
Windows Analysis Report
unpacked_1648556.bin.exe

Overview

General Information

Sample name: unpacked_1648556.bin.exe
Analysis ID: 1417149
MD5: 95e35564ed41b3eeb4db220baec91c41
SHA1: 4c209f8b3c7684fc96c5d77c7b4f0ef896a40814
SHA256: 9b5498c5c240818198e2eea9d9b8dce18273ea24b167882c9efc030e2643f127
Tags: exe, IcedID

Detection

IcedID
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected IcedID
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Found stalling execution ending in API Sleep call
Machine Learning detection for sample
Tries to detect virtualization through RDTSC time measurements
Contains functionality for execution timing, often used to detect debuggers
Contains functionality which may be used to detect a debugger (GetProcessHeap)
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files

Classification

  • System is w10x64
  • unpacked_1648556.bin.exe (PID: 420 cmdline: "C:\Users\user\Desktop\unpacked_1648556.bin.exe" MD5: 95E35564ED41B3EEB4DB220BAEC91C41)
  • cleanup
Name: IcedID
Description: According to Proofpoint, IcedID (aka BokBot) is a malware originally classified as a banking malware and was first observed in 2017. It also acts as a loader for other malware, including ransomware. The well-known IcedID version consists of an initial loader which contacts a Loader C2 server, downloads the standard DLL Loader, which then delivers the standard IcedID Bot. IcedID is developed and operated by the actor named LUNAR SPIDER. As previously published, historically there has been just one version of IcedID that has remained constant since 2017.
  • In November 2022, Proofpoint researchers observed the first new variant of IcedID Proofpoint dubbed 'IcedID Lite' distributed as a follow-on payload in a TA542 Emotet campaign. It was dropped by the Emotet malware soon after the actor returned to the e-crime landscape after a nearly four-month break.
  • The IcedID Lite Loader observed in November 2022 contains a static URL to download a 'Bot Pack' file with a static name (botpack.dat) which results in the IcedID Lite DLL Loader, and then delivers the Forked version of IcedID Bot, leaving out the webinjects and backconnect functionality that would typically be used for banking fraud.
  • Starting in February 2023, Proofpoint observed the new Forked variant of IcedID. This variant was distributed by TA581 and one unattributed threat activity cluster which acted as initial access facilitators. The campaigns used a variety of email attachments such as Microsoft OneNote attachments and somewhat rare to see .URL attachments, which led to the Forked variant of IcedID.
Attribution:
  • GOLD CABIN
  • Lunar Spider
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.icedid
No configs have been found
Yara matches (Source | Rule | Description | Author):
unpacked_1648556.bin.exe | JoeSecurity_IcedID_3 | Yara detected IcedID | Joe Security
00000000.00000002.3304323010.0000000000401000.00000020.00000001.01000000.00000003.sdmp | JoeSecurity_IcedID_3 | Yara detected IcedID | Joe Security
00000000.00000000.2055305505.0000000000401000.00000020.00000001.01000000.00000003.sdmp | JoeSecurity_IcedID_3 | Yara detected IcedID | Joe Security
0.2.unpacked_1648556.bin.exe.400000.0.unpack | JoeSecurity_IcedID_3 | Yara detected IcedID | Joe Security
0.0.unpacked_1648556.bin.exe.400000.0.unpack | JoeSecurity_IcedID_3 | Yara detected IcedID | Joe Security
No Sigma rule has matched
No Snort rule has matched


            AV Detection

Source: unpacked_1648556.bin.exe | Avira: detected
Source: https://certifacto.com/R | Avira URL Cloud: Label: phishing
Source: https://certifacto.com/ | Avira URL Cloud: Label: phishing
Source: https://certifacto.com/photo.png?id=01B677C698EC38846700FF0000000000000000XHM | Avira URL Cloud: Label: phishing
Source: https://certifacto.com/photo.png?id=01B677C698EC38846700FF0000000000000000 | Avira URL Cloud: Label: phishing
Source: certifacto.com | Virustotal: Detection: 14%
Source: https://cowspidzu.pro/ | Virustotal: Detection: 5%
Source: bladisuka.red | Virustotal: Detection: 7%
Source: https://certifacto.com/ | Virustotal: Detection: 16%
Source: https://bladisuka.red/ | Virustotal: Detection: 10%
Source: unpacked_1648556.bin.exe | Virustotal: Detection: 67%
Source: unpacked_1648556.bin.exe | ReversingLabs: Detection: 57%
Source: Yara match | File source: unpacked_1648556.bin.exe, type: SAMPLE
Source: Yara match | File source: 0.2.unpacked_1648556.bin.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.unpacked_1648556.bin.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.3304323010.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.2055305505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: unpacked_1648556.bin.exe | Joe Sandbox ML: detected
Source: unpacked_1648556.bin.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | DNS traffic detected: query: muratinue.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: certifacto.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: bladisuka.red replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: cowspidzu.pro replaycode: Name error (3)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (24 identical entries)
Source: unknown | DNS traffic detected: queries for: certifacto.com
Source: unpacked_1648556.bin.exe, 00000000.00000003.2996773531.00000000004BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bladisuka.red/
Source: unpacked_1648556.bin.exe, 00000000.00000003.2996773531.00000000004BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bladisuka.red/R
Source: unpacked_1648556.bin.exe, 00000000.00000003.2996773531.00000000004BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bladisuka.red/photo.png?id=01B677C698EC38846700FF0000000000000000
Source: unpacked_1648556.bin.exe, 00000000.00000003.2996773531.00000000004BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bladisuka.red/photo.png?id=01B677C698EC38846700FF0000000000000000%
Source: unpacked_1648556.bin.exe, 00000000.00000002.3304500733.00000000004F4000.00000004.00000020.00020000.00000000.sdmp, unpacked_1648556.bin.exe, 00000000.00000003.3300283554.00000000004F4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bladisuka.red/photo.png?id=01B677C698EC38846700FF0000000000000000=
Source: unpacked_1648556.bin.exe, 00000000.00000003.2685214695.00000000004BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://certifacto.com/
Source: unpacked_1648556.bin.exe, 00000000.00000003.2685214695.00000000004BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://certifacto.com/R
Source: unpacked_1648556.bin.exe, 00000000.00000003.2355981421.00000000004B8000.00000004.00000020.00020000.00000000.sdmp, unpacked_1648556.bin.exe, 00000000.00000003.2685214695.00000000004BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://certifacto.com/photo.png?id=01B677C698EC38846700FF0000000000000000
Source: unpacked_1648556.bin.exe, 00000000.00000003.2685214695.00000000004BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://certifacto.com/photo.png?id=01B677C698EC38846700FF0000000000000000XHM
Source: unpacked_1648556.bin.exe, 00000000.00000002.3304451196.00000000004B8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cowspidzu.pro/
Source: unpacked_1648556.bin.exe, 00000000.00000003.3300199442.00000000004B8000.00000004.00000020.00020000.00000000.sdmp, unpacked_1648556.bin.exe, 00000000.00000002.3304451196.00000000004B8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cowspidzu.pro/photo.png?id=01B677C698EC38846700FF0000000000000000
Source: unpacked_1648556.bin.exe, 00000000.00000002.3304500733.00000000004F4000.00000004.00000020.00020000.00000000.sdmp, unpacked_1648556.bin.exe, 00000000.00000003.3300283554.00000000004F4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cowspidzu.pro/photo.png?id=01B677C698EC38846700FF0000000000000000&
Source: unpacked_1648556.bin.exe, 00000000.00000002.3304500733.00000000004F4000.00000004.00000020.00020000.00000000.sdmp, unpacked_1648556.bin.exe, 00000000.00000003.3300283554.00000000004F4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cowspidzu.pro/photo.png?id=01B677C698EC38846700FF0000000000000000l
Source: unpacked_1648556.bin.exe, 00000000.00000003.2355981421.00000000004B8000.00000004.00000020.00020000.00000000.sdmp, unpacked_1648556.bin.exe, 00000000.00000003.2996773531.00000000004CA000.00000004.00000020.00020000.00000000.sdmp, unpacked_1648556.bin.exe, 00000000.00000003.2996773531.00000000004BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://muratinue.com/
Source: unpacked_1648556.bin.exe, 00000000.00000003.2355981421.00000000004B8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://muratinue.com/R
Source: unpacked_1648556.bin.exe, 00000000.00000003.3300283554.00000000004F4000.00000004.00000020.00020000.00000000.sdmp, unpacked_1648556.bin.exe, 00000000.00000003.2355981421.00000000004B8000.00000004.00000020.00020000.00000000.sdmp, unpacked_1648556.bin.exe, 00000000.00000003.3300199442.00000000004B8000.00000004.00000020.00020000.00000000.sdmp, unpacked_1648556.bin.exe, 00000000.00000003.2996773531.00000000004F4000.00000004.00000020.00020000.00000000.sdmp, unpacked_1648556.bin.exe, 00000000.00000003.2996773531.00000000004BE000.00000004.00000020.00020000.00000000.sdmp, unpacked_1648556.bin.exe, 00000000.00000002.3304451196.00000000004B8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://muratinue.com/photo.png?id=01B677C698EC38846700FF0000000000000000
Source: unpacked_1648556.bin.exe, 00000000.00000003.2355981421.00000000004B8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://muratinue.com/photo.png?id=01B677C698EC38846700FF0000000000000000%
Source: unpacked_1648556.bin.exe, 00000000.00000003.2355981421.00000000004CA000.00000004.00000020.00020000.00000000.sdmp, unpacked_1648556.bin.exe, 00000000.00000003.2356059601.00000000004CC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://muratinue.com/photo.png?id=01B677C698EC38846700FF000000000000000044U3h
Source: unpacked_1648556.bin.exe, 00000000.00000003.3300199442.00000000004B8000.00000004.00000020.00020000.00000000.sdmp, unpacked_1648556.bin.exe, 00000000.00000002.3304451196.00000000004B8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://muratinue.com/photo.png?id=01B677C698EC38846700FF0000000000000000xGM

            E-Banking Fraud

Source: Yara match | File source: unpacked_1648556.bin.exe, type: SAMPLE
Source: Yara match | File source: 0.2.unpacked_1648556.bin.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.unpacked_1648556.bin.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.3304323010.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.2055305505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe | Section loaded: webio.dll
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe | Section loaded: ondemandconnroutehelper.dll (23 further identical entries)
Source: unpacked_1648556.bin.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine | Classification label: mal96.troj.evad.winEXE@1/0@24/0
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe | File created: C:\Users\user\AppData\Local\user
Source: unpacked_1648556.bin.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unpacked_1648556.bin.exe | Virustotal: Detection: 67%
Source: unpacked_1648556.bin.exe | ReversingLabs: Detection: 57%

            Malware Analysis System Evasion

Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe | Code function: 0_2_004010F6 wsprintfA, | 0_2_004010F6
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe | Stalling execution: Execution stalls by calling Sleep | graph_0-193
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe | RDTSC instruction interceptor: First address: 401131 second address: 401151 instructions:
  0x00000000 rdtsc
  0x00000002 mov esi, eax
  0x00000004 mov dword ptr [esp+1Ch], edx
  0x00000008 xor eax, eax
  0x0000000a lea edi, dword ptr [esp+28h]
  0x0000000e inc eax
  0x0000000f xor ecx, ecx
  0x00000011 cpuid
  0x00000013 mov dword ptr [edi], eax
  0x00000015 mov eax, edi
  0x00000017 mov dword ptr [eax+04h], ebx
  0x0000001a mov dword ptr [eax+08h], ecx
  0x0000001d mov dword ptr [eax+0Ch], edx
  0x00000020 rdtsc
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe | RDTSC instruction interceptor: First address: 401151 second address: 401131 instructions:
  0x00000000 rdtsc
  0x00000002 sub eax, esi
  0x00000004 sbb edx, dword ptr [esp+1Ch]
  0x00000008 test edx, edx
  0x0000000a jnbe 00007FF2013B19AAh
  0x0000000c jc 00007FF2013B1969h
  0x0000000e cmp eax, 000000FAh
  0x00000013 jnc 00007FF2013B1968h
  0x00000015 inc byte ptr [esp+1Ah]
  0x00000019 jmp 00007FF2013B199Fh
  0x0000001b sub ebp, 01h
  0x0000001e jne 00007FF2013B18E5h
  0x00000020 rdtsc
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe | Code function: 0_2_00401224 rdtsc | 0_2_00401224
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe TID: 6128 | Thread sleep time: -660000s >= -30000s
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe | Last function: Thread delayed
Source: unpacked_1648556.bin.exe, 00000000.00000002.3304402538.000000000048E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe | API call chain: ExitProcess graph end node | graph_0-158
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe | Code function: 0_2_00401224 rdtsc | 0_2_00401224
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe | Code function: 0_2_00401000 CreateFileA,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,GetProcessHeap,HeapFree,CloseHandle, | 0_2_00401000
Source: C:\Users\user\Desktop\unpacked_1648556.bin.exe | Code function: 0_2_004014F9 SHGetFolderPathA,lstrcatA,lstrcatA,lstrlenA,GetUserNameA,CreateDirectoryA,lstrcatA, | 0_2_004014F9

            Stealing of Sensitive Information

Source: Yara match | File source: unpacked_1648556.bin.exe, type: SAMPLE
Source: Yara match | File source: 0.2.unpacked_1648556.bin.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.unpacked_1648556.bin.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.3304323010.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.2055305505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY

            Remote Access Functionality

Source: Yara match | File source: unpacked_1648556.bin.exe, type: SAMPLE
Source: Yara match | File source: 0.2.unpacked_1648556.bin.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.unpacked_1648556.bin.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.3304323010.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.2055305505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY

MITRE ATT&CK Matrix

Techniques marked in the matrix (hit counts as shown in the report):
  • Persistence: DLL Side-Loading (1)
  • Privilege Escalation: DLL Side-Loading (1)
  • Defense Evasion: Masquerading (1), Virtualization/Sandbox Evasion (1), DLL Side-Loading (1)
  • Discovery: Security Software Discovery (221), Virtualization/Sandbox Evasion (1), Account Discovery (1), System Owner/User Discovery (1), System Information Discovery (21)
  • Command and Control: Non-Application Layer Protocol (1), Application Layer Protocol (1)
No techniques were marked under Reconnaissance, Resource Development, Initial Access, Execution, Credential Access, Lateral Movement, Collection, Exfiltration or Impact.
Antivirus detection, sample (Source | Detection | Scanner | Label):
unpacked_1648556.bin.exe | 67% | Virustotal
unpacked_1648556.bin.exe | 58% | ReversingLabs | Win32.Trojan.IcedID
unpacked_1648556.bin.exe | 100% | Avira | HEUR/AGEN.1317131
unpacked_1648556.bin.exe | 100% | Joe Sandbox ML
No Antivirus matches

Antivirus detection, domains (Source | Detection | Scanner):
certifacto.com | 14% | Virustotal
bladisuka.red | 8% | Virustotal
cowspidzu.pro | 4% | Virustotal
muratinue.com | 3% | Virustotal

Antivirus detection, URLs (Source | Detection | Scanner | Label):
https://muratinue.com/photo.png?id=01B677C698EC38846700FF0000000000000000 | 0% | Avira URL Cloud | safe
https://muratinue.com/photo.png?id=01B677C698EC38846700FF0000000000000000% | 0% | Avira URL Cloud | safe
https://cowspidzu.pro/ | 0% | Avira URL Cloud | safe
https://bladisuka.red/photo.png?id=01B677C698EC38846700FF0000000000000000 | 0% | Avira URL Cloud | safe
https://cowspidzu.pro/ | 6% | Virustotal
https://certifacto.com/R | 100% | Avira URL Cloud | phishing
https://cowspidzu.pro/photo.png?id=01B677C698EC38846700FF0000000000000000l | 0% | Avira URL Cloud | safe
https://certifacto.com/ | 100% | Avira URL Cloud | phishing
https://cowspidzu.pro/photo.png?id=01B677C698EC38846700FF0000000000000000& | 0% | Avira URL Cloud | safe
https://bladisuka.red/R | 0% | Avira URL Cloud | safe
https://bladisuka.red/photo.png?id=01B677C698EC38846700FF0000000000000000% | 0% | Avira URL Cloud | safe
https://certifacto.com/photo.png?id=01B677C698EC38846700FF0000000000000000XHM | 100% | Avira URL Cloud | phishing
https://muratinue.com/R | 0% | Avira URL Cloud | safe
https://certifacto.com/photo.png?id=01B677C698EC38846700FF0000000000000000 | 100% | Avira URL Cloud | phishing
https://muratinue.com/photo.png?id=01B677C698EC38846700FF000000000000000044U3h | 0% | Avira URL Cloud | safe
https://bladisuka.red/photo.png?id=01B677C698EC38846700FF0000000000000000= | 0% | Avira URL Cloud | safe
https://muratinue.com/ | 0% | Avira URL Cloud | safe
https://muratinue.com/photo.png?id=01B677C698EC38846700FF0000000000000000xGM | 0% | Avira URL Cloud | safe
https://bladisuka.red/ | 0% | Avira URL Cloud | safe
https://certifacto.com/ | 17% | Virustotal
https://cowspidzu.pro/photo.png?id=01B677C698EC38846700FF0000000000000000 | 0% | Avira URL Cloud | safe
https://bladisuka.red/ | 10% | Virustotal
https://muratinue.com/ | 3% | Virustotal

Domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation):
certifacto.com | IP: unknown | Active: unknown | Malicious: false | Reputation: unknown
muratinue.com | IP: unknown | Active: unknown | Malicious: false | Reputation: unknown
cowspidzu.pro | IP: unknown | Active: unknown | Malicious: false | Reputation: unknown
bladisuka.red | IP: unknown | Active: unknown | Malicious: false | Reputation: unknown

URLs (Name | Source | Malicious | Antivirus Detection | Reputation):
https://cowspidzu.pro/ | Source: unpacked_1648556.bin.exe, 00000000.00000002.3304451196.00000000004B8000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Antivirus Detection: 6% Virustotal; Avira URL Cloud: safe | Reputation: unknown
https://muratinue.com/photo.png?id=01B677C698EC38846700FF0000000000000000 | Source: unpacked_1648556.bin.exe, 00000000.00000003.3300283554.00000000004F4000.00000004.00000020.00020000.00000000.sdmp, unpacked_1648556.bin.exe, 00000000.00000003.2355981421.00000000004B8000.00000004.00000020.00020000.00000000.sdmp, unpacked_1648556.bin.exe, 00000000.00000003.3300199442.00000000004B8000.00000004.00000020.00020000.00000000.sdmp, unpacked_1648556.bin.exe, 00000000.00000003.2996773531.00000000004F4000.00000004.00000020.00020000.00000000.sdmp, unpacked_1648556.bin.exe, 00000000.00000003.2996773531.00000000004BE000.00000004.00000020.00020000.00000000.sdmp, unpacked_1648556.bin.exe, 00000000.00000002.3304451196.00000000004B8000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
https://muratinue.com/photo.png?id=01B677C698EC38846700FF0000000000000000% | Source: unpacked_1648556.bin.exe, 00000000.00000003.2355981421.00000000004B8000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
https://bladisuka.red/photo.png?id=01B677C698EC38846700FF0000000000000000 | Source: unpacked_1648556.bin.exe, 00000000.00000003.2996773531.00000000004BE000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
https://certifacto.com/R | Source: unpacked_1648556.bin.exe, 00000000.00000003.2685214695.00000000004BE000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Antivirus Detection: Avira URL Cloud: phishing | Reputation: unknown
https://cowspidzu.pro/photo.png?id=01B677C698EC38846700FF0000000000000000l | Source: unpacked_1648556.bin.exe, 00000000.00000002.3304500733.00000000004F4000.00000004.00000020.00020000.00000000.sdmp, unpacked_1648556.bin.exe, 00000000.00000003.3300283554.00000000004F4000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
https://certifacto.com/ | Source: unpacked_1648556.bin.exe, 00000000.00000003.2685214695.00000000004BE000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Antivirus Detection: 17% Virustotal; Avira URL Cloud: phishing | Reputation: unknown
https://cowspidzu.pro/photo.png?id=01B677C698EC38846700FF0000000000000000& | Source: unpacked_1648556.bin.exe, 00000000.00000002.3304500733.00000000004F4000.00000004.00000020.00020000.00000000.sdmp, unpacked_1648556.bin.exe, 00000000.00000003.3300283554.00000000004F4000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
https://bladisuka.red/R | Source: unpacked_1648556.bin.exe, 00000000.00000003.2996773531.00000000004BE000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
https://bladisuka.red/photo.png?id=01B677C698EC38846700FF0000000000000000% | Source: unpacked_1648556.bin.exe, 00000000.00000003.2996773531.00000000004BE000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
https://certifacto.com/photo.png?id=01B677C698EC38846700FF0000000000000000XHM | Source: unpacked_1648556.bin.exe, 00000000.00000003.2685214695.00000000004BE000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Antivirus Detection: Avira URL Cloud: phishing | Reputation: unknown
https://muratinue.com/R | Source: unpacked_1648556.bin.exe, 00000000.00000003.2355981421.00000000004B8000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
https://certifacto.com/photo.png?id=01B677C698EC38846700FF0000000000000000 | Source: unpacked_1648556.bin.exe, 00000000.00000003.2355981421.00000000004B8000.00000004.00000020.00020000.00000000.sdmp, unpacked_1648556.bin.exe, 00000000.00000003.2685214695.00000000004BE000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Antivirus Detection: Avira URL Cloud: phishing | Reputation: unknown
https://muratinue.com/photo.png?id=01B677C698EC38846700FF000000000000000044U3h | Source: unpacked_1648556.bin.exe, 00000000.00000003.2355981421.00000000004CA000.00000004.00000020.00020000.00000000.sdmp, unpacked_1648556.bin.exe, 00000000.00000003.2356059601.00000000004CC000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
https://bladisuka.red/photo.png?id=01B677C698EC38846700FF0000000000000000= | Source: unpacked_1648556.bin.exe, 00000000.00000002.3304500733.00000000004F4000.00000004.00000020.00020000.00000000.sdmp, unpacked_1648556.bin.exe, 00000000.00000003.3300283554.00000000004F4000.00000004.00000020.00020000.00000000.sdmp | Malicious: false
            • Avira URL Cloud: safe
            unknown
            https://muratinue.com/unpacked_1648556.bin.exe, 00000000.00000003.2355981421.00000000004B8000.00000004.00000020.00020000.00000000.sdmp, unpacked_1648556.bin.exe, 00000000.00000003.2996773531.00000000004CA000.00000004.00000020.00020000.00000000.sdmp, unpacked_1648556.bin.exe, 00000000.00000003.2996773531.00000000004BE000.00000004.00000020.00020000.00000000.sdmpfalse
            • 3%, Virustotal, Browse
            • Avira URL Cloud: safe
            unknown
            https://muratinue.com/photo.png?id=01B677C698EC38846700FF0000000000000000xGMunpacked_1648556.bin.exe, 00000000.00000003.3300199442.00000000004B8000.00000004.00000020.00020000.00000000.sdmp, unpacked_1648556.bin.exe, 00000000.00000002.3304451196.00000000004B8000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            https://bladisuka.red/unpacked_1648556.bin.exe, 00000000.00000003.2996773531.00000000004BE000.00000004.00000020.00020000.00000000.sdmpfalse
            • 10%, Virustotal, Browse
            • Avira URL Cloud: safe
            unknown
            https://cowspidzu.pro/photo.png?id=01B677C698EC38846700FF0000000000000000unpacked_1648556.bin.exe, 00000000.00000003.3300199442.00000000004B8000.00000004.00000020.00020000.00000000.sdmp, unpacked_1648556.bin.exe, 00000000.00000002.3304451196.00000000004B8000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            No contacted IP infos
            Joe Sandbox version: 40.0.0 Tourmaline
            Analysis ID: 1417149
            Start date and time: 2024-03-28 17:16:04 +01:00
            Joe Sandbox product: CloudBasic
            Overall analysis duration: 0h 3m 50s
            Hypervisor based Inspection enabled: false
            Report type: full
            Cookbook file name: default.jbs
            Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
            Number of new started processes analysed: 4
            Number of new started drivers analysed: 0
            Number of existing processes analysed: 0
            Number of existing drivers analysed: 0
            Number of injected processes analysed: 0
            Technologies:
            • HCA enabled
            • EGA enabled
            • AMSI enabled
            Analysis Mode: default
            Analysis stop reason: Timeout
            Sample name: unpacked_1648556.bin.exe
            Detection: MAL
            Classification: mal96.troj.evad.winEXE@1/0@24/0
            EGA Information:
            • Successful, ratio: 100%
            HCA Information:
            • Successful, ratio: 100%
            • Number of executed functions: 5
            • Number of non-executed functions: 2
            Cookbook Comments:
            • Found application associated with file extension: .exe
            • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
            • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
            Time      Type             Description
            17:16:48  API Interceptor  24x Sleep call for process: unpacked_1648556.bin.exe modified
            No context
            No created / dropped files found
            File type: PE32 executable (GUI) Intel 80386, for MS Windows
            Entropy (8bit): 2.987212235940418
            TrID:
            • Win32 Executable (generic) a (10002005/4) 99.96%
            • Generic Win/DOS Executable (2004/3) 0.02%
            • DOS Executable Generic (2002/1) 0.02%
            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
            File name: unpacked_1648556.bin.exe
            File size: 13'102 bytes
            MD5: 95e35564ed41b3eeb4db220baec91c41
            SHA1: 4c209f8b3c7684fc96c5d77c7b4f0ef896a40814
            SHA256: 9b5498c5c240818198e2eea9d9b8dce18273ea24b167882c9efc030e2643f127
            SHA512: e07b43669dcb234a23b5189c272e2205596bdb80b73acc4aba82f12f20b94c0abc996a1f6d9bab7db0e1e78fc93132d6e9cdb4a2007fd5b680e9e33dbd1b4f4c
            SSDEEP: 96:MMqEESUUhDYXAybZACN3fICtECLi0/rxV+YVh:MMqr7UhcXAybZBrWw/+YVh
            TLSH: 6042F8D7AC14A8B0FBC744B40A49216DE3F72922277014F78DB349CADAA2E95346D722
            File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................+.......+.......Rich....................PE..L...St.]............................=........ ....@
            Icon Hash: 00928e8e8686b000
            Entrypoint: 0x40163d
            Entrypoint Section: .text
            Digitally signed: false
            Imagebase: 0x400000
            Subsystem: windows gui
            Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
            DLL Characteristics: TERMINAL_SERVER_AWARE
            Time Stamp: 0x5D9C7453 [Tue Oct 8 11:34:43 2019 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major: 5
            OS Version Minor: 1
            File Version Major: 5
            File Version Minor: 1
            Subsystem Version Major: 5
            Subsystem Version Minor: 1
            Import Hash: 0e18f33408be6e4cb217f0266066c51c
            Instruction
            call 00007FF200BF00ECh
            push 00000000h
            call dword ptr [0040200Ch]
            int3
            sub esp, 1Ch
            or dword ptr [esp+04h], FFFFFFFFh
            mov eax, edx
            push ebx
            push esi
            mov ebx, ecx
            mov dword ptr [esp+18h], eax
            xor ecx, ecx
            push ecx
            push ecx
            mov dword ptr [eax], ecx
            mov esi, ecx
            mov eax, dword ptr [esp+30h]
            push ecx
            push ecx
            push ecx
            mov dword ptr [esp+24h], ecx
            mov dword ptr [eax], ecx
            call dword ptr [0040207Ch]
            mov ecx, eax
            mov dword ptr [esp+20h], ecx
            test ecx, ecx
            je 00007FF200BF03B1h
            movzx eax, word ptr [ebx+08h]
            push ebp
            push esi
            push eax
            push dword ptr [ebx]
            push ecx
            call dword ptr [00402088h]
            mov ebp, dword ptr [00402068h]
            mov ecx, eax
            mov dword ptr [esp+20h], ecx
            test ecx, ecx
            je 00007FF200BF0386h
            mov eax, dword ptr [ebx+0Ch]
            neg eax
            push edi
            sbb eax, eax
            and eax, 00800000h
            push eax
            mov dword ptr [esp+20h], eax
            xor eax, eax
            push eax
            push eax
            push eax
            push dword ptr [ebx+04h]
            push 004020FCh
            push ecx
            call dword ptr [00402070h]
            mov edi, eax
            test edi, edi
            je 00007FF200BF034Fh
            cmp dword ptr [ebx+0Ch], esi
            je 00007FF200BF024Ah
            push 00000004h
            lea eax, dword ptr [esp+20h]
            mov dword ptr [esp+20h], 00003300h
            push eax
            push 0000001Fh
            push edi
            call dword ptr [0040206Ch]
            xor ebx, ebx
            push ebx
            push ebx
            push ebx
            push ebx
            push ebx
            push ebx
            push edi
            call dword ptr [00402074h]
            Name                                  Virtual Address  Virtual Size  Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
            IMAGE_DIRECTORY_ENTRY_IMPORT          0x210c           0x78          .rdata
            IMAGE_DIRECTORY_ENTRY_RESOURCE        0x0              0x0
            IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
            IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
            IMAGE_DIRECTORY_ENTRY_BASERELOC       0x4000           0x8c          .reloc
            IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
            IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
            IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x94          .rdata
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
            IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
            Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity  File Type  Entropy             Characteristics
            .text   0x1000           0x932         0xa00     1ed92ae465afad5ebd29398040c5300b  False     0.647265625      data       6.043762853215392   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            .rdata  0x2000           0x468         0x600     ed1fd9a0fd0d16380b51b3b9343b0b46  False     0.375            data       3.9346229806161377  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .data   0x3000           0x250         0x400     ff9a11e3a14acb509f0e69fe85705da0  False     0.6240234375     data       5.345200891641907   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            .reloc  0x4000           0x8c          0x200     5bf3b03a3feb562e4a8af4efc9b4f384  False     0.298828125      data       2.1736473568030688  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
            DLL           Import
            ADVAPI32.dll  GetUserNameA
            SHELL32.dll   SHGetFolderPathA
            KERNEL32.dll  lstrcpyA, ExitProcess, CreateDirectoryA, lstrcatA, Sleep, lstrlenA, ReadFile, HeapFree, WriteFile, CreateFileA, CloseHandle, HeapAlloc, GetFileSize, GetProcessHeap, GetModuleFileNameA, VirtualProtect, VirtualAlloc, HeapReAlloc
            WINHTTP.dll   WinHttpCloseHandle, WinHttpSetOption, WinHttpOpenRequest, WinHttpSendRequest, WinHttpQueryHeaders, WinHttpOpen, WinHttpReceiveResponse, WinHttpQueryDataAvailable, WinHttpConnect, WinHttpReadData
            USER32.dll    wsprintfA, wsprintfW


            Target ID: 0
            Start time: 17:16:48
            Start date: 28/03/2024
            Path: C:\Users\user\Desktop\unpacked_1648556.bin.exe
            Wow64 process (32bit): true
            Commandline: "C:\Users\user\Desktop\unpacked_1648556.bin.exe"
            Imagebase: 0x400000
            File size: 13'102 bytes
            MD5 hash: 95E35564ED41B3EEB4DB220BAEC91C41
            Has elevated privileges: true
            Has administrator privileges: true
            Programmed in: C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_IcedID_3, Description: Yara detected IcedID, Source: 00000000.00000002.3304323010.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
            • Rule: JoeSecurity_IcedID_3, Description: Yara detected IcedID, Source: 00000000.00000000.2055305505.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
            Reputation: low
            Has exited: false


              Execution Graph

              Execution Coverage: 41.3%
              Dynamic/Decrypted Code Coverage: 0%
              Signature Coverage: 46.3%
              Total number of Nodes: 67
              Total number of Limit Nodes: 4

              Callgraph


              Control-flow Graph

              APIs
                • Part of subcall function 004010F6: wsprintfA.USER32 ref: 00401213
              • wsprintfA.USER32 ref: 0040125B
              • wsprintfW.USER32 ref: 00401284
              • GetProcessHeap.KERNEL32(00000000,?), ref: 00401299
              • HeapFree.KERNEL32(00000000), ref: 004012A0
              • Sleep.KERNELBASE(00001388), ref: 004012AB
              • wsprintfW.USER32 ref: 004012D7
              • wsprintfW.USER32 ref: 004012EE
                • Part of subcall function 0040164B: WinHttpOpen.WINHTTP(00000000,00000000,00000000,00000000,00000000,00403050,?), ref: 00401672
                • Part of subcall function 0040164B: WinHttpConnect.WINHTTP(00000000,?,00403000,00000000,769373E0), ref: 00401690
                • Part of subcall function 0040164B: WinHttpOpenRequest.WINHTTP(00000000,GET,00000008,00000000,00000000,00000000,?,?), ref: 004016CA
                • Part of subcall function 0040164B: WinHttpSetOption.WINHTTP(00000000,0000001F,?,?,?,?,?,?,?,00000004), ref: 004016F1
                • Part of subcall function 0040164B: WinHttpSendRequest.WINHTTP(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00401700
                • Part of subcall function 0040164B: WinHttpReceiveResponse.WINHTTP(00000000,00000000), ref: 00401710
                • Part of subcall function 0040164B: WinHttpQueryHeaders.WINHTTP(00000000,20000013,00000000,?,?,?,?,?,00000000), ref: 00401738
                • Part of subcall function 0040164B: WinHttpQueryDataAvailable.WINHTTP(00000000,?,?,?,?,00000000), ref: 00401750
              Memory Dump Source
              • Source File: 00000000.00000002.3304323010.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.3304310287.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.3304336203.0000000000402000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.3304348581.0000000000403000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.3304361717.0000000000404000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_unpacked_1648556.jbxd
              Similarity
              • API ID: Http$wsprintf$HeapOpenQueryRequest$AvailableConnectDataFreeHeadersOptionProcessReceiveResponseSendSleep
              • String ID: /photo.png?id=%0.2X%0.8X%0.8X%s$P0@$P0@$certifacto.com
              • API String ID: 2449687179-4257802127
              • Opcode ID: bb6f965cb869c1e29d3edd06f1c1eb35708df14fdce8961a2f3ffc5c110496ed
              • Instruction ID: ac0a9ec265034623daaf93235f63ea977b0f2928ee0bb21e20cc7be28b8d66a2
              • Opcode Fuzzy Hash: bb6f965cb869c1e29d3edd06f1c1eb35708df14fdce8961a2f3ffc5c110496ed
              • Instruction Fuzzy Hash: 6031AE724043049FD7219F60DD89BABB7ECAB45311F10083BF648E61D0E7B99658CB9A
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              APIs
              • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00401519
              • lstrcatA.KERNEL32(?,004020A8), ref: 0040153C
              • lstrlenA.KERNEL32(?,00000100), ref: 00401549
              • GetUserNameA.ADVAPI32(00000000), ref: 00401558
              • CreateDirectoryA.KERNELBASE(?,00000000), ref: 00401566
              • lstrcatA.KERNEL32(?,\photo.png), ref: 00401578
                • Part of subcall function 00401000: CreateFileA.KERNELBASE(?,80000000,00000000,00000000,00000003,00000000,00000000,?,?,?,?,?,004015C1,?), ref: 00401017
                • Part of subcall function 0040133E: GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,00401601,00000100,?), ref: 004013A8
                • Part of subcall function 0040133E: HeapAlloc.KERNEL32(00000000,?,?,?,?,00401601,00000100,?), ref: 004013AF
              Memory Dump Source
              • Source File: 00000000.00000002.3304323010.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.3304310287.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.3304336203.0000000000402000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.3304348581.0000000000403000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.3304361717.0000000000404000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_unpacked_1648556.jbxd
              Similarity
              • API ID: CreateHeaplstrcat$AllocDirectoryFileFolderNamePathProcessUserlstrlen
              • String ID: \photo.png$c:\Users\Public\
              • API String ID: 2646763722-1729186543
              • Opcode ID: c72ea984eb8d80ac2369ad5aef1a4933e53f060351bd53c6ec56284a8b01ca31
              • Instruction ID: 1e32d002f9172cf96e27b289902e577b30f24e7352077b94137c0d75217fd915
              • Opcode Fuzzy Hash: c72ea984eb8d80ac2369ad5aef1a4933e53f060351bd53c6ec56284a8b01ca31
              • Instruction Fuzzy Hash: 71315D7290120AABDB14DBA1DD44ADE77BCAF88318F1040BBE505F7190EA789B49CB58
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 65 401000-401022 CreateFileA 66 401024-401026 65->66 67 401028-401038 GetFileSize 65->67 68 401094-401099 66->68 69 40103a-401050 GetProcessHeap HeapAlloc 67->69 70 40108b-401092 CloseHandle 67->70 69->70 71 401052-401067 ReadFile 69->71 70->68 72 401071-401075 71->72 73 401069-40106f 71->73 74 401077-401083 GetProcessHeap HeapFree 72->74 75 401089 72->75 73->70 73->72 74->75 75->70
              APIs
              • CreateFileA.KERNELBASE(?,80000000,00000000,00000000,00000003,00000000,00000000,?,?,?,?,?,004015C1,?), ref: 00401017
              • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,?,004015C1,?), ref: 0040102A
              • GetProcessHeap.KERNEL32(00000008,00000001,?,?,?,?,?,004015C1,?), ref: 0040103E
              • HeapAlloc.KERNEL32(00000000,?,?,?,?,?,004015C1,?), ref: 00401045
              • ReadFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,?,?,?,004015C1,?), ref: 0040105D
              • GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,004015C1,?), ref: 0040107C
              • HeapFree.KERNEL32(00000000,?,?,?,?,?,004015C1,?), ref: 00401083
              • CloseHandle.KERNEL32(00000000,?,?,?,?,?,004015C1,?), ref: 0040108C
              Memory Dump Source
              • Source File: 00000000.00000002.3304323010.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.3304310287.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.3304336203.0000000000402000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.3304348581.0000000000403000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.3304361717.0000000000404000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_unpacked_1648556.jbxd
              Yara matches
              Similarity
              • API ID: Heap$File$Process$AllocCloseCreateFreeHandleReadSize
              • String ID:
              • API String ID: 3250796435-0
              • Opcode ID: d71e39f31f059ef02541d960fa9c1b590571dd240f127db14d7bca99188b9bd7
              • Instruction ID: 7196823dc6dde995d276883100c29ad84b9aaa5454c4053e5c344cd77300fa2d
              • Opcode Fuzzy Hash: d71e39f31f059ef02541d960fa9c1b590571dd240f127db14d7bca99188b9bd7
              • Instruction Fuzzy Hash: 64118C71600314AFE7215B609E8CF3B3AACEB48791F00023AFE42E62E0CB748C44CA75
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              APIs
              • WinHttpOpen.WINHTTP(00000000,00000000,00000000,00000000,00000000,00403050,?), ref: 00401672
              • WinHttpConnect.WINHTTP(00000000,?,00403000,00000000,769373E0), ref: 00401690
              • WinHttpOpenRequest.WINHTTP(00000000,GET,00000008,00000000,00000000,00000000,?,?), ref: 004016CA
              • WinHttpSetOption.WINHTTP(00000000,0000001F,?,?,?,?,?,?,?,00000004), ref: 004016F1
              • WinHttpSendRequest.WINHTTP(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00401700
              • WinHttpReceiveResponse.WINHTTP(00000000,00000000), ref: 00401710
              • WinHttpQueryHeaders.WINHTTP(00000000,20000013,00000000,?,?,?,?,?,00000000), ref: 00401738
              • WinHttpQueryDataAvailable.WINHTTP(00000000,?,?,?,?,00000000), ref: 00401750
              • GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,?,00000000), ref: 00401778
              • HeapReAlloc.KERNEL32(00000000,?,?,?,00000000), ref: 0040177F
              • GetProcessHeap.KERNEL32(00000008,?,?,?,?,00000000), ref: 00401789
              • HeapAlloc.KERNEL32(00000000,?,?,?,00000000), ref: 00401790
              • WinHttpReadData.WINHTTP(00000000,?,00000004,?,?,?,?,00000000), ref: 004017AA
              • WinHttpQueryDataAvailable.WINHTTP(00000000,00000000,?,?,?,00000000), ref: 004017CE
              • WinHttpCloseHandle.WINHTTP(00000000), ref: 004017F1
              • WinHttpCloseHandle.WINHTTP(?), ref: 004017F7
              • WinHttpCloseHandle.WINHTTP(?), ref: 004017FE
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.3304323010.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.3304310287.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.3304336203.0000000000402000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.3304348581.0000000000403000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.3304361717.0000000000404000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_unpacked_1648556.jbxd
              Yara matches
              Similarity
              • API ID: Http$Heap$CloseDataHandleQuery$AllocAvailableOpenProcessRequest$ConnectHeadersOptionReadReceiveResponseSend
              • String ID: GET
              • API String ID: 3448144009-1805413626
              • Opcode ID: fbdb2734ed39104321bbea6601a825f1598d8f8ac04e13d7a6c1a0a8a8b556f9
              • Instruction ID: c000a016404b84c3db06d1c1d03d7f955183dab0a866c7734e066e2fd7071995
              • Opcode Fuzzy Hash: fbdb2734ed39104321bbea6601a825f1598d8f8ac04e13d7a6c1a0a8a8b556f9
              • Instruction Fuzzy Hash: 06513D71204306AFE7159F64DD88A3BB6ECFB88745F04463EF945E6290D778CD04CA6A
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 76 40163d call 4014f9 78 401642-401644 ExitProcess 76->78
              APIs
                • Part of subcall function 004014F9: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00401519
                • Part of subcall function 004014F9: lstrcatA.KERNEL32(?,004020A8), ref: 0040153C
                • Part of subcall function 004014F9: lstrlenA.KERNEL32(?,00000100), ref: 00401549
                • Part of subcall function 004014F9: GetUserNameA.ADVAPI32(00000000), ref: 00401558
                • Part of subcall function 004014F9: CreateDirectoryA.KERNELBASE(?,00000000), ref: 00401566
                • Part of subcall function 004014F9: lstrcatA.KERNEL32(?,\photo.png), ref: 00401578
              • ExitProcess.KERNEL32 ref: 00401644
              Memory Dump Source
              • Source File: 00000000.00000002.3304323010.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.3304310287.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.3304336203.0000000000402000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.3304348581.0000000000403000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.3304361717.0000000000404000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_unpacked_1648556.jbxd
              Yara matches
              Similarity
              • API ID: lstrcat$CreateDirectoryExitFolderNamePathProcessUserlstrlen
              • String ID:
              • API String ID: 837314502-0
              • Opcode ID: 67f2f9c6430378e8bbf73e29909b1a8120cfe11d62b5aa809138c9d740b9c40d
              • Instruction ID: 699473198d60680ca1db461fe7274139018ac47e06ba6666adbd288e2d28ca11
              • Opcode Fuzzy Hash: 67f2f9c6430378e8bbf73e29909b1a8120cfe11d62b5aa809138c9d740b9c40d
              • Instruction Fuzzy Hash: B790022414420196F14027619A4E7083614570070EF00812AB605741F24DB410009569
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 110 4010f6-40112d 111 401131-40115b 110->111 112 4011a5 111->112 113 40115d 111->113 114 4011a9-4011ac 112->114 115 401166-40116a 113->115 116 40115f-401164 113->116 114->111 117 4011ae-401223 wsprintfA 114->117 115->114 116->115 118 40116c-40116e 116->118 118->112 119 401170 118->119 120 401172-401177 119->120 121 401179-40117d 119->121 120->121 122 40117f-401181 120->122 121->114 122->112 123 401183 122->123 124 401185-40118a 123->124 125 40118c-401190 123->125 124->125 126 401192-401194 124->126 125->114 126->112 127 401196 126->127 128 401198-40119d 127->128 129 40119f-4011a3 127->129 128->112 128->129 129->114
              APIs
              Strings
              • %0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.8X, xrefs: 0040120A
              Memory Dump Source
              • Source File: 00000000.00000002.3304323010.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.3304310287.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.3304336203.0000000000402000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.3304348581.0000000000403000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.3304361717.0000000000404000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_unpacked_1648556.jbxd
              Yara matches
              Similarity
              • API ID: wsprintf
              • String ID: %0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.8X
              • API String ID: 2111968516-2948424886
              • Opcode ID: 735d48468313b247fda2b519b6a9cf4e7bbef6b982e9e44abc55cc91181ded41
              • Instruction ID: 7ebe0c0504e96e8a14ac6d91dfe0f92ddaf99528c90f3393e26f59d48c55d300
              • Opcode Fuzzy Hash: 735d48468313b247fda2b519b6a9cf4e7bbef6b982e9e44abc55cc91181ded41
              • Instruction Fuzzy Hash: EF31827150C3825DD319CF29450026BFFE6AB9E314F18C9BFF5D9A62A2C138C5498B1A
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 79 4013eb-401415 VirtualAlloc 80 4014f3-4014f8 79->80 81 40141b-401421 79->81 82 401423-401425 81->82 83 401435-4014a4 GetModuleFileNameA lstrcpyA 81->83 84 401427-401430 82->84 85 4014b3-4014c4 83->85 86 4014a6 83->86 84->84 87 401432 84->87 89 4014d3-4014f1 VirtualProtect 85->89 90 4014c6 85->90 88 4014a8-4014b1 86->88 87->83 88->85 88->88 89->80 91 4014c8-4014d1 90->91 91->89 91->91
              APIs
              • VirtualAlloc.KERNEL32(00000000,-00000758,00003000,00000004,?,?,?,00000100,00000100,00401627), ref: 0040140B
              • GetModuleFileNameA.KERNEL32(00000000,00000010,00000104,?,?,?,?,00000100,00000100,00401627), ref: 00401479
              • lstrcpyA.KERNEL32(00000114,?,?,?,?,?,00000100,00000100,00401627), ref: 0040148C
              • VirtualProtect.KERNEL32(00000000,?,00000020,?,?,?,?,00000100,00000100,00401627), ref: 004014EB
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.3304323010.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.3304310287.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.3304336203.0000000000402000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.3304348581.0000000000403000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.3304361717.0000000000404000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_unpacked_1648556.jbxd
              Yara matches
              Similarity
              • API ID: Virtual$AllocFileModuleNameProtectlstrcpy
              • String ID: /index.php$P0@
              • API String ID: 3006385884-1767980295
              • Opcode ID: 0485d42b71d75694ef283f4a58f368b17bd47d2e6821ddc06a87ea717f02bed8
              • Instruction ID: 4e3a36998658176b69afbe06ed387cec5f0d1b1896a2089fca78f9c9dec74f40
              • Opcode Fuzzy Hash: 0485d42b71d75694ef283f4a58f368b17bd47d2e6821ddc06a87ea717f02bed8
              • Instruction Fuzzy Hash: 17314776601B81AFD3158F2CCD84AA6BFA8FF45705F04822EE6899B3A5C735E504CB64
              Uniqueness

              Uniqueness Score: -1.00%