Windows
Analysis Report
clip64.dll
Overview
General Information
Detection
Score: | 88 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- loaddll32.exe (PID: 3508 cmdline:
loaddll32. exe "C:\Us ers\user\D esktop\cli p64.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618) - conhost.exe (PID: 3504 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 5476 cmdline:
cmd.exe /C rundll32. exe "C:\Us ers\user\D esktop\cli p64.dll",# 1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - rundll32.exe (PID: 4460 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\clip 64.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679) - rundll32.exe (PID: 2144 cmdline:
rundll32.e xe C:\User s\user\Des ktop\clip6 4.dll,??4C ClipperDLL @@QAEAAV0@ $$QAV0@@Z MD5: 889B99C52A60DD49227C5E485A016679) - rundll32.exe (PID: 6968 cmdline:
rundll32.e xe C:\User s\user\Des ktop\clip6 4.dll,??4C ClipperDLL @@QAEAAV0@ ABV0@@Z MD5: 889B99C52A60DD49227C5E485A016679) - rundll32.exe (PID: 5276 cmdline:
rundll32.e xe C:\User s\user\Des ktop\clip6 4.dll,Main MD5: 889B99C52A60DD49227C5E485A016679) - rundll32.exe (PID: 2304 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\clip 64.dll",?? 4CClipperD LL@@QAEAAV 0@$$QAV0@@ Z MD5: 889B99C52A60DD49227C5E485A016679) - rundll32.exe (PID: 4036 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\clip 64.dll",?? 4CClipperD LL@@QAEAAV 0@ABV0@@Z MD5: 889B99C52A60DD49227C5E485A016679) - rundll32.exe (PID: 4560 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\clip 64.dll",Ma in MD5: 889B99C52A60DD49227C5E485A016679)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Amadey | Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware. | No Attribution |
{"Wallet Addresses": ["bc1q5geckylyfl4952lsex43u56p9c46eptlds05fj", "0x091451c16090f09214C57cB2D15c0cf7967E04d8", "ltc1q2rmqlk85xegdvh3f36smqf2rrfgwsyy26j6lel", "DPtXND8WRCBwX8WHPBLiCt8Lm6xsD3Mbr2", "48dSg7aiVzoAiDwaNHW316Gitnr1VCe2W1yCMNJqEWMe1M15vU1bVnUPZ8NQBSagnq74r57dEuvkC1Hd3gzvKaVZPjAdVSc"]}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Amadey_2 | Yara detected Amadey\'s stealer DLL | Joe Security | ||
JoeSecurity_Amadey_3 | Yara detected Amadey\'s Clipper DLL | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Amadey_2 | Yara detected Amadey\'s stealer DLL | Joe Security | ||
JoeSecurity_Amadey_2 | Yara detected Amadey\'s stealer DLL | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Amadey_2 | Yara detected Amadey\'s stealer DLL | Joe Security | ||
JoeSecurity_Amadey_3 | Yara detected Amadey\'s Clipper DLL | Joe Security | ||
JoeSecurity_Amadey_2 | Yara detected Amadey\'s stealer DLL | Joe Security | ||
JoeSecurity_Amadey_3 | Yara detected Amadey\'s Clipper DLL | Joe Security |
Click to jump to signature section
AV Detection |
---|
Source: | Avira: |
Source: | Malware Configuration Extractor: |
Source: | ReversingLabs: |
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | Code function: | 7_2_738F7D7E |
Source: | Code function: | 7_2_738F15E0 |
Source: | Code function: | 7_2_738F15E0 | |
Source: | Code function: | 7_2_738F15E0 |
Source: | Code function: | 7_2_738F15E0 |
Source: | Code function: | 7_2_738FDB01 |
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior |
Source: | Static PE information: |
Source: | Classification label: |
Source: | Mutant created: |
Source: | Static PE information: |
Source: | Key opened: | Jump to behavior |
Source: | Process created: |
Source: | ReversingLabs: |
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior |
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Code function: | 7_2_738F41A9 |
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior |
Source: | Window / User API: | Jump to behavior | ||
Source: | Window / User API: | Jump to behavior | ||
Source: | Window / User API: | Jump to behavior | ||
Source: | Window / User API: | Jump to behavior |
Source: | API coverage: |
Source: | Thread sleep count: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep count: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep count: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep count: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Source: | Last function: | ||
Source: | Last function: | ||
Source: | Last function: | ||
Source: | Last function: | ||
Source: | Last function: |
Source: | Code function: | 7_2_738F7D7E |
Source: | Thread delayed: | Jump to behavior |
Anti Debugging |
---|
Source: | Process Stats: |
Source: | Code function: | 7_2_738F5BB4 |
Source: | Code function: | 7_2_738F62E0 | |
Source: | Code function: | 7_2_738F7885 |
Source: | Code function: | 7_2_738F92A5 |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Source: | Code function: | 7_2_738F5BB4 | |
Source: | Code function: | 7_2_738F42F4 | |
Source: | Code function: | 7_2_738F4025 |
Source: | Process created: | Jump to behavior |
Source: | Code function: | 7_2_738F3E45 |
Source: | Code function: | 7_2_738F41AC |
