Edit tour

Windows Analysis Report
artifact.exe

Overview

General Information

Sample name:	artifact.exe
Analysis ID:	1429039
MD5:	a7fcd0b15a080167c4c2f05063802a6e
SHA1:	c761d68786ff15b6e991770a8c9aee778dd011e9
SHA256:	9f6ae95b5540d0d6c60e942fa68dee44b2781c58da3f21321f18b8384ab41084
Tags:	exe
Infos:

Detection

CobaltStrike, Metasploit

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected CobaltStrike

Yara detected Metasploit Payload

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Sigma detected: Suspicious Program Names

Contains functionality to dynamically determine API calls

Detected potential crypto function

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Program does not show much activity (idle)

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Uses 32bit PE files

Yara signature match

Classification

Process Tree

System is w10x64

artifact.exe (PID: 6652 cmdline: "C:\Users\user\Desktop\artifact.exe" MD5: A7FCD0B15A080167C4C2F05063802A6E)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Cobalt Strike, CobaltStrike	Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit.The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.	APT 29 APT32 APT41 AQUATIC PANDA Anunak Cobalt Codoso CopyKittens DarkHydrus FIN6 FIN7 Leviathan Mustang Panda Shell Crew Stone Panda TianWu UNC1878 UNC2452 Winnti Umbrella	http://blog.morphisec.com/new-global-attack-on-point-of-sale-systems http://blog.nsfocus.net/murenshark http://stillu.cc/assets/slides/2023-08-Unmasking%20CamoFei.pdf http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa http://www.secureworks.com/research/threat-profiles/gold-drake	https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike

Malware Configuration

Threatname: CobaltStrike

{"C2Server": "http://101.78.63.44:None/UphQey", "User Agent": "User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Win64; x64; Trident/6.0; Touch)\r\n"}

Threatname: Metasploit

{"Headers": "User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Win64; x64; Trident/6.0; Touch)\r\n", "Type": "Metasploit Download", "URL": "http://101.78.63.44/UphQey"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
artifact.exe	JoeSecurity_CobaltStrike_4	Yara detected CobaltStrike	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1704733475.00000000001F0000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
00000000.00000002.1704733475.00000000001F0000.00000020.00001000.00020000.00000000.sdmp	Windows_Shellcode_Generic_8c487e57	unknown	unknown	0x0:$a: FC E8 89 00 00 00 60 89 E5 31 D2 64 8B 52 30 8B 52 0C 8B 52 14 8B 72 28 0F B7 4A 26 31 FF 31 C0
00000000.00000002.1704733475.00000000001F0000.00000020.00001000.00020000.00000000.sdmp	Windows_Trojan_Metasploit_38b8ceec	Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon).	unknown	0x7:$a1: 89 E5 31 D2 64 8B 52 30 8B 52 0C 8B 52 14 8B 72 28 0F B7 4A 26 31 FF 31 C0 AC 3C 61
00000000.00000002.1704733475.00000000001F0000.00000020.00001000.00020000.00000000.sdmp	Windows_Trojan_Metasploit_24338919	Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon).	unknown	0x90:$a1: 68 6E 65 74 00 68 77 69 6E 69 54 68 4C 77 26 07

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.artifact.exe.400000.0.unpack	JoeSecurity_CobaltStrike_4	Yara detected CobaltStrike	Joe Security
0.2.artifact.exe.400000.0.unpack	JoeSecurity_CobaltStrike_4	Yara detected CobaltStrike	Joe Security

Sigma Signatures

System Summary

Sigma detected: Suspicious Program Names

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\artifact.exe", CommandLine: "C:\Users\user\Desktop\artifact.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\artifact.exe, NewProcessName: C:\Users\user\Desktop\artifact.exe, OriginalFileName: C:\Users\user\Desktop\artifact.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Users\user\Desktop\artifact.exe", ProcessId: 6652, ProcessName: artifact.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: artifact.exe

Avira: detected

Found malware configuration

Source: 00000000.00000002.1704733475.00000000001F0000.00000020.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: CobaltStrike {"C2Server": "http://101.78.63.44:None/UphQey", "User Agent": "User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Win64; x64; Trident/6.0; Touch)\r\n"}
Source: 00000000.00000002.1704733475.00000000001F0000.00000020.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: Metasploit {"Headers": "User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Win64; x64; Trident/6.0; Touch)\r\n", "Type": "Metasploit Download", "URL": "http://101.78.63.44/UphQey"}

Multi AV Scanner detection for submitted file

Source: artifact.exe	ReversingLabs: Detection: 91%
Source: artifact.exe	Virustotal: Detection: 81%			Perma Link

Machine Learning detection for sample

Source: artifact.exe

Joe Sandbox ML: detected

Source: artifact.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://101.78.63.44:None/UphQey
Source: Malware configuration extractor	URLs: http://101.78.63.44/UphQey

Source: Joe Sandbox View

ASN Name: CHINATELECOM-CTCLOUDCloudComputingCorporationCN CHINATELECOM-CTCLOUDCloudComputingCorporationCN

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 101.78.63.44:80

Source: unknown	TCP traffic detected without corresponding DNS query: 101.78.63.44
Source: unknown	TCP traffic detected without corresponding DNS query: 101.78.63.44
Source: unknown	TCP traffic detected without corresponding DNS query: 101.78.63.44

Source: artifact.exe, 00000000.00000002.1705027660.00000000007F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://101.78.63.44/
Source: artifact.exe, 00000000.00000002.1705027660.00000000007F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://101.78.63.44/2
Source: artifact.exe, 00000000.00000002.1705027660.00000000007D7000.00000004.00000020.00020000.00000000.sdmp, artifact.exe, 00000000.00000002.1705027660.00000000007AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://101.78.63.44/UphQey
Source: artifact.exe, 00000000.00000002.1705027660.00000000007AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://101.78.63.44/UphQeya
Source: artifact.exe, 00000000.00000002.1705027660.00000000007AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://101.78.63.44/UphQeyp

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.1704733475.00000000001F0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Shellcode_Generic_8c487e57 Author: unknown
Source: 00000000.00000002.1704733475.00000000001F0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon). Author: unknown
Source: 00000000.00000002.1704733475.00000000001F0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon). Author: unknown

Source: C:\Users\user\Desktop\artifact.exe

Code function: 0_2_001F00B5

0_2_001F00B5

Source: artifact.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: 00000000.00000002.1704733475.00000000001F0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Shellcode_Generic_8c487e57 os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Shellcode.Generic, fingerprint = 834caf96192a513aa93ac48fb8d2f3326bf9f08acaf7a27659f688b26e3e57e4, id = 8c487e57-4b8c-488e-a1d9-786ff935fd2c, last_modified = 2022-07-18
Source: 00000000.00000002.1704733475.00000000001F0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_38b8ceec os = windows, severity = x86, description = Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon)., creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 44b9022d87c409210b1d0807f5a4337d73f19559941660267d63cd2e4f2ff342, id = 38b8ceec-601c-4117-b7a0-74720e26bf38, last_modified = 2021-08-23
Source: 00000000.00000002.1704733475.00000000001F0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_24338919 os = windows, severity = x86, description = Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon)., creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = ac76190a84c4bdbb6927c5ad84a40e2145ca9e76369a25ac2ffd727eefef4804, id = 24338919-8efe-4cf2-a23a-a3f22095b42d, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.winEXE@1/0@0/1

Source: artifact.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\artifact.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: artifact.exe	ReversingLabs: Detection: 91%
Source: artifact.exe	Virustotal: Detection: 81%

Source: C:\Users\user\Desktop\artifact.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\artifact.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\artifact.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\artifact.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\artifact.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\artifact.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\artifact.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\artifact.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\artifact.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\artifact.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\artifact.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\artifact.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\artifact.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\artifact.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\artifact.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\artifact.exe	Section loaded: netutils.dll	Jump to behavior

Source: C:\Users\user\Desktop\artifact.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\artifact.exe

Code function: 0_2_00401949 _winmajor,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,

0_2_00401949

Source: C:\Users\user\Desktop\artifact.exe TID: 6624	Thread sleep count: 35 > 30			Jump to behavior
Source: C:\Users\user\Desktop\artifact.exe TID: 6624	Thread sleep time: -350000s >= -30000s			Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: artifact.exe, 00000000.00000002.1705027660.00000000007D7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWx
Source: artifact.exe, 00000000.00000002.1705027660.0000000000805000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\artifact.exe

Code function: 0_2_00401949 _winmajor,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,

0_2_00401949

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\artifact.exe	Code function: 0_2_00401180 Sleep,Sleep,SetUnhandledExceptionFilter,GetProcAddress,_acmdln,malloc,strlen,malloc,memcpy,__initenv,_cexit,_amsg_exit,_initterm,GetStartupInfoA,_initterm,exit,		0_2_00401180
Source: C:\Users\user\Desktop\artifact.exe	Code function: 0_2_004028E0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,		0_2_004028E0

Source: C:\Users\user\Desktop\artifact.exe

Code function: 0_2_00401648 CreateNamedPipeA,ConnectNamedPipe,WriteFile,CloseHandle,

0_2_00401648

Source: C:\Users\user\Desktop\artifact.exe

Code function: 0_2_00402810 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_00402810

Remote Access Functionality

Yara detected CobaltStrike

Source: Yara match	File source: artifact.exe, type: SAMPLE
Source: Yara match	File source: 0.0.artifact.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.artifact.exe.400000.0.unpack, type: UNPACKEDPE

Yara detected Metasploit Payload

Source: Yara match

File source: 00000000.00000002.1704733475.00000000001F0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	2 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
artifact.exe	92%	ReversingLabs	Win32.Backdoor.CobaltStrike
artifact.exe	82%	Virustotal		Browse
artifact.exe	100%	Avira	TR/Crypt.XPACK.Gen7
artifact.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://101.78.63.44/UphQey	0%	Virustotal		Browse
http://101.78.63.44/	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

⊘No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://101.78.63.44:None/UphQey	true		low
http://101.78.63.44/UphQey	true	0%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://101.78.63.44/	artifact.exe, 00000000.00000002.1705027660.00000000007F6000.00000004.00000020.00020000.00000000.sdmp	true	0%, Virustotal, Browse	unknown
http://101.78.63.44/UphQeyp	artifact.exe, 00000000.00000002.1705027660.00000000007AE000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://101.78.63.44/UphQeya	artifact.exe, 00000000.00000002.1705027660.00000000007AE000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://101.78.63.44/2	artifact.exe, 00000000.00000002.1705027660.00000000007F6000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
101.78.63.44	unknown	China		58519	CHINATELECOM-CTCLOUDCloudComputingCorporationCN	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1429039
Start date and time:	2024-04-20 10:12:13 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 1m 58s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	1
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	artifact.exe
Detection:	MAL
Classification:	mal100.troj.winEXE@1/0@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 90% Number of executed functions: 11 Number of non-executed functions: 9
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Simulations

Behavior and APIs

Time	Type	Description
10:13:02	API Interceptor	37x Sleep call for process: artifact.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CHINATELECOM-CTCLOUDCloudComputingCorporationCN	BzmhHwFpCV.elf	Get hash	malicious	Mirai	Browse	101.216.51.220
	MY69DoYgp5.elf	Get hash	malicious	Mirai	Browse	101.131.11.151
	iZYqP2K1UC.elf	Get hash	malicious	Mirai	Browse	101.208.246.4
	tL98mBWW8p.elf	Get hash	malicious	Mirai	Browse	36.114.86.96
	D3qL35jbpG.elf	Get hash	malicious	Mirai	Browse	101.193.228.102
	994LJMbRxE.elf	Get hash	malicious	Mirai	Browse	101.213.138.43
	KX3376Hojb.elf	Get hash	malicious	Mirai	Browse	101.196.46.16
	BNuwexy0tz.elf	Get hash	malicious	Mirai	Browse	182.42.196.27
	arm7.elf	Get hash	malicious	Mirai	Browse	101.195.207.86
	VkiGKeyI3L.elf	Get hash	malicious	Mirai	Browse	101.210.94.140

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	5.451445020356485
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% VXD Driver (31/22) 0.00% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	artifact.exe
File size:	14'336 bytes
MD5:	a7fcd0b15a080167c4c2f05063802a6e
SHA1:	c761d68786ff15b6e991770a8c9aee778dd011e9
SHA256:	9f6ae95b5540d0d6c60e942fa68dee44b2781c58da3f21321f18b8384ab41084
SHA512:	64644039b3c20b861a3186e320e3a0a14119e65c5e37e0aa108515b13e833ef227379d757bb3d7cbf5cb2e37731b37cb846264677f464e5152621b25a71045c3
SSDEEP:	192:AaH+DgGK83SxHn2OQ/dmBI4KBfTgir+xzPDbqUqV/Qjo7AGa:A2+kGKqbOCdWIVBff+xzPnfCXAn
TLSH:	03522A75EA4378F2FD2A897414EBBAFF9FB7E2234C105C86CF94DC4458234A6880664D
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......^.....................4...............0....@.................................!......... ............................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4014b0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics:
Time Stamp:	0x5EDED50B [Tue Jun 9 00:17:15 2020 UTC]
TLS Callbacks:	0x401950, 0x401900
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	dc25ee78e2ef4d36faa0badf1e7461c9

Entrypoint Preview

Instruction
sub esp, 0Ch
mov dword ptr [00405040h], 00000001h
call 00007FD7546BF383h
add esp, 0Ch
jmp 00007FD7546BDCEBh
lea esi, dword ptr [esi+00000000h]
sub esp, 0Ch
mov dword ptr [00405040h], 00000000h
call 00007FD7546BF363h
add esp, 0Ch
jmp 00007FD7546BDCCBh
nop
nop
nop
nop
nop
nop
push ebp
mov ebp, esp
sub esp, 18h
mov eax, dword ptr [00403420h]
test eax, eax
je 00007FD7546BE06Eh
mov dword ptr [esp], 00404020h
call dword ptr [00406168h]
mov edx, 00000000h
sub esp, 04h
test eax, eax
je 00007FD7546BE048h
mov dword ptr [esp+04h], 0040402Eh
mov dword ptr [esp], eax
call dword ptr [0040616Ch]
sub esp, 08h
mov edx, eax
test edx, edx
je 00007FD7546BE03Bh
mov dword ptr [esp], 00403420h
call edx
leave
ret
lea esi, dword ptr [esi+00h]
push ebp
mov ebp, esp
pop ebp
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
pop ebp
jmp eax
push ebp
mov ebp, esp
sub esp, 10h
mov edx, dword ptr [0040300Ch]
mov eax, dword ptr [ebp+08h]
test edx, edx
jle 00007FD7546BE052h
cmp dword ptr [00403010h], 00000000h
jle 00007FD7546BE049h
mov ecx, dword ptr [00000068h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6000	0x6ec	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x8000	0x18	.tls
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x6138	0xfc	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1d44	0x1e00	7cb51d8c80820cb459af5e2ae8fd85b6	False	0.5514322916666666	data	5.870338373030558	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x3000	0x424	0x600	bb8565cc97daf6f651bb651c348c768b	False	0.578125	data	5.4498317577935715	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x4000	0x2f4	0x400	a40946782f5af553dfb4e92f5f8b97c5	False	0.4658203125	data	4.36563919678268	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.bss	0x5000	0x45c	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x6000	0x6ec	0x800	1fa811f6451d1b5dbef8208d24ba67ab	False	0.37451171875	data	4.201011654172533	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x7000	0x34	0x200	9de5f1d116d44b01311bad1a72865561	False	0.06640625	Matlab v4 mat-file (little endian) \340\032@, numeric, rows 4198416, columns 0	0.2491299020576082	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x8000	0x20	0x200	fbb2f655a2d41a7ed1460a18df87b605	False	0.05078125	data	0.22482003450968063	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL

Import

KERNEL32.dll

CloseHandle, ConnectNamedPipe, CreateFileA, CreateNamedPipeA, CreateThread, DeleteCriticalSection, EnterCriticalSection, FreeLibrary, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetLastError, GetModuleHandleA, GetProcAddress, GetStartupInfoA, GetSystemTimeAsFileTime, GetTickCount, InitializeCriticalSection, LeaveCriticalSection, LoadLibraryA, LoadLibraryW, QueryPerformanceCounter, ReadFile, SetUnhandledExceptionFilter, Sleep, TerminateProcess, TlsGetValue, UnhandledExceptionFilter, VirtualAlloc, VirtualProtect, VirtualQuery, WriteFile

msvcrt.dll

__dllonexit, __getmainargs, __initenv, __lconv_init, __set_app_type, __setusermatherr, _acmdln, _amsg_exit, _cexit, _fmode, _initterm, _iob, _lock, _onexit, _unlock, _winmajor, abort, calloc, exit, fprintf, free, fwrite, malloc, memcpy, signal, sprintf, strlen, strncmp, vfprintf

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 20, 2024 10:13:04.132730961 CEST	49730	80	192.168.2.4	101.78.63.44
Apr 20, 2024 10:13:05.133074999 CEST	49730	80	192.168.2.4	101.78.63.44
Apr 20, 2024 10:13:07.133078098 CEST	49730	80	192.168.2.4	101.78.63.44

Target ID:	0
Start time:	10:13:01
Start date:	20/04/2024
Path:	C:\Users\user\Desktop\artifact.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\artifact.exe"
Imagebase:	0x400000
File size:	14'336 bytes
MD5 hash:	A7FCD0B15A080167C4C2F05063802A6E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000000.00000002.1704733475.00000000001F0000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Shellcode_Generic_8c487e57, Description: unknown, Source: 00000000.00000002.1704733475.00000000001F0000.00000020.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Metasploit_38b8ceec, Description: Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon)., Source: 00000000.00000002.1704733475.00000000001F0000.00000020.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Metasploit_24338919, Description: Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon)., Source: 00000000.00000002.1704733475.00000000001F0000.00000020.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	12.1%
Dynamic/Decrypted Code Coverage:	2.1%
Signature Coverage:	15.7%
Total number of Nodes:	338
Total number of Limit Nodes:	5

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00401180 Relevance: 19.7, APIs: 13, Instructions: 199
sleeplibrarystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 0040120F
SetUnhandledExceptionFilter.KERNEL32 ref: 004012A4
GetProcAddress.KERNEL32 ref: 004012C2
malloc.MSVCRT ref: 00401359
strlen.MSVCRT ref: 00401376
malloc.MSVCRT ref: 00401381
memcpy.MSVCRT ref: 0040139D
_cexit.MSVCRT ref: 00401407
GetStartupInfoA.KERNEL32 ref: 00401476

Memory Dump Source

Source File: 00000000.00000002.1704834734.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1704745349.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704858808.0000000000403000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704883438.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704907716.0000000000406000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_artifact.jbxd

Similarity

API ID: malloc$AddressExceptionFilterInfoProcSleepStartupUnhandled_cexitmemcpystrlen
String ID:
API String ID: 2757201259-0
Opcode ID: 0896d371e4306826ea3b516f5471f02d2ee70c75e097cf85678b9c61fcbc2401
Instruction ID: caf7f87113209765f89ec29b7d99b9664cb1a8752d2cc1e2126da42f9d288e33
Opcode Fuzzy Hash: 0896d371e4306826ea3b516f5471f02d2ee70c75e097cf85678b9c61fcbc2401
Instruction Fuzzy Hash: A9814CB09086008FD710EF69DA8475E7BE0FB45308F41853EE984BB3A2D77998448F9A

Uniqueness

Uniqueness Score: -1.00%

Function 00401648 Relevance: 6.1, APIs: 4, Instructions: 57
pipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateNamedPipeA.KERNEL32 ref: 0040169D
ConnectNamedPipe.KERNELBASE ref: 004016BB
CloseHandle.KERNEL32 ref: 00401704

Memory Dump Source

Source File: 00000000.00000002.1704834734.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1704745349.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704858808.0000000000403000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704883438.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704907716.0000000000406000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_artifact.jbxd

Similarity

API ID: NamedPipe$CloseConnectCreateHandle
String ID:
API String ID: 2614152119-0
Opcode ID: 7211f97730a076d644bb01eb69bcf7beb0e4917fcdd1c76a291498aa5cb8fa3e
Instruction ID: c2fb21887016c7fc5506753a325a02489ab236c223c86ee3073f682f81f730fa
Opcode Fuzzy Hash: 7211f97730a076d644bb01eb69bcf7beb0e4917fcdd1c76a291498aa5cb8fa3e
Instruction Fuzzy Hash: 2E2147B18043019FD7009F69C94879FBBF4EF80354F01C92EE895AB291D3B995488F96

Uniqueness

Uniqueness Score: -1.00%

Function 001F00B5 Relevance: 1.6, APIs: 1, Instructions: 136
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetConnectA.WININET(C69F8957,00000000,001F030C,00000050,00000000,00000000,00000003,00000000,00000000,?,696E6977,0074656E), ref: 001F00CA

Part of subcall function 001F00CE: HttpOpenRequestA.WININET(3B2E55EB,00000000,00000000,001F0143,00000000,00000000,00000000,84400200,00000000,?,696E6977,0074656E), ref: 001F00E2

Memory Dump Source

Source File: 00000000.00000002.1704733475.00000000001F0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_artifact.jbxd

Yara matches

Similarity

API ID: ConnectHttpInternetOpenRequest
String ID:
API String ID: 1341064763-0
Opcode ID: 87ff5076aafd84f36198dfb525d5f7a4556b83a43a4f2e81485eac528133ddf0
Instruction ID: 30e61125b6b33b8d9044e018759a3f09982c32566553e52c8fd65703d5537c9b
Opcode Fuzzy Hash: 87ff5076aafd84f36198dfb525d5f7a4556b83a43a4f2e81485eac528133ddf0
Instruction Fuzzy Hash: B141AB6511E3E969DB1B8B7889AD5FABF50AE07300B2C05CCD0C10F4A3D7C0D566C3AA

Uniqueness

Uniqueness Score: -1.00%

Function 00401840 Relevance: 22.8, APIs: 3, Strings: 10, Instructions: 31
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00401846
sprintf.MSVCRT ref: 004018B0
CreateThread.KERNELBASE ref: 004018E4

Strings

\, xrefs: 00401853
D@@, xrefs: 0040189D
p, xrefs: 00401873
e, xrefs: 0040185B
i, xrefs: 0040186B
., xrefs: 00401885
\, xrefs: 0040187D
p, xrefs: 00401863
\, xrefs: 00401895
\, xrefs: 0040188D

Memory Dump Source

Source File: 00000000.00000002.1704834734.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1704745349.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704858808.0000000000403000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704883438.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704907716.0000000000406000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_artifact.jbxd

Similarity

API ID: CountCreateThreadTicksprintf
String ID: .$D@@$\$\$\$\$e$i$p$p
API String ID: 1367138260-2424406903
Opcode ID: ff8628f5b1a4ddc711573d3f95a49cca88853ba2bddca83b23de660047b0d17b
Instruction ID: fe91bf6ba0e5a58d40950432c0aa4372ad4abb89053ee6ec7080849c8075752a
Opcode Fuzzy Hash: ff8628f5b1a4ddc711573d3f95a49cca88853ba2bddca83b23de660047b0d17b
Instruction Fuzzy Hash: 41017EB4408741DFE300DF15D54C70BBEE5AB84749F108A1DE5992B291C7FE86588F9B

Uniqueness

Uniqueness Score: -1.00%

Function 0040158E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51
memorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 004015B5
VirtualProtect.KERNELBASE ref: 00401600
CreateThread.KERNELBASE ref: 00401634

Strings

, xrefs: 004015F8

Memory Dump Source

Source File: 00000000.00000002.1704834734.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1704745349.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704858808.0000000000403000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704883438.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704907716.0000000000406000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_artifact.jbxd

Similarity

API ID: Virtual$AllocCreateProtectThread
String ID:
API String ID: 3039780055-3916222277
Opcode ID: 8c9b4925f2c38331d7960091a977156a5f2d224e9d77caf502326824ff6bd4f4
Instruction ID: ab7ecbb8b4d0cfa2b4e35fa7a7a6139784d06835c8a712c6c1e4e78079e308d8
Opcode Fuzzy Hash: 8c9b4925f2c38331d7960091a977156a5f2d224e9d77caf502326824ff6bd4f4
Instruction Fuzzy Hash: 51114CB0409344AFD700AF69C55835EFFF4FF84714F41882EE89A9B251D37894158F96

Uniqueness

Uniqueness Score: -1.00%

Function 00401732 Relevance: 4.6, APIs: 3, Instructions: 50
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE ref: 0040177F
FindCloseChangeNotification.KERNELBASE ref: 004017CE

Memory Dump Source

Source File: 00000000.00000002.1704834734.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1704745349.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704858808.0000000000403000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704883438.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704907716.0000000000406000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_artifact.jbxd

Similarity

API ID: ChangeCloseCreateFileFindNotification
String ID:
API String ID: 727422849-0
Opcode ID: e28018d6bba379c47652cf01ac0f52033d30b3a841358745df5ed769183f4fb6
Instruction ID: be2562d6f34abf3596d3625e9fdd9efa4af1695c40b9771668e845dcbdfb8629
Opcode Fuzzy Hash: e28018d6bba379c47652cf01ac0f52033d30b3a841358745df5ed769183f4fb6
Instruction Fuzzy Hash: 07116AB08043059BD700AF69C48879FBBF4FB84364F00C92EE8A567391D3B885098FD6

Uniqueness

Uniqueness Score: -1.00%

Function 001F00CE Relevance: 3.1, APIs: 2, Instructions: 75
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HttpOpenRequestA.WININET(3B2E55EB,00000000,00000000,001F0143,00000000,00000000,00000000,84400200,00000000,?,696E6977,0074656E), ref: 001F00E2
ExitProcess.KERNEL32(56A2B5F0,?,696E6977,0074656E), ref: 001F02C8

Memory Dump Source

Source File: 00000000.00000002.1704733475.00000000001F0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_artifact.jbxd

Yara matches

Similarity

API ID: ExitHttpOpenProcessRequest
String ID:
API String ID: 4217525295-0
Opcode ID: c825f18c99f9df7cf564f541a7d8b5394c2efc7e3cb1da508c9495459e7d8d3c
Instruction ID: c8273e1c552f8a5bcb3a5f847a0879837e992a95eb542fe01d2ff5ba3e34752c
Opcode Fuzzy Hash: c825f18c99f9df7cf564f541a7d8b5394c2efc7e3cb1da508c9495459e7d8d3c
Instruction Fuzzy Hash: 310128A178524D3AF73501B79C9AF3B695DCBC9FE4F268128B608921C1EE50DC008038

Uniqueness

Uniqueness Score: -1.00%

Function 004017E2 Relevance: 2.5, APIs: 2, Instructions: 30
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 004017F2
Sleep.KERNELBASE ref: 00401806

Part of subcall function 00401732: CreateFileA.KERNELBASE ref: 0040177F

Memory Dump Source

Source File: 00000000.00000002.1704834734.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1704745349.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704858808.0000000000403000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704883438.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704907716.0000000000406000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_artifact.jbxd

Similarity

API ID: CreateFileSleepmalloc
String ID:
API String ID: 1916127908-0
Opcode ID: c8d9fe3cdf8be18cd1aebcc6d5cf113ad35aad66be6e8e6627d307ecd541ead5
Instruction ID: 23489b1e7db7791da7ad07f796b6cb5a3409a33c5bdae94927da59e9009fe16f
Opcode Fuzzy Hash: c8d9fe3cdf8be18cd1aebcc6d5cf113ad35aad66be6e8e6627d307ecd541ead5
Instruction Fuzzy Hash: 63F0FEB05093049BD700BF6ADA8541ABFE8EB48359F41483EEA88E7355D734A9408F5A

Uniqueness

Uniqueness Score: -1.00%

Function 001F02B5 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(56A2B5F0,?,696E6977,0074656E), ref: 001F02C8

Memory Dump Source

Source File: 00000000.00000002.1704733475.00000000001F0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f0000_artifact.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 2b286968ddc1a49ec0ddd2bc3c89754808bb0da514edcfefc3e388cd992a2a8e
Instruction ID: dff2dc9fca5b5713ed5cc4f1b95d88c0a30b93362796b45392ce308c3a8f9244
Opcode Fuzzy Hash: 2b286968ddc1a49ec0ddd2bc3c89754808bb0da514edcfefc3e388cd992a2a8e
Instruction Fuzzy Hash: DEB0921558B6A99D86035731592FAEBBF440C0321038E888FC0446F897D316C1A542EA

Uniqueness

Uniqueness Score: -1.00%

Function 00402CD0 Relevance: 1.3, APIs: 1, Instructions: 16
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00401840: GetTickCount.KERNEL32 ref: 00401846
Part of subcall function 00401840: sprintf.MSVCRT ref: 004018B0
Part of subcall function 00401840: CreateThread.KERNELBASE ref: 004018E4

Sleep.KERNELBASE(00000000), ref: 00402D00

Memory Dump Source

Source File: 00000000.00000002.1704834734.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1704745349.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704858808.0000000000403000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704883438.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704907716.0000000000406000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_artifact.jbxd

Similarity

API ID: CountCreateSleepThreadTicksprintf
String ID:
API String ID: 2384577035-0
Opcode ID: bd8f3d9e59f49267480f3634579cdc376b1d03b417cd4c0d905da31a9f0f6df8
Instruction ID: cf4a89c8a94c25b0ee02edaa7cc70f75c59475cb57c0e2ce054420fc0d344a57
Opcode Fuzzy Hash: bd8f3d9e59f49267480f3634579cdc376b1d03b417cd4c0d905da31a9f0f6df8
Instruction Fuzzy Hash: ECD05B7040C2047BD6407F55CD45A2A7B58FB05354F00092CF995162D6DA791850667B

Uniqueness

Uniqueness Score: -1.00%

Function 00402CDA Relevance: 1.3, APIs: 1, Instructions: 13
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00401840: GetTickCount.KERNEL32 ref: 00401846
Part of subcall function 00401840: sprintf.MSVCRT ref: 004018B0
Part of subcall function 00401840: CreateThread.KERNELBASE ref: 004018E4

Sleep.KERNELBASE(00000000), ref: 00402D00

Memory Dump Source

Source File: 00000000.00000002.1704834734.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1704745349.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704858808.0000000000403000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704883438.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704907716.0000000000406000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_artifact.jbxd

Similarity

API ID: CountCreateSleepThreadTicksprintf
String ID:
API String ID: 2384577035-0
Opcode ID: beed4f5e477bc4de7a76f8f993676898df3c6d29b118f36d5a26f91d1cf54b3c
Instruction ID: 5efa37f52187eedb4945f577d34cabbe14a236f11a9762c65c4e008d846ef068
Opcode Fuzzy Hash: beed4f5e477bc4de7a76f8f993676898df3c6d29b118f36d5a26f91d1cf54b3c
Instruction Fuzzy Hash: 92D012B040C2046BE6407F69C945A2B7A9CFB04388F01083DED85162C7CABD185066BB

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00401949 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 85
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 004019A5
GetProcAddress.KERNEL32 ref: 004019CC
GetProcAddress.KERNEL32 ref: 004019E6
FreeLibrary.KERNEL32 ref: 00401A5A

Strings

0p@, xrefs: 00401A83
0p@, xrefs: 00401A9F
0p@, xrefs: 00401A88
u@@, xrefs: 004019C1

Memory Dump Source

Source File: 00000000.00000002.1704834734.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1704745349.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704858808.0000000000403000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704883438.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704907716.0000000000406000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_artifact.jbxd

Similarity

API ID: AddressLibraryProc$FreeLoad
String ID: 0p@$0p@$0p@$u@@
API String ID: 2256533930-709996013
Opcode ID: 4ca651e4fae0634099a83d279d20d672a55cd66a2c119adacc1e932fecc0e34e
Instruction ID: 34d6fccde5c68b87c573635ca5f6feadaf6b8f8ab0358a6d14f9fcf661f388c2
Opcode Fuzzy Hash: 4ca651e4fae0634099a83d279d20d672a55cd66a2c119adacc1e932fecc0e34e
Instruction Fuzzy Hash: 463141B16066008BD7109F68DAC875B7BE4FB80305F44853EE844BB3B1D37A9994CF8A

Uniqueness

Uniqueness Score: -1.00%

Function 00402810 Relevance: 7.6, APIs: 5, Instructions: 51timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00402867
GetCurrentProcessId.KERNEL32 ref: 0040287C
GetCurrentThreadId.KERNEL32 ref: 00402884
GetTickCount.KERNEL32 ref: 0040288C
QueryPerformanceCounter.KERNEL32 ref: 0040289B

Memory Dump Source

Source File: 00000000.00000002.1704834734.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1704745349.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704858808.0000000000403000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704883438.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704907716.0000000000406000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_artifact.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 22833428e81146e0a5c52e8d77171e58052e69936402a7b322efee44ae5d86d5
Instruction ID: cc31347c17379e6945de62dc4fed4c1f87cf7c797c04cbb890476670299d8cea
Opcode Fuzzy Hash: 22833428e81146e0a5c52e8d77171e58052e69936402a7b322efee44ae5d86d5
Instruction Fuzzy Hash: 0B110AB58083088FC300EF69D64811ABBF0BB88344F454A3DE985AB351EB75DA54CF8A

Uniqueness

Uniqueness Score: -1.00%

Function 004028E0 Relevance: 7.5, APIs: 5, Instructions: 37COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 0040292F
UnhandledExceptionFilter.KERNEL32 ref: 0040293F
GetCurrentProcess.KERNEL32 ref: 00402948
TerminateProcess.KERNEL32 ref: 00402959
abort.MSVCRT ref: 00402962

Memory Dump Source

Source File: 00000000.00000002.1704834734.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1704745349.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704858808.0000000000403000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704883438.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704907716.0000000000406000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_artifact.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
String ID:
API String ID: 520269711-0
Opcode ID: a7ce449f81dac3b55e41422608254bfeb6744166700c5fa2a1b601d02114f5bc
Instruction ID: c81f2c63a292368498da3dfc2163c21b224d5074d04612caf218b5d2161d737d
Opcode Fuzzy Hash: a7ce449f81dac3b55e41422608254bfeb6744166700c5fa2a1b601d02114f5bc
Instruction Fuzzy Hash: 180192B4804604DFD700EFB9EA4924A7BF0FB49305F018539E989AB325E7B49954CF9A

Uniqueness

Uniqueness Score: -1.00%

Function 00401E50 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 185
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fwrite.MSVCRT ref: 00401E7B
vfprintf.MSVCRT ref: 00401E97
abort.MSVCRT ref: 00401E9C
VirtualQuery.KERNEL32 ref: 00401F51
VirtualQuery.KERNEL32 ref: 00401F89
memcpy.MSVCRT ref: 00401FAE

Strings

@, xrefs: 00402054

Memory Dump Source

Source File: 00000000.00000002.1704834734.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1704745349.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704858808.0000000000403000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704883438.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704907716.0000000000406000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_artifact.jbxd

Similarity

API ID: QueryVirtual$abortfwritememcpyvfprintf
String ID: @
API String ID: 3828011698-2766056989
Opcode ID: e32a1385863e959df9be4258968a2de80bc7a8fbb60befc8a34616536ed87dbd
Instruction ID: fa2a899f518313baa766925860d0dcfa7db237cf959ac16a6f7a9b8b98f83dad
Opcode Fuzzy Hash: e32a1385863e959df9be4258968a2de80bc7a8fbb60befc8a34616536ed87dbd
Instruction Fuzzy Hash: F071F8B19083019FD710EF69D68451FBBE0FB84344F51892EF989AB391D778E844CB8A

Uniqueness

Uniqueness Score: -1.00%

Function 00401BF0 Relevance: 9.1, APIs: 6, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

signal.MSVCRT ref: 00401C1F
signal.MSVCRT ref: 00401C91
signal.MSVCRT ref: 00401D4F

Memory Dump Source

Source File: 00000000.00000002.1704834734.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1704745349.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704858808.0000000000403000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704883438.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704907716.0000000000406000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_artifact.jbxd

Similarity

API ID: signal
String ID:
API String ID: 1946981877-0
Opcode ID: 40efb0478bb03fd93f9cf4e433f08c71c49adf31f8cd8fa26b6b64571fd07455
Instruction ID: 31fda9add73c80aaf962d61d05ad18905034e614423a930bd2037992e55a8d12
Opcode Fuzzy Hash: 40efb0478bb03fd93f9cf4e433f08c71c49adf31f8cd8fa26b6b64571fd07455
Instruction Fuzzy Hash: F8312CB054C2014BF7206B69858435F76D0AB45328F154B2FE8A5EB3E0C7BDC8C5979B

Uniqueness

Uniqueness Score: -1.00%

Function 00401B10 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

_lock.MSVCRT ref: 00401B39
__dllonexit.MSVCRT ref: 00401B73
_unlock.MSVCRT ref: 00401BA3
_onexit.MSVCRT ref: 00401BB3

Memory Dump Source

Source File: 00000000.00000002.1704834734.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1704745349.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704858808.0000000000403000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704883438.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704907716.0000000000406000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_artifact.jbxd

Similarity

API ID: __dllonexit_lock_onexit_unlock
String ID:
API String ID: 209411981-0
Opcode ID: 270069bba0798b0e4740df1d318cefa85a4af748aac3f4e2a22aa8cb5c6bf12c
Instruction ID: 2465752408bea5ed21686405082ad7dcec20a190ed2a55635f154f6b09a614bc
Opcode Fuzzy Hash: 270069bba0798b0e4740df1d318cefa85a4af748aac3f4e2a22aa8cb5c6bf12c
Instruction Fuzzy Hash: 471172B49097018BC700EF79D9C965EBBE0BB48349F41493EF484A73A2E77894949F86

Uniqueness

Uniqueness Score: -1.00%

Function 004014F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00401506
GetProcAddress.KERNEL32 ref: 00401523

Strings

.@@, xrefs: 00401518

Memory Dump Source

Source File: 00000000.00000002.1704834734.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1704745349.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704858808.0000000000403000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704883438.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704907716.0000000000406000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_artifact.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: .@@
API String ID: 1646373207-1261943917
Opcode ID: 170f8e7740f22e88c8547e62771cf9cf30410d308f47294af9cecec8ea975b23
Instruction ID: 138d2ec15cf2da010f499937370b7f1ecb1461c5101d83193fee8c8a9e689fae
Opcode Fuzzy Hash: 170f8e7740f22e88c8547e62771cf9cf30410d308f47294af9cecec8ea975b23
Instruction Fuzzy Hash: D1E0EDB560430157D7107F78AA0921B7EE4AB81305F858439D982BB295EB78C815875A

Uniqueness

Uniqueness Score: -1.00%

Function 00402A70 Relevance: 5.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00402A8F
free.MSVCRT ref: 00402ADF
LeaveCriticalSection.KERNEL32 ref: 00402AEB

Memory Dump Source

Source File: 00000000.00000002.1704834734.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1704745349.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704858808.0000000000403000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704883438.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704907716.0000000000406000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_artifact.jbxd

Similarity

API ID: CriticalSection$EnterLeavefree
String ID:
API String ID: 4020351045-0
Opcode ID: 828cd1b5d21274585a5f27dbdf47b48eac2805e8dff15c491d88dfeef477ea7b
Instruction ID: 207df5b4a7935bfb9233df31f262c1f56ca4f736ffdf13fbfb9fc7f0f1967052
Opcode Fuzzy Hash: 828cd1b5d21274585a5f27dbdf47b48eac2805e8dff15c491d88dfeef477ea7b
Instruction Fuzzy Hash: 4D0161707142018FC710BF68DA8841B7BF1FB44341B64457AD846EB3C1EBB89854CF4A

Uniqueness

Uniqueness Score: -1.00%

Function 00402970 Relevance: 5.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0040297E
TlsGetValue.KERNEL32 ref: 004029A5
GetLastError.KERNEL32 ref: 004029AC
LeaveCriticalSection.KERNEL32 ref: 004029CC

Memory Dump Source

Source File: 00000000.00000002.1704834734.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1704745349.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704858808.0000000000403000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704883438.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704907716.0000000000406000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_artifact.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeaveValue
String ID:
API String ID: 682475483-0
Opcode ID: b7f7ea959ab3ad087e25ec29e2cbc8bd56614734389a7cabe3a8653af3328612
Instruction ID: 2b094d646b23bf8bddbc3419bcc70322d9fd2dac3922e53017257648de6f58a1
Opcode Fuzzy Hash: b7f7ea959ab3ad087e25ec29e2cbc8bd56614734389a7cabe3a8653af3328612
Instruction Fuzzy Hash: A2F0A4B1A007048FCB107F78EA8851B7BB4EB44381F060539DD856F385D774A818CBAA

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report artifact.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: CobaltStrike

Threatname: Metasploit

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Network Port Distribution

TCP Packets

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: artifact.exePID: 6652, Parent PID: 2580

General

Chronological Activities

Windows Analysis Report
artifact.exe

Function 00401180 Relevance: 19.7, APIs: 13, Instructions: 199
sleeplibrarystringCOMMON

Function 00401648 Relevance: 6.1, APIs: 4, Instructions: 57
pipeCOMMON

Function 001F00B5 Relevance: 1.6, APIs: 1, Instructions: 136
networkCOMMON

Function 00401840 Relevance: 22.8, APIs: 3, Strings: 10, Instructions: 31
threadCOMMON

Function 0040158E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51
memorythreadCOMMON

Function 00401732 Relevance: 4.6, APIs: 3, Instructions: 50
fileCOMMON

Function 001F00CE Relevance: 3.1, APIs: 2, Instructions: 75
networkCOMMON

Function 004017E2 Relevance: 2.5, APIs: 2, Instructions: 30
sleepCOMMON

Function 001F02B5 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Function 00402CD0 Relevance: 1.3, APIs: 1, Instructions: 16
sleepCOMMON

Function 00402CDA Relevance: 1.3, APIs: 1, Instructions: 13
sleepCOMMON

Function 00401949 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 85
libraryloaderCOMMON

Function 00401E50 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 185
fileCOMMON

Function 00401BF0 Relevance: 9.1, APIs: 6, Instructions: 95
COMMON