Windows
Analysis Report
xVcsGL5R1Nbh.exe
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- xVcsGL5R1Nbh.exe (PID: 6844 cmdline:
"C:\Users\ user\Deskt op\xVcsGL5 R1Nbh.exe" MD5: CBE87D6ABF69BDD3877821F493E6F6B1) - cmd.exe (PID: 5164 cmdline:
cmd.exe /C Y /N /D Y /T 1 & De l "C:\User s\user\Des ktop\xVcsG L5R1Nbh.ex e" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 7064 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
NjRAT | RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives."It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored. |
{"Host": "patria.duckdns.org", "Port": "1994", "Campaign ID": "NYAN CAT", "Network Seprator": "@!#&^%$", "Registry": "4ee9f9af7e9"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Njrat | Yara detected Njrat | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Njrat | Yara detected Njrat | Joe Security | ||
JoeSecurity_Njrat | Yara detected Njrat | Joe Security | ||
JoeSecurity_Njrat | Yara detected Njrat | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Njrat | Yara detected Njrat | Joe Security |
Timestamp: | 04/23/24-00:07:13.366284 |
SID: | 2825564 |
Source Port: | 49730 |
Destination Port: | 1994 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 04/23/24-00:06:12.129270 |
SID: | 2033132 |
Source Port: | 49730 |
Destination Port: | 1994 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 04/23/24-00:06:12.504132 |
SID: | 2825563 |
Source Port: | 49730 |
Destination Port: | 1994 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 04/23/24-00:07:13.518261 |
SID: | 2825565 |
Source Port: | 49730 |
Destination Port: | 1994 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Click to jump to signature section
AV Detection |
---|
Source: | Avira: |
Source: | Malware Configuration Extractor: |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
Source: | File opened: | Jump to behavior |
Source: | Static PE information: |
Networking |
---|
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: |
Source: | URLs: |
Source: | DNS query: |
Source: | TCP traffic: |
Source: | ASN Name: |
Source: | UDP traffic detected without corresponding DNS query: |
Source: | DNS traffic detected: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Key, Mouse, Clipboard, Microphone and Screen Capturing |
---|
Source: | .Net Code: |
E-Banking Fraud |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | Code function: | 0_2_011B19F0 |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Static PE information: |
Source: | Classification label: |
Source: | Code function: | 0_2_04D0255A | |
Source: | Code function: | 0_2_04D02523 |
Source: | File created: | Jump to behavior |
Source: | Mutant created: | ||
Source: | Mutant created: | ||
Source: | Mutant created: | ||
Source: | Mutant created: |
Source: | Static PE information: |
Source: | Static file information: |
Source: | Key opened: | Jump to behavior |
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | Jump to behavior |
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Source: | File opened: | Jump to behavior |
Source: | Static PE information: |
Source: | File opened: | Jump to behavior |
Source: | Static PE information: |
Data Obfuscation |
---|
Source: | .Net Code: |
Hooking and other Techniques for Hiding and Protection |
---|
Source: | Process created: | |||
Source: | Process created: | Jump to behavior |
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior |
Source: | Memory allocated: | Jump to behavior | ||
Source: | Memory allocated: | Jump to behavior | ||
Source: | Memory allocated: | Jump to behavior |
Source: | Window / User API: | Jump to behavior | ||
Source: | Window / User API: | Jump to behavior | ||
Source: | Window / User API: | Jump to behavior | ||
Source: | Window / User API: | Jump to behavior |
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior |
Source: | Last function: |
Source: | Binary or memory string: |
Source: | Process token adjusted: | Jump to behavior |
Source: | Memory allocated: | Jump to behavior |
HIPS / PFW / Operating System Protection Evasion |
---|
Source: | Reference to suspicious API methods: | ||
Source: | Reference to suspicious API methods: | ||
Source: | Reference to suspicious API methods: |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Queries volume information: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Stealing of Sensitive Information |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Remote Access Functionality |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 Access Token Manipulation | 1 Masquerading | 1 Input Capture | 1 Security Software Discovery | Remote Services | 1 Input Capture | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 2 Process Injection | 2 Virtualization/Sandbox Evasion | LSASS Memory | 2 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 1 Archive Collected Data | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 1 Disable or Modify Tools | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Access Token Manipulation | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 21 Application Layer Protocol | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 2 Process Injection | LSA Secrets | 12 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Software Packing | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 File Deletion | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
100% | Avira | TR/Dropper.Gen7 | ||
100% | Joe Sandbox ML |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | URL Reputation | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
patria.duckdns.org | 46.246.6.20 | true | true | unknown |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
true | unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false |
| unknown | ||
false | low |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
46.246.6.20 | patria.duckdns.org | Sweden | 42708 | PORTLANEwwwportlanecomSE | true |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1429973 |
Start date and time: | 2024-04-23 00:05:09 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 4m 18s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 8 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | xVcsGL5R1Nbh.exe |
Detection: | MAL |
Classification: | mal100.troj.spyw.evad.winEXE@4/1@1/1 |
EGA Information: |
|
HCA Information: |
|
Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtQueryValueKey calls found.
- VT rate limit hit for: xVcsGL5R1Nbh.exe
Time | Type | Description |
---|---|---|
00:06:40 | API Interceptor |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
46.246.6.20 | Get hash | malicious | Njrat | Browse | ||
Get hash | malicious | AsyncRAT | Browse | |||
Get hash | malicious | Njrat | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
patria.duckdns.org | Get hash | malicious | Njrat | Browse |
| |
Get hash | malicious | Njrat | Browse |
| ||
Get hash | malicious | Njrat | Browse |
| ||
Get hash | malicious | Njrat | Browse |
| ||
Get hash | malicious | Njrat | Browse |
| ||
Get hash | malicious | Njrat | Browse |
| ||
Get hash | malicious | Njrat | Browse |
| ||
Get hash | malicious | Njrat | Browse |
| ||
Get hash | malicious | Njrat | Browse |
| ||
Get hash | malicious | Njrat | Browse |
|
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
PORTLANEwwwportlanecomSE | Get hash | malicious | Njrat | Browse |
| |
Get hash | malicious | AsyncRAT, DcRat | Browse |
| ||
Get hash | malicious | Mirai, Okiru | Browse |
| ||
Get hash | malicious | Njrat | Browse |
| ||
Get hash | malicious | Njrat | Browse |
| ||
Get hash | malicious | Njrat | Browse |
| ||
Get hash | malicious | Njrat | Browse |
| ||
Get hash | malicious | AsyncRAT | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
|
Process: | C:\Users\user\Desktop\xVcsGL5R1Nbh.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 907 |
Entropy (8bit): | 5.243019596074263 |
Encrypted: | false |
SSDEEP: | 24:MLF2CpI329Iz52VMzffup26KTnKoO2+b2hHAa/:MwQd9IzoaXuY6Ux+SF/ |
MD5: | 48A0572426885EBDE53CA62C7F2E194E |
SHA1: | 035628CDF6276367F6C83E9F4AA2172933850AA8 |
SHA-256: | 4C68E10691304CAC8DA65A05CF2580728EC0E294104F267840712AF1C46A6538 |
SHA-512: | DEFE728C2312918D94BD43C98908C08CCCA5EBFB77F873779DCA784F14C607B33A4E29AC5ECB798F2F741668B7692F72BCB60DEFD536EA86B296B64FA359C42D |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
File type: | |
Entropy (8bit): | 3.79842206282092 |
TrID: |
|
File name: | xVcsGL5R1Nbh.exe |
File size: | 32'768 bytes |
MD5: | cbe87d6abf69bdd3877821f493e6f6b1 |
SHA1: | 4099bc3848634a8d5ca58cd8c0fe029748b368e9 |
SHA256: | 76bd193c0535e6109143d35950e045e03fb25c4ab8419ca6fa69c4fbea4cd085 |
SHA512: | 3c762fe9283dea8e9b007d477e0e979dd157bc271e8da4b68e5af8762245d0335283284eeec90246c767e9c31f8e456871ecfe392b350c6236be83819dcb4a5a |
SSDEEP: | 384:h0bUe5XB4e0XvOb7w0Q0mS03AWTxtTUFQqzFzObbt:6T9Bum455dRbt |
TLSH: | 69E218467BE94215D6BC1AFC8CB313214772E3838532EB6F9CDC98CA4B676D00245EE9 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....&f.................P... ......ng... ........@.. ....................................@................................ |
Icon Hash: | 90cececece8e8eb0 |
Entrypoint: | 0x40676e |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x6626DA9A [Mon Apr 22 21:46:02 2024 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | f34d5f2d4577ed6d9ceec516c1f5a744 |
Instruction |
---|
