Edit tour

Windows Analysis Report
ZAXkflgLEq.exe

Overview

General Information

Sample name:	ZAXkflgLEq.exe renamed because original name is a hash value
Original sample name:	464ea1bd9930cd4ecae392d7214c3905.exe
Analysis ID:	1417252
MD5:	464ea1bd9930cd4ecae392d7214c3905
SHA1:	525be920ce25cf340d8e47a0f3fd993a908449fc
SHA256:	cade479a0b203af759b0f82c80d4b95ca46abe3a4f665f365953eb5e25fe9284
Tags:	exe
Infos:

Detection

RHADAMANTHYS

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected RHADAMANTHYS Stealer

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

AV process strings found (often used to terminate AV products)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Installs a raw input device (often for capturing keystrokes)

JA3 SSL client fingerprint seen in connection with other malware

PE file contains sections with non-standard names

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Keylogger Generic

Classification

Process Tree

System is w10x64

ZAXkflgLEq.exe (PID: 7392 cmdline: "C:\Users\user\Desktop\ZAXkflgLEq.exe" MD5: 464EA1BD9930CD4ECAE392D7214C3905)

dialer.exe (PID: 7436 cmdline: "C:\Windows\system32\dialer.exe" MD5: E4BD77FB64DDE78F1A95ECE09F6A9B85)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Rhadamanthys	According to PCrisk, Rhadamanthys is a stealer-type malware, and as its name implies - it is designed to extract data from infected machines.At the time of writing, this malware is spread through malicious websites mirroring those of genuine software such as AnyDesk, Zoom, Notepad++, and others. Rhadamanthys is downloaded alongside the real program, thus diminishing immediate user suspicion. These sites were promoted through Google ads, which superseded the legitimate search results on the Google search engine.	Sandworm	https://blog.cyble.com/2023/01/12/rhadamanthys-new-stealer-spreading-through-google-ads/ https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023 https://elis531989.medium.com/dancing-with-shellcodes-analyzing-rhadamanthys-stealer-3c4986966a88 https://github.com/echocti/ECHO-Reports/blob/main/Malware%20Analysis%20Report/Rhdamanthys/Rhadamanthys-EN.pdf https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf	https://malpedia.caad.fkie.fraunhofer.de/details/win.rhadamanthys

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000001.00000003.1687455325.00000000035F0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000000.00000003.1684570895.00000000010B0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000001.00000003.1689171130.00000000058D0000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000000.00000003.1686332148.0000000004720000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000000.00000003.1686637669.0000000004940000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000000.00000003.1687219829.0000000003DE0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000001.00000003.1689027079.00000000056B0000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000001.00000002.2180403207.0000000004E70000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
Process Memory Space: ZAXkflgLEq.exe PID: 7392	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: dialer.exe PID: 7436	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author
1.3.dialer.exe.58d0000.7.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
1.3.dialer.exe.56b0000.6.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0.3.ZAXkflgLEq.exe.4720000.6.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
1.3.dialer.exe.56b0000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
1.3.dialer.exe.58d0000.7.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0.3.ZAXkflgLEq.exe.4940000.7.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
1.3.dialer.exe.56b0000.6.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Click to see the 2 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: ZAXkflgLEq.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: ZAXkflgLEq.exe

ReversingLabs: Detection: 71%

Machine Learning detection for sample

Source: ZAXkflgLEq.exe

Joe Sandbox ML: detected

Source: ZAXkflgLEq.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 91.92.254.230:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.92.254.230:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.92.254.230:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.92.254.230:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.92.254.230:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.92.254.230:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.92.254.230:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.92.254.230:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.92.254.230:443 -> 192.168.2.4:49745 version: TLS 1.2

Source: ZAXkflgLEq.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: wkernel32.pdb source: ZAXkflgLEq.exe, 00000000.00000003.1686157181.00000000047A0000.00000004.00000001.00020000.00000000.sdmp, ZAXkflgLEq.exe, 00000000.00000003.1686101457.0000000002C80000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000001.00000003.1688891903.00000000057D0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000001.00000003.1688827463.00000000056B0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wkernelbase.pdb source: ZAXkflgLEq.exe, 00000000.00000003.1686332148.0000000004720000.00000004.00000001.00020000.00000000.sdmp, ZAXkflgLEq.exe, 00000000.00000003.1686637669.0000000004940000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000001.00000003.1689171130.00000000058D0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000001.00000003.1689027079.00000000056B0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdb source: ZAXkflgLEq.exe, 00000000.00000003.1685443447.0000000004720000.00000004.00000001.00020000.00000000.sdmp, ZAXkflgLEq.exe, 00000000.00000003.1685589224.0000000004910000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000001.00000003.1688366710.00000000058A0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000001.00000003.1688216506.00000000056B0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: ZAXkflgLEq.exe, 00000000.00000003.1685818446.0000000004720000.00000004.00000001.00020000.00000000.sdmp, ZAXkflgLEq.exe, 00000000.00000003.1685939143.00000000048C0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000001.00000003.1688685540.0000000005850000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000001.00000003.1688561745.00000000056B0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: ZAXkflgLEq.exe, 00000000.00000003.1685443447.0000000004720000.00000004.00000001.00020000.00000000.sdmp, ZAXkflgLEq.exe, 00000000.00000003.1685589224.0000000004910000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000001.00000003.1688366710.00000000058A0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000001.00000003.1688216506.00000000056B0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: ZAXkflgLEq.exe, 00000000.00000003.1685818446.0000000004720000.00000004.00000001.00020000.00000000.sdmp, ZAXkflgLEq.exe, 00000000.00000003.1685939143.00000000048C0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000001.00000003.1688685540.0000000005850000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000001.00000003.1688561745.00000000056B0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wkernelbase.pdbUGP source: ZAXkflgLEq.exe, 00000000.00000003.1686332148.0000000004720000.00000004.00000001.00020000.00000000.sdmp, ZAXkflgLEq.exe, 00000000.00000003.1686637669.0000000004940000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000001.00000003.1689171130.00000000058D0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000001.00000003.1689027079.00000000056B0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wkernel32.pdbUGP source: ZAXkflgLEq.exe, 00000000.00000003.1686157181.00000000047A0000.00000004.00000001.00020000.00000000.sdmp, ZAXkflgLEq.exe, 00000000.00000003.1686101457.0000000002C80000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000001.00000003.1688891903.00000000057D0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000001.00000003.1688827463.00000000056B0000.00000004.00000001.00020000.00000000.sdmp

Source: Joe Sandbox View

JA3 fingerprint: caec7ddf6889590d999d7ca1b76373b6

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown

DNS traffic detected: queries for: www.carssell.online

Source: dialer.exe, 00000001.00000002.2180075196.000000000327C000.00000004.00000010.00020000.00000000.sdmp

String found in binary or memory: https://www.carssell.online:443/b45c71e9ac60e42309ff71/ox15jpua.xlk0e

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 91.92.254.230:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.92.254.230:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.92.254.230:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.92.254.230:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.92.254.230:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.92.254.230:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.92.254.230:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.92.254.230:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.92.254.230:443 -> 192.168.2.4:49745 version: TLS 1.2

Source: ZAXkflgLEq.exe, 00000000.00000003.1686332148.0000000004720000.00000004.00000001.00020000.00000000.sdmp

Binary or memory string: DirectInput8Create

memstr_ce44904d-b

Source: ZAXkflgLEq.exe, 00000000.00000003.1686332148.0000000004720000.00000004.00000001.00020000.00000000.sdmp