Stealing of Sensitive Information |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 11 Process Injection | 112 Virtualization/Sandbox Evasion | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 11 Process Injection | LSASS Memory | 12 Security Software Discovery | Remote Desktop Protocol | 3 Clipboard Data | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Obfuscated Files or Information | Security Account Manager | 112 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Rundll32 | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Steganography | Cached Domain Credentials | 12 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
83% | ReversingLabs | Win32.Trojan.Amadey | ||
100% | Avira | HEUR/AGEN.1301048 |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1423302 |
Start date and time: | 2024-04-09 21:57:51 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 6m 35s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 13 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | clip64.dll |
Detection: | MAL |
Classification: | mal88.spyw.evad.winDLL@18/0@0/0 |
EGA Information: |
|
HCA Information: |
|
Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Not all processes where analyzed, report is missing behavior information
- VT rate limit hit for: clip64.dll
Time | Type | Description |
---|---|---|
21:58:55 | API Interceptor | |
21:59:26 | API Interceptor |
File type: | |
Entropy (8bit): | 6.3473860804256095 |
TrID: |
|
File name: | clip64.dll |
File size: | 91'136 bytes |
MD5: | 8ee29b714ba490ec4a0828816f15ed4f |
SHA1: | 0556df48a668c35c6611ffce1425f1d9e89d0cd7 |
SHA256: | fff252c139b136ba131fab2db7880c79856d39fce2e9d0d15cd19de8f4b52bc5 |
SHA512: | df90bb9497ff20f13c4d19324af91ec9f6bbf3f9b5055e24e3bae0f77c7df6db58384bff8dbdd88104c05e7c586c489968bcb6b3ef86436704aa4cd2f5c8acc8 |
SSDEEP: | 1536:tgYNPCKLbqoYkbpplW9YoUsxXbbcouNh72ZszsWuKcdJUgzaB89p:tg0CWbBNpplToUsNuNh725LJUmaB89p |
TLSH: | 5E935B1030D2C071D97E55351878EAB68B7CB914CFE08EEF27551A7A8E702D1AE36D3A |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........,Cy..Cy..Cy.....~Iy.....~.y.....~Qy.....~Ly.....~Ry.....~by.....~Fy..Cy...y.....~@y.....~By......By.....~By..RichCy......... |
Icon Hash: | 7ae282899bbab082 |
Entrypoint: | 0x10003e00 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x10000000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT |
Time Stamp: | 0x63BC2D74 [Mon Jan 9 15:06:28 2023 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | 52982bbab8b9d5eafbb4ec438626f86a |
Instruction |
---|
push ebp |
mov ebp, esp |
cmp dword ptr [ebp+0Ch], 01h |
jne 00007F0D08E2EEA7h |
call 00007F0D08E2F290h |
push dword ptr [ebp+10h] |
push dword ptr [ebp+0Ch] |
push dword ptr [ebp+08h] |
call 00007F0D08E2ED58h |
add esp, 0Ch |
pop ebp |
retn 000Ch |
jmp 00007F0D08E31EB3h |
push ebp |
mov ebp, esp |
sub esp, 0Ch |
lea ecx, dword ptr [ebp-0Ch] |
call 00007F0D08E2E667h |
push 10014590h |
lea eax, dword ptr [ebp-0Ch] |
push eax |
call 00007F0D08E2F4F8h |
int3 |
push ebp |
mov ebp, esp |
and dword ptr [10016A48h], 00000000h |
sub esp, 24h |
or dword ptr [10016004h], 01h |
push 0000000Ah |
call 00007F0D08E3910Ch |
test eax, eax |
je 00007F0D08E2F04Fh |
and dword ptr [ebp-10h], 00000000h |
xor eax, eax |
push ebx |
push esi |
push edi |
xor ecx, ecx |
lea edi, dword ptr [ebp-24h] |
push ebx |
cpuid |
mov esi, ebx |
pop ebx |
mov dword ptr [edi], eax |
mov dword ptr [edi+04h], esi |
mov dword ptr [edi+08h], ecx |
xor ecx, ecx |
mov dword ptr [edi+0Ch], edx |
mov eax, dword ptr [ebp-24h] |
mov edi, dword ptr [ebp-1Ch] |
mov dword ptr [ebp-0Ch], eax |
xor edi, 6C65746Eh |
mov eax, dword ptr [ebp-18h] |
xor eax, 49656E69h |
mov dword ptr [ebp-08h], eax |
mov eax, dword ptr [ebp-20h] |
xor eax, 756E6547h |
mov dword ptr [ebp-04h], eax |
xor eax, eax |
inc eax |
push ebx |
cpuid |
mov esi, ebx |
pop ebx |
lea ebx, dword ptr [ebp-24h] |
mov dword ptr [ebx], eax |
mov eax, dword ptr [ebp-04h] |
mov dword ptr [ebx+04h], esi |
or eax, edi |
or eax, dword ptr [ebp-08h] |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x14aa0 | 0x9c | .rdata |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x14b3c | 0x3c | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x18000 | 0xf8 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x19000 | 0x1054 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x13f20 | 0x70 | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x13f90 | 0x40 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0xf000 | 0x12c | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0xdd56 | 0xde00 | 774a7ce91e30ef3e3d7da140db35dc34 | False | 0.5611099380630631 | data | 6.65624829160936 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0xf000 | 0x61ee | 0x6200 | e4ee272fe0863b0d859bd6ef543ae195 | False | 0.4253029336734694 | data | 4.998521354979746 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x16000 | 0x1444 | 0xc00 | 7b35d9606a8db5f8a5e5b03ea0fcbcf3 | False | 0.1494140625 | DOS executable (block device driver @\273) | 2.05558001204947 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x18000 | 0xf8 | 0x200 | d455d3af38ec99962a36d1f49a978aee | False | 0.3359375 | data | 2.5195793504807127 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x19000 | 0x1054 | 0x1200 | 04bba41d6da9e277608bbfbbab660375 | False | 0.712890625 | data | 6.26182229426962 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_MANIFEST | 0x18060 | 0x91 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.8689655172413793 |
