024-11-24 12:28:42 UTC | 15331 | OUT | |
| 2024-11-24 12:28:42 UTC | 15331 | OUT | |
| 2024-11-24 12:28:47 UTC | 1021 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 7 | 192.168.2.4 | 49741 | 172.67.161.207 | 443 | 4348 | C:\Users\user\Desktop\file.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-11-24 12:28:48 UTC | 262 | OUT | |
| 2024-11-24 12:28:48 UTC | 81 | OUT | |
| 2024-11-24 12:28:49 UTC | 1015 | IN | |
| 2024-11-24 12:28:49 UTC | 54 | IN | |
| 2024-11-24 12:28:49 UTC | 5 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 07:28:23 |
| Start date: | 24/11/2024 |
| Path: | C:\Users\user\Desktop\file.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xa0000 |
| File size: | 513'536 bytes |
| MD5 hash: | 7DC51C5014010A56BD8A33D256831A30 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
| Target ID: | 1 |
| Start time: | 07:28:23 |
| Start date: | 24/11/2024 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7699e0000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 2 |
| Start time: | 07:28:24 |
| Start date: | 24/11/2024 |
| Path: | C:\Users\user\Desktop\file.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xa0000 |
| File size: | 513'536 bytes |
| MD5 hash: | 7DC51C5014010A56BD8A33D256831A30 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
Execution Graph
| Execution Coverage: | 4.4% |
| Dynamic/Decrypted Code Coverage: | 0.5% |
| Signature Coverage: | 4.2% |
| Total number of Nodes: | 1659 |
| Total number of Limit Nodes: | 23 |
Graph
Function 000D018D Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 295threadinjectionmemoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000AA050 Relevance: 13.9, APIs: 6, Strings: 1, Instructions: 1601fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000A8190 Relevance: 2.8, Strings: 1, Instructions: 1555COMMON
Download Yara Rule
Control-flow Graph
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000ADD90 Relevance: .0, Instructions: 29COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000BEDF3 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000BBD06 Relevance: 4.6, APIs: 3, Instructions: 51threadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000BF752 Relevance: 3.1, APIs: 2, Instructions: 65COMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000BBE20 Relevance: 3.0, APIs: 2, Instructions: 38threadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000C00EB Relevance: 3.0, APIs: 2, Instructions: 22memoryCOMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000B6E20 Relevance: 1.6, APIs: 1, Instructions: 86COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000ADE10 Relevance: 1.5, APIs: 1, Instructions: 41COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000C0C65 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000B9CC2 Relevance: 143.7, APIs: 41, Strings: 41, Instructions: 180libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000ADEF0 Relevance: 9.7, APIs: 5, Instructions: 2248COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000A1000 Relevance: 8.6, Strings: 3, Instructions: 4838COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000C17FB Relevance: 6.2, APIs: 4, Instructions: 206fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000BA464 Relevance: 6.1, APIs: 4, Instructions: 73COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000AFE20 Relevance: 4.9, Strings: 1, Instructions: 3648COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000BA220 Relevance: 1.6, APIs: 1, Instructions: 147COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000BA458 Relevance: 1.5, APIs: 1, Instructions: 3COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000BEFB0 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000B8270 Relevance: .7, Instructions: 669COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000B89D0 Relevance: .6, Instructions: 582COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000B6030 Relevance: .5, Instructions: 544COMMONLIBRARYCODE
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000B5780 Relevance: .5, Instructions: 499COMMONLIBRARYCODE
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000A9EF0 Relevance: .0, Instructions: 15COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000BE0F3 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 303COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000C5328 Relevance: 12.2, APIs: 8, Instructions: 248COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000BBF74 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000C2F3D Relevance: 7.7, APIs: 5, Instructions: 197COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000BE518 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 114COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000C2C7E Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000C15D8 Relevance: 6.1, APIs: 4, Instructions: 82COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000C224D Relevance: 6.1, APIs: 4, Instructions: 74COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000BDD8C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 93COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Execution Graph
| Execution Coverage: | 7.1% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 48.6% |
| Total number of Nodes: | 243 |
| Total number of Limit Nodes: | 16 |
Graph
Function 00439030 Relevance: 32.1, APIs: 11, Strings: 7, Instructions: 621memorycomCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040CF05 Relevance: 18.1, Strings: 14, Instructions: 574COMMON
Download Yara Rule
Control-flow Graph
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004098F0 Relevance: 11.7, Strings: 9, Instructions: 428COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004089A0 Relevance: 7.7, APIs: 5, Instructions: 242threadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043DF70 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040E0D8 Relevance: 1.4, Strings: 1, Instructions: 190COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043B8E0 Relevance: .2, Instructions: 217COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043DED0 Relevance: 1.6, APIs: 1, Instructions: 62memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043B7E0 Relevance: 1.5, APIs: 1, Instructions: 49memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040CE80 Relevance: 1.5, APIs: 1, Instructions: 17COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040CEB3 Relevance: 1.5, APIs: 1, Instructions: 17COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00434470 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 111clipboardCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000BA464 Relevance: 6.1, APIs: 4, Instructions: 73COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00420870 Relevance: 5.9, Strings: 4, Instructions: 861COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040AD00 Relevance: 5.4, Strings: 4, Instructions: 424COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00425E90 Relevance: 5.3, Strings: 4, Instructions: 295COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040C02B Relevance: 3.9, Strings: 3, Instructions: 166COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043C040 Relevance: 3.1, Strings: 2, Instructions: 624COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040E970 Relevance: 2.6, Strings: 2, Instructions: 106COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00428CB0 Relevance: 1.7, Strings: 1, Instructions: 490COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00440F60 Relevance: 1.5, Strings: 1, Instructions: 272COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043BCE0 Relevance: 1.5, Strings: 1, Instructions: 261COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040EA38 Relevance: 1.4, Strings: 1, Instructions: 139COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043F8D0 Relevance: .8, Instructions: 813COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004077D0 Relevance: .8, Instructions: 758COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405C90 Relevance: .4, Instructions: 417COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040BC9D Relevance: .0, Instructions: 31COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043B860 Relevance: .0, Instructions: 13COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000B9CC2 Relevance: 143.7, APIs: 41, Strings: 41, Instructions: 180libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000BE0F3 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 303COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000C5328 Relevance: 12.2, APIs: 8, Instructions: 248COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000BEDF3 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000BBF74 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000C2F3D Relevance: 7.7, APIs: 5, Instructions: 197COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000BE518 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 114COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000C2C7E Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000C15D8 Relevance: 6.1, APIs: 4, Instructions: 82COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000C1B74 Relevance: 6.1, APIs: 4, Instructions: 79COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000C224D Relevance: 6.1, APIs: 4, Instructions: 74COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000BDD8C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 93COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 02C61C6E Relevance: 5.1, Strings: 4, Instructions: 87COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|