jmp dword ptr [00402000h] |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6714 | 0x57 | .text |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x8000 | 0x2a0 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xa000 | 0xc | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x2000 | 0x4774 | 0x5000 | b00b74176e982e3c39043b9036e20959 | False | 0.474853515625 | data | 5.288956411742384 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rsrc | 0x8000 | 0x2a0 | 0x1000 | 72e29550a9764ae2ca0bc9263e829114 | False | 0.07666015625 | data | 0.6655850551657312 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0xa000 | 0xc | 0x1000 | 34585954bedb30c5084980db7d41ad8f | False | 0.0087890625 | data | 0.013126943721219527 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_VERSION | 0x8058 | 0x244 | data | 0.46379310344827585 |
DLL | Import |
---|---|
mscoree.dll | _CorExeMain |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
04/23/24-00:07:13.366284 | TCP | 2825564 | ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) | 49730 | 1994 | 192.168.2.4 | 46.246.6.20 |
04/23/24-00:06:12.129270 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49730 | 1994 | 192.168.2.4 | 46.246.6.20 |
04/23/24-00:06:12.504132 | TCP | 2825563 | ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) | 49730 | 1994 | 192.168.2.4 | 46.246.6.20 |
04/23/24-00:07:13.518261 | TCP | 2825565 | ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity Sending Screenshot (CAP) | 49730 | 1994 | 192.168.2.4 | 46.246.6.20 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Apr 23, 2024 00:06:11.752430916 CEST | 49730 | 1994 | 192.168.2.4 | 46.246.6.20 |
Apr 23, 2024 00:06:12.026603937 CEST | 1994 | 49730 | 46.246.6.20 | 192.168.2.4 |
Apr 23, 2024 00:06:12.026868105 CEST | 49730 | 1994 | 192.168.2.4 | 46.246.6.20 |
Apr 23, 2024 00:06:12.129270077 CEST | 49730 | 1994 | 192.168.2.4 | 46.246.6.20 |
Apr 23, 2024 00:06:12.503940105 CEST | 1994 | 49730 | 46.246.6.20 | 192.168.2.4 |
Apr 23, 2024 00:06:12.504132032 CEST | 49730 | 1994 | 192.168.2.4 | 46.246.6.20 |
Apr 23, 2024 00:06:13.003900051 CEST | 1994 | 49730 | 46.246.6.20 | 192.168.2.4 |
Apr 23, 2024 00:06:17.612581968 CEST | 49730 | 1994 | 192.168.2.4 | 46.246.6.20 |
Apr 23, 2024 00:06:18.106451035 CEST | 1994 | 49730 | 46.246.6.20 | 192.168.2.4 |
Apr 23, 2024 00:06:20.896636963 CEST | 1994 | 49730 | 46.246.6.20 | 192.168.2.4 |
Apr 23, 2024 00:06:20.900985956 CEST | 49730 | 1994 | 192.168.2.4 | 46.246.6.20 |
Apr 23, 2024 00:06:21.315797091 CEST | 1994 | 49730 | 46.246.6.20 | 192.168.2.4 |
Apr 23, 2024 00:06:39.006707907 CEST | 1994 | 49730 | 46.246.6.20 | 192.168.2.4 |
Apr 23, 2024 00:06:39.007106066 CEST | 49730 | 1994 | 192.168.2.4 | 46.246.6.20 |
Apr 23, 2024 00:06:39.407672882 CEST | 1994 | 49730 | 46.246.6.20 | 192.168.2.4 |
Apr 23, 2024 00:06:56.483587980 CEST | 1994 | 49730 | 46.246.6.20 | 192.168.2.4 |
Apr 23, 2024 00:06:56.483974934 CEST | 49730 | 1994 | 192.168.2.4 | 46.246.6.20 |
Apr 23, 2024 00:06:56.815632105 CEST | 1994 | 49730 | 46.246.6.20 | 192.168.2.4 |
Apr 23, 2024 00:07:05.753369093 CEST | 49730 | 1994 | 192.168.2.4 | 46.246.6.20 |
Apr 23, 2024 00:07:06.119800091 CEST | 1994 | 49730 | 46.246.6.20 | 192.168.2.4 |
Apr 23, 2024 00:07:07.269557953 CEST | 49730 | 1994 | 192.168.2.4 | 46.246.6.20 |
Apr 23, 2024 00:07:07.606569052 CEST | 1994 | 49730 | 46.246.6.20 | 192.168.2.4 |
Apr 23, 2024 00:07:10.333960056 CEST | 1994 | 49730 | 46.246.6.20 | 192.168.2.4 |
Apr 23, 2024 00:07:10.377898932 CEST | 49730 | 1994 | 192.168.2.4 | 46.246.6.20 |
Apr 23, 2024 00:07:10.412349939 CEST | 49730 | 1994 | 192.168.2.4 | 46.246.6.20 |