DLL | Import |
---|---|
KERNEL32.dll | GlobalAlloc, GlobalLock, GlobalUnlock, WideCharToMultiByte, Sleep, WriteConsoleW, CloseHandle, CreateFileW, SetFilePointerEx, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, GetModuleHandleW, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, GetCurrentProcess, TerminateProcess, RaiseException, InterlockedFlushSList, GetLastError, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, RtlUnwind, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, ExitProcess, GetModuleHandleExW, GetModuleFileNameW, HeapAlloc, HeapFree, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, MultiByteToWideChar, GetEnvironmentStringsW, FreeEnvironmentStringsW, LCMapStringW, GetProcessHeap, GetStdHandle, GetFileType, GetStringTypeW, HeapSize, HeapReAlloc, SetStdHandle, FlushFileBuffers, WriteFile, GetConsoleCP, GetConsoleMode, DecodePointer |
USER32.dll | SetClipboardData, EmptyClipboard, OpenClipboard, CloseClipboard, GetClipboardData |
Name | Ordinal | Address |
---|---|---|
??4CClipperDLL@@QAEAAV0@$$QAV0@@Z | 1 | 0x10001120 |
??4CClipperDLL@@QAEAAV0@ABV0@@Z | 2 | 0x10001120 |
Main | 3 | 0x10003040 |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Click to jump to process
Click to jump to process
Click to jump to process
Target ID: | 1 |
Start time: | 21:58:45 |
Start date: | 09/04/2024 |
Path: | C:\Windows\System32\loaddll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xee0000 |
File size: | 126'464 bytes |
MD5 hash: | 51E6071F9CBA48E79F10C84515AAE618 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 2 |
Start time: | 21:58:45 |
Start date: | 09/04/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff66e660000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 3 |
Start time: | 21:58:46 |
Start date: | 09/04/2024 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x1c0000 |
File size: | 236'544 bytes |
MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 4 |
Start time: | 21:58:46 |
Start date: | 09/04/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xb40000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 5 |
Start time: | 21:58:46 |
Start date: | 09/04/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xb40000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 6 |
Start time: | 21:58:49 |
Start date: | 09/04/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xb40000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 7 |
Start time: | 21:58:52 |
Start date: | 09/04/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xb40000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | high |
Has exited: | false |
Target ID: | 8 |
Start time: | 21:58:55 |
Start date: | 09/04/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xb40000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 9 |
Start time: | 21:58:55 |
Start date: | 09/04/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xb40000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 10 |
Start time: | 21:58:55 |
Start date: | 09/04/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xb40000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | high |
Has exited: | false |
Execution Graph
Execution Coverage: | 3.9% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 2.6% |
Total number of Nodes: | 1686 |
Total number of Limit Nodes: | 36 |
Graph
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 738F3C1F Relevance: 13.6, APIs: 9, Instructions: 134COMMON
Control-flow Graph
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 738F3B18 Relevance: 4.6, APIs: 3, Instructions: 76COMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 738FAEEE Relevance: 1.6, APIs: 1, Instructions: 52COMMON
Control-flow Graph
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 738F7942 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 738F3E45 Relevance: 1.6, APIs: 1, Instructions: 144COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 738F7D7E Relevance: 1.6, APIs: 1, Instructions: 141COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 738F92A5 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 738F7885 Relevance: .0, Instructions: 22COMMONLIBRARYCODE
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 738F7218 Relevance: 15.1, APIs: 10, Instructions: 69COMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 738F8EC3 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77COMMONLIBRARYCODE
Control-flow Graph
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 738F49ED Relevance: 9.1, APIs: 6, Instructions: 60COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 738F4D04 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68COMMONLIBRARYCODE
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 738F6365 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30libraryloaderCOMMONLIBRARYCODE
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 738F7AA3 Relevance: 6.1, APIs: 4, Instructions: 86COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 738F6CDE Relevance: 6.0, APIs: 4, Instructions: 19COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |