Edit tour
Windows
Analysis Report
flupdate.exe
Overview
General Information
| Sample name: | flupdate.exe |
| Analysis ID: | 1562193 |
| MD5: | 728d903e430115d74f5adbd2f725f2eb |
| SHA1: | 7786bd4ce8f25bc023722b4cb6fc17860a5e29bd |
| SHA256: | c1d322835ee594b660a39b105516d944a92bba93af7c8b3f5e7bd0828aa6afe1 |
| Infos: |
Detection
| Score: | 48 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
AI detected suspicious sample
Found evasive API chain (may stop execution after checking mutex)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found evaded block containing many API calls
Found evasive API chain (may stop execution after checking a module file name)
Found potential string decryption / allocating functions
Program does not show much activity (idle)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
flupdate.exe (PID: 7512 cmdline: "C:\Users\ user\Deskt op\flupdat e.exe" MD5: 728D903E430115D74F5ADBD2F725F2EB)
- cleanup
⊘No configs have been found
⊘No yara matches
⊘No Sigma rule has matched
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00402870 | |
| Source: | String found in binary or memory: | ||
| Source: | Code function: | 0_2_00401834 | |
| Source: | Code function: | 0_2_00412CCC | |
| Source: | Code function: | 0_2_004078EF | |
| Source: | Code function: | 0_2_00412090 | |
| Source: | Code function: | 0_2_00413CB1 | |
| Source: | Code function: | 0_2_00403D70 | |
| Source: | Code function: | 0_2_004125D4 | |
| Source: | Code function: | 0_2_00411B4C | |
| Source: | Code function: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 0_2_004026F0 | |
| Source: | Mutant created: | ||
| Source: | Command line argument: | 0_2_00401E45 | |
| Source: | Command line argument: | 0_2_00401E45 | |
| Source: | Command line argument: | 0_2_00401E45 | |
| Source: | Command line argument: | 0_2_00401E45 | |
| Source: | Command line argument: | 0_2_00401E45 | |
| Source: | Command line argument: | 0_2_00401E45 | |
| Source: | Command line argument: | 0_2_00401E45 | |
| Source: | Command line argument: | 0_2_00401E45 | |
| Source: | Command line argument: | 0_2_00401E45 | |
| Source: | Key opened: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Code function: | 0_2_004376D0 | |
| Source: | Code function: | 0_2_004050D0 | |
| Source: | Code function: | 0_2_004209B9 | |
| Source: | Code function: | 0_2_004209B9 | |
| Source: | Code function: | 0_2_00407F10 | |
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
Malware Analysis System Evasion | |
|---|
| Source: | Evasive API call chain: | graph_0-9535 | ||
| Source: | Evaded block: | graph_0-9551 | ||
| Source: | Evasive API call chain: | graph_0-9547 | ||
| Source: | Thread injection, dropped files, key value created, disk infection and DNS query: | ||
| Source: | Code function: | 0_2_00402870 | |
| Source: | API call chain: | graph_0-12300 | ||
| Source: | Code function: | 0_2_004086F0 | |
| Source: | Code function: | 0_2_004376D0 | |
| Source: | Code function: | 0_2_004116D9 | |
| Source: | Thread injection, dropped files, key value created, disk infection and DNS query: | ||
| Source: | Code function: | 0_2_00410421 | |
| Source: | Code function: | 0_2_0040D02A | |
| Source: | Code function: | 0_2_004086F0 | |
| Source: | Code function: | 0_2_00404FC8 | |
| Source: | Code function: | 0_2_00413A30 | |
| Source: | Code function: | 0_2_0040D755 | |
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Software Packing | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | 13 Native API | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 2 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 DLL Side-Loading | Security Account Manager | 1 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 21 Obfuscated Files or Information | NTDS | 14 System Information Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Avira URL Cloud | safe |
⊘No contacted domains info
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false |
| unknown |
⊘No contacted IP infos
| Joe Sandbox version: | 41.0.0 Charoite |
| Analysis ID: | 1562193 |
| Start date and time: | 2024-11-25 10:29:31 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 1m 43s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 1 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | flupdate.exe |
| Detection: | MAL |
| Classification: | mal48.evad.winEXE@1/0@0/0 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- VT rate limit hit for: flupdate.exe
⊘No simulations
⊘No created / dropped files found
| File type: | |
| Entropy (8bit): | 7.738303090285732 |
| TrID: |
|
| File name: | flupdate.exe |
| File size: | 262'144 bytes |
| MD5: | 728d903e430115d74f5adbd2f725f2eb |
| SHA1: | 7786bd4ce8f25bc023722b4cb6fc17860a5e29bd |
| SHA256: | c1d322835ee594b660a39b105516d944a92bba93af7c8b3f5e7bd0828aa6afe1 |
| SHA512: | d6190757b48f90b19c1a1d11937590f16201c55df93cc700a65a7dafc9dabe580fc39372a749e82aeb48f81047ab35eb52aa359a6011a0b290e6fd938f909b39 |
| SSDEEP: | 6144:qPKo3zZhCncVIKQOpmYUDuXrdmSHPUUKVVBeaw:V0z/dvwYUDuXT8xBw |
| TLSH: | 09441215EF1E5CC4F0C4CB7A0597AE3A07F4F4522505736922F8E6EC2E36E44C6A22A7 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......7..ts..'s..'s..'..A'v..'z.B'd..'Tv.'t..'s..'...'z.T'...'z.S'V..'m.C'r..'z.F'r..'Richs..'........................PE..L.....:]... |
 | |
| Icon Hash: | 4c1617edfa3d0f86 |
| Entrypoint: | 0x4376d0 |
| Entrypoint Section: | UPX1 |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE |
| DLL Characteristics: | TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x5D3AB080 [Fri Jul 26 07:49:20 2019 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 5 |
| OS Version Minor: | 0 |
| File Version Major: | 5 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 5 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 26bacf39ecc38d64cdc04c882ade86d1 |
| Instruction |
|---|
| pushad |
| mov esi, 0042B000h |
| lea edi, dword ptr [esi-0002A000h] |
| push edi |
| jmp 00007FA3D87EF41Dh |
| nop |
| mov al, byte ptr [esi] |
| inc esi |
| mov byte ptr [edi], al |
| inc edi |
| add ebx, ebx |
| jne 00007FA3D87EF419h |
| mov ebx, dword ptr [esi] |
| sub esi, FFFFFFFCh |
| adc ebx, ebx |
| jc 00007FA3D87EF3FFh |
| mov eax, 00000001h |
| add ebx, ebx |
| jne 00007FA3D87EF419h |
| mov ebx, dword ptr [esi] |
| sub esi, FFFFFFFCh |
| adc ebx, ebx |
| adc eax, eax |
| add ebx, ebx |
| jnc 00007FA3D87EF401h |
| jne 00007FA3D87EF41Bh |
| mov ebx, dword ptr [esi] |
| sub esi, FFFFFFFCh |
| adc ebx, ebx |
| jnc 00007FA3D87EF3F6h |
| xor ecx, ecx |
| sub eax, 03h |
| jc 00007FA3D87EF41Fh |
| shl eax, 08h |
| mov al, byte ptr [esi] |
| inc esi |
| xor eax, FFFFFFFFh |
| je 00007FA3D87EF486h |
| mov ebp, eax |
| add ebx, ebx |
| jne 00007FA3D87EF419h |
| mov ebx, dword ptr [esi] |
| sub esi, FFFFFFFCh |
| adc ebx, ebx |
| adc ecx, ecx |
| add ebx, ebx |
| jne 00007FA3D87EF419h |
| mov ebx, dword ptr [esi] |
| sub esi, FFFFFFFCh |
| adc ebx, ebx |
| adc ecx, ecx |
| jne 00007FA3D87EF432h |
| inc ecx |
| add ebx, ebx |
| jne 00007FA3D87EF419h |
| mov ebx, dword ptr [esi] |
| sub esi, FFFFFFFCh |
| adc ebx, ebx |
| adc ecx, ecx |
| add ebx, ebx |
| jnc 00007FA3D87EF401h |
| jne 00007FA3D87EF41Bh |
| mov ebx, dword ptr [esi] |
| sub esi, FFFFFFFCh |
| adc ebx, ebx |
| jnc 00007FA3D87EF3F6h |
| add ecx, 02h |
| cmp ebp, FFFFF300h |
| adc ecx, 01h |
| lea edx, dword ptr [edi+ebp] |
| cmp ebp, FFFFFFFCh |
| jbe 00007FA3D87EF421h |
| mov al, byte ptr [edx] |
| inc edx |
| mov byte ptr [edi], al |
| inc edi |
| dec ecx |
| jne 00007FA3D87EF409h |
| jmp 00007FA3D87EF378h |
| nop |
| mov eax, dword ptr [edx] |
| add edx, 04h |
| mov dword ptr [edi], eax |
| add edi, 04h |
| sub ecx, 04h |
| jnbe 00007FA3D87EF403h |
| add edi, ecx |
| jmp 00007FA3D87FF361h |
| Programming Language: |
|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3a2c8 | 0x114 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x38000 | 0x22c8 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x37858 | 0x48 | UPX1 |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| UPX0 | 0x1000 | 0x2a000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| UPX1 | 0x2b000 | 0xd000 | 0xca00 | ce349d1a7ab0f4665ba3f398917290a1 | False | 0.9862507735148515 | data | 7.900524926940504 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x38000 | 0x3000 | 0x2400 | f3048574b480eacd8b4ae85f0b9bc348 | False | 0.2849392361111111 | data | 4.2827029161518855 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0x38194 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | Hebrew | Israel | 0.5028901734104047 |
| RT_ICON | 0x38700 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | Hebrew | Israel | 0.41335740072202165 |
| RT_ICON | 0x38fac | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2688 | Hebrew | Israel | 0.3302238805970149 |
| RT_GROUP_ICON | 0x39e58 | 0x30 | data | Hebrew | Israel | 0.875 |
| RT_VERSION | 0x39e8c | 0x2d0 | data | English | United States | 0.44305555555555554 |
| RT_MANIFEST | 0x3a160 | 0x165 | ASCII text, with CRLF line terminators | English | United States | 0.5434173669467787 |
| DLL | Import |
|---|---|
| KERNEL32.DLL | LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess |
| USER32.dll | EndPaint |
| VERSION.dll | VerQueryValueA |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| Hebrew | Israel |  |
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node⊘No network behavior found
| Target ID: | 0 |
| Start time: | 04:30:21 |
| Start date: | 25/11/2024 |
| Path: | C:\Users\user\Desktop\flupdate.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 262'144 bytes |
| MD5 hash: | 728D903E430115D74F5ADBD2F725F2EB |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
Execution Graph
| Execution Coverage: | 7.3% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 3.5% |
| Total number of Nodes: | 2000 |
| Total number of Limit Nodes: | 27 |
Graph
Function 00401E45 Relevance: 45.7, APIs: 18, Strings: 8, Instructions: 230filesynchronizationCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401834 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 61nativewindowCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004376D0 Relevance: 7.7, APIs: 5, Instructions: 162COMMON
Download Yara Rule
Control-flow Graph
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405BF2 Relevance: 22.6, APIs: 15, Instructions: 86COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402650 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 63sleepCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004080AC Relevance: 1.5, APIs: 1, Instructions: 20memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040493B Relevance: 1.5, APIs: 1, Instructions: 10COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004056A8 Relevance: 1.5, APIs: 1, Instructions: 10COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00412CCC Relevance: 18.3, APIs: 4, Strings: 6, Instructions: 793COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402870 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 129fileCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00403D70 Relevance: 3.3, APIs: 2, Instructions: 277COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004026F0 Relevance: 1.5, APIs: 1, Instructions: 24COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040D02A Relevance: 1.5, APIs: 1, Instructions: 4COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401B08 Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 172processsynchronizationCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401611 Relevance: 36.9, APIs: 15, Strings: 6, Instructions: 129stringfilelibraryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406E0C Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 57libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004039A0 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 111sleepCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040118E Relevance: 9.1, APIs: 6, Instructions: 137COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402B50 Relevance: 9.1, APIs: 6, Instructions: 92sleepCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402A10 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 107fileCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004015D8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00403490 Relevance: 7.6, APIs: 5, Instructions: 146COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00403610 Relevance: 7.6, APIs: 5, Instructions: 128COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401A34 Relevance: 7.6, APIs: 5, Instructions: 77COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401032 Relevance: 7.6, APIs: 5, Instructions: 65COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004049A5 Relevance: 7.5, APIs: 5, Instructions: 44memoryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402CA0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 114sleepCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040CE1A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401DE7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 28registryCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00403AF0 Relevance: 6.0, APIs: 4, Instructions: 47sleepCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00403268 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 113fileCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|