Apr 23, 2024 00:07:10.817898035 CEST | 1994 | 49730 | 46.246.6.20 | 192.168.2.4 |
Apr 23, 2024 00:07:11.972057104 CEST | 49730 | 1994 | 192.168.2.4 | 46.246.6.20 |
Apr 23, 2024 00:07:12.315212965 CEST | 1994 | 49730 | 46.246.6.20 | 192.168.2.4 |
Apr 23, 2024 00:07:12.315299034 CEST | 49730 | 1994 | 192.168.2.4 | 46.246.6.20 |
Apr 23, 2024 00:07:12.707153082 CEST | 1994 | 49730 | 46.246.6.20 | 192.168.2.4 |
Apr 23, 2024 00:07:13.128427982 CEST | 49730 | 1994 | 192.168.2.4 | 46.246.6.20 |
Apr 23, 2024 00:07:13.366101980 CEST | 1994 | 49730 | 46.246.6.20 | 192.168.2.4 |
Apr 23, 2024 00:07:13.366283894 CEST | 49730 | 1994 | 192.168.2.4 | 46.246.6.20 |
Apr 23, 2024 00:07:13.518167973 CEST | 1994 | 49730 | 46.246.6.20 | 192.168.2.4 |
Apr 23, 2024 00:07:13.518260956 CEST | 49730 | 1994 | 192.168.2.4 | 46.246.6.20 |
Apr 23, 2024 00:07:13.719157934 CEST | 1994 | 49730 | 46.246.6.20 | 192.168.2.4 |
Apr 23, 2024 00:07:13.719350100 CEST | 49730 | 1994 | 192.168.2.4 | 46.246.6.20 |
Apr 23, 2024 00:07:13.920140028 CEST | 1994 | 49730 | 46.246.6.20 | 192.168.2.4 |
Apr 23, 2024 00:07:13.920216084 CEST | 49730 | 1994 | 192.168.2.4 | 46.246.6.20 |
Apr 23, 2024 00:07:14.107163906 CEST | 1994 | 49730 | 46.246.6.20 | 192.168.2.4 |
Apr 23, 2024 00:07:14.107275963 CEST | 49730 | 1994 | 192.168.2.4 | 46.246.6.20 |
Apr 23, 2024 00:07:14.297291040 CEST | 49730 | 1994 | 192.168.2.4 | 46.246.6.20 |
Apr 23, 2024 00:07:14.384402037 CEST | 1994 | 49730 | 46.246.6.20 | 192.168.2.4 |
Apr 23, 2024 00:07:14.384676933 CEST | 49730 | 1994 | 192.168.2.4 | 46.246.6.20 |
Apr 23, 2024 00:07:14.587399006 CEST | 1994 | 49730 | 46.246.6.20 | 192.168.2.4 |
Apr 23, 2024 00:07:14.587798119 CEST | 49730 | 1994 | 192.168.2.4 | 46.246.6.20 |
Apr 23, 2024 00:07:14.768400908 CEST | 49730 | 1994 | 192.168.2.4 | 46.246.6.20 |
Apr 23, 2024 00:07:14.818304062 CEST | 1994 | 49730 | 46.246.6.20 | 192.168.2.4 |
Apr 23, 2024 00:07:14.818516970 CEST | 49730 | 1994 | 192.168.2.4 | 46.246.6.20 |
Apr 23, 2024 00:07:14.993105888 CEST | 49730 | 1994 | 192.168.2.4 | 46.246.6.20 |
Apr 23, 2024 00:07:15.019443035 CEST | 1994 | 49730 | 46.246.6.20 | 192.168.2.4 |
Apr 23, 2024 00:07:15.019602060 CEST | 49730 | 1994 | 192.168.2.4 | 46.246.6.20 |
Apr 23, 2024 00:07:15.051496983 CEST | 1994 | 49730 | 46.246.6.20 | 192.168.2.4 |
Apr 23, 2024 00:07:15.051826000 CEST | 49730 | 1994 | 192.168.2.4 | 46.246.6.20 |
Apr 23, 2024 00:07:15.206361055 CEST | 1994 | 49730 | 46.246.6.20 | 192.168.2.4 |
Apr 23, 2024 00:07:15.206583977 CEST | 49730 | 1994 | 192.168.2.4 | 46.246.6.20 |
Apr 23, 2024 00:07:15.267344952 CEST | 1994 | 49730 | 46.246.6.20 | 192.168.2.4 |
Apr 23, 2024 00:07:15.267471075 CEST | 49730 | 1994 | 192.168.2.4 | 46.246.6.20 |
Apr 23, 2024 00:07:15.349406004 CEST | 1994 | 49730 | 46.246.6.20 | 192.168.2.4 |
Apr 23, 2024 00:07:15.349543095 CEST | 49730 | 1994 | 192.168.2.4 | 46.246.6.20 |
Apr 23, 2024 00:07:15.518618107 CEST | 49730 | 1994 | 192.168.2.4 | 46.246.6.20 |
Apr 23, 2024 00:07:15.518821955 CEST | 1994 | 49730 | 46.246.6.20 | 192.168.2.4 |
Apr 23, 2024 00:07:15.565484047 CEST | 49730 | 1994 | 192.168.2.4 | 46.246.6.20 |
Apr 23, 2024 00:07:15.626679897 CEST | 1994 | 49730 | 46.246.6.20 | 192.168.2.4 |
Apr 23, 2024 00:07:15.626913071 CEST | 49730 | 1994 | 192.168.2.4 | 46.246.6.20 |
Apr 23, 2024 00:07:15.796655893 CEST | 1994 | 49730 | 46.246.6.20 | 192.168.2.4 |
Apr 23, 2024 00:07:15.796674967 CEST | 1994 | 49730 | 46.246.6.20 | 192.168.2.4 |
Apr 23, 2024 00:07:15.796782970 CEST | 49730 | 1994 | 192.168.2.4 | 46.246.6.20 |
Apr 23, 2024 00:07:16.061517954 CEST | 49730 | 1994 | 192.168.2.4 | 46.246.6.20 |
Apr 23, 2024 00:07:16.073595047 CEST | 1994 | 49730 | 46.246.6.20 | 192.168.2.4 |
Apr 23, 2024 00:07:16.114614010 CEST | 1994 | 49730 | 46.246.6.20 | 192.168.2.4 |
Apr 23, 2024 00:07:16.114707947 CEST | 49730 | 1994 | 192.168.2.4 | 46.246.6.20 |
Apr 23, 2024 00:07:16.143233061 CEST | 49730 | 1994 | 192.168.2.4 | 46.246.6.20 |
Apr 23, 2024 00:07:16.338680029 CEST | 1994 | 49730 | 46.246.6.20 | 192.168.2.4 |
Apr 23, 2024 00:07:16.338699102 CEST | 1994 | 49730 | 46.246.6.20 | 192.168.2.4 |
Apr 23, 2024 00:07:16.338756084 CEST | 49730 | 1994 | 192.168.2.4 | 46.246.6.20 |
Apr 23, 2024 00:07:16.338757038 CEST | 49730 | 1994 | 192.168.2.4 | 46.246.6.20 |
Apr 23, 2024 00:07:16.401595116 CEST | 1994 | 49730 | 46.246.6.20 | 192.168.2.4 |
Apr 23, 2024 00:07:16.401660919 CEST | 49730 | 1994 | 192.168.2.4 | 46.246.6.20 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Apr 23, 2024 00:06:11.604895115 CEST | 56979 | 53 | 192.168.2.4 | 1.1.1.1 |
Apr 23, 2024 00:06:11.749433041 CEST | 53 | 56979 | 1.1.1.1 | 192.168.2.4 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Apr 23, 2024 00:06:11.604895115 CEST | 192.168.2.4 | 1.1.1.1 | 0x3a9a | Standard query (0) | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Apr 23, 2024 00:06:11.749433041 CEST | 1.1.1.1 | 192.168.2.4 | 0x3a9a | No error (0) | 46.246.6.20 | A (IP address) | IN (0x0001) | false |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
Target ID: | 0 |
Start time: | 00:06:03 |
Start date: | 23/04/2024 |
Path: | C:\Users\user\Desktop\xVcsGL5R1Nbh.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x350000 |
File size: | 32'768 bytes |
MD5 hash: | CBE87D6ABF69BDD3877821F493E6F6B1 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | low |
Has exited: | true |
Target ID: | 5 |
Start time: | 00:07:14 |
Start date: | 23/04/2024 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x240000 |
File size: | 236'544 bytes |
MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 6 |
Start time: | 00:07:14 |
Start date: | 23/04/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7699e0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Execution Graph
Execution Coverage: | 16% |
Dynamic/Decrypted Code Coverage: | 100% |
Signature Coverage: | 2.1% |
Total number of Nodes: | 144 |
Total number of Limit Nodes: | 7 |
Graph
Function 011B19F0 Relevance: 3.9, Strings: 2, Instructions: 1396COMMON
Control-flow Graph
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 04D02523 Relevance: 1.6, APIs: 1, Instructions: 75COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 04D0255A Relevance: 1.6, APIs: 1, Instructions: 52COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 011B03E8 Relevance: 1.6, APIs: 1, Instructions: 105COMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 011B03F8 Relevance: 1.6, APIs: 1, Instructions: 104COMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00B1B5DE Relevance: 1.6, APIs: 1, Instructions: 103fileCOMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 04D0099C Relevance: 1.6, APIs: 1, Instructions: 93COMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 04D00894 Relevance: 1.6, APIs: 1, Instructions: 92timeCOMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 04D00190 Relevance: 1.6, APIs: 1, Instructions: 89COMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 04D009BE Relevance: 1.6, APIs: 1, Instructions: 84COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 04D00FC0 Relevance: 1.6, APIs: 1, Instructions: 81COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 04D022CD Relevance: 1.6, APIs: 1, Instructions: 80COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00B1B6F4 Relevance: 1.6, APIs: 1, Instructions: 80COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 04D026A5 Relevance: 1.6, APIs: 1, Instructions: 79COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 04D00346 Relevance: 1.6, APIs: 1, Instructions: 77fileCOMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00B1BC3E Relevance: 1.6, APIs: 1, Instructions: 77networkCOMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 04D0239C Relevance: 1.6, APIs: 1, Instructions: 76COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 04D001B6 Relevance: 1.6, APIs: 1, Instructions: 76COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00B1B61E Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00B1BD23 Relevance: 1.6, APIs: 1, Instructions: 74COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 04D0278F Relevance: 1.6, APIs: 1, Instructions: 73COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 04D02873 Relevance: 1.6, APIs: 1, Instructions: 73COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00B1B9D6 Relevance: 1.6, APIs: 1, Instructions: 70fileCOMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00B1A140 Relevance: 1.6, APIs: 1, Instructions: 70networkCOMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 04D02207 Relevance: 1.6, APIs: 1, Instructions: 69COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 04D00366 Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00B1BC5E Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 04D01282 Relevance: 1.6, APIs: 1, Instructions: 66libraryCOMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00B1A710 Relevance: 1.6, APIs: 1, Instructions: 66COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 04D02E09 Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 04D008D2 Relevance: 1.6, APIs: 1, Instructions: 64timeCOMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 04D03ADD Relevance: 1.6, APIs: 1, Instructions: 62windowCOMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 04D02896 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 04D027B2 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 04D026D6 Relevance: 1.6, APIs: 1, Instructions: 61COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 04D00007 Relevance: 1.6, APIs: 1, Instructions: 61COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00B1AC03 Relevance: 1.6, APIs: 1, Instructions: 61COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 04D00E2C Relevance: 1.6, APIs: 1, Instructions: 60networkCOMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00B1B9F6 Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 04D0222A