Edit tour

Windows Analysis Report
xxx.exe

Overview

General Information

Sample name:	xxx.exe
Analysis ID:	1592728
MD5:	708adef6da5ac2ffee5f01f277560749
SHA1:	3dedb41674634e6b53dfaea704754cee7bddfbe3
SHA256:	0fec722a795adc9e313422c62e8ff0c7dac935dfef78da6560e38455a7739e4a
Tags:	Backdoorexemalwareuser-Joker
Infos:

Detection

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Found API chain indicative of debugger detection

Machine Learning detection for sample

Uses known network protocols on non-standard ports

Contains functionality to dynamically determine API calls

Detected TCP or UDP traffic on non-standard ports

PE file contains more sections than normal

PE file contains sections with non-standard names

Program does not show much activity (idle)

Classification

Process Tree

System is w10x64

xxx.exe (PID: 2420 cmdline: "C:\Users\user\Desktop\xxx.exe" MD5: 708ADEF6DA5AC2FFEE5F01F277560749)

conhost.exe (PID: 3160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://156.245.12.57:8000/999.html

Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: xxx.exe	ReversingLabs: Detection: 60%
Source: xxx.exe	Virustotal: Detection: 69%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.6% probability

Machine Learning detection for sample

Source: xxx.exe

Joe Sandbox ML: detected

Networking

Uses known network protocols on non-standard ports

Source: unknown

Network traffic detected: HTTP traffic on port 49709 -> 8000

Source: global traffic

TCP traffic: 192.168.2.6:49709 -> 156.245.12.57:8000

Source: unknown	TCP traffic detected without corresponding DNS query: 156.245.12.57
Source: unknown	TCP traffic detected without corresponding DNS query: 156.245.12.57
Source: unknown	TCP traffic detected without corresponding DNS query: 156.245.12.57
Source: unknown	TCP traffic detected without corresponding DNS query: 156.245.12.57
Source: unknown	TCP traffic detected without corresponding DNS query: 156.245.12.57

Source: global traffic

HTTP traffic detected: GET /999.html HTTP/1.1User-Agent: Microsoft helloHost: 156.245.12.57:8000Cache-Control: no-cache

Source: xxx.exe, 00000000.00000002.2373325221.0000000000749000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://156.245.12.57/
Source: xxx.exe, 00000000.00000002.2373325221.0000000000762000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://156.245.12.57/nes
Source: xxx.exe, 00000000.00000002.2373325221.0000000000722000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://156.245.12.57:8000/999.html
Source: xxx.exe, 00000000.00000002.2373325221.0000000000762000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://156.245.12.57:8000/999.html)
Source: xxx.exe, 00000000.00000002.2373325221.0000000000762000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://156.245.12.57:8000/999.html:

Source: xxx.exe

Static PE information: Number of sections : 15 > 10

Source: classification engine

Classification label: mal72.troj.evad.winEXE@2/0@0/1

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3160:120:WilError_03

Source: xxx.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\xxx.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: xxx.exe	ReversingLabs: Detection: 60%
Source: xxx.exe	Virustotal: Detection: 69%

Source: unknown	Process created: C:\Users\user\Desktop\xxx.exe "C:\Users\user\Desktop\xxx.exe"
Source: C:\Users\user\Desktop\xxx.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Users\user\Desktop\xxx.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\xxx.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\xxx.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\xxx.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\xxx.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\xxx.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\xxx.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\xxx.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\xxx.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\xxx.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\xxx.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\xxx.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\xxx.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\xxx.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\xxx.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\xxx.exe	Section loaded: netutils.dll	Jump to behavior

Source: C:\Users\user\Desktop\xxx.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\xxx.exe

Code function: 0_2_004017A0 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,InternetOpenA,InternetConnectA,HttpOpenRequestA,malloc,InternetCloseHandle,FreeLibrary,malloc,

0_2_004017A0

Source: xxx.exe	Static PE information: section name: .xdata
Source: xxx.exe	Static PE information: section name: /4
Source: xxx.exe	Static PE information: section name: /19
Source: xxx.exe	Static PE information: section name: /31
Source: xxx.exe	Static PE information: section name: /45
Source: xxx.exe	Static PE information: section name: /57
Source: xxx.exe	Static PE information: section name: /70

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown

Network traffic detected: HTTP traffic on port 49709 -> 8000

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: xxx.exe, 00000000.00000002.2373325221.000000000077F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW1
Source: xxx.exe, 00000000.00000002.2373325221.000000000077F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: xxx.exe, 00000000.00000002.2373325221.0000000000722000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWPrx%SystemRoot%\system32\mswsock.dll

Anti Debugging

Found API chain indicative of debugger detection

Source: C:\Users\user\Desktop\xxx.exe

Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep

graph_0-850

Source: C:\Users\user\Desktop\xxx.exe

0_2_004017A0

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\xxx.exe	Code function: 0_2_00401180 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,_initterm,GetStartupInfoA,	0_2_00401180
Source: C:\Users\user\Desktop\xxx.exe	Code function: 0_2_00401F50 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	0_2_00401F50
Source: C:\Users\user\Desktop\xxx.exe	Code function: 0_2_004092D0 SetUnhandledExceptionFilter,VirtualAlloc,	0_2_004092D0
Source: C:\Users\user\Desktop\xxx.exe	Code function: 0_2_004033A2 SetUnhandledExceptionFilter,	0_2_004033A2

Source: C:\Users\user\Desktop\xxx.exe

Code function: 0_2_00401E70 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_00401E70

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	Data from Local System	11 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	2 System Information Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
xxx.exe	61%	ReversingLabs	Win64.Hacktool.Vigorf
xxx.exe	69%	Virustotal		Browse
xxx.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://156.245.12.57/	0%	Avira URL Cloud	safe
http://156.245.12.57:8000/999.html:	0%	Avira URL Cloud	safe
http://156.245.12.57:8000/999.html	100%	Avira URL Cloud	malware
http://156.245.12.57:8000/999.html)	0%	Avira URL Cloud	safe
http://156.245.12.57/nes	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
http://156.245.12.57:8000/999.html	false	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://156.245.12.57/	xxx.exe, 00000000.00000002.2373325221.0000000000749000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://156.245.12.57:8000/999.html:	xxx.exe, 00000000.00000002.2373325221.0000000000762000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://156.245.12.57:8000/999.html)	xxx.exe, 00000000.00000002.2373325221.0000000000762000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://156.245.12.57/nes	xxx.exe, 00000000.00000002.2373325221.0000000000762000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
156.245.12.57	unknown	Seychelles		133199	SONDERCLOUDLIMITED-AS-APSonderCloudLimitedHK	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1592728
Start date and time:	2025-01-16 13:26:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 3s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	xxx.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@2/0@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 4 Number of non-executed functions: 15
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 20.109.210.53
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
156.245.12.57	64tq7bFbX2.exe	Get hash	malicious	Reverse SSH	Browse	156.245.12.57:8000/1222.txt

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SONDERCLOUDLIMITED-AS-APSonderCloudLimitedHK	http://m.yanhaiegou.com/	Get hash	malicious	Unknown	Browse	156.224.2.38
	http://www.qingdaokelun.com/	Get hash	malicious	Unknown	Browse	156.224.2.38
	sparc.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	43.225.47.36
	b3astmode.m68k.elf	Get hash	malicious	Mirai	Browse	43.255.28.156
	Payment Receipt.exe	Get hash	malicious	FormBook	Browse	154.197.26.133
	PAYMENT CONFIRMATION.exe	Get hash	malicious	FormBook	Browse	154.197.26.133
	PURCHASE ORDER085.exe	Get hash	malicious	FormBook	Browse	154.197.26.133
	la.bot.mipsel.elf	Get hash	malicious	Unknown	Browse	154.204.52.180
	Invoice Packing list For Sea Shipment.exe	Get hash	malicious	FormBook	Browse	154.197.26.133
	64tq7bFbX2.exe	Get hash	malicious	Reverse SSH	Browse	156.245.12.57

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	4.842029604090498
TrID:	Win64 Executable Console (202006/5) 92.64% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% VXD Driver (31/22) 0.01%
File name:	xxx.exe
File size:	59'192 bytes
MD5:	708adef6da5ac2ffee5f01f277560749
SHA1:	3dedb41674634e6b53dfaea704754cee7bddfbe3
SHA256:	0fec722a795adc9e313422c62e8ff0c7dac935dfef78da6560e38455a7739e4a
SHA512:	463927da961a3a52199d2a70dbf51aed7b600e45da5e71c73c9ea9b9971c32fc77b3f1d442400a4a4fe4d0a5bc024893f633a5d898dd9e955b9ed3a8d0d3ce28
SSDEEP:	768:yowvHWwPfEqTIYv4gKNwFPgxh8Imgu8e9+T:qffEqTIm4gKN2PgxWIIvu
TLSH:	C54373E57AD88C9AEA14423C41FAD331657DB9E0C6534B136630B7320B12FE17ED726A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...U}=g.t........'......&...D................@..............................0................ ............................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4014e0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LARGE_ADDRESS_AWARE
DLL Characteristics:
Time Stamp:	0x673D7D55 [Wed Nov 20 06:10:29 2024 UTC]
TLS Callbacks:	0x402080
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	191cc1a92e1042e0db31434b9572a063

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [00003FF5h]
mov dword ptr [eax], 00000000h
call 00007F0E444CE0EFh
call 00007F0E444CD3FAh
nop
nop
dec eax
add esp, 28h
ret
nop dword ptr [eax+00h]
nop word ptr [eax+eax+00000000h]
dec eax
sub esp, 28h
call 00007F0E444CF4FCh
dec eax
test eax, eax
sete al
movzx eax, al
neg eax
dec eax
add esp, 28h
ret
nop
nop
nop
nop
nop
nop
nop
dec eax
lea ecx, dword ptr [00000009h]
jmp 00007F0E444CD749h
nop dword ptr [eax+00h]
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
push ebp
dec eax
mov ebp, esp
dec eax
sub esp, 30h
dec eax
mov eax, dword ptr [00007CE9h]
call eax
dec eax
mov dword ptr [ebp-08h], eax
dec eax
cmp dword ptr [ebp-08h], 00000000h
je 00007F0E444CD787h
dec eax
mov eax, dword ptr [ebp-08h]
mov edx, 00000000h
dec eax
mov ecx, eax
dec eax
mov eax, dword ptr [00007E71h]
call eax
nop
dec eax
add esp, 30h
pop ebp
ret
push ebp
dec eax
mov ebp, esp
dec eax
sub esp, 20h
call 00007F0E444CE010h
call 00007F0E444CD72Bh
call 00007F0E444CD780h
mov eax, 00000000h
dec eax
add esp, 20h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x9000	0x8a8	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x6000	0x2a0	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x50e0	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9228	0x1d8	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2508	0x2600	1d9970466fd8d565c60b0e4d28480fe1	False	0.5469777960526315	data	5.945678227723015	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x4000	0xd0	0x200	3344b29373afadabaf1288f3f0bfdd63	False	0.1328125	data	0.7932223352655274	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x5000	0x570	0x600	b8b1ad051a4553710e4b98fd9076e25e	False	0.4322916666666667	data	4.077661661711834	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.pdata	0x6000	0x2a0	0x400	4961940ddc1127255c55ca3bdfe37d72	False	0.3720703125	data	2.846351214959863	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.xdata	0x7000	0x224	0x400	0165fc2d877ec9ed67173770a6c9a3ad	False	0.2529296875	data	2.525997155080107	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.bss	0x8000	0x980	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x9000	0x8a8	0xa00	97191976758225b6a2ff8d25e5fc25a3	False	0.323828125	data	3.6635182750716546	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0xa000	0x68	0x200	951504b937f19488ea79e71601f2b361	False	0.0703125	data	0.2709192282599745	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0xb000	0x10	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
/4	0xc000	0x50	0x200	0565fd82c175c622e81779bd1036e068	False	0.068359375	data	0.19196315608732903	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/19	0xd000	0x1f08	0x2000	577ae72cfce1164b2c8046a167911222	False	0.4591064453125	data	5.8205017772126615	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/31	0xf000	0x149	0x200	5d291f74219487bffd06356d36f3a0e4	False	0.375	data	3.2872917906726884	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/45	0x10000	0x222	0x400	9bc7f7e368c3d3fba5906447de5da0a1	False	0.28515625	data	3.21548751686096	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/57	0x11000	0x48	0x200	1846a56214fe898f4ca8711598b4ec09	False	0.115234375	data	0.6690565813693202	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/70	0x12000	0x9b	0x200	406b70665a5983d1f1682455c669f732	False	0.259765625	data	2.320780444544343	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
KERNEL32.dll	CreateThread, DeleteCriticalSection, EnterCriticalSection, FreeLibrary, GetConsoleWindow, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetLastError, GetProcAddress, GetStartupInfoA, GetSystemTimeAsFileTime, GetTickCount, InitializeCriticalSection, LeaveCriticalSection, LoadLibraryA, QueryPerformanceCounter, RtlAddFunctionTable, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, SetUnhandledExceptionFilter, Sleep, TerminateProcess, TlsGetValue, UnhandledExceptionFilter, VirtualAlloc, VirtualProtect, VirtualQuery, WaitForSingleObject
msvcrt.dll	__C_specific_handler, __getmainargs, __initenv, __iob_func, __lconv_init, __set_app_type, __setusermatherr, _acmdln, _amsg_exit, _cexit, _fmode, _initterm, _onexit, abort, calloc, exit, fprintf, free, fwrite, malloc, memcpy, signal, strlen, strncmp, vfprintf
USER32.dll	ShowWindow

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 16, 2025 13:27:04.183404922 CET	49709	8000	192.168.2.6	156.245.12.57
Jan 16, 2025 13:27:04.188178062 CET	8000	49709	156.245.12.57	192.168.2.6
Jan 16, 2025 13:27:04.189193964 CET	49709	8000	192.168.2.6	156.245.12.57
Jan 16, 2025 13:27:04.189356089 CET	49709	8000	192.168.2.6	156.245.12.57
Jan 16, 2025 13:27:04.194132090 CET	8000	49709	156.245.12.57	192.168.2.6
Jan 16, 2025 13:27:25.544517040 CET	8000	49709	156.245.12.57	192.168.2.6
Jan 16, 2025 13:27:25.547454119 CET	49709	8000	192.168.2.6	156.245.12.57
Jan 16, 2025 13:27:25.585431099 CET	49709	8000	192.168.2.6	156.245.12.57
Jan 16, 2025 13:27:25.590342045 CET	8000	49709	156.245.12.57	192.168.2.6

HTTP Request Dependency Graph

156.245.12.57:8000

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49709	156.245.12.57	8000	2420	C:\Users\user\Desktop\xxx.exe

Timestamp	Bytes transferred	Direction	Data
Jan 16, 2025 13:27:04.189356089 CET	106	OUT	GET /999.html HTTP/1.1 User-Agent: Microsoft hello Host: 156.245.12.57:8000 Cache-Control: no-cache

Target ID:	0
Start time:	07:27:02
Start date:	16/01/2025
Path:	C:\Users\user\Desktop\xxx.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\xxx.exe"
Imagebase:	0x400000
File size:	59'192 bytes
MD5 hash:	708ADEF6DA5AC2FFEE5F01F277560749
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	07:27:02
Start date:	16/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	15.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	22.3%
Total number of Nodes:	179
Total number of Limit Nodes:	3

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 004017A0 Relevance: 96.5, APIs: 7, Strings: 48, Instructions: 281
networklibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 00401862
InternetOpenA.WININET ref: 00401AE4
InternetConnectA.WININET ref: 00401B27
HttpOpenRequestA.WININET ref: 00401B6C
malloc.MSVCRT ref: 00401C59
InternetCloseHandle.WININET ref: 00401C90
malloc.MSVCRT ref: 00401D49

Strings

opyRight, xrefs: 00401D1F
IT CopyR, xrefs: 00401BB2
t CopyRi, xrefs: 004017E6
cent Cop, xrefs: 00401CF5
yRight T, xrefs: 00401D03
IT CopyR, xrefs: 00401A52
156.245.12.57, xrefs: 00401846
encent C, xrefs: 00401A8A
InternetConnectA, xrefs: 0040193A
HttpSendRequestA, xrefs: 00401976
MEM_COMM, xrefs: 00401CCB
InternetCloseHandle, xrefs: 004019D0
ight Ten, xrefs: 00401A60
CopyRigh, xrefs: 00401885
ght Tenc, xrefs: 004017F4
InternetOpenA, xrefs: 00401919
yRight T, xrefs: 00401A7C
IT CopyR, xrefs: 00401CD9
ight Ten, xrefs: 00401CE7
MEM_COMM, xrefs: 00401A44
InternetReadFile, xrefs: 004019B2
Microsoft hello, xrefs: 00401ADD
cent Cop, xrefs: 00401BCE
t Tencen, xrefs: 00401893
ight Ten, xrefs: 00401BC0
XXXXXXXX, xrefs: 004018CB
XXXXXXXX, xrefs: 00401810
GET, xrefs: 00401B65
XXXX, xrefs: 0040181E
/999.html, xrefs: 00401B5E
cent Cop, xrefs: 00401A6E
opyRight, xrefs: 00401BF8
t Tencen, xrefs: 004017D8
ent XXXX, xrefs: 004018BD
ent XXXX, xrefs: 00401802
HttpQueryInfoA, xrefs: 00401994
ght Tenc, xrefs: 004018AF
encent C, xrefs: 00401BEA
CopyRigh, xrefs: 004017CA
t CopyRi, xrefs: 004018A1
MEM_COMM, xrefs: 00401BA4
Tencent , xrefs: 00401877
wininet.dll, xrefs: 00401854
opyRight, xrefs: 00401A98
HttpOpenRequestA, xrefs: 00401958
encent C, xrefs: 00401D11
Tencent , xrefs: 004017BC
yRight T, xrefs: 00401BDC

Memory Dump Source

Source File: 00000000.00000002.2370239006.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2370214895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2370267326.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2370383192.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2371475803.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2371475803.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xxx.jbxd

Similarity

API ID: Internet$Openmalloc$CloseConnectHandleHttpLibraryLoadRequest
String ID: /999.html$156.245.12.57$CopyRigh$CopyRigh$GET$HttpOpenRequestA$HttpQueryInfoA$HttpSendRequestA$IT CopyR$IT CopyR$IT CopyR$InternetCloseHandle$InternetConnectA$InternetOpenA$InternetReadFile$MEM_COMM$MEM_COMM$MEM_COMM$Microsoft hello$Tencent $Tencent $XXXX$XXXXXXXX$XXXXXXXX$cent Cop$cent Cop$cent Cop$encent C$encent C$encent C$ent XXXX$ent XXXX$ght Tenc$ght Tenc$ight Ten$ight Ten$ight Ten$opyRight$opyRight$opyRight$t CopyRi$t CopyRi$t Tencen$t Tencen$wininet.dll$yRight T$yRight T$yRight T
API String ID: 3960302653-128515283
Opcode ID: b2fd95e36666364703eaf851509934c6ea6cea117421421dc962a3e4ba1a12af
Instruction ID: 3c36c2c077fc438c6c1a4d6e509bfeac211268eb7f4e3b4fbf769b21ae011445
Opcode Fuzzy Hash: b2fd95e36666364703eaf851509934c6ea6cea117421421dc962a3e4ba1a12af
Instruction Fuzzy Hash: 8CE1E772711B858DDB60CF6AE89079937B4F348B88F10412ADB4D9BB58DF78C648C781

Function 00401180 Relevance: 13.7, APIs: 9, Instructions: 198
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 004011E1
SetUnhandledExceptionFilter.KERNEL32 ref: 00401253
malloc.MSVCRT ref: 00401329
strlen.MSVCRT ref: 00401354
malloc.MSVCRT ref: 00401360
memcpy.MSVCRT ref: 00401378
_cexit.MSVCRT ref: 004013E5
GetStartupInfoA.KERNEL32 ref: 00401473

Memory Dump Source

Source File: 00000000.00000002.2370239006.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2370214895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2370267326.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2370383192.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2371475803.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2371475803.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xxx.jbxd

Similarity

API ID: malloc$ExceptionFilterInfoSleepStartupUnhandled_cexitmemcpystrlen
String ID:
API String ID: 1640792405-0
Opcode ID: 0954b3694baacaf48436a9a8ee44d7ac150c5adbe548537c8d1895e4a10b6682
Instruction ID: ea2f29701c89ca8dfbee96cc60a3a68199d30d9076494749b550177da3f66ef6
Opcode Fuzzy Hash: 0954b3694baacaf48436a9a8ee44d7ac150c5adbe548537c8d1895e4a10b6682
Instruction Fuzzy Hash: EE818AB1601A4486EB249F66E99476A37A1F745B89F84803FDF49B73A1DF3CC844CB08

Function 00401550 Relevance: 1.5, APIs: 1, Instructions: 17
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleWindow.KERNELBASE(?,?,?,?,?,0040159A,?,?,00000000,004013C7), ref: 0040155F

Memory Dump Source

Source File: 00000000.00000002.2370239006.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2370214895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2370267326.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2370383192.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2371475803.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2371475803.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xxx.jbxd

Similarity

API ID: ConsoleWindow
String ID:
API String ID: 2863861424-0
Opcode ID: ac3a97e1634f0332591932c13c106f9a5b7eace5186cc33a1fb14bfda8fbcc11
Instruction ID: e24cf67216d1ab02ccd18ab40ba9f1eb7f84ff5ca993fd911345df1f03c0be25
Opcode Fuzzy Hash: ac3a97e1634f0332591932c13c106f9a5b7eace5186cc33a1fb14bfda8fbcc11
Instruction Fuzzy Hash: 03D01725B20A04A8FB00AB65E8853992364A394B84F1844658E1C2B7B5CE38CA928744

Function 004015AA Relevance: 1.3, APIs: 1, Instructions: 45
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004017A0: LoadLibraryA.KERNELBASE ref: 00401862

VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,0040159F,?,?,00000000,004013C7), ref: 004015DF

Memory Dump Source

Source File: 00000000.00000002.2370239006.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2370214895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2370267326.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2370383192.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2371475803.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2371475803.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xxx.jbxd

Similarity

API ID: AllocLibraryLoadVirtual
String ID:
API String ID: 3550616410-0
Opcode ID: eafd87b135870c3277d1ccb590904b627431a5bc32bd014144406af69be3b908
Instruction ID: 4d6643ed699146b276a85ed69641cd72d8d7df6af8af531d979a5cbfa9694d85
Opcode Fuzzy Hash: eafd87b135870c3277d1ccb590904b627431a5bc32bd014144406af69be3b908
Instruction Fuzzy Hash: F0112D76700B0489EB009BAAE85435E3BB1E388BD8F044929DF5D67BA4DF39CA818744

Non-executed Functions

Function 00401F50 Relevance: 12.0, APIs: 8, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCaptureContext.KERNEL32 ref: 00401F64
RtlLookupFunctionEntry.KERNEL32 ref: 00401F7B
RtlVirtualUnwind.KERNEL32 ref: 00401FBD
SetUnhandledExceptionFilter.KERNEL32 ref: 00402001
UnhandledExceptionFilter.KERNEL32 ref: 0040200E
GetCurrentProcess.KERNEL32 ref: 00402014
TerminateProcess.KERNEL32 ref: 00402022
abort.MSVCRT ref: 00402028

Memory Dump Source

Source File: 00000000.00000002.2370239006.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2370214895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2370267326.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2370383192.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2371475803.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2371475803.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xxx.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentEntryFunctionLookupTerminateUnwindVirtualabort
String ID:
API String ID: 4278921479-0
Opcode ID: 9474b6d637d2d7a1735b837779f0a1567275c65c6a34296a95fcf03fa00a03f2
Instruction ID: 25590cd0e67d04b1e19e5fc1bcb133da58d7b8fb258ee1e17525615f4a9cbbee
Opcode Fuzzy Hash: 9474b6d637d2d7a1735b837779f0a1567275c65c6a34296a95fcf03fa00a03f2
Instruction Fuzzy Hash: 6021E2B5211F40E5EB009B65FC8439937B4F748B88F54452ADB8E67765EF38C559C308

Function 00401E70 Relevance: 7.6, APIs: 5, Instructions: 56
timethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00401EB5
GetCurrentProcessId.KERNEL32 ref: 00401EC0
GetCurrentThreadId.KERNEL32 ref: 00401EC9
GetTickCount.KERNEL32 ref: 00401ED1
QueryPerformanceCounter.KERNEL32 ref: 00401EDE

Memory Dump Source

Source File: 00000000.00000002.2370239006.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2370214895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2370267326.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2370383192.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2371475803.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2371475803.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xxx.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 2456c897c62cbc58719bd7a6c4698752e8cca155e7f1a7114fe4868682ca05a5
Instruction ID: adfdb1e8f61912ef08abcb7e4b2a66cfdf938e31af663a5420e4cc81110beb83
Opcode Fuzzy Hash: 2456c897c62cbc58719bd7a6c4698752e8cca155e7f1a7114fe4868682ca05a5
Instruction Fuzzy Hash: B0114CA6666A5096FB514B25FC0435A73A0B7887B4F081B759F9C63BB4EA3CC885C308

Function 004092D0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2370383192.0000000000409000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2370214895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2370239006.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2370267326.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2371475803.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2371475803.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xxx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6abe578a5aea196964e5cdf3f5bb485af5d2d31395725cb81f48671ea75b4910
Instruction ID: 58e5ecbea247effba85de43e6ad4148bbd663c4c32f591b95d6ba4a48949005a
Opcode Fuzzy Hash: 6abe578a5aea196964e5cdf3f5bb485af5d2d31395725cb81f48671ea75b4910
Instruction Fuzzy Hash: 15D04C4B54E6C55AD3224F6849B748D3FA5A47352434D949F8741977C3DA1D4C09831A

Function 004033A2 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2370239006.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2370214895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2370267326.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2370383192.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2371475803.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2371475803.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xxx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1dea916ac6609828f7ed1e9cf68ee35b638575fa28bfcf384e33bea4e0a6556
Instruction ID: 62ce8bfdcad9cfd8380e5864bf5f7c059ad3affd64876bb8c22f983b5634fcf7
Opcode Fuzzy Hash: c1dea916ac6609828f7ed1e9cf68ee35b638575fa28bfcf384e33bea4e0a6556
Instruction Fuzzy Hash: 5BB0929768E6D05AE31B4B386A223AC7F34F783A04F4D569697C4139D7C2248468C319

Function 00402470 Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 283
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32(00408610,00007FFDB240ADA0,?,?,?,00000001,0040124C), ref: 0040259D

Strings

pU@, xrefs: 004024C9
Unknown pseudo relocation bit size %d., xrefs: 0040270A
pU@, xrefs: 004024DA
Unknown pseudo relocation protocol version %d., xrefs: 0040271E

Memory Dump Source

Source File: 00000000.00000002.2370239006.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2370214895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2370267326.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2370383192.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2371475803.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2371475803.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xxx.jbxd

Similarity

API ID: ProtectVirtual
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$pU@$pU@
API String ID: 544645111-2893283971
Opcode ID: 767fd6d0b4d2a02477aa7ec368c021c23978f4f96e2b5fd5f9b04f1d1f99b736
Instruction ID: afb65e7e837822a32bc7afbf5d61c16894896f3568a5e5339a79abaa955d43a4
Opcode Fuzzy Hash: 767fd6d0b4d2a02477aa7ec368c021c23978f4f96e2b5fd5f9b04f1d1f99b736
Instruction Fuzzy Hash: 02917772B0065056EB28AB66CA4831F6352B7943A8F64C53BCF08737D4DABDC986830D

Function 004029C0 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

signal.MSVCRT ref: 00402A19
signal.MSVCRT ref: 00402A72
signal.MSVCRT ref: 00402ACE
signal.MSVCRT ref: 00402B83

Strings

CCG , xrefs: 004029D5

Memory Dump Source

Source File: 00000000.00000002.2370239006.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2370214895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2370267326.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2370383192.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2371475803.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2371475803.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xxx.jbxd

Similarity

API ID: signal
String ID: CCG
API String ID: 1946981877-1584390748
Opcode ID: 29911268020bb597e0b8514571365ee87cd46d08841e64603e415505ec3442d0
Instruction ID: 5fb07f66a556ee689f3838c1c380e0e50e032e8bd04b8e9b82989a8055084e7a
Opcode Fuzzy Hash: 29911268020bb597e0b8514571365ee87cd46d08841e64603e415505ec3442d0
Instruction Fuzzy Hash: B231722070050156EE7865BA465D33B12519BC9338F288B3B9E2DA73D6DDFC8DC54A1E

Function 004022A0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 148
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualQuery.KERNEL32 ref: 0040234B
VirtualProtect.KERNEL32 ref: 004023F2
GetLastError.KERNEL32 ref: 00402400

Strings

Address %p has no image-section, xrefs: 0040245D
VirtualQuery failed for %d bytes at address %p, xrefs: 00402447
VirtualProtect failed with code 0x%x, xrefs: 00402406

Memory Dump Source

Source File: 00000000.00000002.2370239006.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2370214895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2370267326.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2370383192.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2371475803.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2371475803.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xxx.jbxd

Similarity

API ID: Virtual$ErrorLastProtectQuery
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
API String ID: 637304234-2123141913
Opcode ID: 8bdda79e6ba61ad4cb12dd9ff82670264fb198e95138789142b9f3fd19f94e88
Instruction ID: baf10d0ae329835526f7ee2695b2a14063346a779cac995f20aedbf5fdf9dac7
Opcode Fuzzy Hash: 8bdda79e6ba61ad4cb12dd9ff82670264fb198e95138789142b9f3fd19f94e88
Instruction Fuzzy Hash: 465100B3701A5086DB118F26EA0475E77A4BB89BA8F44813ADF49673D4DA7CC981C708

Function 00402170 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fprintf.MSVCRT ref: 004021E9

Strings

Unknown error, xrefs: 00402260
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 004021D9

Memory Dump Source

Source File: 00000000.00000002.2370239006.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2370214895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2370267326.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2370383192.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2371475803.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2371475803.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xxx.jbxd

Similarity

API ID: fprintf
String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-3474627141
Opcode ID: 815495cc06a669c11f7df09f4818bfb55627af6126bd4e7bda4086a7cfc6ebf9
Instruction ID: 0ecc8f07ef23696e6b77e6791d1d031f4a1428b2dd59512c4aa1310c33ba51a6
Opcode Fuzzy Hash: 815495cc06a669c11f7df09f4818bfb55627af6126bd4e7bda4086a7cfc6ebf9
Instruction Fuzzy Hash: 9F018462904E88C6D6168F5CD8413EA7374FF9975AF24531AEF883A260DB39D653CB04

Function 00402240 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 004021E9

Strings

Total loss of significance (TLOSS), xrefs: 00402240
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 004021D9

Memory Dump Source

Source File: 00000000.00000002.2370239006.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2370214895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2370267326.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2370383192.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2371475803.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2371475803.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xxx.jbxd

Similarity

API ID: fprintf
String ID: Total loss of significance (TLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4273532761
Opcode ID: 0d8a152475ba6b39ba2e50f73e6c82ad82122dfc362ef67b0340b5d7aaa2c495
Instruction ID: 159f28f85f34b88c94cab90bceff089bfadd26e80cc4720fa028cd8df1c9122a
Opcode Fuzzy Hash: 0d8a152475ba6b39ba2e50f73e6c82ad82122dfc362ef67b0340b5d7aaa2c495
Instruction Fuzzy Hash: 05F09662804E8485D2028F1CA4003ABB374FF9D789F18531AEF893A564DB38C6438704

Function 00402250 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 004021E9

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 004021D9
Partial loss of significance (PLOSS), xrefs: 00402250

Memory Dump Source

Source File: 00000000.00000002.2370239006.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2370214895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2370267326.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2370383192.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2371475803.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2371475803.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xxx.jbxd

Similarity

API ID: fprintf
String ID: Partial loss of significance (PLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4283191376
Opcode ID: b5f6c215bcffa1346815a4a596f697511ddd50dcf93ac61e13fd41b48a855d5f
Instruction ID: 886e5dfa040ba4b94c4076f6b7e3ab43a6257d540f2971375d074bf13730864f
Opcode Fuzzy Hash: b5f6c215bcffa1346815a4a596f697511ddd50dcf93ac61e13fd41b48a855d5f
Instruction Fuzzy Hash: C4F09662804E8485D2018F1CA4003ABB374FF9D789F18531AEF893A164DB38C6478704

Function 00402210 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fprintf.MSVCRT ref: 004021E9

Strings

Argument singularity (SIGN), xrefs: 00402210
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 004021D9

Memory Dump Source

Source File: 00000000.00000002.2370239006.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2370214895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2370267326.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2370383192.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2371475803.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2371475803.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xxx.jbxd

Similarity

API ID: fprintf
String ID: Argument singularity (SIGN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2468659920
Opcode ID: f2b95ac2e3bbf30aacec077ee1d03aa10a6335291fcaa89b0dfbebe26c356ade
Instruction ID: e8e84fa61fffc8fe8fce6851db4ee6aa3b9609a81311b1e95b538913ca09ae8a
Opcode Fuzzy Hash: f2b95ac2e3bbf30aacec077ee1d03aa10a6335291fcaa89b0dfbebe26c356ade
Instruction Fuzzy Hash: FEF09062804E8482D2028F1CA8003ABB374FF9E789F28531AEF893A164DB38C6478704

Function 00402220 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fprintf.MSVCRT ref: 004021E9

Strings

Overflow range error (OVERFLOW), xrefs: 00402220
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 004021D9

Memory Dump Source

Source File: 00000000.00000002.2370239006.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2370214895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2370267326.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2370383192.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2371475803.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2371475803.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xxx.jbxd

Similarity

API ID: fprintf
String ID: Overflow range error (OVERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4064033741
Opcode ID: 7d951daa4ff57d630aebd49a2f7fad10b3c79d1ea1de0c31444e1624c60ebb3a
Instruction ID: cac4ea28ccfeaa8642976d1119164a518ba96263969e67eac16651abee439338
Opcode Fuzzy Hash: 7d951daa4ff57d630aebd49a2f7fad10b3c79d1ea1de0c31444e1624c60ebb3a
Instruction Fuzzy Hash: D3F09662804E8481D2018F1CA4003ABB374FF9D789F18531AEF893A164DB38C6438704

Function 00402230 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fprintf.MSVCRT ref: 004021E9

Strings

The result is too small to be represented (UNDERFLOW), xrefs: 00402230
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 004021D9

Memory Dump Source

Source File: 00000000.00000002.2370239006.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2370214895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2370267326.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2370383192.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2371475803.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2371475803.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xxx.jbxd

Similarity

API ID: fprintf
String ID: The result is too small to be represented (UNDERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2187435201
Opcode ID: 4e0dee6086b4afd15aafa5af03324ff2c77326b32a907f024217e96a79bf41c4
Instruction ID: 2cfbbe4a6ee732bfd0bd21a1b3c17089a390089ff56a43040340a512bbb3e76b
Opcode Fuzzy Hash: 4e0dee6086b4afd15aafa5af03324ff2c77326b32a907f024217e96a79bf41c4
Instruction Fuzzy Hash: 47F09062804E8482D2028F1CA8003ABB374FF9E789F28531AEF893A164DB38C6438704

Function 004021A1 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 004021E9

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 004021D9
Argument domain error (DOMAIN), xrefs: 004021A1

Memory Dump Source

Source File: 00000000.00000002.2370239006.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2370214895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2370267326.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2370383192.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2371475803.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2371475803.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xxx.jbxd

Similarity

API ID: fprintf
String ID: Argument domain error (DOMAIN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2713391170
Opcode ID: 65b1a75ff62779ea885516d5648b562b15a1310304c9c6257b1541e63d385820
Instruction ID: 683080fa03ca09585ab4c8deeeb86514487a582436e01e827d1a7338dae3eddb
Opcode Fuzzy Hash: 65b1a75ff62779ea885516d5648b562b15a1310304c9c6257b1541e63d385820
Instruction Fuzzy Hash: A9F05B66914F8485D201DF1DA40039BB374FF5D799F54531AEF893A525DB38C643C704

Function 00402CA0 Relevance: 5.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00402CC7
free.MSVCRT ref: 00402D18
LeaveCriticalSection.KERNEL32 ref: 00402D24

Memory Dump Source

Source File: 00000000.00000002.2370239006.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2370214895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2370267326.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2370383192.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2371475803.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2371475803.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xxx.jbxd

Similarity

API ID: CriticalSection$EnterLeavefree
String ID:
API String ID: 4020351045-0
Opcode ID: 9098aa0dc806bcf1f5c63ba432f6fd4bd59aed2620ea17ca8393637b50cf7412
Instruction ID: aa580be9640d9d5be08535393c3a1415d6d1d86b601a11bc958fde33e8efb4e3
Opcode Fuzzy Hash: 9098aa0dc806bcf1f5c63ba432f6fd4bd59aed2620ea17ca8393637b50cf7412
Instruction Fuzzy Hash: 870171A1301A00D6EF08DB55EA8436A23A0FB94B41F54887ACB0DA73A0DFBCCD819348

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report xxx.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Network Port Distribution

TCP Packets

HTTP Request Dependency Graph

HTTP Packets

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: xxx.exePID: 2420, Parent PID: 4004

General

Chronological Activities

Analysis Process: conhost.exePID: 3160, Parent PID: 2420

General

Chronological Activities

Windows Analysis Report
xxx.exe

Function 004017A0 Relevance: 96.5, APIs: 7, Strings: 48, Instructions: 281
networklibraryCOMMON

Function 00401180 Relevance: 13.7, APIs: 9, Instructions: 198
sleepstringCOMMON

Function 00401550 Relevance: 1.5, APIs: 1, Instructions: 17
COMMON

Function 004015AA Relevance: 1.3, APIs: 1, Instructions: 45
memoryCOMMON

Function 00401F50 Relevance: 12.0, APIs: 8, Instructions: 50
COMMON

Function 00401E70 Relevance: 7.6, APIs: 5, Instructions: 56
timethreadCOMMON

Function 00402470 Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 283
memoryCOMMON

Function 004029C0 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 111
COMMON

Function 004022A0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 148
memoryCOMMON

Function 00402170 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38
COMMON

Function 00402210 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25
COMMON

Function 00402220 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25
COMMON

Function 00402230 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25
COMMON