Binary or memory string: GetRawInputData

memstr_dd65927f-f

Source: Yara match	File source: 1.3.dialer.exe.58d0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.dialer.exe.56b0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.ZAXkflgLEq.exe.4720000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.dialer.exe.56b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.dialer.exe.58d0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.ZAXkflgLEq.exe.4940000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.dialer.exe.56b0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000003.1689171130.00000000058D0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1686332148.0000000004720000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1686637669.0000000004940000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1689027079.00000000056B0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ZAXkflgLEq.exe PID: 7392, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dialer.exe PID: 7436, type: MEMORYSTR

Source: C:\Users\user\Desktop\ZAXkflgLEq.exe

Code function: 0_2_00C90AA0

0_2_00C90AA0

Source: ZAXkflgLEq.exe, 00000000.00000003.1686101457.0000000002D12000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamekernel32j% vs ZAXkflgLEq.exe
Source: ZAXkflgLEq.exe, 00000000.00000003.1686332148.0000000004720000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameKernelbase.dllj% vs ZAXkflgLEq.exe
Source: ZAXkflgLEq.exe, 00000000.00000003.1685443447.0000000004898000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs ZAXkflgLEq.exe
Source: ZAXkflgLEq.exe, 00000000.00000002.1687647111.0000000000CAB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameTCPZ.exe, vs ZAXkflgLEq.exe
Source: ZAXkflgLEq.exe, 00000000.00000003.1685939143.00000000049ED000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs ZAXkflgLEq.exe
Source: ZAXkflgLEq.exe, 00000000.00000003.1686157181.00000000047A0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \[FileVersionProductVersionFileDescriptionCompanyNameProductNameOriginalFilenameInternalNameLegalCopyright vs ZAXkflgLEq.exe
Source: ZAXkflgLEq.exe, 00000000.00000003.1686157181.00000000047F0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamekernel32j% vs ZAXkflgLEq.exe
Source: ZAXkflgLEq.exe, 00000000.00000003.1686101457.0000000002C80000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \[FileVersionProductVersionFileDescriptionCompanyNameProductNameOriginalFilenameInternalNameLegalCopyright vs ZAXkflgLEq.exe
Source: ZAXkflgLEq.exe, 00000000.00000003.1686637669.0000000004B21000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameKernelbase.dllj% vs ZAXkflgLEq.exe
Source: ZAXkflgLEq.exe, 00000000.00000003.1685818446.0000000004843000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs ZAXkflgLEq.exe
Source: ZAXkflgLEq.exe, 00000000.00000003.1685589224.0000000004A96000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs ZAXkflgLEq.exe
Source: ZAXkflgLEq.exe	Binary or memory string: OriginalFilenameTCPZ.exe, vs ZAXkflgLEq.exe

Source: C:\Users\user\Desktop\ZAXkflgLEq.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dialer.exe	Section loaded: tapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dialer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dialer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dialer.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dialer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dialer.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dialer.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dialer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dialer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dialer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dialer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dialer.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dialer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dialer.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dialer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dialer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dialer.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dialer.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dialer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dialer.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dialer.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: ZAXkflgLEq.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@3/0@1/1

Source: C:\Windows\SysWOW64\dialer.exe

Mutant created: \Sessions\1\BaseNamedObjects\MSCTF.Asm.{00000009-4fb3f26-9d18-66b568-627b8a85e4b6}

Source: C:\Windows\SysWOW64\dialer.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\dialer.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\ZAXkflgLEq.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: ZAXkflgLEq.exe

ReversingLabs: Detection: 71%

Source: C:\Users\user\Desktop\ZAXkflgLEq.exe

Evasive API call chain: __getmainargs,DecisionNodes,exit

graph_0-1272

Source: unknown	Process created: C:\Users\user\Desktop\ZAXkflgLEq.exe "C:\Users\user\Desktop\ZAXkflgLEq.exe"
Source: C:\Users\user\Desktop\ZAXkflgLEq.exe	Process created: C:\Windows\SysWOW64\dialer.exe "C:\Windows\system32\dialer.exe"
Source: C:\Users\user\Desktop\ZAXkflgLEq.exe	Process created: C:\Windows\SysWOW64\dialer.exe "C:\Windows\system32\dialer.exe"	Jump to behavior

Source: C:\Windows\SysWOW64\dialer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: ZAXkflgLEq.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: ZAXkflgLEq.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wkernel32.pdb source: ZAXkflgLEq.exe, 00000000.00000003.1686157181.00000000047A0000.00000004.00000001.00020000.00000000.sdmp, ZAXkflgLEq.exe, 00000000.00000003.1686101457.0000000002C80000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000001.00000003.1688891903.00000000057D0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000001.00000003.1688827463.00000000056B0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wkernelbase.pdb source: ZAXkflgLEq.exe, 00000000.00000003.1686332148.0000000004720000.00000004.00000001.00020000.00000000.sdmp, ZAXkflgLEq.exe, 00000000.00000003.1686637669.0000000004940000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000001.00000003.1689171130.00000000058D0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000001.00000003.1689027079.00000000056B0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdb source: ZAXkflgLEq.exe, 00000000.00000003.1685443447.0000000004720000.00000004.00000001.00020000.00000000.sdmp, ZAXkflgLEq.exe, 00000000.00000003.1685589224.0000000004910000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000001.00000003.1688366710.00000000058A0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000001.00000003.1688216506.00000000056B0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: ZAXkflgLEq.exe, 00000000.00000003.1685818446.0000000004720000.00000004.00000001.00020000.00000000.sdmp, ZAXkflgLEq.exe, 00000000.00000003.1685939143.00000000048C0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000001.00000003.1688685540.0000000005850000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000001.00000003.1688561745.00000000056B0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: ZAXkflgLEq.exe, 00000000.00000003.1685443447.0000000004720000.00000004.00000001.00020000.00000000.sdmp, ZAXkflgLEq.exe, 00000000.00000003.1685589224.0000000004910000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000001.00000003.1688366710.00000000058A0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000001.00000003.1688216506.00000000056B0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: ZAXkflgLEq.exe, 00000000.00000003.1685818446.0000000004720000.00000004.00000001.00020000.00000000.sdmp, ZAXkflgLEq.exe, 00000000.00000003.1685939143.00000000048C0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000001.00000003.1688685540.0000000005850000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000001.00000003.1688561745.00000000056B0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wkernelbase.pdbUGP source: ZAXkflgLEq.exe, 00000000.00000003.1686332148.0000000004720000.00000004.00000001.00020000.00000000.sdmp, ZAXkflgLEq.exe, 00000000.00000003.1686637669.0000000004940000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000001.00000003.1689171130.00000000058D0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000001.00000003.1689027079.00000000056B0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wkernel32.pdbUGP source: ZAXkflgLEq.exe, 00000000.00000003.1686157181.00000000047A0000.00000004.00000001.00020000.00000000.sdmp, ZAXkflgLEq.exe, 00000000.00000003.1686101457.0000000002C80000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000001.00000003.1688891903.00000000057D0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000001.00000003.1688827463.00000000056B0000.00000004.00000001.00020000.00000000.sdmp

Source: ZAXkflgLEq.exe

Static PE information: section name: .textbss

Source: C:\Users\user\Desktop\ZAXkflgLEq.exe	Code function: 0_3_00C95AF4 pushad ; retf	0_3_00C95B03
Source: C:\Users\user\Desktop\ZAXkflgLEq.exe	Code function: 0_3_00C96285 push F693B671h; retf	0_3_00C9628A
Source: C:\Users\user\Desktop\ZAXkflgLEq.exe	Code function: 0_3_00C97C52 push dword ptr [edx+ebp+3Bh]; retf	0_3_00C97C5F
Source: C:\Users\user\Desktop\ZAXkflgLEq.exe	Code function: 0_3_00C95DCE push edi; iretd	0_3_00C95DD5
Source: C:\Users\user\Desktop\ZAXkflgLEq.exe	Code function: 0_3_00C96F48 push es; ret	0_3_00C96F49
Source: C:\Users\user\Desktop\ZAXkflgLEq.exe	Code function: 0_3_00C92F4E push eax; retf	0_3_00C92F4F
Source: C:\Users\user\Desktop\ZAXkflgLEq.exe	Code function: 0_3_00C9416F push ecx; iretd	0_3_00C9417B
Source: C:\Users\user\Desktop\ZAXkflgLEq.exe	Code function: 0_3_00C9657C push esi; ret	0_3_00C96580
Source: C:\Users\user\Desktop\ZAXkflgLEq.exe	Code function: 0_3_00C9412F pushad ; ret	0_3_00C94137
Source: C:\Users\user\Desktop\ZAXkflgLEq.exe	Code function: 0_2_00C49429 push cs; retf	0_2_00C49565
Source: C:\Users\user\Desktop\ZAXkflgLEq.exe	Code function: 0_2_00C48964 push ebx; retf	0_2_00C48965
Source: C:\Users\user\Desktop\ZAXkflgLEq.exe	Code function: 0_2_00C4750E push ds; iretd	0_2_00C47517
Source: C:\Users\user\Desktop\ZAXkflgLEq.exe	Code function: 0_2_00C51269 push edx; retf	0_2_00C51422
Source: C:\Users\user\Desktop\ZAXkflgLEq.exe	Code function: 0_2_00C4FF22 push edi; iretd	0_2_00C4FF2D
Source: C:\Windows\SysWOW64\dialer.exe	Code function: 1_3_03284305 push F693B671h; retf	1_3_0328430A
Source: C:\Windows\SysWOW64\dialer.exe	Code function: 1_3_03283B74 pushad ; retf	1_3_03283B83
Source: C:\Windows\SysWOW64\dialer.exe	Code function: 1_3_032821AF pushad ; ret	1_3_032821B7
Source: C:\Windows\SysWOW64\dialer.exe	Code function: 1_3_032821EF push ecx; iretd	1_3_032821FB
Source: C:\Windows\SysWOW64\dialer.exe	Code function: 1_3_032845FC push esi; ret	1_3_03284600
Source: C:\Windows\SysWOW64\dialer.exe	Code function: 1_3_03284FC8 push es; ret	1_3_03284FC9
Source: C:\Windows\SysWOW64\dialer.exe	Code function: 1_3_03280FCE push eax; retf	1_3_03280FCF
Source: C:\Windows\SysWOW64\dialer.exe	Code function: 1_3_03283E4E push edi; iretd	1_3_03283E55
Source: C:\Windows\SysWOW64\dialer.exe	Code function: 1_3_03285CD2 push dword ptr [edx+ebp+3Bh]; retf	1_3_03285CDF

Source: C:\Users\user\Desktop\ZAXkflgLEq.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dialer.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dialer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dialer.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dialer.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: dialer.exe, 00000001.00000002.2180370129.00000000036C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OLLYDBG.EXE
Source: dialer.exe, 00000001.00000002.2180370129.00000000036C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: X64DBG.EXE
Source: dialer.exe, 00000001.00000002.2180370129.00000000036C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: IMMUNITYDEBUGGER.EXEWINDUMP.EXEX64DBG.EXEX32DBG.EXEOLLYDBG.EXEP
Source: dialer.exe, 00000001.00000002.2180370129.00000000036C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WINDUMP.EXE

Source: C:\Windows\SysWOW64\dialer.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\dialer.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor

Source: dialer.exe, 00000001.00000003.1689027079.00000000056B0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: DisableGuestVmNetworkConnectivity
Source: dialer.exe, 00000001.00000002.2180219972.00000000034E7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: dialer.exe, 00000001.00000003.1689027079.00000000056B0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: EnableGuestVmNetworkConnectivity

Source: C:\Users\user\Desktop\ZAXkflgLEq.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\ZAXkflgLEq.exe	Code function: 0_3_00C92277 mov eax, dword ptr fs:[00000030h]	0_3_00C92277
Source: C:\Users\user\Desktop\ZAXkflgLEq.exe	Code function: 0_2_00C92277 mov eax, dword ptr fs:[00000030h]	0_2_00C92277
Source: C:\Windows\SysWOW64\dialer.exe	Code function: 1_3_0328027F mov eax, dword ptr fs:[00000030h]	1_3_0328027F

Source: C:\Users\user\Desktop\ZAXkflgLEq.exe

Code function: 0_2_00C90AA0 HeapCreate,HeapAlloc,HeapAlloc,GetModuleHandleA,HeapAlloc,CreateEventA,HeapAlloc,HeapAlloc,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapAlloc,memcpy,HeapFree,WaitForSingleObject,FindCloseChangeNotification,VirtualFree,GetProcessHeap,HeapFree,HeapDestroy,

0_2_00C90AA0

Source: C:\Users\user\Desktop\ZAXkflgLEq.exe

Process created: C:\Windows\SysWOW64\dialer.exe "C:\Windows\system32\dialer.exe"

Jump to behavior

Source: dialer.exe, 00000001.00000002.2180370129.00000000036C0000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OllyDbg.exe

Stealing of Sensitive Information

Yara detected RHADAMANTHYS Stealer

Source: Yara match	File source: 00000001.00000003.1687455325.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1684570895.00000000010B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1687219829.0000000003DE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2180403207.0000000004E70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected RHADAMANTHYS Stealer

Source: Yara match	File source: 00000001.00000003.1687455325.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1684570895.00000000010B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1687219829.0000000003DE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2180403207.0000000004E70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	1 Virtualization/Sandbox Evasion	21 Input Capture	131 Security Software Discovery	Remote Services	21 Input Capture	12 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Process Injection	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Native API	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	2 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
ZAXkflgLEq.exe	71%	ReversingLabs	Win32.Trojan.Rhadamanthys
ZAXkflgLEq.exe	100%	Avira	TR/Crypt.XPACK.Gen
ZAXkflgLEq.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
https://www.carssell.online:443/b45c71e9ac60e42309ff71/ox15jpua.xlk0e	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.carssell.online	91.92.254.230	true	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.carssell.online:443/b45c71e9ac60e42309ff71/ox15jpua.xlk0e	dialer.exe, 00000001.00000002.2180075196.000000000327C000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
91.92.254.230	www.carssell.online	Bulgaria		34368	THEZONEBG	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1417252
Start date and time:	2024-03-28 20:13:04 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 55s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ZAXkflgLEq.exe renamed because original name is a hash value
Original Sample Name:	464ea1bd9930cd4ecae392d7214c3905.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@3/0@1/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target dialer.exe, PID 7436 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: ZAXkflgLEq.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
THEZONEBG	Ydpdt8Efff.exe	Get hash	malicious	Metasploit	Browse	91.92.251.119
	SecuriteInfo.com.Linux.BtcMine.798.28745.31751.elf	Get hash	malicious	Unknown	Browse	91.92.249.202
	SecuriteInfo.com.Linux.BtcMine.791.1794.25936.elf	Get hash	malicious	Unknown	Browse	91.92.249.202
	https://accedi.91-92-243-23.cprapid.com/ING/	Get hash	malicious	Unknown	Browse	91.92.243.23
	6Y6IpTEdR1.elf	Get hash	malicious	Mirai	Browse	91.92.241.246
	6CllngOjeS.elf	Get hash	malicious	Mirai	Browse	91.92.241.246
	QFrEHZB9q7.elf	Get hash	malicious	Mirai	Browse	91.92.241.246
	TVcKf6reGr.elf	Get hash	malicious	Mirai	Browse	91.92.241.246
	3f1esZupW0.elf	Get hash	malicious	Mirai	Browse	91.92.241.246
	bNEazx06Ai.elf	Get hash	malicious	Mirai	Browse	91.92.241.246

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
caec7ddf6889590d999d7ca1b76373b6	IN3 0GC-(94762)_489.lnk	Get hash	malicious	RHADAMANTHYS	Browse	91.92.254.230
	SecuriteInfo.com.Win32.TrojanX-gen.9272.30056.exe	Get hash	malicious	PureCrypter, Amadey, PureLog Stealer, RHADAMANTHYS	Browse	91.92.254.230
	Browser Update.js	Get hash	malicious	BitRAT, RHADAMANTHYS	Browse	91.92.254.230
	qHqbFN7Xof.exe	Get hash	malicious	RHADAMANTHYS	Browse	91.92.254.230
	qqeng.pdf.lnk	Get hash	malicious	RHADAMANTHYS	Browse	91.92.254.230
	qqeng.exe	Get hash	malicious	RHADAMANTHYS	Browse	91.92.254.230
	sdfsadsa.js	Get hash	malicious	RHADAMANTHYS	Browse	91.92.254.230
	ChromeSetup.exe	Get hash	malicious	RHADAMANTHYS	Browse	91.92.254.230
	iSbEfOEmv8.exe	Get hash	malicious	RHADAMANTHYS	Browse	91.92.254.230
	Leak Porn MMS Teen Girl.js	Get hash	malicious	RHADAMANTHYS	Browse	91.92.254.230

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	4.843708182845879
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	ZAXkflgLEq.exe
File size:	363'520 bytes
MD5:	464ea1bd9930cd4ecae392d7214c3905
SHA1:	525be920ce25cf340d8e47a0f3fd993a908449fc
SHA256:	cade479a0b203af759b0f82c80d4b95ca46abe3a4f665f365953eb5e25fe9284
SHA512:	73bcb3c6119a73ccd34d8300cf4e4fc3b4abf4f7cdbba49d9ad341931785e36dc98258b0e759fe999c31b56320533f228bee8755838cb7850797ef5f14ad3aa3
SSDEEP:	6144:g2qezd2ab1/RuHk+M3k8M3W7XomjOJCqshrOlumY6DMIewgxQfqrsb:gf2R/EEkCQFYDwRqw
TLSH:	017423DFB69A5418ED3626F3DE5652383B1574580B460EFF9D7B6E20A010FA94E28F03
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......]...............v...............v...................,.....................\.............Rich....................PE..L..._{_d...

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4508ce
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x645F7B5F [Sat May 13 11:58:23 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	be49a2411263045f8ee0c442783b5f83

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 004697B0h
push 004510BFh
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 68h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
xor ebx, ebx
mov dword ptr [ebp-04h], ebx
push 00000002h
call dword ptr [00462040h]
pop ecx
or dword ptr [0046A038h], FFFFFFFFh
or dword ptr [0046A03Ch], FFFFFFFFh
call dword ptr [00462044h]
mov ecx, dword ptr [0046A034h]
mov dword ptr [eax], ecx
call dword ptr [00462048h]
mov ecx, dword ptr [0046A030h]
mov dword ptr [eax], ecx
mov eax, dword ptr [0046204Ch]
mov eax, dword ptr [eax]
mov dword ptr [0046A040h], eax
call 00007F409D07B9B9h
cmp dword ptr [0046A010h], ebx
jne 00007F409D07B8BEh
push 00450A3Eh
call dword ptr [00462050h]
pop ecx
call 00007F409D07B98Bh
push 0046A00Ch
push 0046A008h
call 00007F409D07C009h
mov eax, dword ptr [0046A02Ch]
mov dword ptr [ebp-6Ch], eax
lea eax, dword ptr [ebp-6Ch]
push eax
push dword ptr [0046A028h]
lea eax, dword ptr [ebp-64h]
push eax
lea eax, dword ptr [ebp-70h]
push eax
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [00462058h]
push 0046A004h
push 0046A000h
call 00007F409D07BFD6h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x69938	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6b000	0x3e8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x6c000	0xec	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x697bc	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x62000	0xe0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x500cb	0x50200	bdbcdd118c6e30fb53bf5111c1951d15	False	0.685620002925117	data	4.9977211758267455	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.textbss	0x52000	0x10000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x62000	0x7de6	0x7e00	1709bd218ecea6c5cc61d8d6b305dc08	False	0.466827876984127	data	3.2818934390044032	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x6a000	0x44	0x200	598e1aae6ecbd8237c4383f4be94b9f1	False	0.033203125	data	0.020393135236084953	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x6b000	0x3e8	0x400	f0f5533983957143427cb560728e8d9b	False	0.43359375	data	3.2476078648555533	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x6c000	0xec	0x200	a556edc642fb4f2d688da12eb6e5cf04	False	0.490234375	data	3.440680260594041	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x6b060	0x384	data	English	United States	0.45555555555555555

Imports

DLL	Import
KERNEL32.dll	HeapAlloc, HeapFree, GetProcessHeap, WaitForSingleObject, HeapDestroy, MulDiv, lstrlenW, CreateEventA, GetModuleFileNameW, GetModuleHandleA, CloseHandle, HeapCreate, GetStartupInfoA
USER32.dll	AdjustWindowRect, GetDlgItem, GetIconInfo, SendDlgItemMessageA, InflateRect, DialogBoxParamA, CreateIconFromResourceEx, SendMessageW, LookupIconIdFromDirectoryEx, LoadImageA, SetForegroundWindow, EndDialog, OffsetRect, GetWindowLongA, SetWindowPos, UnionRect, SetWindowTextW
GDI32.dll	GetObjectA
ole32.dll	CoCreateGuid, CoTaskMemFree, CoInitializeEx
MSVCRT.dll	__set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _XcptFilter, _exit, memset, memcpy, wcsrchr, wcschr, _controlfp, _except_handler3

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 28, 2024 20:13:59.704015970 CET	49732	443	192.168.2.4	91.92.254.230
Mar 28, 2024 20:13:59.704047918 CET	443	49732	91.92.254.230	192.168.2.4
Mar 28, 2024 20:13:59.704125881 CET	49732	443	192.168.2.4	91.92.254.230
Mar 28, 2024 20:13:59.704188108 CET	49732	443	192.168.2.4	91.92.254.230
Mar 28, 2024 20:13:59.704195023 CET	443	49732	91.92.254.230	192.168.2.4
Mar 28, 2024 20:14:00.274635077 CET	443	49732	91.92.254.230	192.168.2.4
Mar 28, 2024 20:14:00.274702072 CET	49732	443	192.168.2.4	91.92.254.230
Mar 28, 2024 20:14:00.282838106 CET	49732	443	192.168.2.4	91.92.254.230
Mar 28, 2024 20:14:00.282850027 CET	443	49732	91.92.254.230	192.168.2.4
Mar 28, 2024 20:14:00.283097029 CET	443	49732	91.92.254.230	192.168.2.4
Mar 28, 2024 20:14:00.283150911 CET	49732	443	192.168.2.4	91.92.254.230
Mar 28, 2024 20:14:00.285976887 CET	49732	443	192.168.2.4	91.92.254.230
Mar 28, 2024 20:14:00.285995007 CET	443	49732	91.92.254.230	192.168.2.4
Mar 28, 2024 20:14:05.271744013 CET	49733	443	192.168.2.4	91.92.254.230
Mar 28, 2024 20:14:05.271779060 CET	443	49733	91.92.254.230	192.168.2.4
Mar 28, 2024 20:14:05.271861076 CET	49733	443	192.168.2.4	91.92.254.230
Mar 28, 2024 20:14:05.271958113 CET	49733	443	192.168.2.4	91.92.254.230
Mar 28, 2024 20:14:05.271967888 CET	443	49733	91.92.254.230	192.168.2.4
Mar 28, 2024 20:14:05.812031031 CET	443	49733	91.92.254.230	192.168.2.4
Mar 28, 2024 20:14:05.812144995 CET	49733	443	192.168.2.4	91.92.254.230
Mar 28, 2024 20:14:05.813637972 CET	49733	443	192.168.2.4	91.92.254.230
Mar 28, 2024 20:14:05.813644886 CET	443	49733	91.92.254.230	192.168.2.4
Mar 28, 2024 20:14:05.813880920 CET	443	49733	91.92.254.230	192.168.2.4
Mar 28, 2024 20:14:05.813940048 CET	49733	443	192.168.2.4	91.92.254.230
Mar 28, 2024 20:14:05.817764997 CET	49733	443	192.168.2.4	91.92.254.230
Mar 28, 2024 20:14:05.817791939 CET	443	49733	91.92.254.230	192.168.2.4
Mar 28, 2024 20:14:10.818871021 CET	49734	443	192.168.2.4	91.92.254.230
Mar 28, 2024 20:14:10.818916082 CET	443	49734	91.92.254.230	192.168.2.4
Mar 28, 2024 20:14:10.818981886 CET	49734	443	192.168.2.4	91.92.254.230
Mar 28, 2024 20:14:10.819084883 CET	49734	443	192.168.2.4	91.92.254.230
Mar 28, 2024 20:14:10.819097996 CET	443	49734	91.92.254.230	192.168.2.4
Mar 28, 2024 20:14:11.382241964 CET	443	49734	91.92.254.230	192.168.2.4
Mar 28, 2024 20:14:11.382353067 CET	49734	443	192.168.2.4	91.92.254.230
Mar 28, 2024 20:14:11.383959055 CET	49734	443	192.168.2.4	91.92.254.230
Mar 28, 2024 20:14:11.383969069 CET	443	49734	91.92.254.230	192.168.2.4
Mar 28, 2024 20:14:11.387305975 CET	49734	443	192.168.2.4	91.92.254.230
Mar 28, 2024 20:14:11.390552998 CET	443	49734	91.92.254.230	192.168.2.4
Mar 28, 2024 20:14:11.390635014 CET	49734	443	192.168.2.4	91.92.254.230
Mar 28, 2024 20:14:16.381176949 CET	49740	443	192.168.2.4	91.92.254.230
Mar 28, 2024 20:14:16.381221056 CET	443	49740	91.92.254.230	192.168.2.4
Mar 28, 2024 20:14:16.381347895 CET	49740	443	192.168.2.4	91.92.254.230
Mar 28, 2024 20:14:16.381469011 CET	49740	443	192.168.2.4	91.92.254.230
Mar 28, 2024 20:14:16.381479025 CET	443	49740	91.92.254.230	192.168.2.4
Mar 28, 2024 20:14:16.944820881 CET	443	49740	91.92.254.230	192.168.2.4
Mar 28, 2024 20:14:16.945071936 CET	49740	443	192.168.2.4	91.92.254.230
Mar 28, 2024 20:14:16.946537971 CET	49740	443	192.168.2.4	91.92.254.230
Mar 28, 2024 20:14:16.946547031 CET	443	49740	91.92.254.230	192.168.2.4
Mar 28, 2024 20:14:16.946693897 CET	443	49740	91.92.254.230	192.168.2.4
Mar 28, 2024 20:14:16.946757078 CET	49740	443	192.168.2.4	91.92.254.230
Mar 28, 2024 20:14:16.950090885 CET	49740	443	192.168.2.4	91.92.254.230
Mar 28, 2024 20:14:16.950114012 CET	443	49740	91.92.254.230	192.168.2.4
Mar 28, 2024 20:14:21.943599939 CET	49741	443	192.168.2.4	91.92.254.230
Mar 28, 2024 20:14:21.943635941 CET	443	49741	91.92.254.230	192.168.2.4
Mar 28, 2024 20:14:21.943792105 CET	49741	443	192.168.2.4	91.92.254.230
Mar 28, 2024 20:14:21.943880081 CET	49741	443	192.168.2.4	91.92.254.230
Mar 28, 2024 20:14:21.943891048 CET	443	49741	91.92.254.230	192.168.2.4
Mar 28, 2024 20:14:22.483638048 CET	443	49741	91.92.254.230	192.168.2.4
Mar 28, 2024 20:14:22.483748913 CET	49741	443	192.168.2.4	91.92.254.230
Mar 28, 2024 20:14:22.485389948 CET	49741	443	192.168.2.4	91.92.254.230
Mar 28, 2024 20:14:22.485404015 CET	443	49741	91.92.254.230	192.168.2.4
Mar 28, 2024 20:14:22.485615015 CET	443	49741	91.92.254.230	192.168.2.4
Mar 28, 2024 20:14:22.485688925 CET	49741	443	192.168.2.4	91.92.254.230
Mar 28, 2024 20:14:22.488742113 CET	49741	443	192.168.2.4	91.92.254.230
Mar 28, 2024 20:14:22.488764048 CET	443	49741	91.92.254.230	192.168.2.4
Mar 28, 2024 20:14:28.301003933 CET	49742	443	192.168.2.4	91.92.254.230
Mar 28, 2024 20:14:28.301049948 CET	443	49742	91.92.254.230	192.168.2.4
Mar 28, 2024 20:14:28.301142931 CET	49742	443	192.168.2.4	91.92.254.230
Mar 28, 2024 20:14:28.301275969 CET	49742	443	192.168.2.4	91.92.254.230
Mar 28, 2024 20:14:28.301285028 CET	443	49742	91.92.254.230	192.168.2.4
Mar 28, 2024 20:14:28.865582943 CET	443	49742	91.92.254.230	192.168.2.4
Mar 28, 2024 20:14:28.865709066 CET	49742	443	192.168.2.4	91.92.254.230
Mar 28, 2024 20:14:28.867258072 CET	49742	443	192.168.2.4	91.92.254.230
Mar 28, 2024 20:14:28.867266893 CET	443	49742	91.92.254.230	192.168.2.4
Mar 28, 2024 20:14:28.867424965 CET	443	49742	91.92.254.230	192.168.2.4
Mar 28, 2024 20:14:28.867468119 CET	49742	443	192.168.2.4	91.92.254.230
Mar 28, 2024 20:14:28.870656967 CET	49742	443	192.168.2.4	91.92.254.230
Mar 28, 2024 20:14:28.870673895 CET	443	49742	91.92.254.230	192.168.2.4
Mar 28, 2024 20:14:33.881027937 CET	49743	443	192.168.2.4	91.92.254.230
Mar 28, 2024 20:14:33.881078005 CET	443	49743	91.92.254.230	192.168.2.4
Mar 28, 2024 20:14:33.881148100 CET	49743	443	192.168.2.4	91.92.254.230
Mar 28, 2024 20:14:33.881263971 CET	49743	443	192.168.2.4	91.92.254.230
Mar 28, 2024 20:14:33.881278992 CET	443	49743	91.92.254.230	192.168.2.4
Mar 28, 2024 20:14:34.450644016 CET	443	49743	91.92.254.230	192.168.2.4
Mar 28, 2024 20:14:34.450825930 CET	49743	443	192.168.2.4	91.92.254.230
Mar 28, 2024 20:14:34.456334114 CET	49743	443	192.168.2.4	91.92.254.230
Mar 28, 2024 20:14:34.456351995 CET	443	49743	91.92.254.230	192.168.2.4
Mar 28, 2024 20:14:34.456654072 CET	443	49743	91.92.254.230	192.168.2.4
Mar 28, 2024 20:14:34.456722975 CET	49743	443	192.168.2.4	91.92.254.230
Mar 28, 2024 20:14:34.459772110 CET	49743	443	192.168.2.4	91.92.254.230
Mar 28, 2024 20:14:34.459809065 CET	443	49743	91.92.254.230	192.168.2.4
Mar 28, 2024 20:14:39.443681002 CET	49744	443	192.168.2.4	91.92.254.230
Mar 28, 2024 20:14:39.443732023 CET	443	49744	91.92.254.230	192.168.2.4
Mar 28, 2024 20:14:39.443825960 CET	49744	443	192.168.2.4	91.92.254.230
Mar 28, 2024 20:14:39.443964005 CET	49744	443	192.168.2.4	91.92.254.230
Mar 28, 2024 20:14:39.443980932 CET	443	49744	91.92.254.230	192.168.2.4
Mar 28, 2024 20:14:40.006283045 CET	443	49744	91.92.254.230	192.168.2.4
Mar 28, 2024 20:14:40.006407022 CET	49744	443	192.168.2.4	91.92.254.230
Mar 28, 2024 20:14:40.007884026 CET	49744	443	192.168.2.4	91.92.254.230
Mar 28, 2024 20:14:40.007890940 CET	443	49744	91.92.254.230	192.168.2.4
Mar 28, 2024 20:14:40.008111954 CET	443	49744	91.92.254.230	192.168.2.4
Mar 28, 2024 20:14:40.008203030 CET	49744	443	192.168.2.4	91.92.254.230
Mar 28, 2024 20:14:40.010433912 CET	49744	443	192.168.2.4	91.92.254.230
Mar 28, 2024 20:14:40.010445118 CET	443	49744	91.92.254.230	192.168.2.4
Mar 28, 2024 20:14:45.661933899 CET	49745	443	192.168.2.4	91.92.254.230
Mar 28, 2024 20:14:45.661972046 CET	443	49745	91.92.254.230	192.168.2.4
Mar 28, 2024 20:14:45.662034035 CET	49745	443	192.168.2.4	91.92.254.230
Mar 28, 2024 20:14:45.662118912 CET	49745	443	192.168.2.4	91.92.254.230
Mar 28, 2024 20:14:45.662127972 CET	443	49745	91.92.254.230	192.168.2.4
Mar 28, 2024 20:14:46.199973106 CET	443	49745	91.92.254.230	192.168.2.4
Mar 28, 2024 20:14:46.200203896 CET	49745	443	192.168.2.4	91.92.254.230
Mar 28, 2024 20:14:46.201570034 CET	49745	443	192.168.2.4	91.92.254.230
Mar 28, 2024 20:14:46.201580048 CET	443	49745	91.92.254.230	192.168.2.4
Mar 28, 2024 20:14:46.201750994 CET	443	49745	91.92.254.230	192.168.2.4
Mar 28, 2024 20:14:46.201798916 CET	49745	443	192.168.2.4	91.92.254.230
Mar 28, 2024 20:14:46.204579115 CET	49745	443	192.168.2.4	91.92.254.230
Mar 28, 2024 20:14:46.204600096 CET	443	49745	91.92.254.230	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 28, 2024 20:13:59.598016977 CET	57294	53	192.168.2.4	1.1.1.1
Mar 28, 2024 20:13:59.701288939 CET	53	57294	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 28, 2024 20:13:59.598016977 CET	192.168.2.4	1.1.1.1	0x434a	Standard query (0)	www.carssell.online	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 28, 2024 20:13:59.701288939 CET	1.1.1.1	192.168.2.4	0x434a	No error (0)	www.carssell.online		91.92.254.230	A (IP address)	IN (0x0001)	false
Mar 28, 2024 20:13:59.701288939 CET	1.1.1.1	192.168.2.4	0x434a	No error (0)	www.carssell.online		91.92.255.217	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	20:13:53
Start date:	28/03/2024
Path:	C:\Users\user\Desktop\ZAXkflgLEq.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ZAXkflgLEq.exe"
Imagebase:	0xc40000
File size:	363'520 bytes
MD5 hash:	464EA1BD9930CD4ECAE392D7214C3905
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000000.00000003.1684570895.00000000010B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000003.1686332148.0000000004720000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000003.1686637669.0000000004940000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000000.00000003.1687219829.0000000003DE0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	20:13:56
Start date:	28/03/2024
Path:	C:\Windows\SysWOW64\dialer.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\dialer.exe"
Imagebase:	0xa20000
File size:	32'256 bytes
MD5 hash:	E4BD77FB64DDE78F1A95ECE09F6A9B85
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000001.00000003.1687455325.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000001.00000003.1689171130.00000000058D0000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000001.00000003.1689027079.00000000056B0000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000001.00000002.2180403207.0000000004E70000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	35.6%
Total number of Nodes:	59
Total number of Limit Nodes:	1

Executed Functions

Function 00C90AA0 Relevance: 28.8, APIs: 19, Instructions: 275
memorysynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE(00000000,00100000,01000000,?,?,?,?,?,?,?,00C90FEE,00C90A02,00CA20E0,00C90A02,00000000), ref: 00C90AAF
HeapAlloc.KERNEL32 ref: 00C90AF7
GetModuleHandleA.KERNEL32(00000000), ref: 00C90B09
HeapAlloc.KERNEL32(00000000,00000008,0004B000), ref: 00C90B21
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00C90B2E

Part of subcall function 00C90E50: GetProcessHeap.KERNEL32(00000000,3B9ACA00,00000000,76ED5E70,00000000,00000000), ref: 00C90E67
Part of subcall function 00C90E50: RtlAllocateHeap.NTDLL(00000000), ref: 00C90E6A
Part of subcall function 00C90E50: memset.MSVCRT ref: 00C90E85
Part of subcall function 00C90E50: GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00C90E99
Part of subcall function 00C90E50: wcsrchr.MSVCRT ref: 00C90EAE
Part of subcall function 00C90E50: wcschr.MSVCRT ref: 00C90EC3
Part of subcall function 00C90E50: lstrlenW.KERNEL32(-00000002), ref: 00C90ED8
Part of subcall function 00C90E50: memset.MSVCRT ref: 00C90EF2
Part of subcall function 00C90E50: wcschr.MSVCRT ref: 00C90F3B

HeapAlloc.KERNEL32(?,00000008,00000000,?,?,?,?,?,?,?,?,?,?,00C90FEE,00C90A02,00CA20E0), ref: 00C90C0D
GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,?,?,?,?,?,?,00C90FEE,00C90A02,00CA20E0,00C90A02), ref: 00C90CD8
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00C90FEE,00C90A02,00CA20E0,00C90A02,00000000), ref: 00C90CDF
memcpy.MSVCRT ref: 00C90D03
GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,?,?,?,?,?,?,00C90FEE,00C90A02,00CA20E0,00C90A02), ref: 00C90D1A
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00C90FEE,00C90A02,00CA20E0,00C90A02,00000000), ref: 00C90D21
memcpy.MSVCRT ref: 00C90D41
HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00C90FEE,00C90A02,00CA20E0), ref: 00C90DAA
WaitForSingleObject.KERNEL32(00000000,000003E8,?,?,?,?,?,?,?,?,00C90FEE,00C90A02,00CA20E0,00C90A02,00000000), ref: 00C90DBC
FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,?,?,?,?,00C90FEE,00C90A02,00CA20E0,00C90A02,00000000,?,0000000A), ref: 00C90DC5
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00C90E11
GetProcessHeap.KERNEL32(00000000,?), ref: 00C90E16
HeapFree.KERNEL32(00000000), ref: 00C90E1D
HeapDestroy.KERNELBASE(0000003C), ref: 00C90E35

Memory Dump Source

Source File: 00000000.00000002.1687591670.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1687578983.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1687619709.0000000000C92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1687633503.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1687647111.0000000000CAB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_ZAXkflgLEq.jbxd

Similarity

API ID: Heap$Alloc$Process$Free$CreateModulememcpymemsetwcschr$AllocateChangeCloseDestroyEventFileFindHandleNameNotificationObjectSingleVirtualWaitlstrlenwcsrchr
String ID:
API String ID: 1234286951-0
Opcode ID: a731241c5ceca8f3e767991ca9361735b23a42f9799f4611fdfe4803fd6fcaac
Instruction ID: 38e7f6b89e8c51c300f363208982e776e66682cbef88d51bf12736a8830352b6
Opcode Fuzzy Hash: a731241c5ceca8f3e767991ca9361735b23a42f9799f4611fdfe4803fd6fcaac
Instruction Fuzzy Hash: 17B1DF719083419FDB14DF68CC48B2ABBE5FF89308F14892CFA9A87251DB70E944CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00C90E50 Relevance: 21.1, APIs: 14, Instructions: 139
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,3B9ACA00,00000000,76ED5E70,00000000,00000000), ref: 00C90E67
RtlAllocateHeap.NTDLL(00000000), ref: 00C90E6A
memset.MSVCRT ref: 00C90E85
GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00C90E99
wcsrchr.MSVCRT ref: 00C90EAE
wcschr.MSVCRT ref: 00C90EC3
lstrlenW.KERNEL32(-00000002), ref: 00C90ED8
memset.MSVCRT ref: 00C90EF2
wcschr.MSVCRT ref: 00C90F3B
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00C90F73
RtlFreeHeap.NTDLL(00000000,00000000,00000000), ref: 00C90F91
MulDiv.KERNEL32(00000001,80000000,80000000), ref: 00C90FA3
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C90FC1
HeapFree.KERNEL32(00000000), ref: 00C90FC4

Memory Dump Source

Source File: 00000000.00000002.1687591670.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1687578983.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1687619709.0000000000C92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1687633503.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1687647111.0000000000CAB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_ZAXkflgLEq.jbxd

Similarity

API ID: Heap$Free$Processmemsetwcschr$AllocateFileModuleNamelstrlenwcsrchr
String ID:
API String ID: 2120544777-0
Opcode ID: c5de14b431edfc312e733d02cc0e85fcb55f52952b88e7ff2a3b060f00ecb6d4
Instruction ID: 281e4d918b44fd16b5b3b049a2e569208687bdf66c20f67e8609dfd4257af9d2
Opcode Fuzzy Hash: c5de14b431edfc312e733d02cc0e85fcb55f52952b88e7ff2a3b060f00ecb6d4
Instruction Fuzzy Hash: B34128316043159BEF30A7A4AC8EB7E73A8EB85755F24002AFE05D7180EA69DB45C361

Uniqueness

Uniqueness Score: -1.00%

Function 00C908CE Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00C908FB
__p__fmode.MSVCRT ref: 00C90910
__p__commode.MSVCRT ref: 00C9091E
__setusermatherr.MSVCRT ref: 00C9094A
_initterm.MSVCRT ref: 00C90960
__getmainargs.MSVCRT ref: 00C90983
_initterm.MSVCRT ref: 00C90993
GetStartupInfoA.KERNEL32(?), ref: 00C909D2
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00C909F6
exit.KERNELBASE ref: 00C90A06
_XcptFilter.MSVCRT ref: 00C90A18

Memory Dump Source

Source File: 00000000.00000002.1687591670.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1687578983.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1687619709.0000000000C92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1687633503.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1687647111.0000000000CAB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_ZAXkflgLEq.jbxd

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: 277ce4af971321a90a5f8b20a46c8731fb157a4db3efde624faf0531900ce871
Instruction ID: e0ceaf5ea8b40a7df600411590b8e151240778041bebd33cdbcc4c8131146e6c
Opcode Fuzzy Hash: 277ce4af971321a90a5f8b20a46c8731fb157a4db3efde624faf0531900ce871
Instruction Fuzzy Hash: DB418171C40354EFDF219FA8DC89BAD7BB8FB0A714F20011AF956972A2C7744940DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00C922CC Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 128memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00000000,?,?), ref: 00C92311

Part of subcall function 00C92098: VirtualAlloc.KERNELBASE(00000000,00001012,00001000,00000004), ref: 00C920C1
Part of subcall function 00C92098: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00C9226D

VirtualAlloc.KERNELBASE(00000000,00400000,00001000,00000004), ref: 00C92363
VirtualProtect.KERNELBASE(0000002C,?,00000040,0000002C), ref: 00C923BD
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00C923F0

Strings

,, xrefs: 00C92341

Memory Dump Source

Source File: 00000000.00000003.1684662033.0000000000C92000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C92000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_c92000_ZAXkflgLEq.jbxd

Similarity

API ID: Virtual$Alloc$Free$Protect
String ID: ,
API String ID: 1004437363-3772416878
Opcode ID: 15a4efe748f616053fe8ffffddab00f5333e8782292edb7e0670b88d1d28ae77
Instruction ID: afd061057be8982de2c411395a002e400fc5d1f9cbf9f418e5463529f844a684
Opcode Fuzzy Hash: 15a4efe748f616053fe8ffffddab00f5333e8782292edb7e0670b88d1d28ae77
Instruction Fuzzy Hash: 87410975900709AFCF10DFA9C885A9EBBF8FF08354F10851AF969A7640D370EA54CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00C922CC Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 128
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00000000,?,?,?,0000000B), ref: 00C92311

Part of subcall function 00C92098: VirtualAlloc.KERNELBASE(00000000,00001012,00001000,00000004), ref: 00C920C1
Part of subcall function 00C92098: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00C9226D

VirtualAlloc.KERNELBASE(00000000,00400000,00001000,00000004,?,?,?,00000000,?,?,0000000B), ref: 00C92363
VirtualProtect.KERNELBASE(0000002C,?,00000040,0000002C,00000000,00000000,?,?,0000000B), ref: 00C923BD
VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,00000000,?,?,0000000B), ref: 00C923F0

Strings

,, xrefs: 00C92341

Memory Dump Source

Source File: 00000000.00000002.1687619709.0000000000C92000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1687578983.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1687591670.0000000000C41000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1687633503.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1687647111.0000000000CAB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_ZAXkflgLEq.jbxd

Similarity

API ID: Virtual$Alloc$Free$Protect
String ID: ,
API String ID: 1004437363-3772416878
Opcode ID: 15a4efe748f616053fe8ffffddab00f5333e8782292edb7e0670b88d1d28ae77
Instruction ID: afd061057be8982de2c411395a002e400fc5d1f9cbf9f418e5463529f844a684
Opcode Fuzzy Hash: 15a4efe748f616053fe8ffffddab00f5333e8782292edb7e0670b88d1d28ae77
Instruction Fuzzy Hash: 87410975900709AFCF10DFA9C885A9EBBF8FF08354F10851AF969A7640D370EA54CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00C92098 Relevance: 2.7, APIs: 2, Instructions: 163memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00001012,00001000,00000004), ref: 00C920C1
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00C9226D

Memory Dump Source

Source File: 00000000.00000003.1684662033.0000000000C92000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C92000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_c92000_ZAXkflgLEq.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 7dc8e79fde86babc96161718fc4e5f80a5398d7d893a888eaa0e52eee754c683
Instruction ID: 58d33a2286b1307ecf43942fa3a2943298be9470f27338292b4d4f4598374a42
Opcode Fuzzy Hash: 7dc8e79fde86babc96161718fc4e5f80a5398d7d893a888eaa0e52eee754c683
Instruction Fuzzy Hash: ED718B71E0464AEFDF41CF98C985BEEBBF0AB09314F244095E5A5FB241C234AA91DF64

Uniqueness

Uniqueness Score: -1.00%

Function 00C92098 Relevance: 2.7, APIs: 2, Instructions: 163
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,00001012,00001000,00000004), ref: 00C920C1
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00C9226D

Memory Dump Source

Source File: 00000000.00000002.1687619709.0000000000C92000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1687578983.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1687591670.0000000000C41000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1687633503.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1687647111.0000000000CAB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_ZAXkflgLEq.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: c4e05415e69c24d916c032145dcef53eb47034c17d4a44e0f4697a572808d492
Instruction ID: 58d33a2286b1307ecf43942fa3a2943298be9470f27338292b4d4f4598374a42
Opcode Fuzzy Hash: c4e05415e69c24d916c032145dcef53eb47034c17d4a44e0f4697a572808d492
Instruction Fuzzy Hash: ED718B71E0464AEFDF41CF98C985BEEBBF0AB09314F244095E5A5FB241C234AA91DF64

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00C92277 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1684662033.0000000000C92000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C92000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_c92000_ZAXkflgLEq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d558d006f42668ff0cb3938fe5626bc0e09627662ae6e14989234e2d35bd114b
Instruction ID: a038c646b6034cfeac575c1a50066f44b59d435e7a24f5f0d8d45ffb79ec1308
Opcode Fuzzy Hash: d558d006f42668ff0cb3938fe5626bc0e09627662ae6e14989234e2d35bd114b
Instruction Fuzzy Hash: 25F06D79A00A00EF8F24CF0AC54CC95B7F6FB9573076545A5E414DB221D3B0EE44DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C92277 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1687619709.0000000000C92000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1687578983.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1687591670.0000000000C41000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1687633503.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1687647111.0000000000CAB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_ZAXkflgLEq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d558d006f42668ff0cb3938fe5626bc0e09627662ae6e14989234e2d35bd114b
Instruction ID: a038c646b6034cfeac575c1a50066f44b59d435e7a24f5f0d8d45ffb79ec1308
Opcode Fuzzy Hash: d558d006f42668ff0cb3938fe5626bc0e09627662ae6e14989234e2d35bd114b
Instruction Fuzzy Hash: 25F06D79A00A00EF8F24CF0AC54CC95B7F6FB9573076545A5E414DB221D3B0EE44DBA1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: dialer.exePID: 7436, Parent PID: 3288COMMON

Executed Functions

Function 032802D4 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167memoryfileCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00000000,?,?), ref: 0328031C

Part of subcall function 032800A0: VirtualAlloc.KERNELBASE(00000000,00001012,00001000,00000004), ref: 032800C9
Part of subcall function 032800A0: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 03280275

VirtualAlloc.KERNELBASE(00000000,00400000,00001000,00000004), ref: 0328036E
VirtualProtect.KERNELBASE(0000002C,?,00000040,?), ref: 032803DD
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 032803FD
MapViewOfFile.KERNELBASE(?,00000004,00000000,00000000,00000000), ref: 03280424
VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0328044C
FindCloseChangeNotification.KERNELBASE(?), ref: 03280467

Strings

,, xrefs: 0328034C

Memory Dump Source

Source File: 00000001.00000003.1687543108.0000000003280000.00000040.00000001.00020000.00000000.sdmp, Offset: 03280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_3_3280000_dialer.jbxd

Similarity

API ID: Virtual$Alloc$Free$ChangeCloseFileFindNotificationProtectView
String ID: ,
API String ID: 2870039258-3772416878
Opcode ID: 82e5e3048abb205ecfbadfcc4accb215ed5bf30bd6965aeddf34148881449b51
Instruction ID: ece56d5c9fd9a959a4412b79e534c6bf5d259ae3ca43458d313cc6568d060d07
Opcode Fuzzy Hash: 82e5e3048abb205ecfbadfcc4accb215ed5bf30bd6965aeddf34148881449b51
Instruction Fuzzy Hash: F751FE75911209FFCB20DFA5C884A9EBBB8FF08354F14C529F955A7291D770AA84CB60

Uniqueness

Uniqueness Score: -1.00%

Function 032800A0 Relevance: 2.7, APIs: 2, Instructions: 163memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00001012,00001000,00000004), ref: 032800C9
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 03280275

Memory Dump Source

Source File: 00000001.00000003.1687543108.0000000003280000.00000040.00000001.00020000.00000000.sdmp, Offset: 03280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_3_3280000_dialer.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 7dc8e79fde86babc96161718fc4e5f80a5398d7d893a888eaa0e52eee754c683
Instruction ID: 445393724c27eb0bcf0822e979eb60a3de85dddbc18e5109f29214edafa5f75e
Opcode Fuzzy Hash: 7dc8e79fde86babc96161718fc4e5f80a5398d7d893a888eaa0e52eee754c683
Instruction Fuzzy Hash: CB71BC71E1524AEFCB41DF98C981BEDBBF0AF09314F188095E461FB281C274AA95CF64

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ZAXkflgLEq.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Statistics

CPU Usage

Windows Analysis Report
ZAXkflgLEq.exe

Function 00C90AA0 Relevance: 28.8, APIs: 19, Instructions: 275
memorysynchronizationCOMMON

Function 00C90E50 Relevance: 21.1, APIs: 14, Instructions: 139
memorystringCOMMON

Function 00C908CE Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Function 00C922CC Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 128
memoryCOMMON

Function 00C92098 Relevance: 2.7, APIs: 2, Instructions: 163
memoryCOMMON