Relevance: 1.6, APIs: 1, Instructions: 58COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 04D03EDD Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 04D012A2 Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00B1A2AE Relevance: 1.6, APIs: 1, Instructions: 56COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 04D02306 Relevance: 1.6, APIs: 1, Instructions: 55COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00B1AD9F Relevance: 1.6, APIs: 1, Instructions: 54COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 04D023DA Relevance: 1.6, APIs: 1, Instructions: 53COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00B1B736 Relevance: 1.6, APIs: 1, Instructions: 52COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 04D03D90 Relevance: 1.5, APIs: 1, Instructions: 49windowCOMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 04D00E4E Relevance: 1.5, APIs: 1, Instructions: 49networkCOMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 04D01016 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 04D02E3A Relevance: 1.5, APIs: 1, Instructions: 46libraryCOMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00B1AC2A Relevance: 1.5, APIs: 1, Instructions: 45COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 04D00032 Relevance: 1.5, APIs: 1, Instructions: 43COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00B1BD62 Relevance: 1.5, APIs: 1, Instructions: 43COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00B1A74E Relevance: 1.5, APIs: 1, Instructions: 43COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 04D03F02 Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00B1A186 Relevance: 1.5, APIs: 1, Instructions: 42networkCOMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00B1ADCE Relevance: 1.5, APIs: 1, Instructions: 39COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 04D03B16 Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 04D03DB2 Relevance: 1.5, APIs: 1, Instructions: 35windowCOMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00B1A2DA Relevance: 1.5, APIs: 1, Instructions: 35COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 05101F4C Relevance: .1, Instructions: 60COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00FD07C4 Relevance: .1, Instructions: 59COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00B2B0A4 Relevance: .1, Instructions: 52COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00FD07AF Relevance: .0, Instructions: 45COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00FD05DF Relevance: .0, Instructions: 44COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00FD0880 Relevance: .0, Instructions: 31COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00FD0606 Relevance: .0, Instructions: 27COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00B2B0F3 Relevance: .0, Instructions: 26COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 05101863 Relevance: .0, Instructions: 26COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 05101FB7 Relevance: .0, Instructions: 26COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00B123F4 Relevance: .0, Instructions: 15COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00B123BC Relevance: .0, Instructions: 14COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |