Windows Analysis Report
cANdLlHS4N

Overview

General Information

Sample Name: cANdLlHS4N (renamed file extension from none to exe)
Analysis ID: 586425
MD5: b3139b26a2dabb9b6e728884d8fa8b33
SHA1: de5672c7940e4fad3c8145ce9e8a5fcb1da0fcee
SHA256: 5262cb9791df50fafcb2fbd5f93226050b51efe400c2924eecba97b7ce437481

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Submitted sample is a known malware sample
Writes to foreign memory regions
Contains functionality to start reverse TCP shell (cmd.exe)
Connects to many ports of the same IP (likely port scanning)
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to launch a process as a different user
Stores files to the Windows start menu directory
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to read the clipboard data
Contains functionality to record screenshots
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Creates a start menu entry (Start Menu\Programs\Startup)
Potential key logger detected (key state polling based)
Detected non-DNS traffic on DNS port
Queries keyboard layouts
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to detect sandboxes (mouse cursor move detection)
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
May check if the current machine is a sandbox (GetTickCount - Sleep)
Creates a process in suspended mode (likely to inject code)
Contains functionality to read data from the clipboard

Classification

(classification chart not reproduced in this text rendering)

Startup

  • System is w10x64
  • cANdLlHS4N.exe (PID: 6048 cmdline: "C:\Users\user\Desktop\cANdLlHS4N.exe" MD5: B3139B26A2DABB9B6E728884D8FA8B33)
    • obedience.exe (PID: 488 cmdline: C:\Users\user\AppData\Local\Temp\obedience.exe MD5: 6A1C14D5F16A07BEF55943134FE618C0)
      • iexplore.exe (PID: 5844 cmdline: C:\Program Files (x86)\Internet Explorer\iexplore.exe MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • obedience.exe (PID: 5080 cmdline: "C:\Users\user\AppData\Local\Temp\obedience.exe" MD5: 6A1C14D5F16A07BEF55943134FE618C0)
    • iexplore.exe (PID: 244 cmdline: C:\Program Files (x86)\Internet Explorer\iexplore.exe MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup
No configs have been found
Yara matches: initial sample
Source | Rule | Description | Author | Strings
cANdLlHS4N.exe | Dropper_DeploysMalwareViaSideLoading | Detect a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX | USG
  • 0x135bf2:$UniqueString: 2E 6C 6E 6B 00 00 5C 00 00 00 61 76 70 75 69 2E 65 78 65
  • 0x30f9:$PsuedoRandomStringGenerator: B9 1A 00 00 00 F7 F9 46 80 C2 41 88 54 35 8B 83 FE 64

Yara matches: dropped files
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\handkerchief.dat | REDLEAVES_DroppedFile_ObfuscatedShellcodeAndRAT_handkerchief | Detect obfuscated .dat file containing shellcode and core REDLEAVES RAT | USG
  • 0x38a81:$RedleavesStringObfu: 73 64 65 5E 60 74 75 74 6C 6F 60 6D 5E 6D 64 60 77 64 72 5E 65 6D 6D 6C 60 68 6F 2F 65 6D 6D
C:\Users\user\AppData\Local\Temp\handkerchief.dat | SUSP_XORed_MSDOS_Stub_Message | Detects suspicious XORed MSDOS stub message | Florian Roth
  • 0x14c7:$xo1: Osrh;kit|izv;xzuuto;y~;inu;ru;_TH;vt\x7F~
C:\Users\user\AppData\Local\Temp\StarBurn.dll | REDLEAVES_DroppedFile_ImplantLoader_Starburn | Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT | USG
  • 0x11d0:$XOR_Loop: 32 0C 3A 83 C2 02 88 0E 83 FA 08 7C F3 EB 12 BA 08 00 00 00 32 0C 3A 83 C2 02 88 0E 83 FA 10
C:\Users\user\AppData\Local\Temp\StarBurn.dll | OpCloudHopper_Malware_6 | Detects malware from Operation Cloud Hopper | Florian Roth
  • 0x17d3c:$s4: SOFTWARE\EGGORG

Yara matches: memory dumps
Source | Rule | Description | Author | Strings
00000000.00000002.246163618.0000000002710000.00000004.00000800.00020000.00000000.sdmp | REDLEAVES_DroppedFile_ObfuscatedShellcodeAndRAT_handkerchief | Detect obfuscated .dat file containing shellcode and core REDLEAVES RAT | USG
  • 0x38a81:$RedleavesStringObfu: 73 64 65 5E 60 74 75 74 6C 6F 60 6D 5E 6D 64 60 77 64 72 5E 65 6D 6D 6C 60 68 6F 2F 65 6D 6D
00000000.00000002.246163618.0000000002710000.00000004.00000800.00020000.00000000.sdmp | SUSP_XORed_MSDOS_Stub_Message | Detects suspicious XORed MSDOS stub message | Florian Roth
  • 0x14c7:$xo1: Osrh;kit|izv;xzuuto;y~;inu;ru;_TH;vt\x7F~
00000003.00000002.273655894.000000006EE51000.00000020.00000001.01000000.00000005.sdmp | REDLEAVES_DroppedFile_ImplantLoader_Starburn | Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT | USG
  • 0xdd0:$XOR_Loop: 32 0C 3A 83 C2 02 88 0E 83 FA 08 7C F3 EB 12 BA 08 00 00 00 32 0C 3A 83 C2 02 88 0E 83 FA 10
00000001.00000002.248376246.000000006ED91000.00000020.00000001.01000000.00000005.sdmp | REDLEAVES_DroppedFile_ImplantLoader_Starburn | Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT | USG
  • 0xdd0:$XOR_Loop: 32 0C 3A 83 C2 02 88 0E 83 FA 08 7C F3 EB 12 BA 08 00 00 00 32 0C 3A 83 C2 02 88 0E 83 FA 10
00000000.00000000.235573187.0000000000CA2000.00000008.00000001.01000000.00000003.sdmp | SUSP_XORed_MSDOS_Stub_Message | Detects suspicious XORed MSDOS stub message | Florian Roth
  • 0x6c46:$xo1: 6\x0A\x0B\x11B\x12\x10\x0D\x05\x10\x03\x0FB\x01\x03\x0C\x0C\x0D\x16B\x07B\x10\x17\x0CB\x0B\x0CB&-1B\x0F\x0D\x06\x07
  • 0x28ccf:$xo1: Mqpj9ikv~kxt9zxwwvm9{|9klw9pw9]VJ9tv}|
(table truncated; the full report lists 37 memory-dump entries)

Yara matches: unpacked PEs
Source | Rule | Description | Author | Strings
0.2.cANdLlHS4N.exe.ca8bf8.1.unpack | REDLEAVES_DroppedFile_ImplantLoader_Starburn | Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT | USG
  • 0x5d0:$XOR_Loop: 32 0C 3A 83 C2 02 88 0E 83 FA 08 7C F3 EB 12 BA 08 00 00 00 32 0C 3A 83 C2 02 88 0E 83 FA 10
0.2.cANdLlHS4N.exe.ca8bf8.1.unpack | OpCloudHopper_Malware_6 | Detects malware from Operation Cloud Hopper | Florian Roth
  • 0x16b3c:$s4: SOFTWARE\EGGORG
0.2.cANdLlHS4N.exe.26e0000.2.raw.unpack | REDLEAVES_DroppedFile_ImplantLoader_Starburn | Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT | USG
  • 0x11d0:$XOR_Loop: 32 0C 3A 83 C2 02 88 0E 83 FA 08 7C F3 EB 12 BA 08 00 00 00 32 0C 3A 83 C2 02 88 0E 83 FA 10
0.2.cANdLlHS4N.exe.26e0000.2.raw.unpack | OpCloudHopper_Malware_6 | Detects malware from Operation Cloud Hopper | Florian Roth
  • 0x17d3c:$s4: SOFTWARE\EGGORG
0.2.cANdLlHS4N.exe.26e0000.2.unpack | REDLEAVES_DroppedFile_ImplantLoader_Starburn | Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT | USG
  • 0x5d0:$XOR_Loop: 32 0C 3A 83 C2 02 88 0E 83 FA 08 7C F3 EB 12 BA 08 00 00 00 32 0C 3A 83 C2 02 88 0E 83 FA 10
(table truncated; the full report lists 11 unpacked-PE entries)
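The Yara strings quoted in the tables above are single-byte XOR artifacts: the three $xo1 hits are the MS-DOS stub message "This program cannot be run in DOS mode" under keys 0x1B, 0x19 and 0x62, and $RedleavesStringObfu decodes under key 0x01 to red_autumnal_leaves_dllmain.dll. The Python below is an added worked example; it is not part of the Joe Sandbox report and not code from the USG or Florian Roth rules. It recovers each stub key by known plaintext, brute-forces the REDLEAVES string with a printable-ASCII filter, and scans a buffer for the stub under every key the way SUSP_XORed_MSDOS_Stub_Message does. Assumptions: the scanned blob is constructed, and in the third stub a NUL byte is restored (the 'b' of "be", since ord('b') ^ 0x62 == 0; the report's text rendering dropped it).

```python
"""Added example (not part of the Joe Sandbox report or of the cited Yara rules):
recovering the plaintext behind the XOR-obfuscated strings the rules matched on."""

from __future__ import annotations

# Plaintext every PE carries in its MS-DOS stub. SUSP_XORed_MSDOS_Stub_Message
# looks for it under every single-byte XOR key, which is how it catches a PE
# that has been encoded and embedded inside another file.
DOS_STUB = b"This program cannot be run in DOS mode"

# The three $xo1 matches quoted in the report, byte for byte. In the third one a
# NUL is restored (constructed fix): 'b' ^ 0x62 == 0 and the page's text view
# dropped that byte, so without it the string is 37 bytes instead of 38.
XORED_STUBS = [
    b"Osrh;kit|izv;xzuuto;y~;inu;ru;_TH;vt\x7f~",
    b"Mqpj9ikv~kxt9zxwwvm9{|9klw9pw9]VJ9tv}|",
    b"6\x0a\x0b\x11B\x12\x10\x0d\x05\x10\x03\x0fB\x01\x03\x0c\x0c\x0d\x16B\x00\x07B\x10\x17\x0cB\x0b\x0cB&-1B\x0f\x0d\x06\x07",
]

# $RedleavesStringObfu from the handkerchief.dat and memory-dump matches.
REDLEAVES_OBFU = bytes.fromhex(
    "73 64 65 5E 60 74 75 74 6C 6F 60 6D 5E 6D 64 60 77 64 72 5E 65 6D 6D 6C 60 68 6F 2F 65 6D 6D"
)


def xor_single(data: bytes, key: int) -> bytes:
    """XOR every byte with the same one-byte key (the operation is its own inverse)."""
    return bytes(b ^ key for b in data)


def recover_key(cipher: bytes, known_plain: bytes) -> int | None:
    """Known-plaintext attack on single-byte XOR: the first byte pair fixes the key,
    and every other pair must agree, otherwise the assumption (one key, this
    plaintext) is wrong and None is returned."""
    if not cipher or len(cipher) != len(known_plain):
        return None
    key = cipher[0] ^ known_plain[0]
    for c, p in zip(cipher, known_plain):
        if c ^ key != p:
            return None
    return key


def brute_force_printable(cipher: bytes, must_contain: bytes) -> list[tuple[int, bytes]]:
    """When the full plaintext is unknown: try all 256 keys and keep those whose
    output is entirely printable ASCII and contains an expected fragment."""
    hits = []
    for key in range(256):
        plain = xor_single(cipher, key)
        if all(0x20 <= b < 0x7F for b in plain) and must_contain in plain:
            hits.append((key, plain))
    return hits


def find_xored_dos_stubs(blob: bytes) -> list[tuple[int, int]]:
    """What the Yara rule does: look for the stub under every non-zero key.
    Returns (offset, key) pairs sorted by offset."""
    found = []
    for key in range(1, 256):
        needle = xor_single(DOS_STUB, key)
        start = 0
        while (off := blob.find(needle, start)) != -1:
            found.append((off, key))
            start = off + 1
    return sorted(found)


def demo() -> dict:
    """Run every recovery on the report's strings and return the results."""
    stub_keys = [recover_key(c, DOS_STUB) for c in XORED_STUBS]
    redleaves = brute_force_printable(REDLEAVES_OBFU, b".dll")
    # Constructed blob: filler, a stub under 0x1B, filler, a stub under 0x19.
    blob = b"\x90" * 16 + xor_single(DOS_STUB, 0x1B) + b"\x00" * 8 + xor_single(DOS_STUB, 0x19)
    return {"stub_keys": stub_keys, "redleaves": redleaves, "scan": find_xored_dos_stubs(blob)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Single-byte XOR of a 38-byte string that every PE contains is why the rule can afford to enumerate all 255 keys. The loader's $XOR_Loop bytes are a different animal: 32 0C 3A / 83 C2 02 / 88 0E / 83 FA 08 disassemble to xor cl, [edx+edi]; add edx, 2; mov [esi], cl; cmp edx, 8, a loop indexing a multi-byte key, which this example does not try to recover.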

Sigma Overview

Source: Process started | Author: frack113 | Data: Command: C:\Users\user\AppData\Local\Temp\obedience.exe, CommandLine: C:\Users\user\AppData\Local\Temp\obedience.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\obedience.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\obedience.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\obedience.exe, ParentCommandLine: "C:\Users\user\Desktop\cANdLlHS4N.exe", ParentImage: C:\Users\user\Desktop\cANdLlHS4N.exe, ParentProcessId: 6048, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\obedience.exe, ProcessId: 488
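The process tree and the Sigma hit above show the chain that matters: the dropper on the Desktop writes obedience.exe to %TEMP% and runs it, obedience.exe starts iexplore.exe with no URL or argument, and per the signatures the browser process is created suspended and written to from outside; the second obedience.exe tree (PID 5080), whose parent the report does not show, repeats the iexplore.exe launch. The Python below is an added example, not part of the Joe Sandbox report: it replays those events as Sysmon-style process-creation records, reconstructs ancestry, and flags the two shapes a hunter keys on, a PE executing from a user-writable directory and a browser spawned argument-less by a non-shell parent. The explorer.exe root (PID 1234), the benign iexplore.exe launch (PID 7000) and the directory and parent lists are assumptions.

```python
"""Added example (not from the Joe Sandbox report): reconstructing and scoring the
process chain the report's tree shows, over constructed process-creation events
shaped like Sysmon Event ID 1 records."""

from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed events. PIDs, images and command lines are the ones in the report's
# tree; explorer.exe (PID 1234) as the root, its role as parent of PID 5080, and
# the benign iexplore.exe launch (PID 7000) are assumptions added so that every
# process has a parent and there is a control case.
EVENTS = [
    ProcEvent(1234, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(6048, 1234, r"C:\Users\user\Desktop\cANdLlHS4N.exe",
              r'"C:\Users\user\Desktop\cANdLlHS4N.exe"'),
    ProcEvent(488, 6048, r"C:\Users\user\AppData\Local\Temp\obedience.exe",
              r"C:\Users\user\AppData\Local\Temp\obedience.exe"),
    ProcEvent(5844, 488, r"C:\Program Files (x86)\Internet Explorer\iexplore.exe",
              r"C:\Program Files (x86)\Internet Explorer\iexplore.exe"),
    ProcEvent(5080, 1234, r"C:\Users\user\AppData\Local\Temp\obedience.exe",
              r'"C:\Users\user\AppData\Local\Temp\obedience.exe"'),
    ProcEvent(244, 5080, r"C:\Program Files (x86)\Internet Explorer\iexplore.exe",
              r"C:\Program Files (x86)\Internet Explorer\iexplore.exe"),
    ProcEvent(7000, 1234, r"C:\Program Files (x86)\Internet Explorer\iexplore.exe",
              r'"C:\Program Files (x86)\Internet Explorer\iexplore.exe" https://example.com'),
]

# Directories any user can write to; a PE executing from them deserves a look (assumed list).
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\", "\\programdata\\")
BROWSERS = ("iexplore.exe", "msedge.exe", "chrome.exe", "firefox.exe")
# Parents from which a browser start is unremarkable (assumed baseline).
EXPECTED_BROWSER_PARENTS = ("explorer.exe", "userinit.exe", "svchost.exe", "runtimebroker.exe")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def command_arguments(e: ProcEvent) -> str:
    """Everything on the command line after the image path, quoted or not."""
    cmd = e.cmdline.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[end + 1:].strip() if end != -1 else ""
    if cmd.lower().startswith(e.image.lower()):
        return cmd[len(e.image):].strip()
    return cmd.split(None, 1)[1] if " " in cmd else ""


def ancestry(events: list[ProcEvent], pid: int) -> list[str]:
    """Image names from the given process up to the root, child first."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


def flag_events(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Per-PID findings. A browser started by a non-shell parent with no URL or
    argument, as obedience.exe does here twice, is the usual shape of a host
    process created only to receive injected code."""
    by_pid = {e.pid: e for e in events}
    findings: dict[int, list[str]] = {}
    for e in events:
        hits = []
        if any(marker in e.image.lower() for marker in USER_WRITABLE):
            hits.append("image-in-user-writable-dir")
        if basename(e.image) in BROWSERS:
            parent = by_pid.get(e.ppid)
            if parent is not None and basename(parent.image) not in EXPECTED_BROWSER_PARENTS:
                hits.append("browser-spawned-by-unexpected-parent")
            if not command_arguments(e):
                hits.append("browser-launched-without-arguments")
        if hits:
            findings[e.pid] = hits
    return findings


if __name__ == "__main__":
    for pid, hits in flag_events(EVENTS).items():
        print(pid, " <- ".join(ancestry(EVENTS, pid)), hits)
```

The argument check matters as much as the parent check: a browser launched from a document or a link normally carries a URL or file on its command line, so an empty one from a Temp-resident parent is the combination to alert on, not either trait alone.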

AV Detection

Source: cANdLlHS4N.exe | Virustotal: Detection: 77%
Source: cANdLlHS4N.exe | Metadefender: Detection: 64%
Source: cANdLlHS4N.exe | ReversingLabs: Detection: 84%
Source: cANdLlHS4N.exe | Avira: detected
Source: C:\Users\user\AppData\Local\Temp\StarBurn.dll | Avira: detection malicious, Label: HEUR/AGEN.1226539
Source: 0.2.cANdLlHS4N.exe.2880000.3.unpack | Avira: Label: TR/ATRAPS.Gen
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: 2_2_04B4B9B9 CredEnumerateA,WideCharToMultiByte,GetACP,WideCharToMultiByte,CryptUnprotectData,GetACP,WideCharToMultiByte,CredFree
Source: cANdLlHS4N.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: cANdLlHS4N.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\cANdLlHS4N.exe | Code function: 0_2_009C8B98 __EH_prolog3_GS,GetFullPathNameA,__cftof,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,_strcpy_s
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_00409798 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_00405F34 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: 2_2_04B4B33C FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 3_2_00409798 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 3_2_00405F34 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | File opened: C:\Users\user\AppData\Local

Networking

Source: Traffic | Snort IDS: 2024173 ET TROJAN Red Leaves magic packet detected (APT10 implant) 192.168.2.4:49764 -> 67.205.132.17:80
Source: global traffic | TCP traffic: 67.205.132.17 ports 3, 443, 4, 995, 80, 53
Source: Joe Sandbox View | ASN Name: DIGITALOCEAN-ASNUS
Source: global traffic | HTTP traffic detected (5 identical requests): POST /NEZTl2/index.php HTTP/1.1; Connection: Keep-Alive; Accept: */*; Content-Length: 133; Host: 67.205.132.17:443
Source: global traffic | HTTP traffic detected (5 identical requests): POST /3T3t/index.php HTTP/1.1; Connection: Keep-Alive; Accept: */*; Content-Length: 133; Host: 67.205.132.17:443
Source: global traffic | HTTP traffic detected (5 identical requests): POST /hvnqlRD8z/index.php HTTP/1.1; Connection: Keep-Alive; Accept: */*; Content-Length: 133; Host: 67.205.132.17:443
Source: global traffic | HTTP traffic detected (5 identical requests): POST /23I9/index.php HTTP/1.1; Connection: Keep-Alive; Accept: */*; Content-Length: 133; Host: 67.205.132.17:443
Source: global traffic | HTTP traffic detected (5 identical requests): POST /M2c1Nb/index.php HTTP/1.1; Connection: Keep-Alive; Accept: */*; Content-Length: 133; Host: 67.205.132.17:443
Source: global traffic | TCP traffic: 192.168.2.4:49757 -> 67.205.132.17:995
Source: global traffic | TCP traffic: 192.168.2.4:49746 -> 67.205.132.17:53
Source: unknown | Network traffic detected: HTTP traffic on port 443, seen in both directions (local port -> 443 and 443 -> local port) for local ports 49736, 49737, 49738, 49739, 49740, 49741, 49743, 49747, 49748, 49749, 49750, 49751, 49756, 49758, 49759, 49760, 49761, 49762, 49763, 49765, 49766, 49767, 49768, 49769, 49770, 49771, 49772, 49773, 49774, 49775, 49776 (62 entries in the full report, one per port and direction)
Source: unknown | TCP traffic detected without corresponding DNS query: 67.205.132.17 (44 entries)
Source: unknown | TCP traffic detected without corresponding DNS query: 144.168.45.116 (6 entries)
Source: iexplore.exe, 00000002.00000002.500224676.0000000004C70000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://67.205.132.17:443
Source: cANdLlHS4N.exe, 00000000.00000002.246524283.00000000029EF000.00000004.00000800.00020000.00000000.sdmp, cANdLlHS4N.exe, 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp, obedience.exe.0.dr | String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: cANdLlHS4N.exe, 00000000.00000002.246524283.00000000029EF000.00000004.00000800.00020000.00000000.sdmp, cANdLlHS4N.exe, 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp, obedience.exe.0.dr | String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: cANdLlHS4N.exe, 00000000.00000002.246524283.00000000029EF000.00000004.00000800.00020000.00000000.sdmp, cANdLlHS4N.exe, 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp, obedience.exe.0.dr | String found in binary or memory: http://crl.globalsign.net/Timestamping1.crl0
Source: cANdLlHS4N.exe, 00000000.00000002.246524283.00000000029EF000.00000004.00000800.00020000.00000000.sdmp, cANdLlHS4N.exe, 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp, obedience.exe.0.dr | String found in binary or memory: http://crl.globalsign.net/primobject.crl0N
Source: cANdLlHS4N.exe, 00000000.00000002.246524283.00000000029EF000.00000004.00000800.00020000.00000000.sdmp, cANdLlHS4N.exe, 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp, obedience.exe.0.dr | String found in binary or memory: http://crl.globalsign.net/root.crl0
Source: cANdLlHS4N.exe, 00000000.00000002.246524283.00000000029EF000.00000004.00000800.00020000.00000000.sdmp, cANdLlHS4N.exe, 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp, obedience.exe.0.dr | String found in binary or memory: http://secure.globalsign.net/cacert/ObjectSign.crt09
Source: cANdLlHS4N.exe, 00000000.00000002.246524283.00000000029EF000.00000004.00000800.00020000.00000000.sdmp, cANdLlHS4N.exe, 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp, obedience.exe.0.dr | String found in binary or memory: http://secure.globalsign.net/cacert/PrimObject.crt0
Source: cANdLlHS4N.exe, 00000000.00000002.246215033.0000000002880000.00000004.00000800.00020000.00000000.sdmp, cANdLlHS4N.exe, 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp, obedience.exe, 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp, obedience.exe, 00000003.00000000.262529824.0000000000496000.00000002.00000001.01000000.00000004.sdmp, obedience.exe.0.dr | String found in binary or memory: http://www.audio-tool.net
Source: cANdLlHS4N.exe, 00000000.00000002.246524283.00000000029EF000.00000004.00000800.00020000.00000000.sdmp, cANdLlHS4N.exe, 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp, obedience.exe.0.dr | String found in binary or memory: http://www.globalsign.net/repository/0
Source: cANdLlHS4N.exe, 00000000.00000002.246524283.00000000029EF000.00000004.00000800.00020000.00000000.sdmp, cANdLlHS4N.exe, 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp, obedience.exe.0.dr | String found in binary or memory: http://www.globalsign.net/repository/03
Source: cANdLlHS4N.exe, 00000000.00000002.246524283.00000000029EF000.00000004.00000800.00020000.00000000.sdmp, cANdLlHS4N.exe, 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp, obedience.exe.0.dr | String found in binary or memory: http://www.globalsign.net/repository09
Source: unknown | HTTP traffic detected: POST /NEZTl2/index.php HTTP/1.1; Connection: Keep-Alive; Accept: */*; Content-Length: 133; Host: 67.205.132.17:443
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: 2_2_04B43A47 recv,recv
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_00429A00 GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: 2_2_04B55315 GetDesktopWindow,GetDC,GetDC,GetDC,CreateCompatibleDC,DeleteObject,DeleteObject,DeleteObject,ReleaseDC,ReleaseDC,ReleaseDC,GetClientRect,SetStretchBltMode,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,StretchBlt,DeleteObject,DeleteObject,CreateCompatibleBitmap,SelectObject,BitBlt,GetObjectW,GlobalAlloc,GlobalFix,GetDIBits,VirtualAlloc,GlobalUnWire,GlobalFree,VirtualFree,DeleteObject,DeleteObject,DeleteObject,ReleaseDC,ReleaseDC,ReleaseDC,DeleteObject,DeleteObject,DeleteObject,ReleaseDC,ReleaseDC,ReleaseDC
Source: C:\Users\user\Desktop\cANdLlHS4N.exe | Code function: 0_2_009AD29D GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA
Source: C:\Users\user\Desktop\cANdLlHS4N.exe | Code function: 0_2_009A7B6A SendMessageA,UpdateWindow,GetKeyState,GetKeyState,GetKeyState,GetParent,PostMessageA
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_00445BB4 GetKeyboardState
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_0043D32C OpenClipboard,GlobalAlloc,GlobalFix,EmptyClipboard,SetClipboardData,GlobalUnWire
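Taken together, the Networking section describes one C2 shape: cleartext HTTP on port 443 (the request is readable and its Host header carries :443), POSTs with a fixed 133-byte body to a randomized directory under index.php, no User-Agent header, and one IP contacted on ports 3, 4, 53, 80, 443 and 995. The report labels that last point likely port scanning; an implant walking its configured fallback ports against one server looks identical on the wire, so the check below keys on the many-ports-one-host shape without deciding intent. The Python below is an added example, not from the Joe Sandbox report or any Snort/ET rule: the HTTP requests and TCP tuples are constructed from the values on this page, with one benign GET and one benign HTTPS connection added as controls; the source ports for the connections to ports 3 and 4 and the 203.0.113.10 address are made up.

```python
"""Added example (not from the Joe Sandbox report): detection logic for the C2
traffic pattern shown in the Networking section, run over constructed records."""

from __future__ import annotations

import re
from collections import defaultdict

# Constructed sample requests modeled on the report: five POSTs to randomized
# directories under 67.205.132.17:443, cleartext and without a User-Agent, plus
# one ordinary GET as a control.
SAMPLE_HTTP = [
    "POST /NEZTl2/index.php HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nContent-Length: 133\r\nHost: 67.205.132.17:443\r\n\r\n",
    "POST /3T3t/index.php HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nContent-Length: 133\r\nHost: 67.205.132.17:443\r\n\r\n",
    "POST /hvnqlRD8z/index.php HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nContent-Length: 133\r\nHost: 67.205.132.17:443\r\n\r\n",
    "POST /23I9/index.php HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nContent-Length: 133\r\nHost: 67.205.132.17:443\r\n\r\n",
    "POST /M2c1Nb/index.php HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nContent-Length: 133\r\nHost: 67.205.132.17:443\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\nAccept: */*\r\n\r\n",
]

# Constructed (src_ip, src_port, dst_ip, dst_port) tuples: the six ports the
# report lists for 67.205.132.17 (source ports for 3 and 4 are invented) plus
# one benign HTTPS connection to a TEST-NET address.
SAMPLE_TCP = [
    ("192.168.2.4", 49746, "67.205.132.17", 53),
    ("192.168.2.4", 49757, "67.205.132.17", 995),
    ("192.168.2.4", 49764, "67.205.132.17", 80),
    ("192.168.2.4", 49736, "67.205.132.17", 443),
    ("192.168.2.4", 49781, "67.205.132.17", 3),
    ("192.168.2.4", 49782, "67.205.132.17", 4),
    ("192.168.2.4", 49790, "203.0.113.10", 443),
]

# A short random-looking directory followed by index.php, as in the report's URIs.
BEACON_PATH = re.compile(r"^/[A-Za-z0-9]{3,12}/index\.php$")


def parse_http_request(raw: str) -> dict:
    """Split a raw HTTP/1.x request into method, path, version and a lower-cased header map."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version, "headers": headers}


def flag_http_request(req: dict) -> list[str]:
    """Suspicious traits of one parsed request; empty list when it looks ordinary."""
    findings = []
    headers = req["headers"]
    if "user-agent" not in headers:
        findings.append("no-user-agent")
    # The request was parsed as cleartext, so ':443' in Host means HTTP on the HTTPS port.
    if headers.get("host", "").endswith(":443"):
        findings.append("plaintext-http-on-443")
    if req["method"] == "POST" and BEACON_PATH.match(req["path"]):
        findings.append("random-dir-index-php-post")
    return findings


def find_beacon_hosts(raw_requests: list[str], min_paths: int = 3) -> dict[str, list[str]]:
    """Hosts receiving POSTs of identical Content-Length to at least min_paths
    distinct random directories: the fixed-size, randomized-path beacon above."""
    by_host: dict[str, dict[str, set[str]]] = defaultdict(lambda: defaultdict(set))
    for raw in raw_requests:
        req = parse_http_request(raw)
        if req["method"] != "POST" or not BEACON_PATH.match(req["path"]):
            continue
        host = req["headers"].get("host", "")
        length = req["headers"].get("content-length", "")
        by_host[host][length].add(req["path"])
    hits = {}
    for host, by_len in by_host.items():
        for paths in by_len.values():
            if len(paths) >= min_paths:
                hits[host] = sorted(paths)
    return hits


def find_multi_port_hosts(conns: list[tuple[str, int, str, int]], min_ports: int = 4) -> dict[str, list[int]]:
    """Destination IPs contacted on at least min_ports distinct ports."""
    ports: dict[str, set[int]] = defaultdict(set)
    for _src, _sport, dst, dport in conns:
        ports[dst].add(dport)
    return {ip: sorted(p) for ip, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    for raw in SAMPLE_HTTP:
        req = parse_http_request(raw)
        print(req["method"], req["path"], flag_http_request(req))
    print("beacon hosts:", find_beacon_hosts(SAMPLE_HTTP))
    print("multi-port hosts:", find_multi_port_hosts(SAMPLE_TCP))
```

None of the three traits is conclusive alone (plenty of tooling sends no User-Agent, and some services do speak HTTP on 443); the value is in their coincidence on one host, which is why the beacon check groups by Host and Content-Length before counting paths.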

System Summary

Source: cANdLlHS4N.exe, type: SAMPLE | Matched rule: Detect a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX | Author: USG
Source: 0.2.cANdLlHS4N.exe.ca8bf8.1.unpack, type: UNPACKEDPE | Matched rule: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT | Author: USG
Source: 0.2.cANdLlHS4N.exe.ca8bf8.1.unpack, type: UNPACKEDPE | Matched rule: Detects malware from Operation Cloud Hopper | Author: Florian Roth
Source: 0.2.cANdLlHS4N.exe.26e0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT | Author: USG
Source: 0.2.cANdLlHS4N.exe.26e0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects malware from Operation Cloud Hopper | Author: Florian Roth
Source: 0.2.cANdLlHS4N.exe.26e0000.2.unpack, type: UNPACKEDPE | Matched rule: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT | Author: USG
Source: 0.2.cANdLlHS4N.exe.26e0000.2.unpack, type: UNPACKEDPE | Matched rule: Detects malware from Operation Cloud Hopper | Author: Florian Roth
Source: 1.2.obedience.exe.6ed90000.1.unpack, type: UNPACKEDPE | Matched rule: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT | Author: USG
Source: 1.2.obedience.exe.6ed90000.1.unpack, type: UNPACKEDPE | Matched rule: Detects malware from Operation Cloud Hopper | Author: Florian Roth
Source: 3.2.obedience.exe.6ee50000.1.unpack, type: UNPACKEDPE | Matched rule: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT | Author: USG
Source: 3.2.obedience.exe.6ee50000.1.unpack, type: UNPACKEDPE | Matched rule: Detects malware from Operation Cloud Hopper | Author: Florian Roth
Source: 0.2.cANdLlHS4N.exe.ca8bf8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT | Author: USG
Source: 0.2.cANdLlHS4N.exe.ca8bf8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detect obfuscated .dat file containing shellcode and core REDLEAVES RAT | Author: USG
Source: 0.2.cANdLlHS4N.exe.9a0000.0.unpack, type: UNPACKEDPE | Matched rule: Detect a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX | Author: USG
Source: 0.2.cANdLlHS4N.exe.9a0000.0.unpack, type: UNPACKEDPE | Matched rule: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT | Author: USG
Source: 0.2.cANdLlHS4N.exe.9a0000.0.unpack, type: UNPACKEDPE | Matched rule: Detect obfuscated .dat file containing shellcode and core REDLEAVES RAT | Author: USG
Source: 0.0.cANdLlHS4N.exe.9a0000.0.unpack, type: UNPACKEDPE | Matched rule: Detect a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX | Author: USG
Source: 00000000.00000002.246163618.0000000002710000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detect obfuscated .dat file containing shellcode and core REDLEAVES RAT | Author: USG
Source: 00000003.00000002.273655894.000000006EE51000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT | Author: USG
Source: 00000001.00000002.248376246.000000006ED91000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT | Author: USG
Source: 00000002.00000002.499777419.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Strings identifying the core REDLEAVES RAT in its deobfuscated state | Author: USG
Source: 00000002.00000002.499777419.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Red Leaves malware, related to APT10 | Author: David Cannings
Source: 00000002.00000002.499777419.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: RedLeaf crypto function | Author: kev
Source: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Detect a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX Author: USG
Source: 00000002.00000000.244543247.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Strings identifying the core REDLEAVES RAT in its deobfuscated state Author: USG
Source: 00000002.00000000.244543247.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Red Leaves malware, related to APT10 Author: David Cannings
Source: 00000002.00000000.244543247.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: RedLeaf crypto function Author: kev
Source: 00000000.00000002.246143559.00000000026E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT Author: USG
Source: 00000000.00000002.246143559.00000000026E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects malware from Operation Cloud Hopper Author: Florian Roth
Source: 00000002.00000000.244858067.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Strings identifying the core REDLEAVES RAT in its deobfuscated state Author: USG
Source: 00000002.00000000.244858067.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Red Leaves malware, related to APT10 Author: David Cannings
Source: 00000002.00000000.244858067.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: RedLeaf crypto function Author: kev
Source: 00000000.00000000.235322946.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Detect a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX Author: USG
Source: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Strings identifying the core REDLEAVES RAT in its deobfuscated state Author: USG
Source: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Red Leaves malware, related to APT10 Author: David Cannings
Source: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect RedLeaves in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Detect a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX Author: USG
Source: 00000001.00000002.248128854.0000000002580000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Strings identifying the core REDLEAVES RAT in its deobfuscated state Author: USG
Source: 00000001.00000002.248128854.0000000002580000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Red Leaves malware, related to APT10 Author: David Cannings
Source: 00000001.00000002.248128854.0000000002580000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: RedLeaf crypto function Author: kev
Source: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT Author: USG
Source: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Detect obfuscated .dat file containing shellcode and core REDLEAVES RAT Author: USG
Source: 00000003.00000002.273510822.0000000002410000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Strings identifying the core REDLEAVES RAT in its deobfuscated state Author: USG
Source: 00000003.00000002.273510822.0000000002410000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Red Leaves malware, related to APT10 Author: David Cannings
Source: 00000003.00000002.273510822.0000000002410000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: RedLeaf crypto function Author: kev
Source: 00000000.00000000.235102933.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Detect a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX Author: USG
Source: Process Memory Space: cANdLlHS4N.exe PID: 6048, type: MEMORYSTRMatched rule: Detect a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX Author: USG
Source: Process Memory Space: cANdLlHS4N.exe PID: 6048, type: MEMORYSTRMatched rule: Detect obfuscated .dat file containing shellcode and core REDLEAVES RAT Author: USG
Source: Process Memory Space: obedience.exe PID: 488, type: MEMORYSTRMatched rule: Strings identifying the core REDLEAVES RAT in its deobfuscated state Author: USG
Source: Process Memory Space: obedience.exe PID: 488, type: MEMORYSTRMatched rule: Detects specific RedLeaves and PlugX binaries Author: US-CERT Code Analysis Team
Source: Process Memory Space: obedience.exe PID: 488, type: MEMORYSTRMatched rule: Red Leaves malware, related to APT10 Author: David Cannings
Source: Process Memory Space: iexplore.exe PID: 5844, type: MEMORYSTRMatched rule: Strings identifying the core REDLEAVES RAT in its deobfuscated state Author: USG
Source: Process Memory Space: iexplore.exe PID: 5844, type: MEMORYSTRMatched rule: Detects specific RedLeaves and PlugX binaries Author: US-CERT Code Analysis Team
Source: Process Memory Space: iexplore.exe PID: 5844, type: MEMORYSTRMatched rule: Red Leaves malware, related to APT10 Author: David Cannings
Source: Process Memory Space: obedience.exe PID: 5080, type: MEMORYSTRMatched rule: Strings identifying the core REDLEAVES RAT in its deobfuscated state Author: USG
Source: Process Memory Space: obedience.exe PID: 5080, type: MEMORYSTRMatched rule: Detects specific RedLeaves and PlugX binaries Author: US-CERT Code Analysis Team
Source: Process Memory Space: obedience.exe PID: 5080, type: MEMORYSTRMatched rule: Red Leaves malware, related to APT10 Author: David Cannings
Source: C:\Users\user\AppData\Local\Temp\handkerchief.dat, type: DROPPEDMatched rule: Detect obfuscated .dat file containing shellcode and core REDLEAVES RAT Author: USG
Source: C:\Users\user\AppData\Local\Temp\StarBurn.dll, type: DROPPEDMatched rule: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT Author: USG
Source: C:\Users\user\AppData\Local\Temp\StarBurn.dll, type: DROPPEDMatched rule: Detects malware from Operation Cloud Hopper Author: Florian Roth
Source: cANdLlHS4N.exe | Initial file: MD5: b3139b26a2dabb9b6e728884d8fa8b33 | Family: APT10 | Alias: Stone Panda, APT 10, menuPass, happyyongzi, POTASSIUM, DustStorm, Red Apollo, CVNX, HOGFISH, APT10 | Description: APT10 is the name given to a group of Chinese hackers first identified by FireEye. The group is said to have taken gigabytes of sensitive data from firms involved in the fields of aviation, space and satellite, manufacturing, pharmaceuticals, oil and gas exploration, communications, computer processor and maritime. | References: https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html | Data Source: https://github.com/RedDrip7/APT_Digital_Weapon
Source: cANdLlHS4N.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: cANdLlHS4N.exe, type: SAMPLEMatched rule: Dropper_DeploysMalwareViaSideLoading author = USG, description = Detect a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 5262cb9791df50fafcb2fbd5f93226050b51efe400c2924eecba97b7ce437481: drops REDLEAVES. 6392e0701a77ea25354b1f40f5b867a35c0142abde785a66b83c9c8d2c14c0c3: drops plugx.
Source: 0.2.cANdLlHS4N.exe.ca8bf8.1.unpack, type: UNPACKEDPEMatched rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn author = USG, description = Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 7f8a867a8302fe58039a6db254d335ae
Source: 0.2.cANdLlHS4N.exe.ca8bf8.1.unpack, type: UNPACKEDPEMatched rule: OpCloudHopper_Malware_6 date = 2017-04-03, hash1 = aabebea87f211d47f72d662e2449009f83eac666d81b8629cf57219d0ce31af6, author = Florian Roth, description = Detects malware from Operation Cloud Hopper, reference = https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.cANdLlHS4N.exe.26e0000.2.raw.unpack, type: UNPACKEDPEMatched rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn author = USG, description = Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 7f8a867a8302fe58039a6db254d335ae
Source: 0.2.cANdLlHS4N.exe.26e0000.2.raw.unpack, type: UNPACKEDPEMatched rule: OpCloudHopper_Malware_6 date = 2017-04-03, hash1 = aabebea87f211d47f72d662e2449009f83eac666d81b8629cf57219d0ce31af6, author = Florian Roth, description = Detects malware from Operation Cloud Hopper, reference = https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.cANdLlHS4N.exe.26e0000.2.unpack, type: UNPACKEDPEMatched rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn author = USG, description = Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 7f8a867a8302fe58039a6db254d335ae
Source: 0.2.cANdLlHS4N.exe.26e0000.2.unpack, type: UNPACKEDPEMatched rule: OpCloudHopper_Malware_6 date = 2017-04-03, hash1 = aabebea87f211d47f72d662e2449009f83eac666d81b8629cf57219d0ce31af6, author = Florian Roth, description = Detects malware from Operation Cloud Hopper, reference = https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.obedience.exe.6ed90000.1.unpack, type: UNPACKEDPEMatched rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn author = USG, description = Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 7f8a867a8302fe58039a6db254d335ae
Source: 1.2.obedience.exe.6ed90000.1.unpack, type: UNPACKEDPEMatched rule: OpCloudHopper_Malware_6 date = 2017-04-03, hash1 = aabebea87f211d47f72d662e2449009f83eac666d81b8629cf57219d0ce31af6, author = Florian Roth, description = Detects malware from Operation Cloud Hopper, reference = https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.obedience.exe.6ee50000.1.unpack, type: UNPACKEDPEMatched rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn author = USG, description = Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 7f8a867a8302fe58039a6db254d335ae
Source: 3.2.obedience.exe.6ee50000.1.unpack, type: UNPACKEDPEMatched rule: OpCloudHopper_Malware_6 date = 2017-04-03, hash1 = aabebea87f211d47f72d662e2449009f83eac666d81b8629cf57219d0ce31af6, author = Florian Roth, description = Detects malware from Operation Cloud Hopper, reference = https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.cANdLlHS4N.exe.ca8bf8.1.raw.unpack, type: UNPACKEDPEMatched rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn author = USG, description = Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 7f8a867a8302fe58039a6db254d335ae
Source: 0.2.cANdLlHS4N.exe.ca8bf8.1.raw.unpack, type: UNPACKEDPEMatched rule: REDLEAVES_DroppedFile_ObfuscatedShellcodeAndRAT_handkerchief author = USG, description = Detect obfuscated .dat file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = fb0c714cd2ebdcc6f33817abe7813c36
Source: 0.2.cANdLlHS4N.exe.9a0000.0.unpack, type: UNPACKEDPEMatched rule: Dropper_DeploysMalwareViaSideLoading author = USG, description = Detect a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 5262cb9791df50fafcb2fbd5f93226050b51efe400c2924eecba97b7ce437481: drops REDLEAVES. 6392e0701a77ea25354b1f40f5b867a35c0142abde785a66b83c9c8d2c14c0c3: drops plugx.
Source: 0.2.cANdLlHS4N.exe.9a0000.0.unpack, type: UNPACKEDPEMatched rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn author = USG, description = Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 7f8a867a8302fe58039a6db254d335ae
Source: 0.2.cANdLlHS4N.exe.9a0000.0.unpack, type: UNPACKEDPEMatched rule: REDLEAVES_DroppedFile_ObfuscatedShellcodeAndRAT_handkerchief author = USG, description = Detect obfuscated .dat file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = fb0c714cd2ebdcc6f33817abe7813c36
Source: 0.0.cANdLlHS4N.exe.9a0000.0.unpack, type: UNPACKEDPEMatched rule: Dropper_DeploysMalwareViaSideLoading author = USG, description = Detect a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 5262cb9791df50fafcb2fbd5f93226050b51efe400c2924eecba97b7ce437481: drops REDLEAVES. 6392e0701a77ea25354b1f40f5b867a35c0142abde785a66b83c9c8d2c14c0c3: drops plugx.
Source: 00000000.00000002.246163618.0000000002710000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: REDLEAVES_DroppedFile_ObfuscatedShellcodeAndRAT_handkerchief author = USG, description = Detect obfuscated .dat file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = fb0c714cd2ebdcc6f33817abe7813c36
Source: 00000000.00000002.246163618.0000000002710000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000003.00000002.273655894.000000006EE51000.00000020.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn author = USG, description = Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 7f8a867a8302fe58039a6db254d335ae
Source: 00000001.00000002.248376246.000000006ED91000.00000020.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn author = USG, description = Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 7f8a867a8302fe58039a6db254d335ae
Source: 00000000.00000000.235573187.0000000000CA2000.00000008.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000002.00000002.499777419.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REDLEAVES_CoreImplant_UniqueStrings author = USG, description = Strings identifying the core REDLEAVES RAT in its deobfuscated state, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A
Source: 00000002.00000002.499777419.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: malware_red_leaves_generic sha256 = 2e1f902de32b999642bb09e995082c37a024f320c683848edadaf2db8e322c3c, author = David Cannings, description = Red Leaves malware, related to APT10
Source: 00000002.00000002.499777419.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: RedLeaf author = kev, description = RedLeaf crypto function, cape_type = RedLeaf Payload
Source: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Dropper_DeploysMalwareViaSideLoading author = USG, description = Detect a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 5262cb9791df50fafcb2fbd5f93226050b51efe400c2924eecba97b7ce437481: drops REDLEAVES. 6392e0701a77ea25354b1f40f5b867a35c0142abde785a66b83c9c8d2c14c0c3: drops plugx.
Source: 00000002.00000000.244543247.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REDLEAVES_CoreImplant_UniqueStrings author = USG, description = Strings identifying the core REDLEAVES RAT in its deobfuscated state, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A
Source: 00000002.00000000.244543247.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: malware_red_leaves_generic sha256 = 2e1f902de32b999642bb09e995082c37a024f320c683848edadaf2db8e322c3c, author = David Cannings, description = Red Leaves malware, related to APT10
Source: 00000002.00000000.244543247.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: RedLeaf author = kev, description = RedLeaf crypto function, cape_type = RedLeaf Payload
Source: 00000000.00000002.246143559.00000000026E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn author = USG, description = Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 7f8a867a8302fe58039a6db254d335ae
Source: 00000000.00000002.246143559.00000000026E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: OpCloudHopper_Malware_6 date = 2017-04-03, hash1 = aabebea87f211d47f72d662e2449009f83eac666d81b8629cf57219d0ce31af6, author = Florian Roth, description = Detects malware from Operation Cloud Hopper, reference = https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000002.00000000.244858067.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REDLEAVES_CoreImplant_UniqueStrings author = USG, description = Strings identifying the core REDLEAVES RAT in its deobfuscated state, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A
Source: 00000002.00000000.244858067.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: malware_red_leaves_generic sha256 = 2e1f902de32b999642bb09e995082c37a024f320c683848edadaf2db8e322c3c, author = David Cannings, description = Red Leaves malware, related to APT10
Source: 00000002.00000000.244858067.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: RedLeaf author = kev, description = RedLeaf crypto function, cape_type = RedLeaf Payload
Source: 00000000.00000000.235322946.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Dropper_DeploysMalwareViaSideLoading author = USG, description = Detect a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 5262cb9791df50fafcb2fbd5f93226050b51efe400c2924eecba97b7ce437481: drops REDLEAVES. 6392e0701a77ea25354b1f40f5b867a35c0142abde785a66b83c9c8d2c14c0c3: drops plugx.
Source: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: REDLEAVES_CoreImplant_UniqueStrings author = USG, description = Strings identifying the core REDLEAVES RAT in its deobfuscated state, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A
Source: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: malware_red_leaves_generic sha256 = 2e1f902de32b999642bb09e995082c37a024f320c683848edadaf2db8e322c3c, author = David Cannings, description = Red Leaves malware, related to APT10
Source: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: RedLeaves hash1 = 5262cb9791df50fafcb2fbd5f93226050b51efe400c2924eecba97b7ce437481, author = JPCERT/CC Incident Response Group, description = detect RedLeaves in memory, rule_usage = memory block scan, reference = https://blogs.jpcert.or.jp/en/2017/05/volatility-plugin-for-detecting-redleaves-malware.html
Source: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Dropper_DeploysMalwareViaSideLoading author = USG, description = Detect a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 5262cb9791df50fafcb2fbd5f93226050b51efe400c2924eecba97b7ce437481: drops REDLEAVES. 6392e0701a77ea25354b1f40f5b867a35c0142abde785a66b83c9c8d2c14c0c3: drops plugx.
Source: 00000001.00000002.248128854.0000000002580000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: REDLEAVES_CoreImplant_UniqueStrings author = USG, description = Strings identifying the core REDLEAVES RAT in its deobfuscated state, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A
Source: 00000001.00000002.248128854.0000000002580000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: malware_red_leaves_generic sha256 = 2e1f902de32b999642bb09e995082c37a024f320c683848edadaf2db8e322c3c, author = David Cannings, description = Red Leaves malware, related to APT10
Source: 00000001.00000002.248128854.0000000002580000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: RedLeaf author = kev, description = RedLeaf crypto function, cape_type = RedLeaf Payload
Source: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn author = USG, description = Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 7f8a867a8302fe58039a6db254d335ae
Source: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: REDLEAVES_DroppedFile_ObfuscatedShellcodeAndRAT_handkerchief author = USG, description = Detect obfuscated .dat file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = fb0c714cd2ebdcc6f33817abe7813c36
Source: 00000003.00000002.273510822.0000000002410000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: REDLEAVES_CoreImplant_UniqueStrings author = USG, description = Strings identifying the core REDLEAVES RAT in its deobfuscated state, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A
Source: 00000003.00000002.273510822.0000000002410000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: malware_red_leaves_generic sha256 = 2e1f902de32b999642bb09e995082c37a024f320c683848edadaf2db8e322c3c, author = David Cannings, description = Red Leaves malware, related to APT10
Source: 00000003.00000002.273510822.0000000002410000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: RedLeaf author = kev, description = RedLeaf crypto function, cape_type = RedLeaf Payload
Source: 00000000.00000000.235102933.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Dropper_DeploysMalwareViaSideLoading author = USG, description = Detect a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 5262cb9791df50fafcb2fbd5f93226050b51efe400c2924eecba97b7ce437481: drops REDLEAVES. 6392e0701a77ea25354b1f40f5b867a35c0142abde785a66b83c9c8d2c14c0c3: drops plugx.
Source: Process Memory Space: cANdLlHS4N.exe PID: 6048, type: MEMORYSTRMatched rule: Dropper_DeploysMalwareViaSideLoading author = USG, description = Detect a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 5262cb9791df50fafcb2fbd5f93226050b51efe400c2924eecba97b7ce437481: drops REDLEAVES. 6392e0701a77ea25354b1f40f5b867a35c0142abde785a66b83c9c8d2c14c0c3: drops plugx.
Source: Process Memory Space: cANdLlHS4N.exe PID: 6048, type: MEMORYSTRMatched rule: REDLEAVES_DroppedFile_ObfuscatedShellcodeAndRAT_handkerchief author = USG, description = Detect obfuscated .dat file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = fb0c714cd2ebdcc6f33817abe7813c36
Source: Process Memory Space: obedience.exe PID: 488, type: MEMORYSTRMatched rule: REDLEAVES_CoreImplant_UniqueStrings author = USG, description = Strings identifying the core REDLEAVES RAT in its deobfuscated state, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A
Source: Process Memory Space: obedience.exe PID: 488, type: MEMORYSTRMatched rule: PLUGX_RedLeaves date = 2017-04-03, author = US-CERT Code Analysis Team, MD5_5 = 566291B277534B63EAFC938CDAAB8A399E41AF7D, description = Detects specific RedLeaves and PlugX binaries, MD5_1 = 598FF82EA4FB52717ACAFB227C83D474, MD5_2 = 7D10708A518B26CC8C3CBFBAA224E032, MD5_3 = AF406D35C77B1E0DF17F839E36BCE630, MD5_4 = 6EB9E889B091A5647F6095DCD4DE7C83, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, incident = 10118538
Source: Process Memory Space: obedience.exe PID: 488, type: MEMORYSTRMatched rule: malware_red_leaves_generic sha256 = 2e1f902de32b999642bb09e995082c37a024f320c683848edadaf2db8e322c3c, author = David Cannings, description = Red Leaves malware, related to APT10
Source: Process Memory Space: iexplore.exe PID: 5844, type: MEMORYSTR Matched rule: REDLEAVES_CoreImplant_UniqueStrings author = USG, description = Strings identifying the core REDLEAVES RAT in its deobfuscated state, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A
Source: Process Memory Space: iexplore.exe PID: 5844, type: MEMORYSTR Matched rule: PLUGX_RedLeaves date = 2017-04-03, author = US-CERT Code Analysis Team, MD5_5 = 566291B277534B63EAFC938CDAAB8A399E41AF7D, description = Detects specific RedLeaves and PlugX binaries, MD5_1 = 598FF82EA4FB52717ACAFB227C83D474, MD5_2 = 7D10708A518B26CC8C3CBFBAA224E032, MD5_3 = AF406D35C77B1E0DF17F839E36BCE630, MD5_4 = 6EB9E889B091A5647F6095DCD4DE7C83, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, incident = 10118538
Source: Process Memory Space: iexplore.exe PID: 5844, type: MEMORYSTR Matched rule: malware_red_leaves_generic sha256 = 2e1f902de32b999642bb09e995082c37a024f320c683848edadaf2db8e322c3c, author = David Cannings, description = Red Leaves malware, related to APT10
Source: Process Memory Space: obedience.exe PID: 5080, type: MEMORYSTR Matched rule: REDLEAVES_CoreImplant_UniqueStrings author = USG, description = Strings identifying the core REDLEAVES RAT in its deobfuscated state, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A
Source: Process Memory Space: obedience.exe PID: 5080, type: MEMORYSTR Matched rule: PLUGX_RedLeaves date = 2017-04-03, author = US-CERT Code Analysis Team, MD5_5 = 566291B277534B63EAFC938CDAAB8A399E41AF7D, description = Detects specific RedLeaves and PlugX binaries, MD5_1 = 598FF82EA4FB52717ACAFB227C83D474, MD5_2 = 7D10708A518B26CC8C3CBFBAA224E032, MD5_3 = AF406D35C77B1E0DF17F839E36BCE630, MD5_4 = 6EB9E889B091A5647F6095DCD4DE7C83, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, incident = 10118538
Source: Process Memory Space: obedience.exe PID: 5080, type: MEMORYSTR Matched rule: malware_red_leaves_generic sha256 = 2e1f902de32b999642bb09e995082c37a024f320c683848edadaf2db8e322c3c, author = David Cannings, description = Red Leaves malware, related to APT10
Source: C:\Users\user\AppData\Local\Temp\handkerchief.dat, type: DROPPED Matched rule: REDLEAVES_DroppedFile_ObfuscatedShellcodeAndRAT_handkerchief author = USG, description = Detect obfuscated .dat file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = fb0c714cd2ebdcc6f33817abe7813c36
Source: C:\Users\user\AppData\Local\Temp\handkerchief.dat, type: DROPPED Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: C:\Users\user\AppData\Local\Temp\StarBurn.dll, type: DROPPED Matched rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn author = USG, description = Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 7f8a867a8302fe58039a6db254d335ae
Source: C:\Users\user\AppData\Local\Temp\StarBurn.dll, type: DROPPED Matched rule: OpCloudHopper_Malware_6 date = 2017-04-03, hash1 = aabebea87f211d47f72d662e2449009f83eac666d81b8629cf57219d0ce31af6, author = Florian Roth, description = Detects malware from Operation Cloud Hopper, reference = https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
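The SUSP_XORed_MSDOS_Stub_Message hit on handkerchief.dat means the file carries a PE image under a single-byte XOR key, which fits the loader rule's description of StarBurn.dll deobfuscating the .dat that holds the shellcode and RAT. The Python below is an added example, not part of the Joe Sandbox report and not any of the cited Yara rules: it recovers the key the way the Yara `xor` string modifier does (each candidate offset implies exactly one key, so no 256-pass brute force), then carves the decoded PE by walking back from the stub message to an 'MZ' header whose e_lfanew points at 'PE\0\0'. The input blob is constructed inline (a minimal PE header behind 16 bytes of placeholder shellcode, XORed with 0x5A); the real handkerchief.dat is not reproduced here, and 0x5A is an arbitrary demonstration key, not the sample's.

```python
"""Locate and carve a single-byte-XOR-encoded PE inside an opaque blob (added example)."""
from __future__ import annotations

DOS_STUB_MSG = b"This program cannot be run in DOS mode"


def find_xored_stub(data: bytes) -> list[tuple[int, int]]:
    """Return (offset, key) for every place DOS_STUB_MSG appears under a
    single-byte XOR key. Key 0 is reported too, so a plaintext PE shows up
    as a hit with key 0 instead of being silently skipped."""
    hits: list[tuple[int, int]] = []
    n = len(DOS_STUB_MSG)
    for off in range(len(data) - n + 1):
        key = data[off] ^ DOS_STUB_MSG[0]            # the only key that can work at this offset
        if data[off + 1] ^ key != DOS_STUB_MSG[1]:   # cheap reject before slicing
            continue
        if bytes(b ^ key for b in data[off:off + n]) == DOS_STUB_MSG:
            hits.append((off, key))
    return hits


def carve_xored_pe(data: bytes, stub_off: int, key: int) -> bytes | None:
    """Decode the blob with `key` and walk back from the stub message to the
    'MZ' header, validating e_lfanew -> 'PE\\0\\0' so a stray 'MZ' in the
    preceding shellcode is not mistaken for the image start."""
    decoded = bytes(b ^ key for b in data)
    lowest = max(0, stub_off - 0x80)   # the stub message lives inside the DOS header
    for mz in range(stub_off, lowest - 1, -1):
        if decoded[mz:mz + 2] != b"MZ" or mz + 0x40 > len(decoded):
            continue
        e_lfanew = int.from_bytes(decoded[mz + 0x3C:mz + 0x40], "little")
        if decoded[mz + e_lfanew:mz + e_lfanew + 4] == b"PE\0\0":
            return decoded[mz:]
    return None


def build_sample_blob(key: int = 0x5A) -> bytes:
    """Constructed test input: 16 bytes of placeholder shellcode followed by a
    minimal PE header, the whole buffer XORed with `key`. Not real malware."""
    pe = bytearray(0x80 + 24)
    pe[0:2] = b"MZ"
    pe[0x3C:0x40] = (0x80).to_bytes(4, "little")                    # e_lfanew
    pe[0x40:0x4E] = bytes.fromhex("0E1FBA0E00B409CD21B8014CCD21")   # DOS stub code
    msg = DOS_STUB_MSG + b".\r\r\n$"
    pe[0x4E:0x4E + len(msg)] = msg
    pe[0x80:0x84] = b"PE\0\0"
    pe[0x84:0x86] = (0x14C).to_bytes(2, "little")                   # IMAGE_FILE_MACHINE_I386
    shellcode = b"\x90" * 16                                        # placeholder, stands in for the loader stub
    return bytes(b ^ key for b in shellcode + pe)


if __name__ == "__main__":
    blob = build_sample_blob()
    for off, key in find_xored_stub(blob):
        image = carve_xored_pe(blob, off, key)
        print(f"stub at 0x{off:x}, key 0x{key:02x}, carved PE: {len(image) if image else 0} bytes")
```

Run against a real dropped file, the carved bytes can be handed straight to pefile or re-scanned with the REDLEAVES core-implant rule; a blob that yields a stub hit but no carvable 'MZ' usually means a multi-byte or rolling key, which this single-byte search will not recover.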
Source: C:\Users\user\Desktop\cANdLlHS4N.exe Code function: 0_2_00A539D2
Source: C:\Users\user\Desktop\cANdLlHS4N.exe Code function: 0_2_00AADB4F
Source: C:\Users\user\Desktop\cANdLlHS4N.exe Code function: 0_2_00ABECDC
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_00482618
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_004847E4
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_0045893C
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_0043AC9C
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_00477074
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_0045DB80
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_6EDA0F49
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_6EDA0B77
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_6EDA07D9
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 2_2_03029246
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 2_2_0302D2F5
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 2_2_0300312C
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 2_2_0300B053
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 2_2_03019774
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 2_2_0302962E
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 2_2_03028641
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 2_2_0300E6C7
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 2_2_0300E4BC
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 2_2_03028AD6
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 2_2_0302D846
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 2_2_0302FE65
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 2_2_03028E74
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 2_2_0302CDA4
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 2_2_03022DC8
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 2_2_0302EC5B
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 2_2_04B4E428
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 2_2_04B685AD
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 2_2_04B6959A
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 2_2_04B68DE0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 2_2_04B6FDD1
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 2_2_04B62D34
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 2_2_04B6CD10
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 2_2_04B596E0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 2_2_04B4E633
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 2_2_04B6D7B2
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 2_2_04B4AFBF
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 2_2_04B43098
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 2_2_04B691B2
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 2_2_04B6D261
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 2_2_04B68A42
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 2_2_04B6EBC7
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 3_2_00482618
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 3_2_004847E4
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 3_2_0045893C
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 3_2_0043AC9C
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 3_2_00477074
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 3_2_0045DB80
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 3_2_6EE60F49
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 3_2_6EE60B77
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 3_2_6EE607D9
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 3_2_6EE60344
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: String function: 00403FD0 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: String function: 00404A64 appears 54 times
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: String function: 0047FD7C appears 50 times
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: String function: 00404A40 appears 183 times
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: String function: 00403BF0 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: String function: 004070D0 appears 126 times
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: String function: 004104E4 appears 52 times
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: String function: 0040F294 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: String function: 0040A164 appears 106 times
Source: C:\Users\user\Desktop\cANdLlHS4N.exe Code function: String function: 00AAD340 appears 37 times
Source: C:\Users\user\Desktop\cANdLlHS4N.exe Code function: String function: 00AAD232 appears 122 times
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: String function: 030240C4 appears 39 times
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: String function: 04B64030 appears 39 times
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 2_2_04B4F8FF DuplicateTokenEx,Wow64DisableWow64FsRedirection,CreateProcessAsUserW,GetLastError,Wow64RevertWow64FsRedirection,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_004637A8 NtdllDefWindowProc_A,
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_0045893C GetSubMenu,SaveDC,RestoreDC,73BEB080,SaveDC,RestoreDC,NtdllDefWindowProc_A,
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_00448B44 NtdllDefWindowProc_A,GetCapture,
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_0043AFAC NtdllDefWindowProc_A,
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_00463F4C IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_00463FFC IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 3_2_004637A8 NtdllDefWindowProc_A,
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 3_2_0045893C GetSubMenu,SaveDC,RestoreDC,GetWindowDC,SaveDC,RestoreDC,NtdllDefWindowProc_A,
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 3_2_00448B44 NtdllDefWindowProc_A,GetCapture,
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 3_2_0043AFAC NtdllDefWindowProc_A,
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 3_2_00463F4C IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 3_2_00463FFC IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,
Source: cANdLlHS4N.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: cANdLlHS4N.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: cANdLlHS4N.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: cANdLlHS4N.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: obedience.exe.0.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: obedience.exe.0.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: obedience.exe.0.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: obedience.exe.0.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: obedience.exe.0.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: obedience.exe.0.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: obedience.exe.0.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: obedience.exe.0.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: obedience.exe.0.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: obedience.exe.0.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: obedience.exe.0.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: obedience.exe.0.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: obedience.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: cANdLlHS4N.exe Virustotal: Detection: 77%
Source: cANdLlHS4N.exe Metadefender: Detection: 64%
Source: cANdLlHS4N.exe ReversingLabs: Detection: 84%
Source: cANdLlHS4N.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\cANdLlHS4N.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\cANdLlHS4N.exe "C:\Users\user\Desktop\cANdLlHS4N.exe"
Source: C:\Users\user\Desktop\cANdLlHS4N.exe Process created: C:\Users\user\AppData\Local\Temp\obedience.exe C:\Users\user\AppData\Local\Temp\obedience.exe
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\obedience.exe "C:\Users\user\AppData\Local\Temp\obedience.exe"
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
Source: C:\Users\user\Desktop\cANdLlHS4N.exe Process created: C:\Users\user\AppData\Local\Temp\obedience.exe C:\Users\user\AppData\Local\Temp\obedience.exe
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\obedience.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\persuasion.lnk
Source: C:\Users\user\Desktop\cANdLlHS4N.exe File created: C:\Users\user\AppData\Local\Temp\obedience.exe
Source: obedience.exe.0.dr Binary string: \Device\
Source: classification engine Classification label: mal100.troj.evad.winEXE@8/4@0/3
Source: C:\Users\user\Desktop\cANdLlHS4N.exe Code function: 0_2_009A13B0 _memset,_memset,_memset,_memset,_memset,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,SHGetSpecialFolderPathA,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,_strrchr,lstrcpyA,CoInitialize,CoCreateInstance,MultiByteToWideChar,CoUninitialize,Sleep,
Source: C:\Users\user\AppData\Local\Temp\obedience.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_004099C2 GetDiskFreeSpaceA,
Source: obedience.exe, 00000001.00000002.248128854.0000000002580000.00000040.00000800.00020000.00000000.sdmp, obedience.exe, 00000003.00000002.273510822.0000000002410000.00000040.00000800.00020000.00000000.sdmp Binary or memory string: select hostname, encryptedUsername, encryptedPassword from moz_logins where hostname like "moz-proxy://%s%%";
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_00426E50 GetLastError,FormatMessageA,
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\cANdLlHS4N.exe Code function: 0_2_009A12C0 CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,FindCloseChangeNotification,
Source: C:\Users\user\Desktop\cANdLlHS4N.exe Mutant created: \Sessions\1\BaseNamedObjects\cplusplus_me
Source: C:\Users\user\Desktop\cANdLlHS4N.exe Code function: 0_2_009B508E FindResourceA,LoadResource,FreeResource,
Source: Window Recorder Window detected: More than 3 window changes detected
Source: cANdLlHS4N.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: cANdLlHS4N.exe Static file information: File size 3804160 > 1048576
Source: cANdLlHS4N.exe Static PE information: section name: RT_CURSOR
Source: cANdLlHS4N.exe Static PE information: section name: RT_BITMAP
Source: cANdLlHS4N.exe Static PE information: section name: RT_ICON
Source: cANdLlHS4N.exe Static PE information: section name: RT_MENU
Source: cANdLlHS4N.exe Static PE information: section name: RT_DIALOG
Source: cANdLlHS4N.exe Static PE information: section name: RT_STRING
Source: cANdLlHS4N.exe Static PE information: section name: RT_ACCELERATOR
Source: cANdLlHS4N.exe Static PE information: section name: RT_GROUP_ICON
Source: cANdLlHS4N.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x134a00
Source: cANdLlHS4N.exe Static PE information: Raw size of .data is bigger than: 0x100000 < 0x1f0200
Source: cANdLlHS4N.exe Static PE information: More than 200 imports for USER32.dll
Source: cANdLlHS4N.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: cANdLlHS4N.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: cANdLlHS4N.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: cANdLlHS4N.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: cANdLlHS4N.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: cANdLlHS4N.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\cANdLlHS4N.exe Code function: 0_2_00AAD385 push ecx; ret
Source: C:\Users\user\Desktop\cANdLlHS4N.exe Code function: 0_2_00AAD30A push ecx; ret
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_00450214 push 004502A1h; ret
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_0048A028 push 0048A054h; ret
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_004660E8 push 00466114h; ret
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_0043E0F8 push 0043E124h; ret
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_00482094 push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_00486158 push 00486184h; ret
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_00466120 push 0046614Ch; ret
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_0043018C push 004301B8h; ret
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_004501AC push 00450212h; ret
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_00488254 push 00488280h; ret
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_0043E260 push 0043E28Ch; ret
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_0048821C push 00488248h; ret
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_0048A310 push 0048A33Ch; ret
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_004205FC push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_0048A5A4 push 0048A5D0h; ret
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_0041867C push ecx; mov dword ptr [esp], eax
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_00466714 push 00466757h; ret
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_004188E0 push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_0041C968 push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_0048A9C0 push 0048A9ECh; ret
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_0042CA4C push 0042CB1Ch; ret
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_0048CA34 push 0048CA60h; ret
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_00466B78 push 00466BA4h; ret
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_00406B08 push 00406B59h; ret
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_00418B08 push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_00430B10 push 00430B5Fh; ret
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_00416BD4 push 00416C21h; ret
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_00466BE8 push 00466C14h; ret
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_00466BB0 push 00466BDCh; ret
Source: C:\Users\user\Desktop\cANdLlHS4N.exe Code function: 0_2_00AC046C LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,
Source: StarBurn.dll.0.dr Static PE information: real checksum: 0x29839 should be: 0x293b5
Source: C:\Users\user\Desktop\cANdLlHS4N.exe File created: C:\Users\user\AppData\Local\Temp\obedience.exe
Source: C:\Users\user\Desktop\cANdLlHS4N.exe File created: C:\Users\user\AppData\Local\Temp\StarBurn.dll
Source: C:\Users\user\AppData\Local\Temp\obedience.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\persuasion.lnk
Source: C:\Users\user\AppData\Local\Temp\obedience.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\persuasion.lnk

Hooking and other Techniques for Hiding and Protection

Source: initial sample Icon embedded in binary file: icon matches a legit application icon: icon2060.png
Source: C:\Users\user\Desktop\cANdLlHS4N.exe Code function: 0_2_009A836B IsWindowVisible,IsIconic,
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_00463830 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_0044A290 IsIconic,GetCapture,
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_00460740 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_0044AB44 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_0044B468 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_0042D738 IsIconic,GetWindowPlacement,GetWindowRect,
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_00463F4C IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_00463FFC IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 3_2_00463830 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 3_2_0044A290 IsIconic,GetCapture,
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 3_2_00460740 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 3_2_0044AB44 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 3_2_0044B468 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 3_2_0042D738 IsIconic,GetWindowPlacement,GetWindowRect,
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 3_2_00463F4C IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 3_2_00463FFC IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_00430384 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
Source: C:\Users\user\Desktop\cANdLlHS4N.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_0043EDE4
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 3_2_0043EDE4
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\cANdLlHS4N.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\00000409
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\00000409
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject,
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject,
Source: C:\Users\user\AppData\Local\Temp\obedience.exe API coverage: 6.2 %
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe API coverage: 6.4 %
Source: C:\Users\user\AppData\Local\Temp\obedience.exe API coverage: 6.0 %
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 3_2_0043EDE4
Source: C:\Users\user\Desktop\cANdLlHS4N.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_004273EC GetSystemInfo,
Source: C:\Users\user\Desktop\cANdLlHS4N.exe Code function: 0_2_009C8B98 __EH_prolog3_GS,GetFullPathNameA,__cftof,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,_strcpy_s,
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_00409798 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_00405F34 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 2_2_04B4B33C FindFirstFileW,FindClose,
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 3_2_00409798 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 3_2_00405F34 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\obedience.exe File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\obedience.exe File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\obedience.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Temp\obedience.exe File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\AppData\Local\Temp\obedience.exe File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\obedience.exe File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\Desktop\cANdLlHS4N.exe Code function: 0_2_00AAB46A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\cANdLlHS4N.exe Code function: 0_2_00AC046C LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 2_2_04B4BC1E GetProcessHeap,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,HeapFree,
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 2_2_03000019 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\cANdLlHS4N.exe Code function: 0_2_00AAB46A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\cANdLlHS4N.exe Code function: 0_2_00AB4A12 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 1_2_6ED9862C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 2_2_04B605A4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 2_2_04B58E89 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: 3_2_6EE5862C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\obedience.exe Memory written: C:\Program Files (x86)\Internet Explorer\iexplore.exe base: 3000000
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Memory written: C:\Program Files (x86)\Internet Explorer\iexplore.exe base: 923650
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Memory allocated: C:\Program Files (x86)\Internet Explorer\iexplore.exe base: 3000000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Memory allocated: C:\Program Files (x86)\Internet Explorer\iexplore.exe base: 2D00000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
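Read together, the memory and process events in this section describe a textbook injection: obedience.exe starts iexplore.exe, allocates an executable-and-writable region at 0x3000000 inside it and writes to that region, and also writes to 0x923650, an address it did not allocate. The report lists events by signature rather than in time order, so the join has to be on the target address. The Python below is an added example, not Joe Sandbox code: it parses report lines of this shape and labels every cross-process write as landing in a region the source allocated RWX or in a pre-existing region, and lists RWX allocations that never received a logged write. The sample lines are copied from this section; keying on the text export's field labels ("Memory allocated:", "Memory written:", "Process created:") is an assumption about that format.

```python
"""Correlate sandbox memory/process events into injection findings (added example)."""
from __future__ import annotations

import ntpath
import re
from collections import defaultdict

# Field labels as they appear in the report text export (assumed stable).
ALLOC_RE = re.compile(r"^Source: (?P<src>.+?) Memory allocated: (?P<dst>.+?) base: "
                      r"(?P<base>[0-9A-Fa-f]+) protect: (?P<prot>.+)$")
WRITE_RE = re.compile(r"^Source: (?P<src>.+?) Memory written: (?P<dst>.+?) base: (?P<base>[0-9A-Fa-f]+)$")
SPAWN_RE = re.compile(r"^Source: (?P<src>.+?) Process created: (?P<dst>.+?\.exe)\b")

# Constructed input: the event lines from the section above, verbatim.
SAMPLE_EVENTS = r"""
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Memory written: C:\Program Files (x86)\Internet Explorer\iexplore.exe base: 3000000
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Memory written: C:\Program Files (x86)\Internet Explorer\iexplore.exe base: 923650
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Memory allocated: C:\Program Files (x86)\Internet Explorer\iexplore.exe base: 3000000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Memory allocated: C:\Program Files (x86)\Internet Explorer\iexplore.exe base: 2D00000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
"""


def correlate(lines):
    """Group events by (source, target) and label each cross-process write.

    Returns sorted (src, dst, kind, base, src_spawned_dst) tuples. A write into a
    region the source itself allocated RWX is the strongest signal; a write into a
    pre-existing region usually means a patched entry point or thread context; an
    RWX allocation with no logged write is still listed, since the payload may have
    arrived by a path the sandbox did not hook (for example a mapped section).
    """
    rwx_allocs: dict[tuple[str, str], set[str]] = defaultdict(set)
    writes: dict[tuple[str, str], set[str]] = defaultdict(set)
    spawned: set[tuple[str, str]] = set()

    for line in lines:
        line = line.strip()
        if m := ALLOC_RE.match(line):
            prot = m["prot"].lower()
            if "execute" in prot and "write" in prot:
                rwx_allocs[(m["src"], m["dst"])].add(m["base"].upper())
        elif m := WRITE_RE.match(line):
            writes[(m["src"], m["dst"])].add(m["base"].upper())
        elif m := SPAWN_RE.match(line):
            spawned.add((m["src"], m["dst"]))

    findings = []
    for pair, bases in writes.items():
        src, dst = (ntpath.basename(p) for p in pair)
        for base in sorted(bases):
            kind = ("rwx_alloc_then_write" if base in rwx_allocs.get(pair, set())
                    else "write_to_existing_region")
            findings.append((src, dst, kind, base, pair in spawned))
    for pair, bases in rwx_allocs.items():
        src, dst = (ntpath.basename(p) for p in pair)
        for base in sorted(bases - writes.get(pair, set())):
            findings.append((src, dst, "rwx_alloc_unwritten", base, pair in spawned))
    return sorted(findings)


if __name__ == "__main__":
    for src, dst, kind, base, child in correlate(SAMPLE_EVENTS.splitlines()):
        print(f"{src} -> {dst} @ 0x{base}: {kind}" + (" (target spawned by source)" if child else ""))
```

The same three labels map cleanly onto Sysmon: Event ID 8 (CreateRemoteThread) and Event ID 10 with PROCESS_VM_WRITE in GrantedAccess for the writes, and the parent/child link from Event ID 1, so a rule built on this correlation transfers from the sandbox to endpoint telemetry.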
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\cANdLlHS4N.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
Source: C:\Users\user\Desktop\cANdLlHS4N.exe Code function: GetLocaleInfoA,
Source: C:\Users\user\Desktop\cANdLlHS4N.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,
Source: C:\Users\user\Desktop\cANdLlHS4N.exe Code function: _strcpy_s,GetLocaleInfoA,__snwprintf_s,LoadLibraryA,
Source: C:\Users\user\Desktop\cANdLlHS4N.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,
Source: C:\Users\user\Desktop\cANdLlHS4N.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: GetLocaleInfoA,
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: GetLocaleInfoA,
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: GetLocaleInfoA,
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: GetLocaleInfoA,GetACP,
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getl­ocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,
Source: C:\Users\user\AppData\Local\Temp\obedience.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free,
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_free,_free,_free,_free,_free,_free,_free,_free,_free,
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: ___crtGetLocaleInfoA,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,__calloc_crt,_free,
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: GetLastError,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: GetLocaleInfoA,
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: GetLocaleInfoA,
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: GetLocaleInfoW,
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: GetLocaleInfoA,
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: EnumSystemLocalesA,
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: GetLocaleInfoA,
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: EnumSystemLocalesA,
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: GetLocaleInfoA,
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: GetLocaleInfoA,
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: GetLocaleInfoA,
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: GetLocaleInfoA,GetACP,
Source: C:\Users\user\AppData\Local\Temp\obedience.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,
Source: C:\Users\user\AppData\Local\Temp\obedience.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free,
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: 2_2_04B50396 CreateMutexW,GetLastError,CreateNamedPipeW,CloseHandle,CreateEventW,ResetEvent,ResetEvent,ConnectNamedPipe,GetLastError,WaitForSingleObject,CloseHandle,CloseHandle,CloseHandle,CloseHandle,ResetEvent,AllocConsole,GetConsoleWindow,ShowWindow,SetConsoleCtrlHandler,CreateConsoleScreenBuffer,SetConsoleScreenBufferSize,SetConsoleActiveScreenBuffer,GetStdHandle,SHGetSpecialFolderPathW,CreateProcessW,FreeLibrary,CreateThread,CreateThread,CreateThread,FreeLibrary,
Source: C:\Users\user\Desktop\cANdLlHS4N.exe | Code function: 0_2_00AB6E0F GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,
Source: C:\Users\user\Desktop\cANdLlHS4N.exe | Code function: 0_2_00ABBE8D __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_00450214 GetVersion,

Remote Access Functionality

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: 2_2_04B50396 CreateMutexW,GetLastError,CreateNamedPipeW,CloseHandle,CreateEventW,ResetEvent,ResetEvent,ConnectNamedPipe,GetLastError,WaitForSingleObject,CloseHandle,CloseHandle,CloseHandle,CloseHandle,ResetEvent,AllocConsole,GetConsoleWindow,ShowWindow,SetConsoleCtrlHandler,CreateConsoleScreenBuffer,SetConsoleScreenBufferSize,SetConsoleActiveScreenBuffer,GetStdHandle,SHGetSpecialFolderPathW,CreateProcessW,FreeLibrary,CreateThread,CreateThread,CreateThread,FreeLibrary, string: cmd.exe
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: 2_2_04B5623C htons,htons,socket,getpeername,socket,socket,htons,htonl,bind,
MITRE ATT&CK Matrix (techniques listed per tactic; a number in front of a technique is reproduced as the report shows it)

Initial Access: 1 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: 2 Native API; 1 Command and Scripting Interpreter; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
Persistence: 1 Valid Accounts; 2 Registry Run Keys / Startup Folder; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Privilege Escalation: 1 Valid Accounts; 1 Access Token Manipulation; 212 Process Injection; 2 Registry Run Keys / Startup Folder; Network Logon Script; Rc.common; Startup Items
Defense Evasion: 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 Software Packing; 11 Masquerading; 1 Valid Accounts; 1 Access Token Manipulation; 212 Process Injection
Credential Access: 21 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: 2 System Time Discovery; 3 File and Directory Discovery; 35 System Information Discovery; 14 Security Software Discovery; 2 Process Discovery; 11 Application Window Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: 1 Archive Collected Data; 1 Screen Capture; 21 Input Capture; 2 Clipboard Data; Keylogging; GUI Input Capture; Web Portal Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Command and Control: 1 Ingress Tool Transfer; 22 Encrypted Channel; 1 Non-Standard Port; 1 Remote Access Software; 1 Non-Application Layer Protocol; 2 Application Layer Protocol; Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact
Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample
Source | Detection | Scanner | Label | Link
cANdLlHS4N.exe | 78% | Virustotal | | Browse
cANdLlHS4N.exe | 65% | Metadefender | | Browse
cANdLlHS4N.exe | 84% | ReversingLabs | Win32.Dropper.RedLeaves |
cANdLlHS4N.exe | 100% | Avira | TR/Korplug.dryww |

Dropped Files
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\StarBurn.dll | 100% | Avira | HEUR/AGEN.1226539 |
C:\Users\user\AppData\Local\Temp\obedience.exe | 8% | Metadefender | | Browse
C:\Users\user\AppData\Local\Temp\obedience.exe | 9% | ReversingLabs | Win32.PUA.Tsingsoft |

Unpacked PE Files
Source | Detection | Scanner | Label | Link | Download
3.2.obedience.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1232827 | | Download File
3.2.obedience.exe.6ee50000.1.unpack | 100% | Avira | HEUR/AGEN.1226539 | | Download File
1.2.obedience.exe.6ed90000.1.unpack | 100% | Avira | HEUR/AGEN.1226539 | | Download File
0.2.cANdLlHS4N.exe.2880000.3.unpack | 100% | Avira | TR/ATRAPS.Gen | | Download File
1.2.obedience.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1232827 | | Download File

Domains
No Antivirus matches

URLs
Source | Detection | Scanner | Label | Link
http://67.205.132.17:443 | 1% | Virustotal | | Browse
http://67.205.132.17:443 | 0% | Avira URL Cloud | safe |
http://secure.globalsign.net/cacert/PrimObject.crt0 | 0% | URL Reputation | safe |
http://secure.globalsign.net/cacert/ObjectSign.crt09 | 0% | URL Reputation | safe |
http://www.globalsign.net/repository09 | 0% | URL Reputation | safe |
https://67.205.132.17:443/23I9/index.php | 0% | Avira URL Cloud | safe |
https://67.205.132.17:443/NEZTl2/index.php | 0% | Avira URL Cloud | safe |
https://67.205.132.17:443/hvnqlRD8z/index.php | 0% | Avira URL Cloud | safe |
http://www.globalsign.net/repository/0 | 0% | URL Reputation | safe |
https://67.205.132.17:443/M2c1Nb/index.php | 0% | Avira URL Cloud | safe |
https://67.205.132.17:443/3T3t/index.php | 0% | Avira URL Cloud | safe |
http://www.globalsign.net/repository/03 | 0% | URL Reputation | safe |
No contacted domains info
Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
https://67.205.132.17:443/23I9/index.php | true | Avira URL Cloud: safe | unknown
https://67.205.132.17:443/NEZTl2/index.php | true | Avira URL Cloud: safe | unknown
https://67.205.132.17:443/hvnqlRD8z/index.php | true | Avira URL Cloud: safe | unknown
https://67.205.132.17:443/M2c1Nb/index.php | true | Avira URL Cloud: safe | unknown
https://67.205.132.17:443/3T3t/index.php | true | Avira URL Cloud: safe | unknown

URLs from Memory and Binaries
Name | Source | Malicious | Antivirus Detection | Reputation
http://67.205.132.17:443 | iexplore.exe, 00000002.00000002.500224676.0000000004C70000.00000004.00000020.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://secure.globalsign.net/cacert/PrimObject.crt0 | cANdLlHS4N.exe, 00000000.00000002.246524283.00000000029EF000.00000004.00000800.00020000.00000000.sdmp, cANdLlHS4N.exe, 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp, obedience.exe.0.dr | false | URL Reputation: safe | unknown
http://secure.globalsign.net/cacert/ObjectSign.crt09 | cANdLlHS4N.exe, 00000000.00000002.246524283.00000000029EF000.00000004.00000800.00020000.00000000.sdmp, cANdLlHS4N.exe, 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp, obedience.exe.0.dr | false | URL Reputation: safe | unknown
http://www.globalsign.net/repository09 | cANdLlHS4N.exe, 00000000.00000002.246524283.00000000029EF000.00000004.00000800.00020000.00000000.sdmp, cANdLlHS4N.exe, 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp, obedience.exe.0.dr | false | URL Reputation: safe | unknown
http://www.audio-tool.net | cANdLlHS4N.exe, 00000000.00000002.246215033.0000000002880000.00000004.00000800.00020000.00000000.sdmp, cANdLlHS4N.exe, 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp, obedience.exe, 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp, obedience.exe, 00000003.00000000.262529824.0000000000496000.00000002.00000001.01000000.00000004.sdmp, obedience.exe.0.dr | false | | high
http://www.globalsign.net/repository/0 | cANdLlHS4N.exe, 00000000.00000002.246524283.00000000029EF000.00000004.00000800.00020000.00000000.sdmp, cANdLlHS4N.exe, 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp, obedience.exe.0.dr | false | URL Reputation: safe | unknown
http://www.globalsign.net/repository/03 | cANdLlHS4N.exe, 00000000.00000002.246524283.00000000029EF000.00000004.00000800.00020000.00000000.sdmp, cANdLlHS4N.exe, 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp, obedience.exe.0.dr | false | URL Reputation: safe | unknown
Contacted Public IPs
IP | Domain | Country | ASN | ASN Name | Malicious
144.168.45.116 | unknown | United States | 54540 | INCERO-HVVC, US | false
67.205.132.17 | unknown | United States | 14061 | DIGITALOCEAN-ASN, US | true

Private IPs
IP
192.168.2.1
General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 586425
Start date: 10.03.2022
Start time: 07:20:28
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 11m 8s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: cANdLlHS4N (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 14
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@8/4@0/3
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 27.5% (good quality ratio 26.9%)
  • Quality average: 82.1%
  • Quality standard deviation: 23.5%
HCA Information:
  • Successful, ratio: 87%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
  • TCP Packets have been reduced to 100
  • Excluded domains from analysis (whitelisted): fs.microsoft.com
  • Not all processes were analyzed; the report is missing behavior information
  • Report creation exceeded the maximum time and may have missing disassembly code information
  • Report size exceeded maximum capacity and may have missing disassembly code
  • Report size getting too big, too many NtOpenKeyEx calls found
  • Report size getting too big, too many NtQueryValueKey calls found
Simulations

Time | Type | Description
07:21:35 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\persuasion.lnk
Dropped Files

Process: C:\Users\user\Desktop\cANdLlHS4N.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 134244
Entropy (8bit): 6.439912486566814
Encrypted: false
SSDEEP: 3072:JmeUE3TxGh4MwlW7AzD7Lcv4L2ZbDdlWG/4:Jm7EUhTwljDS4LevXWGg
MD5: A03FFF06A20EE6943154481C883174A8
SHA1: 4470E24C366AD001ED6FE77B6A09C845D4EF6A86
SHA-256: 2F3C5A34E0483A5F1739AFAA3E893955F4D81869506A49F28F6A3AC944050900
SHA-512: DCF944225471940C4C84F31A1409715EB1AE0B68AA1DA21ADCA23477D3C589D8D15213BAA3C105710D532190570C55492885E515220E3B18941096571A292A73
Malicious: true
Yara Hits:
  • Rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn, Description: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, Source: C:\Users\user\AppData\Local\Temp\StarBurn.dll, Author: USG
  • Rule: OpCloudHopper_Malware_6, Description: Detects malware from Operation Cloud Hopper, Source: C:\Users\user\AppData\Local\Temp\StarBurn.dll, Author: Florian Roth
Antivirus:
  • Antivirus: Avira, Detection: 100%
Reputation: low
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......U.^...0...0...0.~...<.0.~.....0.~...e.0.......0.......0...1.N.0.~.....0.~.....0.~.....0.Rich..0.........................PE..L...|..X...........!.....J...........u.......`...............................p......9.....@.........................`....,.....x....0.......................@..........................................@............`..|............................text...xI.......J.................. ..`.rdata..]....`.......N..............@..@.data...\7..........................@....rsrc........0......................@..@.reloc...#...@...$..................@..B................................................................................................................................................................................................................................................................................................................
Process: C:\Users\user\Desktop\cANdLlHS4N.exe
File Type: data
Category: dropped
Size (bytes): 254593
Entropy (8bit): 6.992551822422355
Encrypted: false
SSDEEP: 6144:cMq9yyNTKrkgMEVAUtmEXlW+/xf8GQ6/Ta2QSirGf23YJKRluri9Zoqip3:Q9lNTokREm0mN+/uGQ6/O2orsKHt9Zo1
MD5: FB0C714CD2EBDCC6F33817ABE7813C36
SHA1: FC4F3698E768F690425523CDFD548B81D891C3B0
SHA-256: 773B176B3A68C3D21FAE907AF8FBA7908B55726BD591C5335C8C0BC9DE179B76
SHA-512: 65EF996A9A9BD47D50F7649C7895D000C943346B17385390B951691CEC07ED7AA487CA3225EE84022B67643F2A574E7DE8C18F81F2576F0BE92BD3930EE9FDC6
Malicious: false
Yara Hits:
  • Rule: REDLEAVES_DroppedFile_ObfuscatedShellcodeAndRAT_handkerchief, Description: Detect obfuscated .dat file containing shellcode and core REDLEAVES RAT, Source: C:\Users\user\AppData\Local\Temp\handkerchief.dat, Author: USG
  • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: C:\Users\user\AppData\Local\Temp\handkerchief.dat, Author: Florian Roth
Reputation: low
    Preview:0891@VR68D748062..D.........N........HML.....^.{(....+....m..m..e.....o..-...n.E....f..\'.O.c..Q..A;..R./...\~oK".n.itxZ"].n..A?..}..P.A.......^.q.szibZsWryisWtz.OL..^...z.^.}..}.V.N.....N..^..^.V..V..^......N..N.^.#.oD.V.V..N......o..V....V...N.a.5.wwn..^.K.N.^....V.J.N.I.N.V._...N....N.^....^.V.V....N.0N.N.{0.^..........^..........R...n.z.^....^..^......V.V.N.!.o$.^.^..V......o..^....^...V.N..O..^....^.V....V.N.N..^.0^.^...............N..........................................[...(.......}...+.....[...(..*....}............7......../............(..#.....?..........................3.................c........^......g.................^.^.......(..........................#.........s......+...Kq..N..................c...........c.......c...c.......f...c....+.../H..c....+......c...........c.......c...c.......f.........c.........c...........c.......c...c.......f.........c...c....+...........
Process: C:\Users\user\Desktop\cANdLlHS4N.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1616040
Entropy (8bit): 7.373866112987865
Encrypted: false
SSDEEP: 49152:fFdy58d2Bqc8Y7IDbauSVGDzhGjThGDzhmj8L5NsmCY:fFs58d2Bqc8Y7IDbauSVGDzhGjThGDzo
MD5: 6A1C14D5F16A07BEF55943134FE618C0
SHA1: 1A46E961BFFC6BCC1ADAC9708393462024F0F6AD
SHA-256: ABA4DF64717462C61801D737C9FA20A7FADA61539EAEF50954331D31F7306D27
SHA-512: 07A8D9899CE04C4248CEBDFC105A37F3D8A337FF8F498F23853EDD05AC054DD99F976B13B2348660099C9135CE16A0876F7CFDF87E4B7139E88C27F9C598CF9B
Malicious: true
Antivirus:
  • Antivirus: Metadefender, Detection: 8%, Browse
  • Antivirus: ReversingLabs, Detection: 9%
Reputation: low
    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@.................................c,...........@.............................../...........................`..$............................P......................................................CODE....$........................... ..`DATA................................@...BSS......................................idata.../.......0..................@....tls.........@...........................rdata.......P......................@..P.reloc..$....`......................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
Process: C:\Users\user\AppData\Local\Temp\obedience.exe
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Thu Mar 10 05:21:32 2022, mtime=Thu Mar 10 05:21:44 2022, atime=Thu Mar 10 05:21:32 2022, length=1616040, window=hide
Category: dropped
Size (bytes): 1118
Entropy (8bit): 5.008588795039891
Encrypted: false
SSDEEP: 24:8mrk3tHwNeRhHgKGUsAwZfaBJ9YC7aB6m:8mrk3tIeRhTrOaBJ9GB6
MD5: D47E7BF51A9E2A6A44377FBC009DDB8D
SHA1: 4EF66D3777808262BD963A9188EF9C5D4B298AD9
SHA-256: C755D52F273156F5C8F2D133260A8332C71FB8252398834379588949A8F8AE2D
SHA-512: 0CBA99F6751C04383823984474BF8A23DBD094BEAFE60B9E89BBFE4309822EC65C8E2306EA8D916056826D9A3EDE8691F4444FD7183C7C8A2DA0F14D5FE8D266
Malicious: false
Reputation: low
    Preview:L..................F.... .......G4..k.I.G4......G4............................:..DG..Yr?.D..U..k0.&...&...........-....$..2...hy.G4......t...CFSF..1......N....AppData...t.Y^...H.g.3..(.....gVA.G..k...@.......N..jT.2.....Y....................yN|.A.p.p.D.a.t.a...B.P.1.....>Q.;..Local.<.......N..jT.2.....Y........................L.o.c.a.l.....N.1.....jT.2..Temp..:.......N..jT.2.....Y.....................J..T.e.m.p.....h.2.....jT.2 .OBEDIE~1.EXE..L......jT.2jT.2.....S....................$Z..o.b.e.d.i.e.n.c.e...e.x.e.......^...............-.......]............'......C:\Users\user\AppData\Local\Temp\obedience.exe..*.....\.....\.....\.....\.....\.....\.L.o.c.a.l.\.T.e.m.p.\.o.b.e.d.i.e.n.c.e...e.x.e.".C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.........|....I.J.H..K..:...`.......X.......971342...........!a..%.H.VZAj....%$.............!a..%.H.VZAj....%$........................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5
Static File Info

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.349238472441651
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: cANdLlHS4N.exe
File size: 3804160
MD5: b3139b26a2dabb9b6e728884d8fa8b33
SHA1: de5672c7940e4fad3c8145ce9e8a5fcb1da0fcee
SHA256: 5262cb9791df50fafcb2fbd5f93226050b51efe400c2924eecba97b7ce437481
SHA512: f6b857fdb4b393e9e80893d081c46471cb75a92289d53a8d457fe889eee46b7212c5188032aa24400da6e8ba56168716aeb3e48c77758b4fbb74817ba4b13951
SSDEEP: 98304:drzo0aM7e5O92nAv/tyE6peB1IY8CEueiSH0h292bNcx:pzo0S4yRY8tueiSUh1bCx
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........a...............x\......xL..............vA......vu.[....vt......vE......vB.....Rich....................PE..L...M..X...........
Icon Hash: e4e4b2b2a4b4b4a4
Entrypoint: 0x50cf91
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x58ACFA4D [Wed Feb 22 02:41:17 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: c20231bee688c91a492f8eb02fe15604
    Instruction
    call 00007F907CA3EEFEh
    jmp 00007F907CA34F0Eh
    mov edi, edi
    push ebp
    mov ebp, esp
    push ebx
    mov ebx, dword ptr [ebp+08h]
    cmp ebx, FFFFFFE0h
    jnbe 00007F907CA350F1h
    push esi
    push edi
    cmp dword ptr [00773A24h], 00000000h
    jne 00007F907CA3509Ah
    call 00007F907CA3E88Dh
    push 0000001Eh
    call 00007F907CA3E6D7h
    push 000000FFh
    call 00007F907CA34A3Fh
    pop ecx
    pop ecx
    test ebx, ebx
    je 00007F907CA35086h
    mov eax, ebx
    jmp 00007F907CA35085h
    xor eax, eax
    inc eax
    push eax
    push 00000000h
    push dword ptr [00773A24h]
    call dword ptr [0053626Ch]
    mov edi, eax
    test edi, edi
    jne 00007F907CA350A8h
    push 0000000Ch
    pop esi
    cmp dword ptr [007742E8h], eax
    je 00007F907CA3508Fh
    push ebx
    call 00007F907CA3E48Bh
    pop ecx
    test eax, eax
    jne 00007F907CA3502Bh
    jmp 00007F907CA35089h
    call 00007F907CA35B82h
    mov dword ptr [eax], esi
    call 00007F907CA35B7Bh
    mov dword ptr [eax], esi
    mov eax, edi
    pop edi
    pop esi
    jmp 00007F907CA35096h
    push ebx
    call 00007F907CA3E46Ah
    pop ecx
    call 00007F907CA35B67h
    mov dword ptr [eax], 0000000Ch
    xor eax, eax
    pop ebx
    pop ebp
    ret
    mov edi, edi
    push ebp
    mov ebp, esp
    mov eax, dword ptr [ebp+08h]
    push esi
    mov esi, ecx
    mov byte ptr [esi+0Ch], 00000000h
    test eax, eax
    jne 00007F907CA350E5h
    call 00007F907CA3C2C2h
    mov dword ptr [esi+08h], eax
    mov ecx, dword ptr [eax+6Ch]
    mov dword ptr [esi], ecx
    mov ecx, dword ptr [eax+68h]
    mov dword ptr [esi+04h], ecx
    mov ecx, dword ptr [esi]
    cmp ecx, dword ptr [00000000h]
    Programming Language:
    • [ C ] VS2008 SP1 build 30729
    • [ASM] VS2010 build 30319
    • [ C ] VS2010 build 30319
    • [C++] VS2010 build 30319
    • [RES] VS2010 build 30319
    • [IMP] VS2008 SP1 build 30729
    • [LNK] VS2010 build 30319
Data Directories
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x179b14 | 0x168 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x376000 | 0x9c28 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x380000 | 0x1bb70 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x160b10 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x136000 | 0x9d0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x134938 | 0x134a00 | False | 0.562648719117 | data | 6.53626347491 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x136000 | 0x47062 | 0x47200 | False | 0.270200598638 | data | 5.08185706308 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x17e000 | 0x1f7724 | 0x1f0200 | False | 0.373334258472 | data | 7.60576445986 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x376000 | 0x9c28 | 0x9e00 | False | 0.375247231013 | data | 5.1750982001 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x380000 | 0x2aa6e | 0x2ac00 | False | 0.271872715643 | data | 5.04489445576 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
    Name | RVA | Size | Type | Language | Country
    RT_CURSOR | 0x376f58 | 0x134 | data | Chinese | China
    RT_CURSOR | 0x37708c | 0xb4 | data | Chinese | China
    RT_CURSOR | 0x377140 | 0x134 | AmigaOS bitmap font | Chinese | China
    RT_CURSOR | 0x377274 | 0x134 | data | Chinese | China
    RT_CURSOR | 0x3773a8 | 0x134 | data | Chinese | China
    RT_CURSOR | 0x3774dc | 0x134 | data | Chinese | China
    RT_CURSOR | 0x377610 | 0x134 | data | Chinese | China
    RT_CURSOR | 0x377744 | 0x134 | data | Chinese | China
    RT_CURSOR | 0x377878 | 0x134 | data | Chinese | China
    RT_CURSOR | 0x3779ac | 0x134 | data | Chinese | China
    RT_CURSOR | 0x377ae0 | 0x134 | data | Chinese | China
    RT_CURSOR | 0x377c14 | 0x134 | data | Chinese | China
    RT_CURSOR | 0x377d48 | 0x134 | AmigaOS bitmap font | Chinese | China
    RT_CURSOR | 0x377e7c | 0x134 | data | Chinese | China
    RT_CURSOR | 0x377fb0 | 0x134 | data | Chinese | China
    RT_CURSOR | 0x3780e4 | 0x134 | data | Chinese | China
    RT_BITMAP | 0x378218 | 0xb8 | data | Chinese | China
    RT_BITMAP | 0x3782d0 | 0x144 | data | Chinese | China
    RT_ICON | 0x378414 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 2290679807, next used block 8912767 | |
    RT_ICON | 0x3786fc | 0x128 | GLS_BINARY_LSB_FIRST | |
    RT_ICON | 0x378824 | 0xea8 | data | |
    RT_ICON | 0x3796cc | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | |
    RT_ICON | 0x379f74 | 0x568 | GLS_BINARY_LSB_FIRST | |
    RT_ICON | 0x37a4dc | 0x25a8 | data | |
    RT_ICON | 0x37ca84 | 0x10a8 | data | |
    RT_ICON | 0x37db2c | 0x468 | GLS_BINARY_LSB_FIRST | |
    RT_ICON | 0x37df94 | 0x2e8 | data | |
    RT_ICON | 0x37e27c | 0x128 | GLS_BINARY_LSB_FIRST | |
    RT_MENU | 0x37e3a4 | 0x18c | data | Chinese | China
    RT_DIALOG | 0x37e530 | 0xd6 | data | |
    RT_DIALOG | 0x37e608 | 0xe2 | data | Chinese | China
    RT_DIALOG | 0x37e6ec | 0x34 | data | Chinese | China
    RT_STRING | 0x37e720 | 0x2e | data | |
    RT_STRING | 0x37e750 | 0x30 | data | |
    RT_STRING | 0x37e780 | 0x8e | data | |
    RT_STRING | 0x37e810 | 0xc0 | data | |
    RT_STRING | 0x37e8d0 | 0x136 | data | |
    RT_STRING | 0x37ea08 | 0x3c | data | |
    RT_STRING | 0x37ea44 | 0x60 | data | |
    RT_STRING | 0x37eaa4 | 0x54 | data | |
    RT_STRING | 0x37eaf8 | 0x3a | data | |
    RT_STRING | 0x37eb34 | 0xa4 | data | |
    RT_STRING | 0x37ebd8 | 0x3e | data | |
    RT_STRING | 0x37ec18 | 0x4e | data | Chinese | China
    RT_STRING | 0x37ec68 | 0x2c | data | Chinese | China
    RT_STRING | 0x37ec94 | 0x84 | data | Chinese | China
    RT_STRING | 0x37ed18 | 0x1c4 | data | Chinese | China
    RT_STRING | 0x37eedc | 0x14e | data | Chinese | China
    RT_STRING | 0x37f02c | 0x10e | data | Chinese | China
    RT_STRING | 0x37f13c | 0x50 | data | Chinese | China
    RT_STRING | 0x37f18c | 0x44 | data | Chinese | China
    RT_STRING | 0x37f1d0 | 0x68 | data | Chinese | China
    RT_STRING | 0x37f238 | 0x1b2 | data | Chinese | China
    RT_STRING | 0x37f3ec | 0xf4 | data | Chinese | China
    RT_STRING | 0x37f4e0 | 0x24 | data | Chinese | China
    RT_STRING | 0x37f504 | 0x1a6 | data | Chinese | China
    RT_ACCELERATOR | 0x37f6ac | 0x68 | data | |
    RT_GROUP_CURSOR | 0x37f714 | 0x22 | Lotus unknown worksheet or configuration, revision 0x2 | Chinese | China
    RT_GROUP_CURSOR | 0x37f738 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
    RT_GROUP_CURSOR | 0x37f74c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
    RT_GROUP_CURSOR | 0x37f760 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
    RT_GROUP_CURSOR | 0x37f774 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
    RT_GROUP_CURSOR | 0x37f788 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
    RT_GROUP_CURSOR | 0x37f79c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
    RT_GROUP_CURSOR | 0x37f7b0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
    RT_GROUP_CURSOR | 0x37f7c4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
    RT_GROUP_CURSOR | 0x37f7d8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
    RT_GROUP_CURSOR | 0x37f7ec | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
    RT_GROUP_CURSOR | 0x37f800 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
    RT_GROUP_CURSOR | 0x37f814 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
    RT_GROUP_CURSOR | 0x37f828 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
    RT_GROUP_CURSOR | 0x37f83c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
    RT_GROUP_ICON | 0x37f850 | 0x76 | data | |
    RT_GROUP_ICON | 0x37f8c8 | 0x22 | data | |
    RT_VERSION | 0x37f8ec | 0xdc | data | |
    RT_MANIFEST | 0x37f9c8 | 0x25f | ASCII text, with very long lines, with no line terminators | English | United States
    DLL | Import
    KERNEL32.dll | LCMapStringW, GetTimeZoneInformation, WriteConsoleW, CompareStringW, IsValidLocale, CreateFileW, SetEnvironmentVariableA, GetStringTypeW, IsValidCodePage, GetEnvironmentStringsW, QueryPerformanceCounter, FreeEnvironmentStringsW, GetLocaleInfoW, GetConsoleMode, GetConsoleCP, GetStdHandle, SetHandleCount, HeapCreate, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, GetFileType, SetStdHandle, GetSystemTimeAsFileTime, HeapSize, HeapQueryInformation, HeapReAlloc, VirtualQuery, GetSystemInfo, CreateThread, ExitThread, HeapAlloc, GetStartupInfoW, HeapSetInformation, GetCommandLineA, EncodePointer, DecodePointer, ExitProcess, RaiseException, RtlUnwind, HeapFree, FindResourceExW, SearchPathA, GetProfileIntA, InitializeCriticalSectionAndSpinCount, SetErrorMode, GetNumberFormatA, GetWindowsDirectoryA, GetFileSizeEx, LocalFileTimeToFileTime, GetFileAttributesExA, FileTimeToLocalFileTime, FileTimeToSystemTime, GetShortPathNameA, GetVolumeInformationA, FindFirstFileA, FindClose, GetCurrentProcess, DuplicateHandle, GetFileSize, SetEndOfFile, UnlockFile, LockFile, FlushFileBuffers, SetFilePointer, WriteFile, ReadFile, MoveFileA, CreateFileA, lstrcmpiA, GetThreadLocale, GetStringTypeExA, DeleteFileA, GetCurrentDirectoryA, GetACP, GetOEMCP, GetCPInfo, GetModuleFileNameW, ReleaseActCtx, CreateActCtxW, TlsFree, DeleteCriticalSection, LocalReAlloc, TlsSetValue, TlsAlloc, InitializeCriticalSection, GlobalHandle, GlobalReAlloc, EnterCriticalSection, TlsGetValue, LeaveCriticalSection, LocalAlloc, GlobalFlags, CopyFileA, GlobalSize, FormatMessageA, LocalFree, lstrlenW, MulDiv, GetDiskFreeSpaceA, GetFullPathNameA, GetTempFileNameA, GetFileTime, SetFileTime, ReplaceFileA, SystemTimeToFileTime, GetFileAttributesA, GetUserDefaultLCID, GlobalFree, GetPrivateProfileStringA, WritePrivateProfileStringA, GetPrivateProfileIntA, WaitForSingleObject, ResumeThread, SetThreadPriority, GetCurrentThread, GetUserDefaultUILanguage, ConvertDefaultLocale, GetSystemDefaultUILanguage, GetModuleFileNameA, GetLocaleInfoA, InterlockedExchange, lstrcmpA, GlobalAlloc, GetModuleHandleW, FindResourceA, FreeResource, GetCurrentThreadId, GlobalFindAtomA, GlobalDeleteAtom, GetVersionExA, FreeLibrary, CompareStringA, LoadLibraryW, lstrcmpW, GlobalLock, GlobalUnlock, GetCurrentProcessId, GetProcAddress, GetModuleHandleA, LoadLibraryA, lstrlenA, GlobalGetAtomNameA, GlobalAddAtomA, ActivateActCtx, DeactivateActCtx, SetLastError, FindResourceW, LoadResource, LockResource, SizeofResource, InterlockedDecrement, InterlockedIncrement, CreateMutexA, GetLastError, WideCharToMultiByte, GetTempPathA, CreateProcessA, GetTickCount, VirtualAlloc, lstrcpyA, lstrcatA, MultiByteToWideChar, Sleep, CreateToolhelp32Snapshot, Process32First, Process32Next, CloseHandle, EnumSystemLocalesA, VirtualProtect, GetProcessHeap
    USER32.dll | CharUpperA, KillTimer, SetTimer, UnionRect, SetParent, GetSystemMenu, DeleteMenu, IsRectEmpty, LoadCursorW, SetLayeredWindowAttributes, EnumDisplayMonitors, LoadCursorA, GetSysColorBrush, MapVirtualKeyA, GetKeyNameTextA, SystemParametersInfoA, GetSystemMetrics, GetMenuItemInfoA, InflateRect, RealChildWindowFromPoint, EndPaint, BeginPaint, GetWindowDC, ClientToScreen, GrayStringA, DrawTextExA, DrawTextA, TabbedTextOutA, FillRect, GetMenuStringA, AppendMenuA, InsertMenuA, RemoveMenu, GetDC, ReleaseDC, SetWindowContextHelpId, MapDialogRect, CreateDialogIndirectParamA, GetNextDlgTabItem, EndDialog, ShowOwnedPopups, GetMessageA, TranslateMessage, GetCursorPos, ValidateRect, PostQuitMessage, MoveWindow, SetWindowTextA, IsDialogMessageA, CheckDlgButton, SetMenuItemBitmaps, GetMenuCheckMarkDimensions, LoadBitmapW, ModifyMenuA, GetMenuState, EnableMenuItem, CheckMenuItem, RegisterWindowMessageA, LoadIconA, SendDlgItemMessageA, IsChild, SetWindowsHookExA, CallNextHookEx, GetClassLongA, SetPropA, GetPropA, RemovePropA, GetFocus, GetWindowTextLengthA, GetWindowTextA, GetForegroundWindow, DispatchMessageA, BeginDeferWindowPos, EndDeferWindowPos, GetTopWindow, DestroyWindow, UnhookWindowsHookEx, CloseClipboard, GetMessagePos, GetMonitorInfoA, MapWindowPoints, ScrollWindow, TrackPopupMenu, SetScrollRange, GetScrollRange, SetScrollPos, GetScrollPos, SetForegroundWindow, ShowScrollBar, MessageBoxA, CreateWindowExA, GetClassInfoExA, RegisterClassA, AdjustWindowRectEx, GetWindowRect, ScreenToClient, DeferWindowPos, GetScrollInfo, SetScrollInfo, SetWindowPlacement, GetWindowPlacement, DefWindowProcA, CallWindowProcA, GetClassNameA, GetSysColor, UnpackDDElParam, ReuseDDElParam, LoadMenuA, DestroyMenu, WinHelpA, SetWindowPos, LoadImageA, DestroyIcon, SetFocus, GetWindowThreadProcessId, GetActiveWindow, IsWindowEnabled, EqualRect, GetDlgItem, SetWindowLongA, GetDlgCtrlID, GetKeyState, LoadIconW, SetCursor, PeekMessageA, GetCapture, ReleaseCapture, SetClipboardData, OpenClipboard, GetUpdateRect, LoadAcceleratorsA, GetParent, UpdateWindow, EnableWindow, PtInRect, GetClientRect, FrameRect, SetActiveWindow, IsWindowVisible, IsIconic, SendMessageA, InsertMenuItemA, GetSubMenu, GetMenuItemID, GetMenuItemCount, CreatePopupMenu, GetClassInfoA, IntersectRect, OffsetRect, SetRectEmpty, CopyRect, GetMenu, GetLastActivePopup, LoadAcceleratorsW, LoadMenuW, CharNextA, CopyAcceleratorTableA, SetRect, GetWindowRgn, DestroyCursor, DrawIcon, SubtractRect, MapVirtualKeyExA, BringWindowToTop, PostMessageA, SetMenu, GetDesktopWindow, GetWindow, ShowWindow, GetWindowLongA, IsWindow, TranslateAcceleratorA, InvalidateRect, IsCharLowerA, GetDoubleClickTime, CharUpperBuffA, CopyIcon, LoadImageW, MonitorFromWindow, EmptyClipboard, IsClipboardFormatAvailable, SetMenuDefaultItem, WaitMessage, PostThreadMessageA, CreateMenu, IsMenu, UpdateLayeredWindow, MonitorFromPoint, InvalidateRgn, DrawMenuBar, DefMDIChildProcA, DefFrameProcA, RegisterClipboardFormatA, CopyImage, GetIconInfo, EnableScrollBar, HideCaret, InvertRect, GetMenuDefaultItem, LockWindowUpdate, SetCursorPos, CreateAcceleratorTableA, GetKeyboardState, GetKeyboardLayout, ToAsciiEx, DrawFocusRect, DrawFrameControl, DrawEdge, DrawIconEx, DrawStateA, SetClassLongA, GetAsyncKeyState, NotifyWinEvent, WindowFromPoint, DestroyAcceleratorTable, RedrawWindow, SetWindowRgn, IsZoomed, UnregisterClassA, MessageBeep, GetNextDlgGroupItem, GetMessageTime, SetCapture, TranslateMDISysAccel
    GDI32.dll | GetLayout, SetLayout, DeleteObject, SelectClipRgn, CreateRectRgn, GetViewportExtEx, GetWindowExtEx, BitBlt, GetPixel, PtVisible, RectVisible, TextOutA, ExtTextOutA, Escape, SelectObject, SetViewportOrgEx, OffsetViewportOrgEx, SetViewportExtEx, ScaleViewportExtEx, SetWindowOrgEx, OffsetWindowOrgEx, SetWindowExtEx, ScaleWindowExtEx, ExtSelectClipRgn, DeleteDC, CreatePatternBrush, GetStockObject, SelectPalette, GetObjectType, CreatePen, CreateSolidBrush, CreateHatchBrush, GetTextExtentPoint32A, CreateRectRgnIndirect, PatBlt, CreateDIBitmap, GetTextMetricsA, EnumFontFamiliesA, GetTextCharsetInfo, CombineRgn, GetMapMode, DPtoLP, GetBkColor, GetTextColor, GetRgnBox, CreateDIBSection, CreateRoundRectRgn, CreatePolygonRgn, CreateEllipticRgn, Polyline, Polygon, CreatePalette, GetPaletteEntries, GetNearestPaletteIndex, RealizePalette, GetSystemPaletteEntries, OffsetRgn, SetDIBColorTable, StretchBlt, SetPixel, Rectangle, EnumFontFamiliesExA, LPtoDP, GetWindowOrgEx, GetViewportOrgEx, PtInRegion, FillRgn, FrameRgn, GetBoundsRect, ExtFloodFill, SetPaletteEntries, GetTextFaceA, SetPixelV, MoveToEx, SetTextAlign, LineTo, IntersectClipRect, ExcludeClipRect, GetClipBox, SetMapMode, SetROP2, SetPolyFillMode, SetBkMode, RestoreDC, SaveDC, CreateDCA, CopyMetaFileA, GetDeviceCaps, CreateFontIndirectA, CreateBitmap, GetObjectA, SetBkColor, SetTextColor, CreateCompatibleDC, SetRectRgn, Ellipse, CreateCompatibleBitmap
    MSIMG32.dll | AlphaBlend, TransparentBlt
    COMDLG32.dll | GetFileTitleA
    WINSPOOL.DRV | OpenPrinterA, DocumentPropertiesA, ClosePrinter
    ADVAPI32.dll | RegEnumValueA, RegQueryValueExA, RegOpenKeyExA, RegCreateKeyExA, RegSetValueExA, RegDeleteValueA, RegDeleteKeyA, RegEnumKeyA, RegQueryValueA, RegEnumKeyExA, RegOpenKeyExW, RegCloseKey, RegSetValueA, GetFileSecurityA, SetFileSecurityA
    SHELL32.dll | SHAppBarMessage, ShellExecuteA, DragFinish, DragQueryFileA, SHAddToRecentDocs, ExtractIconA, SHBrowseForFolderA, SHGetSpecialFolderPathA, SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHGetDesktopFolder, SHGetFileInfoA
    COMCTL32.dll | ImageList_GetIconSize
    SHLWAPI.dll | PathFindFileNameA, PathStripToRootA, PathIsUNCA, PathFindExtensionA, PathRemoveFileSpecW
    ole32.dll | OleIsCurrentClipboard, OleLockRunning, IsAccelerator, OleTranslateAccelerator, OleDestroyMenuDescriptor, OleCreateMenuDescriptor, OleInitialize, CoFreeUnusedLibraries, OleUninitialize, CoInitializeEx, CreateStreamOnHGlobal, CreateILockBytesOnHGlobal, StgCreateDocfileOnILockBytes, CoGetClassObject, OleFlushClipboard, OleDuplicateData, ReleaseStgMedium, StringFromCLSID, CoTaskMemFree, CoTaskMemAlloc, CLSIDFromString, CoCreateGuid, CLSIDFromProgID, CoInitialize, CoCreateInstance, CoUninitialize, DoDragDrop, RevokeDragDrop, CoLockObjectExternal, RegisterDragDrop, OleGetClipboard, CoRegisterMessageFilter, CoRevokeClassObject, StgOpenStorageOnILockBytes
    OLEAUT32.dll | SysStringLen, OleCreateFontIndirect, VariantTimeToSystemTime, SystemTimeToVariantTime, SafeArrayDestroy, VariantCopy, VarBstrFromDate, SysAllocStringByteLen, SysFreeString, VariantChangeType, SysAllocStringLen, VariantInit, VariantClear, SysAllocString
    oledlg.dll |
    OLEACC.dll | AccessibleObjectFromWindow, CreateStdAccessibleObject, LresultFromObject
    gdiplus.dll | GdipGetImageGraphicsContext, GdipBitmapUnlockBits, GdipBitmapLockBits, GdipCreateBitmapFromScan0, GdipCreateBitmapFromStream, GdipGetImagePalette, GdipGetImagePaletteSize, GdipGetImagePixelFormat, GdipGetImageHeight, GdipGetImageWidth, GdipCloneImage, GdipDrawImageRectI, GdipSetInterpolationMode, GdipCreateFromHDC, GdiplusShutdown, GdiplusStartup, GdipCreateBitmapFromHBITMAP, GdipDisposeImage, GdipDeleteGraphics, GdipAlloc, GdipFree, GdipDrawImageI
    IMM32.dll | ImmReleaseContext, ImmGetContext, ImmGetOpenStatus
    WINMM.dll | PlaySoundA
    Description | Data
    Translation | 0x0009 0x04b0
    Language of compilation system | Country where language is spoken | Map
    Chinese | China |
    English | United States |
    Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
    03/10/22-07:23:02.013122 | TCP | 2024173 | ET TROJAN Red Leaves magic packet detected (APT10 implant) | 49764 | 80 | 192.168.2.4 | 67.205.132.17
    Timestamp | Source Port | Dest Port | Source IP | Dest IP
    Mar 10, 2022 07:21:37.608027935 CET | 49736 | 443 | 192.168.2.4 | 67.205.132.17
    Mar 10, 2022 07:21:37.608115911 CET | 443 | 49736 | 67.205.132.17 | 192.168.2.4
    Mar 10, 2022 07:21:37.608268023 CET | 49736 | 443 | 192.168.2.4 | 67.205.132.17
    Mar 10, 2022 07:21:37.608624935 CET | 49736 | 443 | 192.168.2.4 | 67.205.132.17
    Mar 10, 2022 07:21:37.608640909 CET | 443 | 49736 | 67.205.132.17 | 192.168.2.4
    Mar 10, 2022 07:21:37.608659029 CET | 49736 | 443 | 192.168.2.4 | 67.205.132.17
    Mar 10, 2022 07:21:37.608669996 CET | 443 | 49736 | 67.205.132.17 | 192.168.2.4
    Mar 10, 2022 07:21:37.608793974 CET | 443 | 49736 | 67.205.132.17 | 192.168.2.4
    Mar 10, 2022 07:21:42.973103046 CET | 49737 | 443 | 192.168.2.4 | 67.205.132.17
    Mar 10, 2022 07:21:42.973156929 CET | 443 | 49737 | 67.205.132.17 | 192.168.2.4
    Mar 10, 2022 07:21:42.973328114 CET | 49737 | 443 | 192.168.2.4 | 67.205.132.17
    Mar 10, 2022 07:21:42.974839926 CET | 49737 | 443 | 192.168.2.4 | 67.205.132.17
    Mar 10, 2022 07:21:42.974857092 CET | 443 | 49737 | 67.205.132.17 | 192.168.2.4
    Mar 10, 2022 07:21:42.974925041 CET | 443 | 49737 | 67.205.132.17 | 192.168.2.4
    Mar 10, 2022 07:21:42.974950075 CET | 49737 | 443 | 192.168.2.4 | 67.205.132.17
    Mar 10, 2022 07:21:42.974972963 CET | 443 | 49737 | 67.205.132.17 | 192.168.2.4
    Mar 10, 2022 07:21:42.976782084 CET | 49738 | 443 | 192.168.2.4 | 67.205.132.17
    Mar 10, 2022 07:21:42.976818085 CET | 443 | 49738 | 67.205.132.17 | 192.168.2.4
    Mar 10, 2022 07:21:42.976900101 CET | 49738 | 443 | 192.168.2.4 | 67.205.132.17
    Mar 10, 2022 07:21:42.977200031 CET | 49738 | 443 | 192.168.2.4 | 67.205.132.17
    Mar 10, 2022 07:21:42.977219105 CET | 443 | 49738 | 67.205.132.17 | 192.168.2.4
    Mar 10, 2022 07:21:42.977279902 CET | 49738 | 443 | 192.168.2.4 | 67.205.132.17
    Mar 10, 2022 07:21:42.977293015 CET | 443 | 49738 | 67.205.132.17 | 192.168.2.4
    Mar 10, 2022 07:21:42.977401018 CET | 443 | 49738 | 67.205.132.17 | 192.168.2.4
    Mar 10, 2022 07:21:42.992253065 CET | 49739 | 443 | 192.168.2.4 | 67.205.132.17
    Mar 10, 2022 07:21:42.992326021 CET | 443 | 49739 | 67.205.132.17 | 192.168.2.4
    Mar 10, 2022 07:21:42.992415905 CET | 49739 | 443 | 192.168.2.4 | 67.205.132.17
    Mar 10, 2022 07:21:42.993453026 CET | 49739 | 443 | 192.168.2.4 | 67.205.132.17
    Mar 10, 2022 07:21:42.993479013 CET | 443 | 49739 | 67.205.132.17 | 192.168.2.4
    Mar 10, 2022 07:21:42.993547916 CET | 443 | 49739 | 67.205.132.17 | 192.168.2.4
    Mar 10, 2022 07:21:42.995389938 CET | 49740 | 443 | 192.168.2.4 | 67.205.132.17
    Mar 10, 2022 07:21:42.995440960 CET | 443 | 49740 | 67.205.132.17 | 192.168.2.4
    Mar 10, 2022 07:21:42.995537996 CET | 49740 | 443 | 192.168.2.4 | 67.205.132.17
    Mar 10, 2022 07:21:42.995886087 CET | 49740 | 443 | 192.168.2.4 | 67.205.132.17
    Mar 10, 2022 07:21:42.995913029 CET | 443 | 49740 | 67.205.132.17 | 192.168.2.4
    Mar 10, 2022 07:21:42.995955944 CET | 443 | 49740 | 67.205.132.17 | 192.168.2.4
    Mar 10, 2022 07:21:42.995991945 CET | 49740 | 443 | 192.168.2.4 | 67.205.132.17
    Mar 10, 2022 07:21:42.996011972 CET | 443 | 49740 | 67.205.132.17 | 192.168.2.4
    Mar 10, 2022 07:21:42.997436047 CET | 49741 | 443 | 192.168.2.4 | 67.205.132.17
    Mar 10, 2022 07:21:42.997484922 CET | 443 | 49741 | 67.205.132.17 | 192.168.2.4
    Mar 10, 2022 07:21:42.998003960 CET | 49741 | 443 | 192.168.2.4 | 67.205.132.17
    Mar 10, 2022 07:21:42.998060942 CET | 49741 | 443 | 192.168.2.4 | 67.205.132.17
    Mar 10, 2022 07:21:42.998078108 CET | 443 | 49741 | 67.205.132.17 | 192.168.2.4
    Mar 10, 2022 07:21:42.998094082 CET | 49741 | 443 | 192.168.2.4 | 67.205.132.17
    Mar 10, 2022 07:21:42.998102903 CET | 443 | 49741 | 67.205.132.17 | 192.168.2.4
    Mar 10, 2022 07:21:42.998209000 CET | 443 | 49741 | 67.205.132.17 | 192.168.2.4
    Mar 10, 2022 07:21:53.106363058 CET | 49743 | 443 | 192.168.2.4 | 144.168.45.116
    Mar 10, 2022 07:21:53.106456041 CET | 443 | 49743 | 144.168.45.116 | 192.168.2.4
    Mar 10, 2022 07:21:53.106570959 CET | 49743 | 443 | 192.168.2.4 | 144.168.45.116
    Mar 10, 2022 07:21:53.108678102 CET | 49743 | 443 | 192.168.2.4 | 144.168.45.116
    Mar 10, 2022 07:21:53.108748913 CET | 443 | 49743 | 144.168.45.116 | 192.168.2.4
    Mar 10, 2022 07:21:53.108772039 CET | 49743 | 443 | 192.168.2.4 | 144.168.45.116
    Mar 10, 2022 07:21:53.108789921 CET | 443 | 49743 | 144.168.45.116 | 192.168.2.4
    Mar 10, 2022 07:21:53.108952999 CET | 443 | 49743 | 144.168.45.116 | 192.168.2.4
    Mar 10, 2022 07:22:03.153788090 CET | 49746 | 53 | 192.168.2.4 | 67.205.132.17
    Mar 10, 2022 07:22:06.168540955 CET | 49746 | 53 | 192.168.2.4 | 67.205.132.17
    Mar 10, 2022 07:22:12.184732914 CET | 49746 | 53 | 192.168.2.4 | 67.205.132.17
    Mar 10, 2022 07:22:12.366229057 CET | 49747 | 443 | 192.168.2.4 | 67.205.132.17
    Mar 10, 2022 07:22:12.366271973 CET | 443 | 49747 | 67.205.132.17 | 192.168.2.4
    Mar 10, 2022 07:22:12.366451979 CET | 49747 | 443 | 192.168.2.4 | 67.205.132.17
    Mar 10, 2022 07:22:12.366818905 CET | 49747 | 443 | 192.168.2.4 | 67.205.132.17
    Mar 10, 2022 07:22:12.366833925 CET | 443 | 49747 | 67.205.132.17 | 192.168.2.4
    Mar 10, 2022 07:22:12.366939068 CET | 443 | 49747 | 67.205.132.17 | 192.168.2.4
    Mar 10, 2022 07:22:12.368575096 CET | 49748 | 443 | 192.168.2.4 | 67.205.132.17
    Mar 10, 2022 07:22:12.368624926 CET | 443 | 49748 | 67.205.132.17 | 192.168.2.4
    Mar 10, 2022 07:22:12.368717909 CET | 49748 | 443 | 192.168.2.4 | 67.205.132.17
    Mar 10, 2022 07:22:12.369051933 CET | 49748 | 443 | 192.168.2.4 | 67.205.132.17
    Mar 10, 2022 07:22:12.369082928 CET | 443 | 49748 | 67.205.132.17 | 192.168.2.4
    Mar 10, 2022 07:22:12.369129896 CET | 443 | 49748 | 67.205.132.17 | 192.168.2.4
    Mar 10, 2022 07:22:12.369153023 CET | 49748 | 443 | 192.168.2.4 | 67.205.132.17
    Mar 10, 2022 07:22:12.369174957 CET | 443 | 49748 | 67.205.132.17 | 192.168.2.4
    Mar 10, 2022 07:22:12.370532990 CET | 49749 | 443 | 192.168.2.4 | 67.205.132.17
    Mar 10, 2022 07:22:12.370563984 CET | 443 | 49749 | 67.205.132.17 | 192.168.2.4
    Mar 10, 2022 07:22:12.370745897 CET | 49749 | 443 | 192.168.2.4 | 67.205.132.17
    Mar 10, 2022 07:22:12.372329950 CET | 49749 | 443 | 192.168.2.4 | 67.205.132.17
    Mar 10, 2022 07:22:12.372349024 CET | 443 | 49749 | 67.205.132.17 | 192.168.2.4
    Mar 10, 2022 07:22:12.372400045 CET | 443 | 49749 | 67.205.132.17 | 192.168.2.4
    Mar 10, 2022 07:22:12.372473955 CET | 49749 | 443 | 192.168.2.4 | 67.205.132.17
    Mar 10, 2022 07:22:12.372488022 CET | 443 | 49749 | 67.205.132.17 | 192.168.2.4
    Mar 10, 2022 07:22:12.374878883 CET | 49750 | 443 | 192.168.2.4 | 67.205.132.17
    Mar 10, 2022 07:22:12.374902964 CET | 443 | 49750 | 67.205.132.17 | 192.168.2.4
    Mar 10, 2022 07:22:12.374969959 CET | 49750 | 443 | 192.168.2.4 | 67.205.132.17
    Mar 10, 2022 07:22:12.375251055 CET | 49750 | 443 | 192.168.2.4 | 67.205.132.17
    Mar 10, 2022 07:22:12.375267029 CET | 443 | 49750 | 67.205.132.17 | 192.168.2.4
    Mar 10, 2022 07:22:12.375308990 CET | 443 | 49750 | 67.205.132.17 | 192.168.2.4
    Mar 10, 2022 07:22:12.375382900 CET | 49750 | 443 | 192.168.2.4 | 67.205.132.17
    Mar 10, 2022 07:22:12.375394106 CET | 443 | 49750 | 67.205.132.17 | 192.168.2.4
    Mar 10, 2022 07:22:12.396006107 CET | 49751 | 443 | 192.168.2.4 | 67.205.132.17
    Mar 10, 2022 07:22:12.396064997 CET | 443 | 49751 | 67.205.132.17 | 192.168.2.4
    Mar 10, 2022 07:22:12.396150112 CET | 49751 | 443 | 192.168.2.4 | 67.205.132.17
    Mar 10, 2022 07:22:12.396461010 CET | 49751 | 443 | 192.168.2.4 | 67.205.132.17
    Mar 10, 2022 07:22:12.396492958 CET | 443 | 49751 | 67.205.132.17 | 192.168.2.4
    Mar 10, 2022 07:22:12.396565914 CET | 443 | 49751 | 67.205.132.17 | 192.168.2.4
    Mar 10, 2022 07:22:22.436521053 CET | 49756 | 443 | 192.168.2.4 | 144.168.45.116
    Mar 10, 2022 07:22:22.436614990 CET | 443 | 49756 | 144.168.45.116 | 192.168.2.4
    Mar 10, 2022 07:22:22.436717033 CET | 49756 | 443 | 192.168.2.4 | 144.168.45.116
    Mar 10, 2022 07:22:22.437103033 CET | 49756 | 443 | 192.168.2.4 | 144.168.45.116
    Mar 10, 2022 07:22:22.437125921 CET | 443 | 49756 | 144.168.45.116 | 192.168.2.4
    Mar 10, 2022 07:22:22.437145948 CET | 49756 | 443 | 192.168.2.4 | 144.168.45.116
    Mar 10, 2022 07:22:22.437156916 CET | 443 | 49756 | 144.168.45.116 | 192.168.2.4
    • 67.205.132.17:443
    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
    0 | 192.168.2.4 | 49737 | 67.205.132.17 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Timestamp | kBytes transferred | Direction | Data
    Mar 10, 2022 07:21:42.974839926 CET | 838 | OUT | POST /NEZTl2/index.php HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Content-Length: 133
    Host: 67.205.132.17:443


    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
    1 | 192.168.2.4 | 49738 | 67.205.132.17 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Timestamp | kBytes transferred | Direction | Data
    Mar 10, 2022 07:21:42.977200031 CET | 838 | OUT | POST /NEZTl2/index.php HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Content-Length: 133
    Host: 67.205.132.17:443


    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
    10 | 192.168.2.4 | 49758 | 67.205.132.17 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Timestamp | kBytes transferred | Direction | Data
    Mar 10, 2022 07:22:41.757384062 CET | 1124 | OUT | POST /hvnqlRD8z/index.php HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Content-Length: 133
    Host: 67.205.132.17:443


    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
    11 | 192.168.2.4 | 49759 | 67.205.132.17 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Timestamp | kBytes transferred | Direction | Data
    Mar 10, 2022 07:22:41.760591984 CET | 1125 | OUT | POST /hvnqlRD8z/index.php HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Content-Length: 133
    Host: 67.205.132.17:443


    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
    12 | 192.168.2.4 | 49760 | 67.205.132.17 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Timestamp | kBytes transferred | Direction | Data
    Mar 10, 2022 07:22:41.762743950 CET | 1126 | OUT | POST /hvnqlRD8z/index.php HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Content-Length: 133
    Host: 67.205.132.17:443


    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
    13 | 192.168.2.4 | 49761 | 67.205.132.17 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Timestamp | kBytes transferred | Direction | Data
    Mar 10, 2022 07:22:41.764647961 CET | 1126 | OUT | POST /hvnqlRD8z/index.php HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Content-Length: 133
    Host: 67.205.132.17:443


    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
    14 | 192.168.2.4 | 49762 | 67.205.132.17 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Timestamp | kBytes transferred | Direction | Data
    Mar 10, 2022 07:22:41.821583033 CET | 1127 | OUT | POST /hvnqlRD8z/index.php HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Content-Length: 133
    Host: 67.205.132.17:443


    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
    15 | 192.168.2.4 | 49764 | 67.205.132.17 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Timestamp | kBytes transferred | Direction | Data
    Mar 10, 2022 07:23:02.116496086 CET | 1129 | IN | HTTP/1.1 400 Bad Request
    Server: nginx
    Date: Thu, 10 Mar 2022 06:23:02 GMT
    Content-Type: text/html
    Content-Length: 150
    Connection: close
    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>400 Bad Request</title></head><body><center><h1>400 Bad Request</h1></center><hr><center>nginx</center></body></html>


    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
    16 | 192.168.2.4 | 49765 | 67.205.132.17 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Timestamp | kBytes transferred | Direction | Data
    Mar 10, 2022 07:23:07.487189054 CET | 1129 | OUT | POST /23I9/index.php HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Content-Length: 133
    Host: 67.205.132.17:443


    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
    17 | 192.168.2.4 | 49766 | 67.205.132.17 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Timestamp | kBytes transferred | Direction | Data
    Mar 10, 2022 07:23:07.489439964 CET | 1130 | OUT | POST /23I9/index.php HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Content-Length: 133
    Host: 67.205.132.17:443


    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
    18 | 192.168.2.4 | 49767 | 67.205.132.17 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Timestamp | kBytes transferred | Direction | Data
    Mar 10, 2022 07:23:07.491816044 CET | 1131 | OUT | POST /23I9/index.php HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Content-Length: 133
    Host: 67.205.132.17:443


    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
    19 | 192.168.2.4 | 49768 | 67.205.132.17 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Timestamp | kBytes transferred | Direction | Data
    Mar 10, 2022 07:23:07.497479916 CET | 1131 | OUT | POST /23I9/index.php HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Content-Length: 133
    Host: 67.205.132.17:443


    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
    2 | 192.168.2.4 | 49739 | 67.205.132.17 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Timestamp | kBytes transferred | Direction | Data
    Mar 10, 2022 07:21:42.993453026 CET | 839 | OUT | POST /NEZTl2/index.php HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Content-Length: 133
    Host: 67.205.132.17:443


    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
    20 | 192.168.2.4 | 49769 | 67.205.132.17 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Timestamp | kBytes transferred | Direction | Data
    Mar 10, 2022 07:23:07.508974075 CET | 1132 | OUT | POST /23I9/index.php HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Content-Length: 133
    Host: 67.205.132.17:443


    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
    21 | 192.168.2.4 | 49772 | 67.205.132.17 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Timestamp | kBytes transferred | Direction | Data
    Mar 10, 2022 07:23:32.738704920 CET | 1135 | OUT | POST /M2c1Nb/index.php HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Content-Length: 133
    Host: 67.205.132.17:443


    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
    22 | 192.168.2.4 | 49773 | 67.205.132.17 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Timestamp | kBytes transferred | Direction | Data
    Mar 10, 2022 07:23:32.745321989 CET | 1136 | OUT | POST /M2c1Nb/index.php HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Content-Length: 133
    Host: 67.205.132.17:443


    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
    23 | 192.168.2.4 | 49774 | 67.205.132.17 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Timestamp | kBytes transferred | Direction | Data
    Mar 10, 2022 07:23:32.748333931 CET | 1136 | OUT | POST /M2c1Nb/index.php HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Content-Length: 133
    Host: 67.205.132.17:443


    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
    24 | 192.168.2.4 | 49775 | 67.205.132.17 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Timestamp | kBytes transferred | Direction | Data
    Mar 10, 2022 07:23:32.760200977 CET | 1137 | OUT | POST /M2c1Nb/index.php HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Content-Length: 133
    Host: 67.205.132.17:443


    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
    25 | 192.168.2.4 | 49776 | 67.205.132.17 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Timestamp | kBytes transferred | Direction | Data
    Mar 10, 2022 07:23:32.765038967 CET | 1138 | OUT | POST /M2c1Nb/index.php HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Content-Length: 133
    Host: 67.205.132.17:443


    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
    3 | 192.168.2.4 | 49740 | 67.205.132.17 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Timestamp | kBytes transferred | Direction | Data
    Mar 10, 2022 07:21:42.995886087 CET | 840 | OUT | POST /NEZTl2/index.php HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Content-Length: 133
    Host: 67.205.132.17:443


    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
    4 | 192.168.2.4 | 49741 | 67.205.132.17 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Timestamp | kBytes transferred | Direction | Data
    Mar 10, 2022 07:21:42.998060942 CET | 840 | OUT | POST /NEZTl2/index.php HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Content-Length: 133
    Host: 67.205.132.17:443


    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
    5 | 192.168.2.4 | 49747 | 67.205.132.17 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Timestamp | kBytes transferred | Direction | Data
    Mar 10, 2022 07:22:12.366818905 CET | 1112 | OUT | POST /3T3t/index.php HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Content-Length: 133
    Host: 67.205.132.17:443


    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
    6 | 192.168.2.4 | 49748 | 67.205.132.17 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Timestamp | kBytes transferred | Direction | Data
    Mar 10, 2022 07:22:12.369051933 CET | 1112 | OUT | POST /3T3t/index.php HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Content-Length: 133
    Host: 67.205.132.17:443


    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
    7 | 192.168.2.4 | 49749 | 67.205.132.17 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Timestamp | kBytes transferred | Direction | Data
    Mar 10, 2022 07:22:12.372329950 CET | 1113 | OUT | POST /3T3t/index.php HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Content-Length: 133
    Host: 67.205.132.17:443


    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
    8 | 192.168.2.4 | 49750 | 67.205.132.17 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Timestamp | kBytes transferred | Direction | Data
    Mar 10, 2022 07:22:12.375251055 CET | 1114 | OUT | POST /3T3t/index.php HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Content-Length: 133
    Host: 67.205.132.17:443


    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
    9 | 192.168.2.4 | 49751 | 67.205.132.17 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Timestamp | kBytes transferred | Direction | Data
    Mar 10, 2022 07:22:12.396461010 CET | 1114 | OUT | POST /3T3t/index.php HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Content-Length: 133
    Host: 67.205.132.17:443



    Target ID:0
    Start time:07:21:31
    Start date:10/03/2022
    Path:C:\Users\user\Desktop\cANdLlHS4N.exe
    Wow64 process (32bit):true
    Commandline:"C:\Users\user\Desktop\cANdLlHS4N.exe"
    Imagebase:0x9a0000
    File size:3804160 bytes
    MD5 hash:B3139B26A2DABB9B6E728884D8FA8B33
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Yara matches:
    • Rule: REDLEAVES_DroppedFile_ObfuscatedShellcodeAndRAT_handkerchief, Description: Detect obfuscated .dat file containing shellcode and core REDLEAVES RAT, Source: 00000000.00000002.246163618.0000000002710000.00000004.00000800.00020000.00000000.sdmp, Author: USG
    • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000000.00000002.246163618.0000000002710000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
    • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000000.00000000.235573187.0000000000CA2000.00000008.00000001.01000000.00000003.sdmp, Author: Florian Roth
    • Rule: Dropper_DeploysMalwareViaSideLoading, Description: Detect a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX, Source: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp, Author: USG
    • Rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn, Description: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, Source: 00000000.00000002.246143559.00000000026E0000.00000004.00000800.00020000.00000000.sdmp, Author: USG
    • Rule: OpCloudHopper_Malware_6, Description: Detects malware from Operation Cloud Hopper, Source: 00000000.00000002.246143559.00000000026E0000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
    • Rule: Dropper_DeploysMalwareViaSideLoading, Description: Detect a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX, Source: 00000000.00000000.235322946.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp, Author: USG
    • Rule: Dropper_DeploysMalwareViaSideLoading, Description: Detect a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX, Source: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Author: USG
    • Rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn, Description: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, Source: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp, Author: USG
    • Rule: REDLEAVES_DroppedFile_ObfuscatedShellcodeAndRAT_handkerchief, Description: Detect obfuscated .dat file containing shellcode and core REDLEAVES RAT, Source: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp, Author: USG
    • Rule: Dropper_DeploysMalwareViaSideLoading, Description: Detect a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX, Source: 00000000.00000000.235102933.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Author: USG
    Reputation:low

    Target ID:1
    Start time:07:21:33
    Start date:10/03/2022
    Path:C:\Users\user\AppData\Local\Temp\obedience.exe
    Wow64 process (32bit):true
    Commandline:C:\Users\user\AppData\Local\Temp\obedience.exe
    Imagebase:0x400000
    File size:1616040 bytes
    MD5 hash:6A1C14D5F16A07BEF55943134FE618C0
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:Borland Delphi
    Yara matches:
    • Rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn, Description: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, Source: 00000001.00000002.248376246.000000006ED91000.00000020.00000001.01000000.00000005.sdmp, Author: USG
    • Rule: REDLEAVES_CoreImplant_UniqueStrings, Description: Strings identifying the core REDLEAVES RAT in its deobfuscated state, Source: 00000001.00000002.248128854.0000000002580000.00000040.00000800.00020000.00000000.sdmp, Author: USG
    • Rule: malware_red_leaves_generic, Description: Red Leaves malware, related to APT10, Source: 00000001.00000002.248128854.0000000002580000.00000040.00000800.00020000.00000000.sdmp, Author: David Cannings
    • Rule: RedLeaf, Description: RedLeaf crypto function, Source: 00000001.00000002.248128854.0000000002580000.00000040.00000800.00020000.00000000.sdmp, Author: kev
    Antivirus matches:
    • Detection: 8%, Metadefender
    • Detection: 9%, ReversingLabs
    Reputation:low

    Target ID:2
    Start time:07:21:35
    Start date:10/03/2022
    Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Wow64 process (32bit):true
    Commandline:C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Imagebase:0x920000
    File size:822536 bytes
    MD5 hash:071277CC2E3DF41EEEA8013E2AB58D5A
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Yara matches:
    • Rule: REDLEAVES_CoreImplant_UniqueStrings, Description: Strings identifying the core REDLEAVES RAT in its deobfuscated state, Source: 00000002.00000002.499777419.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Author: USG
    • Rule: malware_red_leaves_generic, Description: Red Leaves malware, related to APT10, Source: 00000002.00000002.499777419.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Author: David Cannings
    • Rule: RedLeaf, Description: RedLeaf crypto function, Source: 00000002.00000002.499777419.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Author: kev
    • Rule: REDLEAVES_CoreImplant_UniqueStrings, Description: Strings identifying the core REDLEAVES RAT in its deobfuscated state, Source: 00000002.00000000.244543247.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Author: USG
    • Rule: malware_red_leaves_generic, Description: Red Leaves malware, related to APT10, Source: 00000002.00000000.244543247.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Author: David Cannings
    • Rule: RedLeaf, Description: RedLeaf crypto function, Source: 00000002.00000000.244543247.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Author: kev
    • Rule: REDLEAVES_CoreImplant_UniqueStrings, Description: Strings identifying the core REDLEAVES RAT in its deobfuscated state, Source: 00000002.00000000.244858067.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Author: USG
    • Rule: malware_red_leaves_generic, Description: Red Leaves malware, related to APT10, Source: 00000002.00000000.244858067.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Author: David Cannings
    • Rule: RedLeaf, Description: RedLeaf crypto function, Source: 00000002.00000000.244858067.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Author: kev
    • Rule: REDLEAVES_CoreImplant_UniqueStrings, Description: Strings identifying the core REDLEAVES RAT in its deobfuscated state, Source: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Author: USG
    • Rule: malware_red_leaves_generic, Description: Red Leaves malware, related to APT10, Source: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Author: David Cannings
    • Rule: RedLeaves, Description: detect RedLeaves in memory, Source: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
    Reputation:high

    Target ID:3
    Start time:07:21:44
    Start date:10/03/2022
    Path:C:\Users\user\AppData\Local\Temp\obedience.exe
    Wow64 process (32bit):true
    Commandline:"C:\Users\user\AppData\Local\Temp\obedience.exe"
    Imagebase:0x400000
    File size:1616040 bytes
    MD5 hash:6A1C14D5F16A07BEF55943134FE618C0
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:Borland Delphi
    Yara matches:
    • Rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn, Description: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, Source: 00000003.00000002.273655894.000000006EE51000.00000020.00000001.01000000.00000005.sdmp, Author: USG
    • Rule: REDLEAVES_CoreImplant_UniqueStrings, Description: Strings identifying the core REDLEAVES RAT in its deobfuscated state, Source: 00000003.00000002.273510822.0000000002410000.00000040.00000800.00020000.00000000.sdmp, Author: USG
    • Rule: malware_red_leaves_generic, Description: Red Leaves malware, related to APT10, Source: 00000003.00000002.273510822.0000000002410000.00000040.00000800.00020000.00000000.sdmp, Author: David Cannings
    • Rule: RedLeaf, Description: RedLeaf crypto function, Source: 00000003.00000002.273510822.0000000002410000.00000040.00000800.00020000.00000000.sdmp, Author: kev
    Reputation:low

    Target ID:4
    Start time:07:21:46
    Start date:10/03/2022
    Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Wow64 process (32bit):
    Commandline:C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Imagebase:
    File size:822536 bytes
    MD5 hash:071277CC2E3DF41EEEA8013E2AB58D5A
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high

    No disassembly